Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI blog Video on how QIR's benefits merchants https://blog.pcisecuritystandards.org/video-pci-ssc-updates-training-and-certification-program-for-integrators-and-resellers
• Q&A with a PFI and QSA https://blog.pcisecuritystandards.org/q-and-a-with-community-meeting-speaker-steve-marshall
• Vulnerabilities found with smartphone payment systems (e.g. in QR codes and sound) allow tokens to be reused https://www.theregister.co.uk/2018/03/23/mobilepaymentstokeninterceptiontalkblackhat_asia/
• Explanation of the Terminated Merchant File https://www.linkedin.com/pulse/what-terminated-merchant-file-mark-sands/
• Moneris article and video on 5 tips to avoid major chargebacks https://insights.moneris.com/h/i/415603413-the-top-five-reasons-for-chargebacks-video
• Cash is not dying out https://www.mobilepaymentstoday.com/news/study-swedes-prefer-cash-remain-as-payment-option/

Breaches / Leaks

• Expedia subsidiary Orbitz' legacy system breached for 880K payment cards https://www.bankinfosecurity.com/expedias-orbitz-suspects-880000-payment-cards-stolen-a-10729
• How Troy Hunt separated Have I Been Pwned from shady data breach services https://www.troyhunt.com/the-legitimisation-of-have-i-been-pwned
• American's spent $1.4B on Credit Freezes after Equifax https://krebsonsecurity.com/2018/03/survey-americans-spent-1-4b-on-credit-freeze-fees-in-wake-of-equifax-breach/
• 2K servers exposing passwords, AWS keys, and encryption keys via etcd service over the internet https://arstechnica.com/information-technology/2018/03/thousands-of-servers-found-leaking-750-mb-worth-of-passwords-and-keys/
• Using "honey tokens" to detect security breaches at scale https://www.darkreading.com/cloud/hunting-cybercriminals-with-aws-honey-tokens/d/d-id/1331342
• San Diego sues Experian over 2013 data theft https://krebsonsecurity.com/2018/03/san-diego-sues-experian-over-id-theft-service/

Laws & Regulations / Standards

• Poison blockchain? Illegal to keep. Nearly impossible to remove? Bitcoin miners face a range of legal jeopardy because the blockchain metadata stores arbitrary uncensored content including copyrighted works, PII, porn, and at least one child-abuse image https://www.theguardian.com/technology/2018/mar/20/child-abuse-imagery-bitcoin-blockchain-illegal-content
• Australia sues Equifax https://www.databreachtoday.com/australia-sues-equifax-alleges-false-claims-to-consumers-a-10722
• Police using warrants to demand Google location data of anyone who was close to the scene of a crime http://www.wral.com/Raleigh-police-search-google-location-history/17377435/
• GDPR and changes to WHOIS records will mean months and months of more spam and scams https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
• Paper on GDPR and PCI concludes cardholder data is personal information and PCI may not be enough to meet GDPR http://withoutfire.com/2018/03/gdpr-and-pci-dss-appropriate-bedfellows/
• NIST releases draft Cyber Resiliency to help address Advanced Persistent Threats (APTs) https://csrc.nist.gov/news/2018/draft-sp-800-160-vol-2-released and https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/draft
• NIST releases Fog/Mist Computing Conceptual Model for IoT https://csrc.nist.gov/News/2018/Fog-Computing-for-Internet-of-Things-Devices and https://csrc.nist.gov/publications/detail/sp/500-325/final
• "Biohacker" who implanted transit card chip in himself gets fined http://www.bbc.com/news/technology-43428003
• More information has surfaced about the GreyKey iPhone Unlocker tool being used by law enforcement https://www.schneier.com/blog/archives/2018/03/greykeyiphone\.html
• Troll patent of the month: payment tokens https://www.eff.org/deeplinks/2018/03/stupid-patent-month-token-troll-appreciation
• Anti-patent-troll web site with prizes for good prior art https://patroll.unifiedpatents.com/

Privacy

• The big news this week is the Facebook-Cambridge Analytica privacy scandal which may arguably be called a breach and may well be worse than Equifax, our mini-news summary with 22 links https://controlgap.com/blog/cambridge-analytica-facebook-scandal/

• More relating to Cambridge Analytica:

  • Cambridge involved in over 200 elections world-wide http://www.bbc.co.uk/news/world-43476762
  • Cambrigde CEO, Nix, suspended https://www.wired.com/story/cambridge-analytica-suspends-alexander-nix-amid-scandals
  • Cambridge used Protonmail's secure vanishing emails to eliminate paper trails https://www.infosecurity-magazine.com/news/cambridge-analytica-used-protonmail/
  • India takes down Cambridge web site http://www.bbc.co.uk/news/world-asia-india-43482391
  • Cambridge whistleblower ran pilot project with Liberal Party of Canada https://www.thestar.com/news/canada/2018/03/20/facebook-data-whistleblower-oversaw-pilot-project-for-liberals-in-2016-source-says.html

