Welcome to This Week’s [in]Security. This week: PCI in 2019, PCI card production, NIST killing of TDES, hotel breaches, Yahoo settlement, Canadian breach reporting, consent and cross-boarder data, dark design patterns, fine for cooperating with ICE, Android as 2FA, securing email, malicious zero-day disclosures, the latest phishing campaigns, Assange arrested, blocking big tech, spreadsheet risks you hadn't thought about, quantum and AI advances, really fast multiplication, first image of a black hole, carbon sequestering tech, and more.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• PCI Standards in 2019: Q&A with CTO Troy Leach https://blog.pcisecuritystandards.org/pci-standards-in-2019-q-and-a-with-cto-troy-leach
• More details on the PCI Card Production Assessor program https://blog.pcisecuritystandards.org/what-to-know-about-the-new-card-production-security-assessor-program
• PCI is looking for speakers for their events https://events.pcisecuritystandards.org/?utm_campaign=2019 Community Meetings
• NIST is Sunsetting Triple DES – so what will the Financial Industry do? https://controlgap.com/blog/nist-is-sunsetting-triple-des-so-what-will-the-financial-industry-do/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• A hotel reservation system exposes user information to third-parties allowing cancellations https://www.securityweek.com/reservation-systems-used-many-hotels-expose-user-data
• Minnesota DHS exposed info on 11K people https://www.securityweek.com/minnesota-state-agency-breach-may-have-put-thousands-risk
• Data breach at Blue of Cross of Idaho reported to the FBI https://www.ktvb.com/article/news/local/data-breach-at-blue-of-cross-of-idaho-reported-to-the-fbi/277-5d57bb05-be6d-4152-b787-4643266a5b3c
• Yahoo reaches $117M settlement with 3 billion accounts hacked in data breach exposed in 2016 https://www.cbc.ca/news/business/yahoo-data-breach-settle-1.5090278
• Planning for the financial impact of a data breach https://www.careersinfosecurity.com/interviews/planning-for-financial-impact-data-breaches-i-4289
• Early numbers from Canada's privacy commissioners on mandatory breach reporting https://www.canadianunderwriter.ca/insurance/early-numbers-from-privacy-commissioners-on-mandatory-breach-reporting-1004161652/

Privacy

Articles about privacy related news, risks, and trends.

• Canada's Privacy Commissioner changes position: cross-border data transfers should require consent http://www.michaelgeist.ca/2019/04/canadian-privacy-commissioner-signals-major-shift-in-approach-on-cross-border-data-transfers/
• Parenting club Bounty fined £400,000 for selling users' data https://www.theguardian.com/technology/2019/apr/12/parenting-club-bounty-fined-selling-users-data
• A deeper look at last week's dark pattern revelation that Facebook was asking users for passwords to email providers https://www.eff.org/deeplinks/2019/04/facebook-got-caught-phishing-friends
• Amazon audio clips from Echo are reviewed by people to improve the service but some of it is creepy and disturbing https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio
• New Zealand's privacy commissioner lambastes Facebook https://www.businessinsider.com/new-zealand-privacy-commissioner-calls-facebook-morally-bankrupt-pathological-liars-2019-4
• Mark Zuckerberg gets taste of privacy invasion as New York Times reports the contents of his trash https://www.businessinsider.com/mark-zuckerberg-contents-of-his-trash-revealed-by-new-york-times-2019-4

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• The US Algorithmic Accountability Act http://epic.org/2019/04/lawmakers-introduce-algorithmi.html
• Bipartisan Senate bill to target "dark design patterns" (tricks, misdirection, deception) in big tech user interfaces https://www.bankinfosecurity.com/dark-patterns-how-weaponized-usability-hurts-users-a-12364
• Congress passes a new net neutrality act https://www.eff.org/deeplinks/2019/04/victory-house-representatives-passes-net-neutrality-protections
• UK cops to deploy smartphone detectors to drive awareness https://www.bbc.com/news/uk-england-47896472
• US immigration police broke Facebook rules with fake profiles for college sting https://www.theguardian.com/technology/2019/apr/11/us-immigration-police-broke-facebook-rules-with-fake-profiles-for-college-sting
• Motel 6 fined $12M for alleged warrantless sharing of guest information with ICE http://fortune.com/2019/04/05/motel-6-guest-information-ice/
• Report: FBI Fails to Promptly Notify Cybercrime Victims https://www.databreachtoday.com/report-fbi-fails-to-promptly-notify-cybercrime-victims-a-12334
• Government fights to trap EFF’s NSA spying case in a catch-22 https://www.eff.org/deeplinks/2019/04/government-fights-trap-effs-nsa-spying-case-catch-22
• Use of Facebook targeting on job ads could violate Canadian human rights law https://www.cbc.ca/news/politics/facebook-employment-job-ads-discrimination-1.5086491
• US air travelers without a REAL ID compliant drivers license will need another form of id to fly after September 2020 https://www.forbes.com/sites/suzannerowankelleher/2019/04/08/tsa-check-does-your-drivers-license-have-a-star-on-it/#4103ffd57e92
• Britain looking to change the way the Internet is regulated https://www.businessinsider.com/dcms-white-paper-uk-lays-out-proposed-laws-to-regulate-social-media-2019-4
• Judge rules having someone hold your phone while driving is not "hands-free" https://globalnews.ca/news/5141345/hands-free-phone-rosemere-judge-ruling/

