Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• New PCI FAQ https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-is-the-intent-of-administrative-access-in-PCI-DSS
• Updated and renamed PCI FAQ https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-card-verification-codes-values-be-stored-for-card-on-file-or-recurring-transactions
• Updated list of all known public PCI FAQ's https://www.controlgap.com/index-pci-frequently-asked-questions/
• PCI Blog calls out insecure remote access as top SMB risk https://blog.pcisecuritystandards.org/insecure-remote-access-top-risk-for-smbs
• App (and manual technique) that detects common gas pump skimmers https://www.bleepingcomputer.com/news/security/android-app-lets-users-detect-credit-card-skimmers-at-gas-pumps/
• Consumer alert free trials and subscription traps http://www.cbc.ca/news/business/marketplace-skin-cream-trials-1.4349777

Breaches / Leaks

• Accenture exposed keys, credentials, and client data in AWS S3 buckets https://www.itnews.com.au/news/accenture-exposed-by-misconfigured-aws-storage-475124
• Hyatt breached again https://krebsonsecurity.com/2017/10/hyatt-hotels-suffers-2nd-card-breach-in-2-years/
• Disqus confirms 2012 breach of 17M users https://www.bleepingcomputer.com/news/security/disqus-confirms-2012-data-breach-that-exposed-details-for-17-5-million-users/
• Forrester breached for research reports https://www.bleepingcomputer.com/news/security/market-research-firm-forrester-says-hackers-stole-sensitive-reports/
• Austrailian contractor helpdesk admin/admin responsible for disclosure of F-35 Joint Strike Fighter program data https://www.databreachtoday.com/hacker-steals-joint-strike-fighter-plans-in-australia-a-10376

• More Equifax - the count is now up to 6 incidents including 2 this week

  • Yet another hack, customer help web page serving malware  http://www.cbc.ca/beta/news/business/equifax-hack-web-page-1.4351743 and https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/
  • Salary history exposed by Equifax division https://krebsonsecurity.com/2017/10/equifax-breach-fallout-your-salary-history/
  • Broken incident response and escalation processs https://www.csoonline.com/article/3230521/cyber-attacks-espionage/equifax-proves-the-cisos-right.html
  • More UK records exposed, now 15.2M name+dob and 700K details  https://krebsonsecurity.com/2017/10/equifax-hackers-stole-info-on-693665-uk-residents/ and https://www.databreachtoday.com/equifax-152-million-uk-records-exposed-a-10372
  • IRS suspends recent contract https://gizmodo.com/irs-suspends-7-million-contract-after-equifax-screw-up-1819436686
• Transunion also serves up malware https://arstechnica.com/information-technology/2017/10/equifax-rival-transunion-also-sends-site-visitors-to-malicious-pages/

Laws & Regulations / Standards

• Mass-spectrometry of fingerprints can reveal things touched,will aid investigation of cold cases http://www.bbc.co.uk/news/uk-england-south-yorkshire-41525517
• EFF weighs in on how to address foreign interference in elections through social media https://www.eff.org/deeplinks/2017/10/facebook-twitter-crosshairs-investigators-probing-russian-interference-lets
• The war on encryption is getting warmer https://www.washingtonpost.com/world/national-security/justice-dept-might-more-aggressively-seek-encrypted-data-from-tech-companies/2017/10/10/f33a91fc-adf7-11e7-9e58-e6288544af98_story.html and https://www.cnet.com/news/responsible-encryption-deputy-attorney-general-rod-rosenstein-back-doors/
• EFF counterpoint https://www.eff.org/deeplinks/2017/10/deputy-attorney-general-rosensteins-responsible-encryption-demand-bad-and-he
• GDPR can apply outside the EU http://blog.isc2.org/isc2_blog/2017/10/why-non-eu-based-businesses-may-be-affected-by-the-eu-general-data-protection-regulation-gdpr.html

Bugs / Design Flaws

• Doh! macOS discloses drive password  https://www.theregister.co.uk/2017/10/05/applepatchespasswordhintbugthatrevealed_password/
• iOS password prompts can be impersonated https://www.schneier.com/blog/archives/2017/10/impersonating_i.html
• Another Doh! Outlook sends plaintext along with encrypted S/Mime message https://www.theregister.co.uk/2017/10/11/outlooksmimebug/
• CSV injection attacks, Excel and Google Sheets can run formulas hidden in CSV files http://georgemauer.net/2017/10/07/csv-injection.html
• Motherboard flaws allow firmware protection bypasses https://www.bleepingcomputer.com/news/security/some-motherboards-plagued-by-bios-firmware-implementation-flaws/
• Lots of vulnerabilities patched this month including in the wild MS office remote code execution https://threatpost.com/microsoft-patches-office-bug-actively-being-exploited/128367/ and https://krebsonsecurity.com/2017/10/microsofts-october-patch-batch-fixes-62-flaws/
• BPC Bank's SmartVista e-commerce multiple serious vulnerabilities did not respond to researchers https://www.theregister.co.uk/2017/10/12/rapid7identifiesbpcbankingsqlinjectionflaw/

