This Week’s [in]Security – Issue 70
30 Jul 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- PCI 2018 North American Community Meeting Agenda is now available https://events.pcisecuritystandards.org/las-vegas-2018/agenda/
- PCI 3-D Secure Software Development Kit (3DS SDK) is now available https://blog.pcisecuritystandards.org/pci-3-d-secure-software-development-kit-3ds-sdk-program-now-available
- PCI Assessor global executive roundtable announced for 2018-2020 https://www.pcisecuritystandards.org/getinvolved/globalexecutiveassessorroundtable and https://www.pcisecuritystandards.org/pdfs/2018GearPressRelease26July2018.pdf
- New PCI FAQ #1458 - What date should be used for “Date of Report” in the ROC? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-date-should-be-used-for-Date-of-Report-in-the-ROC
- We’ve updated our index of every known FAQ https://controlgap.com/index-pci-frequently-asked-questions/
- Visa issues security alert on call center chat and non-voice channels https://usa.visa.com/dam/VCOM/global/support-legal/documents/visa-security-alert-july-2018.pdf
Breaches / Leaks
- LifeLock fixes bug that allowed anyone to index millions of customer emails https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/
- Update on US healthcare breach trends https://www.databreachtoday.com/health-data-breach-tally-lots-hacks-fewer-victims-a-11246
- Update on last week’s manufacturing supply chain breach affecting over 100 companies including Tesla, Toyota, and Volkswagen - the exposed data was also writeable https://nakedsecurity.sophos.com/2018/07/25/how-one-hacker-could-have-changed-automotive-history/
- Data breach reports in the UK are up 4x since GDPR took effect https://www.databreachtoday.com/under-gdpr-data-breach-reports-in-uk-have-quadrupled-a-11249
- Equifax's Security Overhaul, a Year After Its Epic Breach https://www.wired.com/story/equifax-security-overhaul-year-after-breach also business is down and trust may be part of the reason https://www.pymnts.com/earnings/2018/equifax-sales-earnings-slump-data-breach/
- Early detection and the breach kill chain https://www.imperva.com/blog/2018/07/the-data-breach-kill-chain-early-detection-is-key/
Laws & Regulations / Standards
- NIST Draft Special Publication (SP) 800-163 Revision 1 updates the process for vetting mobile applications; open for comment until September 6, 2018 https://csrc.nist.gov/News/2018/nist-releases-draft-sp-800-163-rev-1-for-comment
- NIST released Draft NISTIR 8214, Threshold Schemes for Cryptographic Primitives; open for comment until October 22, 2018. Announcement: https://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8214-for-comment and details: https://csrc.nist.gov/publications/detail/nistir/8214/draft
- US Senator urging government to drop Adobe Flash https://threatpost.com/sen-wyden-urges-ban-of-adobe-flash-for-gov-use/134439/
- CIS adds guidance for Industrial Control Systems (slightly belated) https://www.tenable.com/blog/cis-adapts-critical-security-controls-to-industrial-control-systems
- Quebec Superior Court rules that the plan to block unlicensed online gambling sites is unconstitutional. The ruling may have implications for Bell’s proposed website blocking scheme http://www.michaelgeist.ca/2018/07/courtquebecsiteblocking/
- EPIC urges US Customs and Border Protection to suspend the biometric entry/exit program https://epic.org/2018/07/epic-urges-suspension-of-biome.html
- Police facial recognition system faces legal challenge in UK http://www.bbc.co.uk/news/uk-44928792
- ACLU challenges police departments using Amazon facial recognition. Tests mismatched 28 members of Congress with mug shots https://www.nytimes.com/2018/07/26/technology/amazon-aclu-facial-recognition-congress.html
- Admins beware: a student in India was jailed for five months over a WhatsApp group message sent by someone else https://www.bbc.co.uk/news/technology-44925166
- Ecuador expected to withdraw political asylum for WikiLeaks founder Julian Assange https://thehackernews.com/2018/07/wikileaks-julian-assange-ecuador-asylum.html
- Tribunal found GCHQ collected personal data from telecommunication companies without oversight between 2001 and 2012 https://www.bbc.co.uk/news/technology-44936592
Privacy
- Article and discussion of 1Password’s “Travel Mode” https://www.schneier.com/blog/archives/2018/07/1passwords_trav.html
