This Week’s [in]Security – Issue 96 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI Qualified PIN Assessor (QPA) program, FAQ updates, ElasticSearch db leaks 24M mortgage records and 70K shopliffters, Google gets $57M GDPR fine, multiple GDPR investigations, phishing quiz, widespread DNS hijacking, challenges and case law about the right to be forgotten, accessibility and the law affects apps, Breach law updates, trademark fights, law enforcement tech, Russian email trove, reply-all-avalanches, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PIN assessment becomes an official PCI program with assessors known as Qualified PIN Assessors (QPA)

  • Article https://blog.pcisecuritystandards.org/coming-soon-qualified-pin-assessor-program
  • Program Guide https://www.pcisecuritystandards.org/documents/QualifiedPINAssessor_(QPA)_ProgramGuideV1.0.pdf
  • QPA qualification https://www.pcisecuritystandards.org/documents/QualifiedPINAssessor_(QPA)_QualificationRequirements%20V1.0.pdf
  • PIN ROC Reporting Template https://www.pcisecuritystandards.org/documents/PCIPINv3.0ROCReporting_Template.pdf
  • PIN AOC https://www.pcisecuritystandards.org/documents/PCIPINv3.0_AOC.pdf
• PCI What to expect with SPoC and Contactless in 2019 https://blog.pcisecuritystandards.org/pci-spoc-and-contactless-standards-what-to-expect-in-2019
• PCI small merchant resources: guide to safe payments https://blog.pcisecuritystandards.org/resource-for-small-merchants-guide-to-safe-payments
• New PCI FAQ #1462 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-does-Window-of-Payment-Card-Data-Storage-mean-in-the-Final-PFI-Report-template
• Updated list of all PCI FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• PCI SSC 2019-2020 board of advisors https://www.pcisecuritystandards.org/pdfs/PCISECURITYSTANDARDSCOUNCILANNOUNCES2019-2020ADVISORY_BOARD.pdf
• Mastercard fined almost $650M in EU over interchange fees https://www.pymnts.com/news/regulation/2019/european-commission-fines-mastercard-interchange-fees/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Online casino group leaks information on 108 million bets, including user details https://www.zdnet.com/google-amp/article/online-casino-group-leaks-information-on-108-million-bets-including-user-details/
• Texas based Ascension Data & Analytics leaks 24M mortgage records from unprotected ElasticSearch server. Citigroup, HSBC Life Insurance, Wells Fargo, CapitalOne, and US Department of Housing and Urban Development are impacted https://gizmodo.com/millions-of-financial-records-leaked-at-texas-based-dat-1831996146
• Swedend launches GDPR investigation of Google over collection of location data in Android https://www.infosecurity-magazine.com/news/google-under-investigation-gdpr/
• GDPR update: 42K breach notifications and 255 investigations https://www.bleepingcomputer.com/news/security/gdpr-behind-42k-data-breach-notifications-255-investigations/
• Ireland is looking at Twitter under GDPR after another breach notification https://www.pymnts.com/news/security-and-risk/2019/twitter-data-breach-gdpr-investigation/
• 100K records on Alaskan households breached through DHSS through malware https://www.scmagazine.com/home/security-news/data-of-100000-alaskan-households-that-applied-for-public-assistance-breached/
• UK retailer B&Q exposes unprotected ElasticSearch database of 70K indivuals suspect of stealing - it's still a breach https://www.itgovernance.co.uk/blog/70000-affected-in-bq-data-breach
• Personal info of thousands of Ontario Disability Support Program (ODSP) recipients compromised https://toronto.ctvnews.ca/personal-info-of-thousands-of-disability-support-recipients-compromised-1.4263047
• A large trove of Russian emails and documents that had been turned down by WikiLeaks was released https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked

Privacy

Articles about privacy related news, risks, and trends.

• France has assessed Google with a $57M GDPR fine for a lack of transparency on data collection https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html
• Dutch surgeon with prior medical negligence wins lawsuit to require Google to remove history https://www.theguardian.com/technology/2019/jan/21/dutch-surgeon-wins-landmark-right-to-be-forgotten-case-google
• Lab assistant fined for snooping health data https://globalnews.ca/news/4875079/calgary-lab-assistant-fined-snooping-files/
• ACLU demand DoJ reveal facial recognition use https://www.scmagazine.com/home/security-news/aclu-demands-justice-reveal-facial-recognition-tech-use/
• Six Flags being sued by teen under Illinois Pro=ivacy law over use of Biometric data https://www.pymnts.com/news/biometrics/2019/six-flags-lawsuit-ruling-facebook-google
• Ontario nurse fired over privacy breach - unauthorized browsing of patient records https://www.intelligencer.ca/news/local-news/nurse-fired-after-privacy-breach-updated-at-7-p-m
• The large credit agencies and data brokers apparently have access to election rolls in Austrailia https://www.bankinfosecurity.com/blogs/do-data-brokers-access-australian-electoral-roll-p-2714

