This Week’s [in]Security – Issue 94 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: card-not-present fraud on the rise, 200M Chinese resumes exposed by data scrapper and several smaller breaches, more magecart, driving and droning under the influence, lawsuit over vulnerabilities harming Jeep resales, nation state ransomware not covered starts a potential landmark insurance case, a commercial quantum computer, Ring's an IoT mess, Unicode Zero-Width-Spaces break URL safety checks, 51% - taking over the blockchain for profit, new DUI police powers, filter bubbles, and two very different different redaction problems.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• MasterCard updates it's logo https://www.wsj.com/articles/mastercard-drops-its-name-from-logo-11546858800
• Juniper Research study shows card-not-present fraud is growing faster than card-not-present transactions and costing $130B to 2023 (video and link to paywall survey)  https://www.bankinfosecurity.com/interviews/card-not-present-fraud-growth-no-end-in-sight-i-4217
• A look at fraud prevention https://www.pymnts.com/news/security-and-risk/2019/luxury-retail-neiman-marcus-omnichannel-fraud/
• New York state joins others throwing out law banning credit-card surcharges http://www.digitaltransactions.net/new-york-credit-card-surcharges-get-a-green-light-as-merchants-and-the-state-agree-to-dismiss-lawsuit/
• India embracing tokenization https://www.pymnts.com/safety-and-security/2019/rbi-releases-guidelines-for-electronic-card-payments/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Resumes of 200M Chinese left exposed online by web scraping application  https://www.zdnet.com/article/cvs-containing-sensitive-info-of-over-202-million-chinese-users-left-exposed-online/New trading platform DX:Exchange is leaking login credentials and personal data https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/
• Titan manufacturing and distributing (payments) breach https://www.securityweek.com/hackers-steal-customer-data-manufacturing-company
• OXO, the home goods company, suffered an unsized e-commerce magecart breach of payment data https://www.darkreading.com/attacks-breaches/magecart-mayhem-continues-in-oxo-breach/d/d-id/1333614
• Humana / Bankers Life (healthcare) PII breach https://www.securityweek.com/managed-healthcare-provider-humana-discloses-data-breach
• Many of the recent healthcare breaches have been cases of credential stuffing https://www.darkreading.com/endpoint/humana-breaches-reflect-chronic-credential-theft-in-healthcare/d/d-id/1333607
• Canadian senator's personal data leaked online in apparent Twitter hack https://www.ctvnews.ca/canada/canadian-senator-s-personal-data-leaked-online-in-apparent-twitter-hack-1.4242897
• Australian real estate network First National breached for job applicant data https://www.zdnet.com/article/first-national-dealing-with-authorities-after-reported-information-leak/
• Followup on last weeks' breach of data on German politicians, suspects questioned and accusations of https://www.theguardian.com/world/2019/jan/07/germany-data-breach-teenager-being-questioned-by-police
• Summary of 2018 breaches https://blog.dashlane.com/data-breaches-2018/
• Neiman Marcus settles 2014 breach of 370K payment cards for $1.5M with 43 states https://www.securityweek.com/neiman-marcus-reaches-15-million-data-breach-settlement

Privacy

Articles about privacy related news, risks, and trends.

• Some smartphone users have discovered they can't delete Facebook https://business.financialpost.com/technology/personal-tech/samsung-phone-users-get-a-shock-they-cant-delete-facebook
• US carriers are still selling cellphone location data https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile and https://www.theregister.co.uk/2019/01/08/telcoscustomertracking_sales/
• Cambridge Analytica fined $19K over denying a single request https://www.pymnts.com/news/security-and-risk/2019/cambridge-analytica-scl-elections-fine-data-privacy/
• Bell Canada needs permission to gather and track customer data https://www.cbc.ca/news/business/bell-customer-data-1.4969066
• Twitter meta-data can be used to infer private and sensitive information https://www.theregister.co.uk/2019/01/08/twitterprivacyproblems/
• EFF: People should be able to sue companies that violate their privacy https://www.eff.org/deeplinks/2019/01/you-should-have-right-sue-companies-violate-your-privacy
• Dash cams and auto-mechanics https://www.cbc.ca/news/canada/toronto/toronto-man-raises-privacy-concerns-after-dealership-employee-turns-off-his-dashcams-twice-1.4973924
• Facebook staff discussed cashing in on user data, reports say https://www.theguardian.com/technology/2019/jan/12/facebook-staff-discussed-cashing-in-on-user-data-reports-say