• More relating to Facebook:

  • Researcher at center of Facebook/Cambridge Analytica scandal had data on 57B friendships in every country! https://www.theguardian.com/news/2018/mar/22/facebook-gave-data-about-57bn-friendships-to-academic-aleksandr-kogan
  • FTC investigating https://www.bloomberg.com/news/articles/2018-03-20/ftc-said-to-be-probing-facebook-for-use-of-personal-data
  • Facebook shareholder starts class action suit over Cambridge scandal losses http://www.businessinsider.com/facebook-sued-over-cambridge-analytica-scandal-2018-3
  • Facebook stock now off-limits to large Nordic bank investment unit https://qz.com/1234267/nordea-has-put-facebooks-stock-in-quarantine-as-the-price-plunges/
  • EPIC file FOIA on FTC for Facebook 2015 & 2017 privacy assessments (with links to previously obtained 2012 & 2013 reports) https://epic.org/2018/03/epic-foias-ftc-seeks-facebooks.html
  • Zuckerberg sold off stock ahead of breach/scandal news breaking https://www.marketwatch.com/story/zuckerberg-saved-tens-of-millions-by-selling-facebook-stock-ahead-of-monday-decline-2018-03-19
  • Zuckerberg requested to appear before UK parlimentary committee http://www.bbc.co.uk/news/uk-43474760
  • Zuckerberg silent for five days  http://money.cnn.com/2018/03/20/technology/mark-zuckerberg-facebook-data-controversy/index.html and finally surfaces in a CNN interview http://money.cnn.com/2018/03/21/technology/mark-zuckerberg-apology/index.htm
  • Congress asks Zuckerberg to testify https://www.pymnts.com/facebook/2018/facebook-ceo-mark-zuckerberg-cambridge-analytica/
  • A look at some of Facebooks' proposed changes http://www.businessinsider.com/facebook-is-limiting-developers-access-to-account-data-heres-how-that-will-impact-them-2018-3
  • Stock plunged $58B by Friday morning http://www.bbc.com/news/business-43517995
  • NYT opinion the Facebook Surveillance Machine https://www.nytimes.com/2018/03/19/opinion/facebook-cambridge-analytica.html recommended reading by  Schneier https://www.schneier.com/blog/archives/2018/03/zeyneptufekci\.html

Bugs / Design Flaws

• Ledger Crypto Wallet broken by 15 year old security researcher https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/
• DHS warns of hardcoded credentials in GE healthcare imaging systems https://www.databreachtoday.com/dhs-some-ge-imaging-devices-are-vulnerable-a-10727
• Mozilla master password system uses weak password hashing https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/
• Schneier on the CTS bugs and AMD ambush https://www.schneier.com/blog/archives/2018/03/israeli_securit.html
• Geutebrück releases firmware updates for IoT cameras https://www.bleepingcomputer.com/news/security/firmware-updates-released-for-security-camera-dumpster-fire/

Hacking / Malware / Cybercrime

• Google served up fake Amazon malware page as ad http://www.zdnet.com/article/scammers-tricked-google-into-posting-amazon-scam-ads/
• Coverity's Open source code scanning service was down for crypto-jacking https://www.theregister.co.uk/2018/03/19/coverityscancryptomining/
• Discussion and link to paper on browser based crypto-jacking https://www.schneier.com/blog/archives/2018/03/hijacking_compu.html
• PinkKite malware hits Windows POS systems https://www.itworldcanada.com/article/canada-used-by-pos-thieves-to-hide-data-theft/402853 and https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/
• Image of Scarlett Johansson uses steganography to hide crypto-mining malware http://www.zdnet.com/article/meet-the-scarlett-johansson-postgresql-malware-attack/ and here are the details of how it was done https://securityboulevard.com/2018/03/a-deep-dive-into-database-attacks-part-iii-why-scarlett-johanssons-picture-got-my-postgre-database-to-start-mining-monero/ and https://www.imperva.com/blog/2018/03/deep-dive-database-attacks-scarlett-johanssons-picture-used-for-crypto-mining-on-postgre-database/
• Agressive ad malware found pre-installed on 5M popular android phones (with removal instructions) https://thehackernews.com/2018/03/android-botnet-malware.html
• Peurto Rico's electric utility attacked impacting customer support functions https://www.darkreading.com/attacks-breaches/puerto-ricos-electric-utility-hacked-in-weekend-attack/d/d-id/1331328
• The City of Atlanta's business operations were hit with a ransomware attack https://www.databreachtoday.com/atlanta-ransomware-attack-freezes-city-business-a-10735
• DoJ indicts 9 Iranians over hacks https://www.darkreading.com/attacks-breaches/doj-indicts-9-iranians-for-hacking-into-hundreds-of-universities-ferc-dept-of-labor-others/d/d-id/1331358
• Guccifer 2.0 outed https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer

