Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Reminder of 2018 key dates for PCI DSS 3.2 https://blog.pcisecuritystandards.org/pci-dss-dates-to-remember
• Software Security Framework futures includes PA-DSS https://blog.pcisecuritystandards.org/what-is-next-for-the-pci-software-security-framework
• Visa’s view of a cashless future https://www.pymnts.com/visa/2017/visa-report-whats-next-in-payments-and-ecommerce/
• New PCI FAQ #1455 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Does-a-QSA-need-to-be-onsite-at-the-client-s-premises-for-all-aspects-of-a-PCI-DSS-assessment or see our full list https://controlgap.com/index-pci-frequently-asked-questions/

Breaches / Leaks

• Micorsoft leaks TLS private key for Dynamics 365 sandbox https://www.theregister.co.uk/2017/12/11/dynamics365sandboxleakedtls_certificates/
• Pinterest may have been hacked https://www.theregister.co.uk/2017/12/11/pinteresthackconcerns/
• Summary of the years data breaches https://www.datex.ca/blog/2017-data-breaches-the-worst-so-far
• Just revealed, Perth Australia's airport hacked for sensitive plans and data last year https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-stolen-in-perth-airport-hacking-ng-b88686393z
• California voter registration database compromised https://www.bleepingcomputer.com/news/security/california-voter-database-compromised-in-mongodb-incident/

Laws & Regulations / Standards

• EFF want's your input on tinkering with devices you own https://www.eff.org/deeplinks/2017/12/protect-your-right-repair-and-control-devices-your-life
• Canadian Trade Committee warning on NAFTA IP demands http://www.michaelgeist.ca/2017/12/canadian-trade-committee-warns-unbalanced-u-s-ip-demands-nafta/
• EPIC urges Congress to consider data breaches in Anti-trust hearing https://epic.org/2017/12/epic-urges-congress-to-focus-o-1.html
• Flaws on both sides, another look at the Net Neutraility debate https://freedom-to-tinker.com/2017/12/12/why-the-fcc-should-prevent-isps-from-micromanaging-our-lives/
• EFF takes on Linkedin’s attempt to cast bots as felony hacking under CFAA https://www.eff.org/deeplinks/2017/12/eff-court-accessing-publicly-available-information-internet-not-crime

Bugs / Design Flaws

• Bullet Proof TLS #35 special edition on the ROBOT attack (Return of Bleichenbacher's Oracle aTtack) against TLS/RSA key exchanges https://www.feistyduck.com/bulletproof-tls-newsletter/issue35robotreturnofbleichenbachersoracle_attack (we previously reported that F5 was vulnerable https://controlgap.com/blog/this-weeks-insecurity-issue-35/))
• The ROBOT page recommends disabling all ciphers starting TLS_RSA* and has cute proof Facebook was vulnerable https://robotattack.org/
• XSS: scripts can be imbedded in TLS certificates https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/
• Another problem with Synaptics code (not Lenovo specific) http://riscy.business/2017/12/lenovos-unsecured-objects/
• DirectTV wireless bridge zero day https://thehackernews.com/2017/12/directv-wvb-hack.html
• What's going on with recent Apple security bugs? https://www.wired.com/story/apples-security-macos-high-sierra-ios-11/
• Intel to protect against firmware roll-backs https://www.theregister.co.uk/2017/12/13/intelmanagementenginegetshardwarebased_lock/

Privacy

• Citizen Lab launches a Security Planner for the people https://citizenlab.ca/2017/12/citizen-lab-launches-security-planner/

