Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• Why don't organizations do their home work before their PCI assessments? https://www.paymentssource.com/opinion/pci-audits-should-be-treated-the-same-as-financial-exams

Breaches / Leaks

• Comcast portal exposes sensitive PII for 26M customers https://www.zdnet.com/article/comcast-vulnerabilities-exposed-sensitive-data-customers-allowed-brute-force-attacks/
• Health care records exposed for 2M Mexicans via writable MongoDB database https://www.bleepingcomputer.com/news/security/health-care-data-of-2-million-people-in-mexico-exposed-online/
• 301K forgotten medical records found in hospital demolition, left behind in 2014 move https://www.databreachtoday.com/300000-records-found-at-hospital-slated-for-demolition-a-11293
• Snapchap source code leaked on GitHub in bug bounty dispute (or possible extortion) https://thehackernews.com/2018/08/snapchat-hack-source-code.html
• Amazon salesperson misconfigures AWS S3 bucket and exposes GoDaddy pricing and discount data https://www.darkreading.com/attacks-breaches/aws-employee-flub-exposes-s3-bucket-containing-godaddy-server-configuration-and-pricing-models/d/d-id/1332525
• Follow-up on the Level One Robotics breach https://www.packetlabs.net/level-one-data-breach/
• Challenges and best practices for preventing leaky AWS S3 buckets https://www.tenable.com/blog/leaky-amazon-s3-buckets-challenges-solutions-and-best-practices

Laws & Regulations / Standards

• TLS 1.3 published, here's a detailed look - it's more secure, simpler, and faster. One caveat 0-RTT resumption still lets you run with scissors.  https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
• Article and discussion about the death of a warrant canary https://www.schneier.com/blog/archives/2018/08/spideroaks_warr.html
• UK based Halifax Bank port scans you when you when you visit their website https://www.theregister.co.uk/2018/08/07/halifaxbankports_scans/
• Alberta mandatory PHI breach notification https://iapp.org/news/a/new-mandatory-breach-notification-for-health-information-in-alberta/
• Were today’s free speech and social media debates foreshadowed by Benjamin Franklin? https://www.washingtonpost.com/news/morning-mix/wp/2018/08/08/the-apology-from-benjamin-franklin-that-predicted-the-fight-over-falsehood-and-hate-on-social-media/
• Article and discussion about TSA reviewing and considering cutting airport security measures  https://www.schneier.com/blog/archives/2018/08/dontfearthe_t.html

Privacy

• Company suspends use of mall directory cameras running facial recognition software in Canadian malls https://www.cbc.ca/news/canada/calgary/cadillac-fairview-mall-directory-facial-recognition-suspended-1.4774692
• Managing misunderstanding and awareness, when a simple tire change becomes a debate over personal privacy https://www.cbc.ca/news/canada/nova-scotia/when-a-simple-tire-change-becomes-a-debate-over-personal-privacy-1.4773329

Bugs / Design Flaws

• West Virginia tests mobile voting app amid multiple security red flags https://www.theregister.co.uk/2018/08/07/voatzwestvirginiavotingapp/
• New attack against Wi-Fi WPA/WPA2 Pairwise Master Key Identifier (PMKID) roaming feature https://thehackernews.com/2018/08/how-to-hack-wifi-password.html
• BlackHat – remotely exploited UEFI update mechanism with buffer overflows and using HTTP in ASUS and ASRock https://threatpost.com/update-mechanism-flaws-allow-remote-attacks-on-uefi-firmware/134785/
• BlackHat – Multiple MacOS firewall vulnerabilities https://threatpost.com/patrick-wardle-breaks-and-bypasses-macos-firewalls/134784/
• BlackHat - security implications of TLS 1.3's new 0-RTT performance option https://blog.talosintelligence.com/2018/08/playback-tls-story.html
• Got printer malware? HP patches 200+ printer models for vulnerabilities https://www.theregister.co.uk/2018/08/03/hpprintermalware/
• Many vulnerabilities patched in update to OpenEMR medical records software https://www.theregister.co.uk/2018/08/07/openemr_vulnerabilities/
• Medtronic's pacemaker programming tool can be hacked. Article https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/ and video https://www.bbc.co.uk/news/av/technology-45118645/medical-hack-poses-pacemaker-risk
• DefCon - Widely used Crestron conference room touchscreen tablets are insecure https://www.wired.com/story/crestron-touchscreens-could-spy-on-hotel-rooms-and-meetings
• Risks of IoT vulnerabilities in smart irrigation control systems https://motherboard.vice.com/en_us/article/xwk5n7/hacking-internet-connected-irrigation-systems
• Risks of IoT vulnerabilities in smart city sensors https://www.wired.com/story/sensor-hubs-smart-cities-vulnerabilities-hacks
• DoS vulnerability in Linux kernel 4.9 and up https://www.scmagazine.com/linux-vulnerability-could-lead-to-ddos-attacks/article/786713/

