Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• EFF calls on Stripe and Paypal to publish transparency reports https://www.eff.org/deeplinks/2018/05/its-time-payment-processors-stripe-and-paypal-start-publishing-transparency
• Schneier comments on Ross Anderson paper on regulating Bitcoin and why some exchanges aren’t transacting https://www.schneier.com/blog/archives/2018/06/regulating_bitc.html

Breaches / Leaks

• PageUP, a job application platform, may have suffered a breach https://www.bbc.com/news/technology-44382237
• Fitness app PumpUp leaves customer data on insecure AWS S3 server https://www.databreachtoday.com/another-fitness-app-exposes-users-data-a-11055
• MyHeritage DNA leaks email addresses and hashed passwords of 92M users https://krebsonsecurity.com/2018/06/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/
• Honda’s two insecure AWS S3 buckets, and Agilisium (a contractor for Universal Music Group) left keys, passwords, and other credentials in an Apache Airflow server (insecure by default) https://threatpost.com/honda-universal-music-group-expose-sensitive-data-in-misconfig-blunders/132451/
• Transamerica hacked for 45K sensitive customer records https://www.theregister.co.uk/2018/06/05/transamericaretirementplan_hack/

Laws & Regulations / Standards

• NIST has published Special Publication 800-125A Revision 1, Security Recommendations for Server-based Hypervisor Platforms. Update: https://csrc.nist.gov/News/2018/NIST-Publishes-SP-800-125A-Rev-1 and detail https://csrc.nist.gov/publications/detail/sp/800-125A/rev-1/final

Privacy

• Newmarket, Ontario has deployed Soofa benches that collects information on nearby devices https://www.thestar.com/news/gta/2018/06/05/soofa-benches-collecting-data-from-cellphones-in-downtown-newmarket.html
• Amazon and eBay pull smart toys from sale - http://www.bbc.co.uk/news/technology-44382135
• Fakebook’s secret arrangement to share personal data with device makers and ignore user privacy settings https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html, https://epic.org/2018/06/facebook-overrode-users-privac.html, and http://www.bbc.com/news/technology-44355560
• Apple to stop Facebook tracking on new iOS 12 https://www.theguardian.com/technology/live/2018/jun/04/apple-wwdc-2018-keynote-ios-12-iphone-update-macbook-macos-1014-tim-cook-siri-live
• Some privacy settings you should be considering https://www.washingtonpost.com/news/the-switch/wp/2018/06/01/hands-off-my-data-15-default-privacy-settings-you-should-change-right-now/

Bugs / Design Flaws

• Unpatched Vulnerabilities Will Likely Cause Your Next Breach https://www.infosecurity-magazine.com/opinions/unpatched-vulnerabilities-cause/
• More firmware vulnerabilities, this time in Supermicor servers https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/
• US government is looking into vulnerabilities in aircraft systems as some researchers believe a hack is inevitable https://motherboard.vice.com/en_us/article/d3kwzx/documents-us-government-hacking-planes-dhs
• Electronic Charting system for shipping can be hacked to spoof positions and sizes of ships http://www.bbc.co.uk/news/technology-44397872
• Products using older versions of 7-zip are vulnerable to exploits, F-Secure is the latest to fix this https://www.bleepingcomputer.com/news/security/f-secure-fixes-serious-vulnerability-in-antivirus-products/
• ISP Frontier's customer support website allowed password resets on arbitrary users https://www.neowin.net/news/frontiers-website-allowed-anyone-to-reset-a-users-password
• Progress on securing PGP and S/MIME with mail clients vulnerable to EFAIL https://www.eff.org/deeplinks/2018/05/how-turn-pgp-back-safely-possible
• Schneier article on EFAIL, what’s safe and what’s not https://www.schneier.com/blog/archives/2018/06/e-mail_vulnerab.html

Hacking / Malware / Cybercrime

• Think that shoulder-surfing passwords is hard, think again https://www.theglobeandmail.com/business/technology/article-think-youre-protecting-your-smartphone-password-think-again/
• Botnet authors are about as bad at security as their victims - root/root - https://www.bleepingcomputer.com/news/security/botnet-authors-don-t-learn-anything-from-victims-and-secure-databases-with-root-root/
• IoT refrigerator used to attack businesses ttps://www.businessinsider.in/For-The-First-Time-Hackers-Have-Used-A-Refrigerator-To-Attack-Businesses/articleshow/28909337.cms
• John Kelly's phone was hacked https://boingboing.net/2018/06/08/john-kelly-phone-hacked.html
• China hacked into a US military contractor and stole 614GB of sensitive submarine warfare related information https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html
• Bank network crashed in order to provide a distraction for a SWIFT attack https://www.bleepingcomputer.com/news/security/hackers-crashed-a-bank-s-computers-while-attempting-a-swift-hack/
• The man that found the WannaCry[pt] kill switch is facing more charges for writing malware https://www.bangkokpost.com/news/world/1480053/wannacry-hero-hit-with-malware-charges

Other Security / Risk

• Trending upward, “Newsjacking” based phishing https://www.databreachtoday.com/rsa-fraud-report-newsjacking-based-phishing-on-rise-a-11058
• RSA Quarterly fraud report https://www.rsa.com/content/dam/en/report/rsa-fraud-report-q1-2018.pdf
• Microsoft's Red Team didn't exist five years ago - look what they're up to  https://www.wired.com/story/microsoft-windows-red-team
• Microsoft sunk a data center under the North Sea as an experiment to save on cooling and more https://www.bbc.com/news/technology-44368813
• Problems with passwords and social engineering risks https://www.theverge.com/2018/6/6/17430694/google-mark-risher-gmail-spam-passwords-converge-podcast
• Examples of NSA Security awareness posters from the past https://www.bbc.com/news/world-us-canada-44369361
• Another DCMA abuse https://www.eff.org/takedowns/critic-uses-dmca-avoid-criticism

Off-Topic

• Interesting carbon neutral technology, sucks CO2 from the air to make fuels http://www.cbc.ca/news/canada/british-columbia/b-c-company-says-it-is-sucking-carbon-from-air-making-fuel-1.4696817
• Single occupant flying car http://money.cnn.com/2018/06/06/technology/flying-car-las-vegas-kitty-hawk/index.html
• Asteroid 2018 LA explodes over Botswana hours after discovery http://www.skyandtelescope.com/astronomy-news/asteroid-2018-la-explodes-south-africa/