This Week’s [in]Security – Issue 127
09 Sep 2019.
Welcome to This Week’s [in]Security. This week: new PCI FAQ on PIN, EMV reduces fraud by 97%. Facebook: another massive leak, changing facial recognition, and dating privacy worries. Breaches at Yves Rocher, Teletext Holidays, DK-Lok. 19M Canadians impacted by breaches. Google/YouTube fined $170M. Hidden pages bypassing GDPR. DHS-FBI watchlist unconstitutional. New DOD contractor security standards. NIST cyber resilience. Frank Abagnale on privacy. Deflecting an asteroid. Twitter stops SMS. QR code insecurity. GPS trackers with the worst default password. Deep fake voice fraud scores $243K. NTSB and Tesla's Autopilot. Refrigerated food and power failures. US electric grid attacked. Going blind from junk food. Declassification by tweet. Tracing disinformation. US reverses two bans on foreigners. And more.
Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
- New PCI FAQ #1468 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-I-have-the-same-assessor-company-or-individual-assessor-perform-a-PCI-DSS-and-PIN-Assessment-for-our-organization
- We updated our list of all known PCI FAQs https://controlgap.com/index-pci-frequently-asked-questions/
- Control Gap will be at the PCI Community Meeting https://controlgap.com/blog/control-gap-at-vancouver-pci-community-meeting/
- Chip Cards Reduced Counterfeit Fraud By 87% https://www.pymnts.com/visa/2019/visa-chip-cards-reduced-counterfeit-fraud-by-87-pct/
- Seven European mobile payments systems form association called EMPSA https://www.mobilepaymentstoday.com/news/seven-european-mobile-payments-systems-form-association-called-empsa/
Breaches / Leaks
Covering breaches, leaks, data exposures, and their fallout.
- Facebook’s latest leak: records on 419M users collected by an unknown party, and it’s five times as big as the Cambridge Analytica leak https://www.databreachtoday.com/facebook-419-million-scraped-user-phone-numbers-exposed-a-13024, https://www.engadget.com/2019/09/04/facebook-privacy-databases-phone-numbers/, https://nakedsecurity.sophos.com/2019/09/06/database-exposed-133-million-us-facebook-users-phone-numbers/ and https://www.tomshardware.com/news/facebook-data-leak-cambridge-analytica,40327.html
- Yves Rocher Cosmetic Company Leaks Data On Millions https://threatpost.com/data-leak-impacts-millions/147908/
- Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket https://www.theregister.co.uk/2019/09/02/teletextholidays200kcallrecordingss3bucket/
- DK-Lok data breach exposes global enterprise client data, internal emails https://www.zdnet.com/article/dklok-data-breach-leaked-global-enterprise-client-internal-emails/
- 19M Canadians’ data breached in 8 months https://www.ctvnews.ca/politics/19-million-canadians-have-had-their-data-breached-in-eight-months-1.4572535
- EPIC Says FTC Responsible for Cambridge Analytica https://epic.org/2019/09/epic-says-ftc-responsible-for-.html
Privacy
Articles about privacy related news, risks, and trends.
- Frank Abagnale: Never do these 2 things because 'that's 98% of me stealing your identity' https://ca.finance.yahoo.com/news/frank-abagnale-it-only-takes-2-pieces-of-information-to-steal-98-of-your-identity-142210933.html
- Google Fined $170 Million For Violating Kids' Privacy On YouTube https://thehackernews.com/2019/09/youtube-kids-privacy-fine.html
- Privacy Advocates Criticize FTC's Google Settlement https://www.bankinfosecurity.com/privacy-advocates-criticize-ftcs-google-settlement-a-13022
- Brave browser team says Google is using hidden pages to circumvent GDPR https://www.techspot.com/news/81746-brave-browser-team-google-using-hidden-pages-circumvent.html
- Why phones that secretly listen to us are a myth https://www.bbc.co.uk/news/technology-49585682
- When Apps Get Your Medical Data, Your Privacy May Go With It https://www.nytimes.com/2019/09/03/technology/smartphone-medical-records.html
- Unnerving Chinese Deepfake App Lets You Replace Celebrity Faces With Your Own http://www.sciencealert.com/disturbing-deepfake-app-lets-you-convincingly-superimpose-your-face-onto-celebrities
- Facebook's Dating Service is Full of Red Flags https://www.eff.org/deeplinks/2019/09/facebooks-dating-service-full-red-flags
- Facebook is Changing Its Face Recognition Settings. We Have Questions https://www.eff.org/deeplinks/2019/09/facebook-changing-its-face-recognition-settings-we-have-questions
Laws & Regulations / Standards
News about laws, regulations, and standards affecting security, privacy, technology, and public interest.
