Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Qualified Integrators and Resellers (QIR) program overhauled https://blog.pcisecuritystandards.org/the-qir-program-is-changing-heres-what-you-need-to-know (all of the QIR program documents just updated https://www.pcisecuritystandards.org/document_library (filter by all documents and QIR))
• More insight into the PCI PTS v5.1 and the Secure Card Reader: PIN https://blog.ul-ts.com/posts/secure-card-reader-pin/

Breaches / Leaks

• Another AWS S3 bucket leaks personal information on 1.3M people from MBM Company a partner of Walmart https://mackeepersecurity.com/post/walmart-jewelry-partner-exposed-millions-customer-details
• 31 breach notifications filed in Australia since Feb 22nd http://www.zdnet.com/article/oaic-received-31-notifications-in-the-first-three-weeks-of-data-breach-scheme/
• First major breach to hit news under new Australian law, sensitive data exfiltrated with a silent email forwarding rule https://www.itnews.com.au/news/first-data-breach-publicised-under-australian-notice-scheme-487143
• Yahoo breach victims can sue https://www.databreachtoday.com/federal-judge-yahoo-breach-victims-sue-a-10712
• Schneier on Trustico's emailing of certificate private keys (also bonus points for using "croggled" in print ) https://www.schneier.com/blog/archives/2018/03/e-mailing_priva.html
• Krebs on checking your credit score post Equifax https://krebsonsecurity.com/2018/03/checked-your-credit-since-the-equifax-hack/
• Presentation and lessons learned on incident and breach response https://sector.ca/preparing-for-a-data-breach/
• SEC charges former Equifax executive with insider trading and fraud https://www.darkreading.com/attacks-breaches/sec-charges-former-equifax-exec-with-insider-trading/d/d-id/1331272
• Unnamed US power company, possibly PG&E, that left sensitive data exposed for over 2 months settles for $2.7M https://www.databreachtoday.com/us-power-company-fined-27-million-over-data-exposure-a-10715

Laws & Regulations / Standards

• The encryption debate continues with more papers https://www.schneier.com/blog/archives/2018/03/two_new_papers_.html
• Continuing attempts at take downs of public documents https://www.eff.org/takedowns/landis-gyr-agrees-leave-documents-then-sends-notice-take-them-down
• New Jersey and Net Neutrality https://freedom-to-tinker.com/2018/03/14/new-jersey-takes-up-net-neutrality-a-summary-and-my-experiences-as-a-witness/
• Under GDPR WhatsApp sharing user data with Facebook would be illegal https://www.theguardian.com/technology/2018/mar/14/whatsapp-sharing-user-data-facebook-illegal-ico-gdpr

Privacy

• PayPal shares your data with 600+ companies https://www.schneier.com/blog/archives/2018/03/the_600_compani.html
• Citizen Lab report on "Quantum" the packet injection technology being used to insert malware and crypto-miners https://deibert.citizenlab.ca/2018/03/introducing-quantum-as-a-service/
• Bugs in 3 popular VPN services leak your IP https://thehackernews.com/2018/03/vpn-leak-ip-address.html
• Canadian Privacy Commissioner looking into Loblaw ID requests for $25 gift card https://globalnews.ca/news/4083050/loblaw-gift-card-privacy-commissioner/
• Graykey iphone unlocking tool https://www.theregister.co.uk/2018/03/16/alarms_sounded_over_graykey_iphone_unlock_box/

Bugs / Design Flaws

• Samba LDAP bug lets allows password change free-for-all http://www.theregister.co.uk/2018/03/14/samba_password_bug/
• 13 critical Spectre variants found in AMD Ryzen and EPYC processors https://thehackernews.com/2018/03/amd-processor-vulnerabilities.htm and technical analysis https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/
• AMD was ambushed with new Spectre disclosures by research company that short traded their stock https://www.databreachtoday.com/amd-chipset-flaws-are-real-but-experts-question-disclosure-a-10714 and Torvalds is furious http://www.zdnet.com/article/linus-torvalds-slams-cts-labs-over-amd-vulnerability-report/
• Intel promising Spectre free chips soon https://www.theregister.co.uk/2018/03/15/intel_spectre_mitigation/
• China is tinkering with their public vulnerabilities database hiding high profile vulnerabilities https://www.theregister.co.uk/2018/03/12/china_vuln_data/
• RDP bug in CredSSP protocol https://thehackernews.com/2018/03/credssp-rdp-exploit.html
• DocuTrac Medical Applications have hardcoded credentials and weak encryption https://www.darkreading.com/endpoint/medical-apps-come-packaged-with-hardcoded-credentials/d/d-id/1331268
• Nasty pair of SAP Vulnerabilities https://www.theregister.co.uk/2018/03/15/sap_crm_vulnerabilities/

