Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI SSC seeking feedback on Card Production ROC's https://blog.pcisecuritystandards.org/request-for-comments-pci-card-production-and-provisioning-rocs

Breaches / Leaks

• Deloitte breach https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/ and it appears they leaked credentials https://www.theregister.co.uk/2017/09/26/deloitteleakgithubandgoogle/
• Sonic Drive-In Restaurants https://krebsonsecurity.com/2017/09/breach-at-sonic-drive-in-may-have-impacted-millions-of-credit-debit-cards/
• Whole Foods restaurant POS software breached https://www.databreachtoday.com/whole-foods-market-investigates-hack-attack-a-10346
• Sharing breach information with Law Enforcement https://www.databreachtoday.com/developing-business-relationship-law-enforcement-a-10339
• Study finds 7% of AWS S3 buckets are public https://www.bleepingcomputer.com/news/security/7-percent-of-all-amazon-s3-servers-are-exposed-explaining-recent-surge-of-data-leaks/

• More Equifax

  • CEO "retires" https://www.theregister.co.uk/2017/09/26/equifaxceoresigns/
  • This may be a first, city of SF sues https://www.pymnts.com/news/security-and-risk/2017/san-francisco-sues-equifax/
  • New York state supoena https://www.databreachtoday.com/report-equifax-subpoenaed-by-new-york-state-regulator-a-10343
  • Analysis https://www.packetlabs.net/equifaxdatabreach/

Lawful Access / Back-doors / Laws & Regulations / Standards

• Canada resisting US NAFTA copyright position https://www.eff.org/deeplinks/2017/09/canada-pushes-back-against-us-copyright-demands-nafta
• Bell Canada pushing CRTC on NAFTA web blocking and copyright criminalization http://www.michaelgeist.ca/2017/09/bellcopyrightpolicy/ and http://www.michaelgeist.ca/2017/09/bell-calls-crtc-backed-website-blocking-system-complete-criminalization-copyright-nafta/
• Will Equifax make a difference to how the law views harm? https://www.eff.org/deeplinks/2017/09/will-equifax-data-breach-finally-spur-courts-and-lawmakers-recognize-data-harms
• Fiesty Duck Bulletproof TLS #32 is out, Certificate Authority Authorization DNS Records are now mandatory, more CA distrusting, less 3DES available, post-quantum crypto, quantum attacks on hashes https://www.feistyduck.com/bulletproof-tls-newsletter/issue32caaisnow_mandatory
• NIST releases their Application Container Security Guide https://csrc.nist.gov/publications/detail/sp/800-190/final

Bugs

• Finance Sector full of (patchable bugs) https://www.theregister.co.uk/2017/09/22/financewebsecurity/
• Netscaler authenication bypass https://support.citrix.com/article/CTX227928
• Mac OS, including High Sierra password leaks https://arstechnica.com/information-technology/2017/09/password-theft-0day-imperils-users-of-high-sierra-and-earlier-macos-versions/
• More IoT security bugs in Bluetooth (BLE) equiped  adult toys (consider yourself warned)  https://www.theregister.co.uk/2017/09/29/bleexploitsscrewdriving/

Privacy

• Want to know what data Tinder collects? https://www.schneier.com/blog/archives/2017/09/thedatatinder.html
• Email tracking is much worse than you likely suspected https://freedom-to-tinker.com/2017/09/28/i-never-signed-up-for-this-privacy-implications-of-email-tracking/

Hacking / Malware / Cybercrime

• CCleaner malware was used to deliver extremely targeted secondary payloads https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/
• Network connections deliver ATM malware http://blog.trendmicro.com/trendlabs-security-intelligence/an-elaborate-atm-threat-crops-up-network-based-atm-malware-attacks
• A look at coupon fraud and cybercrime http://blog.trendmicro.com/trendlabs-security-intelligence/business-process-compromise-underground-coupon-fraud/

Other Security / Risk

• Security conference list (including 3 Canadian events) https://www.csoonline.com/article/3155500/it-careers/the-cso-guide-to-top-security-conferences.html
• Android lock patterns vs. PIN unlock https://threatpost.com/android-lockscreen-patterns-less-secure-than-pins/128123/
• UK Cybersecurity center expects (more) major cyber attack within the next few years  https://www.theguardian.com/technology/2017/sep/22/major-cyber-attack-happen-soon-warns-uks-online-security-boss
• 21 states fess up to election hacks https://www.darkreading.com/vulnerabilities--- threats/after-dhs-notice-21-states-reveal-they-were-targeted-during-election--/d/d-id/1329972
• We are a step nearer to a heart scanning bio-metric, expect more debate and discussion  http://thehackernews.com/2017/09/cardiac-scan-heart-password.html
• Improving web security with HSTS https://security.googleblog.com/2017/09/broadening-hsts-to-secure-more-of-web.html
• Face ID has problems with youth https://www.theguardian.com/technology/2017/sep/27/apple-face-id-iphone-x-under-13-twin-facial-recognition-system-more-secure-touch-id
• Problems with time, In Search of a Secure Time Source https://blog.hboeck.de/archives/890-In-Search-of-a-Secure-Time-Source.html

Off-Topic

• There's a binary comet hiding in our asteroid belt https://www.universetoday.com/137278/hubble-spots-unique-object-asteroid-belt/
• Massive, hot, and glowing infra-red, a super-Jupiter orbits WASP-12 in a very tight orbit http://www.syfy.com/syfywire/pitch-black-planet
• Space-X to develop new fully reusable rocket, the "BFR", for Mars, Moon, orbit, and intercontinental travel booster http://www.bbc.co.uk/news/science-environment-41441877
• Weird fast comet discovered, 2.4B km out it has developed a coma http://www.syfy.com/syfywire/astronomers-spot-the-most-distant-active-inbound-comet-ever-25-billion-km-away