Other Security / Risk

• An article explaining the creepy sounding social science of "psychographics" at the heart of the Cambridge Analytica scandal https://www.wired.com/story/the-noisy-fallacies-of-psychographic-targeting/
• Does anyone else find this coincidence a bit creepy?! Research and tool to assess gullibility from Ross Anderson @ Cambridge University (not Analytica) - relax you can use a paper copy https://www.lightbluetouchpaper.org/2018/03/16/we-will-make-you-like-our-research/
• Bitcoin investors targeted by NSA https://www.express.co.uk/finance/city/934756/Bitcoin-price-crash-cryptocurrency-value-plunge-latest-NSA-report-could-worry-investor-BTC and https://motherboard.vice.com/en_us/article/d358kj/the-nsa-tried-tracking-bitcoin-users-in-2013-snowden-intercept
• The taxman is coming for crypto traders and https://www.theguardian.com/technology/2018/mar/18/cryptocurrency-bitcoin-irs-tax
• Uber halts self-driving car testing after pedestrian death http://www.bbc.co.uk/news/business-43459156
• Technology giants face European 'digital tax' blow - http://www.bbc.co.uk/news/business-43486403
• Code imbalance and another lesson from the recent Facebook problems https://www.eff.org/deeplinks/2018/03/yet-another-lesson-from-the-cambridge-analytica-fiasco
• Intel discusses new Meltdown/Spectre safeguards https://threatpost.com/intel-details-cpu-virtual-fences-fix-as-safeguard-against-spectre-meltdown-flaws/130501/
• AMD also promises firmware security fixes https://arstechnica.com/gadgets/2018/03/amd-promises-firmware-fixes-for-security-processor-bugs/
• How to change your facebook settings to opt out of platform API sharing https://www.eff.org/deeplinks/2018/03/how-change-your-facebook-settings-opt-out-platform-api-sharing
• Opinion: time to dump Facebook https://www.thestar.com/business/2018/03/20/a-growing-list-of-reasons-to-unlike-facebook.html
• DoH! DNS over HTTPS a draft standard is being tested by Mozilla https://www.bleepingcomputer.com/news/software/mozilla-is-testing-dns-over-https-support-in-firefox/
• Chrome extension helps you wipe Facebook Profile https://www.bleepingcomputer.com/news/security/social-book-post-manager-chrome-extension-lets-you-wipe-your-facebook-profile/
• Using AI for content moderation https://freedom-to-tinker.com/2018/03/21/artificial-intelligence-and-the-future-of-online-content-moderation/
• Purdue's R2D2 (Reactive Redundancy for Data Destruction) protects data in VMs from data-wiping malware by blocking secure-delete techniques (but what if you need secure deletes?) https://www.bleepingcomputer.com/news/security/new-r2d2-technique-protects-files-against-wiper-malware/
• IBM cryptoanchors project (think RFID chips on steroids) produces $0.10 1M transistor computer https://www.bleepingcomputer.com/news/technology/ibm-reveals-a-computer-the-size-of-a-grain-of-salt/
• Google's new cloud security dashboard https://www.wired.com/story/google-cloud-security-command-center/
• Apple rolls out supercookie prevention measures to fight HSTS abuse https://thehackernews.com/2018/03/hsts-supercookie-tracking.html

Off-Topic

• Canadian researchers find molecule that inhibits fungal infections https://scienmag.com/research-with-made-in-canada-molecule-targets-fungal-infections-worldwide/
• Rover Curiosity - 2000 sols (days) on Mars http://www.bbc.com/news/science-environment-43494227
• Kepler data points to exo-comets! http://www.syfy.com/syfywire/exocomets-detected-orbiting-nearby-stars-in-other-words-alien-comets
• After finding the wreck of the Lexington, Paul Allen's expedition has found the wreck of the USS Juneau (famed of the 5 Sullivan brothers) https://www.washingtonpost.com/news/retropolis/wp/2018/03/20/five-sullivan-brothers-serving-together-were-killed-during-world-war-ii-their-ship-was-just-found/
• Stirred, not shaken: 339 "objects" will be leaving our solar system because 70,000 years ago Scholz's star passed through the Oort Cloud https://www.universetoday.com/138844/70000-years-ago-nearby-star-messed-orbits-comets-asteroids-solar-system/