Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI blog on mitigating SSL and early TLS https://blog.pcisecuritystandards.org/reducing-risk-ssl-early-tls-mitigation-and-migration
• What's next for PCI DSS? Nothing major and perhaps more flexibility https://blog.pcisecuritystandards.org/what-is-next-for-pci-dss
• Gas pump skimmers using SMS https://krebsonsecurity.com/2017/07/gas-pump-skimmer-sends-card-data-via-text/
• BlackHat - 2 attacks against ApplePay https://www.theregister.co.uk/2017/07/28/applepay_vuln/
• Crypto-currencies under the regulator spotlight https://www.theguardian.com/technology/2017/jul/31/cryptocurrencies-more-investment-way-pay-bitcoin-regulation

Breaches / Leaks

• Westjet Rewards breach http://globalnews.ca/news/3633823/westjet-rewards-member-profiles-posted-online-after-privacy-breach/
• HBO hacked, Game of Thrones episodes and more stolen https://www.engadget.com/2017/08/02/hbo-data-breach-thousands-internal-docs/
• Office 365 cross-tenant information leak https://www.petri.com/data-breach-office-365-admin-center
• Canadian Insurer offering breach insurance http://www.canadianunderwriter.ca/insurance/economical-launches-data-breach-coverage-canadian-businesses-1004118483/

Lawful Access / Back-doors / Laws & Regulations

• Microsoft takes Russian hacking team "Fancy Bear" to court in order to seize command and control domains http://www.databreachtoday.com/microsoft-battles-fancy-bear-hackers-lawyers-a-10156
• Senate bill to set IoT security standards https://krebsonsecurity.com/2017/08/new-bill-seeks-basic-iot-security-standards/
• NIST releases DRAFT Security Assurance Challenges for Container Deployment http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8176
• NIST releases  SP 800-70 Rev. 4 DRAFT National Checklist Program for IT Products: Guidelines for Checklist Users and Developers http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-70-Rev-4

Bugs

• Defcon exercise lays waste to electronic voting machines https://threatpost.com/voting-machines-hacked-with-ease-at-def-con/127101/
• More Defcon/Blackhat bugs in ATMs, cell-phones, and more https://www.theregister.co.uk/2017/07/31/best\_of\_rest\_black\_hat\_def\_con/ and radiation monitors https://www.theregister.co.uk/2017/07/28/radiationmonitoringinfosec/
• Vulnerability in Broadcom chipsets leave IOS and Android exposed https://blog.exodusintel.com/2017/07/26/broadpwn/
• Windows bounty program announced at blackhat! https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/
• Siemen's medical imaging system exploits lead to patches https://threatpost.com/exploits-available-for-siemens-molecular-imaging-vulnerabilities/127225/ 
• Cars exploitable via Hayes AT modem commands https://www.theregister.co.uk/2017/08/01/telematicsvulnerabilitiesinbmwinfinitifordnissan/

Privacy

• Disney named in class action lawsuit https://www.theregister.co.uk/2017/08/05/disneychargedslurpingkidsinfo/
• German researchers social engineer to other companies to get extensive browsing histories  https://www.theguardian.com/technology/2017/aug/01/data-browsing-habits-brokers 

Hacking / Malware / Cybercrime

• Man who stopped Wannacry[pt] arrested by FBI on 6 counts relating to the Kronos Banking Trojan http://www.databreachtoday.com/fbi-arrests-marcus-hutchins-who-stopped-wannacry-a-10168
• German court suspends sentence of BotNet suspect, UK seeking extradition https://krebsonsecurity.com/2017/07/suspended-sentence-for-mirai-botmaster-daniel-kaye/
• Software Library typo-squatting attack to grab developer credentials https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/
• Increasing trend to deliver malware and attacks via SSL/TLS http://www.csoonline.com/article/3212965/cyber-attacks-espionage/why-ssl-tls-attacks-are-on-the-rise.html 

Other Security / Risk

• Techniques to discover vulnerabilities in "transparent" supplemental web infrastructure http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html
• Feisty Duck #30, leaked private keys, using fake keys to revoke public keys, and more TLS/SSL news https://www.feistyduck.com/bulletproof-tls-newsletter/issue30leakedprivatekeysandrevocationsbasedonfakeprivate_keys.html
• Discussion of passwords and authentication methods https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
• Weaponizing a carwash?  https://www.theregister.co.uk/2017/07/27/killercarwash/
• Researcher sandboxes Windows defender https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/
• The 2017 Pwnie Awards https://www.darkreading.com/vulnerabilities--- threats/2017-pwnie-awards-who-won-lost-and-pwned/d/d-id/1329553

Off-Topic

• Optical Illusions using braided circles make your mind jump the track http://www.syfy.com/syfywire/can-you-make-your-brain-not-see-this-circle-illusion
• Smallest star discovered by WASP, smaller than Jupiter http://www.syfy.com/syfywire/astronomers-find-the-maybe-smallest-star-ever-seen