This Week’s [in]Security – Issue 95 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI's new Software Security Standard and PCI's new Software Security Framework, huge collection of compromised emails and passwords, using GDPR to go after tech companies, warrant needed to compel biometric access, hack a Telsa for profit, airline PNRs at risk, more IoT problems, even more Magecart, Payroll diversion BEC, $1.7M average breach cost, big game ransomware, DNA accuracy, proof AI can't solve everything, and three technologies to fight climate change.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI just released the new Software Security Framework (SSF) including security standards for software and software life cycle. This is the first step in the implementation of the program and the eventual replacement of the PA-DSS. https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-standards

  • Secure Software Requirements and Assessment Procedures Standard https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf
  • Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf
  • Glossary https://www.pcisecuritystandards.org/documents/PCI-Software-Security-Framework-Glossary-v1_0.pdf
  • SSF FAQs https://www.pcisecuritystandards.org/documents/FAQs-for-PCI-Software-Security-Framework-v1_0.pdf
• PCI updates
• First Data acquired by FiServ http://www.digitaltransactions.net/fiserv-stuns-the-industry-with-a-massive-all-stock-acquisition-of-first-data/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• VOIPO leaves ElasticSearch db with more than 10M records of API credentials, and customer call & SMS logs open for over 6 months https://threatpost.com/voipo-database-exposes-millions-of-texts-call-logs/140898/
• After last years' Ticketmaster breach new cards are being issued https://www.theregister.co.uk/2019/01/14/banksissuecards_ticketmaster/
• Oklahoma Department of Securities (ODS) exposed 3TB of data on unprotected servers https://thehackernews.com/2019/01/oklahoma-fbi-data-leak.html
• KYC (Know-Your-Customer) data from cryptocurrency exchanges is for sale on the dark web https://www.ccn.com/hacked-customer-data-from-world-leading-cryptocurrency-exchanges-for-sale-on-the-dark-web/
• Massive data breach collection of 773M email addresses and 21M unique passwords appears to be amalgamation of prior breach data https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Privacy

Articles about privacy related news, risks, and trends.

• Do search engines infringe Canadian's Charter rights? https://www.thestar.com/news/canada/2019/01/15/google-wants-court-to-decide-whether-search-curbs-would-infringe-charter-rights.html
• Nova Scotia failed to protect information in preventable breaches https://www.thestar.com/halifax/2019/01/15/nova-scotia-failed-to-protect-information-in-preventable-privacy-breaches-scathing-reports-say.html
• Facebook's 10 year challenge may have been a way to mine facial data for AI https://www.forbes.com/sites/nicolemartin1/2019/01/17/was-the-facebook-10-year-challenge-a-way-to-mine-data-for-facial-recognition-ai/#5e7feebb5859
• Privacy campaigner Schrems slaps Amazon, Apple, Netflix, others with GDPR data access complaints https://techcrunch.com/2019/01/18/privacy-campaigner-schrems-slaps-amazon-apple-netflix-others-with-gdpr-data-access-complaints/
• FTC is considering fining Facebook an amount exceeding it's record of $22.5M https://globalnews.ca/news/4864724/facebook-federal-trade-commission-fine/
• Singapore sets healthcare breach fine at $740K https://www.securityweek.com/singapore-imposes-740000-fines-over-major-cyber-attack
• EPIC joins in proposal for US privacy framework https://epic.org/2019/01/consumer-organizations-announc.html and https://www.cbc.ca/news/world/battle-lines-forming-ahead-of-a-looming-u-s-privacy-law-fight-1.4981526
• Discussion about article claiming political/social pressure for content moderation will force tech companies to disable encryption https://www.schneier.com/blog/archives/2019/01/alexstamoson_.html

