Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• A reminder that the new PCI DSS Attestation of Compliance (AOC) forms wil be mandatory next week (October 1) https://blog.pcisecuritystandards.org/what-do-new-pci-dss-saq-changes-mea
• New FAQ on TDEA (TDES) and ASV Scans https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-does-Triple-DEA-TDEA-impact-ASV-Scan-results (you may want to recall https://controlgap.com/blog/nist-moves-on-sweet32/)
• New FAQ on PFI's and QSA services https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-a-PFI-Company-provide-QSA-services-to-an-entity-after-performing-a-PFI-investigation-for-that-entity
• Visa: Card not-present fraud on the rise https://www.databreachtoday.com/visa-on-growth-card-not-present-fraud-a-10304
• A tip for Canadians needing zip codes for payments in the states  https://controlgap.com/blog/canadians-zip-codes/

Breaches / Leaks

• EDGAR was breached in 2016 (All your corporate filings belong to us?) http://thehackernews.com/2017/09/sec-corporate-filing-hack.html
• Yet Another AWS S3 leak, this time keys to the cloud https://www.darkreading.com/threat-intelligence/viacoms-secret-cloud-keys-exposed/d/d-id/1329920
• Adobe lets their PGP private key slip loose https://www.theregister.co.uk/2017/09/22/ohdearadobesecurityblogleaksprivatekeyinfo/
• Car tracking credentials leaked http://thehackernews.com/2017/09/hacker-track-car.html
• National Bank (Canada) website glitch exposes PII for 400 customers https://beta.theglobeandmail.com/report-on-business/national-bank-says-nearly-400-customers-data-exposed-by-website-error/article36340383/
• Gemalto publishes breach level index for first 6 months of 2017 https://www.theregister.co.uk/2017/09/20/gemaltobreachindex/
• Annual Report to Congress on Health Care breaches https://www.databreachtoday.com/agency-releases/annual-report-to-congress-on-breaches-unsecured-protected-r-2539
• US court denies OPM victims standing and diismisses lawsuits  https://epic.org/2017/09/court-dismisses-suits-against-.html

• More on Equifax ...

  • 100K Canadians impacted by Equifax http://www.cbc.ca/beta/news/business/equifax-canada-cyberbreach-1.4296475
  • Various outlets are reporting previous Equifax breaches as if this were new news (it isn't) 2017 https://krebsonsecurity.com/2017/05/fraudsters-exploited-lax-security-at-equifaxs-talx-payroll-division/ and 2016 https://krebsonsecurity.com/2016/05/crooks-grab-w-2s-from-credit-bureau-equifax/
  • Krebs follow-up on Equifax https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight/
  • And an embarassing facepalm https://www.theregister.co.uk/2017/09/21/equifaxfooledagaincompanyteetsoutlinkstowebsiteparodyingit/

Lawful Access / Back-doors / Laws & Regulations / Standards

• The W3C passed EME recommendation into web standard DRM https://www.theregister.co.uk/2017/09/18/w3capproveseme/
• Canadian breach reporting law supporting regulations now up for comments https://www.datex.ca/blog/ottawas-draft-pipeda-amendments-highlight-the-importance-of-security-safeguards
• Citizen Lab on Canada's new Anti-terror law https://deibert.citizenlab.ca/2017/09/c59-canada/
• Australia continues to push anti-encryption http://www.zdnet.com/article/australia-looks-to-deny-encryption-to-terrorists/

• New from NIST

  • Enhancing Resilience of the Internet and Communications Ecosystem http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8192.pdf
  • Cybersecurity Framework Manufacturing Profile http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8183.pdf
  • Special Publication (SP) 800-177 Revision 1, Trustworthy Email is now available for public comment https://beta.csrc.nist.gov/publications/detail/sp/800-177/rev-1/draft
  • Second Public Draft of Special Publication (SP) 800-125A, Security Recommendations for Hypervisor Deployment https://beta.csrc.nist.gov/publications/detail/sp/800-125A/draft

