Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Having trouble understanding the nuances of PCI DSS Scope https://controlgap.com/blog/connected-to-pci/
• PCI Associate QSA program is launching https://blog.pcisecuritystandards.org/preparing-for-launch-associate-qsa-program

• PCI revises

  • QSA program guide https://www.pcisecuritystandards.org/documents/QSAProgramGuidev2.0Dec.pdf
  • QSA qualification requirements https://www.pcisecuritystandards.org/documents/QSAQualificationRequirementsv30.pdf
• PCI and the travel industry https://blog.pcisecuritystandards.org/pci-dss-and-the-travel-industry
• EMV now used in majority of card present transactions https://www.pymnts.com/news/payment-methods/2017/emvco-emv-transaction/
• Criminals countering anti-skimmer technology https://krebsonsecurity.com/2017/12/anti-skimmer-detector-for-skimmer-scammers/
• Europol shuts down ATM skimmer ring http://www.zdnet.com/article/europol-smashes-global-atm-skimmer-ring/

Breaches / Leaks

• PayPal's recent acquisition TIO, previously shutdown for vulnerabilities, was breached for 1.6M records https://thehackernews.com/2017/12/paypal-tio-data-breach.html
• On the evolution of data breaches https://www.wired.com/story/evolution-of-data-leaks/
• Ai keyboard exposes trove of data collected on 31M users https://thehackernews.com/2017/12/keyboard-data-breach.html
• More on Uber's hack pay off https://www.bankinfosecurity.com/blogs/report-uber-paid-florida-20-year-old-100000-over-hack-p-2573
• Large interactive database of 1.4B clear text passwords found https://www.itwire.com/security/81116-1-4b-clear-text-usernames-and-passwords-found-in-single-database.html

Laws & Regulations / Standards

• UK police to face restrictions on phone and web searches https://www.theguardian.com/technology/2017/nov/30/police-to-lose-phone-and-web-data-search-authorisation-powers
• EU and UK going after altcoins https://www.theguardian.com/technology/2017/dec/04/bitcoin-uk-eu-plan-cryptocurrency-price-traders-anonymity
• One German law to backdoor and surveil them all https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/

Bugs / Design Flaws

• Microsoft issues emergency patch for its malware engine https://thehackernews.com/2017/12/windows-update-malware-protection.html
• Apple admin bug fixed earlier this month returns http://www.bbc.com/news/technology-42193796
• Big patch month for Android http://www.zdnet.com/article/android-security-alert-googles-latest-bulletin-warns-of-47-bugs-10-critical/
• Vulnerabilities in widely used interpreted programming languages https://www.bleepingcomputer.com/news/security/secure-apps-exposed-to-hacking-via-flaws-in-underlying-programming-languages/
• Hacking a Bluetooth enabled gun safe https://www.bleepingcomputer.com/news/security/but-of-course-this-bluetooth-enabled-gun-safe-got-hacked-are-you-surprised/
• Computer manufacturers shipping Intel without ME inside https://www.bleepingcomputer.com/news/hardware/dell-other-vendors-start-shipping-laptops-with-intel-me-firmware-disabled/
• Lantronix serial-to-ethernet devices leak telnet passwords https://www.bleepingcomputer.com/news/security/thousands-of-serial-to-ethernet-devices-leak-telnet-passwords/
• Two critical bugs in RSA Authentication Agent SDK https://www.theregister.co.uk/2017/12/03/rsaauhenticationbugs/
• Android fixes KRACK wi-fi bug https://www.androidauthority.com/google-december-security-patch-819967/
• Widespread old email client bug facilitates easy spoofing https://www.theregister.co.uk/2017/12/06/mailsploitemailspoofing_bug/
• Banking app man-in-the-middle attacks https://threatpost.com/banking-apps-found-vulnerable-to-mitm-attacks/129105/
• The paper behind it on  certificate pinning vulnerabilities https://www.schneier.com/blog/archives/2017/12/securityvulner10.html
• Survey of code quality https://www.theregister.co.uk/2017/12/08/bankcodingpsd2/
• Google patches Android application signature bypass vulnerability https://threatpost.com/android-flaw-poisons-signed-apps-with-malicious-code/129118/

