This Week’s [in]Security – Issue 99 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI PIN and 3DS-SDK reporting templates, new RFC process, EMV still cutting fraud, breaches at Instagram and Facebook 3rd parties, breaches at CoffeeMeetsBagel, 500px, Eyeem, and more. Privacy-not-included list updated for Valentines day. More tech company scrutiny. US GDPR a step closer? Password hashes cracked much faster, massive Japanese mobile payment app fraud, suing Apple over 2FA, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Updates

  • PIN Report on Compliance Template https://www.pcisecuritystandards.org/documents/PCIPINv3.0ROCReporting_Template.pdf and Attestation https://www.pcisecuritystandards.org/documents/PCIPINv3.0_AOC.pdf
  • 3-D Secure SDK reporting template and attestation documents https://www.pcisecuritystandards.org/documents/PCI-3DS-SDK-ROV-Reporting-Template-v1_1.pdf and https://www.pcisecuritystandards.org/documents/PCI-3DS-SDK-Security-Standard-v1_1-AOV.docx
  • Understanding the new Request for Comments process - how the Council reviews stakeholder feedback on new and changeds standards https://blog.pcisecuritystandards.org/understanding-the-rfc-process-new-guidance
• 2018 added 400K locations in the US to those accepting EMV http://www.digitaltransactions.net/the-u-s-emv-accepting-merchant-base-grew-by-400000-locations-in-2018/
• Visa reports EMV cuts card-present fraud by 80% https://www.pymnts.com/?p=595078

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• Instagram data from 14 million profiles found in unsecured database, researcher says - possibly scraped by a third party https://www.cyberscoop.com/instagram-insecure-database-14-million-profiles-researcher-says/
• Dunkin Donuts rewards suffers credential stuffing attack and possible account information disclosure https://www.bleepingcomputer.com/news/security/dunkin-donuts-issues-alert-for-credential-stuffing-attack-passwords-reset/
• Australian property valuation firm LandMark White breached for 100K records https://www.darkreading.com/threat-intelligence/up-to-100000-reported-affected-in-landmark-white-data-breach/d/d-id/1333859
• Troy Hunt gives an update on the plague of credential collections that have recently emerged - unsurprisingly there's a lot of duplication and spam https://www.troyhunt.com/the-race-to-the-bottom-of-credential-stuffing-lists-and-collections-2-through-5-and-more/
• Some more collections of apparently legitimate credentials from Dubsmash , 500px, EyeEm, 8fit, Fotolog, Animoto, MyHeritage, MyFitnessPal, Artsy, Armor Games, Bookmate, CoffeeMeetsBagel, DataCamp, HauteLook, ShareThis, Whitepages https://www.theregister.co.uk/2019/02/11/620millionhackedaccountsdark_web/

• While some of the above are just rehashes (please forgive the pun) of older known breaches, several re newer:

  • https://www.pymnts.com/news/security-and-risk/2019/coffee-meets-bagel-user-data-breach/
  • https://nakedsecurity.sophos.com/2019/02/15/photography-site-500px-resets-14-8-million-passwords-after-data-breach/
  • https://haveibeenpwned.com/PwnedWebsites#EyeEm
• Facebook dealing with a breach of data acqyuired by a 3rd party through the Facebook API https://www.zdnet.com/article/facebook-tackles-account-takeover-data-exposure-security-failures/
• The data hasn't surfaced. Was the Equifax breach espionage? https://threatpost.com/equifax-data-nation-state/141929/
• Wendy's announces $50M settlement for 2015 breach http://www.digitaltransactions.net/wendys-announces-50-million-data-breach-settlement-and-other-digital-transactions-news-briefs-from-2-15-19/
• Perspective on breach costs and efforts that will save you money https://www.lexology.com/library/detail.aspx?g=ccd2ee73-f082-4cf0-8e97-f8864b85d7ee

Privacy

Articles about privacy related news, risks, and trends.

• Senators question Apple, Facebook and Google over invasive apps https://www.wired.com/story/senators-project-atlas-facebook-google-apple/
• Report calls Facebook duplicitous //www.theguardian.com/technology/2019/feb/17/parliamentary-report-facebook-stricter-regulations
• Mozilla expands it's Privacy-not-included list to include "teledildonics" (honestly - we didn't even know that was a word let alone that it had been around since 1975) https://www.wired.com/story/internet-connected-sex-toys-security/
• The Privacy-Not-Included list, complete with an amusing creepiness emoji of face changing from happy to disturbed can be found at https://foundation.mozilla.org/en/privacynotincluded/
• One of the architects of the Internet takes issue with privacy implications of Google Chromcast's hard coded DNS https://www.businessinsider.com/paul-vixie-blasts-google-chromecast-2019-2

