Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Software PIN on COTS (SPoC) update:

  • Announcement Q&A: https://blog.pcisecuritystandards.org/pci-software-based-pin-entry-on-cots-program-now-available
  • The program guide is now available https://www.pcisecuritystandards.org/documents/SPoCProgramGuidev1.0April2018.pdf

Breaches / Leaks

• The recently announced HBC / Saks breach was due to POS malware and ran 9 months from July 2017 http://www.cbc.ca/news/business/hbc-saks-data-breach-1.4638249
• Another medical records breach https://krebsonsecurity.com/2018/04/transcription-service-leaked-medical-records/
• Potential insider theft of client data 1.5M from Sun Trust https://www.darkreading.com/attacks-breaches/suntrust-ex-employee-may-have-stolen-data-on-15-million-bank-clients/d/d-id/1331610
• Yahoo fined $35M by SEC https://www.theregister.co.uk/2018/04/24/yahoofined35m/

Laws & Regulations / Standards

• Canadian's who legally buy pot could get banned from US entry https://globalnews.ca/news/4140898/legal-pot-data-banned-us-border/
• Krebs on security trade-offs with GDPR https://krebsonsecurity.com/2018/04/security-trade-offs-in-the-new-eu-privacy-law/
• Schneier on Russia banning the Telegram messaging app and millions of IP addresses in the process https://www.schneier.com/blog/archives/2018/04/russiaisbanni.html
• Iran also blocks Telegram http://www.bbc.com/news/technology-43907246
• NIST has updated the Security Content Automation Protocol (SCAP) a suite of specifications to promote standardization amongst automated vulnerability management, measurement, and policy compliance products Update: https://csrc.nist.gov/News/2018/NIST-Publishes-NISTIR-7511-Rev-5 and details: https://csrc.nist.gov/publications/detail/nistir/7511/rev-5/final
• EFF's Stupid patent of the month - search boxes https://www.eff.org/deeplinks/2018/04/stupid-patent-month-suggesting-reading-material
• Supreme Court says Patent Office can invalidate bad patents https://www.eff.org/deeplinks/2018/04/supreme-court-upholds-patent-office-power-invalidate-bad-patents
• The wierd phenomena of secondary DNA transfer played out in a murder case was due to contamination by paramedics https://www.wired.com/story/dna-transfer-framed-murder
• Police visit funeral parlor for fingerprint to unlock phone http://www.bbc.com/news/technology-43865109
• Minnesota case will shed light on police use of biometrics https://www.eff.org/deeplinks/2018/04/minnesota-supreme-court-ruling-will-help-shed-light-police-use-biometric

Privacy

• DNA and the Golden State Killer arrest

  • Arrest made in cold case from 70's and 80's using DNA and a genealogy web site https://www.theglobeandmail.com/world/article-genealogy-sites-used-to-find-dna-match-in-golden-state-killer-case/
  • Police used crime scene DNA to search for relatives using the GEDmatch genealogy website https://www.ctvnews.ca/world/use-of-dna-in-golden-state-killer-probe-sparks-privacy-concern-1.3904658 and https://gizmodo.com/what-the-golden-state-killer-case-reveals-about-your-ge-1825597821
  • More on familiar DNA matching http://www.cbc.ca/news/technology/dna-testing-genealogy-golden-state-killer-1.4638006
  • Only 12 states allow this kind of testing https://www.nbcnews.com/news/us-news/familial-dna-puts-elusive-killers-behind-bars-only-12-states-n869711

• More on Facebook and Cambridge

  • Cambridge University Ethics Committee rejected proposal by researhcer at core of Facebook/Cambridge Analytica scandal https://www.theguardian.com/technology/2018/apr/24/cambridge-university-rejected-facebook-study-over-deceptive-privacy-standards
  • Canadian "Delete Facebook" movement is strong https://www.ctvnews.ca/sci-tech/delete-facebook-movement-is-strong-in-canada-new-research-shows-1.3894830
  • EPIC is suing the FTC for Facebook's audits https://epic.org/2018/04/epic-sues-ftc-for-release-of-f.html
  • Partially released Facebook 2015-2017 Biennial Privacy Audit https://epic.org/2018/04/epic-obtains-partial-release-o.html
  • With questions unanswered, Zuckerberg may face formal UK summons http://www.bbc.com/news/uk-43906956
  • UK Information Commissioner says AggregateIQ not cooperating and may face legal action http://www.bbc.com/news/technology-43822185
• Has targeted advertising become so good that we are in an "uncanny valley"? https://www.eff.org/deeplinks/2018/04/were-uncanny-valley-targeted-advertising
• EFF on law enforcement cross-border data access under CLOUD act and proposed EU laws https://www.eff.org/deeplinks/2018/04/tale-two-poorly-designed-cross-border-data-access-regimes
• Egyptian bill would give authorities unfettered access to ride-sharing data https://www.eff.org/deeplinks/2018/04/stop-egypts-sweeping-ridesharing-surveillance-bill

