Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI added a new 3DS document for the 3DS SDK https://www.pcisecuritystandards.org/documents/PCI3DSSDKSecurityStandard_v1.0.pdf and an article on this https://blog.pcisecuritystandards.org/pci-3ds-sdk-standard-now-available

Breaches / Leaks

• Forever 21 payment card breach in POS, tokenization didn't help https://thehackernews.com/2017/11/data-breach-forever21.html
• Browse-Secure for Chrome harvesting your data https://www.bleepingcomputer.com/news/security/browse-secure-extension-harvests-contact-info-from-facebook-and-linkedin/
• Forbes 30 under 30 website leaks attendee PII https://motherboard.vice.com/en_us/article/evb8yw/forbes-30-under-30-conference-website-exposed-attendees-personal-information
• Drone maker DJI leaks cert private keys on GitHub and other keys on AWS S3 https://www.theregister.co.uk/2017/11/16/djiprivatekeysleftgithub/
• The Data Breach Clearing House  posted a flurry of new breach information on Friday    https://www.privacyrights.org/data-breaches the source seems to have almost entirely been the HHS wall of shame the https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
• Another AWS S3 breach, this time US miltary contractor exposes it was monitoring social media for years https://www.pcmag.com/news/357465/pentagon-accidentally-exposes-web-monitoring-operation

• Equifax followups:

  • The market punishing Equifax https://www.darkreading.com/informationweek-home/customers-punish-breached-companies/d/d-id/1330387 and http://www.brandindex.com/article/equifaxs-perception-dropping-faster-recent-data-breaches-and-other-crises
  • Reaction to Equifax CEO testimony https://www.tenable.com/blog/hiding-behind-the-apt-helplessness-defense-really
  • Opting out of an Equifax service https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifax-revealing-your-salary-history/

Laws & Regulations / Standards

• Whitehouse updates Vulnerability Equities Process https://www.schneier.com/blog/archives/2017/11/newwhitehouse_1.html
• Another copyright ruling overreach?> https://www.eff.org/deeplinks/2017/11/another-court-overreaches-site-blocking-order-targeting-sci-hub
• EFF analysis challenges claims that patents are being improperly invalidated at a high rate https://www.eff.org/deeplinks/2017/11/stupid-patent-data-month-misunderstanding-data-leads-misunderstanding-patent-law
• Intellectual property and the TPP http://www.michaelgeist.ca/2017/11/rethinking-ip-in-the-tpp/
• Singapore considering limiting use of NRIC their national ID numbers https://www.databreachtoday.com/singapore-considers-limiting-use-nric-numbers-a-10454
• Canada Revenue Agency court order forces PayPal to give up data on small business transactions with PII implications http://www.michaelgeist.ca/2017/11/canada-revenue-agency-obtains-broad-court-order-years-paypal-data/
• In NY, cellphone monitoring requires a warrant https://arstechnica.com/tech-policy/2017/11/if-nypd-cops-want-to-snoop-on-your-phone-they-need-a-warrant-judge-rules/
• First Amendment appeal on anonymous speech lost https://www.eff.org/deeplinks/2017/11/appeals-courts-disturbing-ruling-jeopardizes-protections-anonymous-speakers
• In Australia, businesses are responsible for the decisions of their AIs  https://www.itnews.com.au/news/aussie-businesses-to-take-the-rap-for-their-algorithms-actions-477820

Bugs / Design Flaws

• Bug in Huddle session tokens exposes sensitive customer data http://www.bbc.co.uk/news/technology-41969061
• Another big month for patches (over 100 CVEs between MS and Adobe)  https://www.theregister.co.uk/2017/11/15/novemberpatchtuesday/
• Amazon delivery key flaw https://www.wired.com/story/amazon-key-flaw-let-deliverymen-disable-your-camera/ and Amazon promises fix https://threatpost.com/amazon-promises-fix-for-wireless-key-hack/128928/
• Cisco Voice OS platform bugs https://threatpost.com/cisco-warns-of-critical-flaw-in-voice-os-based-products/128913/
• Oracle/PeopleSoft in Tuxedo Jolt bugs https://www.theregister.co.uk/2017/11/16/oraclepeoplesofttuxedosecurityvulnerabilities/
• ROCA strikes again, impacting Spain's national ID card http://www.zdnet.com/article/id-card-security-spain-is-facing-chaos-over-chip-crypto-flaws/
• GitHub takes aim at vulnerable dependencies http://www.zdnet.com/article/github-to-devs-now-youll-get-security-alerts-on-flaws-in-popular-software-libraries/

Privacy

• This is actually quite disturbing, widely used session replay services collect IDs, passwords, and payment card data https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/
• Beware connected toys http://www.bbc.co.uk/news/technology-41976031 and https://www.theguardian.com/technology/2017/nov/14/retailers-urged-to-withdraw-toys-that-allow-hackers-to-talk-to-children
• EFF Street-Level Surveillance Project https://www.eff.org/deeplinks/2017/11/effs-street-level-surveillance-project-dissects-police-technology

