Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI video on secure remote access https://blog.pcisecuritystandards.org/video-secure-remote-access
• New P2PE merchant case study https://blog.pcisecuritystandards.org/pci-p2pe-in-practice-case-study-northwestern-university-and-cardconnect
• App scarfs card data for reuse on e-commerce sites that don't check the security codes (e.g. CVV2) https://www.thesun.co.uk/news/5998850/crooks-use-legal-google-app-to-steal-your-card-details/
• Verifone acquired https://www.mobilepaymentstoday.com/news/private-equity-firm-acquires-verifone-for-34b/
• A look at penetration testing and PCI https://controlgap.com/blog/penetration-testing/

Breaches / Leaks

• UK based Cinema voucher service breached for unknown amount of card data https://www.theregister.co.uk/2018/04/09/cinemavoucherbiztellscustomerstocancelcreditcardsfollowingbreach/
• Finnish website hacked for 130K plain text passwords is third largest breach for Finland https://thehackernews.com/2018/04/helsingin-uusyrityskeskus-hack.html
• Zappos data breach lawsuit can proceed, Ninth Circuit Rules https://www.manatt.com/Insights/Newsletters/Advertising-Law/Zappos-Must-Face-Data-Breach-Lawsuit-Ninth-Circui

Laws & Regulations / Standards

• Uber discovers that being dishonest with regulators carries a price https://www.databreachtoday.com/uber-faces-stricter-ftc-oversight-after-concealing-breach-a-10800

• NIST had a busy week:

  • Releases Criticality Analysis Process Model a best practice to help organizations to identify their most vital systems and components which may need additional protections. Update: https://csrc.nist.gov/News/2018/NISTIR-8179-Criticality-Analysis-Process-Model and details: https://csrc.nist.gov/publications/detail/nistir/8179/final
  • Opens comment period for draft revision of Special Publication 800-57 Part 2, Cryptographic Key Management Best Practices. Update: https://csrc.nist.gov/News/2018/NIST-releases-Draft-SP-800-57-Part-2-Rev-1 and details: https://csrc.nist.gov/publications/detail/sp/800-57-part-2/rev-1/draft
  • Releases draft SP 800-125A Revision 1, Security Recommendations for Server-based Hypervisor Platforms. Update: https://csrc.nist.gov/News/2018/NIST-Releases-Draft-SP-800-125A-Rev-1 and details: https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/draft
• Both the US and EU are ignoring territoriality and privacy to fast track law enforcement data requests https://www.eff.org/deeplinks/2018/04/us-cloud-act-and-eu-privacy-protection-race-bottom
• Discussion and links to study of Children's Online Privacy Protection Act compliance in mobile apps https://www.schneier.com/blog/archives/2018/04/coppa_complianc.html
• Police forces have been buying up iOS phone unlocker https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iphone-ios11-graykey-grayshift-police
• FOI request requires 80 year extension https://www.thestar.com/news/canada/2018/04/12/federal-department-tells-researcher-his-document-request-will-be-ready-in-80-years.html
• Two different outcomes in two cases of people with convictions suing Google in UK over right to be forgotten https://www.theguardian.com/technology/2018/apr/13/google-loses-right-to-be-forgotten-case
• Former Ontario Chief of Staff jailed for data destruction role in scandal https://www.thestar.com/news/queenspark/2018/04/11/former-chief-of-staff-to-premier-dalton-mcguinty-gets-four-months-in-jail-for-wiping-hard-drives-in-wake-of-gas-plants-scandal.html
• Dismissed DBA sentenced for hacking airline database https://www.darkreading.com/attacks-breaches/former-airline-database-administrator-sentenced-for-hacking-reservation-system/d/d-id/1331530
• Nova Scotia man charged for downloading private documents from a public web site http://www.cbc.ca/news/canada/nova-scotia/concerns-teen-in-privacy-breach-being-railroaded-to-cover-government-slip-1.4616972
• Washington DC court rules using automated tools to access public documents in violation of terms of service isn’t a crime https://www.eff.org/deeplinks/2018/04/dc-court-accessing-public-information-not-computer-crime

