Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news and opinion links on security and privacy related topics. We hope you enjoy and find them useful.

PCI Compliance and Payments

• NIST announces break in Format-Preserving Encryption (FF3) https://controlgap.com/blog/7-things-to-do-with-fpe-break/ and https://beta.csrc.nist.gov/News/2017/Recent-Cryptanalysis-of-FF3. The conference proceedings including short version of the paper can be found at https://www.cryptolux.org/mediawiki-esc2017/images/8/83/Proceedings_esc2017.pdf
• New FAQ https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-is-meant-by-at-risk-and-at-risk-timeframe-referenced-in-the-Final-PFI-Report
• Updated FAQ https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-do-PCI-DSS-Requirements-2-and-8-apply-to-SAQ-A-merchants
• Cybersecurity Skill shortage and QSA Associate program https://blog.pcisecuritystandards.org/hacking-is-an-industry-the-cybersecurity-skills-pipeline-is-not-strong-enough-to-keep-it-at-bay

Breaches

• Verizon Breach report out http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ and reviewed http://www.darkreading.com/attacks-breaches/verizon-dbir-shows-attack-patterns-vary-widely-by-industry/d/d-id/1328757
• Trading card e-commerce breach http://www.databreachtoday.com/blowout-cards-issues-card-skimming-breach-alert-a-9864
• Chipolte's payment systems hacked http://www.darkreading.com/endpoint/chipotle-serves-up-security-incident-warning/d/d-id/1328739
• Northrop Grumman tax records breached https://www.theregister.co.uk/2017/04/24/northropgrummanbreachworkerw2s/
• HIPAA fine for lack of 3rd party agreement http://www.databreachtoday.com/lack-baa-at-center-new-hipaa-settlement-a-9861
• HIPAA fines for lack of risk analysis http://www.databreachtoday.com/hhs-smacks-heart-monitoring-firm-25-million-settlement-a-9863
• R2Games breached again http://www.csoonline.com/article/3192246/security/r2games-compromised-again-over-one-million-accounts-exposed.html

Lawful Access / Back-doors / Regulations

• Tool detects 30K-100K DoublePulsar implant infections http://www.csoonline.com/article/3191707/security/theres-now-a-tool-to-test-for-nsa-spyware.html

Bugs

• IoT bug in Samsung Wi-Fi Direct authentication https://www.theregister.co.uk/2017/04/26/samsungsmarttvwifidirectsecurityflaw/
• Hyundai patches Blue Link smart phone app https://www.theregister.co.uk/2017/04/25/hyundaiblinklinkappsecurity/
• SquirrelMail webmail vulnerability https://www.theregister.co.uk/2017/04/24/squirrelmail_vuln/
• Another Anti-virus malfunction http://www.csoonline.com/article/3192309/security/webroot-deletes-windows-files-and-causes-serious-problems-for-users.html and https://www.theregister.co.uk/2017/04/25/webrootwindowswipeout/

Privacy

• EU fines under new General Data Protection Regulation brings massive fines in 2018 https://www.theregister.co.uk/2017/04/28/icofinespostgdpranalysis/ 
• Unroll.me sold customer email summaries to Uber https://www.theregister.co.uk/2017/04/24/unrollmecaughtsellingemailto_uber/
• FTC head talks about Internet Privacy http://www.csoonline.com/article/3192310/privacy/why-we-need-the-ftc-to-police-isp-privacy-practices.html
• New Linux malware another reminder against weak credentials https://www.theregister.co.uk/2017/04/25/linux_malware/

Hacking / Malware

• Suspicious BGP hijacking of 36 networks by Russian ISP  https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/ 
• Google and Facebook defrauded in huge phishing scam http://www.bbc.co.uk/news/technology-39744007
• More allegations of Russia hacking to influence elections, this time France http://www.bbc.co.uk/news/technology-39705062
• Pawn Storm group abusing Open Auth http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
• What’s behind 27 year sentence for carder https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-roman-seleznevs-record-27-year-prison-sentence/
• Another DDoS vendor gets jail time https://krebsonsecurity.com/2017/04/uk-man-gets-two-years-in-jail-for-running-titanium-stresser-attack-for-hire-service/

Other Security / Risk

• Controversy over 2017 OWASP Top-10 https://medium.com/@JoshCGrossman/behind-the-the-owasp-top-10-2017-rc1-df43236f79ff, http://www.skeletonscribe.net/2017/04/abusing-owasp.html and http://www.csoonline.com/article/3192505/security/contrast-security-responds-to-owasp-top-10-controversy.html
• Contrasting opinions on the value of enhanced web site certificates https://blog.pcisecuritystandards.org/making-the-e-commerce-channel-safer and https://adamcaudill.com/2017/04/09/looking-value-ev-certificates/
• Feisty Duck #27 is out with news of all things TLS including transparency, traffic analysis, the decline of AES-CBC, and more https://www.feistyduck.com/bulletproof-tls-newsletter/issue27certificatetransparencyrequirement_delayed.html
• Interesting new approach to data governance https://www.theregister.co.uk/2017/04/25/immutadatagovernance_tool/

Off-Topic

• Astronomers discover possible dwarf planet 3 times further out than Pluto https://astronomynow.com/2017/04/17/alma-investigates-deedee-a-distant-dim-member-of-our-solar-system/
• Yes there is a real life double-pulsar https://www.sciencenews.org/editors-picks/general-relativity-100