Hacking / Malware / Cybercrime

• Weak RDP exploited to deliver randsomware https://www.darkreading.com/attacks-breaches/crooks-turn-to-delivering-ransomware-via-rdp/d/d-id/1330451
• Was the Etherium lockout a hack? https://www.theregister.co.uk/2017/11/10/parity280methereumwalletlockdown_hack/
• The Etherium bug was on Parity's "To Do List" https://www.theregister.co.uk/2017/11/16/parityflawnot_fixed/
• US CERT advisory on North Korean's Hidden Cobra /  FALLCHILL RAT https://www.us-cert.gov/ncas/alerts/TA17-318A
• Apple Face ID busted? https://www.wired.com/story/hackers-say-broke-face-id-security/
• Your kid may be able to fool Apple's face ID and lighting conditions may make this easier  https://www.wired.com/story/10-year-old-face-id-unlocks-mothers-iphone-x/
• A year ago, a DHS team powned a 757 remotely https://www.bleepingcomputer.com/news/security/dhs-team-hacks-a-boeing-757/
• Wikileaks Vault 8 opens with disclosuer of "Hive" framework https://wikileaks.org/vault8/ and review https://www.bleepingcomputer.com/news/government/wikileaks-releases-source-code-of-cia-cyber-weapon/
• Article on Shadow Brokers vs NSA https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html and discussion https://www.schneier.com/blog/archives/2017/11/longarticleon_1.html
• Microsoft using neural-fuzzing for tests https://www.darkreading.com/application-security/microsoft-uses-neural-networks-to-make-fuzz-tests-smarter/d/d-id/1330429
• Article on another technique for lateral movement using Outlook and DCOM https://posts.specterops.io/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript-a88a81df27eb
• OnePlus phones have built-in backdoor https://www.wired.com/story/oneplus-phones-have-an-unfortunate-backdoor-built-in/ and a second logging app https://thehackernews.com/2017/11/oneplus-logkit-app.html
• Update on Kaspersky and DHS https://www.databreachtoday.com/dhs-official-no-proof-kaspersky-software-used-to-hack-fed-it-a-10456 and the ex-NSA employee https://www.darkreading.com/analytics/121-pieces-of-malware-flagged-on-nsa-employees-home-computer/d/d-id/1330450
• More on drive by crypto mining https://www.theregister.co.uk/2017/11/15/coinmining30000sitescryptojacking/
• There seems to be a flaw in McAfee's ClickProtect system https://www.databreachtoday.com/mcafee-url-security-service-gave-pass-to-banking-trojan-a-10458
• Another imploded cybersecurity firm https://krebsonsecurity.com/2017/11/r-i-p-root9b-we-hardly-knew-ya/
• Drone company's bug bounty program NDA under fire https://www.theregister.co.uk/2017/11/16/djibugbounty_nda/

Other Security / Risk

• Phishing may be the weakest link http://www.zdnet.com/article/resilience-to-phishing-attacks-is-failing-to-improve/
• Blockchain based Botnets https://sector.ca/building-botnets-on-the-blockchain/
• And in related news, UK supermarkets to test facial ID for restricted products http://www.bbc.co.uk/news/technology-41981983
• PayPal suspends TIO service over vulnerabilities https://www.express.co.uk/news/world/878210/PayPal-TIO-service-suspend-news-cybersecurity-trading-security-money
• Monero miner hidden in cookie consent code https://www.bleepingcomputer.com/news/security/cookie-consent-script-drops-in-browser-cryptocurrency-miner/
• Widespread election meddling hits 18 countries in 2016 http://www.bbc.com/news/technology-41983599
• GDPR and not-so-locked-down mobile devices https://www.darkreading.com/mobile/companies-blindly-believe-theyve-locked-down-users-mobile-use/d/d-id/1330421
• Users of Firefox NoScript will have noticed that the all new Firefox 57 https://blog.mozilla.org/blog/2017/11/14/introducing-firefox-quantum/ broke NoScript and they'll need to install the new Noscript webextension https://hackademix.net/2017/11/14/double-noscript/
• Authentication tool for AWS S3 buckets https://medium.freecodecamp.org/user-management-with-aws-cognito-1-3-initial-setup-a1a692a657b3
• In Australia, social media disagreement between security researchers turns into restraining orders https://www.bankinfosecurity.com/australian-infosec-analysts-hit-restraining-orders-a-10455
• Article and comments showing just how messy practical crypto discussions can get https://www.theregister.co.uk/2017/11/16/banksecuritycrypto_reloaded/
• Tim Berners-Lee on the current state of the web https://www.theguardian.com/technology/2017/nov/15/tim-berners-lee-world-wide-web-net-neutrality

Off-Topic

• Photos from new Zwicky Transient Facility telescope: near 7° field of view and 600 Mpixel camera http://www.syfy.com/syfywire/a-new-observatory-keeps-a-very-very-large-eye-on-the-sky
• Concept Car using self-healing body work and carbon super-capacitor body panels  http://www.telegraph.co.uk/news/2017/11/11/lamborghini-creates-self-healing-sports-car/
• New insights into the dinosaur killer shows local geology made it deadlier https://www.universetoday.com/137851/dinosaur-killing-asteroid-hit-earth-exactly-wrong-spot/
• New US space plane completes free flight test https://www.universetoday.com/137858/nasas-next-generation-spaceplane-passes-free-flight-test/
• Closer look for nearby exo-planet to see if it's habitable http://www.bbc.com/news/science-environment-41995572