This Week’s [in]Security – Issue 35 | insecurity | Control Gap

This Week’s [in]Security – Issue 35

27 Nov 2017.

Tags:

insecurity
x

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

Visa Security Alert - Cybercriminals Leveraging Dynamic Data Exchange (DDE) Protocol vulnerability https://usa.visa.com/dam/VCOM/global/support-legal/documents/psi-security-alert-cybercriminals-leveraging-dde-protocol.pdf (from Visa's merchant library https://usa.visa.com/support/merchant/library.html))
Several PCI guidance documents received recent updates that haven't been as broadly publicized as they deserve
Another report on retailer cybersecurity https://sector.ca/cybersecurity-report-card-says-retailers-must-try-harder/
Study tries to quantify lost Bitcoins http://fortune.com/2017/11/25/lost-bitcoins/

Breaches / Leaks

Free Application for Federal Student Aid weak KBA access leaks huge amounts of personal data https://krebsonsecurity.com/2017/11/namedobssnfafsa-data-gold-mine/
The Uber breach:
- Uber actively concealed a breach of 57M records paying off hackers while negotiating with FCC over past breaches https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
- EPIC weighs in https://epic.org/2017/11/uber-hid-massive-data-breach-f.html
- UK probe started and deliberate evasion could increase penalties https://www.databreachtoday.com/driving-privacy-regulators-crazy-uk-probes-uber-breach-a-10469
- More nations investigate https://www.theguardian.com/technology/2017/nov/22/uber-scrutiny-data-breach-hacking
- Just a reminder that 48 states have breach notification laws http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- This is the second breach of Uber using hardcoded credentials, from 2014 https://securityintelligence.com/news/publicly-stored-security-key-may-enabled-uber-data-breach/
Australia's Department of Social Services breach included credit card data https://www.theguardian.com/technology/2017/nov/22/uber-scrutiny-data-breach-hacking
Troy Hunt (of I've been Pwned) to testify to Congress on breaches https://www.troyhunt.com/im-testifying-in-front-of-congress-in-washington-dc-about-data-breaches-what-should-i-say/

Laws & Regulations / Standards

Technology, transparency and fourth amendment searches https://www.vox.com/the-big-idea/2017/11/22/16687420/fourth-amendment-online-searches-constitution-facebook-gag-orders
Apple vs. FBI again? This time over Texas killer https://www.theregister.co.uk/2017/11/20/warranttexasshooter_iphone/
Congress looking at letting ISPs setup paid "fast lanes" and breaking Net-neutrality https://www.eff.org/deeplinks/2017/11/will-congress-bless-internet-fast-lanes
Canada and US on different paths re: Net-neutrality http://www.michaelgeist.ca/2017/11/net-neutrality-divide-canada-u-s-go-separate-ways-open-internet/
New FCC rules should help limit robocalls https://www.wired.com/story/robocall-getting-worse-but-help-is-here/
Australian patent troll suit to suppress EFF's stupid patent of the month fails https://www.eff.org/deeplinks/2017/11/court-rules-effs-stupid-patent-month-post-protected-speech
OWASP updates it's top 10 in 2017 https://www.owasp.org/images/7/72/OWASPTop10-2017_%28en%29.pdf.pdf and an article https://www.darkreading.com/application-security/new-owasp-top-10-list-includes-three-new-web-vulns/d/d-id/1330479

Bugs / Design Flaws

Even more security flaws in Intel's Management Engine (ME) firmware https://www.theregister.co.uk/2017/11/20/intelflagsfirmware_flaws/
Intel patches multiple bugs in ME https://threatpost.com/intel-patches-cpu-bugs-impacting-millions-of-pcs-servers/128962/
53 models of HP Printers have firmware vulnerable to remote code execution https://thehackernews.com/2017/11/hp-printer-hacking.html
Vulnerability in configuration of Windows Addresses Space Randomization Layer https://www.darkreading.com/vulnerabilities--- threats/researcher-finds-hole-in-windows-aslr-security-defense/d/d-id/1330466
Microsoft's response to the ASRL finding indicates risk is with a limited case and is being worked on https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
Golden ticket-like bug in SAML authentication https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/
F5 RSA cyrpto vulnerable to the Bleichenbacher attack and needs patching https://www.theregister.co.uk/2017/11/20/f5cryptoweakness/
Samsung pay leaks https://www.darkreading.com/threat-intelligence/samsung-pay-leaks-mobile-device-information/d/d-id/1330480

Privacy

Google collects location via cell tower even when location tracking is off https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/
Germany orders smart watches with covert listening capabilities destroyed http://www.zdnet.com/article/is-germany-right-to-tell-parents-to-destroy-kids-smartwatches-over-snooping-fears/
Removing your collected voice assistant data from Google and Amazon https://www.wired.com/story/amazon-echo-and-google-home-voice-data-delete/

Hacking / Malware / Cybercrime

Another Microsoft office feature being used to spread malware https://thehackernews.com/2017/11/ms-office-macro-malware.html
Tether (a dollar backed cryptocurrency) hacked for $30M tokens https://thehackernews.com/2017/11/tether-bitcoin-hacked.html
Western Union AML settlement fund to reimburse scam victims https://krebsonsecurity.com/2017/11/fund-targets-victims-scammed-via-western-union/
OPP warning of scams https://www.theweeklynews.ca/news-story/7936031-opp-warning-public-of-latest-fraudulent-scams/
Article on the empire exploitation framework https://www.tenable.com/blog/identifying-empire-http-listeners

Other Security / Risk

A problem with Javascript code tags https://www.theregister.co.uk/2017/11/22/cryptojackersgoogletagmanagercoin_hive/
The new year approaches and the security predictions are coming https://www.forbes.com/sites/davelewis/2017/11/21/the-logical-fallacy-of-security-predictions/
IBM links public DNS to threat database https://www.theregister.co.uk/2017/11/20/quad9secureprivatednsresolver/ and press release https://www.globalcyberalliance.org/ibm-packet-clearing-house-global-cyber-alliance-collaborate-protect-businesses-consumers-internet-threats.html
Article on techniques to lock down websites https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
Noscript for the new Firefox https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/
Amazon classified cloud https://www.schneier.com/blog/archives/2017/11/amazoncreates\.html
Algorithm detecting unknown serial killers https://www.newyorker.com/magazine/2017/11/27/the-serial-killer-detector
Krebs update on the VDOS stresser players https://krebsonsecurity.com/2017/11/correcting-the-record-on-vdos-prosecutions/
Example of a cognative AI https://www.technologyreview.com/s/609507/this-inquisitive-ai-will-kick-your-butt-at-battleship/

Off-Topic

An anti-spam chatbot at your service https://www.theverge.com/2017/11/10/16632724/scam-chatbot-ai-email-rescam-netsafe
The Big Dipper over Pyramid Mountain in Jasper National Park Alberta https://apod.nasa.gov/apod/ap171121.html
Another easily debunked moon landing conspiracy theory http://www.syfy.com/syfywire/no-thats-not-a-stagehand-in-an-apollo-astronaut-photo

Control Gap Inc. Supports Easter Seals Ontario

This Week’s [in]Security – Issue 36