Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI contactless payments on COTS https://blog.pcisecuritystandards.org/contactless-payments-pci-ssc-on-plans-to-develop-security-standard-for-payment-acceptance-on-merchant-cots-devices
• Islington Council, London, UK collected PAN and security values by email Word form for parking spots failing PCI DSS https://www.bbc.com/news/technology-44548481

Breaches / Leaks

• Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records https://www.wired.com/story/exactis-database-leak-340-million-records
• TicketMaster UK breach in Inbenta chat bot software https://www.theregister.co.uk/2018/06/27/ticketmastersupportbot_hack/
• French hotel booking software provider, FastBooking was breached affecting hundreds of hotels including payment data https://www.bleepingcomputer.com/news/security/hundreds-of-hotels-affected-by-data-breach-at-hotel-booking-software-provider/
• Facebook quiz web app leaks data on 120M people http://www.theregister.co.uk/2018/06/28/facebookdataabusebugbounty/

Laws & Regulations / Standards

• Calofornia Privacy Act https://epic.org/2018/06/california-passes-milestone-pr.html
• Wi-Fi Alliance uwraps WPA3 protocol https://www.theregister.co.uk/2018/06/26/wpa3wirelesssecurity_revamp/
• Supreme Court – 4th amendment applies to cell phone tracking https://www.eff.org/deeplinks/2018/06/victory-supreme-court-says-fourth-amendment-applies-cell-phone-tracking
• IEEE supports strong encryption over backdoors https://www.schneier.com/blog/archives/2018/06/ieeestatement\.html
• Bulletproof TLS #42 is out and TLS 1.3 has some weird features https://www.feistyduck.com/bulletproof-tls-newsletter/issue42doestlshavetochangeconstantlytomakeitfutureproof.html
• 17 of 28 EU governments require domestic telecommunications firms to store all communications data https://www.databreachtoday.com/eu-mass-surveillance-alive-well-privacy-groups-warn-a-11137
• EFF sues to invalidate the FOSTA censorship law https://www.eff.org/deeplinks/2018/06/eff-sues-invalidate-fosta-unconstitutional-internet-censorship-law
• Woman accidently crosses unmarked US border from BC and is detained 2 weeks https://www.cbc.ca/news/canada/british-columbia/jogger-who-accidentally-crossed-u-s-border-from-b-c-detained-for-2-weeks-1.4717060
• US customs treatment of accidental crossings is not unheard of, recalling a 2008 case of a near drowning washing up on the US side of the Niagara river https://www.thestar.com/news/gta/2008/08/25/accidentaltouristslandinhotwaterat_border.html

Privacy

• Reporter downloads and examines the over 300MB of their facebook data – “it was a nightmare” https://www.bbc.co.uk/bbcthree/article/93d1393a-1c12-485f-b7fe-5146cd48c12c
• Austrailian medical booking platform HealthEngine in controversy over sharing data with personal injury lawyer https://www.databreachtoday.com/australias-healthengine-caught-in-data-sharing-fiasco-a-11134
• Report on manipulative social media practices https://www.schneier.com/blog/archives/2018/06/manipulative_so.html

Bugs / Design Flaws

• Rhode Island woman’s selfie shows up on stranger’s phone due to possible iPhone glitch https://globalnews.ca/news/4293086/iphone-glitch-selfie-strangers-phone-rhode-island/
• Swann’s security camera app has been sending video to the wrong person’s app https://www.bbc.com/news/technology-44628399
• Every Android Device Since 2012 Impacted by a new RowHammer variant called RAMpage Vulnerability https://www.bleepingcomputer.com/news/security/every-android-device-since-2012-impacted-by-rampage-vulnerability/
• Fake bug - iOS password brute force all-at-once FAIL and a discussion https://www.schneier.com/blog/archives/2018/06/bypassing_passc.html

Hacking / Malware / Cybercrime

• How government-exclusive spyware is used to surveil civil society in Mexico https://citizenlab.ca/2018/06/government-spyware-surveillance-mexico/
• Feds ran a bitcoin-laundering sting for over a year https://www.theverge.com/2018/6/27/17509444/dark-web-drug-market-money-laundering-hsi-dark-gold
• Winnipeg mattress store hit with ransomware and pays https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

Other Security / Risk

• Stake out your territory to deter fraud https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/
• Research into secure speculative execution https://www.schneier.com/blog/archives/2018/06/secure_speculat.html
• Mozilla and 1Password are integrating with Have I Been Pwned https://www.databreachtoday.com/mozilla-1password-integrate-have-i-been-pwned-feature-a-11136
• EFF’s STARTTLS Everywhere and observations on the poor stated of email security, STARTTLS, not validating certificates, unsecured hops and more https://www.eff.org/deeplinks/2018/06/technical-deep-dive-starttls-everywhere
• Troy Hunt webinars on making HTTPS easy https://www.troyhunt.com/https-is-easy/
• Study finds 65% of second-hand memory cards have residual personal data https://www.darkreading.com/mobile/65--of-resold-memory-cards-still-pack-personal-data/d/d-id/1332179
• The impact of Iran’s ban on Telegram https://www.schneier.com/blog/archives/2018/06/theeffectsof_4.html
• Autonomous cars may prove a financial threat to cities https://www.wired.com/story/autonomous-vehicles-might-drive-cities-to-financial-ruin/

Off-Topic

• Quebec based open air observatory enhanced with augmented reality headsets http://www.observetoiles.com/en
• Found: Universe’s missing normal matter https://www.universetoday.com/139519/the-universes-missing-matter-found/
• Analysis of the orbit of Oumuamua, the interstellar visitor discovered last year, shows it is likely a comet not an asteroid https://www.cbc.ca/news/technology/interstellar-visitor-oumuamua-1.4724749
• Finally proof that there are problems solvable only by quantum computers – caution P, NP, PH, and BQP complexity ahead - https://www.quantamagazine.org/finally-a-problem-that-only-quantum-computers-will-ever-be-able-to-solve-20180621/