This Week’s [in]Security – Issue 18

Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Blog on how encrypted data affects scope https://blog.pcisecuritystandards.org/faq-how-does-encrypted-cardholder-data-impact-pci-dss-scope

Breaches / Leaks

• America's Job Link Alliance breached for 6M SSN's across 10 states http://www.csoonline.com/article/3209983/security/hacker-made-off-with-over-5-5-million-social-security-numbers-across-10-states.html and https://www.privacyrights.org/data-breaches?title=Kansas%20Department%20of%20Commerce
• Sweden leaks entire car ownership database https://www.theregister.co.uk/2017/07/23/swedenleakedeverycarownersdetailslastyearthentriedtohushit_up/
• US Voter registration data on sale in dark web https://www.darkreading.com/attacks-breaches/voter-registration-data-from-9-states-available-for-sale-on-dark-web/d/d-id/1329451
• US healthcare "wall of shame" restructured and clarified http://www.databreachtoday.com/hhs-makes-changes-to-wall-shame-breach-reporting-site-a-10146

Lawful Access / Back-doors / Laws & Regulations

• Discussion of alternatives to encryption backdoors https://www.schneier.com/blog/archives/2017/07/alternativesto1.html
• US NATFA renegotiation targets provincial privacy restrictions http://www.cbc.ca/news/politics/nafta-data-storage-privacy-1.4220272

Bugs

• What's your fridges Cyberstar rating?  https://www.theguardian.com/technology/2017/jul/24/smart-tvs-fridges-should-carry-security-rating-police-chief-says
• Tenable to unveil Docker Hub Vulnerabilities at Blackhat http://www.tenable.com/blog/black-hat-sneak-preview-new-vulnerabilities-exposed-in-docker-hub
• Windows SMB DoS zero day https://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/126927/
• How not handle a bug report https://www.theregister.co.uk/2017/07/25/hungarianteenagerarrestsparksprotests/
• Badly designed app used by Police and Municipalities http://www.csoonline.com/article/3210813/security/police-municipalities-are-using-highly-insecure-bright-city-app.html

Privacy

• Creepy, iRobot  contemplating selling maps of Roomba users homes https://www.theguardian.com/technology/2017/jul/25/roomba-maker-could-share-maps-users-homes-google-amazon-apple-irobot-robot-vacuum
• EU court strikes down EU-Canada agreement on airline passenger records, could EU-US agreement be next https://epic.org/2017/07/european-court-halts-retention.html

Hacking / Malware / Cybercrime

• The story behind the arrest of Citadel banking trojan author https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-developer-got-busted/
• Krebs talks with Dutch Cops on Hansa takeover https://krebsonsecurity.com/2017/07/exclusive-dutch-cops-on-alphabay-refugees/
• Successful but mediocre hackers https://www.darkreading.com/vulnerabilities--- threats/iranian-cyber-espionage-group-copykittens-successful-but-not-skilled/d/d-id/1329466 

Other Security / Risk

• Why vulnerability scans alone are not enough https://www.packetlabs.net/more-than-a-va-scan/
• Fighting BEC (Business email compromises) https://sector.ca/how-to-fight-business-email-compromise/
• Understanding Android Trust Zones https://googleprojectzero.blogspot.ca/2017/07/trust-issues-exploiting-trustzone-tees.html

Off-Topic

• Large Coronal Mass Ejection not pointed at Earth https://astroengine.com/2017/07/23/the-sun-just-unleashed-a-massive-explosion-at-mars/
• Photo of the Milkyway over Monument Valley https://apod.nasa.gov/apod/image/1707/MonumentValleyMasterson2048.jpg