Welcome to This Week’s [in]Security. We’ve collected and grouped together a selection of this week’s news, opinions, and research. Quickly skim these annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

• PCI announces Data Security Evaluation Tool for small merchants https://blog.pcisecuritystandards.org/threats-facing-small-merchants-a-new-tool-to-help
• FAQ updated on how to reach the card brands https://pcissc.secure.force.com/faq/articles/FrequentlyAskedQuestion/How-do-I-contact-the-payment-card-brands

Breaches / Leaks

• Chinese Huazhu hotel group breach may impact 130M people https://www.theregister.co.uk/2018/08/29/chinesehoteldata_theft/
• Voter data for 15M Texans leaked https://gizmodo.com/nearly-15-million-texas-voters-reportedly-exposed-by-da-1828579189
• Fiserv flaw exposed customer data at hundreds of banks https://krebsonsecurity.com/2018/08/fiserv-flaw-exposed-customer-data-at-hundreds-of-banks/
• 93K records leaked from babysitting app mongo db https://latesthackingnews.com/2018/08/24/babysitting-app-sitter-exposed-93000-records-online-due-to-mongodb-vulnerability/
• Air Canada mobile app breach affects 20,000 people https://www.cbc.ca/news/business/air-canada-mobile-app-1.4802879
• Pwned Passwords now available as NTLM hashes https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/

Laws & Regulations / Standards

• Data breach complaints up 160% since GDPR came into force https://www.independent.co.uk/news/business/news/data-breach-complaints-increase-gdpr-came-into-force-cybersecurity-a8506711.html
• New Australian law mandates secret backdoors https://www.eff.org/deeplinks/2018/08/trust-us-were-secretly-working-foreign-government-how-australias-proposed-crypto
• Five Eyes countries want back doors https://www.theregister.co.uk/2018/08/31/fiveeyes2018meetingencryptionterroristcontent/
• EFF shines light on the extraordinary case where a patent was granted on a previously patented invention https://www.eff.org/deeplinks/2018/08/supreme-court-should-say-no-patents-take-old-ideas-away-public

Privacy

• Google acquired years of credit card transaction data from MasterCard https://gizmodo.com/google-reportedly-secretly-bought-your-banking-data-an-1828341605
• WhatsApp update brings backups that are not encrypted and so could allow people to read messages https://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-update-latest-encrypted-messages-privacy-security-read-chat-a8510701.html
• Appeals court asking questions about Section 702 surveillance https://www.eff.org/deeplinks/2018/08/appeals-court-asks-right-questions-nsa-surveillance-case
• Privacy in the Cloud for Canadian entities https://www.datex.ca/blog/evaluating-privacy-compliance-in-the-canadian-cloud

Bugs / Design Flaws

• It turns out phones still use "AT" commands the legacy of modems of old.  Unsurprisingly they are full of vulnerabilities https://atcommands.org/
• Windows 0-day pops up out of nowhere Twitter https://www.theregister.co.uk/2018/08/28/windows0daypopsupoutofspanclassstrikenowherespantwitter/
• Android system broadcasts enable user tracking by apps on your phone https://www.theregister.co.uk/2018/08/31/androidusertracking/

Hacking / Malware / Cybercrime

• Deep dive into recent sextortion phishing scam https://krebsonsecurity.com/2018/08/whos-behind-the-screencam-extortion-scam/
• Booz Allen Hamilton researchers detail new RtPOS Point-of-Sale malware https://www.bleepingcomputer.com/news/security/booz-allen-hamilton-researchers-detail-new-rtpos-point-of-sale-malware/
• Deep dive into recent $13.5M Cosmos bank SWIFT and ATM theft https://www.theregister.co.uk/2018/08/29/cosmobankcyberheist/
• Proof of concept for previously patched Intel IME firmware JTAG bug https://www.theregister.co.uk/2018/08/29/inteljtagflaw/
• CIA network exposed through insecure communications system https://www.schneier.com/blog/archives/2018/08/cianetworkexp.html
• Criminal who broke into celebrity iCloud accounts and posted nudes is sentenced  https://thehackernews.com/2018/08/photos-celebrity-hacker.html
• Out-of-band exploitation cheat sheet https://www.notsosecure.com/oob-exploitation-cheatsheet/

Other Security / Risk

• CISO Council to address vendor risk management challenges using HITRUST https://www.databreachtoday.com/ciso-council-to-address-vendor-risk-management-challenges-a-11443
• Top voting machine vendor admits it installed remote-access software on systems sold to states https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states
• Google isn't blocking "booter" / "stressor" DoS as a service vendors https://www.lightbluetouchpaper.org/2018/08/28/google-doesnt-seem-to-believe-booters-are-illegal/
• Impact of Stingrays (IMSI catchers) on 911 calls https://www.eff.org/deeplinks/2018/08/blog-post-wyden-911-disruption-css
• Firefox nightly distrusts all Symantec TLS certificates https://www.bleepingcomputer.com/news/security/firefox-nightly-distrusts-all-symantec-tls-certs/
• Instagram adds 2-factor authentication but still vulnerable to SIM hijacking https://krebsonsecurity.com/2018/08/instagrams-new-security-tools-are-a-welcome-step-but-not-enough/
• Bulletproof TLS #44 is out: TLS 1.3, Let's Encrypt easier to use, new TLS libraries, new TLS research, new and improved attacks: RSA-CRT,Lucky-13, and user tracking  https://www.feistyduck.com/bulletproof-tls-newsletter/issue44tls13ishere.html
• Disturbingly a  large percentage of IT professionals believe they can beat there company security https://www.darkreading.com/application-security/it-professionals-think-theyre-better-than-their-security/d/d-id/1332699
• Opinion: Transaction Costs and Tethers: Why I’m a Crypto Skeptic https://www.nytimes.com/2018/07/31/opinion/transaction-costs-and-tethers-why-im-a-crypto-skeptic.html
• US will lack fiscal space to respond when next recession comes https://www.theguardian.com/business/2018/aug/28/us-will-lack-fiscal-space-to-respond-when-next-recession-comes
• Cyberwar scenario reads like a Tom Clancy story https://www.schneier.com/blog/archives/2018/08/future_cyberwar.html
• This should be obvious, eating foods with liquid nitrogen is dangerous https://www.cnn.com/2018/08/30/health/liquid-nitrogen-food-fda-warning/index.html

Off-Topic

• Astronomers see a baby planet growing http://earthsky.org/space/astronomers-see-baby-planet-pds-70b-growing
• Full-size  drivable Bugatti made from 1M Legos https://www.cnn.com/2018/08/30/europe/lego-bugatti-trnd/index.html