- Privacy commissioner warns Canadians to keep smart phones at home secure when crossing the border https://www.thestar.com/vancouver/2018/07/24/leave-the-phone-at-home-privacy-commissioner-and-advocates-warn-canadians-to-keep-data-secure-when-crossing-the-border.html
- EFF and ACLU file brief in appeals case of border agents warrantless searches of personal electronic devices https://www.eff.org/deeplinks/2018/07/eff-files-amicus-brief-seventh-circuit-supporting-warrant-border-searches
- Tommy Hilfiger is the latest brand to offer “smart clothes” that track their wearers https://www.bbc.co.uk/news/technology-44965150
- Machine Learning: privacy and integrity problems, leaked training data and more https://freedom-to-tinker.com/2018/07/26/what-are-machine-learning-models-hiding/
- Another case of law enforcement using DNA websites, Canada is using ancestry DNA websites to help it deport people https://news.vice.com/en_ca/article/wjkxmy/canada-is-using-ancestry-dna-websites-to-help-it-deport-people
Bugs / Design Flaws
You know that the summer security conferences are here when you get a gaggle of new vulnerabilities:
- Many mixed-signal communication chips leak encryption keys via side channels radiated over RF, recoverable at a distance (“Screaming Channels”) https://www.theregister.co.uk/2018/07/27/screamingchannelsattack/
- A new sub-class of Spectre vulnerability affecting Intel, AMD, and ARM exploits the return stack buffer https://threatpost.com/new-spectre-level-flaw-targets-return-stack-buffer/134299/
- NetSpectre works over the network; it is very slow, but may still be good enough to exfiltrate small secrets https://arstechnica.com/gadgets/2018/07/new-spectre-attack-enables-secrets-to-be-leaked-over-a-network/
- Bluetooth man-in-the-middle-attack due to pairing without validation of public key ECC parameters https://www.schneier.com/blog/archives/2018/07/major_bluetooth.html and https://threatpost.com/bluetooth-bug-allows-man-in-the-middle-attacks-on-phones-laptops/134332/
- Sony security cameras are remotely exploitable https://www.theregister.co.uk/2018/07/23/sonysurveillancecam_flaws/ and https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html
- Research robots are open for Internet abuse https://www.technologyreview.com/s/611704/hordes-of-research-robots-could-be-hijacked-for-fun-and-sabotage/
- Intel Xeon patch for an “Evil Maid” attack via the USB debugging interface https://www.theregister.co.uk/2018/07/25/intelxeonusb_debugging/
Hacking / Malware / Cybercrime
- Unmasking Fancy Bear https://www.thedailybeast.com/mueller-finally-solves-mysteries-about-russias-fancy-bear-hackers
- Russian cyber warriors broke into many US utility companies, even some that were air-gapped https://www.bbc.co.uk/news/technology-44937787
- CrowdStrike survey finds 2/3 of organizations hit by supply-chain attacks https://www.darkreading.com/attacks-breaches/two-thirds-of-organizations-hit-in-supply-chain-attacks-/d/d-id/1332352 and https://www.crowdstrike.com/blog/global-survey-reveals-supply-chain-as-a-rising-and-critical-new-threat-vector/
- Virginia bank hit twice in eight months by cyberattacks stealing $2.4M https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/
- More on last week’s Russian bank theft – point of entry was a branch router https://arstechnica.com/information-technology/2018/07/prolific-hacking-group-steals-almost-1-million-from-russian-bank/
- Cosco, the shipping company – not the big box store, hit by ransomware https://www.bankinfosecurity.com/shipping-giant-cosco-hit-by-ransomware-attack-a-11256
- Former head of two Bitcoin exchanges pleads guilty to SEC violations and obstruction of justice following the theft of 6,000 BTC https://www.databreachtoday.com/head-hacked-bitcoin-exchange-pleads-guilty-to-us-charges-a-11247
- Rogue programmer at Russian payment firm Qiwi used payment terminals to mine 500K Bitcoins, CEO claims https://cointelegraph.com/news/ex-programmer-of-russian-payments-firm-qiwi-used-company-equipment-to-mine-500k-bitcoins-ceo-claims
- The FBI has a list of 41 most wanted cyber suspects. Article https://www.sfgate.com/technology/businessinsider/article/A-Game-of-Thrones-thief-and-a-dam-hacker-These-13095149.php and list https://www.fbi.gov/wanted/cyber (and so many of them look like bad webcam photos)