- Final Public Draft of NIST (SP) 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach is available until November 1, 2019. CSRC Update: https://csrc.nist.gov/news/2019/nist-releases-final-public-draft-sp-800-160-vol-2 and publication details: https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/draft
- CISSPs: We Need Your Insight (updating exams) https://blog.isc2.org/isc2_blog/2019/09/cissp-jta.html
- Federal Court Rules FBI-DHS Watchlist Unconstitutional https://epic.org/2019/09/federal-court-rules-fbi-watchl.html
- DOD issues draft of new contractor cyber standards https://www.fedscoop.com/dod-contractors-cybersecurity-standards-draft/
- Palestinian Harvard student barred from US (over other’s social media posts) is allowed in https://www.bbc.co.uk/news/world-us-canada-49563339
- U.S. reverses lifetime ban on Canadian woman who crossed border with CBD oil, her lawyer says https://www.cbc.ca/news/canada/british-columbia/u-s-ban-overturned-canadian-woman-border-cbd-oil-cannabis-1.5268110
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- An example of ongoing research into secure short-message ciphers - Forkcipher: a New Primitive for Authenticated Encryption of Very Short Messages https://eprint.iacr.org/2019/1004
- Twitter has temporarily switched off tweeting by SMS thanks to its CEO Jack Dorsey getting hacked https://www.businessinsider.com/twitter-turns-off-tweet-by-sms-after-jack-dorsey-hack-2019-9
- Gamification Can Transform Company Cybersecurity Culture https://threatpost.com/gamification-transform-company-cybersecurity-culture/147904/
- Firefox 69 Now Blocks 3rd-Party Tracking Cookies and Cryptominers By Default https://thehackernews.com/2019/09/firefox-tracking-cookies-cryptominers.html
- Spam In your Calendar? Here’s What to Do. https://krebsonsecurity.com/2019/09/spam-in-your-calendar-heres-what-to-do/
- Texas Ransomware Responders Urge Remote Access Lockdown https://www.bankinfosecurity.com/texas-ransomware-responders-urge-remote-access-lockdown-a-13043
- Europe and US are Going to Try and Deflect an Asteroid https://www.universetoday.com/143313/europe-and-us-are-going-to-try-and-deflect-an-asteroid/
- Ghidra decompiler for IDA Pro https://blog.talosintelligence.com/2019/09/ghida.html
- Boomerang Uniformity of Popular S-box Constructions (Boomerang is an attack used against block ciphers) https://eprint.iacr.org/2019/1002
- "Splintering" Makes Hacking Passwords 14 Million Percent Harder https://www.securityweek.com/splintering-makes-hacking-passwords-14-million-percent-harder
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
- Ever heard of QR-jacking? QR codes need security revamp, says creator https://nakedsecurity.sophos.com/2019/09/04/qr-codes-need-security-revamp-says-creator/
- Let's recap reCAPTCHA gotcha: Our cunning AI can defeat Google's anti-bot tech https://www.theregister.co.uk/2019/09/04/recaptcharobothack/
- Bruce Schneier calls out Crown Sterling’s encryption as “snake oil” in a “Doghouse” article (Note: from a PCI DSS perspective it would be considered proprietary cryptography and therefore fails compliance) https://www.schneier.com/blog/archives/2019/09/thedoghousecr_1.html