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Android 7.0+ phones can now double as Google Security Keys https://krebsonsecurity.com/2019/04/android-7-0-phones-can-now-double-as-google-security-keys/
• Gmail implements the new secure email standards known as MTA-Strict Transport Security and SMTP TLS reporting https://security.googleblog.com/2019/04/gmail-making-email-more-secure-with-mta.html
• Google's Data Loss Prevention tool finds and redacts sensitive data in the cloud https://www.wired.com/story/google-data-loss-prevention-interface/
• Chrome gets a NoScript extension https://www.zdnet.com/article/noscript-extension-officially-released-for-google-chrome/
• Security Protocols workshop 2019 https://www.lightbluetouchpaper.org/2019/04/10/security-protocols-2019/
• A new open-source fuzzer for Windows called Sienna Locomotive released https://blog.trailofbits.com/2019/04/08/user-friendly-fuzzing-with-sienna-locomotive/
• Scientific American article on the math behind password strength https://www.scientificamerican.com/article/the-mathematics-of-hacking-passwords/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• A security researcher with a grudge is dropping Wordpress zero-days https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/
• Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords - the "Dragonblood" vulnerability https://arstechnica.com/?p=1489481
• More Intel firmware patches https://www.theregister.co.uk/2019/04/11/intelaprilpatch/
• If you missed a rundown on this month's patch Tuesday https://krebsonsecurity.com/2019/04/patch-tuesday-lowdown-april-2019-edition/
• TP-Link consumer router models vulnerable to zero-day attack https://threatpost.com/tp-link-routers-vulnerable-to-zero-day-buffer-overflow-attack/143575/
• The MyCar Controls mobile app comes complete with hardcoded admin credentials https://www.securityweek.com/cars-exposed-hacker-attacks-hardcoded-credentials-mycar-apps

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• Honeypot server on a cloud provider was under attack in just one minute https://www.zdnet.com/article/this-server-was-online-for-under-a-minute-before-cyber-criminals-started-to-hack-it/
• Mysterious Triton/Trisis malware attacks critical infrastructure safety systems https://arstechnica.com/?p=1488751
• Surely everyone knows not to plug random USB devices into computers? Apparently the US Secret Service doesn't https://www.schneier.com/blog/archives/2019/04/heysecretserv.html
• iOS version of Italian exodus surveillance malware found https://arstechnica.com/information-technology/2019/04/well-funded-surveillance-operation-infected-both-ios-and-android-devices/
• Malware spam claiming to be from ADP, Paychex, others uses tax lure https://threatpost.com/spam-campaigns-spread-trickbot-malware-with-tax-lure/143551/
• Beware fake Office 365 payment information request https://isc.sans.edu/diary.html?storyid=24818
• City treasurer tricked into wiring $100K US to fraudster https://www.cbc.ca/news/canada/ottawa/city-treasurer-sent-100k-to-fraudster-1.5088744
• Microsoft Support Agent compromised to gain access to Outlook emails https://thehackernews.com/2019/04/microsoft-outlook-email-hack.html
• Underground market sells user profiles complete with "browser fingerprints" (not physical prints) for better impersonation https://www.securityweek.com/over-60000-stolen-profiles-sold-underground-marketplace
• The FIN6 APT group has moved from POS malware to ransomware https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/
• Porn site ransomware hits millions of users in 20 countries https://www.forbes.com/sites/zakdoffman/2019/04/10/porn-site-ransomware-cybercriminals-hit-millions-of-users-in-20-countries/
• Kaspersky has released details about a sophisticated nation-state spyware it calls TajMahal https://www.schneier.com/blog/archives/2019/04/tajmahal_spywar.html
• DHS, FBI say election systems in 50 states were targeted in 2016 https://arstechnica.com/?p=1486259
• UK man sentenced to 6 years for global ransomware https://www.bankinfosecurity.com/uk-man-gets-six-year-sentence-for-global-ransomware-scheme-a-12361
• Julian Assange arrested for U.S. extradition on hacking charges https://www.cbc.ca/news/world/assange-arrested-london-1.5093405

Other Security / Risk

Articles covering other types of risks.