- Schneier on article about how to get away with financial fraud https://www.schneier.com/blog/archives/2018/07/onfinancialfr.html
- Hacking WinVote voting machines at DefCon https://www.darkreading.com/iot/the-abcs-of-hacking-a-voting-machine/d/d-id/1332386
- US DHS warns of ERP hacking targeting SAP, Oracle, and more https://www.theregister.co.uk/2018/07/25/latesthackercrazeerppwnage/
- NSA Office of Inspector General has delivered its first unclassified semi-annual report to Congress https://epic.org/2018/07/nsa-inspector-general-issues-f.html
Other Security / Risk
- With Chrome now flagging HTTP as insecure, why are these leading websites not using HTTPS https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests and HTTP wall of shame https://whynohttps.com/
- Article on going beyond PCI penetration testing to address the enterprise https://www.packetlabs.net/youre-pci-compliant-now-what/
- EFF’s analysis of Google’s Gmail “Confidential Mode” cites flaws and possibly misleading assurances of privacy and security https://www.eff.org/deeplinks/2018/07/between-you-me-and-google-problems-gmails-confidential-mode
- Google’s mandatory hardware security keys for employee logins have neutralized account phishing https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
- More on the problems with SMS 2FA and SIM hijacking https://lifehacker.com/two-factor-authentication-isnt-enough-to-keep-your-acco-1827867557
- Common errors made in survey analysis https://scienmag.com/alarming-error-common-in-survey-analyses/
- More on the controversy over mobile phones and cancer https://www.theguardian.com/technology/2018/jul/21/mobile-phones-are-not-a-health-hazard
- New 3D scanners could change airport security screening for the better https://www.cnn.com/travel/article/airport-scanners-liquid-heathrow-intl/index.html
- Microsoft releases easier to install PowerShell Core for Linux https://thehackernews.com/2018/07/powershell-core-linux-snap.html
- Preliminary work on virtual traffic lights shows promise https://www.technologyreview.com/s/611606/a-replacement-for-traffic-lights-gets-its-first-test/ but many challenges lie ahead, e.g. pedestrians, cyclists, and GPS spoofing (see https://controlgap.com/blog/this-weeks-insecurity-issue-69/)
- Article and discussion: Nicholas Weaver (and Bruce Schneier) are skeptical of cryptocurrencies https://www.schneier.com/blog/archives/2018/07/nicholasweaver2.html
- 72% of CEOs steal corporate IP https://www.darkreading.com/endpoint/72--of-ceos-steal-corporate-ip-from-former-employers/d/d-id/1332376
- Google’s “Shielded VMs” https://arstechnica.com/information-technology/2018/07/google-launches-shielded-vms-to-protect-cloud-servers-from-rootkits-data-theft/
- Japan has a unique and looming Y2K-like problem https://www.theguardian.com/technology/2018/jul/25/big-tech-warns-japan-millennium-bug-y2k-emperor-akihito-abdication
- The Girl Scouts get cybersecurity badge https://www.businessinsider.com/girl-scouts-ceo-adds-stem-badges-2018-7
Off-Topic
- Sign-language hack lets Amazon Alexa respond to gestures http://www.bbc.co.uk/news/technology-44891054
- K2 is second to Everest only in height. The mountain is very technical, has been climbed by 16x fewer people, and carries almost 4x the chance of death. Now someone has climbed it without oxygen and, for the first time, skied down it! https://www.cnn.com/2018/07/23/sport/k2-andrzej-bargiel-ski-descent-intl/index.html and the route taken http://www.alanarnette.com/blog/2018/07/22/k2-2018-summer-coverage-first-k2-ski-descent/
- Hyperloop test pod sets speed record of 457 km/h over 1.5km http://www.bbc.co.uk/news/technology-44924796
- M32 is a tiny remnant of a galaxy, but before it was shredded by Andromeda it was much larger and a sibling of the Milky Way https://www.universetoday.com/139664/andromeda-shredded-and-consumed-a-massive-galaxy-about-two-billion-years-ago/
- NASA video showing the dramatic increase in discovered Near-Earth Asteroids http://www.space.com/41260-near-earth-asteroid-detection-video-nasa.html
- Liquid water 'lake' discovered under Mars’ southern ice cap https://www.universetoday.com/139677/underground-liquid-water-found-on-mars/ and http://www.bbc.co.uk/news/science-environment-44952710
- Remembering some pioneers in their field, one of the last surviving female WWII pilots dies at 101 https://www.cnn.com/2018/07/26/uk/mary-ellis-pilot-dies-intl/index.html