- Supermicro Bug Could Let "Virtual USBs" Take Over Corporate Servers https://www.wired.com/story/supermicro-bug-virtual-usb/ and https://thehackernews.com/2019/09/hacking-bmc-server.html
- Over 47,000 Supermicro Servers Are Exposing BMC Ports https://www.zdnet.com/article/over-47000-supermicro-servers-are-exposing-bmc-ports-on-the-internet/
- Supermicro fixes BMC flaws that expose servers to virtual USB attacks https://www.scmagazine.com/home/network-security/supermicro-fixes-bmc-software-flaws-that-expose-servers-to-virtual-usb-attacks/
- Hard-coded private keys in QR ticket app used by UK bus company lead to unpaid riders https://www.theregister.co.uk/2019/09/04/corethreebakedprivatersakeyfirstbusticketapp/
- Medical Device Cybersecurity: 3 Alerts Issued https://www.bankinfosecurity.com/medical-device-cybersecurity-3-alerts-issued-a-13046
- Zero-day privilege escalation disclosed for Android https://arstechnica.com/information-technology/2019/09/android-zeroday-gives-hackers-a-way-to-elevate-attacks/
- 600,000 GPS trackers for people (e.g. kids and the elderly) and pets are using 123456 as a password https://arstechnica.com/information-technology/2019/09/600000-gps-trackers-for-people-and-pets-are-using-123456-as-a-password/
- Too bad, so sad, exploit devs: Google patches possibly several million dollars' worth of security flaws in Android https://www.theregister.co.uk/2019/09/05/androidseptember2019_patches/
Hacking / Malware / Cybercrime / Exploitation
News covering active trends and events.
- Blindly accepting network update texts could have pwned your mobe (We ask why anyone would accept system updates over SMS) https://www.theregister.co.uk/2019/09/04/androidmobeotasimvuln/
- CEO ‘Deep Fake’ Swindles Company Out of $243K https://threatpost.com/deep-fake-of-ceos-voice-swindles-company-out-of-243k/147982/
- Hackers Ask for $5.3 Million Ransom, Turn Down $400k, Get Nothing https://www.bleepingcomputer.com/news/security/hackers-ask-for-53-million-ransom-turn-down-400k-get-nothing/
- Feds allege Adconion employees hijacked IP address blocks for spam operation https://krebsonsecurity.com/2019/09/feds-allege-adconion-employees-hijacked-ip-addresses-for-spamming/
- ‘Satori’ IoT Botnet Operator Pleads Guilty https://krebsonsecurity.com/2019/09/satori-iot-botnet-operator-pleads-guilty/
- Back to school: With latest attack, ransomware cancels classes in Flagstaff https://arstechnica.com/information-technology/2019/09/back-to-school-with-latest-attack-ransomware-cancels-classes-in-flagstaff/
- GootKit Malware Bypasses Windows Defender by Setting Path Exclusions https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- Thieves broke into an Australian Apple store with a sledgehammer and stole $300,000 worth of Apple products — but they may already be worth nothing https://www.businessinsider.com/apple-products-stolen-australia-apple-store-bricked-2019-9
Other Security / Risk
Articles covering other types of risks.
