Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI Info-graphic for Small & Medium Businesses 50% breach rate https://blog.pcisecuritystandards.org/infographic-3-payment-data-security-essentials-smbs-should-not-ignore

Breaches / Leaks

• Yahoo update, 2013 breach was everyone (3B accounts) https://www.pymnts.com/news/security-and-risk/2017/3b-users-affected-by-2013-yahoo-hack-and-security-breach/ and Kreb's on this https://krebsonsecurity.com/2017/10/fear-not-you-too-are-a-cybercrime-victim/
• Canadian breach notification regulations don't go far enough http://www.michaelgeist.ca/2017/10/breach-canadas-security-breach-disclosure-regulations-fall-short/

• More Equifax

  • Another 2.5M Americans impacted https://www.bleepingcomputer.com/news/security/study-concludes-an-additional-2-5-million-americans-affected-by-equifax-breach/
  • Lenders worry freezes will hurt business https://www.pymnts.com/news/security-and-risk/2017/equifax-credit-freezes-worry-lenders-after-data-breach/
  • Kreb's on questions he'd have the 4 Congressional committees ask CEO https://krebsonsecurity.com/2017/09/heres-what-to-ask-the-former-equifax-ceo/
  • The debate on security rules begins http://www.bbc.com/news/business-41489112
  • CEO blames a single employee for failure https://www.theregister.co.uk/2017/10/04/solesecurityworkeratfaultforequifaxfailsaysformerceo/
  • Attack looks state sponsored https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
  • How much responsibility do auditors have? http://www.marketwatch.com/story/equifax-auditors-are-on-the-hook-for-data-security-risk-controls-2017-10-02
  • Problems down under, Equifax Australia's website hosted scammer materials https://www.databreachtoday.com/scammers-hosted-files-on-equifaxs-australian-website-a-10350

Laws & Regulations / Standards

• DNS Key Signing Keys implementation delayed due to impact https://www.theregister.co.uk/2017/09/28/internetupdateon_hold/
• FBI won't have to disclose iPhone investigation methods https://www.darkreading.com/endpoint/fbi-wont-have-to-reveal-iphone-cracking-tool-used-in-terror-case-/d/d-id/1330028
• Rebuking Bell's position on piracy http://www.michaelgeist.ca/2017/10/fake-data-fakes-digging-bells-dubious-canadian-piracy-claims/
• Securing  the Border Gateway Protocol (BGP) https://www.darkreading.com/vulnerabilities--- threats/new-standards-will-shore-up-internet-router-security-/d/d-id/1330038
• NAFTA 2.0 and Copyright https://www.eff.org/deeplinks/2017/10/defending-users-nafta-20-who-are-we-against

Bugs

• Apache Tomcat remote code execution bug https://thehackernews.com/2017/10/apache-tomcat-rce.html
• More on Project Zero's exploiting the Apple Wi-Fi stack https://googleprojectzero.blogspot.ca/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html
• Now Apple iPhone 8 has a battery problem https://www.theguardian.com/technology/2017/oct/05/iphone-8-plus-apple-reports-batteries-bursting-smartphones
• The Rowhammer memory attack has been improved https://www.bleepingcomputer.com/news/security/new-rowhammer-attack-bypasses-previously-proposed-countermeasures/

Privacy

• It's time to get rid of Social Insurance Numbers https://www.bloomberg.com/news/articles/2017-10-03/white-house-and-equifax-agree-social-security-numbers-should-go
• UK data protection laws being used to sue Trump's election data analysis company  https://www.theguardian.com/technology/2017/oct/01/cambridge-analytica-big-data-facebook-trump-voters
• US privacy Shield again under legal attack in Europe https://www.theregister.co.uk/2017/10/03/schremsbustsprivacyshieldwide_open/ and https://www.eff.org/deeplinks/2017/10/europes-courts-decide-does-us-spying-violate-europes-privacy
• USPS informed delivery website design problems https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/

Hacking / Malware / Cybercrime

• Why the US Government is banning Kaspersky https://www.nbcnews.com/news/investigations/amp/russian-hackers-stole-nsa-tools-contractor-who-used-kaspersky-software-n808101,  https://www.washingtonpost.com/world/national-security/russian-government-hackers-exploited-antivirus-software-to-steal-us-cyber-capabilities/2017/10/05/a01bf546-a9fc-11e7-92d1-58c702d2d975_story.html, and discussion https://www.schneier.com/blog/archives/2017/10/yetanotherrus.html
• Another Etherium ICO hijacked https://www.bleepingcomputer.com/news/security/hackers-hijack-another-ethereum-ico-damages-unknown-/
• A deeper look at the CCleaner malware https://threatpost.com/inside-the-ccleaner-backdoor-attack/128283/
• Unsurprisingly there is no honor among spies https://www.darkreading.com/threat-intelligence/nation-state-attackers-steal-copy-each-others-tools/d/d-id/1330052
• Attack hijacks email accounts to insert malware in ongoing message threads for cover and credibility https://www.bleepingcomputer.com/news/security/hackers-hijack-ongoing-email-conversations-to-insert-malicious-documents/

Other Security / Risk

• Surveying System Administrators on patching https://freedom-to-tinker.com/2017/10/04/avoid-an-equifax-like-breach-help-us-understand-how-system-administrators-patch-machines/
• Why there should be more bug bounties https://www.theregister.co.uk/2017/10/04/rosensteintocorporateamericaopenyourdoorstowhite_hats/
• Why a national ID (like SSN/SIN) is hard https://motherboard.vice.com/en_us/article/pakwnb/replacing-social-security-numbers-is-harder-than-you-think and discussion https://www.schneier.com/blog/archives/2017/10/replacing_socia.html
• National Cyber Security Month https://www.datex.ca/blog/october-is-national-cyber-security-awareness-month
• HPE let Russia review ArcSight source code code https://www.theregister.co.uk/2017/10/02/hpehandedoversourcecodeforpentagonsecuritysystemtorussia/ and discussion https://www.schneier.com/blog/archives/2017/10/hpsharedarcsi.html
• Security and privacy awareness severely lacking https://www.darkreading.com/vulnerabilities--- threats/70--of-us-employees-lack-security-and-privacy-awareness/d/d-id/1330031
• Google Advance Protection Program https://www.databreachtoday.com/google-reportedly-plans-stronger-authentication-options-a-10356
• Stupid patent of the month: AI technique patents https://www.eff.org/deeplinks/2017/09/stupid-patent-month-will-patents-slow-artificial-intelligence
• New patent law trickery https://www.eff.org/deeplinks/2017/10/troubling-new-tactic-keep-bad-patents-being-tossed-out

Off-Topic

• NASA concept for environmentally friendly supersonic aircraft https://apod.nasa.gov/apod/ap171001.html
• XKCD "Self-Driving" https://xkcd.com/1897/
• Almost 100 years after the discovery of Insulin, a possible genetic solution https://scienmag.com/rare-benign-tumors-hold-the-genetic-recipe-to-combat-diabetes/