Bugs

• Another example of KBA (Knowledge Based Authentication) limitations.  Using previously breached information (*cough* Equifax) Experian allows anyone to get your credit freeze PIN https://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/
• A look at not patching https://www.theregister.co.uk/2017/09/20/equifaxvulnerabilitycouldbewidespread/
• Some data on how widespread the  Equifax Struts bug is http://blog.trendmicro.com/trendlabs-security-intelligence/apache-struts-vulnerabilities-run-rampant/
• Hold that upgrade, new IOS 11 doesn't play nice with Microsoft mail https://www.macrumors.com/2017/09/20/apple-microsoft-email-server-issue-mail-app-ios-11/

Privacy

• New Apple IOS includes ad blocking https://www.theguardian.com/technology/2017/sep/18/apple-stopping-ads-follow-you-around-internet-sabotage-advertising-industry-ios-11-and-macos-high-sierra-safari-internet
• Canadian Privacy Commissioner raises concerns over US boarder Mobile device searches https://www.thestar.com/news/canada/2017/09/18/privacy-czars-concern-at-cellphone-searches-by-us-border-agents.html
• US Customs and Border to exempt social media from privacy rules https://epic.org/2017/09/cbp-plans-to-exempt-social-med.html

Hacking / Malware / Cybercrime

• Sysadmin gets prison time https://www.databreachtoday.com/former-systems-administrator-gets-prison-time-a-10299
• Trojanized CCleaner signed, sealed, and delivered https://www.databreachtoday.com/avast-distributed-trojanized-ccleaner-windows-utility-a-10298
• MS Office exploited to leak details of target system https://threatpost.com/attackers-use-undocumented-ms-office-feature-to-leak-system-profile-data/128011/
• Beware InMail's https://www.tripwire.com/state-of-security/latest-security-news/hacked-linkedin-accounts-spreading-malicious-links-via-inmail/
• Hospital malware https://www.technologyreview.com/s/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/
• NotPetya ransom-ware cost Fed-Ex's TNT division $300M http://www.bbc.com/news/technology-41336086

Other Security / Risk

• ISO distrusts NSA and moves closer to rejecting their ciphers https://www.schneier.com/blog/archives/2017/09/isorejectsnsa.html
• The Pirate Bay caught in undisclosed, live, and flawed experiment with Crypto-currency mining as alternatives to ads http://thehackernews.com/2017/09/pirate-bay-cryptocurrency-mining.html
• AI not yet up to the task of Cyber Defense https://www.scmagazine.com/ai-powered-cyber-defenses-arent-the-answer-google-security-veteran-heather-adkins/article/689552/
• Pros and Cons of Apple Face ID https://www.schneier.com/blog/archives/2017/09/apples_faceid.html
• Security Blindspots report http://www.zdnet.com/article/hackers-reveal-leading-enterprise-security-blind-spots/
• Filter Bubbles are the artificial world view that social media networks apply to our online existence, Freedom-to-Tinker looks at these https://freedom-to-tinker.com/2017/09/19/breaking-your-bubble/ and https://freedom-to-tinker.com/2017/09/19/what-our-students-found-when-they-tried-to-break-their-bubbles/
• More air-gap research, this time using IR cameras http://thehackernews.com/2017/09/airgap-network-malware-hacking.html
• On robots and jobs https://www.theguardian.com/technology/2017/sep/19/robots-could-take-4m-private-sector-jobs-within-10-years
• Predicting AI-luddites https://www.technologyreview.com/s/608618/hackers-are-the-real-obstacle-for-self-driving-vehicles/
• A discussion on cybersecurity within the organization and CIO/CISO roles http://blog.isc2.org/isc2_blog/2017/09/ciso-vs-cio-turf-war-casts-shadow-cybersecurity.htm
• Project Zero looks at DOM fuzzing https://googleprojectzero.blogspot.ca/2017/09/the-great-dom-fuzz-off-of-2017.html

Off-Topic

• Apparently we all missed the end-of-the-world on Saturday - Phil Plait debunked it so we weren't worried about missing a good party http://www.syfy.com/syfywire/will-the-earth-be-destroyed-this-saturday-hint-no
• Cool proposal for a fleet of inexpensive nano-satellites to explore asteroids https://www.universetoday.com/137253/300-asteroids-explored-fleet-nanosatellites/
• Bizzare prank causes months of lost luggage and prison time http://www.bbc.co.uk/news/world-asia-41330272
• Quebec relaxing their language laws a bit  http://www.bbc.co.uk/news/world-us-canada-41323915