Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• FAQ's published for Software PIN on COTS https://blog.pcisecuritystandards.org/new-faqs-on-software-based-pin-entry-on-cots
• PCI DSS 3.2.1 is coming very soon https://blog.pcisecuritystandards.org/coming-soon-minor-pci-dss-revision
• Official PCI Cloud Computing guidance has been updated https://www.pcisecuritystandards.org/pdfs/PCISSCCloudGuidelinesv3.pdf
• FAQ 1091 on PAN truncation has been updated for Mastercard guidance  on 8-digit BINs https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/What-are-acceptable-formats-for-truncation-of-primary-account-numbers
• ATM jackpotting attacks on the rise in Europe https://www.bankinfosecurity.com/no-card-required-black-box-atm-attacks-move-into-europe-a-10820
• Almost 2/3 of Global POS card transactions are EMV Chip and terminal based http://www.digitaltransactions.net/nearly-two-thirds-of-global-pos-card-transactions-now-involve-emv-chip-cards-and-terminals/

Breaches / Leaks

• There has been a recent peek in healthcare breaches https://www.databreachtoday.com/health-data-breach-tally-spikes-in-recent-weeks-a-10816

Laws & Regulations / Standards

• EFF opinion on the implications of (ab)using the CFAA to stop web scraping you don't like https://www.eff.org/deeplinks/2018/04/scraping-just-automated-access-and-everyone-does-it
• Recommended article and video, Troy Hunt weighs in on pros and cons both sides of the case of a 19 year old Nova Scotia man charged with hacking for enumerating files https://www.troyhunt.com/enumerationis-enumerating-resources-on-a-website-hacking/
• Congress is looking skeptically at FBI's assertions about the "going dark" problem https://www.eff.org/deeplinks/2018/04/congressmembers-raise-doubts-about-going-dark-problem
• NIST updates Cryptographic Key Establishment Recommendations: Special Publications 800-56A and 800-56C, update: https://csrc.nist.gov/News/2018/NIST-Publishes-Updates-to-SP-800-56A-and-800-56C and details: https://csrc.nist.gov/publications/detail/sp/800-56A/rev-3/final and https://csrc.nist.gov/publications/detail/sp/800-56C/rev-1/final
• BC court isn't buying Google's argument that global take-down order violates US laws and rights http://www.michaelgeist.ca/2018/04/bcrulingonequustek/

Privacy

• Cambridge Analytica had other surveys and likely accessed far more data than just the 87M Facebook users disclosed so far https://www.theguardian.com/uk-news/2018/apr/17/facebook-users-data-compromised-far-more-than-87m-mps-told-cambridge-analytica

• More on Facebook

  • 1.5B users moved from Facebook Ireland to avoid GDPR https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law
  • Tracking of non-users http://www.theregister.co.uk/2018/04/17/facebookadmitstotrackingnon_users/
  • Third parties (trackers) abusing Facebook's login service https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/
  • Facial recognition may run afoul of EU's GDPR https://www.cnbc.com/2018/04/19/facebooks-facial-recognition-may-not-meet-gdpr-rules.html
  • How to stop Facebook from looking for you with face recognition https://www.theverge.com/2018/3/27/17165150/facebook-face-recognition-how-to-turn-off-disable
• A reporter loaded her home up with IoT, Assistants, and devices that spied on her then did a TED talk about the smart home that spied on its owner - http://www.bbc.co.uk/news/technology-43747421
• Marketing, Data, Security, and the GDPR https://www.darkreading.com/risk/compliance/how-gdpr-forces-marketers-to-rethink-data-and-security/a/d-id/1331475
• Millions of apps leak data through ad interfaces https://threatpost.com/millions-of-apps-leak-private-user-data-via-leaky-ad-sdks/131251/
• Political parties abusing privacy https://www.theglobeandmail.com/politics/article-significant-gap-in-oversight-of-how-political-parties-use-voter-data/

Bugs / Design Flaws

• Nothing screws up cryptography like bad random numbers, it turns out that Javascript’s SecureRandom function isn’t secure https://www.theregister.co.uk/2018/04/12/javascriptcryptolibraryfingeredforweakwallets/
• Google Project Zero finds Windows 10 security feature bypass https://www.zdnet.com/article/googles-project-zero-reveals-windows-10-lockdown-bypass/
• Oracle pushes out 254 security bugs https://www.theregister.co.uk/2018/04/19/oraclewhipsouttheswattersquishes254securitybugs/

