This Week’s [in]Security – Issue 54
09 Apr 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- The PCI Standards Council recently raised the bar for assessors in terms of industry certifications; it has now partnered with ISACA to make those certifications more affordable https://blog.pcisecuritystandards.org/isaca-partners-with-pci-ssc-to-provide-discount-on-industry-certifications
- Interesting chip card fraud using mail interception https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/
Breaches / Leaks
- Study found 1.5B files amassing a staggering 12PB (i.e. 12,000 TB) of data online and 93% of it was NON-cloud hosting. Note that more study is needed as the percentage of encrypted vs. unencrypted files is not known https://www.theregister.co.uk/2018/04/05/billionsfilesexposedawsftpwideopen/
- Female ridesharing company “DriveHer” hit by breach of driver PII https://www.thestar.com/news/gta/2018/04/04/driveher-ride-sharing-app-for-women-suspends-service-after-data-breach-exposes-personal-information.html
- Shutterfly PII breach https://www.enterprisetimes.co.uk/2018/04/05/shutterfly-reacts-to-data-breach/
- Sears & Delta service provider [24]7.ai hit by a small breach affecting online sales that used the customer chat function http://fortune.com/2018/04/05/sears-delta-data-breach/
- Best Buy affected by [24]7.ai breach. No word on other customers including AT&T, Citi, eBay, Farmers Insurance and Hilton https://www.cnet.com/news/best-buy-data-breach-24-7-ai/
- Panera Bread has had an 8-month-long leak of as many as 37M records of customer data from its online ordering system and tried to cover up the extent of the breach (note: card data appears properly truncated, so this wouldn't be considered a payment breach) https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
- More on Panera Bread’s reaction to being told they were leaking data https://arstechnica.com/information-technology/2018/04/panera-accused-security-researcher-of-scam-when-he-reported-a-major-flaw/
- The Under Armour / MyFitnessPal breached data used a mix of password hashes. While most passwords were hashed with bcrypt, an undisclosed number were hashed with the weak SHA-1 https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing
- Drones For Less breach of customer (not cardholder) data https://www.theregister.co.uk/2018/04/06/dronesforlessdatabreach/
- Massachusetts lawsuit against Equifax can proceed https://www.theglobeandmail.com/business/article-massachusetts-lawsuit-against-equifax-over-data-breach-allowed-to/
Laws & Regulations / Standards
- Canada’s breach disclosure rules go into effect November 1, 2018 http://www.michaelgeist.ca/2018/04/coming-soon-or-at-least-by-november-government-sets-a-date-for-data-breach-disclosure-rules-to-take-effect/
- California addresses Net Neutrality https://www.eff.org/deeplinks/2018/04/californias-legislature-seeks-protect-network-neutrality-and-promote-isp
- Court rules some fees charged for public access to court records are illegal https://freedom-to-tinker.com/2018/04/01/judge-declares-some-pacer-fees-illegal-but-does-not-go-far-enough/
- US Supreme Court considering case for world-wide damages for infringement of US patents https://www.eff.org/deeplinks/2018/04/eff-supreme-court-dont-turn-us-patents-worldwide-patents
- The FBI had the capability to get into the San Bernardino shooter's iPhone; a look into the Inspector General’s report https://www.eff.org/deeplinks/2018/04/fbi-could-have-gotten-san-bernardino-shooters-iphone-leadership-didnt-say
- US Consumer Product Safety Commission to hold hearings on IoT risks, link and discussion https://www.schneier.com/blog/archives/2018/04/publichearing.html
Privacy
- Telus supports national website blocking proposal with dubious arguments http://www.michaelgeist.ca/2018/04/telus-website-blocking-submission-no-copyright-expertise-needed-and-no-net-neutrality-violation-if-everyone-blocks-websites/
- Gay dating app under fire for sharing users’ HIV status and leaking location information https://www.buzzfeed.com/azeenghorayshi/grindr-hiv-status-privacy and https://www.nbcnews.com/feature/nbc-out/security-flaws-gay-dating-app-grindr-expose-users-location-data-n858446
- UK raids Cambridge Analytica, looks to GDPR and possible other regulation https://www.economist.com/news/britain/21739707-new-and-rapidly-growing-british-industry-gets-shock-britain-moves-rein-data-analytics
- The Facebook scandal and the reaction to it continue to grow:
- Facebook’s shutdown of its partner categories program has more to do with GDPR than with Cambridge Analytica https://www.eff.org/deeplinks/2018/04/facebook-isnt-telling-whole-story-about-its-decision-stop-partnering-data-brokers
- Facebook’s GDPR support will not roll out world-wide https://www.databreachtoday.com/facebooks-zuckerberg-gdpr-wont-apply-worldwide-a-10763
- Facebook ups estimate of Cambridge’s data grab to 87M including people outside the US http://www.bbc.com/news/technology-43649018 and https://fbnewsroomus.files.wordpress.com/2018/04/ca-country-list.jpg