Privacy

• New CitizenLab news https://mailchi.mp/citizenlab/middlebox-redirects-in-turkey-and-syria-toronto-police-caught-using-imsi-catchers-and-protecting-yourself-with-security-planner
• Krebs article on social media "surveys" that are boldly harvesting answers to "secret questions" used to recover access to your accounts https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/
• A look at when the business model *is* the privacy violation and "privacy theatre" https://freedom-to-tinker.com/2018/04/12/when-the-business-model-is-the-privacy-violation/

• More on Facebook

  • How FB will tell users if their data was shared with Cambridge Analytica http://www.bbc.com/news/technology-43698733
  • Data Analytics companies CubeYou and Aggregate IQ suspended https://www.cnbc.com/2018/04/08/cubeyou-cambridge-like-app-collected-data-on-millions-from-facebook.html and https://www.theguardian.com/us-news/2018/apr/06/facebook-suspends-aggregate-iq-cambridge-analytica-vote-leave-brexit
  • Whistleblower says data taken by Cambridge may be in Russia https://www.cnn.com/2018/04/08/politics/cambridge-analytica-data-millions/index.html
  • FB introduces new controls on political ads and fake news https://www.theguardian.com/technology/2018/apr/06/facebook-launches-controls-regulate-ads-publishers
  • Facebook: Cambridge Analytica data included user’s private messages http://www.bbc.co.uk/news/technology-43718175
  • Class action suits against Facebook and Cambridge Analytica under the US Stored Communications Act https://www.theguardian.com/news/2018/apr/10/cambridge-analytica-and-facebook-face-class-action-lawsuit
• How Facebook 'likes' can analyze your personality https://www.cnn.com/2018/04/10/health/facebook-likes-psychographics/index.html, foreshadowed by a 2013 article that likes could determine your race, gender, and sexual orientation https://www.theatlantic.com/technology/archive/2013/03/armed-with-facebook-likes-alone-researchers-can-tell-your-race-gender-and-sexual-orientation/273963/
• Compliant lodged against YouTube claims they violate US child protection laws http://www.bbc.com/news/technology-43699233
• How to see the data Google collects including location data and “incognito” browsing  https://www.zerohedge.com/news/2018-04-10/googles-file-you-10-times-bigger-facebooks-heres-how-view-it
• Hashed emails widely used for tracking and are not secure nor pseudonymous under GDPR https://freedom-to-tinker.com/2018/04/09/four-cents-to-deanonymize-companies-reverse-hashed-email-addresses/
• Approaches to consider for sharing data with researchers https://freedom-to-tinker.com/2018/04/10/is-it-time-for-an-data-sharing-clearinghouse-for-internet-researchers/

Bugs / Design Flaws

• Smartphone manufacturers still aren’t getting Android updates right and some are lying about it to their users https://thehackernews.com/2018/04/android-security-update.html
• GitHub dependency vulnerability graph finds 4M open-source vulnerabilities and is yielding fixes https://techbeacon.com/github-dependency-graph-delivers-4m-open-source-vulnerabilities-exposed
• One-Fifth of Open-Source Serverless Apps Have Critical Vulnerabilities https://www.infosecurity-magazine.com/news/onefifth-of-serverless-apps/
• CyberArk Enterprise Password Vault remote code execution bug https://thehackernews.com/2018/04/enterprise-password-vault.html
• Fuze card design oversight allows for third-parties to easily siphon card numbers, expiration dates, and CVV codes https://arstechnica.com/information-technology/2018/04/whatever-you-do-dont-give-this-programmable-payment-card-to-your-waiter/
• Previewing an RTF file yields up password hashes for cracking https://threatpost.com/outlook-bug-allowed-hackers-to-use-rtf-files-to-steal-windows-passwords/131169/
• EEG systems vulnerable to multiple vulnerabilities https://arstechnica.com/information-technology/2018/04/hacking-your-brain-researchers-discover-security-bugs-in-eeg-systems/