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• A lawsuit claiming vehicle security vulnerabilities have harmed resale prices can go forward https://www.theregister.co.uk/2019/01/08/jeephackingsupreme_court/
• Discussion and renewed debate on "hacking back" https://www.forbes.com/sites/samcurry/2019/01/07/hack-back-vigilantism-in-the-connected-world/#32f2f9b05437
• EFF is critical of the heavy redaction in the Uniloc (a patent troll) vs. Apple case https://www.eff.org/deeplinks/2019/01/apple-says-patent-troll-case-should-be-dismissed-because-redacted-public-should
• Canada recently changed the criminal code giving police more powers in driving under the influence cases stetting off a civil liberties vs. public safety debate. Many of the details are deep inside provincial Highway Traffic Acts but court challenges are predicted https://globalnews.ca/news/4832762/impaired-driving-canada-breath-samples/
• Canada has updated its rules and regulations on drones including registration, certification, operational restrictions, and DUI https://www.cbc.ca/news/politics/drones-aviation-garneau-regulations-1.4970750
• Article on US border patrol powers https://theintercept.com/2019/01/07/cbp-border-patrol-enforcement-law-course/
• Another example of DMCA abuse and the right to repair https://www.eff.org/deeplinks/2019/01/bird-sends-nastygram-reporter-describing-lawful-re-use-impounded-scooters

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• The NSA is releasing one of its' reverse engineering tools https://thehackernews.com/2019/01/ghidra-reverse-engineering-tool.html
• Metasploit 5.0 has been released https://www.securityweek.com/rapid7-releases-metasploit-50
• The National Counterintelligence and Security Center began sending out advisories https://www.securityweek.com/us-companies-urged-protect-against-foreign-government-hackers
• EFF expands efforts from encrypt-the-web to encrypt-the-net: mail-servers https://www.eff.org/deeplinks/2019/01/encrypting-web-encrypting-net-primer-using-certbot-secure-your-mailserver
• Firefox 65 adds more information about local programs performing MITM activities  https://www.bleepingcomputer.com/news/security/firefox-65-to-show-certificates-used-in-man-in-the-middle-ssl-attacks/
• DNS security improvements may be having an impact https://www.darkreading.com/vulnerabilities-and-threats/stronger-dns-security-stymies-would-be-criminals/d/d-id/1333600
• Applying AI (ML) to finding software vulnerabilities https://www.schneier.com/blog/archives/2019/01/machine_learnin.html
• Article on encryption pitfalls https://www.bankinfosecurity.com/encryption-avoiding-pitfalls-that-lead-to-breaches-a-11918
• AWS launches services with HIPAA, PCI, ISO and SOC compliance built-in https://aws.amazon.com/blogs/security/new-aws-services-launch-with-hipaa-pci-iso-and-soc/
• Hyatt Hotels launches a bug bounty in wake of recent skimming attacks https://www.zdnet.com/article/hyatt-hotels-launches-bug-bounty-program-following-card-skimming-attack/
• Zero-trust models are gaining traction https://www.securityweek.com/re-emergence-zero-trust
• IBM just announced a commercial quantum computer https://www.zdnet.com/article/ibm-at-ces-2019-outlines-q-system-one-quantum-computer/
• Drug testing could be improve detection of sample tampering by looking for normal substances like caffeine, chocolate, and nicotine https://www.scientificamerican.com/article/testing-for-caffeine-could-help-foil-fake-urine-scam/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• New hardware agnostic side channel attack on multiple OS cache pages https://www.zdnet.com/article/new-hardware-agnostic-side-channel-attack-works-against-windows-and-linux/
• Linus Torvald's fast fix for the new may break somethings attack https://www.theregister.co.uk/2019/01/08/linuxpatchpage_cache/
• Another unintended consequence of Unicode, Zero-Width-Spaces in URLs are being used to bypass Microsoft Office's Safe Link and URL reputation checker https://thehackernews.com/2019/01/phishing-zero-width-spaces.html
• New proxy tool automates phishing attacks that bypass 2FA https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
• IoT has made your life the attack surface https://www.darkreading.com/endpoint/your-life-is-the-attack-surface-the-risks-of-iot-/a/d-id/1333588
• Ring's security cameras are an IoT security mess https://theintercept.com/2019/01/10/amazon-ring-security-camera/
• WordPress experienced a spike in vulnerabilities through 2018 https://threatpost.com/threatlist-wordpress-vulnerabilities/140690/
• Article on security vulnerabilities in cell phone standards and systems https://www.schneier.com/blog/archives/2019/01/securityvulner19.html

