Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI 2018 Special Interest Groups up for vote https://blog.pcisecuritystandards.org/vote-now-for-2018-special-interest-group-projects
• PCI Council preparing new software standards https://blog.pcisecuritystandards.org/securing-modern-payment-software-with-new-software-security-framework
• PCI on patching for small and medium sized businesses https://blog.pcisecuritystandards.org/patching-payment-data-security-essential-for-smbs
• Sometimes called "PIN on glass", the payment brands want consumers to be able to enter PINs on merchant mobile devices, PCI is looking at a security requirements https://blog.pcisecuritystandards.org/pci-software-based-pin-entry-on-cots-standard

Breaches / Leaks

• Personal information including national IDs of 33M South Africans  breached http://ewn.co.za/2017/10/18/huge-sa-data-breach-raises-identity-theft-concerns
• Microsoft's bug tracking db breached in 2013 http://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0
• Another AWS S3 breach, this time patient records, PII, and blood test results https://www.databreachtoday.com/blood-test-results-exposed-in-cloud-repository-a-10382
• Pizza Hut e-commerce breach (small) https://www.bleepingcomputer.com/news/security/users-report-fraudulent-transactions-after-pizza-hut-admits-card-breach/
• Spammers breach Domino's Pizza (Austrailia) for contact info https://www.theguardian.com/technology/2017/oct/18/dominos-blames-data-breach-on-former-suppliers-systems

Laws & Regulations / Standards

• Reforming the Copyright Board of Canada http://www.michaelgeist.ca/2017/10/prioritizing-public-interest-submission-copyright-board-canada-reform/
• The case for Canada's Anti-Spam law (CASL) http://www.michaelgeist.ca/2017/10/caseforcasl/
• DHS requiring all federal agencies to use DMARC HTTPS, and STARTTLS https://www.darkreading.com/attacks-breaches/dhs-to-require-all-fed-agencies-to-use-dmarc-https-and-starttls/d/d-id/1330137
• Supreme Court to hear Microsoft case against the Stored Communications Act https://www.databreachtoday.com/us-supreme-court-to-hear-microsoft-data-warrant-case-a-10384

Bugs / Design Flaws

• This has been a bad week for security with the ROCA and KRACK attacks:

  • ROCA - Key generation flaw in TPM chipset facilitates remote attackers to factoring RSA public keys to get private keys
  • Summary of paper, description of vulnerability, Q&A, resources https://crocs.fi.muni.cz/public/papers/rsa_ccs17
  • Good summay by Dan Goodin https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
  • Schneier summary https://www.schneier.com/blog/archives/2017/10/securityflawi_1.html
  • Vulnerability test suite https://keychest.net/roca
  • KRACK - most WPA2 clients are broken by a family of key re-installation attacks, pay attention to your device use cases and if you use WPA2-TKIP or GCMP
  • Announcement, paper, and details including a good Q&A at https://www.krackattacks.com/
  • High level analysis https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/
  • Krebs https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/
  • Some perspective on Krack https://www.theregister.co.uk/2017/10/17/kracken_patches/
  • The paper https://papers.mathyvanhoef.com/ccs2017.pdf
• Flash zero-day being exploited https://thehackernews.com/2017/10/flash-player-zero-day.html
• New and large IoT Botnet marshals forces of wireless IP cameras https://threatpost.com/iotroop-botnet-could-dwarf-mirai-in-size-and-devastation-says-researcher/128560/
• Office and other applications using Microsoft Dynamic Data Exchange (DDE) being silently  https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html

Privacy

• US mobile carriers selling non-anonymized, real-time access to consumer telephone data to 3rd parties https://www.csoonline.com/article/3233211/security/mobile-carriers-sell-users-personal-information-to-third-parties.html
• EPIC testifies before senate on reforming credit reporting  https://epic.org/2017/10/in-senate-testimony-epic-calls.html
• The EFF argues against expanding e-verify into the private sector https://www.eff.org/deeplinks/2017/10/expanding-e-verify-privacy-disaster-making

Hacking / Malware / Cybercrime

• UK Parliament brute force attacks attributed to Iran https://www.theregister.co.uk/2017/10/16/iranblamedukparliamentcyberattack/
• Hackers actively scanning for SSH keys https://threatpost.com/hackers-take-aim-at-ssh-keys-in-new-attacks/128537/
• The Canadian Communications Security Establishment (CSE) open sources their anti-malware tool http://www.cbc.ca/news/technology/cse-canada-cyber-spy-malware-assemblyline-open-source-1.4361728

Other Security / Risk

• Drone meets small turbo-prop on final approach in Quebec https://www.theregister.co.uk/2017/10/16/dronehitscommercialpassengerplaneincanada/
• Risks from printers https://www.darkreading.com/endpoint/printers-the-weak-link-in-enterprise-security/d/d-id/1330127
• Schneier on IoT security https://www.schneier.com/blog/archives/2017/10/iot_cybersecuri.html
• This years ACM Conference on Computer and Communications Security (CCS) site includes papers on KRACK and ROCA  https://www.sigsac.org/ccs/CCS2017/
• Risks of perfectionism in security https://blog.qualys.com/news/2017/10/19/gartner-the-pursuit-of-perfection-weakens-infosec-effectiveness
• Patent cases brought against Amazon and Microsoft using tribal sovereignty  loophole http://www.bbc.co.uk/news/technology-41679407
• Michael Geist's presentation to the Canadian Senate on Intellectual Property, e-Commerce, and NAFTA http://www.michaelgeist.ca/2017/10/nafta-modernization-ipe-commerce-appearance-senate-open-caucus/
• From 1995, a look back at the history of Equifax , the creation of the Fair Credit Reporting Act, and how much information they had and still have on people https://www.wired.com/1995/09/equifax/
• After Kaspersky what are other AV companies doing https://www.databreachtoday.com/surveying-17-anti-virus-firms-on-their-security-practices-a-10393
• SecTor 2017 (Nov 13-15) has finalized their speakers https://sector.ca/speakers/
• Gaming DRM cracked within a day https://www.schneier.com/blog/archives/2017/10/denuvodrmcrac.html

Off-Topic

• For the first time merging neutron stars simultaneously observed with gravity waves, gamma-ray bursts, and visually http://www.syfy.com/syfywire/big-news-for-the-first-time-astronomers-detect-gravitational-waves-from-two-neutron-stars
• Another quasi-satellite of Earth confirmed (there are a handful of these weird objects) https://www.universetoday.com/137564/nope-temporary-moon-isnt-space-junk-asteroid/
• The latest version of DeepMind's AlphaGo taught itself and crushed its previous human beating self https://www.technologyreview.com/s/609141/alphago-zero-shows-machines-can-become-superhuman-without-any-help/ and human experts describe moves as alien https://www.theatlantic.com/technology/archive/2017/10/alphago-zero-the-ai-that-taught-itself-go/543450/
• M51: The beautiful Whirlpool https://apod.nasa.gov/apod/ap171019.html