Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI DSS 3.2.1 supporting documents are now available:

  • Prioritized Approach https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI-DSS-v321.pdf and tool https://www.pcisecuritystandards.org/documents/Prioritized-Approach-Tool-v321.xlsx
  • ROC Reporting Template https://www.pcisecuritystandards.org/documents/PCI-DSS-v321-ROC-Reporting-Template.pdf
  • AOC attestations for merchants https://www.pcisecuritystandards.org/documents/PCI-DSS-v321-AOC-Merchant.docx and service providers https://www.pcisecuritystandards.org/documents/PCI-DSS-v321-AOC-ServiceProviders.docx
  • SAQs and SAQ attestations in the document library https://www.pcisecuritystandards.org/document_library
• PCI awareness: patching infographic https://blog.pcisecuritystandards.org/infographic-patching and video https://blog.pcisecuritystandards.org/video-patching

Breaches / Leaks

• 100M records exposed by Android and iOS mobile appsin Google Firebase databases used  https://thehackernews.com/2018/06/mobile-security-firebase-hosting.html
• CIA/Wikileaks Vault-7 leaker charged https://www.databreachtoday.com/massive-cia-hacking-tool-leak-ex-agency-employee-charged-a-11102
• North Bay healthcare provider Care Partners suffers breach of personal information http://www.nugget.ca/2018/06/18/data-breach-at-carepartners
• Analysis of the HIPAA “wall of shame” data for 2018 shows on average a breach every 25h 20m https://www.databreachtoday.com/analysis-health-data-breach-tally-trends-a-11104
• And another US healthcare breach of 270K records https://www.databreachtoday.com/hacking-incident-at-billing-vendor-affects-270000-patients-a-11116
• Flightradar24 breached for emails and hashed passwords https://www.theregister.co.uk/2018/06/21/flightradar24databreach/

Laws & Regulations / Standards

• The insane and long ignored catch-22 situation preventing medical equipment from being patched https://www.theregister.co.uk/2018/06/19/healthcareregulationsworkingagainstcybersecurity/
• A flagrant example of automated take-down notices running amok Volkswagen https://www.eff.org/takedowns/volkswagen-claims-ownership-entire-group-insects
• FBI recovers WhatsApp, Signal data stored on Michael Cohen’s BlackBerry https://arstechnica.com/information-technology/2018/06/fbi-recovered-hundreds-of-encrypted-messages-from-michael-cohens-phone/
• Vermont has become the first state in the U.S. to have a law imposing disclosure and data security obligations on data brokers https://www.privacyrights.org/blog/vermont-leads-way-regulating-data-brokers
• Motion picture industry lobbying Canada for additional site-blocking and de-indexing in Copyright Act http://www.michaelgeist.ca/2018/06/siteblockingsequel/
• EU legislation committee votes to recommend controversial Internet content laws including link taxes and copyright filters https://www.eff.org/deeplinks/2018/06/wednesday-eu-committee-voted-break-internet-sunday-berliners-take-streets-say-no

Privacy

• Facebook violated FTC consent orders which in turn were not enforced https://epic.org/2018/06/at-senate-hearing-former-ftc-c.html
• The practice of browser fingerprinting will have to change under GDPR and ePrivacy rules https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers
• Verizon will stop sharing customer location data with third parties. Sprint and AT&T  follow suit https://krebsonsecurity.com/2018/06/verizon-to-stop-sharing-customer-location-data-with-third-parties/

Bugs / Design Flaws

• 96% of websites have security vulnerabilities https://www.darkreading.com/attacks-breaches/most-websites-and-web-apps-no-match-for-attack-barrage/d/d-id/1332092
• OpenBSD disables Intel hyper-threading possibly in anticipation of a new firmware bug https://www.theregister.co.uk/2018/06/20/openbsddisablesintels_hyperthreading/
• Another signature spoofing affecting Simple Password Store and GnuPG https://www.theregister.co.uk/2018/06/19/gnupgpoppedagaininpass/
• New attack against SSL libraries exposes private keys is a risk to servers https://www.cso.com.au/article/642481/novel-attack-hits-openssl-boringssl-others-exposing-private-keys/
• Malicious browser links can be exploited to get precise location data if Google Home and Chromecast devices are on the same network https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/
• The new iOS 11.3 USB Restricted mode has already been broken https://www.darkreading.com/endpoint/hackers-crack-iphone-defense-built-to-block-forensic-tools/d/d-id/1332058
• B-Sides presentation on infrastructure hacks of SCADA systems using a small rogue controller, opening small safes, and more https://www.theregister.co.uk/2018/06/18/physicallyhackingscada_infosec/
• Decade old MacOS encryption security bug in Quick Look feature’s cache leaks encrypted photos and file contents to unencrypted folders https://thehackernews.com/2018/06/apple-macos-quicklook.html
• iOS Security code autofill feature to ease 2-factor authentication a bad idea for transaction authentication systems https://www.schneier.com/blog/archives/2018/06/perverse_vulner.html

