This Week’s [in]Security – Issue 22 | insecurity | Control Gap

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Article on 2018 PCI deadlines https://blog.pcisecuritystandards.org/keeping-up-to-date-with-pci-dss-dates
• PCI Council looking for feedback on PIN standard https://blog.pcisecuritystandards.org/request-for-comments-pci-pin-standard
• PCI Council raising the qualification bar for all QSA by 2019 https://www.pcisecuritystandards.org/documents/FrequentlyAskedQuestionsforQSARequirementforIndustryRecognizedProfessionalCertifications.pdf
• Summary of coming QSA program changes: Associates, minimum required certifications, and 3D secure standard https://blog.pcisecuritystandards.org/what-is-next-for-the-qsa-program
• Good discussion on the challenges of PCI in financial institutions https://pciguru.wordpress.com/2017/08/26/pci-compliance-and-financial-institutions/
• More on deep insert skimmers https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/

Breaches / Leaks

• Hacker claims breach of 1M+ UK medical records https://www.databreachtoday.com/did-hacker-steal-over-1-million-uk-health-records-a-10212
• Yet another AWS S3 leak (YAAWSS3L) http://www.theregister.co.uk/2017/08/22/openawss3bucketleakedhotelbookingservicedatasayskromtech/
• Carbon Black may in fact have a leak https://krebsonsecurity.com/2017/08/carbon-emissions-oversharing-bug-puts-security-vendor-back-in-spotlight/
• Aetna mails customers, exposes HIV status though faulty positioning beneath envelope window https://www.washingtonpost.com/news/morning-mix/wp/2017/08/25/aetna-accidentally-exposed-customer-hiv-statuses-in-clear-envelope-windows/

Lawful Access / Back-doors / Laws & Regulations

• Ross Anderson on the UK Crypto wars and “going dark”  https://www.lightbluetouchpaper.org/2017/08/22/history-of-the-crypto-wars-in-britain/
• New breach notification legislation in Delaware https://www.databreachtoday.com/delaware-toughens-data-breach-notification-law-a-10217
• 2017’s US Intelligence Authorization Act, some amendments and objections https://www.theregister.co.uk/2017/08/23/intelligenceact2018_amendments/
• Request for 1.3M distruptj20.org user IP addresses dropped https://www.theregister.co.uk/2017/08/23/dojnarrowsprotestwebsiteinfo_grab/

Bugs

• ROPEMAKER - Abusing email after hitting send by using CSS and HTML http://thehackernews.com/2017/08/change-email-content.html and a counter opinion that it may be overstated http://www.csoonline.com/article/3218706/security/email-security-vendor-claims-to-have-discovered-a-new-email-exploit.html

Privacy

• Accuweather app ignores users don’t share location preferences http://www.zdnet.com/article/accuweather-caught-sending-geo-location-data-even-when-denied-access/

Hacking / Malware / Cybercrime

• Lottery hacked by insider https://www.schneier.com/blog/archives/2017/08/insiderattack\.html
• Google pulls adware/malware SDK apps https://www.theregister.co.uk/2017/08/23/adwareapiphoneshometochinesecompany/
• Bizzare Wikileaks article, CIA hacked FBI and NSA for biometric data http://www.zdnet.com/article/why-did-cia-create-a-bogus-software-upgrade-to-steal-data-from-fbi-nsa/
• Police booby trapped file sent to dark web site to catch criminals http://www.cbc.ca/beta/news/technology/hidden-code-ip-address-police-dark-web-investigation-1.4263103
• New York State Driver License Biometrics catch cheaters and identity theft https://arstechnica.com/tech-policy/2017/08/biometrics-leads-to-thousands-of-a-ny-arrests-for-fraud-identity-theft/

Other Security / Risk

• Put risk analysis before ROI http://blog.erratasec.com/2017/08/roi-is-not-cybersecurity-concept.html and an alternate definition of ‘ROI’ http://www.datagovernance.com/data-cartoons-roi/
• Discussion of standardizing blockchain http://blog.erratasec.com/2017/08/on-iso-standardization-of-blockchains.html
• Post-war Turing papers found https://www.theguardian.com/science/2017/aug/27/collection-letters-codebreaker-alan-turing-found-filing-cabinet

Off-Topic

• Space-X reveals new space suit https://www.universetoday.com/136901/elon-musk-reveals-new-spacex-spacesuit/
• Astronomers image the face of the red-supergiant Antares https://www.universetoday.com/136940/new-study-antares-creates-best-map-ever-distant-star/