controlgap.com
Posts about:
TLS
This Week's [in]Security - Issue 259 | insecurity | Control Gap
Welcome to This Week’s [in]Security. PCI and payments: PCI SSF Web, ATM rootkit, Bitcoin ATMs. Training & events. New breaches: more Samsung, TransUnion, Bridgestone, Texas. New Ransomware: avoslocker, decryptor, more Conti. Major outages: Israel. Follow-ups & Fall-out. Privacy: Laws & Regs - Canada: Privacy and Mobility. US: New reporting, DHS, FTC, exam cheats. World: Cyber convention, crypto wars, ICO sued. Standards: new NIST. Defense: passwordless, deepfakes, red/purple teams, dev tools. Vulnerabilities, Other Vulnerabilities: SATCOM, Human factors, Bandaids, BIND, Dirty Pipe, HTMLtoPDF, TLS rollback. Patching: Spectre, OpenSSL. Crypto-research: RSA keys. Cybercrime: Trends: Captchas, Blink, DirtyMoe, B1txor20, Gh0stCringe. Nation States and mercenaries: Alerts. China, Russia. Crime & Enforcement: theft, scams, convictions. Other Risks: Street signs, Splinternet, forgery, Disinformation, Brazil. Health, Safety & Environment. Permanent DST? Russia v. Ukraine. Innovation and more. New qubits.
This Week's [in]Security - Issue 248 | insecurity | Control Gap
Welcome to This Week’s [in]Security. Big-Hacks: Log4J, new RCE, the long road. New breaches: T-Mobile, Redline Stealer, LastPass. New Ransomware: Saskatchewan, Norway, Shutterfly, Law Enforcement. Major outages: Backup Failure. Privacy: Spying toys, EFF's 2021. Laws & Regs - US: Missouri, Morgan Stanley. World: India. Defense: Krebs, TLS deprecates SHA1 & MD5. Vulnerabilities: Netgear, MS Exchange Y2K22 bug. Cybercrime: Trends: 2FA interception, Galaxy store, SSDs, Online courses. Nation States: Hackers-4-hire, Poland. Crime & Enforcement: Butter? Other Risks: Science, Cyber-due-diligence, ANOM, BlackBerry EOL, Double Fake NFTs. Health, Safety & Environment: Alexa lethal challenge. Fireworks, winter driving, recall, 5G, Satellites. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Learned; Impact; Covid Compliance. And more.
This Week's [in]Security - Issue 235 | insecurity | Control Gap
Welcome to This Week’s [in]Security. PCI and payments: Remote Assessment, PA-DSS/SSF transition. CPE Maintenance, P2PE v3.1, PIN Program, Technical FAQ, DSS FAQ, Neiman Marcus card breach, ApplePay/Visa Express Travel vulnerability. New breaches: Meet the Pandora Papers (Remember the Panama Papers?), LinkedIn Scrape (126M), Barclays, Portpass & Sask QR vaccine apps, GrupoGSS. Multi-party breach impact. New Ransomware: Human-operated ransomware. Follow-ups & Fall-out: Fatal ransomware, Clubhouse, Facebook data collection (3.8B), Dallas Police, Epik. Privacy: Android location tracking, pandemic privacy. Laws & Regs: Canada: vaccine passports. US: 4th amendment. World: Russia. Standards: NIST updates, drafts, papers, news. Defense: Webinars, Webinars. CISA. Tools, email, DMARC, TLS 1.3, Tokenization vs. Encryption, Tracking crypto, scambaiting. Vulnerabilities, Zerodays: Other Vulnerabilities: 5G apps, after patching, OWASP 2021, AirTags, Azure, MS MFA, Elastic Stack API, Autodiscover, vCenter. University Wi-Fi, Bitcoin ATMs. Cybercrime: Trends: OTP bots, Fake Pegasus defense, GriftHorse SMS fraud, FinSpy, FoggyWeb. Nation States. Crime. Other Risks: Domain Names, Outsourced, Misinformation, Lying AI, Bulletproof TLS. Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Impact; Covid Ugly; And more.
