Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Many articles on the PCI blog this week including:

  • PCI Trends in payment security https://blog.pcisecuritystandards.org/payment-security-areas-to-watch
  • 3D Secure https://blog.pcisecuritystandards.org/what-to-know-about-the-new-pci-3ds-core-security-standard
  • PCI requesting input for PIN on glass standard https://blog.pcisecuritystandards.org/request-for-comments-pci-software-based-pin-entry-on-cots-standard
  • Progress on compliance from the EU community meeting https://blog.pcisecuritystandards.org/payment-security-insights-with-eucm-speaker-chris-novak
• PCI publishes 3DS standard and a matrix (at time of this writing the category filter appears to be broken) https://www.pcisecuritystandards.org/document_library?category=3ds

Breaches / Leaks

• Bermuda law firm, Appleby, was hacked in 2016and being investigated by reporters https://www.theregister.co.uk/2017/10/25/bermudalawfirm_hack/
• UK's Financial Conduct Authority is piling on to the Equifax investigation http://www.bbc.com/news/technology-41737241
• Appearently Equifax was warned https://www.wired.com/story/equifax-warned-of-vulnerability-months-before-breach/
• F-Secure study, 1/3 of CEO external accounts breached https://www.darkreading.com/informationweek-home/30--of-major-ceos-have-had-passwords-exposed/d/d-id/1330234

Laws & Regulations / Standards

• EFF speaks out about FBI position on section 702 surveillance https://www.eff.org/deeplinks/2017/10/fbi-director-wray-wrong-about-section-702-surveillance
• More FBI anti-encryption positioning https://www.schneier.com/blog/archives/2017/10/fbiincreasesi.html
• Hacking the terrible idea of hacking back https://www.schneier.com/blog/archives/2017/10/hackingback1.html
• FDA guidance on patching medical devices https://www.databreachtoday.com/fda-spells-out-when-medical-device-modifications-need-review-a-10412
• Two NIST drafts are out (SP) 800-56A R3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/draft, and (2) Draft Special Publication 800-56C R1, Recommendation for Key Derivation through Extraction-then-Expansion https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/draft.

Bugs / Design Flaws

• DUHK, another vulnerability in deprecated crypto implementations using bad rng and hardcoded seeds https://thehackernews.com/2017/10/crack-prng-encryption-keys.html
• DUHK and FIPS certifications https://threatpost.com/duhk-attack-exposes-gaps-in-fips-certification/128582/
• ROCA bites another crypto vendor https://www.theregister.co.uk/2017/10/23/rocacryptoflaw_gemalto/
• Windows credentials hijacked via shares https://www.bleepingcomputer.com/news/security/hackers-can-steal-windows-login-credentials-without-user-interaction/
• Shipping at risk http://www.zdnet.com/article/hackers-gain-full-access-to-maritime-ships/
• More IoT Bugs this time LG smart appliances can be hijacked https://www.bleepingcomputer.com/news/security/bug-in-mobile-app-lets-hackers-take-control-of-lg-smart-devices/

Privacy

• iOS apps with camera access can stealthily spy on you https://www.theregister.co.uk/2017/10/25/iosappscamera_spying/

Hacking / Malware / Cybercrime

• Someone is trying to phish/exploit security researchers http://www.zdnet.com/article/hackers-target-security-researchers-with-malware-laden-document/
• More ransomware using recent vectors https://www.tenable.com/blog/detecting-bad-rabbit-ransomware
• Kaspersky on the NSA employee who let the code out of the bag https://theintercept.com/2017/10/25/nsa-workers-software-piracy-may-have-exposed-him-to-russian-spies/
• Dell Backup and Recovery domain hijacked to serve up malware https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/
• Krebs on the Reaper and other Botnets  https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/ and Reaper may be bing over hyped https://krebsonsecurity.com/2017/10/fear-the-reaper-or-reaper-madness/
• UK NHS Wannacry[pt] postmortem https://www.databreachtoday.com/postmortem-finds-nhs-could-have-prevented-wannacry-a-10413

Other Security / Risk

• Google is de-emphasizing SMS 2FA https://www.theregister.co.uk/2017/10/23/googleslidestextmessage2faalittleclosertothedoor/
• Windows anti ransomware features have arrived https://www.bleepingcomputer.com/news/microsoft/windows-10s-controlled-folder-access-anti-ransomware-feature-is-now-live/
• Microsoft open sources "Sonar" web security tool https://blogs.windows.com/msedgedev/2017/10/25/introducing-sonar-site-scanner/
• Really bad automatic translation leads to unjustified arrest https://www.theguardian.com/technology/2017/oct/24/facebook-palestine-israel-translates-good-morning-attack-them-arrest
• USB stick found with security plans prompts Heathrow  to review security http://www.bbc.co.uk/news/uk-41792995
• Solution using decoy servers and databases https://www.theregister.co.uk/2017/10/23/illusivenetworksdecoyserversoftware/
• Risk of delayed breach detection https://www.darkreading.com/endpoint/why-data-breach-stats-get-it-wrong/a/d-id/1330227
• Neural network to break CAPTCHAs http://www.bbc.com/news/technology-41775968
• Article on audit preparation, ready or unready? https://dgozone-pci.weebly.com/blog/pci-newsletter-54-about-auditor-expectations-and-audit-dry-runs
• Social media issues after death https://www.thestar.com/news/gta/2017/10/20/mother-takes-tech-giants-to-court-to-get-passwords-for-her-dead-sons-social-media-accounts.html
• Conference: Hot Topics in Security (HotSoS) #5 next April, call for papers https://cps-vo.org/group/hotsos and https://csrc.nist.gov/News/2017/Call-for-Papers-Presentations-for-5th-Annual-HotSo

Off-Topic

• Chicken Little can relax a bit, there are only about  37 more undiscovered potentially hazardous near earth asteroids https://www.universetoday.com/137583/good-news-everyone-less-deadly-undiscovered-asteroids-thought/
• The weird case of a Jupiter sized exo-planet with a Neptune sized exo-moon https://www.universetoday.com/137615/neptune-sized-exomoon-found-orbiting-jupiter-sized-planet/