Hacking / Malware / Cybercrime

• Guilty plea in case of coder that optimized malware and helped evade antivirus https://www.theregister.co.uk/2018/03/14/russian_antiantivirus_security_tester_pleads_guilty_to_certifying_attack_code/
• Limited distribution Slingshot malware hid within routers for a long time https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/
• Mosquito attack air gaps systems using ultrasonics https://thehackernews.com/2018/03/air-gap-computer-hacking.html
• More on the CCleaner supply chain attack https://www.darkreading.com/endpoint/privacy/chinese-apt-backdoor-found-in-ccleaner-supply-chain-attack/d/d-id/1331250
• Russia sanctioned over cyber attacks https://www.theguardian.com/us-news/2018/mar/15/russia-sanctions-energy-sector-cyber-attack-us-election-interference
• String of cyber attacks on Saudi Petroleum companies https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

Other Security / Risk

• Segmentation a superior but often overlooked control https://www.darkreading.com/endpoint/segmentation-the-neglected-(yet-essential)-control/a/d-id/1331244
• Block-chain isn't well defined and vague definitions aren't just fueling hype, they're being enshrined in laws which will have consequences https://www.theverge.com/2018/3/7/17091766/blockchain-bitcoin-ethereum-cryptocurrency-meaning
• Bitcoin may no longer be profitable https://www.cnbc.com/2018/03/15/bad-news-for-bitcoin-miners-as-its-no-longer-profitable-to-create-the-cryptocurrency.html
• Princton's Blockchain analysis tool gets an update https://freedom-to-tinker.com/2018/03/15/whats-new-with-blocksci-princetons-blockchain-analysis-tool/
• Schneier on Artificial Intelligence and the Attack/Defense Balance https://www.schneier.com/blog/archives/2018/03/artificial_inte.html
• 5 reasons you should be using HTTPS https://www.packetlabs.net/5-reasons-need-ssl-make-website-secure/
• Let's Encrypt makes free wildcard certificates available https://arstechnica.com/information-technology/2018/03/lets-encrypt-takes-free-wildcard-certificates-live/
• Android security, 2017 in review https://security.googleblog.com/2018/03/android-security-2017-year-in-review.html
• Hackers bypass two-factor (SMS) as NIST predicted https://www.ft.com/content/b7be1c96-1b04-11e8-aaca-4574d7dabfb6
• How tech companies deal with leakers https://www.theguardian.com/technology/2018/mar/16/silicon-valley-internal-work-spying-surveillance-leakers
• Teacher accidentally discharges gun in California classroom https://www.washingtonpost.com/news/morning-mix/wp/2018/03/14/teacher-accidentally-discharges-firearm-in-calif-classroom-he-was-trained-in-gun-use/
• Ex-GCHQ head cautions against cyber-escalation for Sailsbury poisonings https://www.theregister.co.uk/2018/03/14/russia_cyberwar_speculation/

Off-Topic

• The remarkable Stephen Hawking died last week http://www.bbc.co.uk/news/uk-43396008
• XKCD on  "Smart Home" security https://xkcd.com/1966/
• Nuking an incoming asteroid may actually work https://www.universetoday.com/138772/scientists-propose-asteroid-nuke-mission-save-earth-potential-destruction/
• The octo-cyclone at Jupiter's north pole http://www.syfy.com/syfywire/whoa-like-jupiter-is-deep-really-really-deep
• Twin study on Scott (astronaut) and Mark Kelly shows significant gene changes in a year https://www.universetoday.com/138791/7-scott-kellys-genes-changed-year-space/