Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Orlando PCI Community Meeting cancelled due to Hurricane Irma https://www.pcisecuritystandards.org/nacm2017scheduleirma
• 2 month Feedback period for PCI DSS and PA-DSS https://blog.pcisecuritystandards.org/feedback-period-pci-dss-and-pa-dss
• New FAQ on PFI (Forensic) reporting process and amendments https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/Can-PFIs-provide-reports-to-their-clients-before-sending-the-report-to-the-affected-payment-brands

Breaches / Leaks

• Equifax breached for 143M records https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
• Equifax lingering questions: why so big, allegations of insider trading on breach, TrustID agreement precluding customers from suing https://www.databreachtoday.com/equifax-breach-8-takeaways-a-10278
• Equifax outreach on breach is clumsy and ametuerish https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/
• Mexican tax refund site breach discloses passport info and more http://www.theregister.co.uk/2017/09/08/mexicanvatrefundsitebreach/
• Green light for Yahoo breach suit https://www.darkreading.com/application-security/judge-rules-that-yahoo-breach-victims-can-sue-/d/d-id/1329798
• More leaky AWS S3 buckets https://www.darkreading.com/cloud/amazon-s3-bucket-leaks-expose-classified-us-veteran-data-/d/d-id/1329802, https://www.theregister.co.uk/2017/09/04/ussecurityclearanceawsbreach/, and https://www.theregister.co.uk/2017/09/05/twcloses4mcustomerrecords/
• 320M passwords brute forced from prior breach data https://www.theregister.co.uk/2017/09/04/cryptobustersreversenearly320meellionhashedpasswords/
• 16 largest breaches https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html

Lawful Access / Back-doors / Laws & Regulations

• EU court decision on employee monitoring http://www.bbc.com/news/technology-41160853

Bugs

• Apache Struts critical vulnerabilities and Equifax https://www.theregister.co.uk/2017/09/11/apacherebutsequifax_allegation/
• Injection attack bug with payment fraud implications in payment gateways not checking inputs http://tinyhack.com/2017/09/05/mastercard-internet-gateway-service-hashing-design-flaw/
• Scotiabank web certs were expired for 5 months https://www.theregister.co.uk/2017/09/08/scotiabanksecuritywhizkidsscrewupsecurity_certs/
• 6 Android Bootloader zero days http://www.zdnet.com/article/android-security-multiple-bootloader-bugs-found-in-major-chipset-vendors-code/
• MS Kernel bug in Module Loading Notification could blindside AV  https://www.darkreading.com/endpoint/new-microsoft-kernel-bug-could-permit-malicious-modules/d/d-id/1329812
• MS won't patch Edge for CVE-2017-5033, CVE-2017-2419 https://www.theregister.co.uk/2017/09/07/talossaysmsftedgecontentsecuritybypassisafeaturewontbepatched/

Privacy

• US SSN data to be removed from Medicare ID Cards https://epic.org/2017/09/medicare-to-remove-ssn-from-id.html

Hacking / Malware / Cybercrime

• Kreb's walks back the cat on Marcus Hutchins hero of the Wanncry[pt] outbreak https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/
• Hidden malware within malware toolkit https://www.theregister.co.uk/2017/08/31/freetrojanfor_hackers/
• Russian APT group attacking powergrids https://www.darkreading.com/attacks-breaches/dragonfly-apt-now-able-to-disrupt-us-power-grid-operations-symantec-warns/d/d-id/1329814
• GPS spoofing weapon https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/

Other Security / Risk

• As if real news isn't grim enought, there are lot's of fake hurricane stories out there http://www.bbc.co.uk/news/blogs-trending-41187164
• Wikileaks exposes CIA malware that targets US made missile systems (?!) https://wikileaks.org/vault7/#Protego
• Vulnerabilities in Estonia's National ID card https://www.schneier.com/blog/archives/2017/09/securityflawi.html
• Virgina to scrap vulnerable voting machines https://www.theregister.co.uk/2017/09/11/virginiatoscraptouchscreenvoting_machines/
• Smartphone voice recognition software vulnerable to highjacking by ultrasonic voice commands https://www.theregister.co.uk/2017/09/07/dolphinshelppwn_electronics/
• German vote tabulating software vulnerable https://www.theregister.co.uk/2017/09/07/germanelectionsoftware_insecure/
• Raising the bar in automated fake review generation and defense https://www.schneier.com/blog/archives/2017/09/newtechniques\.html
• Intriguing product, a verified high secure KVM that virtualizes screens and preserves isolation https://www.theregister.co.uk/2017/09/07/crossdomaindesktopcompositorvdiforthe_paranoid/
• From EFF's Stupid Patent of the Month file, despite prior-art the obvious  inter-application security permission patent https://www.eff.org/deeplinks/2017/08/stupid-patent-month-jp-morgan-patents-interapp-permissions
• Facebook ad reach numbers are inflated (again) https://www.theguardian.com/technology/2017/sep/07/facebook-claims-it-can-reach-more-people-than-actually-exist-in-uk-us-and-other-countries
• Fake news photographer outed https://www.washingtonpost.com/news/morning-mix/wp/2017/09/07/he-claimed-to-be-a-heroic-war-photographer-but-his-photos-and-identity-were-stolen/

Off-Topic

• Another very large black hole found in MilkyWay https://www.universetoday.com/137062/another-monster-black-hole-found-milky-way/ brings to mind Ghostbusters ("We have to get these two together." /"I think that would be extraordinarily dangerous.")