Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI is bring a new Software Security Standard forward and is asking for input https://blog.pcisecuritystandards.org/request-for-comments-pci-software-security-standard-framework
• PCI PTS has been updated to support the secure card readers needed for Software PIN on COTS https://www.pcisecuritystandards.org/documents/PointofInteraction_(POI)_ModularSecurityRequirementsSummaryofChangesv5-1.pdf
• PCI webinar on the June 30 SSL and early TLS deadline https://blog.pcisecuritystandards.org/webinar-ssl-and-early-tls-migration-preparing-for-30-june-deadline
• Here's an example of misleading marketing claiming P2PE by TNSi (Note: it may or may not be a perfectly good example of E2EE, but it is not a validated P2PE solution) https://www.mobilepaymentstoday.com/whitepapers/managed-pos-encryption-allows-merchants-and-processors-to-encrypt-credit-debit-and-other-card-transactions-tokenization/ and why you should do your due diligence before you have to assess https://controlgap.com/blog/understanding-encryption-and-pci-compliance/ and https://www.pcisecuritystandards.org/assessorsandsolutions/pointtopointencryptionsolutions

Breaches / Leaks

• Appplebee's cardbreach at 167 restaurants https://threatpost.com/pos-malware-found-at-160-applebees-restaurant-locations/130281/
• Pennsylvania sues Uber over late breach notification https://www.databreachtoday.com/pennsylvania-sues-uber-over-late-breach-notification-a-10703
• Down the Security Rabbit-hole (podcasts) on the differences between breaches and incidents http://podcast.wh1t3rabbit.net/dtsr-episode-286-breach-vs-incident-vs-lawyers

Laws & Regulations / Standards

• Why Canada's Privacy law needsupdating http://www.michaelgeist.ca/2018/03/no-longer-fit-purpose-canadian-privacy-law-needs-update/
• Micheal Geist continues his marathon 17 part criticism of Bell Canada' "Fairplay Canada" coalition web blocking plan http://www.michaelgeist.ca/2018/03/case-bell-coalitions-website-blocking-plan-part-14-failure-telecommunications-act-policy-objectives/,  http://www.michaelgeist.ca/2018/03/case-bell-coalitions-website-blocking-plan-part-15-undermines-telecommunications-act-policy-objectives/, http://www.michaelgeist.ca/2018/03/case-bell-coalitions-website-blocking-plan-part-16-crtc-internet-content-regulatory-authority/, and http://www.michaelgeist.ca/2018/03/caseagainstsiteblockingfinale/
• Washington becomes first of 20 US State passing laws to preserve net-neutrality http://www.bbc.com/news/technology-43306885
• Senate bill proposes to make credit freezes free https://www.databreachtoday.com/senate-bill-would-make-credit-freezes-free-a-10706
• Google vs. province of BC global takedown order is back in the courts http://www.michaelgeist.ca/2018/03/back-to-b-c-court-re-examines-google-takedown-order-in-light-of-u-s-ruling/
• EFF is fighting SESTA/FOSTA which it claims will result in Internet cesnorship and won't help its stated aims https://www.eff.org/deeplinks/2018/03/stop-sestafosta-dont-let-congress-censor-internet
• EFF weighs in on NAFTA and fair-use https://www.eff.org/deeplinks/2018/03/fair-use-and-platform-safe-harbors-nafta
• Publishers may get some legal leverage over the likes of Facebook and Google https://www.wired.com/story/bill-would-let-publishers-gang-up-versus-facebook-and-google/
• FBI continues to push for broken encryption https://arstechnica.com/tech-policy/2018/03/fbi-again-calls-for-magical-solution-to-break-into-encrypted-phones/
• New York Judge advises Trump to mute not block critics on Twitter as part of lawsuit settlement http://www.bbc.co.uk/news/world-us-canada-43344837

Privacy

• MoviePass CEO reveals just how much privacy you're giving up using their app  https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/
• The FBI paid Geeksquad employees to act as informants https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought
• Citizenlab is participating in the Internet Freedom festival https://citizenlab.ca/2018/03/citizen-lab-at-the-internet-freedom-festival-2/