• The biggest data security risk? Downloading data to a spreadsheet. But it's not malware. https://betanews.com/2019/04/12/data-security-risk-spreadsheet/
• An experiment in trying to block big tech from your life shows how deeply dependent we are on them https://www.forbes.com/sites/jasonevangelho/2019/04/09/heres-the-shocking-reality-of-completely-blocking-google-from-your-life/#c7910ff1fec5
• Last week's GPS rollover apparently caused some flight dlays and groundings https://arstechnica.com/?p=1488409
• Canadians should avoid all travel to Sudan amid ongoing military coup, feds warn https://globalnews.ca/news/5155578/canda-travel-warning-sudan-military-coup/
• Helium is in short supply and that's a problem for tech https://www.cbc.ca/news/business/helium-smartphones-fibre-optic-cable-mri-internet-scuba-1.5084212
• Positions on Huawei are changing and the solution seems to be to design for a dirty network https://www.forbes.com/sites/zakdoffman/2019/04/08/did-the-u-s-just-publicly-back-down-from-its-fight-with-huawei-in-europe/#89396aa49dd7
• The bizarre case of the Chinese woman arrested at Mar-a-lago with malicious USBs, multiple phones, $8K in cash, hidden cameras https://www.businessinsider.com/chinese-woman-arrested-at-mar-a-lago-had-hidden-camera-detector-2019-4
• TV's in US airports censored reports on the 737 Max investigation https://www.businessinsider.com/us-airport-tvs-censor-737-max-report-replaced-cake-video-2019-4
• Nasa: India's satellite destruction could endanger ISS https://www.bbc.com/news/world-asia-india-47783137
• Quantum set to destroy blockchain by 2021 https://www.horsesforsources.com/quantumdestroyblockchain_040119
• Introducing The Cybercrime Equation https://www.forbes.com/sites/forbestechcouncil/2019/04/02/introducing-the-cybercrime-equation/
• Man reportedly "hacks" McDonald's kiosk to get a free burger but it looks more like a case of extreme couponing than an exploit https://mashable.com/video/mcdonalds-burgers-self-service/
• Half of all global carbon emissions are due to "extractives" https://www.forbes.com/sites/jaxjacobsen/2019/04/10/extractives-now-account-for-half-of-global-carbon-emissions-what-can-be-done/
• Canada is changing building codes to deal with impact of climate change https://www.cbc.ca/news/canada/canada-building-code-climate-change-resilience-1.5092732
• A new type of quantum computer may benefit AI research https://www.sciencealert.com/this-quantum-computer-can-generate-superposition-of-possible-futures-at-the-same-time
• Two rival AI approaches combine to let machines learn about the world like a child https://www.technologyreview.com/s/613270/two-rival-ai-approaches-combine-to-let-machines-learn-about-the-world-like-a-child/
• Mathematicians have found an incredibly fast way to multiply huge numbers. Old methods took exponential time while the new one takes logarithmic time https://www.sciencealert.com/mathematicians-just-discovered-an-astonishing-new-way-to-multiply-numbers-together

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• In a galaxy far far away comes the very first image of a black hole https://astroengine.com/2019/04/10/this-is-the-first-image-of-a-black-hole/ and to put its' size into perspective https://xkcd.com/2135/
• Vote to help astronomers name Trans-Neptunian Object! (225088) 2007 OR10 https://www.syfy.com/syfywire/help-astronomers-name-trans-neptunian-object-225088-2007-or10
• World's widest plane, the Stratolaunch makes first test flight https://www.bbc.co.uk/news/world-us-canada-47923697
• Scientists find way to boost working memory in older people https://www.sciencealert.com/brain-zap-experiment-successfully-reverses-memory-decline-in-older-people
• Newly discovered state of matter is both liquid and solid http://www.sciencealert.com/a-new-state-of-matter-can-be-solid-and-liquid-at-the-same-time
• Canadian company, Carbon Engineering, has found a new way to extract CO2 from the air https://www.bbc.com/news/av/science-environment-47799042/a-magic-bullet-to-capture-carbon-dioxide