Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news and opinion links on security and privacy related topics. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Trend to attack gift card systems http://www.csoonline.com/article/3193996/security/criminals-turning-to-fraudulent-gift-cards.htm
• New eCommerce malware persistence method uses database triggers to stay alive. Visa emailed an alert this week that should show up on the Merchant Bulletin list  https://usa.visa.com/support/merchant/library.html. Another article on this http://gwillem.gitlab.io/2017/02/14/triggered-malware/
• Proof that simple SMS based 2FA is a bad idea, SS7 bugs being exploited in Europe to drain bank accounts https://www.theregister.co.uk/2017/05/03/hackersfireupss7flaw/
• Microsoft catches malware targeting payment companies injected injected into editing software update process https://www.theregister.co.uk/2017/05/05/malwareattackingpayment_systems/
• Security Guards to protect Dutch ATMs from explosives http://www.bbc.co.uk/news/world-europe-39790786

Breaches

• FBI breach summary $5B http://www.darkreading.com/attacks-breaches/fbi-business--and-email-account-compromise-attack-losses-hit-$5-billion/d/d-id/1328812
• Sabre Corp hospitality systems breached https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/
• Alliance Direct Lending exposes customer data through insecure  AWS S3 bucket http://www.databreachtoday.com/california-auto-loan-firm-spills-customer-data-a-9874
• VoIP credentials breach affects multiple vendors https://www.theregister.co.uk/2017/05/03/sangomafreepbxbreach/
• Indian Government leaks 130M "Aadhaar" records https://www.theregister.co.uk/2017/05/03/135millionaadhaarindiangovernmentpaymentcarddetailsleaked/

Lawful Access / Back-doors / Regulations

• Schneier on who may be behind the NSA and CIA leaks https://www.schneier.com/blog/archives/2017/05/whoispublishi.html
• Congress looking to modernize IT http://www.databreachtoday.com/legislation-to-modernize-federal-reintroduced-in-congress-a-9872
• NSA curtailing some data collection http://www.csoonline.com/article/3193467/security/nsa-ends-surveillance-tactic-that-pulled-in-citizens-emails-texts.html
• Use of proprietary algorithms in sentencing decisions https://www.nytimes.com/2017/05/01/us/politics/sent-to-prison-by-a-software-programs-secret-algorithms.html
• In Florida, smartphone PINs are not protected by the 5th Amendment https://www.theregister.co.uk/2017/05/03/floridapasscodeunlockphonecops/ 

Bugs

• This one is going to hurt - Intel vPro Chip Remote Code Execution Vulnerability https://www.theregister.co.uk/2017/05/01/intelamtme_vulnerability/ and http://www.databreachtoday.com/intel-alert-critical-security-flaw-affects-many-chipsets-a-9877 and http://www.darkreading.com/endpoint/intel-patches-critical-elevation-privilege-bug-in-high-end-chips/d/d-id/1328783 - Vulnerability guide https://communities.intel.com/docs/DOC-5693 and Mitigation guide https://downloadcenter.intel.com/download/26754 also https://mattermedia.com/blog/disabling-intel-amt/
• A new attack vector found in Outlook forms https://www.theregister.co.uk/2017/05/02/microsoftvbmacro_cracked/
• It's not just IoT, industrial robots are hackable http://www.darkreading.com/vulnerabilities--- threats/researchers-hack-industrial-robot-/d/d-id/1328790
• And Pacemakers too https://www.schneier.com/blog/archives/2017/05/securityofst_.html 

Privacy

• Will advances in neuro-technology require changes of human rights?  https://www.sciencedaily.com/releases/2017/04/170426121759.htm
• EFF on the LImitation of ISP Data Pollution Tools in protecting Privacy https://www.eff.org/deeplinks/2017/05/limitations-isp-data-pollution-tools
• EFF on US Internet privacy https://www.eff.org/deeplinks/2017/05/congress-repealing-our-internet-privacy-rights-meant-congress-repealed-internet

Hacking / Malware

• Criminals post TV shows after NetFlix refused extortion http://www.darkreading.com/endpoint/hackers-steal-and-post-unreleased-episodes-of-netflixs-orange-is-the-new-black/d/d-id/1328773
• IBM ships malware infected Storwize initialization USB sticks http://www.databreachtoday.com/ibm-shipped-malware-infected-flash-drives-to-customers-a-9878
• Hacking security by obscurity https://www.theregister.co.uk/2017/05/02/whibox_challenge/
• Electronic parking ticket phishing scam http://www.winnipegsun.com/2017/05/03/parking-ticket-scam-surfaces

Other Security / Risk

• Dan Greer on National CyberSecurity http://www.csoonline.com/article/3193445/security/dan-geer-cybersecurity-is-paramount-national-security-risk.html
• Varonis 2017 Data Risk Report https://www.varonis.com/learn/data-risk-report-2017/ and review http://www.csoonline.com/article/3193450/data-protection/report-bad-policies-and-practices-put-data-at-risk-infographic.html
• Thales 2017 Data Threat Report https://dtr-gov.thalesesecurity.com/
• Lessons learned from a UDP DDoS honeypot https://www.lightbluetouchpaper.org/2017/05/02/1000-days-of-ddos-attacks/
• On the state of security automation http://www.csoonline.com/article/3193035/security/security-automation-is-maturing-but-many-firms-not-ready-for-adoption.html
• Seeing through the forest of Security Accreditations http://www.csoonline.com/article/3193097/it-careers/making-sense-of-cybersecurity-qualifications.html
• Observations on International Password Day http://www.darkreading.com/endpoint/authentication/striving-for-improvement-on-world-password-day/d/d-id/1328789
• Good article on the Responder tool and the risks of using NBT-NS and LLMNR https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
• EFF's "Stupid Patent of the Month" where by Uber and Lyft are infringing https://www.eff.org/deeplinks/2017/04/stupid-patents-month-taxi-dispatch-tech

Off-Topic

• Lego Saturn-V https://www.universetoday.com/135301/lego-apollo-saturn-v-tallest-lego-ideas-set-ever-made/
• Paraprosdokians (humourous figures of speech) https://www.englishforums.com/content/humour/paraprosdokians.htm
• Starbucks Gets Sued For Unicorn Drink http://www.delish.com/food-news/news/a52939/starbucks-unicorn-frappuccino-lawsuit/