Hacking / Malware / Cybercrime

• Did Russia just BJP highjack popular websites https://bgpmon.net/popular-destinations-rerouted-to-russia/
• Spyware company sicks lawyers on researchers http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/
• Avast has open sourced its machine code de-compiler https://blog.avast.com/avast-open-sources-its-machine-code-decompiler
• Mirai IoT Botnet authors plead guilty https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/
• Industrial plant shut down after hack https://www.itnews.com.au/news/hackers-halt-plant-operations-in-landmark-attack-479886
• CTO of Hacked Bitcoin Mining Firm ‘NiceHash’ previously convicted for cybercrimes https://krebsonsecurity.com/2017/12/former-botmaster-darkode-founder-is-cto-of-hacked-bitcoin-mining-firm-nicehash/
• Attackers switching from banks to Bitcoin https://www.databreachtoday.com/cryptocurrency-infrastructure-flaws-pose-bitcoin-risks-a-10534
• Starbuck’s Wi-Fi with a side order of crypto-currency mining https://www.theregister.co.uk/2017/12/12/starbuckswificrypto_mining/
• More crypto-jacking, popular video sites mining Monero as user watch https://www.theguardian.com/technology/2017/dec/13/video-site-visitors-unwittingly-mine-cryptocurrency-as-they-watch-report-openload-streamango-rapidvideo-onlinevideoconverter-monero
• Shady Android apps with 1M downloads stealing credentials https://thehackernews.com/2017/12/google-playstore-malware.html
• AVgater Windows AV vulnerability exploiting NTFS junctions https://www.peerlyst.com/posts/could-some-antivirus-software-be-used-to-deliver-malware-kimberly-crawley and https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
• Germany accuses China of using fake Linkedin accounts for espionage http://www.bbc.com/news/world-europe-42304297
• Austrian hotel hacked four times, goes with old-school locks  http://www.bbc.com/news/technology-42353478
• Attack tool to facilitate Preshared Key Wi-Fi compromise via DoS and false AP https://gbhackers.com/crack-wpawpa2-kali-linux-tutorial/

Other Security / Risk

• Some banks just don’t understand the basics (like security-impacting) https://www.troyhunt.com/im-sorry-you-feel-this-way-natwest-but-https-on-your-landing-page-is-important
• And it seems public shaming worked on NatWest http://www.bbc.com/news/technology-42353478
• The problem with EV certificates, is that they don’t solve all the problems of knowing who you do business with https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/
• BEA-1 shows more focus needed on mathematical backdoors in encryption algorithms https://www.theregister.co.uk/2017/12/15/cryptomathematicalbackdoors/
• Binary analysis and fuzzing now more powerful than source code analysis https://www.computerworld.com.au/article/631101/source-code-inspection-security-risk-maybe-experts-say/
• AI is good at document review, lawyers and others should beware https://www.technologyreview.com/s/609556/lawyer-bots-are-shaking-up-jobs/
• Too many delivery bots https://www.theguardian.com/us-news/2017/dec/10/san-francisco-delivery-robots-laws
• Troy Hunt dislikes FaceID https://www.troyhunt.com/face-id-stinks/ and not because of the $200 mask hack (or outstanding questions about it) https://arstechnica.com/information-technology/2017/11/hackers-say-they-broke-apples-face-id-heres-why-were-not-convinced/
• Individuals are getting into e-mail tracking https://www.schneier.com/blog/archives/2017/12/e-mailtracking1.html

Off-Topic

• NASA and Google announced announce the discovery of an 8th planet around star Kepler-90 by using a neural network to analyze the data https://www.nasa.gov/ames/kepler/briefing-materials-eighth-planet-circling-distant-star-discovered-using-artificial-intelligence and a bit more on how this works http://www.syfy.com/syfywire/and-kepler-90i-makes-eight-another-eight-planet-solar-system-found
• A deep dive into Jupiter’s great red spot, including JPL animation http://www.syfy.com/syfywire/diving-into-jupiters-great-red-spot
• Why asteroids explode high in the air http://www.syfy.com/syfywire/why-do-asteroids-explode-high-in-the-atmosphere
• The "Hum of the Earth" https://www.washingtonpost.com/news/speaking-of-science/wp/2017/12/08/scientists-are-slowly-unlocking-the-secrets-of-the-earths-mysterious-hum/