This Week’s [in]Security – Issue 92

From all of us at Control Gap on New Year's eve, our very best wishes for you all in 2019!

Welcome to This Week’s [in]Security. This week: 2018 in retrospect, 2019 predictions, dynamic security codes (dCVV2), smaller breaches, tougher Canadian privacy rules start New Year's day, new OWASP IoT Top 10, How Facebook tracks non-users, tattoos as intellectual property, hand/vein pattern biometric falls, DLP with Office-365, cyber-criminals now using BGP hacking, Twitter SMS password bypass bug, crashing Alexa, proving anything with statistics, and Annie the CPR girl.

Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.

PCI Compliance and Payments

News and announcements relating to Payment Security, Payments, PCI, and Card Brands.

• New implementation of an old idea, credit cards with dynamic security codes (dCVV2) using e-ink undergoing trials https://arstechnica.com/information-technology/2018/12/pnc-bank-testing-dynamic-cvv-codes-to-combat-online-card-fraud/
• JCB is launching a QR code https://www.businessinsider.com/jcb-launches-qr-code-payment-service-asia-2018-12
• Anywhere Commerce sues Ingenico over trade secrets involving BBPOS and Roam http://www.digitaltransactions.net/an-anywherecommerce-suit-alleges-interference-and-theft-of-trade-secrets-by-ingenico/

Breaches / Leaks

Covering breaches, leaks, data exposures, and their fallout.

• San Diego Unified School District breached for 500K personal records via phishing attack https://www.zdnet.com/article/hacker-steals-ten-years-worth-of-data-from-san-diego-school-district/
• BevMo, a California based alcoholic beverage seller, e-commerce breach for 14K payment cards https://www.securityweek.com/bevmo-warns-customer-credit-card-data-breach
• South Korean resettlement sector was breached for data on almost 1000 North Korean defectors https://www.bbc.com/news/world-asia-46698646
• A look back at the breaches of 2018 https://threatpost.com/2018-biggest-breaches/140346/

Privacy

Articles about privacy related news, risks, and trends.

• Australian's showed the most interest in data Apple had on them https://www.theguardian.com/technology/2018/dec/25/australia-made-third-highest-number-of-requests-for-apple-data-in-the-world
• Companies should get ‘meaningful consent’ for user data, Canadian privacy watchdog says https://www.thestar.com/news/canada/2018/12/27/companies-should-get-meaningful-consent-for-user-data-privacy-watchdog.html
• Canadian Privacy Commissioner applying more robust rules as of January 1, 2019 https://www.datex.ca/blog/starting-january-1-businesses-must-follow-more-robust-guidelines-on-meaningful-consent-for-personal-information
• Article and discussion on privacy by design https://www.schneier.com/blog/archives/2018/12/humanrightsby.html
• One reporter's reflection on social media judged through the lens of email using Facebook as the example https://www.nytimes.com/2018/12/24/style/facebook-keeps-emailing-me.html
• How Facebook tracks non-users via Android Apps like Kayak, Shazam, and Yelp https://threatpost.com/how-facebooks-tracks-non-users-via-android-apps/140436/
• The value and power of personal data https://www.wired.com/story/2018-power-of-personal-data/
• EFF on 2018 the year of GDPR https://www.eff.org/deeplinks/2018/12/year-gdpr-2018s-most-famous-privacy-regulation-review
• Health data privacy in 2019 https://www.databreachtoday.asia/blogs/whats-ahead-for-health-data-privacy-security-in-2019-p-2699 
• Will there be a privacy showdown between Tech and Congress in 2019? https://www.wired.com/story/privacy-law-showdown-congress-2019/

Laws & Regulations / Standards

News about laws, regulations, and standards affecting security, privacy,  technology, and public interest.

• Copyright and tattoos is an issue for the video gaming industry and the subject of several ongoing lawsuits https://www.nytimes.com/2018/12/27/style/tattoos-video-games.html
• Extended 95 year copyright is now coming off many works https://www.nytimes.com/2018/12/29/books/copyright-extension-literature-public-domain.html

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• NIST's Ron Ross on protecting critical infrastructure https://www.bankinfosecurity.com/ron-ross-nist-on-protecting-critical-infrastructure-a-11899
• Huawei's  kit removed from emergency services networks https://www.bbc.co.uk/news/technology-46672550
• Whitehouse considering executive order banning Huawei and ZTE telecommunications gear https://www.bankinfosecurity.com/report-trump-weighs-executive-order-banning-huawei-zte-a-11901
• A reminder, Microsoft Office 365 has data loss prevention rules, here's how to set them up  https://www.csoonline.com/article/3329745/windows-security/how-to-set-up-data-loss-prevention-rules-in-microsoft-office-365.html or https://digitalguardian.com/blog/what-office-365-data-loss-prevention-definition-office-365-dlp-benefits-and-more