Bugs / Design Flaws

• Prioritizing vulnerabilities https://blog.qualys.com/news/2018/04/19/the-sky-is-falling-responding-rationally-to-headline-vulnerabilities
• Princeton to launch ongoing investigation of all things IoT https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/
• Linkedin AutoFill Plugin enables 3rd party data theft https://thehackernews.com/2018/04/linkedin-account-hack.html
• Web-Ex vulnerable to remotely execute code bug in Flash https://www.theregister.co.uk/2018/04/19/ciscopatchwebex/
• A number of recent VMware escape bugs https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
• Bug in PDF standard allows malicious collection of NTLM hashes - no fix coming https://www.bleepingcomputer.com/news/security/pdf-files-can-be-abused-to-steal-windows-credentials/ only current option is to block Windows NTLM SSO authentication https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170014
• The RSA conference app is insecure (again)  https://www.theregister.co.uk/2018/04/20/rsasecurityconferenceinsecuremobile_app/
• ZTE Gigabit router had hard-coded root password https://www.theregister.co.uk/2018/04/26/hyperopticszterouters/
• Amzon Echo turned into an eavesdropper https://www.wired.com/story/amazon-echo-alexa-skill-spying
• Another hardware bug, this time in the CPU at the heart of the Nintendo Switch https://thehackernews.com/2018/04/nintendo-switch-linux-hack.html
• Vulnerability discovered in hotel locks http://www.bbc.com/news/technology-43896360
• Innsbruck shuts down ski lift after control panel exposed to Internet https://www.bleepingcomputer.com/news/security/ski-lift-in-austria-left-control-panel-open-on-the-internet/

Hacking / Malware / Cybercrime

• Scams, Phishing, and Tax season https://www.packetlabs.net/tax-scams-phishing-schemes/
• Blockchain comes to everyone, including malware https://www.darkreading.com/vulnerabilities--- threats/threat-actors-turn-to-blockchain-infrastructure-to-host-and-hide-malicious-activity/d/d-id/1331622
• Province of PEI's website hit by ransomware http://www.cbc.ca/news/canada/prince-edward-island/pei-government-web-site-outage-1.4631157
• The City of Atlanta spent $2.6M on ransomware cleanup https://www.databreachtoday.com/atlantas-ransomware-cleanup-costs-hit-26-million-a-10888
• DDoS for hire provider shut down https://krebsonsecurity.com/2018/04/ddos-for-hire-service-webstresser-dismantled/
• Global shipping firms under Business Email Compromise assault https://www.darkreading.com/attacks-breaches/golden-galleon-raids-maritime-shipping-firms/d/d-id/1331624
• Ben-Gurion University air-gap exfiltration team extracts keys from "cold wallets" https://arstechnica.com/information-technology/2018/04/new-hacks-siphon-private-cryptocurrency-keys-from-airgapped-wallets/
• Yahoo hacker gets 8 years https://www.theregister.co.uk/2018/04/19/yahooemailhackerkarimbaratov_sentence/
• Ether crypto-currency theft enabled by rerouting MyEtherWallet IPs and users ignoring browser warnings https://www.databreachtoday.com/cryptocurrency-heist-bgp-leak-masks-ether-theft-a-10898
• Dutch take down infamous revenge porn site http://www.bbc.com/news/technology-43907253

Other Security / Risk

• Troy Hunt on why real life analogies for cyber are just bad https://www.troyhunt.com/irl-analogies-to-explain-digital-concepts-are-terrible/
• In a trial run of a facial recognition system, authorities in New Delhi find 3000 missing children https://www.independent.co.uk/life-style/gadgets-and-tech/news/india-police-missing-children-facial-recognition-tech-trace-find-reunite-a8320406.html
• Clear - a proposal for lawful access https://www.wired.com/story/crypto-war-clear-encryption
• Lessons learn from watching network behavior of security professionals at a conference https://www.darkreading.com/threat-intelligence/at-rsac-soc-sees-user-behaviors/d/d-id/1331607
• ISO rejects two IoT Crypto algorithms proposed by the NSA https://www.schneier.com/blog/archives/2018/04/twonsaalgorit.html
• In the UK Lloyds Bank spins off of TSB and the TSB banking systems are screwed up in the process https://www.schneier.com/blog/archives/2018/04/tsbbankdisast.html
• The cost of "Security Debt" https://sector.ca/paying-the-price-for-security-debt/
• Apple is using anti-drone technology to track pilots https://www.marketwatch.com/story/apple-cracks-down-on-drone-pilot-who-shoots-epic-apple-campus-videos-2018-04-16
• Citizen Lab report on countries using Netsweeper to censor Internet content https://deibert.citizenlab.ca/2018/04/planet-netsweeper/ and https://citizenlab.ca/2018/04/planet-netsweeper/
• Fighting compiler optimization attacks https://www.lightbluetouchpaper.org/2018/04/24/what-you-get-is-what-you-c/
• Discussion and link to an article on a new biometric - ears https://www.schneier.com/blog/archives/2018/04/yetanotherbio.html
• Findland's experiment with basic income is failing http://www.bbc.com/news/world-europe-43866700
• Cyber-Buzzphrase BINGO https://www.darkreading.com/threat-intelligence/cybersecurity-buzz-phrase-bingo/d/d-id/1331615
• Codes in sports article https://www.fangraphs.com/blogs/the-rockies-believe-they-have-an-unbreakable-code/ and discussion https://www.schneier.com/blog/archives/2018/04/baseball_code.html

Off-Topic

• Canada researching Quantum Radar to unmask stealth http://www.bbc.com/news/technology-43877682
• Mars Sample Return mission is one small step closer http://www.bbc.com/news/science-environment-43907326
• Jupiter whacked regularly by asteroids https://www.universetoday.com/139045/asteroids-smack-jupiter-more-often-than-astronomers-thought/
• Measuring the magnetic field of Earth's oceans https://www.universetoday.com/139077/did-you-know-the-earth-has-a-second-magnetic-field-its-oceans/