Bugs / Design Flaws

• Chrome is distrusting SYmantec certs! If you have older certificates from Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html
• Yet another Spectre variant, this one lets you get at the secure enclave https://www.bleepingcomputer.com/news/security/sgxspectre-attack-can-extract-data-from-intel-sgx-enclaves/
• SGX can be used to hide malware https://www.darkreading.com/vulnerabilities--- threats/intel-sgx-can-be-used-to-hide-execute-malware/d/d-id/1331211
• 10 severe vulnerabilities discovered and tested in LTE protocol https://thehackernews.com/2018/03/4g-lte-network-hacking.html
• Another Exim email transfer agent vulnerability discovered https://www.bleepingcomputer.com/news/security/vulnerability-affects-half-of-the-internets-email-servers/
• Cortana used to bypass Windows locks and install malware https://motherboard.vice.com/en_us/article/xw53jk/researchers-bypassed-windows-password-locks-with-cortana-voice-commands
• Handout from last summer's SHARE conference a presentation on serious Z/OS security vulnerabilities http://share.confex.com/data/handout/share/129/Session21042handout104390.pdf
• Z/OS Vulnerability chart of potential zero-day vulnerabilities https://www.krisecurity.com/wp-content/uploads/KRIS-201803Vulnerability_Chart-9.pdf
• Flaws found in Microsoft's Control Flow Guard https://www.darkreading.com/vulnerabilities--- threats/design-weakness-in-microsoft-cfg-allows-complete-bypass-/d/d-id/1331200
• Fix for Alexa creeping out owners with random laughter https://www.theguardian.com/technology/2018/mar/07/amazon-alexa-random-creepy-laughter-company-fixing

Hacking / Malware / Cybercrime

• New DDoS record memcache attack tops 1.7Tbps https://thehackernews.com/2018/03/ddos-attack-memcached.html
• New memcache DDoS attacks used for extortion https://krebsonsecurity.com/2018/03/powerful-new-ddos-method-adds-extortion/
• Article and discussion of memcache at Schneier https://www.schneier.com/blog/archives/2018/03/newddosreflec.html
• Proof of concept code published https://www.bleepingcomputer.com/news/security/proof-of-concept-code-for-memcached-ddos-attacks-published-online/
• Now a kill switch and a data leak have been found in memcache https://www.darkreading.com/vulnerabilities--- threats/memcached-ddos-attack-kill-switch-new-details-disclosed/d/d-id/1331207
• DDoS monitoring https://ddosmon.net/memcachedamplificationattack
• 95,000 memcache servers vulnerable to abuse https://www.bankinfosecurity.com/memcached-ddos-attacks-95000-servers-vulnerable-to-abuse-a-10705
• Overlooked in the Shadowbroker NSA leak was a spy warning tool https://www.wired.com/story/nsa-leak-reveals-agency-list-enemy-hackers
• Crypto-jacking malware goes all hunter-killer on adversaries http://www.theregister.co.uk/2018/03/06/cryptocurrencyminersans_martens/
• XML eXternal Entity (XXE) vulnerability in the wild found on Nike site http://www.zdnet.com/article/nike-website-flaw-exposed-access-to-sensitive-server-data/
• 600 high end Bitcoin mining systems stolen in Iceland https://thehackernews.com/2018/03/bitcoin-mining-computers.html
• Egypt  injecting crypto-currency miners into Internet users' connections https://thehackernews.com/2018/03/cryptocurrency-spyware-malware.html
• State employees in Louisiana fired for crypto-mining at work http://www.theadvocate.com/batonrouge/news/crimepolice/article_d3375e80-1756-11e8-b3fa-27507df48e27.html
• Austrialian meteorology employees investigated for mining at work https://www.theguardian.com/technology/2018/mar/08/bureau-of-meteorology-employees-investigated-for-mining-cryptocurrency-at-work