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Domino's Pizza app must be accessible to blind people http://www.bbc.co.uk/news/technology-46894463
• Massachusetts amends consumer security breach protection
  law https://www.bleepingcomputer.com/news/security/massachusetts-amends-law-protecting-consumers-from-security-breaches/
• North Carolina reintroduces tougher breach laws including 30 day notification and including ransomware as a breach https://healthitsecurity.com/news/north-carolina-reintroduces-strict-data-breach-notification-law and https://www.securityweek.com/proposed-law-classifies-ransomware-infection-data-breach
• Why the "right to be forgotten" under GDPR gets complicated https://thenextweb.com/contributors/2019/01/21/why-right-to-erasure-is-stopping-companies-from-complying-with-gdpr/
• Russia is taking tech giants to task for failing to host data in the country https://www.securityweek.com/russian-watchdog-launches-administrative-proceedings-against-facebook-twitter
• Finally the US names a Privacy Shield ombudsperson https://www.theregister.co.uk/2019/01/22/privacyshieldombudsperson/
• Stupid, groundless trademark threats https://www.eff.org/deeplinks/2019/01/eff-client-responds-ludicrous-collusion-trademark-threat
• A more nuanced trademark vs free speech dispute between the Washington Post and a parody site - parody wins https://www.eff.org/deeplinks/2019/01/washington-post-tries-take-down-parody-site-announcing-trumps-resignation-0
• US court rules traffic stops can't be used to compel passengers to provide identification http://epic.org/2019/01/federal-court-rules-police-may.html
• On spys and hacking laws https://www.theregister.co.uk/2019/01/22/countriesspyregardlessglobalcybersecurity_regulation/
• Schneier looks at the proposed GCHQ backdoor and how it might be detected https://www.schneier.com/blog/archives/2019/01/hackingthegch.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Google/Jigsaw can you spot if you're being phished quiz. Article https://www.businessinsider.com/google-quiz-hackers-phishing-emails-jigsaw-2019-1 and the quiz https://phishingquiz.withgoogle.com/
• Amazon Elasticsearch Service and AWS Lambda - PCI-DSS alerting, monitoring, and reporting https://aws.amazon.com/blogs/security/alerting-monitoring-and-reporting-for-pci-dss-awareness-with-amazon-elasticsearch-service-and-aws-lambda/
• Monitoring expiring certificates https://blog.cloudflare.com/tracing-soon-to-expire-federal-gov-certificates-with-ct-logs/
• Security testing - a deep dive on fuzzing: https://blog.trailofbits.com/2019/01/22/fuzzing-an-api-with-deepstate-part-1/, https://blog.trailofbits.com/2019/01/23/fuzzing-an-api-with-deepstate-part-2/
• Bypassing network restrictions using RDP tunneling https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Browser extensions can bypass Same Origin Policy https://www.securityweek.com/websites-can-exploit-browser-extensions-steal-user-data
• Linux software updater (APT) is vulnerable to man-in-the-middle remote attacks https://thehackernews.com/2019/01/linux-apt-http-hacking.html
• Proof-of-concept privilege escalation for Microsoft Exchange http://www.tenable.com/blog/proof-of-concept-code-gives-standard-microsoft-exchange-users-domain-administrator-privileges
• Let's Encrypt is shutting down TLS-SNI-01 in favor of DNS-01 and HTTP-01 - this primarily affects sites hosted on virtual hosting IPs https://www.theregister.co.uk/2019/01/22/letsencryptgivesadminsuntilfebruary13toswitchofftlssni/
• Google is changing how web extensions are handled and it will harm some ad-blockers https://www.theregister.co.uk/2019/01/22/googlechromebrowseradcontentblockchange/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Poor authentication at many DNS registrars is a serious problem. GoDaddy was exploited by spammers in bomb hoax and sextortion scams https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/
• The US government is also warning about widespread DNS hijacking https://threatpost.com/gov-warning-dns-hijacking/141088/
• Staff at Citizen lab are being targeted in an apparent attempt to compromise their work https://citizenlab.ca/2019/01/statement-from-citizen-lab-director-on-attempted-operations-against-researchers/
• Cyber thieves make off with hundreds of thousands of dollars in attack targeting Coast Capital Savings https://www.cbc.ca/news/canada/british-columbia/coast-capital-savings-cyber-attacks-1.4977944
• Malware using Google Drive for command and control in attempt to avoid detection https://thehackernews.com/2019/01/macro-malware-microsoft-office.html
• Nest Camera passwords exploited to broadcast fake nuclear missile alert https://www.securityweek.com/hacker-uses-nest-camera-broadcast-hoax-nuke-alert
• Nation state hackers with poor operational security expose themselves https://arstechnica.com/information-technology/2019/01/researchers-discover-state-actors-mobile-malware-efforts-because-of-yolo-opsec/
• Russian hacking of US elections is ongoing - DNC targeted in 2018 https://www.securityweek.com/dnc-russian-hackers-attacked-us-again-after-midterm-elections
• Cop pleads guilty to misconduct after using Police db for personal inquiry https://globalnews.ca/news/4874105/toronto-officer-misconduct-guilty/
• Darknet business adopting spycraft techniques like dead-drops https://www.schneier.com/blog/archives/2019/01/theevolutiono.html
• Cyber-money-laundering https://www.darkreading.com/attacks-breaches/how-cybercriminals-clean-their-dirty-money-/a/d-id/1333670
• 3 mem charged in connection with serial-swatter https://krebsonsecurity.com/2019/01/three-charged-for-working-with-serial-swatter/