Hacking / Malware / Cybercrime

• Interesting research on how evil batteries could be used to obtain sensitive information from systems https://freedom-to-tinker.com/2018/06/20/exfiltrating-data-from-the-browser-using-battery-discharge-information/
• Two new IoT attacks https://freedom-to-tinker.com/2018/06/21/fast-web-based-attacks-to-discover-and-control-iot-devices/
• Symantec uncovers systematic intrusions into satellite communications, command and control systems https://www.databreachtoday.com/hackers-hit-satellite-operators-telecoms-symantec-says-a-11111
• More malware from North Korea https://www.zdnet.com/article/windows-warning-us-exposes-north-korea-governments-typeframe-malware/
• Malware delivers adware and takes screenshots https://www.zdnet.com/article/this-sneaky-windows-malware-delivers-adware-and-takes-screenshots-of-your-desktop/
• Hacker Breaches Syscoin GitHub Account and Poisons Official Client https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/
• Liberty Insurance of South Africa becomes Cyber Attack Victim https://www.cybersecurity-insiders.com/liberty-insurance-of-south-africa-becomes-cyber-attack-victim/
• Bithumb taken for $32M in another crypto-exchange theft https://www.bbc.com/news/technology-44547250
• Europol Dismantles One of the Internet's Oldest Hacker Groups https://www.bleepingcomputer.com/news/security/europol-dismantles-one-of-the-internets-oldest-hacker-groups/
• ATM jackpotter pleads guilty in Massachusetts https://www.darkreading.com/operations/mass-man-pleads-guilty-in-atm-jackpotting-operation/d/d-id/1332079
• Jeopardy champion charged with unauthorized computer access https://motherboard.vice.com/en_us/article/d3kjwm/7-time-jeopardy-winner-pleads-guilty-to-hacking-into-the-email-of-students-and-faculty

Other Security / Risk

• Smart rings are now a thing! And three things come to mind (1) it’s cool, (2) how well will it handle IoT security, and (3) can we turn it into a hacking tool (or one ring to hack them all) https://popbindo.com/products/xenxo-wearable-smart-ring-best
• Replica of Enigma cracking machine, the Bombe, goes on display in new exhibit at Bletchley Park https://www.theregister.co.uk/2018/06/19/tnmocbombegallery_opening/
• Interview with Chris Wysopal formerly of L0PHT on the state of Internet Security https://www.theregister.co.uk/2018/06/18/l0phtchriswysopal_interview/
• The rising risk of fake videos and implications for justice https://www.wired.com/story/faked-video-could-end-justice-by-twitter-mob
• Did Trump give Kim Jong Un his actual personal number and why that would be a bad idea https://www.wired.com/story/trum-kim-jong-un-direct-number-bad-idea
• Bitcoin cannot scale to handle the volumes of traditional payments https://www.bloomberg.com/news/articles/2018-06-17/bitcoin-could-break-the-internet-central-banks-overseer-says
• IBM storage failure causes data loss at University of New South Wales https://www.itnews.com.au/news/unsw-loses-data-after-ibm-storage-failure-494470
• A textbook example of being run over by the process-bus: man fired after an administrative mistake cascades through companies HR algorithms https://www.bbc.com/news/technology-44561838
• Google on new metrics for biometrics https://security.googleblog.com/2018/06/better-biometrics-in-android-p.html

Off-Topic

• Obsolete, jarring, dangerous, and fast, high-wheeled bicycles or Penny Farthing’s are nearly 150 years old. Racing them and setting world records is still a thing! http://www.bbc.co.uk/news/uk-44503724
• Astronomers have found a way to detect exo-planets early in their life span in the gas clouds surrounding young stars https://scienmag.com/new-and-improved-way-to-find-baby-planets/
• A new look at the Drake equation and Fermi's paradox concludes we are likely alone in the universe https://www.universetoday.com/139467/new-model-predicts-that-were-probably-the-only-advanced-civilization-in-the-observable-universe/
• Cyanobacteria’s efficiency in low light may help to terraform Mars https://www.universetoday.com/139481/could-cyanobacteria-help-to-terraform-mars/
• Algorithm figures out how to solve Rubik’s Cube without human assistance https://www.technologyreview.com/s/611281/a-machine-has-figured-out-rubiks-cube-all-by-itself/