Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Updates several FAQ's

  • 1328 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-version-of-PCI-DSS-should-I-use

  • 1440 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-does-PCI-DSS-Appendix-A2-apply-after-the-SSL-early-TLS-migration-deadline (renamed as well)

  • 1304 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-devices-does-PCI-DSS-Requirement-10-6-2-apply-to

  • 1282 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-an-entity-be-PCI-DSS-compliant-if-they-use-a-service-provider-that-is-validated-to-a-previous-version-of-PCI-DSS

  • 1221 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Do-shared-hosting-providers-need-to-comply-with-PCI-DSS

• PCI is asking for comments on the proposed 3DS v1.1 update https://blog.pcisecuritystandards.org/request-for-comments-pci-3ds-sdk-security-standard-v1-1
• USENIX Card Skimming detector The SkimReaper (yes - we want some) https://arstechnica.com/information-technology/2018/08/researchers-develop-device-to-aid-in-hunt-for-stealthy-atm-card-skimmers/
• Apparently, in the UK consumers prefer email when talking to card issuers (no word on how they deal with PCI DSS) https://www.mobilepaymentstoday.com/news/study-uk-consumers-prefer-email-to-communicate-with-card-issuers/
• Article on the changing nature of Point of Sale software https://www.theatlantic.com/technology/archive/2018/07/when-software-ate-the-point-of-sale/565919/
• BlackHat - flaws in MPOS readers https://www.darkreading.com/risk/flaws-in-mobile-point-of-sale-readers-displayed-at-black-hat/d/d-id/1332555

Breaches / Leaks

• Long running Adams County Wisconsin Data Breach Leaked Data Of More Than 250K People https://latesthackingnews.com/2018/08/12/massive-wisconsin-data-breach-data-of-more-than-258k-people-accessed/
• Another Trello leak exposes UK and Canadian government security plans https://theintercept.com/2018/08/16/trello-board-uk-canada/
• BlackHat - 2018 Pwnie awards https://www.darkreading.com/threat-intelligence/2018-pwnie-awards-who-pwned-who-got-pwned/d/d-id/1332562

Laws & Regulations / Standards

• Supreme court candidate Kavanaugh’s previous position on the US Patriot Act https://epic.org/2018/08/kavanaugh-white-house-counsel-.html
• DefCon – proprietary algorithms shielded as trade secrets used by criminal justice to decide your fate https://www.theregister.co.uk/2018/08/13/criminaljusticecode/
• EFF opinion on defect and vulnerability disclosure https://www.eff.org/deeplinks/2018/08/telling-truth-about-defects-technology-should-never-ever-ever-be-illegal-ever

Privacy

• Research showing that source and compiled code can be de-anonymized https://www.schneier.com/blog/archives/2018/08/identifying_pro.html
• Google is always tracking your location even when you disable the option to do so https://thehackernews.com/2018/08/google-mobile-location-tracking.html
• The option that actually stops Google tracking your location https://www.wired.com/story/google-location-tracking-turn-off
• Another example of the pitfalls of unencrypted DNS, application finger-printing, paper titled “Peek-a-Boo: I see your smart home activities, even encrypted!” https://www.theregister.co.uk/2018/08/10/internetofthingsencryptionsnooping/
• How WeChat filters images https://citizenlab.ca/2018/08/how-wechat-filters-images-for-one-billion-users/
• How to minimize "stalker ads" https://www.nytimes.com/2018/08/15/technology/personaltech/stop-targeted-stalker-ads.html

