Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Security Council calling for final feedback round on the Software Security Standard (S3) that will eventually replace PA-DSS https://blog.pcisecuritystandards.org/final-request-for-comments-draft-pci-software-security-framework
• PCI updates PIN standard from version 2.0 to 3.0 eliminates some legacy practices and sets up for AES. Announcement https://www.pcisecuritystandards.org/pdfs/PCISECURITYSTANDARDSCOUNCILUPDATESPINSECURITYSTANDARDPressReleaseFinal.pdf. Summary of changes https://www.pcisecuritystandards.org/documents/PCIPINSecurityRqrmtsModificationsv3SummaryofChanges_Aug2018.pdf, Requirements and Testing Procedures https://www.pcisecuritystandards.org/documents/PCIPINSecurityRequirementsTestingv3Aug2018.pdf.
• PCI ASV program guide errata update now available https://www.pcisecuritystandards.org/documents/ASVProgramGuide_v3.1.pdf
• PCI Forensic program qualification requirements updated and will go into effect 2019 https://www.pcisecuritystandards.org/documents/PFIQualificationRequirementsv3.1April_2018.pdf
• PCI’s small merchant initiative resources are now called Data Security Essentials (DSE) https://www.pcisecuritystandards.org/merchants/
• Vendors of PCI approved solutions (i.e. P2PE, PA-DSS, PTS, 3DS, and SPoC) submitting after September 1, 2018 will need to sign a newly revised Vendor Release Agreement which includes GDPR provisions https://www.pcisecuritystandards.org/documents/VendorReleaseAgreement_-July2018.docx

Breaches / Leaks

• Reddit breach is another example of the failings of SMS 2-factor authentication. Taken: user IDs and salted-hashed passwords for users registered before May 2007 https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/
• SalesForce marketing cloud data exposed to possible disclosure/corruption https://www.databreachtoday.com/salesforce-security-alert-api-error-exposed-marketing-data-a-11278
• TCM Bank leaked data, including names, addresses, birth dates, and social security numbers, for thousands of credit card applicants over 16 months https://krebsonsecurity.com/2018/08/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months/
• Attackers claim thousands of patient records held for ransom in Ontario home care data breach https://www.cbc.ca/news/technology/carepartners-data-breach-ransom-patients-medical-records-1.4749515
• UnityPoint Health has second breach of 2018 for 1.4M patient records https://www.darkreading.com/attacks-breaches/unitypoint-health-reveals-14-million-patient-breach/d/d-id/1332457
• Another leaky AWS S3 bucket of medical data leaked data from iCliniq https://www.theregister.co.uk/2018/08/03/icliniqcloudbreach/
• Update on the UK’s Dixon Carphone Warehouse breach balloons from 1.2M to 10M records https://www.theguardian.com/business/2018/jul/31/dixon-carphone-10m-customers-hit-by-data-breach-investigation
• Yale University just might win an award for the longest belated breach disclosure – they just realized they were breached in for 9 months in 2008-2009 https://www.darkreading.com/attacks-breaches/yale-discloses-data-breach/d/d-id/1332439
• Impact of GDPR on breach reporting and on Facebook https://www.pymnts.com/news/regulation/2018/gdpr-facebook-data-breach-fines-compliance/
• Why don’t people change their data breach enabling behavior https://www.nytimes.com/2018/08/01/technology/data-breaches.html
• Activist publishes 11K Wikileaks Twitter direct messages  https://motherboard.vice.com/en_us/article/3kyv9n/activist-publishes-11000-wikileaks-twitter-direct-messages-dms

Laws & Regulations / Standards

• US airport security's 'Quiet Skies' program tracks passengers using an algorithm to assign Sky Marshalls to follow individuals http://www.bbc.co.uk/news/world-us-canada-45011347
• California Consumer Privacy Act: What you need to know to be compliant https://www.csoonline.com/article/3292578/privacy/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
• New report on Police Digital Forensics Techniques by Center for Strategic & International Studies (the other CSIS) https://www.schneier.com/blog/archives/2018/07/newreporton_p.html
• Amazon: Cops should set confidence level on facial recognition to 99% https://arstechnica.com/tech-policy/2018/07/amazon-cops-should-set-confidence-level-on-facial-recognition-to-99/
• Comcast and city of Corvallis in dispute over unauthorized installation of Wi-Fi equipment https://arstechnica.com/tech-policy/2018/07/cable-lobby-lied-to-fcc-about-comcasts-bad-behavior-city-says/
• Australian hotel chain fined $2.2M for manipulating TripAdvisor reviews https://www.cnn.com/travel/article/australia-tripadvisor-hotel-fined-trnd/index.html
• HHS looking at changing healthcare data privacy regulations including reducing regulatory burden https://www.databreachtoday.com/hhs-weighs-changes-to-health-data-privacy-regulations-a-11271
• EFF comments on the law enforcement Octopus Conference and privacy implications of pressure for faster-easier investigations https://www.eff.org/deeplinks/2018/08/behind-octopus-hidden-race-dismantle-global-law-enforcement-privacy-protections
• EFF’s Stupid Patent of the Month – Prepaid Cards https://www.eff.org/deeplinks/2018/07/stupid-patent-month-upaid-sues-offending-laundromats-using-prepaid-cards
• When crossing the Canadian border, encryption is no guarantee, says new handbook https://www.thestar.com/vancouver/2018/08/01/when-crossing-the-canadian-border-encryption-is-no-guarantee-says-new-handbook.html