Other Security / Risk

Articles covering other types of risks.

• Some of the hidden costs of the US government shutdown will cripple law enforcement and cyber-defense https://krebsonsecurity.com/2019/01/how-the-u-s-govt-shutdown-harms-security/
• Mergers & Acquisitions: security and privacy due diligence https://www.bankinfosecurity.com/interviews/mergers-acquisitions-privacy-security-considerations-i-4227
• Now drones are disrupting US airports https://www.theregister.co.uk/2019/01/23/newjerseyairportdroneshutdown/
• Shadow IT, cloud, IaaS and security https://www.darkreading.com/vulnerabilities--- threats/shadow-it-iaas-and-the-security-imperative/a/d-id/1333673
• Apparently China owns half of all VPN services https://www.csoonline.com/article/3335480/virtual-private-network/china-owns-half-of-all-vpn-services.html
• Careful, Canada! This counterfeit cash could fool you https://www.ctvnews.ca/canada/careful-canada-this-counterfeit-cash-could-fool-you-1.4256236
• Rapid DNA machines facilitate DNA matches in 90 minutes but processes, protocols, and rules aren't defined and are open to mistakes and abuse https://www.nytimes.com/2019/01/21/science/dna-crime-gene-technology.html
• Criminal risk assessment algorithms produce scores used in many sentencing decisions. These are AI's trained on historical data and there is a real risk of bias because they are proprietary they aren't transparent https://www.technologyreview.com/s/612775/algorithms-criminal-justice-ai/
• Stochastic terrorism: the use of mass media to incite attacks by random nut jobs https://www.wired.com/story/jargon-watch-rising-danger-stochastic-terrorism/
• Tracing and visualization of stolen bitcoins https://www.lightbluetouchpaper.org/2019/01/22/visualizing-diffusion-of-stolen-bitcoins/
• Canada isn't collecting enough data to answer some key questions affecting our population https://www.theglobeandmail.com/canada/article-in-the-dark-the-cost-of-canadas-data-deficit/
• Over 11K Microsofties trapped in reply-all avalanche https://www.cbsnews.com/news/more-than-11000-at-microsoft-said-ensnared-in-reply-all-email-loop/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Can "The Empire Strikes Back" be far behind https://www.theguardian.com/technology/2019/jan/20/hyundai-elevate-prototype-the-worlds-first-walking-car-preview
• Swedish researchers discover liquid solar battery https://www.sciencealert.com/scientists-create-liquid-fuel-that-can-store-the-sun-s-energy-for-up-to-18-years
• Iceland is useing geothermal energy for direct carbon capture to clean the air https://www.scientificamerican.com/video/scrubbing-carbon-from-the-sky1/
• Scientists simulate the perfect of rogue wave https://www.sciencealert.com/lab-experiments-recreate-a-devastating-freak-wave-for-the-first-time-and-it-s-beautiful
• Lunar eclipses are good opportunities to see meteor impacts, there were two during last week's so-called super blood wolf moon https://www.forbes.com/sites/davidbressan/2019/01/22/a-meteorite-hit-the-super-wolf-blood-moon/
• The weird off-axis synchronized orbits in our outer solar system can be explained without a ninth planet - either possibility requires more discovery https://scienmag.com/mystery-orbits-in-outermost-reaches-of-solar-system-not-caused-by-planet-nine/
• "Snow Rugby" is a thing and surprisingly not invented in Canada https://www.bbc.com/news/av/world-europe-46973265/snow-rugby-catches-on-in-russia