Bugs / Design Flaws

• Severe vulnerabilities not getting checked into commonly used databases https://www.theregister.co.uk/2018/08/14/recordsoftwarevulnerabilities/
• USENIX - Foreshadow a new Intel user space and enclave speculative execution vulnerabilities https://thehackernews.com/2018/08/foreshadow-intel-processor-vulnerability.html
• More vulnerabilities with remote server management, specifically Baseband Management Controllers https://www.theregister.co.uk/2018/08/10/datacenterhacking/
• BlackHat – x86 C3 processors advertised for use in high security applications have poor security and firmware level holes https://www.theregister.co.uk/2018/08/10/viac3x86processorbackdoor/
• MacOS zero-day allows malware to click “ok” on your behalf https://thehackernews.com/2018/08/macos-mouse-click-hack.html
• DefCon – more about the 2018 Vote Hacking Village and US government inaction https://www.theregister.co.uk/2018/08/13/defconelectionvote_hacking/
• BlackHat – mischief and insecurity in SatCom systems leading to a host of problems including possibly “operator flambé” https://www.theregister.co.uk/2018/08/10/satellitecommunicationsmicrowaveovenhacking/
• HP recently patched many faxes, printers and all-in-ones, many older and unsupported versions are vulnerable to exploitation, take over, and as a pivot into networks via a dial up connection https://www.wired.com/story/fax-machine-vulnerabilities
• Vulnerabilities in police body cams https://www.schneier.com/blog/archives/2018/08/hackingpolice\.html
• India's second largest bank hit for $13.5M in ATM and SWIFT attack https://www.bleepingcomputer.com/news/security/hackers-steal-135-million-across-three-days-from-indian-bank/

Hacking / Malware / Cybercrime

• Heads up, FBI advance alert about an expected mass ATM jackpotting attack https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz/
• Consider methodology & accreditations when choosing a penetration tester https://www.packetlabs.net/choosing-a-penetration-testing-company/
• Nigerian citizen convicted for phishing US universities https://www.darkreading.com/attacks-breaches/nigerian-national-convicted-for-phishing-us-universities/d/d-id/1332539
• Risks of demand side hacking - power hungry IoT connected consumer devices and the power grid https://www.wired.com/story/water-heaters-power-grid-hack-blackout
• AT&T sued over $24M over cryptocurrency SIM hijacking attacks https://www.databreachtoday.com/att-sued-over-24-million-cryptocurrency-sim-hijack-attacks-a-11365

Other Security / Risk

• Pentagon is rethinking its multibillion-dollar relationship with U.S. defense contractors to stress supply chain security https://www.washingtonpost.com/world/national-security/the-pentagon-is-rethinking-its-multibillion-dollar-relationship-with-us-defense-contractors-to-stress-supply-chain-security/2018/08/12/31d63a06-9a79-11e8-b60b-1c897f17e185_story.html
• DefCon talk by ex-NSA on nation state hacking https://www.theregister.co.uk/2018/08/13/formernsatophackernamesthefilthyfourofnationstatehacking/
• Loosely related to de-anonymization, Bayesian statistics can be used to determine the authorship of music https://www.npr.org/2018/08/11/637468053/a-songwriting-mystery-solved-math-proves-john-lennon-wrote-in-my-life
• Wi-fi could be used to detect weapons and bombs https://www.bbc.co.uk/news/technology-45196164
• Debate on healthcare and personal device access to records https://www.databreachtoday.com/should-staff-ever-use-personal-devices-to-access-patient-data-a-11346
• Shades of Cambridge Analytica, the rise of "neuropolitics"  https://www.technologyreview.com/s/611808/the-neuropolitics-consultants-who-hack-voters-brains/
• Krebs - is it time to separate mobile devices from valuable assets? https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/
• Enabling private DNS with 1.1.1.1 on Android 9 Pie https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/
• FutureX is hosting a webinar "Crypto Agility and the Role of Financial AES" https://register.gotowebinar.com/register/3435499240551300098

Off-Topic

• Opportunity still MIA as months long Martian dust storm nears end https://www.universetoday.com/139760/as-the-martian-dust-storm-subsides-theres-still-no-word-from-opportunity/
• New measurements of Polaris (the North Star) nail down its distance https://www.syfy.com/syfywire/how-far-away-is-polaris
• No planets will survive inside globular clusters https://www.syfy.com/syfywire/the-last-place-to-look-for-planets-omega-centauri
• New papers put String Theory, Dark Matter, and Expansion at odds https://www.quantamagazine.org/dark-energy-may-be-incompatible-with-string-theory-20180809/
• Physicist Richard Feynman’s spaghetti breaking enigma solved using a robot and breaking a lot of spaghetti https://www.washingtonpost.com/news/morning-mix/wp/2018/08/16/this-spaghetti-breaking-problem-stumped-physicist-richard-feynman-two-mit-students-have-now-solved-it/
• Our resident astronomy geek is crushed, Alberio isn't actually a true binary star (but it's still spectacular)  https://www.syfy.com/syfywire/long-standing-astronomical-mystery-solved-albireo-is-not-a-binary-star