Hacking / Malware / Cybercrime

• Florida arrest in multi-state SIM hijacking and fraud gang https://krebsonsecurity.com/2018/08/florida-man-arrested-in-sim-swap-conspiracy/
• DefCon Kids Zone - Hacking the US mid-terms is literally child's play http://www.bbc.co.uk/news/technology-45154903
• Bitcoin ATM malware https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-bitcoin-atms-pops-up-in-the-underground/
• Wannacry[pt] ransomware variant cripples top Apple supplier TSMC using unpatched Windows 7 manufacturing machines http://money.cnn.com/2018/08/06/technology/tsmc-chip-supplier-virus/index.html and https://www.bankinfosecurity.com/wannacry-outbreak-hits-chipmaker-could-cost-170-million-a-11285
• Honeytrap spy stole secrets of new RAF stealth jet by hacking a Tinder profile http://www.dailymail.co.uk/news/article-6027207/Honeytrap-spy-stole-secrets-new-RAF-stealth-jet-hacking-Tinder-profile.html
• Honeypot finds malware fingerprinting targets using differences in JavaScript implementations https://www.theregister.co.uk/2018/08/09/howeviljavascripthelpsattackerstagpossiblevictimsandgivesawaytheirintent/
• USENIX WOOT - fingerprinting honeypots https://www.lightbluetouchpaper.org/2018/08/10/bitter-harvest-systematically-fingerprinting-low-and-medium-interaction-honeypots-at-internet-scale/
• DefCon - NSA presentation on Nation State hacking https://www.darkreading.com/threat-intelligence/nsa-brings-nation-state-details-to-def-con/d/d-id/1332533

Other Security / Risk

• The very real risk of positive drug tests from eating poppy seeds https://www.washingtonpost.com/news/morning-mix/wp/2018/08/08/yes-you-can-fail-a-drug-test-by-eating-a-poppy-seed-bagel-as-a-maryland-mother-learned/
• Article and discussion on paper about making rational security decisions https://www.schneier.com/blog/archives/2018/08/measuringther.html
• First responders at risk from poorly configured mobile wireless gateways https://arstechnica.com/information-technology/2018/08/in-vehicle-wireless-devices-are-endangering-emergency-first-responders/
• BlackHat workforce stress as a cyber-threat https://www.technologyreview.com/s/611727/cybersecuritys-insidious-new-threat-workforce-stress/
• FLoC 2018 - Summary of Fifth International Workshop on Graphical Models for Security https://www.lightbluetouchpaper.org/2018/07/10/graphical-models-of-security-gramsec-2018/
• Detecting phishing sites with Machine Learning https://www.schneier.com/blog/archives/2018/08/detecting_phish.html
• Automated vs manual penetration testing pros and cons https://www.packetlabs.net/automated-technologies-vs-manual-testing/
• NSA’s IoT encryption algorithm, Speck, in Linux kernel 4.17 at Google’s request https://itsfoss.com/nsas-encryption-algorithm-in-linux-kernel-is-creating-unease-in-the-community/
• Protecting yourself when you use public Wi-Fi https://www.wired.com/story/public-wifi-safety-tips
• The problem of too many proprietary software solutions https://www.darkreading.com/endpoint/oh-no-not-another-security-product/a/d-id/1332453
• US troops directed to disable fitness tracker GPS https://arstechnica.com/information-technology/2018/08/pentagon-tells-troops-turn-off-the-fitness-trackers-when-you-head-to-warzones/
• FCC claim of DDoS attack last year over net neutrality found false by internal watchdog https://www.washingtonpost.com/technology/2018/08/07/fcc-claimed-it-got-hacked-last-year-over-net-neutrality-an-internal-watchdog-says-that-isnt-true/
• Another symptom of the impending death of diplomacy by twitter? Saudia Arabia vs. Canada https://theintercept.com/2018/08/07/saudi-arabia-canada-tweet/
• Wells Fargo says hundreds of customers lost homes after computer glitch https://money.cnn.com/2018/08/04/news/companies/wells-fargo-mortgage-modification/index.html and http://www.bbc.co.uk/news/technology-45083644
• Buggy/abusive automated DMCA takedown notices lead to company being removed from Google's Trusted Copyright Removal Program https://www.eff.org/deeplinks/2018/08/topple-track-attacks-eff-and-others-outrageous-dmca-notices
• EFF DMCA Takedown Hall-of-Shame https://www.eff.org/takedowns
• Trolling and online comments https://www.nytimes.com/2018/08/08/technology/personaltech/internet-trolls-comments.html
• Three Schneier books available in a humble bumble (if you missed them in the larger bundle last week) https://www.schneier.com/blog/archives/2018/08/threeofmy_boo.html
• ISACA on Auditing Application Containers http://www.isaca.org/About-ISACA/-ISACA-Newsletter/Pages/@-isaca-volume-16-8-august-2018.aspx#2

Off-Topic

• Donald Campbell's world record setting jet engine hydroplane the Bluebird K7 disintegrated in 1967 at 320 mph. Now recovered and restored, it returned to the water and completed speed tests to 150 mph http://www.bbc.co.uk/news/uk-scotland-glasgow-west-45068703, https://www.bbc.com/news/uk-england-cumbria-45097592, and http://www.itv.com/news/2018-08-09/bluebird-has-nothing-to-prove-following-successful-speed-tests/
• Forensic astronomy uncovers that the massive explosion of Eta Carinae seen 170 years ago was caused by the cannibalization of a now missing third star https://www.universetoday.com/139756/170-years-ago-eta-carinae-erupted-dramatically-astronomers-now-think-they-know-why/
• XKCD: Voting Software https://xkcd.com/2030/
• And we're not really sure what this (The Journal of Irreproducible Results) is http://www.jir.com/favorites.html