This Week’s [in]Security – Issue 46
12 Feb 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- Krebs on a new POS skimmer found in the wild https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/
- New POS malware exfiltrates cardholder data via DNS traffic https://www.darkreading.com/vulnerabilities---threats/new-pos-malware--steals-data-via-dns-traffic/d/d-id/1331022
- Two men who dressed as Diebold technicians were caught red-handed in recent US ATM Jackpotting thefts https://www.databreachtoday.com/feds-charge-two-atm-jackpotting-malware-suspects-a-10633
Breaches / Leaks
- Equifax's breach leaked more personal data than first disclosed https://www.ctvnews.ca/business/equifax-hack-put-more-info-at-risk-than-consumers-knew-1.3797467
- The Sacramento Bee leaked 19M California voter records https://gizmodo.com/sacramento-bee-leaked-19-5-million-california-voter-rec-1822835127 and https://mackeepersecurity.com/post/california-voter-database-leaked-again-with-more-data-at-risk (related to a previous report in December https://www.bleepingcomputer.com/news/security/california-voter-database-compromised-in-mongodb-incident/)
- Another leaky AWS S3 Bucket exposes personal data and contact info for 12K social media influencers https://threatpost.com/leaky-amazon-s3-bucket-exposes-personal-data-of-12000-social-media-influencers/129810/
- Strava's privacy measures (Strava being the source of last week's fitness stalker disclosures of military bases and more) still leak even when enabled https://www.theregister.co.uk/2018/02/08/stravaprivacystill_leakable/
- Mixpanel analytics blames a React.js bug for its collection of hidden fields and passwords https://www.bleepingcomputer.com/news/security/analytics-firm-admits-it-collected-password-data-by-accident/ (relates to previously reported web session replay software issues https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/ and https://freedom-to-tinker.com/2018/01/12/website-operators-are-in-the-dark-about-privacy-violations-by-third-party-scripts/)
- Apple's iBoot source code leaked https://thehackernews.com/2018/02/iboot-ios-source-code.html
- iBoot leak was due to ex-insider https://motherboard.vice.com/en_us/article/xw5yd7/how-iphone-iboot-source-code-leaked-on-github
Laws & Regulations / Standards
- GDPR isn’t just a cybersecurity challenge https://www.datex.ca/blog/gdpr-whose-problem-is-it-anyway
- The CLOUD Act allows US law enforcement to access information anywhere in the world and allows for arrangements to bypass local privacy laws https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data
- Massachusetts wants access to emails after your death https://www.theregister.co.uk/2018/02/09/yahooemailaccountaccesssupreme_court/
- Singapore breach reporting mandate https://www.databreachtoday.com/data-breach-reporting-mandate-included-in-new-singapore-law-a-10641
- The new "Reciprocal Notice" process on National Security Letters and FBI gag orders allows challenges https://www.eff.org/deeplinks/2018/02/twilio-demonstrates-why-courts-should-review-every-national-security-letter
- Gibraltar will be first to regulate ICOs https://www.pymnts.com/news/regulation/2018/gibraltar-moves-toward-worlds-first-ico-regulations/
Bugs / Design Flaws
- Intel called out over recent "keep up-to-date" response to Meltdown https://www.theregister.co.uk/2018/02/08/intelspectremeltdownmicrocodeupdate/
- Lenovo expands list of systems affected by KRACK Wi-Fi vulnerability https://threatpost.com/lenovo-warns-critical-wifi-vulnerability-impacts-dozens-of-thinkpad-models/129860/
Privacy
- EPIC files FOIA request and urges investigation as to why the Consumer Financial Protection Bureau halted Equifax breach investigation https://epic.org/2018/02/epic-files-foia-request-about-.html and https://epic.org/2018/02/epic-urges-senate-to-investiga.html
- Global Council “Privacy and Security by Design” set up to encourage research https://www.itworldcanada.com/article/you-dont-have-to-sacrifice-privacy-for-security-says-former-ontario-privacy-commissioner/401517
- How to disable tracking features on smart TVs https://www.usatoday.com/story/tech/talkingtech/2018/02/07/smart-tv-tracking-features-how-turn-them-off-if-you-want-some-privacy/315277002/
Hacking / Malware / Cybercrime
- Toronto telephone scammers claiming compromised bank accounts http://torontopolice.on.ca/newsreleases/40294
- Another problem with Amazon’s Key allows break & enter https://www.theregister.co.uk/2018/02/05/amazonkeyhack/
- A yearlong inside view of a phishing operation https://deibert.citizenlab.ca/2018/01/year-life-phishing-operation/
- Russian extradited to the US from Spain to face spam charges https://krebsonsecurity.com/2018/02/alleged-spam-kingpin-severa-extradited-to-us/