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Company suing employee for paying scam email https://www.bbc.com/news/uk-scotland-glasgow-west-47161340
• NIST releases draft SP 800-205, Attribute Considerations for Access Control Systems for comment until April 1. Update https://csrc.nist.gov/news/2019/draft-nist-sp-800-205-available-for-comment. Details https://csrc.nist.gov/publications/detail/sp/800-205/draft. And call for Patent claims https://www.nist.gov/itl/publications-0/itl-patent-policy-inclusion-patents-itl-publications
• GAO gives Congress go-ahead for a GDPR-like privacy legislation https://www.zdnet.com/article/gao-gives-congress-go-ahead-for-a-gdpr-like-privacy-legislation/
• Cloudflare wins case agasint patent troll https://blog.cloudflare.com/winning-the-blackbird-battle/
• DNA testing uncovers sperm donor resulting in a lawsuit https://www.nytimes.com/2019/02/16/health/sperm-donation-dna-testing.html
• New Georgia Law would protect those who break into hot cars to save pets https://www.thestar.com/news/world/us/2019/02/17/law-would-protect-those-who-break-into-hot-cars-to-save-pets.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• FCC pushing anti-robocall measures https://arstechnica.com/tech-policy/2019/02/ajit-pai-orders-phone-companies-to-adopt-new-anti-robocall-tech-in-2019/
• Mozilla explains why they maintain their own root certificate store for their products https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• 8-character Windows NTLM password hashes can be cracked in under 2.5 hours using HastCat 6.0.0 and 8 GTX 2080Ti GPUs https://www.theregister.co.uk/2019/02/14/password_length/
• Researchers find 'runC' vulnerability that can escape containers affecting Docker, Kubernetes, ContainerD, and more https://thehackernews.com/2019/02/linux-container-runc-docker.html
• Researchers have found a way to hide malware inside Intel SGX (Software Guard Extension) enclaves https://www.zdnet.com/article/researchers-hide-malware-in-intel-sgx-enclaves/
• Prototype USB cable with embedded Wi-Fi controller allows reote command execution on connected device https://www.schneier.com/blog/archives/2019/02/usbcablewith_.html
• Lenovo smart-watch has multiple vulnerabilities https://threatpost.com/lenovo-watch-x-riddled-with-security-vulnerabilities/141822/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Japan hit by a cash-back for card-present fraud involving the PayPay application use of QR codes - no card, no chip, no PIN https://www.bankinfosecurity.com/japans-credit-card-fraud-debacle-a-12021
• In an apparent act of corporate vandalism, VFEmail may have lost all their US customer's emails going back to 2001 https://krebsonsecurity.com/2019/02/email-provider-vfemail-suffers-catastrophic-hack/
• According to Experian, US businesses and consumers are experiencing the pointing end of the online fraud stick more than other parts of the world https://www.darkreading.com/endpoint/experian-us-suffers-the-most-online-fraud/d/d-id/1333846
• Dating sites under attack, users report being locked out and receiving strange text messages OK Cupid may have suffered from a breach or a credential stuffing attack https://www.darkreading.com/endpoint/okcupid-denies-data-breach-amid-account-hack-complaints/d/d-id/1333842
• and OKCupid app vulnerable to account takeover https://threatpost.com/critical-okcupid-flaw-exposes-daters-to-app-takeovers/141794/
• Credential stuffing explained https://www.wired.com/story/what-is-credential-stuffing/
• McDonald's mobile app users had accounts compromised and bills run up https://nakedsecurity.sophos.com/2019/02/11/mcdonalds-app-users-hatin-it-after-losing-hundreds-to-thieves/
• Arrest of prolific bomb threat hoaxer and DDoS attackers identities finally exposed after breach of gaming site they used https://krebsonsecurity.com/2019/02/bomb-threat-hoaxer-exposed-by-hacked-gaming-site/
• Province seeks forfeiture of Bitcoin wallet, worth $1.4 million, taken in first-ever seizure by Canadian police https://www.thestar.com/news/gta/2019/02/15/province-seeks-forfeiture-of-bitcoin-wallet-worth-14-million-taken-in-first-ever-seizure-by-canadian-police.html

Other Security / Risk

Articles covering other types of risks.

• Customers suing Apple over forcing use of 2FA https://nakedsecurity.sophos.com/2019/02/12/apple-sued-for-forcing-2fa-on-accounts/
• Poll asking if it's possible to secure mobile devices https://threatpost.com/threatpost-poll-is-it-impossible-to-secure-mobile-devices/141694/
• AI can write very convincing fake news articles https://www.technologyreview.com/s/612960/an-ai-tool-auto-generates-fake-news-bogus-tweets-and-plenty-of-gibberish/
• Opinion article. While there isn't anything new about political lies and disinformation, the game has changed with social media and we don't seem to be as well prepared to deal with it https://www.thestar.com/opinion/star-columnists/2019/02/10/cyberattacks-are-hitting-canadian-politics-today.html
• Link and discussion to article describing the reconstruction of the WWII era US voice encryption system called SIGSALY https://www.schneier.com/blog/archives/2019/02/reconstructing_.html
• A cautionary tale about mixing multiple "safe" products together - culprit found for honeybee deaths in almond groves https://news.osu.edu/culprit-found-for-honeybee-deaths-in-almond-groves/
• Pregnant women are being aggressively targeted by Anti-vax ads on Facebook during a Measles outbreak https://www.sciencealert.com/pregnant-women-are-being-targeted-by-antivax-ads-online-during-a-measles-outbreak

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• The Mars Opportunity Rover has been declared dead after going silent eight months ago in a global dust storm. Opportunity is arguably one of the most successful space missions ever, surviving 15 years on Mars using solar power alone. https://www.syfy.com/syfywire/opportunity-lost-but-more-will-arise
• AI has teased out evidence of another human related speicies in our DNA https://www.sciencealert.com/artificial-intelligence-identifies-unknown-ghost-ancestor-in-the-human-genome