This Week’s [in]Security – Issue 69
23 Jul 2018.
Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
- PCI publishes Software PIN on COTS (SPoC) Technical FAQs https://www.pcisecuritystandards.org/documents/SPoCTechnicalFAQsv1.2June_2018.pdf
- PCI Council nomination period for 2019-2020 Board of Advisors opens September 17 https://www.pcisecuritystandards.org/pdfs/2019-2020BoAElectionsTimetablePressReleaseJuly20187.17.18.pdf
- Canadian credit cards with better foreign currency fees https://www.thestar.com/life/homes/2018/07/17/3-credit-cards-canadians-can-use-to-avoid-foreign-currency-fees.html
Breaches / Leaks
- Supply chain breach of trade secrets hits over 100 manufacturing companies including Tesla, Toyota, Volkswagen https://www.nytimes.com/2018/07/20/business/suppliers-data-leak-automakers.html
- Telefonica breach exposes the personal and financial information for millions of Spaniards https://www.bleepingcomputer.com/news/security/telefonica-spain-exposed-the-personal-details-of-millions-of-customers/
- Breach at cloud-based HR firm, ironically named ComplyRight https://krebsonsecurity.com/2018/07/human-resources-firm-complyright-breached/
- SingHealth, the largest healthcare group in Singapore, breached for 1.5M records https://thehackernews.com/2018/07/singapore-healthcare-breach.html
- Breach investigation at medical diagnostics company LabCorp http://fortune.com/2018/07/17/labcorp-security-breach/
- Cyberattack at Algonquin College exposes data of students, alumni and faculty https://www.cbc.ca/news/canada/ottawa/algonquin-cyber-attack-1.4748969
- More leaky AWS S3 buckets including voter information and robocalls https://www.theregister.co.uk/2018/07/18/kromtechopenbuckets/
- Most Venmo transactions are being logged and are publicly accessible https://www.bleepingcomputer.com/news/security/paypals-venmo-app-exposes-most-transactions-via-its-api/
- Articles on the recent Ponemon study and the true and rising costs of a data breach https://www.packetlabs.net/packetlabs-state-of-security-series-the-true-cost-of-a-data-breach/ and https://www.itworldcanada.com/article/cost-of-canadian-data-breaches-continues-to-rise-says-study/406976
- The IBM Ponemon Cost of a Breach Study and calculator tool https://www.ibm.com/security/data-breach
- Maps and infographics of breached data by country, compiled from the Breach Level Index, show the US as the most breached nation at 6B records and with the most identity theft https://blog.varonis.com/the-world-in-data-breaches/
Laws & Regulations / Standards
- Google hit with €4.3bn Android fine from EU http://www.bbc.co.uk/news/technology-44858238
- Opinion: Copyright, net neutrality, and free speech http://www.michaelgeist.ca/2018/07/the-first-rule-of-copyright-reform-dont-mess-with-free-speech-and-net-neutrality/
- NIST is seeking comments on drafts strengthening guidance on cryptographic keys and algorithms, including retiring TDES: Draft Special Publication (SP) 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths. Announcement: https://csrc.nist.gov/news/2018/NIST-Releases-Draft-SP-800-131A-Rev-2 and details: https://csrc.nist.gov/publications/detail/sp/800-131A/rev-2/draft
- NIST is withdrawing 11 outdated Computer Security SP 800 publications on August 1, 2018 https://csrc.nist.gov/news/2018/nist-to-withdraw-eleven-outdated-sp-800-pubs
- NIST, with the DoD and NARA, will host an informational workshop providing an overview of Controlled Unclassified Information (CUI) on Thursday, October 18 https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop
- Kelsey Smith Act lacks safeguards against abuse and undermines security and privacy https://www.eff.org/deeplinks/2018/07/undermining-mobile-phone-users-privacy-wont-make-us-safer
Privacy
- The ongoing debate over facial recognition https://www.databreachtoday.com/facial-recognition-backlash-technology-giants-scramble-a-11218
- FBI wants more than facial recognition; tattoos are on the radar too https://www.eff.org/deeplinks/2018/07/fbi-wants-app-can-recognize-meaning-your-tattoos
- Senators Ask FTC to Investigate Smart TVs for Invading Users' Privacy https://www.bleepingcomputer.com/news/technology/senators-ask-ftc-to-investigate-smart-tvs-for-invading-users-privacy/
- Security and Privacy now a top FTC priority, agency seeks greater authority https://epic.org/2018/07/ftc-chair-seeks-new-privacy-an.html
- Cambridge Analytica's Facebook data was accessed from Russia, MP says https://money.cnn.com/2018/07/17/technology/cambridge-analytica-data-facebook-russia/index.html
- Facebook suspends Boston-based analytics firm Crimson Hexagon over its use of Facebook and Instagram data https://www.wral.com/facebook-suspends-boston-analytics-firm-over-data-usage/17710861/