- 3 dozen indictments in $530M cyber ID theft and fraud ring https://www.pymnts.com/news/security-and-risk/2018/justice-department-fraud-cybersecurity/ and https://krebsonsecurity.com/2018/02/u-s-arrests-13-charges-36-in-infraud-cybercrime-forum-bust/
- More information on the Uber hackers and a Canadian connection https://www.ctvnews.ca/business/uber-accuses-hacker-in-canada-of-massive-2016-data-breach-1.3792257
- Hacking air-gapped computers https://www.wired.com/story/air-gap-researcher-mordechai-guri
- Utility SCADA system infected with Crypto-miner https://www.schneier.com/blog/archives/2018/02/waterutilityi.html
- Thousands of websites using Browsealoud plugin hijacked for Crypto-mining https://www.theregister.co.uk/2018/02/11/browsealoudcompromisedcoinhive/
Other Security / Risk
- You would think people working with top secret air-gapped supercomputers running nuclear simulations would be smarter than to try to hook one up to the Internet for some personal crypto-mining https://arstechnica.com/tech-policy/2018/02/russian-nuclear-weapons-engineers-caught-%c2%ad%c2%ad%c2%ad%c2%adminting-blockchange-with-supercomputer/
- How LinkedIn can be used for social engineering http://www.ibtimes.co.uk/cybercriminals-other-professionals-viewing-your-linkedin-profile-1658424
- The American Tort Museum, or the ways you can be sued for exploding cars, lethal toys, defective products, and general negligence https://medium.com/berkman-klein-center/the-american-museum-of-exploding-cars-and-toys-that-kill-you-5123f35cb271
- Blockchain may be anonymous but tainted funds can be traced https://www.coindesk.com/downside-tracking-bitcoin-blockchain/
- Many Symantec HTTPS certificates to become untrusted by Google Chrome in two waves April 17 and October 23 https://www.theregister.co.uk/2018/02/07/bewarethecomingchromecertificate_apocalypse/
- Someone left sensitive Homeland Security documents about Super-Bowl security on a plane https://www.schneier.com/blog/archives/2018/02/sensitive_super.html
- Someone bought some locked secondhand furniture full of Australian secrets https://www.schneier.com/blog/archives/2018/02/cabinetofsecr.html
- Another take on source code reviews, requests from foreign governments, and security through obscurity protectionist measures https://www.eff.org/deeplinks/2018/01/code-review-not-evil-security-through-obscurity
- Remember the UK’s NHS and WannaCry[pt]? Apparently 100% of the 200 NHS Trusts tested failed to meet security standards; discussion and link https://www.schneier.com/blog/archives/2018/02/poorsecuritya.html
- Survey of minimum password lengths for major websites https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/
- Uber restricts GitHub to source code only (but wasn’t following best practices either) https://www.theregister.co.uk/2018/02/07/uberquitgithubforcustomcodeafter2016data_breach/
- Stripping path information from HTTP Referrers helps prevent data leaks https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/
- Autonomous vehicles have huge power demand https://www.wired.com/story/self-driving-cars-power-consumption-nvidia-chip/
- How human activity caused New Orleans to sink below sea level https://www.theatlantic.com/technology/archive/2018/02/how-humans-sank-new-orleans/552323/
- Facial recognition failures underscore bias in data used to train the AI https://www.wired.com/story/photo-algorithms-id-white-men-fineblack-women-not-so-much/
- ISP Fidelity Communications was outed over "astroturf" (fake grass-roots) campaign to stifle municipal broadband project https://www.theregister.co.uk/2018/02/07/fidelityastroturfcity_broadband/
Off-Topic
- Did you feel the hairs on your neck stand up Friday? A just-discovered asteroid called 2018-CB (a 15-40m diameter rock moving at nearly 8 km/s, or about 0.1-1.5 Mt of impact energy) buzzed by Earth just 69,700 km away http://www.bbc.co.uk/news/science-environment-43006161 and https://www.jpl.nasa.gov/news/news.php?release=2018-025
- SpaceX test launch of Falcon Heavy https://www.cnn.com/2018/02/06/us/spacex-launch-latest/index.html and yes, it gets its very own designation from NASA, "Tesla Roadster (Starman, 2018-017A)" https://www.space.com/39647-spacex-tesla-roadster-spotted-in-space.html, and a "selfie" https://apod.nasa.gov/apod/ap180210.html
- Why finding alien life might be a bad thing (no, not space invaders) for our survival chances: the Great Filter (short article and video) https://www.universetoday.com/138447/finding-alien-life-bad-great-filter/
- Supersonic parachutes, Mars, and some old Viking film footage https://www.wired.com/story/the-supersonic-parachutes-carrying-nasas-martian-dreams/