The niner noteworthy stories of 2017 (week 1)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Cloudflare hit by leap second “software panic” snafu on New Year’s Day


This isn’t the first occurrence of a leap second (as the article states, the first one was back in 1972), and not the first one causing outages either. A couple of years ago aviation cloud provider Amadeus was similarly hit by a leap second causing outages on its platform.
We will, according to Google, have to wait until somewhere in 2018 to see which company or companies fall over on their IT at the next leap second.
source: Ars Technica UK (external link)

Why Skimming Will Grow in 2017


Okay, America might be host to the biggest tech companies in the world, but when it comes to skimming and the use of magnetic stripe debit cards it lags way behind Europe. It seems they didn’t learn, or didn’t want to learn, from the troubles with skimming and card cloning that we had on a massive scale until a couple of years ago.
And yet, as they are implementing the EMV chips, there are already rumours of skimming appliances being developed to copy those as well.
Another related issue in the US is that a lot of credit card transactions at physical locations still don’t use the chip-and-PIN payment method either. It is therefore not a big surprise that services like Apple Pay and others see a significant growth in their usage, as these systems are inherently more secure than old magnetic stripes or even paper-print copy swipe devices for credit cards.
source: DataBreachToday (external link)

A Few States Now Actually Help You Figure Out If You’ve Been Hacked


Isn’t it about time that the US gets a data breach notification and transparency law for the entire country instead of a state-by-state patchwork? Then again, we in Europe still have to see what the General Data Protection Regulation (GDPR) will do for data breach notification: it comes into force in May 2018 for data processing that already took place before May 2016, while for all new processing the GDPR, as I understand it, is already the current law.
It will be interesting to see if European data protection agencies will go as far as to publish the number of breaches and which companies they came from. Naming and shaming will indeed focus the attention of criminals as well as nation state hacking groups on these targets, but I think that, next to the possibly massive fines, naming and shaming could really help improve the information security posture of companies and governments alike.
source: Wired (external link)

Children in England sign over digital rights ‘regularly and unknowingly’


Really? Does this only hold true for children, or are those policies written in such a way that even most adults would have a hard time understanding them? Isn’t that precisely the point of the business model of these companies in the first place?
If you have been reading posts on my site on a regular basis you will already have guessed that the answer to these questions is “yes”, at least as far as my opinion on the matter goes. An interesting fact is that most of these social media companies let children have an account from 13 years and up, even whilst European law won’t allow this without the consent of a parent or guardian until the age of 16. Then again, those companies probably breach European privacy laws as well, so are we that surprised?
source: The Guardian (external link)

Analysis: 2016 Health Data Breaches, and What’s Ahead


Whilst the number of attacks and the size of the breaches are worrying, I would be interested to see how this compares to the total number of records held by each of the breached companies. This is interesting because it gives an indication of the size of the breach for that specific organisation.
I would also be extremely interested to see figures on data breaches at European healthcare organisations. You don’t hear much about those in the regular media, or the tech media for that matter, but that fact alone doesn’t mean they are not there. Time will tell, obviously.
Can ransomware be seen as a data breach? That would be a long discussion if you really dive into the topic, although if factors like the accuracy and correctness of data count, then ransomware does to some extent disrupt these factors and therefore will indeed count as a data breach.
source: Information Security Media Group (external link)

Number of U.S. healthcare data breaches almost doubles in 2016

(update: January 25th 2017) This article shows a nice breakdown of the different breaches, the number of records compromised and, very interestingly, the type of breach, e.g. carelessness, malicious, and insider vs. outsider attack vector.
source: SC Magazine (external link)

THE REAL NAME FALLACY


This is an extremely interesting article that discusses the use of real names vs. anonymity or pseudonyms in an online society and context. Although this is not directly related to information security and privacy topics, I have included it because indirectly it does apply to awareness training and business communications, as well as to our continued use of online platforms for private communications.
source: The Coral Project (external link)

Designer launches fabric to bamboozle facial recognition


Will this really work if we all wear a printed dotted piece of clothing to try and beat the system? Or will the system then be optimised to recognise these dotted patterns and phase them out of its algorithms?
It is certainly true that these kinds of techniques are becoming more and more necessary to live a normal, not completely spied-upon and somewhat surveillance-free life these days. The fact of the matter is that a lot of these recognition techniques are getting better and better whilst the ethics discussion behind their massive usage is not taking place, which is extremely worrying in a society where surveillance laws and practices are becoming as ubiquitous and pervasive as wireless internet and smartphones.
source: Naked Security (external link)

LG threatens to put Wi-Fi in every appliance it introduces in 2017


Okay LG, you are asking for this. I hereby formally and very kindly ask all consumers worldwide to

NOT BUY ANY WI-FI ENABLED LG PRODUCTS

if your privacy and the existence of the Internet in general is worth anything to you in your daily life and business.
The whole InterNot of Things craziness is going too far. Agreed, it would be handy to have your fridge notice when stuff is nearly past its due date, but this is over the top. At the same time I am wondering what the new E-Privacy regulation, which was formally proposed by the EU Commission yesterday, will mean for privacy by default and by design in these kinds of appliances.
In any case, if this fridge and its accompanying dumb connected technology hit the shelves, I will probably have enough material to write about.
source: Ars Technica (external link)

FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras

Or it will go in an entirely different direction, where not only the E-Privacy regulation (whenever it comes into force) but also consumer protection agencies in other countries (in this case the American FTC) take notice and take action to punish IoT vendors that claim to secure their devices but in practice don’t.
It remains a somewhat humorous situation that security cameras are not secure at all themselves. But that’s what you get when connecting stuff to the Internet that wasn’t actually meant to be connected in the first place, and yes, that holds for security IP cameras too. This is because it’s still just a camera with a piece of software and hardware for network connectivity bolted on.
source: Federal Trade Commission (external link)

The weigh forward: MasterCard could estimate passengers’ weight for airlines based on what they buy


There is one very obvious defence against this plan by Mastercard, if it ever becomes reality: never buy any clothing articles using your card to pay for them, specifically not online, where the chance of them getting hold of your shopping basket contents is somewhat greater than offline in a physical store.
Then again, we are witnessing an ever growing trend where any and all pieces of data become valuable information for some party or another, without respect and in most cases with absolute disregard for the people concerned. Whilst this card issuer thinks this new idea is beneficial to the traveller, the potential for massive misuse is just around the corner, rearing its ugly head just out of view.
source: The Economist (external link)

Mastercard Could Share Your Height and Weight With Airlines, But Will It?

This article gives roughly the same information, although the last couple of sentences are worth noting as they state that patents are expensive to obtain. So while this one may never see the light of day as a practical application, at least enough people within MasterCard thought it worthwhile to spend the money on obtaining the patent.
As for the privacy notice and consent requirements to share this data with airlines, I am certain that aggregating this data to arrive at the size estimates in the first place may require consent as well.
source: Skift (external link)