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• US court rules police require a warrant to compel you to unlock devices protected by biometrics https://www.forbes.com/sites/thomasbrewster/2019/01/14/feds-cant-force-you-to-unlock-your-iphone-with-finger-or-face-judge-rules/#391ed3c642b7
• Essay discussing GCHQ's proposed alternative to encryption backdoors https://www.schneier.com/blog/archives/2019/01/evaluatingthe\.html
• Update on the EU copyright directive https://www.eff.org/deeplinks/2019/01/even-rightsholders-think-europes-article-13-mess-call-immediate-halt-negotiations
• Germany is looking at serious restrictions on Facebook https://www.businessinsider.com/facebook-is-under-increasing-threat-from-german-regulators-2019-1
• EFF opinion: device ownership is a civil liberties issue https://www.eff.org/deeplinks/2019/01/device-ownership-civil-liberties-issue
• US Congress looking at location privacy issue https://epic.org/2019/01/congress-requests-emergency-me.html
• US government shutdown spurring lawsuits https://www.washingtonpost.com/nation/2019/01/14/compelled-work-without-pay-federal-employees-sue-trump-violating-th-amendment/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• $900K Pwn2Own prize for Tesla hacks https://arstechnica.com/information-technology/2019/01/a-contest-is-offering-900000-for-hacks-that-exploit-teslas/
• How the US decides which zero-days to keep secret https://www.darkreading.com/vulnerabilities--- threats/how-the-us-chooses-which-zero-day-vulnerabilities-to-stockpile-/a/d-id/1333652
• 2FA/MFA is good but SMS-2FA should be killed off https://threatpost.com/survey-2fa-kill-sms/140933/
• Cleansing your data from Shodan's IoT search engine https://www.comparitech.com/blog/vpn-privacy/remove-device-shodan/
• Canadian Revenue Agency partners with SecureKey to offer enhanced identity verification https://www.msn.com/en-ca/news/finance-top-stories/cra-eyes-new-way-to-secure-online-services/ar-BBSsPVr

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Zero-day (malicious link)
  vulnerability in Windows Vcard (VCF) processing https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/
• Decades old vulnerabilities found in the Secure Copy Protocol (SCP) client implementations https://thehackernews.com/2019/01/scp-software-vulnerabilities.html
• Intel patches SGX (software guard) enclave mechanism https://www.theregister.co.uk/2019/01/14/intelpatchessgx_flaw/
• Researchers found a bug in a airline travel reservation system used by over 140 airlines worldwide that allowed anyone to see PNR's, access sensitive information, and make changes https://thehackernews.com/2019/01/airlines-flight-hacking.html
• The state of web application security https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/
• Why software bugs are so common https://www.bankinfosecurity.com/blogs/software-bugs-are-so-common-p-2712
• Hard-coded admin credentials found in PDC IDenticard PremiSys software allows adding new users to physical card access systems https://www.tenable.com/blog/multiple-zero-days-in-premisys-identicard-access-control-system and https://threatpost.com/identicard-zero-days-allow-corporate-building-access-location-recon/140891/
• Smart-building proof-of-concept malware https://www.forbes.com/sites/daveywinder/2019/01/15/proof-of-concept-malware-reveals-smart-building-vulnerabilities-your-business-needs-to-deal-with/#14c44c319399
• Docker test environment escape proof-of-concept https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/
• Follow-up to November's CERT advisory on construction crane software vulnerabilities fines more attacks https://www.theregister.co.uk/2019/01/15/evencranesarehackabletrend_micro/
• Tricking Windows into sending your password hashes to an attacker is back in the news https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html and previously https://www.zdnet.com/article/windows-security-microsoft-patch-for-outlook-password-leak-bug-not-a-full-fix/
• EVlink charging stations have multiple vulnerabilities https://www.securityweek.com/schneider-electric-vehicle-charging-stations-exposed-hacker-attacks
• More home router vulnerabilities (TP-Link) https://blog.talosintelligence.com/2019/01/vulnerability-deep-dive-tp-link.html
• Bug in Twitter Android app made private tweets publicly accessible https://www.securityweek.com/bug-twitter-android-app-exposed-protected-tweets
• Microsoft exposes every case number and ticket title on their partner portal https://www.theregister.co.uk/2019/01/18/microsoftpartnerportalsupportrequestdatavisible/
• Profiting from bug bounties - don't quit your day job https://blog.trailofbits.com/2019/01/14/on-bounties-and-boffins/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• New Magecart attack delivered through e-commerce advertising software https://blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/
• Payroll diversion through phishing/business-email-compromise (BEC) https://www.securityweek.com/new-variant-bec-seeks-divert-payroll-deposits
• Ransomware gang playing long game and going after big fish with deep pockets https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
• Stealthy new Android malware only installs if the phone and user are moving https://thehackernews.com/2019/01/android-malware-play-store.html
• Nasty hard to kill RAT malware protects itself in memory https://www.zdnet.com/article/nanocore-trojan-stops-you-killing-its-process/
• SIM card swapper stole millions in cryptocurrencies https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/
• Estimate of cyber attack costs - $1.7M on average https://threatpost.com/threatlist-cost-cyber-attack/140870/
• South Korea investigating breach of ministry of defense systems https://www.theregister.co.uk/2019/01/17/southkoreadefenseministrythacked/
• Charges laid in hacking of SEC's EDGAR database https://www.pymnts.com/news/security-and-risk/2019/ukraine-hacker-sec-edgar-database/
• Book review: Breaking and Entering: The Extraordinary Story of a Hacker Called ‘Alien’ https://www.nytimes.com/2019/01/15/books/review/breaking-entering-alien-jeremy-n-smith.html

