Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Last month MasterCard announced the end of signature requirements https://consumerist.com/2017/10/19/mastercard-ending-signature-requirements/ and https://newsroom.mastercard.com/2017/10/19/no-more-signing-on-the-dotted-line/
• PCI to SMB's 81% of breaches due to stolen and weak passwords https://blog.pcisecuritystandards.org/strong-passwords-payment-data-security-essential-for-smbs

Breaches / Leaks

• Data on 32 million Malaysiaians breached, most telecommunications companies  and medical records http://www.bbc.com/news/technology-41816953
• Hilton fines over previous breach https://www.engadget.com/2017/10/31/hilton-data-breaches-700-000-penalty/
• How Canada fares against state sponsored attacks https://www.itworldcanada.com/article/canadian-government-suffers-dozens-of-successful-state-sponsored-cyber-attacks-report/398250
• Hacker extorting Fraser Valley University https://www.bleepingcomputer.com/news/security/hacker-holds-university-for-ransom-threatens-to-dump-student-info/
• Another AWS S3 leak by contractor of 50K Austrailain government and bank employee PII and credit cards  https://www.scmagazine.com/contractor-misconfigures-aws-exposes-data-of-50000-australian-employees/article/704873/
• Recent breach of Bermuda based Appleby law firm, now being called the Paradise Papers https://www.nytimes.com/2017/11/05/world/paradise-papers.html
• Internal Equifax investigation clears execs of insider trading https://www.theregister.co.uk/2017/11/03/equifaxsharetrade_investigation/

Laws & Regulations / Standards

• Google abandons HPKP (Public Key Pinning) https://www.theregister.co.uk/2017/10/30/google_hpkp/
• Mozilla considering untrusting Dutch Certificate Authority over intelligence collection law https://www.theregister.co.uk/2017/10/30/mozillamistrustdutch_ca/
• Michael Geist on Access Copyright's proposed damages http://www.michaelgeist.ca/2017/10/access-copyright-calls-massive-expansion-damage-awards-ten-times-royalties/
• US DoJ now OK with encryption if you keep plaintext too https://www.theregister.co.uk/2017/10/30/encryptionbackdoorsplaintextdeputyag/
• Another case of bad patents https://www.eff.org/deeplinks/2017/10/stupid-patent-month-bad-patent-goes-down-using-procedures-patent-office-threatened
• New US election computing law https://www.theregister.co.uk/2017/10/31/uselectionhacking_law/
• US Federal Court disagrees with Supreme Court of Canada over world wide order against Google https://www.eff.org/deeplinks/2017/11/us-federal-court-rejects-global-search-order
• GDPR set to disrupt marketing in 2018 https://www.marketingprofs.com/articles/2017/33050/your-2018-marketing-plan-wont-work-and-will-break-the-law-the-threat-posed-by-gdpr

Bugs / Design Flaws

• Oracle Identity Manager default account scores a "10" on CVSS  https://thehackernews.com/2017/10/oracle-identity-manager.html
• Bugs in google bug tracker could have allowed access to vulnerabilities before they were patched https://motherboard.vice.com/en_us/article/evbvqj/bug-in-googles-bug-tracker-lets-researcher-access-list-of-companys-vulnerabilities
• Wordpress core bug puts plugins at risk https://www.theregister.co.uk/2017/10/31/wordpresssecurityfix48_3/
• Estonia cancels 760K electronic ID cards in wake of recent ROCA bug https://www.bleepingcomputer.com/news/government/estonia-cancels-760-000-electronic-id-cards-because-of-crypto-flaw/

Privacy

• Facebook and uncannily well targeted ads? https://www.theguardian.com/technology/2017/oct/30/facebook-denies-eavesdropping-on-conversations-to-target-ads-again
• Firefox will block browser "Canvas" fingerprinting https://thehackernews.com/2017/10/canvas-browser-fingerprint-blocker.html

Hacking / Malware / Cybercrime

• Abuse of code signing certificates by malware and many anti-virus solutions trust unvalidated signatures https://www.theregister.co.uk/2017/11/01/digitalcertabuse/
• Weak Remote Desktop Credentials being exploited https://www.databreachtoday.com/hackers-exploit-weak-remote-desktop-protocol-credentials-a-10433
• Easy trick can spoof Facebook URLs and no way for users to know https://thehackernews.com/2017/10/facebook-link-spoofing.html
• ID theft ring indicted, no details on targets https://www.darkreading.com/mobile/identity-theft-ring-hit-with-credit-card-fraud-indictment/d/d-id/1330251
• Scammers claiming to represent SecTor https://sector.ca/psa-beware-fake-sector-scams/
• D-Link site running cryptocurrency miner (likely hacked) https://thehackernews.com/2017/11/dlink-cryptocurrency-miner.html
• Amazing 11 bug chain wins contest https://threatpost.com/chain-of-11-bugs-takes-down-galaxy-s8-at-mobile-pwn2own/128739/
• Social Engineering techniques https://www.darkreading.com/endpoint/social-engineer-spills-tricks-of-the-trade-/d/d-id/1330315

Other Security / Risk

• Krebs on Equifax's reopens Salary lookup service with claimed security improvements https://krebsonsecurity.com/2017/11/equifax-reopens-salary-lookup-service/
• US 2020 Census systems at risk https://www.theregister.co.uk/2017/11/01/us2020census_insecure/
• Schneier and discussion on Google Advanced Protection login https://www.schneier.com/blog/archives/2017/10/googlelog-ins.html
• Pixie, a new 2FA factor https://www.bleepingcomputer.com/news/security/researchers-devise-2fa-system-that-relies-on-taking-photos-of-ordinary-objects/
• Article on measuring risk https://www.darkreading.com/vulnerabilities--- threats/stop-counting-vulnerabilities-and-start-measuring-risk/a/d-id/1330220
• IETF considers standard for IoT patching https://www.theregister.co.uk/2017/10/31/ietfinternetofthingsupdate_security/
• Fireeye releases containerized password cracking tool https://www.csoonline.com/article/3235609/security/free-gocrack-password-cracking-tool-released-to-help-admins-test-security.html
• Detente in the world of the Internet? https://www.wired.com/story/china-tests-limits-of-us-hacking-truce/
• Article on passwords used by Paul Manafort https://motherboard.vice.com/en\_us/article/8x584a/paul-manafort-password-james-bond-007 (which was on a par with John Podesta's real gmail password http://theweek.com/speedreads/671186/no-clinton-aide-john-podesta-not-hacked-because-used-password-email-password))
• Wired tries and fails to beat Apple's face ID (for now) https://www.wired.com/story/tried-to-beat-face-id-and-failed-so-far/
• Article on the passwords we manage https://www.darkreading.com/endpoint/average-employee-manages-nearly-200-passwords/d/d-id/1330304
• Proposed safety rule for connected vehicles taken off the table https://epic.org/2017/11/white-house-cancels-safety-rul.html
• Using fake login fields to dodge browser security warnings https://threatpost.com/taking-https-denial-to-an-absurd-level/128737/
• Twitter employee temporarily shuts down Trump https://www.washingtonpost.com/news/the-switch/wp/2017/11/02/trumps-twitter-account-was-temporarily-deactivated-due-to-human-error/

Off-Topic

• Cosmic rays used to detect "Big Void' in the Great Pyramid http://www.bbc.com/news/science-environment-41845445
• Small star found with hot Jupiter sized companion https://www.universetoday.com/137706/monster-planet-discovered-makes-scientists-rethink-theories-planetary-formation/
• The confirmed exoplanet count is nearing 3,000 (and another 2,300 unconfirmed) http://exoplanets.org/