Why Organizations Need to Become Crypto-Agile and What that Means | blog,pci,cryptography | Control Gap
Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES and other 64-bit block ciphers are on the way out. RSA will likely follow, and our current pre-quantum public key cryptosystems will eventually become deprecated. These changes have impact and require widespread coordination. Old software and hardware will need to be upgraded or replaced. It will require time, effort, money, and proactive management. Simply reacting will be risky, painful, and expensive. Industry needs to learn from past changes so that organizations can be ready. Most importantly, we need to do better than we have done in the past. But how?
This Week's [in]Security - Issue 226 | insecurity | Control Gap
Welcome to This Week’s [in]Security. Union Pay and PCI, New FAQ, Magecart. UI Rant. New breaches, New Ransomware: Ports. Blood Services, gangs. Follow-ups & Fall-out....
This Week's [in]Security - Issue 200 | insecurity | Control Gap
Welcome to This Week’s [in]Security. SIGS. FAQ. New breaches: 220M, GOAT Breach? UScellular. EU. Mensa. New Ransomware. SkipTheDishes. Remote Proctoring. Facebook Oversight Board. catfishing. Credential Stuffing Liability. Crypto-wars. NIST&ISO. Pwn2Own. BlastDoor. Sudo. Flash Reflux?? Libgcrypt. WordPress Popup Builder. TikTok. Fuji HMI. ADT. Deepfakes. PrusaSlicer. NAT Slipstreaming. Trends. Ghost Accounts. Realtime Phishing. SolarWinds. Nation States. Arrests, etc. Netwalker. Disrupting Emotet. Influence Operations. Twice Victimized. Big Data. Bulletproof TLS. Health, Safety & Environment. GameStop. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. New Variants. Impact. Immunity, Vaccines, and Vaccination. And more.
This Week's [in]Security - Issue 197 | insecurity | Control Gap
Welcome to This Week’s [in]Security. SolarWinds. Riot fallout. New PCI FAQs. SPoC Unsupported O/S RFC. New breaches. New Ransomware. Mining AI. WhatsApp & Facebook. Telegram. Old SSL/TLS. Selfies vs. Fraud. Browsers. Android. reCAPTCHA. Titan. Fortinet WAF. Zend Framework. Nvidia. The Great Suspender. Trends. Nation States. Arrests, etc. Bulletproof TLS. WiFi6. Bad Citations. EC-RAM. Outages. Refund (of sorts). AI. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. New Variants. Impact. Immunity, Vaccines, and Vaccination. The Good, Bad, and Ugly (Behaviour). And more.
This Week’s [in]Security – Issue 135 | insecurity | Control Gap
Welcome to This Week’s [in]Security. This week: PCI DSS 4 Comment Period. New PCI Contactless on COTS standard. EMVCo and 3D Secure. A PCI Horror Story. Magecart. Carders. Breaches at top domain registrars, UniCredit (3rd time's a charm), Bed Bath & Beyond, Desjardins breach numbers grow. Hall of shame - bank asking for other bank passwords. FB agrees to fine. Several articles on the ups and downs of facial recognition. Textalyzers?! ISPs called out for encrypted DNS lies. Bye, bye Flash! Small quantum key distribution chip. Experimenting with post-quantum TLS. Delegated TLS credentials. ECC crypto timing attack. General attack on fingerprint readers. Random fail. SMS and WhatsApp hacking. FB sues NSO Group. BlueKeep in the wild. Brain hacks. Amazon account fraud using non-Amazon devices. And more.
This Week’s [in]Security – Issue 104 | insecurity | Control Gap
Welcome to This Week’s [in]Security. This week: NIST FPE update may render some deployed solutions weak, NIST formalizes TDES sunset, Magecart breaches at MyPillow and Amerisleep, stalkerware exposes spied data, Facebook storing plain-text passwords, 100K GitHub repositories exposed API and cryptographic keys, DHS client breach, FEMA overshared PII with contractor, more credential collections, Gearbest breach, motel spycam arrests, TLS middle-boxes, Google fined, did Facebook learn anything from the CA scandal, MySpace fumbles, the immutable Blockchain vs unstoppable laws, Boeing 737 Max investigations, FUD and sales, the risks of meteors, CMEs & SPEs, and more.
Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.