Privacy

• Important privacy settings for your Amazon Echo, Show, Spot, and Dot https://www.privacyrights.org/blog/how-keep-your-private-moments-more-private-your-amazon-echo
• Paper looks at using metadata to identify individuals, and metadata obfuscation techniques using machine learning by looking at Twitter as a proof of concept https://www.schneier.com/blog/archives/2018/07/identifyingpeo8.html
• Information directories at Cadillac Fairview malls have cameras hidden inside and are using facial recognition without notification or consent  https://www.thestar.com/news/gta/2018/07/26/directories-at-cadillac-fairview-malls-have-cameras-inside.html and https://www.cbc.ca/news/canada/manitoba/cadillac-fairview-facial-recognition-winnipeg-1.4763804
• College planning survey data on thousands of students up for sale https://www.nytimes.com/2018/07/29/business/for-sale-survey-data-on-millions-of-high-school-students.html
• Ontario teen's photos, info ended up in someone else's hands after she traded in her broken iPhone https://www.cbc.ca/news/canada/toronto/ontario-teen-data-broken-phone-dubai-1.4759755
• CCleaner now always on and collecting data with no way to opt out https://thehackernews.com/2018/08/ccleaner-software-download.html

Bugs / Design Flaws

• Precision based errors in graphics packages can have security implications such as overflows https://googleprojectzero.blogspot.com/2018/07/drawing-outside-box-precision-issues-in.html
• Five backdoors in Cisco equipment have been found this year https://www.schneier.com/blog/archives/2018/08/backdoorsinci.html
• Patch and pray, an open letter to Microsoft about poor Windows 10 update experiences https://www.bleepingcomputer.com/news/microsoft/an-open-letter-to-microsoft-about-poor-windows-10-update-experiences/
• Google Project Zero: Adventures in Vulnerability Reporting Processes https://googleprojectzero.blogspot.com/2018/08/adventures-in-vulnerability-reporting.html

Hacking / Malware / Cybercrime / Crime

• Scammers going after education funds https://www.cnbc.com/2018/07/16/safeguard-this-tax-favored-savings-account-its-next-on-thieves-list.html
• Krebs article on the rise of targeted phishing https://krebsonsecurity.com/2018/08/the-year-targeted-phishing-went-mainstream/
• Facebook has identified a coordinated political influence campaign https://www.nytimes.com/2018/07/31/us/politics/facebook-political-campaign-midterms.html
• Crimes involving resale of in-game items go back at least a decade and include child labor and money laundering, recent examples https://kromtech.com/blog/security-center/digital-laundry and discussion https://www.schneier.com/blog/archives/2018/08/usingin-gamep.html
• Exploiting phantom COM objects https://www.darkreading.com/threat-intelligence/hundreds-of-registry-keys-exposed-to-microsoft-com-hijacking/d/d-id/1332441
• Three Ukrainian’s arrested relation to FIN7 hacking group behind breaches at Arby's, Chili's, Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-In and Taco John's and theft of 15M payment cards https://www.databreachtoday.com/feds-announce-arrests-3-fin7-cybercrime-gang-members-a-11272
• Fin7: The Inner Workings of a Billion-Dollar Hacking Group https://www.wired.com/story/fin7-wild-inner-workings-billion-dollar-hacking-group
• The malware you didn’t know about, recovery from ransomware uncovers multiple infections https://www.databreachtoday.com/ransomware-attack-leads-to-discovery-lots-more-malware-a-11262
• Massive “malvertising” campaign launched via 100K WordPress sites https://www.theregister.co.uk/2018/07/30/malvertising_wordpress/
• Warning: snail-mail malware laden media https://krebsonsecurity.com/2018/07/state-govts-warned-of-malware-laden-cd-sent-via-snail-mail-from-china/
• Old school business continuity response to ransomware: pen, paper, and typewriters https://www.theregister.co.uk/2018/08/03/alaskantownhasentirenetworkownedbyransomwarecrims/
• Flaw in JPay system at Idaho Department of Corrections used by 364 inmates at 5 facilities to inflate their credit by almost $225K https://www.nytimes.com/2018/07/27/us/idaho-prison-hack-jpay-nyt.html
• Why crypto-currencies are an easy target for criminals https://sector.ca/why-cryptocurrency-is-an-easy-target-for-thieves/
• Google bans stealthy crypto mining apps from Play Store https://thehackernews.com/2018/07/android-cryptocurrency-mining.html
• A look at how Russia attacked US campaigns and elections https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/
• Russian hackers tricked people into giving their passwords https://apnews.com/20c35e9c1df74533a830cf7329f7daad
• The almost forgotten story of how an ex-copy rigged McDonald's Monopoly game (and how Canadian's were being cheated all along) https://www.thedailybeast.com/how-an-ex-cop-rigged-mcdonalds-monopoly-game-and-stole-millions

