This Week’s [in]Security – Issue 61
30 May 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- PCI Infographic on strong passwords https://blog.pcisecuritystandards.org/infographic-strong-passwords
- Lots new last month on Visa news https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html
- Mainframe PCI compliance Q&A with our own consultant https://www.linkedin.com/pulse/pci-compliance-mainframe-qa-david-gamey-control-gap-ray-overby/
- Q&As with PCI Community Meeting speakers https://blog.pcisecuritystandards.org/qa-with-community-meeting-speaker-swati-sharma and https://blog.pcisecuritystandards.org/qa-with-community-meeting-speakers-sajal-islam-and-david-mcgregor
Breaches / Leaks
The last of the pre-GDPR breaches
- 10K Records of Child Data Leaked Amidst TeenSafe Server Exposure https://www.cbronline.com/news/teensafe-child-dataleak
- Greenwich University fined £120,000 for a data breach of 19K students' data held in a shadow IT system http://www.bbc.com/news/technology-44197118
- Discussion of breach costs and the discrepancies between the Verizon and Ponemon reports https://techbeacon.com/data-breach-cost-estimates-get-it-wrong-what-you-need-know
Laws & Regulations / Standards
GDPR is live!
- GDPR went live on Friday https://www.databreachtoday.com/europes-strong-gdpr-privacy-rules-go-into-full-effect-a-11035
- The catch-22 of GDPR consent emails and Privacy and Electronic Communications Regulations https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts
- Privacy advocate takes on tech giants with GDPR lawsuits https://www.irishtimes.com/business/technology/max-schrems-launches-first-legal-cases-under-gdpr-1.3508177
- Some companies are blocking all European connections over GDPR compliance concerns; the problem is that this is misguided https://www.bloombergquint.com/business/2018/05/25/blocking-500-million-users-is-easier-than-complying-with-gdpr
- When and where will the first enforcement actions land? https://www.darkreading.com/risk/compliance/gdpr-oddsmakers-who-where-when-will-enforcement-hit-first-/d/d-id/1331898
- The EU Network and Information Systems directive on critical infrastructure carries fines for utilities and others https://www.theregister.co.uk/2018/05/22/gdprpuhthatssolastseasontrynewcybersecurityregulationshearshouseoflords/
- New Michigan Law Makes Possession of Ransomware (with intent) Illegal https://www.bleepingcomputer.com/news/security/new-michigan-law-makes-possession-of-ransomware-illegal/
- FBI admits it exaggerated the number of phones it couldn't get into https://www.eff.org/deeplinks/2018/05/fbi-admits-it-inflated-number-supposedly-unhackable-devices and https://www.wired.com/story/significant-fbi-error-reignites-data-encryption-debate
- In a case aimed at President Trump, a NY district court rules that public figures who use social media can't block users https://www.eff.org/press/releases/victory-first-amendment-court-rules-government-officials-who-tweet-public-cant-block
- Michael Geist has started another series of articles on copyright, education, and fair dealing http://www.michaelgeist.ca/2018/05/copyrightfairdealingeducationpartone/, http://www.michaelgeist.ca/2018/05/canadian-copyright-fair-dealing-and-education-part-two-the-declining-value-of-the-access-copyright-licence/, http://www.michaelgeist.ca/2018/05/copyrightfairdealingeducationpartthree/, http://www.michaelgeist.ca/2018/05/canadian-copyright-fair-dealing-and-education-part-four-fixing-fair-dealing-for-the-digital-age/
Privacy
- Recall the fitness tracker leaks that exposed military bases; now your pet's tracker is leaking too https://www.darkreading.com/endpoint/pet-tracker-flaws-expose-pets-and-their-owners-to-cybercrime/d/d-id/1331866
- There is a debate over Amazon selling facial recognition services to police versus, say, companies or criminals https://www.nytimes.com/2018/05/22/technology/amazon-facial-recognition.html