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• The ease of Magecart supply chain attacks  https://www.forbes.com/sites/jasonbloomberg/2019/01/06/cybercrime-so-simple-anyone-can-do-it/
• The importance of protecting your DNS administration interface, a new  Wave of DNS hijacking combined with TLS certificates https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/
• Insurance firm Zurich denies $100M ransomware claim citing act-of-war - headed to the courts https://www.theregister.co.uk/2019/01/11/notpetyainsuranceclaim/
• America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
• New ransomware rakes in $4 million by adopting a “big game hunting” strategy https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
• Ransomware and data integrity https://www.databreachtoday.com/ransomware-attacks-data-integrity-issues-a-11917
• A malware laced app "Weather Forecast-World Weather Accurate Radar" causing users direct financial loss was found on the Play Store and preinstalled on Alcatel smartphones https://www.zdnet.com/article/malware-found-preinstalled-on-some-alcatel-smartphones/
• $1.5M crypto-currency theft from Ethereum Classic after criminals took over more than half the blockchain https://www.independent.co.uk/life-style/gadgets-and-tech/news/crytpoccurency-51-percent-attack-what-is-double-spend-blockchain-explained-a8717411.html
• Unauthorized intruder sends fake alerts over Australian Early Warning Network  https://www.abc.net.au/news/2019-01-07/emergency-text-service-hacked-warning-about-personal-data-sent/10688748
• Hacktivist Gets 10-Year Prison Sentence for DDoS Attack on US Hospitals https://www.securityweek.com/hacktivist-gets-10-year-prison-sentence-ddos-attack-hospitals
• Man who took down Liberia's Internet gets 3 years https://www.cnn.com/2019/01/12/uk/hacker-liberia-cyber-attack-jailed-gbr-intl/index.html
• Krebs looks at the downside of cheap & sketchy Windows software offerings https://krebsonsecurity.com/2019/01/dirt-cheap-legit-windows-software-pick-two/
• Google turfs 85 adware apps that infected 9M users https://thehackernews.com/2019/01/android-adware-malware.html
• Hamilton Police warn online sellers they're targets https://globalnews.ca/news/4823464/hamilton-police-warning-of-buy-and-sell-website-thefts/
• The Feds flipped El Chapo's IT manager to get access to encrypted messages  https://www.theregister.co.uk/2019/01/09/drugkingpinelchaposysadmin/

Other Security / Risk

Articles covering other types of risks.

• More casualties of the US government shutdown making us less safe, dozens of ".gov" HTTPS certificates are expiring https://www.theregister.co.uk/2019/01/11/governmentshutdownsecurity/
• Article and study on filter bubbles and search engine privacy including tests of Google's Incognito mode shows a disturbing amount of personalization https://www.comparitech.com/blog/vpn-privacy/is-google-chrome-incognito-browsing-really-private/ and the study https://spreadprivacy.com/google-filter-bubble-study/ (you may also want to look at last weeks news article on search engines)
• The real life risks of living near where maps pin unresolvable IP address https://gizmodo.com/how-cartographers-for-the-u-s-military-inadvertently-c-1830758394
• A summary of the kinds of problems and risks with AI deep-fakes, big brother and facial recognition, autonomous vehicles, political manipulation, weaponization, bias and discrimination https://www.technologyreview.com/s/612689/never-mind-killer-robotshere-are-six-real-ai-dangers-to-watch-out-for-in-2019/
• Tight on disk space?  Microsoft: Windows 10 to grab 7GB of your storage so big updates don't fail https://www.zdnet.com/article/microsoft-windows-10-to-grab-7gb-of-your-storage-so-big-updates-dont-fail/
• Confusing food allergies with other conditions https://www.businessinsider.com/allergy-study-half-of-adults-think-they-have-allergy-when-they-dont-2019-1
• It's 2019 and failed document redaction is still a problem. Case in point - Paul Manafort, who previously had legal difficulty relating to lack of expertise with PDFs, has been exposed by his legal team's difficulty with PDFs (link to PDF included) https://www.bbc.com/news/world-us-canada-46804127
• Now Heathrow is being disrupted by drones https://arstechnica.com/tech-policy/2019/01/heathrow-flights-disrupted-by-yet-another-drone/
• Interesting twist on the Kaspersky vs US government story, Kaspersky alerted NSA about their tool horder https://arstechnica.com/tech-policy/2019/01/kaspersky-blew-whistle-on-nsa-hacking-tool-hoarder/
• "Right-to-repair" which has previously challenged some of Intellectual Property positions the manufactures has an ally with clmate change https://www.bbc.co.uk/news/science-environment-46797396
• Bill Gates on the ethics (and risk) of gene-editing https://www.businessinsider.com/bill-gates-says-gene-editing-raises-ethical-questions-2019-1
• People are dying in charity donation bins https://www.bbc.co.uk/news/world-us-canada-46801018
• Infographic on the most dangerous occupations https://www.forbes.com/sites/niallmccarthy/2019/01/08/americas-most-dangerous-occupations-infographic/#71e4f9534e7f
• Natural disaster retrospective: 1998's Quebec ice storm https://globalnews.ca/news/4822530/quebec-ice-story-anniversary/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Size matters (but not how you might expect) https://scienmag.com/human-brain-allocates-attention-based-on-known-size-of-objects/
• Crowd-sourcing astronomy, people find a super-earth in a Goldilocks zone that algorithms missed https://www.cnet.com/news/unusual-super-earth-k2-288bb-in-goldilocks-zone-spotted-by-citizen-scientists/
• Opportunity may be dead https://www.universetoday.com/141097/still-no-word-from-opportunity/