This Week’s [in]Security – Issue 76
10 Sep 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- Visa is aggressively pushing PIN on COTS “Merchants accepting PIN-based transactions via COTS devices must use or transition to a PCI-validated software-based PIN entry on COTS solution by 31 July 2019.” https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html despite the fact that there are no certified solutions https://www.pcisecuritystandards.org/assessorsandsolutions/spoc_solutions and no certified PTS 5.1 SCRP devices https://www.pcisecuritystandards.org/assessorsandsolutions/pintransactiondevices available yet.
- Card-not-present fraud rates and EMV adoption continue to improve https://usa.visa.com/visa-everywhere/security/visa-chip-card-stats.html
- JavaScript based card skimming malware https://www.bankinfosecurity.com/card-skimming-malware-campaign-hits-dozens-sites-daily-a-11451
- FDA probing payment facilitator Allied Wallet https://www.paymentfacilitator.com/risk-compliance/fda-probe-of-allied-wallet-is-frightening-news-for-pfs-everywhere/
- Study on the future of mobile payments, software security and biometrics https://www.mobilepaymentstoday.com/news/study-future-smartphone-payments-to-rely-on-software-security/
Breaches / Leaks
- British Airways mobile app and website suffers data breach of 380,000 payment cards https://www.reuters.com/article/us-iag-cybercrime-british-airways/iag-investigating-british-airways-customer-data-breach-idUSKCN1LM2P6
- New e-commerce skimming attack via MagentoCore https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/
- mSpy, a mobile spyware vendor, exposes sensitive data online https://krebsonsecurity.com/2018/09/for-2nd-time-in-3-years-mobile-spyware-maker-mspy-leaks-millions-of-sensitive-records/
- Almost 400K domains expose source code https://www.theregister.co.uk/2018/09/04/websitesourcecodedisclosure/
- Hanlon’s razor (“Never attribute to malice that which is adequately explained by stupidity.”) seems to be true for breaches too https://www.theregister.co.uk/2018/09/04/cckupoverconspiracytopsselfreporteddatabreaches/
- Opinion: Why the entire C-suite is responsible when a breach occurs https://www.datex.ca/blog/why-the-entire-c-suite-is-responsible-in-a-data-breach
Laws & Regulations / Standards
- An example of the impact of failing to protect evidence https://www.databreachtoday.com/destroyed-computer-hampers-lawsuit-in-premera-breach-a-11453
- JUST clicking a link shouldn’t be grounds for a warrant https://www.eff.org/press/releases/click-url-isnt-enough-search-warrant
- Google is refusing to testify before Congress with the other social media companies https://www.wired.com/story/mark-warner-senate-committee-hearing-google-facebook-twitter
- NIST releases a draft on Border Gateway Protocol (BGP) security, open for comment until October 15, 2018. Update: https://csrc.nist.gov/news/2018/nist-requests-comments-on-draft-sp-1800-14 Details: https://csrc.nist.gov/publications/detail/sp/1800-14/draft Project: https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing
- A look at how security protocols evolve and need to be evolved https://www.lightbluetouchpaper.org/2018/09/05/how-protocols-evolve/
- Schneier on Five Eyes position on surveillance over security https://www.schneier.com/blog/archives/2018/09/five-eyes_intel.html
- EPIC reporting on Senate questioning of Supreme Court nominee about privacy and the law https://epic.org/2018/09/senator-leahy-pursues-question.html
Privacy
- EFF comments on US assurances to EU under Privacy Shield and lack of progress meeting privacy commitments https://epic.org/2018/09/us-defends-privacy-shield-but-.html
- UK based marketer Everything DM fined £60k because they were unable to prove their customers got permission from recipients for 1.4M marketing emails https://www.theregister.co.uk/2018/09/05/icoslapsmarketingbizwith60kfine/
- IBM and the NYPD worked together to develop video surveillance software and tested it with NY CCTV footage https://www.theverge.com/2018/9/6/17826446/ibm-video-surveillance-nypd-cctv-cameras-search-skin-tone and https://theintercept.com/2018/09/06/nypd-surveillance-camera-skin-tone-search/
- New CitizenLab newsletter https://mailchi.mp/citizenlab/wechat-image-filtering-a-familiar-malware-campaign-against-the-tibetan-diaspora-and-nso-linked-to-amnesty-international-targets
Bugs / Design Flaws / Vulnerabilities / Defense
- Alexa “skill squatting” attacks could be used to hijack voice commands https://arstechnica.com/information-technology/2018/08/researchers-show-alexa-skill-squatting-could-hijack-voice-commands/
- There are lots of ways to obfuscate an IP address, and many of them have been around for decades; here’s one example: https://16843009/, which is better known as https://1.1.1.1/. Now there’s a test tool for these https://www.immunit.ch/blog/2018/09/02/xip-ip-addresses-mutation/
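As an added example (not from the newsletter or the linked post), a small Python normaliser for the inet_aton-style literal forms the item refers to, so URLs or log fields can be canonicalised before matching against allow/deny lists; the function names are my own and the inputs in the comments are constructed.

```python
import re

# Hypothetical helper: normalises the IPv4 literal forms accepted by the classic
# BSD inet_aton() parser (decimal, octal, hex, and 1-3 component shorthand)
# into a canonical dotted quad, so filters compare the same thing every time.

_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(text):
    """Parse one component as hex (0x..), octal (leading 0) or decimal."""
    if not _PART.match(text):
        raise ValueError("invalid component: %r" % text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)

def canonical_ipv4(literal):
    """Return the dotted-quad form of an inet_aton-style literal.

    Accepts 1 to 4 components. With fewer than four, the last component
    fills the remaining low-order bytes (a.b.c -> c is 16 bits, a.b -> b is
    24 bits, a -> 32 bits), which is the rule that lets 16843009 mean 1.1.1.1.
    """
    parts = [_parse_part(p) for p in literal.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1-4 components")
    # Leading components are single bytes; the final one spans the rest.
    last_bits = 8 * (5 - len(parts))
    value = 0
    for p in parts[:-1]:
        if p > 0xFF:
            raise ValueError("component out of range: %d" % p)
        value = (value << 8) | p
    if parts[-1] >= (1 << last_bits):
        raise ValueError("final component out of range: %d" % parts[-1])
    value = (value << last_bits) | parts[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def is_obfuscated_ipv4(literal):
    """True when the literal parses but is not already the canonical quad.

    Constructed inputs: "16843009" -> True, "1.1.1.1" -> False, "08" -> False.
    """
    try:
        return canonical_ipv4(literal) != literal.strip()
    except ValueError:
        return False
```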
- Application Security isn’t improving and 60% of vulnerabilities are never fixed https://www.databreachtoday.com/application-security-what-causes-inertia-a-11458
- How to secure serverless apps and how they are hacked https://www.csoonline.com/article/3300563/cloud-security/how-to-secure-serverless-apps-and-how-they-are-hacked.html
- Securing developers https://sector.ca/fixing-insecure-code-one-developer-at-a-time/
Hacking / Malware / Cybercrime / Offense
- Unhackable? If there was a “Petard Trophy”, John McAfee would be the most recent winner joining the likes of Oracle’s Larry Ellison https://www.theregister.co.uk/2018/08/31/bitfireluctantlydropsunhackableclaim/ and https://www.csoonline.com/article/3302363/security/bitfi-removes-unhackable-claim-from-crypto-wallet.html
- DIY IMSI catcher deployed at EMF Camp conference (and others) https://motherboard.vice.com/en_us/article/zmkj38/emf-camp-imsi-catcher-
- Researchers defeat domain validation using DNS cache poisoning to trick several unnamed CAs into issuing fraudulent certificates https://www.theregister.co.uk/2018/09/06/boffinsbreakcasdomainvalidation/
- Business e-mail compromise is mostly about wire transfers https://www.databreachtoday.com/business-email-compromise-schemes-most-seek-wire-transfers-a-11452
- 25% of BEC victims hide the compromise out of shame and fear https://www.theregister.co.uk/2018/09/07/scambusinessemailsonthe_rise/
- Krebs on the Satori IoT Botnet operator https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/
- Google warning about government backed phishing operations https://security.googleblog.com/2018/08/a-reminder-about-government-backed.html
- Exploited MikroTik routers maliciously eavesdropping on network traffic https://thehackernews.com/2018/09/mikrotik-router-hacking.html
- The official Chrome extension for the MEGA.nz cloud storage service has been replaced with a malicious credential thief https://thehackernews.com/2018/09/mega-file-upload-chrome-extension.html
- DDoS for hire gang leader pleads guilty to bomb threats https://krebsonsecurity.com/2018/09/leader-of-ddos-for-hire-gang-pleads-guilty-to-bomb-threats/
- North Korean 'spy' charged over NHS cyber attack http://www.bbc.co.uk/news/technology-45440533
- US charges North Korean for Sony hack https://www.cnn.com/2018/09/06/politics/doj-sony-hack-charges/index.html
- Ex-NASA contractor arrested and charged in a sextortion scam https://www.theregister.co.uk/2018/09/06/nasacontractorcharged/
- Old school ATM thefts are still a thing http://www.chch.com/opp-investigate-atm-stolen-td-bank-waterford/
Other Security / Risk
- Micromorts and microlives – measuring relative risks to mortality: article http://www.visualcapitalist.com/crunching-the-numbers-on-mortality/ and infographic http://www.visualcapitalist.com/wp-content/uploads/2018/08/crunching-numbers-on-mortality.html
- Schneier book announcement: Click Here to Kill Everybody, where Bruce argues the security game has changed from just data to real-life threats https://www.schneier.com/blog/archives/2018/09/newbookannoun.html
- Are we sacrificing election security for convenience? https://theintercept.com/2018/09/04/election-results-voting-system/
- Another example of Hanlon’s Razor – why insiders are your biggest threat https://www.packetlabs.net/yourcompanysgreatest_threat/
- BBC Horizon documentary: A Week without lying, the honesty experiment – using automated lie detection technology https://www.lightbluetouchpaper.org/2018/09/03/bbc-horizon-documentary-a-week-without-lying-the-honesty-experiment/
- Azure Active Directory takes an outage after disruption from Texas storm https://www.zdnet.com/article/microsoft-south-central-u-s-datacenter-outage-takes-down-a-number-of-cloud-services/
- Krebs - Are browser extensions worth the risk? https://krebsonsecurity.com/2018/09/browser-extensions-are-they-worth-the-risk/
- A skyscraper built in 2008 in San Francisco is leaning https://www.businessinsider.com/san-francisco-sinking-millennium-tower-concerning-window-crack-2018-9
- Engineering bacteria to treat illness is now a reality https://www.nytimes.com/2018/09/04/health/synthetic-biology-pku.html
Off-Topic / Science & Tech / Lighter Side
- Recent test of improved ion drive technology will improve rockets https://www.universetoday.com/139885/aerojet-rocketdyne-tests-out-its-new-advanced-ion-engine-system/
- Cleaning the ocean of plastic https://www.forbes.com/sites/jeffkart/2018/08/28/the-ocean-cleanup-is-starting-aims-to-cut-garbage-patch-by-90-by-2040/
- Glider sets a record by reaching a blood-boiling altitude https://www.cnn.com/travel/article/perlan-2-record/index.html
- A rare, near-perfect binary asteroid imaged by radar shortly after its discovery during a near-Earth pass https://www.syfy.com/syfywire/2017-ye5-a-rare-binary-asteroid-caught-on-radar
- Voyager 1, our most distant space probe, turns 41 and is still working (and Space X news too) https://www.theregister.co.uk/2018/09/06/voyagerat41/