Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

LinuxSecurity.com Feature Extras:

- Social engineering is the practice of obtaining valuable information by exploiting human weaknesses rather than technical flaws. It is an art of deception that penetration testers consider vital when too little information about the target is available to exploit directly.

- When you are dealing with a security incident, it is essential that you and the rest of your team not only have the skills to deal with the issue comprehensively, but also have a framework to support you as you approach it. Such a framework lets the team focus purely on what needs to be done, following a process that addresses vulnerabilities and threats properly, so that everyone who depends on the software you protect can be confident it is secure and functioning correctly.


Saks, Lord & Taylor Payment Card Breach Affects 5 Million (Apr 3)

Luxury department store behemoth Saks Fifth Avenue and its sister stores Saks OFF 5TH and Lord & Taylor have become the latest retail victims of a data breach. The incident impacts 5 million payment cards used at stores in North America from May 2017 to March 2018.

Facebook Expands Bug Bounty Amid Spiraling Privacy Scandal (Apr 3)

Amid a data privacy scandal that has blown up worldwide, Facebook has decided to make a few changes to "review developers' actions for evidence of misuse, implement additional measures to protect data, and give people more control of their information."

(Apr 2)

A new report says that ransomware attacks are the new normal for IT and that, for the most part, the attacks come from criminals in the same country as the victim. There are many more numbers to chew on in the report, but the sheer enormity of the problem may be its most surprising finding.

GoScanSSH Malware Avoids US Military, South Korea Targets (Apr 3)

A new strain of malware that targets vulnerable Linux-based systems is loose in the wild, with an interesting habit of avoiding government and military networks.

(Apr 4)

More than 95 percent of White House email domains lack a security feature that prevents them from being used in massive phishing attacks, according to a Wednesday report from a cybersecurity industry group.

A New Backdoor Around the Fourth Amendment: The CLOUD Act (Apr 2)

There's a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy. It is built into a dangerous bill called the CLOUD Act, which would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is stored.

(Apr 5)

Email fraud is a top risk for 2018 and is resulting in employee terminations. More than 77% of businesses expect to fall victim to email fraud in the next 12 months, yet only 40% have full visibility into email threats.

(Apr 2)

Phishing attacks are becoming more prevalent and harder to detect. Scammers are developing highly sophisticated methods to target both businesses and individuals. If undetected, these attacks can have devastating results.

(Apr 6)

Republican leaders of the House Energy and Commerce Committee are pressing the nonprofit Linux Foundation on how the tech community can better mitigate vulnerabilities in open-source software.

(Apr 2)

Italian football team Lazio paid $2.5 million for Dutch player Stefan de Vrij to the wrong bank account, after being convinced to switch account numbers by an email scammer. Business email compromise is becoming increasingly common. In addition to sending out phishing emails from compromised accounts, crooks can view email history, copy invoices and documents, and delete incoming emails that could reveal the scam.

150 million MyFitnessPal accounts compromised – here's what to do (Apr 2)

MyFitnessPal has been hacked! Because email addresses were among the information stolen, criminals have been able to send MyFitnessPal spear-phishing emails for the past month. These spear-phishing attacks are especially dangerous because the stolen personal information that users logged in the app can be used to make the emails very convincing and difficult to detect.

(Apr 4)

In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months. When Brian Krebs publicly broke the news, other news outlets emphasized the usual "We take your security very seriously, security is a top priority for us" prepared statement from Panera Bread. Worse still, the vulnerability was not fixed at all -- which means the company either misrepresented its actual security posture to the media to save face or was not competent enough to determine this fact for themselves. This post establishes a canonical timeline so subsequent reporting doesn't get confused.