Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• MasterCard rolls out biometric authentication https://www.pymnts.com/mastercard/2018/biometric-authentication-facial-recognition/
• Good article on PIN on COTS https://blog.ul-ts.com/posts/pci-pin-on-cots-changing-the-paradigm-for-pin-acceptance
• VISA Bulletin on e-commerce malware https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/psi-alert-protect-against-ecommerce-malware.pdf  (linked from https://usa.visa.com/support/merchant/library.html))
• Updated FAQ #1261 https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Does-a-P2PE-validated-application-also-need-to-be-validated-against-PA-DSS
• Payment breach forecast, Oracle Micros vulnerability expected to take months for merchants to patch https://www.bleepingcomputer.com/news/security/security-bug-affects-over-300-000-oracle-pos-systems/

Breaches / Leaks

• 2017 worst breach year on record bring total breaches to 73% US companies https://epic.org/2018/01/data-breaches-on-the-rise.html
• SEC clamps down hard on Texas ICO https://www.pymnts.com/news/regulation/2018/arisebank-ico-sec-fraud-prevention/

Laws & Regulations / Standards

• Argument against backdoors in encryption https://sector.ca/the-flaw-in-encryption-back-doors/
• Argument for going after the vast untapped cleartext troves of data https://www.theregister.co.uk/2018/01/31/backdoorsukhomeaffairscommittee/
• EFF challenges to warrantless border device searches  https://www.eff.org/deeplinks/2018/01/round-effs-advocacy-against-border-device-searches
• The EFF Stupid Patent of the Month goes to Lenovo https://www.eff.org/deeplinks/2018/01/stupid-patent-month-bigger-screen-patent-highlights-bigger-problem
• Bell Canada led private Internet blocking plan http://www.michaelgeist.ca/2018/02/canadas-sopa-moment-crtc-reject-bell-coalitions-dangerous-internet-blocking-plan/

Bugs / Design Flaws

• Meltdown and Spectre continue:

  • Getting to a Linux patch http://www.zdnet.com/article/linux-and-intel-slowly-hack-their-way-to-a-spectre-patch/
  • Intel promises products that address Meltdown/Spectre this year https://www.darkreading.com/endpoint/intel-ceo-new-products-that-tackle-meltdown-spectre-threats-coming-this-year/d/d-id/1330920
  • Backing out the bad patches https://www.theregister.co.uk/2018/01/29/microsoftoutofbandpatchtoremovespectrepatches/
  • Chinese firms alerted before Department of Homeland Security https://www.theregister.co.uk/2018/01/29/inteldisclosurecontroversy/
• More on the Intel Management Engine vulnerabilities http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html
• Lenovo fixes fingerprint security bug https://threatpost.com/lenovo-fixes-hardcoded-password-flaw-impacting-thinkpad-fingerprint-scanners/129680/
• IoT failures - panic buttons https://www.theregister.co.uk/2018/01/29/bluetoothpanicbuttons_hackable/
• Cisco DoS/Remote Code VPN vulnerability affecting multiple Cicso products https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa
• Details of the DCShadow attack that allows rogue domain controllers to replicate malicious objects into running Active Directory infrastructure https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
• Oracle patches 10 vulnerabilities that allow virtual machine escape https://www.cyberscoop.com/virtualbox-virtual-machine-escape-oracle/
• Attackers exploiting a Flash zero-day again https://krebsonsecurity.com/2018/02/attackers-exploiting-unpatched-flaw-in-flash/

Privacy

• Fitness trackers stalkers  ... military bases, personnel, and more exposed  by Strava's fitness tracker heat maps and deanonymizable http://www.abc.net.au/news/science/2018-01-29/strava-heat-map-shows-military-bases-and-supply-routes/9369490 and http://www.wired.co.uk/article/strava-military-bases-area-51-map-afghanistan-gchq-military
• Citizen lab and other references on fitness leaking https://citizenlab.ca/2018/01/fit-leaking-citizen-lab-research-fitness-tracker-privacy/
• ICE obtains huge trove of licence plates from automated scanners https://www.eff.org/deeplinks/2018/01/ice-accesses-massive-amount-license-plate-data-will-california-take-action