- As many as 2.2B users’ data harvested through abuse of phone number search https://thehackernews.com/2018/04/facebook-data-privacy.html and http://www.bbc.co.uk/news/technology-43656746
- And what sounds like a phenomenally bad idea for hospitals to share data on vulnerable patients with Facebook https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html
Bugs / Design Flaws
- Intel Remote Keyboard app on Android and iOS dropped due to insecurities https://threatpost.com/intel-tells-remote-keyboard-users-to-delete-app-after-critical-bug-found/130974/
- Out-of-band patch for the Meltdown patch https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night
- Intel won’t be fixing Spectre variant 2 in many processors https://www.theregister.co.uk/2018/04/04/intelsayssomecpuswithspectrev2cantbe_fixed/
- Austrian man reverse engineers his bank's mobile API with Burp Suite and finds vulnerabilities https://blog.haschek.at/post/fc874
- Remote code execution in Windows Defender rar file processing https://www.theregister.co.uk/2018/04/04/microsoftwindowsdefenderrarbug/
Hacking / Malware / Cybercrime
- KevDroid malware records calls and audio, tracks locations, steals call logs, inventories apps, and roots Android phones https://thehackernews.com/2018/04/android-spying-trojan.html
- A SWIFT attack thwarted in Malaysia https://www.bankinfosecurity.com/malaysias-central-bank-blocks-attempted-swift-fraud-a-10758
Other Security / Risk
- 40% of employees believe they have ZERO responsibility for securing information https://www.datex.ca/blog/employees-confused-about-cybersecurity-responsibilities
- Study of 130 companies finds overly broad internal access, stale data, and ghost accounts https://www.darkreading.com/operations/identity-and-access-management/one-third-of-internal-user-accounts-are-ghost-users/d/d-id/1331443
- Mystery “IMSI Catchers” found in Washington DC. https://www.theregister.co.uk/2018/04/03/imsicatcherstingraywashingtondc/
- Follow-up on last week's “.cm” typosquatting article shows that a lot more people than you might think omit the “o” https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/
- Risks of not “claiming” your business on Google Maps https://www.thestar.com/news/gta/2018/03/28/internet-police-warn-business-owners-of-sabotage-on-google-maps.html
- Challenges for connected hospitals https://blog.trendmicro.com/trendlabs-security-intelligence/challenges-in-securing-connected-hospitals
- EFF launches a new version of the “HTTPS Everywhere” plugin that ensures if a site offers HTTPS then you will use it https://www.eff.org/deeplinks/2018/04/https-everywhere-introduces-new-feature-continual-ruleset-updates
- “Fetch”, a new idea for trading data https://www.economist.com/news/science-and-technology/21739644-securing-data-networks-new-ways-trade-data
- DARPA looking at advanced ways to test hardware security https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/new-darpa-contract-looks-to-avoid-another-meltdown/d/d-id/1331452
- "Oblivious DNS", a proposal to ensure no single party sees both the DNS query and the originating subnet/IP address https://freedom-to-tinker.com/2018/04/02/a-privacy-preserving-approach-to-dns/
- Cloudflare's 1.1.1.1 DoH service (DNS over HTTPS) http://www.bbc.com/news/world-us-canada-43622862
- Summary and discussion of research into secret communications over backdoored encryption https://www.schneier.com/blog/archives/2018/04/subverting_back.html
- Leaked Russian emails expose disinformation and dirty tricks http://www.businessinsider.com/leaked-emails-show-russia-uses-paid-thugs-to-sow-dissent-and-chaos-2018-4
- Apple planning to move off Intel chips to a new high-end ARM CPU https://thehackernews.com/2018/04/apple-mac-arc-intel.html
- AI lessons learned from Microsoft’s short lived chatbot “Tay” https://www.technologyreview.com/s/610634/microsofts-neo-nazi-sexbot-was-a-great-lesson-for-makers-of-ai-assistants/
- Are we in for a new round of trade wars with the US vs. everyone?
- China strikes back at US tariffs https://www.ft.com/content/8022a546-3651-11e8-8b98-2f31af407cc8 and the White House rebukes them http://www.bbc.com/news/world-us-canada-43622862
- Trump doubles down with $100B tariff threat on China http://www.bbc.com/news/business-43664243
- Ontario hits back at New York "Buy American" legislation https://www.thestar.com/business/economy/2018/04/02/ontario-fires-back-at-new-yorks-buy-american-policy.html
Off-Topic
- The curious phenomenon of “Twin Movies” http://www.bbc.com/news/entertainment-arts-43371881
- Something is hiding inside Venus’s cloud layer, could it be life? http://www.syfy.com/syfywire/life-in-hell-could-venus-have-a-bacterial-infection
- Our galactic center is home to as many as 10,000 smaller black holes http://www.bbc.com/news/science-environment-43648152
- The lunar X-prize expired unclaimed and why getting back to the moon is hard https://www.technologyreview.com/s/610720/why-getting-back-to-the-moon-is-so-damn-hard/
- In the wake of last week’s reentry of China’s space station, a look at space junk that rains down https://www.universetoday.com/138919/did-you-know-that-a-satellite-crashes-back-to-earth-about-once-a-week-on-average/