- An Unprecedented Cyberattack Hit US Power Utilities https://www.eenews.net/stories/1061111289
- NTSB Report On Tesla Autopilot Accident Shows What's Inside And It's Not Pretty For Full Self Drive https://www.forbes.com/sites/bradtempleton/2019/09/06/ntsb-report-on-tesla-autopilot-accident-shows-whats-inside-and-its-not-pretty-for-fsd/
- Eerie Photos Show The Peaceful Calm Right in The Eye of Hurricane Dorian http://www.sciencealert.com/photos-show-the-eerie-peaceful-calm-in-the-eye-of-hurricane-dorian
- As Dorian pummels the Bahamas, forecasters say 3 other storms forming https://globalnews.ca/news/5850929/dorian-other-tropical-storms/
- Lost power during hurricane Dorian? Don’t eat the food in your fridge (if you are fortunate enough to still have one) https://globalnews.ca/news/5873612/lost-power-hurricane-dorian-fridge-food/
- SpaceX satellite was on “collision course” until ESA satellite was re-routed https://arstechnica.com/information-technology/2019/09/spacex-satellite-was-on-collision-course-until-esa-satellite-was-re-routed/
- Tesla owners are complaining that they were locked out of their cars and left 'stranded' after the app stopped working https://www.businessinsider.com/tesla-owners-left-stranded-app-down-for-maintenance-2019-9
- Thanks to Trump, some amateur astronomers, and simple math, we've a better idea of the capabilities of US “Key-Hole” surveillance satellites https://www.universetoday.com/143298/thanks-to-trump-weve-got-a-better-idea-of-the-capabilities-of-us-surveillance-satellites/
- KH-11 Satellite Facts updated after astronomers out satellite as source of tweeted photo https://www.popularmechanics.com/military/research/a28937898/kh-11-satellites/
- The Plan to Use Fitbit Data to Stop Mass Shootings Is One of the Scariest Proposals Yet https://gizmodo.com/the-plan-to-use-fitbit-data-to-stop-mass-shootings-is-o-1837710691/
- Why Renewables (alone) Can't Save the Climate https://www.forbes.com/sites/michaelshellenberger/2019/09/04/why-renewables-cant-save-the-climate/
- Mattis says the number one most dangerous country in the world is Pakistan https://www.businessinsider.com/jim-mattis-pakistan-dangerous-country-2019-9
- Teen Who Went Blind From Eating Junk Food was a “Picky Eater” http://www.sciencealert.com/here-s-what-you-need-to-know-about-that-teen-who-went-blind-from-eating-junk-food
- The founders of a billion-dollar Israeli spyware startup accused of helping Saudi Arabia attack dissidents are funding a web of new companies that hack into smart speakers, routers, and other devices https://www.businessinsider.com/inside-the-israel-offensive-cybersecurity-world-funded-by-nso-group-2019-8
- Tracing Disinformation With Custom Tools, Burner Phones and Encrypted Apps https://www.nytimes.com/2019/09/04/technology/personaltech/disinformation-politics-reporting.html
- Huawei accuses Trump administration of 'menacing' employees and hacking computers https://www.independent.co.uk/life-style/gadgets-and-tech/news/huawei-us-china-trade-war-patent-trump-a9090021.html
- Do Drivers Really Want To Give Up Driving? https://www.forbes.com/sites/davidkiley5/2019/08/28/do-drivers-really-want-to-give-up-driving/
- Contaminant That May Be Causing the Mysterious Vaping-Related Illnesses Found https://www.scientificamerican.com/article/contaminant-that-may-be-causing-the-mysterious-vaping-related-illnesses-found/
- Undersea science observatory mysteriously vanishes from seabed https://www.cbc.ca/news/technology/missing-geomar-observatory-1.5272850
- EASA Insists On Testing Boeing 737 MAX Itself Before Lifting Ban https://simpleflying.com/easa-737-max-test/
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- These are not scary molecules: Meet the startup turning CO2 emissions into soap https://www.cbc.ca/news/business/cleano2-cnrl-soap-carbinx-1.5265780
- Scientists Identify Promising New Target To Combat Alzheimer’s Disease https://scienmag.com/temple-scientists-identify-promising-new-target-to-combat-alzheimers-disease/
- Geneticists Are Untangling the Mystery of Left-Handedness https://gizmodo.com/geneticists-are-untangling-the-mystery-of-left-handedne-1837882411
- Staring Into Someone's Eyes For 10 Minutes Can Induce Altered State of Consciousness http://www.sciencealert.com/staring-into-someone-s-eyes-for-10-minutes-can-induce-altered-state-of-consciousness
- Superconductivity at the boiling temperature of water is possible (but you don't want to see the pressure cooker) https://physicsworld.com/a/superconductivity-at-the-boiling-temperature-of-water-is-possible-say-physicists/
- The Spaceline: an Elevator From the Earth to the Moon https://www.universetoday.com/143256/the-spaceline-an-elevator-from-the-earth-to-the-moon/
- Planet WASP-12b Might Be on a Death Spiral into its Parent Star https://www.skyandtelescope.com/astronomy-news/planet-wasp-12b-death-spiral/
- Earth’s Orbital Shifts May Have Triggered Ancient Global Warming https://www.scientificamerican.com/article/earths-orbital-shifts-may-have-triggered-ancient-global-warming/