This Week’s [in]Security – Issue 20 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Reminder, August 16th Deadline for 2018 PCI SIG proposals https://blog.pcisecuritystandards.org/pci-special-interest-groups-industry-collaboration-at-its-best
• PCI FAQ renamed, clarified and broadened from ASV to all Vulnerability Scans https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/For-vulnerability-scans-what-is-meant-by-quarterly
• PCI FAQ on PTS expiry updated https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-are-the-expiry-dates-for-PTS-POI-device-approvals
• Updated index of PCI SSC FAQ's https://controlgap.com/index-pci-frequently-asked-questions/
• PCI on using the Prioritized Approach Document https://blog.pcisecuritystandards.org/payment-security-with-the-prioritized-approach-to-pci-dss
• How will PCI adjust to the new NIST position on passwords? Hint: think "... complexity and strength at least equivalent to ..." https://xkcd.com/936/

Breaches / Leaks

• Healthcare breach wall of shame passes 2000 members http://www.databreachtoday.com/wall-shame-hits-new-milestone-for-health-data-breaches-a-10184
• Video sharing site breached for 85M accounts, emails, and bcrypt password hashes https://haveibeenpwned.com/PwnedWebsites#Dailymotion
• More on GOT breach, admin credentials, contact lists, … https://www.theguardian.com/technology/2017/aug/08/game-of-thrones-stars-personal-details-leaked-hbo-hackers-demand-ransom

Lawful Access / Back-doors / Laws & Regulations

• FBI to keep biometric data despite claims of high error rates https://epic.org/2017/08/fbi-issues-final-rule-on-biome.html
• US implementing Visa holders social media collection https://epic.org/2017/08/state-department-moves-forward.html
• Challenging Canada's global take-down order https://www.eff.org/deeplinks/2017/08/eff-asks-us-court-bar-enforcement-canadas-global-takedown-order
• ex-MI-5 head speaks out in favor of encryption https://www.theguardian.com/technology/2017/aug/11/ex-mi5-chief-warns-against-crackdown-encrypted-messaging-apps
• Time for IoT regulation? https://sector.ca/is-it-time-to-regulate-the-iot/
• House bill preempts states from regulating self-drive cars (privacy concerns) https://epic.org/2017/08/house-releases-text-of-automat.html
• UK prepares new data protection law https://epic.org/2017/08/uk-government-releases-stateme.html

Bugs

• Self-drive car stop sign recognition fail http://thehackernews.com/2017/08/self-driving-car-hacking.html
• Lots of critical bug fixes https://www.darkreading.com/vulnerabilities--- threats/microsoft-fixes-27-remote-code-execution-flaws/d/d-id/1329596
• And some for SAP https://threatpost.com/sap-patch-tuesday-update-resolves-19-flaws-three-high-severity/127357/
• High school student nets $10K bug bounty from Google https://threatpost.com/high-schooler-nets-10000-for-google-bug/127370/

Privacy

• Awareness for securing online accounts. Article https://citizenlab.ca/2017/08/citizen-labsecureaccounts/and site https://netalert.me/secure-accounts.html

Hacking / Malware / Cybercrime

• Injecting Shell Code via Com getobject() to white-listed components https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/amp/
• Abusing Windows Arbitrary Directory Creation https://googleprojectzero.blogspot.ca/2017/08/windows-exploitation-tricks-arbitrary.html
• Beware fake cryptocurrency scams http://www.pymnts.com/news/security-and-risk/2017/alleged-london-cryptocurrency-fraud/

Other Security / Risk

• Using DNA to encode data, video, and now buffer-overflows! https://www.wired.com/story/malware-dna-hack (Not quite the fictional multi-channel neuro-linguistic virus of the the 1992 novel "SnowCrash")
• Article on DirectDefense's claim that Carbon Black leaks sensitive and proprietary information through multi-scanners https://krebsonsecurity.com/2017/08/beware-of-security-by-press-release/
• The building push for paper based voting in the US https://www.darkreading.com/vulnerabilities--- threats/voting-system-hacks-prompt-push-for-paper-based-voting/d/d-id/1329577
• Salesforce DEFCON presenters fired for presentation https://www.theregister.co.uk/2017/08/10/salesforcefiresitsseniorsecurityengineersafterdefcontalk/
• Correlating dating sites to professional sites to attack businesses http://blog.trendmicro.com/trendlabs-security-intelligence/can-online-dating-apps-be-used-to-target-your-company/
• Hacking Pseudo Random Number Generators for profit https://www.schneier.com/blog/archives/2017/08/hackingslotma.html
• Drivers manipulating Uber surge pricing https://www.schneier.com/blog/archives/2017/08/uberdriversha.html
• GDPR reminder anyone? An info-graphic on 2018 regulatory fine increases https://www.pcisecuritystandards.org/pdfs/161014UKcybersecuritythreatPCIInfographic\(FINAL).pdf
• The long slow goodbye for Flash https://krebsonsecurity.com/2017/08/flash-player-is-dead-long-live-flash-player/

Off-Topic

• Warning: bogus solar eclipse viewing glasses being sold for August 21st eclipse http://nationalpost.com/news/world/vendors-may-be-selling-fake-solar-eclipse-glasses-heres-how-to-make-sure-yours-are-real/wcm/8a9a36f9-8f12-4dee-85c7-b9474b35e75d
• Past and future solar eclipse maps https://eclipse.gsfc.nasa.gov/SEmap/SEmapNA.html
• XKCD: Humans vs. Computers https://xkcd.com/1875/