controlgap.com

Posts about:

NIST (5)

This Week’s [in]Security – Issue 117 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI PINv3 key blocks, PFI program updates, payment terminal inspections, Desjardins insider theft, DHS breach, prosecutors expose underage victims, pre-owned Nest Cams pwned, AMCA breach leads to bankruptcy, a web hosting company has been charged along with the operators of a massive child-porn operation, Knowledge-Based Authentication (KBA) is now officially dead, $1.5T lost in a decade of US breaches, a batch of NIST drafts for comment over the last few weeks, Big Data, surveillance, and drone privacy, US and APTs hacking the grids, Facebook-coin, quantum-safe crypto, Mongo encrypts, Google goes with commutative encryption, TV-AV, the impending worm, QuadrigaCX crypto-fraud, do we really need digital license plates, C programmers being bitten by undefined behavior, a real-life Iron Man suit, and more.


This Week’s [in]Security – Issue 104 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: NIST FPE update may render some deployed solutions weak, NIST formalizes TDES sunset, Magecart breaches at MyPillow and Amerisleep, stalkerware exposes spied data, Facebook storing plain-text passwords, 100K GitHub repositories exposed API and cryptographic keys, DHS client breach, FEMA overshared PII with contractor, more credential collections, Gearbest breach, motel spycam arrests, TLS middle-boxes, Google fined, did Facebook learn anything from the CA scandal, MySpace fumbles, the immutable Blockchain vs unstoppable laws, Boeing 737 Max investigations, FUD and sales, the risks of meteors, CMEs & SPEs, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.


This Week’s [in]Security – Issue 102 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: PCI DSS 4.0 begins its journey, debates on cashless and contactless payments, 2018 data breaches up by over 4x, policy and cyber risk disclosure, breach followups, another mega breach of contact information, what's Facebook up to, more undisclosed microphones, NIST updates, NSA's reverse engineering tool opens up, Equifax fumbles again, a new class of firmware attacks, more IoT, several zero-days in the wild, bots, big data, echo chambers, behavior prediction, and more.


This Week’s [in]Security – Issue 101 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: detailed alert on trending e-commerce attack methods, PCI glossary for small business, PCI seeks input on SPoC MSR, large surveillance db leak, watchlists exposed, many NIST announcements, FPE update, patent on opting-in, fix-it-already project, fighting fake news with MetaFact, fighting trolls in the midterms, USB-C Thunderbolt risks, a slew of bugs, SuperMicro vulnerabilities used to pwn IBM cloud servers, Comcast and Kanye West have nothings in common, financial group undermining TLS 1.3, Quadriga's empty cold-wallets, Marriott's GDPR liability, moderator PTSD, carbon sequestering, the solar system gets bigger, and more.


7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise | blog,pci,cryptography | Control Gap

Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES, they've issued a news release that one of the approved modes has been broken. Since FPE is actively deployed within the payment industry, this will have implications for payment security and users of this technology. But how bad is the problem? And if you happen to be affected, what can you do?
