Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI AOC extra form for services providers https://www.pcisecuritystandards.org/documents/ServiceProviderAOCSection2gextra_form.docx

Breaches / Leaks

• Personal data of 2 Million T-Mobile customers stolen https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data
• 37,000 Eir customers affected by data breach https://www.rte.ie/news/ireland/2018/0822/986707-eir/
• Cheddar's Kitchen payment card breach (unsized) https://threatpost.com/cheddars-restaurants-bitten-by-credit-card-breach/136876/
• Spyware company, Spyfone, leaves AWS S3 bucket open https://motherboard.vice.com/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak
• In addition to have I been pwned https://haveibeenpwned.com/, there is a new service provides notifications on hacked sites  https://www.hacknotice.com/. Article here https://www.bleepingcomputer.com/news/security/hacknotice-alerts-you-when-a-site-is-hacked-or-your-info-is-leaked/

Laws & Regulations / Standards

• Proposed EU law to fine Social media compnaies if terror material lingers for an hour https://www.bbc.co.uk/news/technology-45247169
• Brazil's data protection law https://iapp.org/news/a/the-new-brazilian-general-data-protection-law-a-detailed-analysis/
• Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards https://www.dataprivacymonitor.com/data-breaches/ohio-law-offers-safe-harbor-to-companies-meeting-cyber-standards/
• Woman sues US border agents over seized iPhone https://www.bbc.com/news/technology-45295615
• Facebook declines request to provide data on users non-logged-in web activity. Now under review by Ireland's privacy watchdog  https://www.theregister.co.uk/2018/08/24/irishdataprotectioncommishopensinquiryonfacebookdata_transparency/
• NIST’s National Cybersecurity Center of Excellence (NCCoE) has published Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.  Update: https://csrc.nist.gov/News/2018/NIST-Releases-Special-Publication-1800-8 Details: https://csrc.nist.gov/publications/detail/sp/1800-8/final
• NIST releases draft of SP 1800-19A, Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments https://csrc.nist.gov/publications/detail/sp/1800-19a/draft and NCCoE Project Homepage: https://www.nccoe.nist.gov/projects/building-blocks/trusted-cloud/hybrid

Privacy

• New web tracking techniques https://www.schneier.com/blog/archives/2018/08/newwaysto_tra.html
• Google Sued Over Misleading Users About Location Tracking Feature https://thehackernews.com/2018/08/google-location-tracking.html
• The Android Pie security settings you need to know about https://www.wired.co.uk/article/android-pie-privacy-settings-security
• HIPAA Security Conference October 18-19, 2018 https://www.nist.gov/news-events/events/2018/10/safeguarding-health-information-building-assurance-through-hipaa-security
• Apple bans Facebook security app over privacy concerns https://www.businessinsider.com/apple-facebook-onavo-protect-security-removed-app-store-2018-8
• Facebook has suspended over 400 apps after Cambridge Analytica scandal http://money.cnn.com/2018/08/23/technology/facebook-mypersonality-cambridge-analytica/index.html

Bugs / Design Flaws

• Average time to patch is 38 days, not quite good enough for PCI DSS https://www.darkreading.com/cloud/it-takes-an-average-38-days-to-patch-a-vulnerability/d/d-id/1332638
• Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-openssh-versions-released-in-the-past-two-decades/
• Canadian Telcos close vulnerability in SOLEO disability service https://threatpost.com/canadian-telcos-patch-an-apt-ready-flaw-in-disability-services/136704/
• Researchers Blame 'Monolithic' Linux Code Base for Critical Vulnerabilities https://threatpost.com/researchers-blame-monolithic-linux-code-base-for-critical-vulnerabilities/136785/
• Another (Equifax-like) Struts vulnerability https://www.tenable.com/blog/new-apache-struts-vulnerability-could-allow-for-remote-code-execution
• Struts vuln should be patched ASAP https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/
• IoT electrical outlet can now pwn your smart TV https://www.theregister.co.uk/2018/08/21/mcafeeflawssmartplugs/