Hacking / Malware / Cybercrime

• Internet routing attacks https://freedom-to-tinker.com/2018/04/11/routing-attacks-on-internet-services/
• Kreb's on having your accountant hacked https://krebsonsecurity.com/2018/04/when-identity-thieves-hack-your-accountant/
• Thousands of hacked websites are infecting visitors with malware using subtler upgrade your browser scam https://arstechnica.com/information-technology/2018/04/nasty-malware-campaign-using-thousands-of-hacked-sites-hid-for-months/
• Scam exploiting Gmails email address "dot blindness" to get someone else to pay for services  https://www.schneier.com/blog/archives/2018/04/obscuree-mail\.html
• Multi-Stage Email Word Attack Without Macros https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-Without-Macros/
• Island of Sint Maarten hit by cyber-attack https://www.theregister.co.uk/2018/04/10/cyberattacktakesoutnationalgovernmentforaweek/
• Researchers can now exfiltrate computer data through power lines https://thehackernews.com/2018/04/hacking-airgap-computers.html

Other Security / Risk

• Several annual security reports and reviews are out:

  • Verizon’s Data Breach Investigations Report https://www.verizonenterprise.com/verizon-insights-lab/dbir/
  • Trustwave’s Global security Report https://www2.trustwave.com/GlobalSecurityReport.html
  • Symantec’s Internet Security Threat Report https://www.symantec.com/security-center/threat-report
  • Review of Symantec's report: https://www.packetlabs.net/packetlabs-state-security-series-symantec-internet-security-threat-report/
  • Review of Verizon breach report : insider risk at 25% or breaches http://www.theregister.co.uk/2018/04/10/verizon_dbir/
• A day in the life of your stolen data https://www.datex.ca/blog/a-day-in-the-life-of-your-stolen-data
• In twitter exchange, T-Mobile Europe admits they store your credentials in the clear and claims great security https://gizmodo.com/did-t-mobile-really-just-admit-it-stores-customer-passw-1825058206 and https://motherboard.vice.com/amp/en_us/article/7xdeby/t-mobile-stores-part-of-customers-passwords-in-plaintext-says-it-has-amazingly-good-security
• Follow-up on T-mobile twitter exchange leads to disclosure and quick patching of severe vulnerability https://techgage.com/news/severe-t-mobile-austria-vulnerabilities-fixed/
• Raising the bar for face swapping videos https://www.technologyreview.com/s/610784/this-algorithm-automatically-spots-face-swaps-in-videos/
• Taking advantage of encrypted DNS isn't user friendly yet https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/
• Cloudflare now offering service that will protect any TCP ports https://www.theregister.co.uk/2018/04/13/cloudflarewilltakeanyportina_storm/
• Ontario hospital's exposure of tens of thousands of unused IP addresses was risky, says study http://www.itworldcanada.com/article/ontario-hospitals-exposure-of-tens-of-thousands-of-unused-ip-addresses-was-risky-says-study/403606
• A cautionary tale on contracts: in 1981 American Airlines made a huge pricing error with unlimited air travel passes, this is what happened https://thehustle.co/aairpass-american-airlines-250k-lifetime-ticket/

Off-Topic

• NASA "low boom" supersonic X-plane to test possibility of quieter supersonic passenger planes https://www.universetoday.com/138944/nasa-begins-construction-of-its-new-quiet-supersonic-plane/ (reminiscent of  X-3 Stiletto  https://www.nasa.gov/centers/armstrong/news/FactSheets/FS-077-DFRC.html))
• Virgin Galactic's Spaceship Two conducts supersonic test flight http://www.bbc.com/news/av/world-us-canada-43675329/virgin-galactic-spaceship-completes-test-flight
• Stunning images from Jupiter and how they're put together http://www.syfy.com/syfywire/turn-south-at-jupiter
• Tom Lehrer, PhD mathematician and satirical song writer of "The Elements" and "New Math" fame turns 90  https://www.nature.com/articles/d41586-018-03922-x
• Last week was the 101st anniversary of the Battle of Vimy Ridge http://www.veterans.gc.ca/eng/remembrance/history/first-world-war/fact_sheets/vimy
• A look at food, hydration, and Alzheimers http://www.latimes.com/local/abcarian/la-me-abcarian-tap-water-20180405-story.html