This Week’s [in]Security – Issue 16 | insecurity

This Week’s [in]Security – Issue 16

17 Jul 2017.

Tags:

insecurity
x

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

PCI Council now looking at software based standards for mobile PIN entry with solutions like Square, may signal a change of position with implications to other standards https://blog.pcisecuritystandards.org/mobile-payment-acceptance-a-look-at-pcis-new-software-based-pin-entry-initiative
Official PCI SSC article on Demystifying NESA https://blog.pcisecuritystandards.org/demystifying-the-nesa ( See also our previous article on P2PE, NESA, and E2EE https://controlgap.com/blog/understanding-encryption-and-pci-compliance/)
NIST announces plans to deprecate TDEA (3DES) https://beta.csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
UK payments survey http://www.pymnts.com/news/regulation/2017/psr-offers-up-annual-report-and-regulatory-roadmap/
Experiments in offline-mobile payments https://www.lightbluetouchpaper.org/2017/07/12/testing-the-usability-of-offline-mobile-payments/
Deep insert skimmers using infrared https://krebsonsecurity.com/2017/07/thieves-used-infrared-to-pull-data-from-atm-insert-skimmers/

Breaches / Leaks

UK's AA leaks partial credit card (i.e. last 4, expiry) info but PR side of incident response less than satisfying https://www.theregister.co.uk/2017/07/10/aa_breach_analysis/
Possible breach of 100M records from Indian telco https://www.theregister.co.uk/2017/07/11/indian_telco_reliance_jio_denies_alleged_customer_data_breach/
Analysis (long) of the affect of breaches on share prices shows variations such as due to time period and asset sensitivity https://www.comparitech.com/blog/information-security/data-breach-share-price/
3rd card breach for Trump Hotels due to Sabre breach https://www.theregister.co.uk/2017/07/11/trump_hotels_sabre_synxis_victim/ and http://www.databreachtoday.com/trump-hotels-suffers-another-payment-card-breach-a-10101
Verizon 3rd party leaks 14M customer records through insecure AWS S3 bucket https://threatpost.com/third-party-exposes-14-million-verizon-customer-records/126798/
S3 leaks are happening way too often https://threatpost.com/experts-warn-too-often-aws-s3-buckets-are-misconfigured-leak-data/126826/

Lawful Access / Back-doors / Laws & Regulations

ex-GCHQ director backs end to end encryption https://www.theregister.co.uk/2017/07/10/former_gchq_wades_into_encryption_debate/
China and Russia pass anti-privacy laws https://www.theregister.co.uk/2017/07/11/russia_china_vpns_tor_browser/
US restricts use of Kaspersky http://www.databreachtoday.com/trump-administration-restricts-kaspersky-lab-product-use-a-10105

Bugs

Mitre is having trouble keeping up with CVE's http://www.csoonline.com/article/3204568/application-security/closing-the-cve-gap-is-mitre-up-to-it.html
Rare HP Non-Stop vulnerability and it's, you guessed it, Samba https://www.theregister.co.uk/2017/07/11/hpe_stops_nonstop_server_samba_bugs/
Recent penetration test report on RDP showing significant systematic weaknesses and challenges to achieving secure configurations https://www.exploit-db.com/docs/41621.pdf (Note: the attack uses arp spoofing but could easily be implemented using wide area techniques like DNS compromise)