- Krebs has two articles about cell phone user data and privacy covering both policy issues and a recent spate of leaking bugs https://krebsonsecurity.com/2018/05/why-is-your-location-data-no-longer-private/ and https://krebsonsecurity.com/2018/05/mobile-giants-please-dont-share-the-where/
Bugs / Design Flaws
- More Meltdown/Spectre-class bugs: Speculative Store Bypass (variant 4) https://www.wired.com/story/speculative-store-bypass-spectre-meltdown-vulnerability
- More Meltdown/Spectre bug disclosures coming as researchers hunt them down https://www.schneier.com/blog/archives/2018/05/another_spectre.html
- Without Permission Amazon Alexa Recorded and Sent Conversation to a Random Contact https://www.bleepingcomputer.com/news/technology/amazon-alexa-recorded-a-conversation-and-sent-it-to-a-contact-without-permission/
- Remote code execution bugs in Dell/EMC RecoverPoint https://www.theregister.co.uk/2018/05/21/dellemcrecoverpoint_flaws/
- E-mail suffers from some bad design flaws that aren't being fixed https://www.theatlantic.com/technology/archive/2018/05/email-is-dangerous/560780/
- Just to reiterate, the recent EFAIL vulnerability was in the email clients, not in PGP or S/MIME https://www.theregister.co.uk/2018/05/25/pgpisnotbrokensays_inventor/
Hacking / Malware / Cybercrime
- FBI seizes control of the domain controlling the 500K-router VPNFilter botnet https://www.databreachtoday.com/fbi-seizes-domain-controlling-500000-compromised-routers-a-11030
- Analysis of the VPNFilter malware https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 14 felony counts for a California high schooler for phishing teachers and changing grades https://gizmodo.com/california-high-schooler-changes-grades-after-phishing-1825996373
- A routine power outage warning in Florida included a zombie alert; the city apologizes and is investigating whether it was hacked https://globalnews.ca/news/4223536/florida-city-fake-alert-extreme-zombie-activity/
- Extracting SSH Private Keys from Windows 10 ssh-agent https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
- 3 Charged In Fatal Kansas ‘Swatting’ Attack https://krebsonsecurity.com/2018/05/3-charged-in-fatal-kansas-swatting-attack/
Other Security / Risk
- A sad reminder that the hot weather is with us again when too many children and pets are left in vehicles to die http://torontosun.com/news/local-news/baby-dies-in-suv
- Another reminder of the limitations of Tesla's Auto-Pilot: the system is not designed to avoid a collision https://www.theguardian.com/technology/2018/may/24/tesla-that-crashed-in-autopilot-mode-sped-up-before-hitting-truck-police
- Mitre has updated the ATT&CK Navigator tool (v2) https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/just-released-version-2-of-the-attck%E2%84%A2
- Steganography that transcends media using FontCode https://www.wired.com/story/fontcode-invisible-messages-steganography
- Lie detection through mouse movements https://www.schneier.com/blog/archives/2018/05/detectinglies.html
- There's a new VPN called VPNhub and you may be surprised who's behind it https://thehackernews.com/2018/05/free-vpn-pornhub.html
- The security firm Keeper sues news reporter over vulnerability story https://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/
- Shining some light on Japan’s NSA counterpart https://www.schneier.com/blog/archives/2018/05/japans_director.html
- Another stupid patent of the month, this one from Facebook and their dating service https://www.eff.org/deeplinks/2018/05/stupid-patent-month-facebook-joins-arms-race-social-dating-patent
Off-Topic
- A weird retrograde asteroid in a stable orbit resonating with Jupiter could be interstellar, or ancient and local http://www.syfy.com/syfywire/so-about-that-interstellar-asteroid-announced-yesterday
- We may be headed into another short-term solar minimum, with fewer sunspots and cooler temperatures ahead https://www.universetoday.com/139189/are-we-headed-towards-another-deep-solar-minimum/