Other Security / Risk

Articles covering other types of risks.

• US CEO's rank hacking as biggest external threat https://www.pymnts.com/news/security-and-risk/2019/ceos-cybersecurity-concern-over-recession/
• In the new world of IoT and surveillance talkative home buyers should beware - the seller might be eavesdropping https://www.cbc.ca/news/canada/toronto/surveillance-home-real-estate-1.4979049
• More US website certificates expire during shutdown https://www.securityweek.com/more-gov-domains-hit-government-shutdown
• Voting machine (and IoT) security opinion piece through the lens of an XKCD comic https://blog.erratasec.com/2018/08/that-xkcd-on-voting-machine-software-is.html
• Accuracy of 5 DNA ancestry sites tested using data from identical twins and, surprise, the reports were NOT identical https://www.cbc.ca/news/technology/dna-ancestry-kits-twins-marketplace-1.4980976
• Remember the 90's expression "On the Internet, no one can tell if you are a dog" - now we have fake everything and broken trust https://www.cbc.ca/news/technology/internet-is-fake-ramona-pringle-1.4971834
• The impact of the US Government shutdown on GDP, could it go to zero? https://www.forbes.com/sites/kenrapoza/2019/01/15/can-the-government-shutdown-really-drive-gdp-to-zero/#48834e634437
• Cybergangs are hiring https://www.bankinfosecurity.com/cybercrime-gangs-advertise-fresh-jobs-hacking-services-a-11934
• Can GPS trackers limit domestic violence https://www.wired.com/story/gps-tracking-technology-can-curb-domestic-violence/
• Not only are there problems AI can't solve, there are problems AI can never solve https://www.sciencealert.com/mathematicians-found-a-machine-learning-problem-they-say-won-t-ever-be-solved

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• McFly! Tie your shoes. https://www.independent.co.uk/life-style/nike-self-lacing-trainers-shoes-controlled-smartphone-a8729236.html
• Class Central offers free online courses https://medium.freecodecamp.org/here-are-380-ivy-league-courses-you-can-take-online-right-now-for-free-9b3ffcbd7b8c
• New method transforms carbon emissions into Hydrogen and electric power
• https://scienmag.com/scientists-turn-carbon-emissions-into-usable-energy/
• Artificial photosynthesis could help fight climate change https://scienmag.com/climate-change-how-could-artificial-photosynthesis-contribute-to-limiting-global-warming/
• Nuclear energy is needed as a stopgap in getting green https://www.wsj.com/articles/only-nuclear-energy-can-save-the-planet-11547225861
• Biological batteries https://www.sciencealert.com/game-changing-bacteria-that-produce-electricity-are-now-much-easier-to-find
• Converting cancer cells into fat https://www.sciencealert.com/researchers-convert-breast-cancer-to-harmless-fat-cells-to-try-to-stop-cancer-s-spread
• Binary star with vertical (polar) proto-planenary disk https://astroengine.com/2019/01/14/this-weird-star-system-is-flipping-awesome/
• 100 years since the founding of the Bauhaus School of Design that influenced modern architecture https://www.bbc.com/news/in-pictures-46863364