Hacking / Malware / Cybercrime

• More Scientology linked fake online addiction rehab reviews bypassing Google's anti-abuse system https://krebsonsecurity.com/2018/04/a-sobering-look-at-fake-online-reviews/
• Facebook deletes 100+ private discussion groups with 300,000 members engaged in fraud and scams after Kreb’s investigation https://krebsonsecurity.com/2018/04/deleted-facebook-cybercrime-groups-had-300000-members/
• Kreb's concludes Twitter is a better way to report abuse to Facebook than their own s anti-abuse after reporting reasserted fraud and scam groups https://krebsonsecurity.com/2018/04/is-facebooks-anti-abuse-system-broken/
• Criminals stole a Casino's high roller database by pivoting through a fish-tank thermometer http://uk.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
• Another Bitcoin theft, 438 btc ($3.5M) taken from wallet at India's Coinsecure exchange https://www.theregister.co.uk/2018/04/13/coinsecurebtcmissing_bitcoin/
• The Early Bird malware code injection attack https://thehackernews.com/2018/04/early-bird-code-injection.html
• UK identity theft and fraud spikes in 2017 https://www.theregister.co.uk/2018/04/18/idtheftinukatrecordhighcifasreport/
• 20M users installed malicious ad blockers from Chrome store https://thehackernews.com/2018/04/adblocker-chrome-extention.html

Other Security / Risk

• Schneier essay on securing elections https://www.schneier.com/blog/archives/2018/04/securingelecti1.html
• Presentation on the Ethics of Mathematics https://www.lightbluetouchpaper.org/2018/04/20/ethics-of-mathematics/
• Police in the UK were able to extract a fingerprint from a photo https://www.schneier.com/blog/archives/2018/04/liftingafinge.html
• Review of and link to Thales security report https://www.bleepingcomputer.com/news/government/federal-agencies-hit-with-more-data-breaches-than-other-sectors-330-million-at-risk/
• 34 tech companies sign accord not to assist government hacking operations https://www.bleepingcomputer.com/news/government/34-tech-firms-sign-accord-not-to-assist-government-hacking-operations/
• Intel to utilize co-processors to improve threat detection https://www.theregister.co.uk/2018/04/17/intelgpumalwaredetectionsecurity/
• Android P developer preview sporting private DNS support (DNS over TLS) https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
• Gmail enhancements will cut-off interfaces to existing email using a "walled-garden" analogy https://www.theregister.co.uk/2018/04/16/googlegmailsecurity/
• One year after Wannacry[pt] the NHS has yet to set an action plan https://www.theregister.co.uk/2018/04/18/mpsslamnhsforlackofactionplanoneyearonfromwannacry/
• Is Russia behind hacks of network gear http://www.bbc.com/news/technology-43788338
• GCHQ doesn't like ZTE network kit https://www.theregister.co.uk/2018/04/16/ztegchqwarning/
• The Chilling effects of the DMCA on security research https://www.schneier.com/blog/archives/2018/04/thedmcaand_it.html
• Hijacking emergency sirens by radio https://www.schneier.com/blog/archives/2018/04/hijacking_emerg.html
• T-mobile fined $40M for incomplete calls and fake ring tones https://arstechnica.com/information-technology/2018/04/t-mobile-deceived-customers-with-false-ring-tones-on-failed-phone-calls/
• Hijacking social media threads as SPAM https://www.troyhunt.com/social-media-thread-hijacking-is-nothing-more-than-targeted-spam

Off-Topic

• NASA's Transiting Exoplanet Survey Satellite (TESS)  launched successfully https://www.space.com/40320-spacex-nasa-tess-exoplanet-satellite-launch.html and will scan 200K bright stars covering 85% of the sky looking for exoplanets http://www.syfy.com/syfywire/everything-you-need-to-know-about-tess-nasas-new-planet-finding-space-observatory
• Scientists look at geological record for evidence of possible ancient industrial societies https://www.universetoday.com/139034/could-we-detect-an-ancient-industrial-civilization-in-the-geological-record/
• Burned Ferrari 308 restored and electrified (to the horror of purists) and blows the doors off the original https://www.cnn.com/2018/04/19/motorsport/electric-ferrari-308-intl-supercharged-spt/index.html
• Robots and IKEA, the ultimate goal for Swedish self-assembly furniture may be in sight https://www.nytimes.com/2018/04/18/science/robots-ikea-furniture.html