- UK ICO fines Child Abuse Inquiry £200K over mass email https://www.theregister.co.uk/2018/07/18/icohandssexualabuseinquiry200kfineforsecurity_breach/
Bugs / Design Flaws
- Schneier on defeating iPhone restricted mode https://www.schneier.com/blog/archives/2018/07/defeatingthei.html
- Mitigating Spectre in Chrome https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html
- Google Whitepaper on detecting kernel memory disclosures https://googleprojectzero.blogspot.com/2018/06/detecting-kernel-memory-disclosure.html
- Diqee 360 Smart Vacuums suck up more than dirt, facilitate spying https://www.bleepingcomputer.com/news/security/flaws-in-diqee-360-smart-vacuums-let-hackers-spy-on-their-owners/
Hacking / Malware / Cybercrime
- Article on cellphone SIM hijacking https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
- Vancouver TransLink riders told to check bank statements after card skimmers found on Compass machines https://vancouversun.com/news/local-news/translink-riders-told-to-check-bank-statements-after-card-skimmers-found-on-compass-machines/wcm/569bcc82-c820-40d5-8409-abb7c7d55786
- Hackers net almost $1m in Russian bank raid http://www.bbc.co.uk/news/technology-44899224
- U.S. sentences 21 in massive India-based call centre scam that stole hundreds of millions by pretending to be tax and immigration services https://globalnews.ca/news/4344992/india-call-centre-scam-tax-irs-justice-department/
- Greece sending Russian national to France to face cybercrime charges relating to Bitcoin money laundering https://www.databreachtoday.com/greece-will-send-russian-cybercrime-suspect-to-france-a-11219
- Guilty plea in case of ‘LuminosityLink’ RAT author https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/
- Article and discussion about report on Chinese Cyber-Operations https://www.schneier.com/blog/archives/2018/07/newreporton_c.html
- Microsoft reports Russia tried to hack 2018 mid-term election candidates https://thehackernews.com/2018/07/russia-election-hacking.html
Other Security / Risk
- GPS spoofer costing less than a cell phone can redirect vehicles https://arstechnica.com/information-technology/2018/07/a-225-gps-spoofer-can-send-autonomous-vehicles-into-oncoming-traffic/ and the paper “All Your GPS Are Belong To Us” https://people.cs.vt.edu/gangwang/sec18-gps.pdf
- The man exposing fake news https://www.wired.com/story/shadow-politics-meet-the-digital-sleuth-exposing-fake-news
- Election interference to be sniffed out by early-alert system http://www.bbc.co.uk/news/technology-44820416
- Redesigned Gmail's secure links and resulting user behaviour changes pose risks to 1.4 billion users https://www.scmagazineuk.com/re-designed-gmail-poses-new-potential-threat-14-billion-users/article/1488238
- South Carolina being sued over insecure voting machines https://www.schneier.com/blog/archives/2018/07/suingsouthcar.html
- The really bad policy of Russian “two-time pads” https://www.lightbluetouchpaper.org/2018/07/17/the-two-time-pad-midwife-of-information-theory/ and https://www.theregister.co.uk/2018/07/19/russiaonetimepadserror_british/
- Documentary finds Facebook moderators were not removing videos of child abuse, hate speech, and more https://www.bbc.co.uk/news/technology-44859407
- Exactly what solutions are branded “Windows Defender”, the naming confusion explained https://blog.minerva-labs.com/untangling-the-windows-defender-naming-mess
- How Israel, in Dark of Night, Torched Its Way to Iran’s Nuclear Secrets https://www.nytimes.com/2018/07/15/us/politics/iran-israel-mossad-nuclear.html
- EU is preparing for worst in US trade talks http://www.businessinsider.com/trade-war-europe-trump-eu-retaliation-auto-tariffs-2018-7
- How to make quantum programming easier https://www.technologyreview.com/s/611673/google-wants-to-make-programming-quantum-computers-easier/
- Caveat emptor: $100 fake iPhone chameleon is really a hilariously bad and unsurprisingly insecure Android https://motherboard.vice.com/en_us/article/qvmkdd/counterfeit-iphone-x-review-and-teardown
- Russia investigating leak of hypersonic missile secrets https://www.bbc.co.uk/news/world-europe-44897577
- Internet sleuths help solve cold case https://www.washingtonpost.com/news/morning-mix/wp/2018/07/19/a-skeleton-with-a-hole-in-the-head-found-in-1975-is-no-longer-just-a-jane-doe-thanks-in-part-to-internet-sleuths/
Off-Topic
- XKCD comic: Software development https://xkcd.com/2021/
- New telescope finds 12 new moons around Jupiter, several with peculiar orbits http://www.syfy.com/syfywire/a-dozen-new-moons-for-jupiter
- Astronomers are seeing iron spikes in a young "nearby" star's spectrum and repeated dimming; it may be eating a planet http://www.syfy.com/syfywire/possible-planet-smashup-in-a-young-star-system