Hacking / Malware / Cybercrime

• With all the breaches, file your taxes before someone else does! https://krebsonsecurity.com/2018/01/file-your-taxes-before-scammers-do-it-for-you/
• An earlier case of US ATM Jack-potters were caught last year by cops investigating Pot https://krebsonsecurity.com/2018/01/drug-charges-tripped-up-suspects-in-first-known-atm-jackpotting-attacks-in-the-us/
• Man jailed for hacking thousands of email accounts of university aged women via secret questions in search of private and sexually explicit photos in online accounts https://www.theregister.co.uk/2018/01/25/collegenudeselfiehackerjailed/
• "Infant Fullz" complete information on newborns available on dark web http://securityaffairs.co/wordpress/68295/deep-web/dark-web-infant-fullz.html
• Article on problems with malware attribution and the case of Wannacyy[pt] http://blog.erratasec.com/2018/01/the-problematic-wannacry-north-korea.html
• Wanncry[pt] exploits reworked, older systems at risk  https://www.theregister.co.uk/2018/01/31/wannacrysmbexploitbeefedup/

Other Security / Risk

• Estimating the cost of internet insecurity https://www.schneier.com/blog/archives/2018/01/estimatingthe\.html
• Scammers targeting payroll direct deposit https://www.pymnts.com/news/b2b-payments/2018/payroll-fraud-direct-deposit-cybercrime/
• Security and the concept of data lakes (vs. data warehouses) https://www.datex.ca/blog/what-is-a-security-data-lake
• NICE (National Initiative for Cybersecurity Education) 2018 Winter Newsletter is out https://content.govdelivery.com/accounts/USNIST/bulletins/1d6138d
• Bulletproof TLS #37 is out with latest news in the SSL / TLS world including HTTPS only top level domains, more on TLS 1.3, Office 365 dropping early TLS, Let’s Encrypt’s Cloud vulnerability fixed, confusion in the CA/Browser Forum, sketchy domain validation https://www.feistyduck.com/bulletproof-tls-newsletter/issue37cloudprovidervulnerability
• Buying fake followers, bots, and stolen identities https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html
• Consequences for getting caught with fake followers https://www.washingtonpost.com/news/morning-mix/wp/2018/01/30/chicago-sun-times-sidelines-film-critic-richard-roeper-for-allegedly-buying-twitter-followers/ and https://www.nbcnews.com/news/us-news/journalists-struggle-explain-why-they-bought-fake-twitter-followers-n843871
• Senators urge FTC to investigate social media influence peddling https://epic.org/2018/02/senators-urge-ftc-to-investiga.html
• Drill-gone-wrong, it seems the Hawaiian missile alert was not an individual slip-up but miscommunication https://arstechnica.com/information-technology/2018/01/fcc-says-hawaii-officer-who-sent-false-missile-alert-thought-it-was-not-a-drill/
• The Bitcoin bubble https://www.theguardian.com/technology/2018/feb/02/bitcoin-biggest-bubble-in-history-says-economist-who-predicted-2008-crash
• NIMBYism and Security Theater are alive and well in New York https://www.schneier.com/blog/archives/2018/01/subway_elevator.html
• A free forensic education opportunity http://blog.isc2.org/isc2_blog/2018/01/limited-time-opportunity-free-forensics-lab.html

Off-Topic

• Only in Canada!  Street hockey on a major Toronto street as protest https://www.blogto.com/city/2018/01/street-hockey-newest-form-transit-protest-king-st/
• Apparently, "Slow light" is a thing and it has some interesting application possibilities http://www.newsweek.com/physics-speed-light-stop-trapping-particles-inside-crystals-796385
• Interesting new cancer treatment tested successfully on mice https://med.stanford.edu/news/all-news/2018/01/cancer-vaccine-eliminates-tumors-in-mice.html
• Debunking bogus claims about all kinds of ridiculous super-blue-moon-eclipse and silly made up stuff claims http://www.syfy.com/syfywire/no-the-eclipse-and-a-planetary-alignment-will-not-cause-massive-earthquakes-sheesh
• Previously unknown star cluster hidden by the glare of Sirius https://www.universetoday.com/138402/brightest-star-sky-sirius-hiding-cluster-stars-found-gaia/
• Planets have been discovered in another GALAXY far far away!! https://www.universetoday.com/138478/first-time-planets-discovered-another-galaxy/