Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news and opinion links on security and privacy related topics. We hope you enjoy and find them useful.

PCI Compliance and Payments

• New PCI FAQ#1449 Is two-step authentication acceptable for PCI DSS Requirement 8.3? https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Is-two-step-authentication-acceptable-for-PCI-DSS-Requirement-8-3 (See a full index of FAQ's https://controlgap.com/index-pci-frequently-asked-questions/)
• Proposal for cards with dynamic security codes http://www.telegraph.co.uk/news/2017/06/29/banks-considering-adopting-debit-credit-cards-security-code/

Breaches / Leaks

• Avanti self-serve kiosks breached for payment card and biometric data https://krebsonsecurity.com/2017/07/self-service-food-kiosk-vendor-avanti-hacked/
• Health Care breach analysis http://www.databreachtoday.com/analysis-top-health-data-breaches-so-far-in-2017-a-10078
• Every Australian's medical data is out there http://www.smh.com.au/technology/consumer-security/medicare-details-of-every-australian-currently-up-for-sale-on-the-dark-web-20170703-gx40ow.html
• Update on 7 month breach at Sabre included cardholder data and some security codes http://www.databreachtoday.com/sabre-says-stolen-credentials-led-to-breach-a-10087,
• Sabre breach impacts Hard Rock and Lowes Hotels  https://threatpost.com/hard-rock-loews-hotels-among-sabre-corp-hospitality-breach-victims/126715/
• Information Week Security Breach Impact Paper for 2017 http://www.informationweek.com/whitepaper/network-and-perimeter-security/security-management-and-analytics/how-data-breaches-affect-the-enterprise/390563
• WWE leaks PII data on 3M fans from NA and the EU from an unsecured AWS server  https://threatpost.com/leaky-wwe-database-exposes-personal-data-of-3m-wrestling-fans/126710/
• US based B&B Theaters cardholder data breach https://krebsonsecurity.com/2017/07/bb-theatres-hit-in-2-year-credit-card-breach/

Lawful Access / Back-doors / Laws & Regulations

• CAN-SPAM act under review https://krebsonsecurity.com/2017/07/is-it-time-to-can-the-can-spam-act/ and up for FTC comment https://ftcpublic.commentworks.com/ftc/canspamrulereview/

Bugs

• GnuPG libgcrypt vulnerable to "sliding window" side channel attack fully breaks RSA 1024 implementation https://www.theregister.co.uk/2017/07/04/gnupgcryptolibrarycrackedlookforpatches/
• Assault via IoT at BlackHat https://www.darkreading.com/iot/iot-physical-attack-exploit-to-be-revealed-at-black-hat/d/d-id/1329282

Privacy

• Judge rules Facebook's tracking visitors to pages with "Like" widgets isn't wiretapping   https://www.theguardian.com/technology/2017/jul/03/facebook-track-browsing-history-california-lawsuit
• Snap Chat's Snap Map could be a boon for stalkers https://www.theguardian.com/culture/2017/jul/07/apparently-my-smartphone-is-telling-everyone-exactly-where-i-am-right-now-should-i-care

Hacking / Malware / Cybercrime

• Original Petya private key released http://www.databreachtoday.com/private-key-for-original-petya-ransomware-released-a-10091
• Interesting nPetya counterargument using survivor-ship bias http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html
• CitizenLab on spoofing - a real case of "Fake News" being harmful https://deibert.citizenlab.org/2017/07/more-than-meets-the-eye/
• Bithumb Bitcoin Exchange hacked https://www.theregister.co.uk/2017/07/06/bithumb_hack/
• Cyber attacks on US nuclear plants http://www.bbc.co.uk/news/world-us-canada-40538061

Other Security / Risk

• The problem of accountability in instant messaging apps https://freedom-to-tinker.com/2017/07/07/on-encryption-archiving-and-accountability/
• Assessing file sharing and cloud risks (healthcare focused example) http://www.databreachtoday.com/assessing-file-sharing-cloud-computing-risks-a-10090
• More on BlockChain Identity Management https://sector.ca/the-blockchain-your-new-id-card/ and Decentralized Identity https://decentralized-identity.github.io/
• Password Reset Man-in-the-Middle attacks https://www.schneier.com/blog/archives/2017/07/a_man-in-the-mi.html
• Interesting new Windows 10 white-listing access control mechanism should help fight ransomware http://thehackernews.com/2017/06/windows10-controlled-folder-access-ransomware-protection.html
• Article on problems with medical devices and risky functionality http://www.csoonline.com/article/3202081/security/medical-devices-at-risk-5-capabilities-that-invite-danger.html
• Copying real world keys from photos https://www.schneier.com/blog/archives/2017/07/nowitseasier_.html
• Open source SS7 application firewall for https://www.darkreading.com/mobile/researchers-build-firewall-to-deflect-ss7-attacks/d/d-id/1329272
• Commentary on US Election Security issues (and vigorous comments) https://www.schneier.com/blog/archives/2017/07/commentaryonu.html
• UK to investigate NHS / Wannacry impact https://www.theregister.co.uk/2017/07/05/nhswannacryptnao_audit/
• UK Doctors using Snapchat to send patient data https://www.theguardian.com/technology/2017/jul/05/doctors-using-snapchat-to-send-patient-scans-to-each-other-panel-finds

Off-Topic

• The Great Wall, the Summer Triangle,  and the Milky Way https://apod.nasa.gov/apod/ap170703.html
• The space probe New Horizons is now on route to fly-by the mysterious "2014 Mu69" an object discovered while en-route to Pluto https://astroengine.com/2017/07/06/mu69-new-horizons-next-kuiper-belt-target-is-one-big-mystery/