Other Security / Risk

• Cert website consolidated amid some confusion https://www.darkreading.com/threat-intelligence/certorg-goes-away-panic-ensues/d/d-id/1331190 now can be found at https://www.sei.cmu.edu/about/divisions/cert/index.cfm
• Researcher finds Emirates sending sensitive data to third parties , followed by Emirates denial https://www.theregister.co.uk/2018/03/05/emiratesdingedforslipshodprivacy_practices/ and https://medium.freecodecamp.org/privacy-leaks-round-trip-emirates-com-in-denial-7f99950bcdd
• Krebs on how not to transition customers to new e-banking platforms https://krebsonsecurity.com/2018/03/what-is-your-banks-security-banking-on/
• Kali Linux is available in the Windows store and Defender will protect you from using it https://www.bleepingcomputer.com/news/security/kali-linux-now-in-windows-store-but-defender-flags-its-packages-as-threats/
• Krebs on IDNS puny-code and look alike websites https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/
• US DHS security audit failure https://www.theregister.co.uk/2018/03/08/fedsscoldedforslowsecuritypatchingandoutdatedoperating_systems/
• Discussion and link to research on bulk analysis of Smart Contract vulnerabilities https://www.schneier.com/blog/archives/2018/03/securityvulner13.html
• The dangers of hidden code dependencies https://medium.freecodecamp.org/eliminating-hidden-dependencies-a95c7b03aa54
• Article and discussion on the "Intimate Partner Threat" and some unexpected consequences of disconnection as a defense https://www.schneier.com/blog/archives/2018/03/intimate_partne.html and https://freedom-to-tinker.com/2018/02/23/how-tech-is-failing-victims-of-intimate-partner-violence-thomas-ristenpart-at-citp/
• It turns out that you can extract information about an AI's underlying training data https://www.schneier.com/blog/archives/2018/03/extracting_secr.html
• Article on making security sustainable https://www.lightbluetouchpaper.org/2018/03/06/making-security-sustainable/
• Reporting on a talk about the rise of AI https://freedom-to-tinker.com/2018/03/02/the-rise-of-artificial-intelligence-brad-smith-at-princeton-university/
• Proposal for "essential mode" phone operation to combat addictive apps http://www.businessinsider.com/qa-stanford-apple-iphone-less-addictive-2018-3
• IBM improves speed of "homomorphic encryption" which allows calculations on encrypted data without actually decrypting the datahttps://www.theregister.co.uk/2018/03/08/ibmfasterhomomorphic_encryption/
• Google builds a 72 qubit quantum test bed https://www.theregister.co.uk/2018/03/06/googlebristlecone72qubitquantum_processsor/

Off-Topic

• Australian researchers create worlds first Proton battery https://www.theguardian.com/technology/2018/mar/09/look-no-lithium-first-rechargeable-proton-battery-created
• Nearby sun-like star with 6 gas giants (2 in the habitable zone) http://www.syfy.com/syfywire/a-star-like-the-sun-has-six-gas-giants-orbiting-it-with-two-in-its-habitable-zone
• Lost in space, the first discovery of a comet/asteroid about to be kicked out of the solar system by Jupiter http://www.syfy.com/syfywire/an-asteroid-is-about-to-embark-on-a-very-long-voyage-to-interstellar-space
• Wild ride alert, in a few weeks a large star will pass close to the super-massive black hole at the heart of our galaxy and will experience massive acceleration http://www.syfy.com/syfywire/a-star-is-about-to-plunge-head-first-toward-a-monster-black-hole-astronomers-are-ready-to
• China's first space station will coming crashing down soon http://www.businessinsider.com/when-chinese-tiangong-1-space-station-will-crash-2018-1
• Revolutionary War era ship unearthed in southern Maine by recent "bomb (bombogenesis) cyclone" https://www.cnn.com/2018/03/06/us/maine-shipwreck-revealed-trnd/index.html
• Paul Allen expedition finds USS Lexington at bottom of the Coral Sea https://arstechnica.com/information-technology/2018/03/paul-allens-rv-petrel-finds-sunken-uss-lexington-2-miles-down-in-coral-sea/
• New research into old evidence finds Amelia Earhart died on the pacific island of  Nikumororo before 1940 https://www.ctvnews.ca/sci-tech/bones-found-on-pacific-island-belong-to-amelia-earhart-scientist-claims-1.3834379
• Robot solves Rubik's cube in 0.38 seconds https://arstechnica.com/gadgets/2018/03/homemade-robot-smashes-rubiks-cube-record-with-0-38-second-solve/
• Ocean mapping XPRIZE finalists move to demonstration phase http://www.bbc.co.uk/news/science-environment-43317417