Privacy

• Lex Gill speaing at UofW on October 27 on Encryption in Canada and human rights  https://citizenlab.ca/2017/10/lex-gill-speak-university-waterloo-encryption-laws/
• On Border security and privacy http://www.michaelgeist.ca/2017/10/border-airport-privacy-appearance-standing-committee-access-information-privacy-ethics/ and https://www.eff.org/deeplinks/2017/10/pass-protecting-data-border-act
• Podcast from Down the Security Rabbit-hole, Are you paranoid enough about your privacy? http://podcast.wh1t3rabbit.net/dtsr-episode-265-privacy-and-paranoia

Hacking / Malware / Cybercrime

• On the ongoing Kaspersky scandal

  • Israelis caught Russians hacking US via Kaspersky https://thehackernews.com/2017/10/kaspersky-nsa-russian-hackers.html
  • Schneier on Kaspersky https://www.schneier.com/blog/archives/2017/10/moreonkaspers.html
  • Unlikely that Kaspersky Labs will survive https://www.databreachtoday.com/will-kaspersky-lab-survive-russia-hacking-scandal-a-10375
  • Podcast from Risk Business, Kaspersky is toast https://risky.biz/RB473
• Tracking down a stalker https://www.theregister.co.uk/2017/10/08/vpnlogshelpedunmaskallegednetstalkersayfeds/
• Endoscopes being used to jackpot ATMs https://www.databreachtoday.com/hackers-practice-unauthorized-atm-endoscopy-a-10369
• Malware used SWIFT transfers to steel 60M from bank in Taiwan https://www.bankinfosecurity.com/report-malware-wielding-hackers-hit-taiwanese-bank-a-10368
• Fake browser updates injecting malware from online pornography sites http://www.theregister.co.uk/2017/10/10/smutwatcherssuckeredbyevil_advertising/
• Interesting, easy, and hard to detect RDP pivoting technique to hijack outbound sessions once you've gained privilege https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
• Hybrid banking attacks https://www.theregister.co.uk/2017/10/10/hybridbankcyber_robbery/
• Another risk discussion of AI, including ethics https://www.darkreading.com/threat-intelligence/artificial-intelligence-experts-talk-ethical-security-concerns/d/d-id/1330081
• Ransomware hackers target schools and send personalized text threats to kids https://www.csoonline.com/article/3230975/security/dark-overlord-hacks-schools-across-us-texts-threats-against-kids-to-parents.html
• Followup on CCleaner malware, tracking a stolen code signing certificate https://blog.trailofbits.com/2017/10/10/tracking-a-stolen-code-signing-certificate-with-osquery/
• North Korea probing US utilities https://www.theregister.co.uk/2017/10/11/dprkhackersprobeusutilities/

Other Security / Risk

• Risks from unstructured data https://www.darkreading.com/analytics/security-monitoring/unstructured-data-the-threat-you-cannot-see--/a/d-id/1330070
• Replacing static identity information https://www.datex.ca/blog/moving-from-static-identity-to-digital-identity
• More on replacing SSNs https://www.wired.com/story/social-security-number-replacement
• Unauthorized crypto-currency mining, or "Cryptojacking", continues https://www.theregister.co.uk/2017/10/10/cryptojacking/
• North Korea may have hacked into South Korean military stealing war and assassination plans  http://www.bbc.co.uk/news/world-asia-41565281
• Project Zero looks at "binary diffing" to find disclosure 0-days bugs in older windows https://googleprojectzero.blogspot.ca/2017/10/using-binary-diffing-to-discover.html
• A secure programming web site with examples http://bobby-tables.com/ inspired by XKCD's Exploits of a Mom  https://xkcd.com/327/
• "Crypto Anchor" architecture uses Host Security Modules to better secure data https://www.wired.com/story/crypto-anchors-breach-security
• Quantum computing and the one-time-program https://www.technologyreview.com/s/609054/warning-this-algorithm-will-self-destruct-after-its-used/
• Intel has 17-qubit super-cooled chip https://www.technologyreview.com/s/609094/quantum-inside-intel-manufactures-an-exotic-new-chip/
• Is Donald Trump possibly rebooting Nixon's "Madman" Strategy? https://www.wired.com/story/donald-trump-madman-strategy-north-korea-nuclear-weapons
• On IoT (the Insecurity of Things) https://www.darkreading.com/endpoint/iot-insecurity-of-things-or-internet-of-threats/d/d-id/1330105
• Don't talk to strange (and creepy) drones https://www.washingtonpost.com/news/morning-mix/wp/2017/10/12/ohio-school-beware-of-talking-drone-trying-to-lure-kids-off-the-playground/

Off-Topic

• Planet 9 update, evidence mounts for a massive outer solar system planet  https://www.universetoday.com/137422/new-clues-emerge-existence-planet-9-1/
• Photo of a possible ice volcano https://apod.nasa.gov/apod/ap171009.html
• And from last week, the Monopoly Man at the Equifax Senate testimony https://www.cnbc.com/2017/10/04/someone-dressed-like-the-monopoly-guy-is-photobombing-the-senates-equifax-hearing.html