controlgap.com

Welcome to This Week’s [in]Security. Magecart exfiltration. More FPE Weakness. Big-Hacks: Exchange Hack. F5 Attacks. SolarWinds. New breaches: WeLeakInfo. New Ransomware. Acer. Ransomware cost. Big Brother UK. Find My Device. Privacy Theatre. Background Checking Your Date. Internet Blocking. Apple & Russia. Interrupts. Ransomware protection. DevSECops. SMS Hijacking. Power Grid. Pickle Files. File Nesting. Spectre POC. Fiserv. ZeroDays. Trends. Worms. Nation States. Hacking Spree. Telcos. Crime. FBI Crime Report. Camera Arrest. DarkWeb. Smart Doorbell Risk. H2O. Voting Machines. Insider Risk. Infrastructure and Platform Risk. Illegal Blockchain. Big Microsoft Outage. Health, Safety & Environment. Covid-19: Spread, Curves, Spikes, Waves, & reinfections. Impact. Immunity, Vaccines, and Vaccination. And more.

Welcome to This Week’s [in]Security. This week: NIST FPE update may render some deployed solutions weak, NIST formalizes TDES sunset, Magecart breaches at MyPillow and Amerisleep, stalkerware exposes spied data, Facebook storing plain-text passwords, 100K GitHub repositories exposed API and cryptographic keys, DHS client breach, FEMA overshared PII with contractor, more credential collections, Gearbest breach, motel spycam arrests, TLS middle-boxes, Google fined, did Facebook learn anything from the CA scandal, MySpace fumbles, the immutable Blockchain vs unstoppable laws, Boeing 737 Max investigations, FUD and sales, the risks meteors, CMEs & SPEs, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

Last month NIST announced they were seeking feedback on a proposed updated guidance for FPE. More formally this is SP 800-38G rev 1 "Recommendation for Block Cipher...

Welcome to This Week’s [in]Security. This week: detailed alert on trending e-commerce attack methods, PCI glossary for small business, PCI seeks input on SPoC MSR, large surveillance db leak, watchlists exposed, many NIST announcements, FPE update, patent on opting-in, fix-it-already project, fighting fake news with MetaFact, fighting trolls in the midterms, USB-C Thunderbolt risks, a slew of bugs, SuperMicro vulnerabilities used to pwnd IBM cloud servers, Comcast and Kanye West have nothings in common, financial group undermining TLS 1.3, Quadriga's empty cold-wallets, Marriott's GDPR liability, moderator PTSD, carbon sequestering, the solar system gets bigger, and more.

Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved modes has been broken. Since FPE is actively deployed within the payment industry this will have implications for payment security and users of this technology. But how bad is the problem? And if you happen to be affected, what can you do?

Previously we looked at Format Preserving Encryption (FPE) its characteristics and suitability for application in solutions intended for PCI DSS. To recap, FPE is an...

Format Preserving Encryption or FPE is recent technology that is beginning to show up in payment solutions with the promise of simplifying PCI DSS compliance. If you...