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• OWASP's IoT project released the 2018 IoT Top 10 https://www.owasp.org/index.php/OWASPInternetofThingsProject
• Another Biometric falls - palm/vein authentication https://motherboard.vice.com/en_us/article/59v8dk/hackers-fake-hand-vein-authentication-biometrics-chaos-communication-congress
• Twitter SMS vulnerably allows mobile spoofing attack - demonstrated by researchers who posted to celebrity accounts without passwords https://www.theguardian.com/technology/2018/dec/28/celebrities-louis-theroux-twitter-hack-exposing-security-flaw
• 19K modems are leaking credentials https://www.zdnet.com/article/over-19000-orange-modems-are-leaking-wifi-credentials/
• More IoT insecurity, smart EV car chargers hackable https://www.greencarreports.com/news/1120619_report-home-electric-car-chargers-vulnerable-to-hackers
• WibuKey DRM information disclosure, privilege elevation, and  code execution vulnerabilities https://www.securityweek.com/vulnerabilities-wibukey-could-lead-code-execution

Hacking / Malware / Cybercrime / Exploitation

News covering active trends and events.

• BGP hijacking, once the tool of nation state actors, now used for Ad fraud! https://www.schneier.com/blog/archives/2018/12/massiveadfrau.html
• First UEFI (BIOS) rootkit attributed to Russian APT https://threatpost.com/uefi-rootkit-sednit/140420/
• Malware causes publishing delays at major newspaper outlets including LA Times, Chicago Tribune, Baltimore Sun  https://www.cbc.ca/news/world/hackers-la-times-newspapers-1.4961666 and https://www.bbc.com/news/world-us-canada-46713983
• 2018 the year of crypto-jacking https://www.wired.com/story/cryptojacking-took-over-internet/

Other Security / Risk

Articles covering other types of risks.

• Amazon Alexa crashes after Christmas Day overload https://www.theguardian.com/technology/2018/dec/26/amazon-alexa-echo-crashes-christmas-day-overload
• Questions raised by Facebook's approach to policing it's platform is raising questions https://www.nytimes.com/2018/12/27/world/facebook-moderators.html
• Linkedin co-founder apologizes over 2018 Alabama election disinformation campaign misuse of funds by third party https://www.nytimes.com/2018/12/26/us/reid-hoffman-alabama-election-disinformation.html
• The leading 2018 security stories https://www.theregister.co.uk/2018/12/27/2018theyearinsecurity/
• Forensics body 2018 draft proposal still considers MD5 and SHA-1 usable but only for integrity verification and file identification  https://www.schneier.com/blog/archives/2018/12/md5andsha-1_s.html
• New tool for fighting antibiotic resistant superbugs may have been found in Irish soil https://scienmag.com/bacteria-found-in-ancient-irish-soil-halts-growth-of-superbugs-new-hope-for-tackling-antibiotic-resistance/
• Remember the claim that animal agriculture had more environmental impact than transportation - the studdy was flawed by inconsistent methodology https://www.sciencealert.com/sorry-but-giving-up-on-meat-is-not-going-to-save-the-planet
• Filed under both "you can prove anything with statistics" and "pay attention to the fine print" - study shows parachutes and backpacks are equally effective when jumping out of a plane https://www.npr.org/sections/health-shots/2018/12/22/679083038/researchers-show-parachutes-dont-work-but-there-s-a-catch
• KrebsOnSecurity is 9 https://krebsonsecurity.com/2018/12/happy-9th-birthday-krebsonsecurity/
• Security predictions for 2019 https://threatpost.com/2019-the-year-ahead-in-cybersecurity/140272/
• York Regional Police remind us of the risks of driving under the influence in this video called L'Hotel de YRP https://twitter.com/YRP/status/1078648038204178435?s=09

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• The true story of Resuci-Annie http://www.sciencealert.com/how-dead-girl-paris-ended-up-most-kissed-lips-in-history-l-inconnue-de-la-seine-resusci-anne-cpr-annie-death-mask
• Sustainable plastics may soon be a thing  https://scienmag.com/sustainable-plastics-are-on-the-horizon/Do you want batteries with your wind power https://arstechnica.com/science/2018/12/__trashed-17/
• Getting 15% more out of Lithion Ion https://scienmag.com/scientists-of-russia-and-china-to-increase-the-capacity-of-lithium-ion-batteries-by-15-percent/
• On time and other things before the Big Bang https://www.sciencealert.com/mind-bending-study-suggests-time-did-actually-exist-before-the-big-bang
• The "curvature blindness" optical illusion https://www.sciencealert.com/this-simple-optical-illusion-shows-if-you-have-curvature-blindness
• Earth-rise Christmas-eve 1968 from Apollo 8 https://apod.nasa.gov/apod/ap181224.html