Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news and opinion links on security and privacy related topics. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI FAQ on truncation updated to address 16-digit PAN and 8-digit BIN https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-are-acceptable-formats-for-truncation-of-primary-account-numbers
• 8-digit BINs will still create issues for some and potential risks for many https://controlgap.com/blog/pci-truncation-rules-clarified
• Last week's Visa Merchant Alert on Persistent eCommerce Malware is now up at https://usa.visa.com/dam/VCOM/global/support-legal/documents/payment-fraud-disruption-technical-analysis-ecommerce-malware-persist.pdf
• PCI Compliance and the Intel AMT Vulnerability https://controlgap.com/blog/pci-compliance-and-the-intel-amt-vulnerability/

Breaches

• More healthcare provider breaches https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/

Lawful Access / Back-doors / Regulations

• Review of updated cybersecurity executive order http://www.databreachtoday.com/assessing-latest-draft-cybersecurity-executive-order-a-9899 and it is signed http://www.darkreading.com/vulnerabilities--- threats/trump-issues-previously-delayed-cybersecurity-executive-order/d/d-id/1328860

Bugs

• Microsoft Anti-Malware bug https://krebsonsecurity.com/2017/05/emergency-fix-for-windows-anti-malware-flaw-leads-mays-patch-tuesday/
• There's a lot more this week on the Intel AMT Vulnerability including some must reads, see our summary at y https://controlgap.com/blog/pci-compliance-and-the-intel-amt-vulnerability/
• Cisco patches telnet (really telnet!?) bug exploited by CIA https://www.theregister.co.uk/2017/05/09/cisco_switches_patch_telnet_command/
• New IoT Botnet detected http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Privacy

• More IOT problems with rpivacy implications http://globalnews.ca/news/3434362/russian-site-streams-live-video-of-canadian-living-rooms-daycares/
• EFF says NHTSA Vehicle to Vehicle protocol has huge privacy risks https://www.eff.org/deeplinks/2017/05/danger-ahead-governments-plan-vehicle-vehicle-communication-threatens-privacy

Massive surge in ransom-ware attacks

• https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
• https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/
• https://www.lightbluetouchpaper.org/2017/05/13/bad-malware-worse-reporting/
• https://www.theregister.co.uk/2017/05/14/microsoft_to_spooks_wannacrypt_was_inevitable_quit_hoarding/
• http://www.bbc.co.uk/news/technology-39901382
• https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak
• http://www.databreachtoday.com/telefonica-nhs-hit-by-wannacry-ransomware-outbreak-a-9912
• http://www.darkreading.com/attacks-breaches/wannacry-rapidly-moving-ransomware-attack-spreads-to-74-countries/d/d-id/1328874
• http://www.darkreading.com/mobile/jaff-ransomware-family-emerges-in-force/d/d-id/1328867

Other Hacking / Malware

• Articles on attempts to disrupt the French election https://www.theregister.co.uk/2017/05/06/hackers_release_9gb_of_email_from_macron_two_days_before_french_presidential_election/, http://www.bbc.co.uk/news/blogs-trending-39845105 , and  http://www.databreachtoday.com/au-revoir-alleged-russian-fancy-bear-hackers-a-9903
• Related, Facebook releases paper on Information Operations (attacks) https://www.schneier.com/blog/archives/2017/05/facebooks_obser.html
• FCC DDoS attack http://www.csoonline.com/article/3195408/security/fcc-hit-with-ddos-attacks-after-john-oliver-takes-on-net-neutrality.html
• More Russian supply chain attack malware https://www.theregister.co.uk/2017/05/08/russian_rats_bite_handbrake_osx_download_mirror/
• Steal a phone then phish for more http://blog.trendmicro.com/trendlabs-security-intelligence/iphone-phishing-scam-physical-crime
• Hacker enabled insider trading http://www.darkreading.com/attacks-breaches/hackers-face-$89-million-fine-for-law-firm-breaches/d/d-id/1328840

Other Security / Risk

• Open Source Fuzzing goes large https://security.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
• Android apps listening in the ultrasonic https://www.schneier.com/blog/archives/2017/05/using_ultrasoni.html
• Article on some Free/Low cost security tools http://www.darkreading.com/vulnerabilities--- threats/10-free-or-low-cost-security-tools-/d/d-id/1328829
• Draft NIST standard set to overhaul password security https://pages.nist.gov/800-63-3/sp800-63b.html and article http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html
• Scams on stupidly designed voice recognition systems https://www.schneier.com/blog/archives/2017/05/stealing_voice_.html
• Essay on enabling secure development http://www.darkreading.com/application-security/what-developers-dont-know-about-security-can-hurt-you/a/d-id/1328824
• Essay on Securing Elections https://www.schneier.com/blog/archives/2017/05/securing_electi.html

Off-Topic

• X37b mini-shuttle returns from 718 day orbit https://www.universetoday.com/135444/air-forces-secret-x-37b-space-plane-lands-718-days-orbit/