Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Amazon's 1-Click patent finally expires https://www.geekwire.com/2017/amazons-1-click-patent-expires-today-soon-youll-able-accidentally-order-stuff-across-entire-internet/
• PCI SSC on remote access https://blog.pcisecuritystandards.org/locking-up-remote-access

Breaches / Leaks

• Equifax's Argentia operations suffers breach

  • 2nd breach https://www.databreachtoday.com/equifaxs-latest-data-breach-argentina-a-10288 and https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/
  • admin/admin http://www.bbc.com/news/technology-41257576

• More on the earlier Equifax breach including

  • $70B class action https://www.databreachtoday.com/equifax-faces-mounting-anger-70-billion-lawsuit-a-10282
  • Krebs followup https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/ and https://krebsonsecurity.com/2017/09/equifax-hackers-stole-200k-credit-card-accounts-in-one-fell-swoop/
  • Schneier weighs in https://www.schneier.com/blog/archives/2017/09/ontheequifax_.html
  • Unpatched https://www.databreachtoday.com/equifaxs-colossal-error-patching-apache-struts-flaw-a-10292 and https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/
  • Canada investigates and Execs step down https://beta.theglobeandmail.com/report-on-business/canadas-privacy-commissioner-launches-investigation-into-equifax-hack/article36280850/

Lawful Access / Back-doors / Laws & Regulations

• Proposal for US credit freeze bill http://www.pymnts.com/news/cfpb/2017/post-equifax-data-breach-democrats-create-bill/ and https://epic.org/2017/09/senators-introduce-data-breach.html
• US committee considering "value" of a secret ballot https://epic.org/2017/09/voting-system-guidelines-under.html
• Turkey arresting encryption tool downloaders http://thehackernews.com/2017/09/turkish-coup-bylock-messenger.html
• US Government bans Kaspersky products https://www.theguardian.com/technology/2017/sep/13/us-government-bans-kaspersky-lab-russian-spying

Bugs

• BlueBorne family of critical Bluetooth bugs  https://www.theregister.co.uk/2017/09/12/bluetoothbugsbedevilbillionsof_devices/ and https://cyberarms.wordpress.com/2017/09/15/p4wnp1-the-pi-zero-w-usb-attack-platform/
• Android Oreo fixes "Toast Message" UI overlay attack (malware can grant permissions for you)  http://www.theregister.co.uk/2017/09/11/everybodywithoutandroidoreovulnerabletooverlay_attack/
• Excel bug allows attackers to pivot https://www.theregister.co.uk/2017/09/12/excelpivotattacks/
• A busy patch Tuesday https://blog.qualys.com/laws-of-vulnerabilities/2017/09/12/september-patch-tuesday-27-critical-vulnerabilities-from-microsoft-plus-critical-adobe-patches
• More medical device bugs, infusion pumps http://thehackernews.com/2017/09/hacking-infusion-pumps.html
• $1M for Tor zero days! https://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/

Privacy

• Facebook fined for violations of privacy in Spain http://thehackernews.com/2017/09/facebook-privacy.html

Hacking / Malware / Cybercrime

• USB attack tool in tiny Raspberry Pi https://cyberarms.wordpress.com/2017/09/15/p4wnp1-the-pi-zero-w-usb-attack-platform/
• OurMine breaches Vevo http://thehackernews.com/2017/09/vevo-music-video-hacked.htm

Other Security / Risk

• On distrusting Symantec Web Certificates https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
• Google also to flag FTP sites as insecure https://www.theregister.co.uk/2017/09/15/chrometolabelftpsites_insecure/
• On voting and blockchain https://freedom-to-tinker.com/2017/09/12/blockchains-and-voting/
• Huang- Snowden hardware based i-phone privacy overlay  https://www.schneier.com/blog/archives/2017/09/ahardwarepriv.html and https://boingboing.net/2017/09/08/impaired-judgment-phones.html
• Securing the Raspberry Pi https://www.schneier.com/blog/archives/2017/09/securingarasp.html
• Is the Uncanny Valley getting narrower? https://www.theguardian.com/technology/2017/sep/09/robot-human-artificial-intelligence-philosophy

Off-Topic

• XKCD "Still in Use" https://xkcd.com/1888/
• Cassini crashed into Saturn real video and animation http://www.dailymail.co.uk/sciencetech/article-4886236/Cassini-begins-sending-final-photos-Saturn.html
• 30 lost English words http://www.bbc.co.uk/news/uk-41266000