Privacy

• Google counterattacking nosy apps https://threatpost.com/google-cracks-down-on-nosy-android-apps/129081/
• Location tracking apps don't need GPS access https://www.bleepingcomputer.com/news/security/apps-can-track-users-even-when-gps-is-turned-off/
• Supreme Court of Canada rules on text message privacy http://www.michaelgeist.ca/2017/12/supreme-court-canada-rules-text-messages-may-attract-reasonable-expectation-privacy/

Hacking / Malware / Cybercrime

• Hijacking ISPs to steal Bitcoins/crypto-currencies (paper) https://btc-hijack.ethz.ch/files/btc_hijack.pdf
• Bitcoin exchanges DDoS'd https://www.bleepingcomputer.com/news/security/74-percent-of-all-bitcoin-related-sites-suffered-a-ddos-attack/
• Bitcoin mining company hacked for $62M https://www.darkreading.com/cloud/bitcoin-miner-nicehash-hacked-possibly-losing-$62-million-in-bitcoin/d/d-id/1330585
• Leakbase stolen credentials for sale shut down https://krebsonsecurity.com/2017/12/hacked-password-service-leakbase-goes-dark/
• Vulnerabilities in ioT IV infusion pump and medical smart pens can breach sesitive patient information  https://www.darkreading.com/mobile/hacked-iv-pumps-and-digital-smart-pens-can-lead-to-data-breaches/d/d-id/1330536
• New attack mechanism exploits NTFS transactions to hide malicious code from AV tools https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/
• Phishers using more HTTPS sites https://krebsonsecurity.com/2017/12/phishers-are-upping-their-game-so-should-you/
• Another keylogger on HP laptops https://thehackernews.com/2017/12/hp-laptop-keylogger.html

Other Security / Risk

• OWASP Cheat Sheets for developers https://www.owasp.org/index.php/OWASPCheatSheet_Series
• Security through distrust in design https://www.theregister.co.uk/2017/12/07/security_distrusting/
• India flags 42 Chinese apps as spyware https://securereading.com/india-government-listed-42-chinese-apps-as-spyware-and-asked-to-remove-them/
• The EU Payment Services Directive (PSD2) and code quality https://www.theregister.co.uk/2017/12/08/bankcodingpsd2/
• UK Political scandal a poster child for not sharing passwords https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/
• More on the terrible idea of hacking back http://www.zdnet.com/article/hacking-back-is-a-terrible-idea-but-some-companies-are-still-keen-to-try-it/
• Quick tutorial on the new NoScript UI https://hackademix.net/2017/12/04/noscript-quantum-vs-legacy-in-a-nutshell-2/
• DHS suggests DJI drones are spying on US infrastructure https://thehackernews.com/2017/12/dji-drone-china-spying.html
• Media is hijacking the term "Crypto" https://www.schneier.com/blog/archives/2017/12/cryptoisbeing.html
• The alt-coin graveyard https://magoo.github.io/Blockchain-Graveyard/
• Altcoin fraud in Quebec http://www.cbc.ca/beta/news/canada/montreal/alleged-cryptocurrency-fraud-by-quebec-company-highlights-need-for-more-regulation-experts-say-1.4434038
• Matt Blaze testimony before house of representatives on voting machine security https://www.schneier.com/blog/archives/2017/12/mattblazeon_s.html
• Too small to afford randsom-ware protection https://www.pymnts.com/news/b2b-payments/2017/cybersight-ransomware-smb-cybersecurity/
• Ghostery ad-blocker to use AI https://www.wired.com/story/ghostery-deploys-ai-in-fight-against-ad-trackers/

Off-Topic

• 100 years ago Halifax was destroyed by a 2.9kt explosion, report and animation http://newsinteractives.cbc.ca/halifaxexplosion/
• Newly discovered caves under Montreal http://www.bbc.co.uk/news/world-us-canada-42227846
• AlphaZero AI now beats best chess program https://www.theguardian.com/technology/2017/dec/07/alphazero-google-deepmind-ai-beats-champion-program-teaching-itself-to-play-four-hours