This Week’s [in]Security – Issue 58
07 May 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- New PCI resources - an infographic on secure remote access https://blog.pcisecuritystandards.org/infographic-secure-remote-access and video on strong passwords https://blog.pcisecuritystandards.org/video-strong-passwords
Breaches / Leaks
- Australia's Commonwealth Bank lost tapes containing 20M accounts http://www.bbc.co.uk/news/business-43985233
- Krebs finds Uber employees sharing passwords and sensitive data publicly using Trello https://krebsonsecurity.com/2018/05/when-your-employees-post-passwords-online/
- Twitter tells 330 million users to change their passwords after it discovered internal logs containing plain-text passwords http://www.bbc.co.uk/news/business-43995168 and https://krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/
Laws & Regulations / Standards
- Michael Geist on US using Piracy Watch List to exert pressure on NAFTA negotiations http://www.michaelgeist.ca/2018/04/neverenoughustr/
- EFF calls out credibility of USTR intellectual property special “301” report https://www.eff.org/deeplinks/2018/04/us-ip-policy-spins-out-control-2018-special-301-report
- NIST calls for lightweight crypto https://www.schneier.com/blog/archives/2018/05/nistissuescal.html
Privacy
- More fallout from the Facebook / Cambridge Analytica scandal:
  - Cambridge Analytica and parent SCL Elections are no longer viable and will shut down http://www.bbc.com/news/business-43983958
  - Will Cambridge Analytica live again as Firecrest Technologies or Emerdata? http://www.bbc.com/news/technology-43989046
  - UK MPs may issue a summons to Zuckerberg https://www.theguardian.com/technology/2018/may/01/mps-threaten-facebook-chief-zuckerberg-with-summons-over-data
  - 25K Facebook apps have access similar to the Cambridge Analytica-linked app https://threatpost.com/tens-of-thousands-of-malicious-apps-using-facebook-apis/131566/
  - Twitter sold data to Global Science Research, a firm linked to Cambridge Analytica https://threatpost.com/twitter-sold-data-to-cambridge-analytica-linked-company/131525/
- Michael Geist speaks with Facebook’s Deputy Chief Privacy Officer about Canadian privacy law http://www.michaelgeist.ca/2018/05/facebookhardquestions/
Bugs / Design Flaws
- Meltdown/Spectre updates:
  - Microsoft’s Windows 10 Meltdown patch had a flaw worse than the original bug https://www.bleepingcomputer.com/news/security/researcher-finds-a-way-to-bypass-meltdown-patches-on-windows-10/
  - 8 more bugs in the pipeline (pun intended), including a bigger, badder variant https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html
- Another gigabit home fiber router (GPON) with severe security vulnerabilities https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/
- Volkswagen cars can be remotely hacked via the IVI (in-vehicle infotainment) system https://threatpost.com/volkswagen-cars-open-to-remote-hacking-researchers-warn/131571/
Hacking / Malware / Cybercrime
- Man jailed after attempting to hack friend out of prison https://thehackernews.com/2018/04/jail-network-hacking.html
- DDoS attacks drop 60% in Europe after takedown of DDoS for hire https://www.bleepingcomputer.com/news/security/ddos-attacks-go-down-60-percent-across-europe-following-webstressers-takedown/
- Fancy Bear (APT28) strikes again backdooring LoJack software https://www.bleepingcomputer.com/news/security/apt28-hackers-caught-hijacking-legitimate-lojack-software/
- Allegations surface of a Facebook engineer using work access to stalk women https://motherboard.vice.com/en_us/article/kzxdny/facebook-investigating-employee-stalking-women-online, leading to the engineer’s firing http://www.bbc.co.uk/news/technology-43988736
- Analysis of North Korea’s anti-virus solution shows it contains old Trend Micro code, bad crypto, and some oddities like whitelisted malware https://www.theregister.co.uk/2018/05/02/northkoreasilivaccineavsoftware_analysis/
Other Security / Risk
- 86% fail - Troy Hunt releases some statistics on bad and previously breached passwords https://www.troyhunt.com/86-of-passwords-are-terrible-and-other-statistics/
- Amazon and Google have closed the “Domain Fronting” hole used by cybercriminals and by apps like Telegram and Signal https://www.databreachtoday.com/amazon-google-block-trick-that-let-encrypted-chats-flow-a-10954, which spurred Russia and Iran to block large IP blocks in their shutdown efforts http://www.wired.co.uk/article/telegram-in-russia-blocked-web-app-ban-facebook-twitter-google
- Kaspersky survey shows Americans and Canadians are stressed about breaches https://www.pymnts.com/news/security-and-risk/2018/kaspersky-consumer-data-identity-theft/
- LogMeIn survey shows users are aware of, yet ignore, the risks of reusing passwords https://www.darkreading.com/informationweek-home/password-reuse-abounds-new-survey-shows/d/d-id/1331689
- Opinion: dealing with GDPR means getting ahead of data before it comes to rest https://www.darkreading.com/endpoint/gdpr-requirements-prompt-new-approach-to-protecting-data-in-motion/a/d-id/1331655
- ARM releases a tamper-resistant chip https://www.theregister.co.uk/2018/05/02/handsoffarmpitchestamperresistantm35pchips/
- Another issue of Bulletproof TLS is out, covering mandatory certificate transparency, deprecating certificates for older protocols, some key generation issues in OpenSSL and Bouncy Castle, and problems with Java keystores https://www.feistyduck.com/bulletproof-tls-newsletter/issue40certificatetransparencyloggingisnow_mandatory.html
- LC4 - another high security pen and paper cipher https://www.schneier.com/blog/archives/2018/05/lc4anotherpen.html
- Microsoft releases 900+ page Windows Command Reference https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-a-windows-command-reference-for-over-250-console-commands/
- Malware researchers stumble upon an odd obfuscation technique using multiple rounds of base64 encoding that leaves a tell-tale clue for defenders, "Vm0wd2QyUXl...", https://www.imperva.com/blog/2018/04/the-catch-22-of-base64-attacker-dilemma-from-a-defender-point-of-view/
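The fixed-point behaviour behind that "Vm0wd2QyUXl" clue, as an added example (not code from the Imperva post): iterated base64 converges to a fixed prefix regardless of the payload, so a defender can flag such tokens in logs and peel the layers back off. The function names, regexes and sample log lines below are constructed for this illustration.

```python
import base64
import binascii
import re

# Base64 has a fixed point (base64("Vm0") == "Vm0w", base64("wd2") == "d2Qy", ...):
# a string beginning "Vm0wd2QyUXl" encodes to one with the same start, and every
# re-encoding round pins more leading characters to it. That is the tell-tale clue.
NESTED_B64_PREFIX = "Vm0wd2QyUXl"  # the value quoted in the write-up
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
B64_TEXT_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")

def encode_rounds(payload: bytes, rounds: int) -> str:
    """Base64-encode `payload` `rounds` times, as the obfuscator does."""
    data = payload
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data.decode("ascii")

def peel_base64(blob: str, max_rounds: int = 64):
    """Strip nested base64 layers; returns (layers_removed, innermost_bytes).
    Stops when a layer fails strict decoding or no longer decodes to base64
    text (a payload of exactly 4 or 8 alphabet characters would be ambiguous)."""
    data = blob.encode("ascii")
    layers = 0
    while layers < max_rounds:
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
        if len(data) % 4 or not B64_TEXT_RE.fullmatch(data):
            break  # reached the real payload
    return layers, data

def flag_nested_base64(log_lines):
    """Return (line_no, layers, decoded_payload) for each base64-looking token
    in the log lines that carries the fixed-point prefix."""
    hits = []
    for no, line in enumerate(log_lines, start=1):
        for tok in TOKEN_RE.findall(line):
            if tok.startswith(NESTED_B64_PREFIX):
                layers, payload = peel_base64(tok)
                hits.append((no, layers, payload.decode("latin-1")))
    return hits

# Constructed sample log: a 20-round blob beside an ordinary single-layer parameter.
SAMPLE_LOG = [
    "2018-05-03T10:12:07Z proxy GET /index.php?q=" + encode_rounds(b"echo constructed payload", 20),
    "2018-05-03T10:12:09Z proxy GET /index.php?q=" + base64.b64encode(b"single layer, constructed").decode(),
]
```

By the alphabet-narrowing argument in the comments, the first eleven characters are pinned to the prefix from the 17th round at the latest, so `flag_nested_base64(SAMPLE_LOG)` reports only the first line.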
Off-Topic
- Stephen Hawking's final contribution suggests the existence of the multiverse is testable via cosmic background radiation http://www.bbc.co.uk/news/science-environment-43976977
- Studying anti-hydrogen to find out why the Universe is unbalanced and if anti-matter falls up https://www.cnn.com/2018/05/03/opinions/alpha-cern-antihydrogen-opinion-lincoln/index.html
- A long time ago in a galaxy far, far away - about 40M light years - a star survived the supernova explosion of its companion https://www.universetoday.com/139135/for-the-first-time-astronomers-have-found-a-star-that-survived-its-companion-exploding-as-supernova/
- Restoration of a 2-millennium-old landmark helped by Intel Falcon drones https://www.pcmag.com/news/360851/intel-falcon-drones-to-help-restore-great-wall-of-china