Other Security / Risk

• How U2F makes 2-factor authentication easier https://www.packetlabs.net/twofactorauthentication/
• Lava lamps are known good sources of randomness which Cloudflare exploits to improve security https://www.wired.com/story/cloudflare-lava-lamps-protect-from-hackers
• Bulletproof TLS #43 – Chrome now marking HTTP insecure, Canadian Government HTTPS policy, Firefox advanced certificate viewer plugin, last week’s invalid ECC attack has been seen before in browsers, Amazon’s Load Balancer doesn’t validate certificates but does something else instead https://www.feistyduck.com/bulletproof-tls-newsletter/issue43chromenowsaysnotsecureforhttp_webpages.html
• Update on Firefox distrusting older Symantec certificates https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/
• Discussion and link to GCHQ assessment of Quantum Key Distribution and it’s limits https://www.schneier.com/blog/archives/2018/08/gchqonquantum.html
• New book on how to improve project management capability and processes using use rigorous process capability assessment and ISO 21500 https://www.amazon.com/gp/offer-listing/1138298522/ref=dpolpnewmbcmma?ie=UTF8&condition=new
• Why neutrality in news is so important https://www.theguardian.com/commentisfree/2018/jul/29/the-guardian-view-on-the-fight-against-fake-news-neutrality-is-not-an-option
• Tourist complains about trip to Egypt online and ends up in prison https://www.eff.org/deeplinks/2018/07/lebanese-tourist-sentenced-eight-years-egyptian-prison-viral-video
• US Department of National Intelligence report on business and cyber-espionage https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf
• The poor state of US space assets cybersecurity https://www.schneier.com/blog/archives/2018/07/thepoorcybers.html
• Pentagon’s Chinese and Russian company Do-Not-Buy list https://www.bleepingcomputer.com/news/government/pentagon-creates-do-not-buy-list-of-chinese-and-russian-software-providers/
• Report finds NSA has yet to fix security holes that helped Snowden leaks https://www.engadget.com/2018/07/28/nsa-has-yet-to-fix-security-holes-that-helped-snowden-leaks/
• New DARPA initiative looks to reinvent computer chips, new materials, new architectures, vastly accelerated design https://www.technologyreview.com/s/611725/darpa-has-an-ambitious-15-billion-plan-to-reinvent-electronics/
• Apple owes Canadian patent company US$145.1 million in damages for infringement https://globalnews.ca/news/4366768/apple-wi-lan-patent-infringement/
• An example of risk to connected cars from previous owners (i.e Jaguar, Land Rover) https://www.theregister.co.uk/2018/07/27/jaguarlandroverconnectedcar_privacy/
• Secondary risks of cannabis edibles, four-year-old Halifax girl treated in hospital after gobbling cannabis chocolate bar https://www.thestar.com/news/cannabis/2018/07/23/four-year-old-halifax-girl-treated-in-hospital-after-gobbling-cannabis-chocolate-bar.html

Off-Topic

• Camera detecting and filming meteor impacts on the Moon catches two a day apart http://www.syfy.com/syfywire/watch-two-meteorites-hit-the-moon
• Boeing shifts schedule for Starliner, calls 2019 crew launch “realistic” https://arstechnica.com/science/2018/08/boeing-shifts-schedule-for-starliner-calls-2019-crew-launch-realistic/
• If you ever wondered how a Formula 1 vehicle would do on a normal street- watch this  https://www.roadandtrack.com/motorsports/a22625704/daniel-ricciardo-drives-f1-car-through-america/
• 2 kiloton meteoroid explosion over the US' Thule Air Force Base in Greenland http://www.syfy.com/syfywire/a-bright-meteor-over-greenland-didnt-spark-nuclear-war-phew
• The Very-Large-Array has found the first lone planetary mass object outside our solar system about 20 ly distant https://phys.org/news/2018-08-vla-extrasolar-planetary-mass-magnetic-powerhouse.html