Hacking / Malware / Cybercrime

• Followup on FBI ATM Cashout warning and Indian bank ATM and SWIFT theft https://krebsonsecurity.com/2018/08/indian-bank-hit-in-13-5m-cyberheist-after-fbi-atm-cashout-warning/
• Greed knows no bounds, law firm produces and uploads porn films to sue pirates  https://www.bbc.co.uk/news/technology-45246713
• Apple store evactuated after iPad battery explosion https://www.bbc.co.uk/news/technology-45246709
• Hackers target thousands of bank emails in cyber attack https://nypost.com/2018/08/16/hackers-target-thousands-of-bank-emails-in-cyber-attack/
• UK universities among 76 targeted by hackers https://news.sky.com/story/uk-universities-among-76-targeted-by-hackers-11480844
• Microsoft claims win over 'Russian political hackers' http://www.bbc.co.uk/news/technology-45257081
• DNC claims more Russian hacking attempts https://www.darkreading.com/attacks-breaches/dnc-reports-attempted-cyberattack-on-its-voter-database/d/d-id/1332633 but wait it was a test https://www.wired.com/story/dnc-phishing-test-votebuilder
• (Video) Royal Bank of Canada on reducing payment card fraud https://www.darkreading.com/threat-intelligence/how-better-intel-can-reduce-prevent-payment-card-fraud/v/d-id/1332599
• Two step car theft https://www.schneier.com/blog/archives/2018/08/twostagebmw_t.html
• Arrest made in SIM swap scam https://krebsonsecurity.com/2018/08/alleged-sim-swapper-arrested-in-california/
• Digital legacies https://www.theregister.co.uk/2018/08/17/digitalentropyof_death/
• Reality Winner: NSA contractor sentenced to five years over leak http://www.bbc.co.uk/news/world-us-canada-45289751
• Monitors leak data via audio https://www.wired.com/story/monitor-ultrasonic-sounds-reveal-content-side-channel/

Other Security / Risk

• USENIX keynote on the current state of computer security https://www.schneier.com/blog/archives/2018/08/jamesmickenso.html
• Single point of failure results in Whiteboards used as Gatwick flight information screens fail https://www.bbc.co.uk/news/uk-england-sussex-45247499
• Protecting containers https://www.databreachtoday.com/protecting-containers-from-cyberattacks-a-11411
• 3 day old facial recognition tech catches first impostor at D.C. airport https://www.nbcnews.com/news/us-news/new-facial-recognition-tech-catches-first-impostor-d-c-airport-n903236
• Artificial intelligence research modeling shows why atheism is unpopular https://www.theatlantic.com/international/archive/2018/07/artificial-intelligence-religion-atheism/565076/
• Bsides video taken down by copyright infringemnet complaint from SentinelOne https://www.theregister.co.uk/2018/08/18/sentinelonebsidescopyright_takedown/
• An analysis of Chinese censorship in open source projects https://citizenlab.ca/2018/08/an-analysis-of-censorship-in-chinese-open-source-projects/
• Austrailian government terrible at passwords https://www.theregister.co.uk/2018/08/22/westernaustraliapasswordsecurity/https://www.theregister.co.uk/2018/08/22/westernaustraliapasswordsecurity/
• Facebook removes 652 pages that were spreading misinformation https://money.cnn.com/2018/08/21/technology/facebook-disinformation-iran-russia/index.html
• 'Exploding' iPad prompts Apple shop evacuation http://www.bbc.co.uk/news/technology-45246709
• Over 41,000 infected with Measles in Europe, 450 children die from measles each day https://www.cnn.com/2018/08/20/health/measles-europe-record-who-intl/index.html
• Child drownings in Germany linked to parents' phone ‘fixation’ https://www.theguardian.com/lifeandstyle/2018/aug/15/parents-fixated-by-phones-linked-to-child-drownings-in-germany
• Facebook user trustworthiness score http://www.bbc.co.uk/news/technology-45257894
• A real example of a supply chain risk in web code https://www.packetlabs.net/developers-create-applications-but-who-writes-all-the-code/
• Deep dive  on two-factor authentication https://www.schneier.com/blog/archives/2018/08/goodprimeron_.html
• Protecting yourself from a SIM swapping attack https://www.wired.com/story/sim-swap-attack-defend-phone
• How an unsolved murder mystery changed our pill bottles https://www.cnn.com/2018/08/24/health/tylenol-murders-cyanide-somethings-killing-me/index.html

Off-Topic

• Water ice 'detected on Moon's surface' https://www.syfy.com/syfywire/confirmed-water-ice-on-the-moon
• Evidence of black holes from previous universes may have been found in cosmic microwave background radiation http://www.livescience.com/63392-black-holes-from-past-universes.html
• http://www.livescience.com/63392-black-holes-from-past-universes.html
• Bacteria turns different blood types into type-O https://www.bbc.com/news/health-45244770
• Physicists eliminate potential bias in Bell's theorem of intertwined particles  https://astronomynow.com/2018/08/21/closing-a-loophole-in-bells-theorem-with-light-from-ancient-quasars/