Archive for Privacy

Today Is Data Privacy Day

Posted in Commentary with tags on January 28, 2023 by itnerd

Data Privacy Day, also known in Europe as Data Protection Day, is globally recognized each year on January 28th. Some have now even extended this to a weeklong celebration. The event’s purpose is to raise awareness and promote privacy and data protection best practices. 

Executives from Datadobi, DH2i, Folio Photonics, Nexsan, Nyriad, Hammerspace, Fortra, Retrospect and Arcitecta had this to say about this very timely and important topic:

Carl D’Halluin, CTO, Datadobi: 

“A staggering amount of unstructured data has been and continues to be created. In response, a variety of innovative new tools and techniques have been developed so that IT professionals can better get their arms around it. Savvy IT professionals know that effective and efficient management of unstructured data is critical in order to maximize revenue potential, control costs, and minimize risk across today’s heterogeneous, hybrid-cloud environments. However, savvy IT professionals also know this can be easier said than done, without the right unstructured data management solution(s) in place. And, on Data Privacy Day we are reminded that data privacy is among the many business-critical objectives being faced by those trying to rein in their unstructured data.

The ideal unstructured data management platform is one that enables companies to assess, organize, and act on their data, regardless of the platform or cloud environment in which it is being stored. From the second it is installed, users should be able to garner insights into their unstructured data. From there, users should be able to quickly and easily organize the data in a way that makes sense and to enable them to achieve their highest priorities, whether it is controlling costs, CO2, or risk – or ensuring end-to-end data privacy.”

Don Boxley, CEO and Co-Founder, DH2i:

“The perpetual concern around data privacy and protection has led to an abundance of new and increasingly stringent regulations around the world. According to the United Nations Conference on Trade and Development (UNCTAD), 71% of countries now have data protection and privacy legislation, with another 9% having draft legislation. 

This increased scrutiny makes perfect sense. Data is being created and flowing not just from our business endeavors, but countless personal interactions we make every day – whether we are hosting an online conference, making an online purchase, or using a third party for ride-hailing, food delivery, or package transport. 

Today, as organizations endeavor to protect data – their own as well as their customers’ – many still face the hurdle of trying to do so with outdated technology that was simply not designed for the way we work and live today. Most notably, many organizations are relying on virtual private networks (VPNs) for network access and security. Unfortunately, both external and internal bad actors are now exploiting VPNs’ inherent vulnerabilities. However, there is light at the end of the tunnel. Forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT, without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access, while ensuring they adhere to internal governance and external regulations compliance mandates.”

Steve Santamaria, CEO, Folio Photonics: 

“It is no secret that data is at the center of everything you do. Whether you are a business, a nonprofit, an educational institution, a government agency, or the military, it is vital to your everyday operations. It is therefore critical that the appropriate person(s) in your organization have access to the data they need anytime, anywhere, and under any conditions. However, it is of equal importance that you keep it from falling into the wrong hands.

Therefore, when managing current and archival data, a top concern must be data security and durability, not just today but for decades upon decades into the future. The ideal data storage solution must offer encryption and WORM (write-once, read-many) capabilities. It must require little power and minimal climate control. It should be impervious to EMPs, salt water, high temps, and altitudes. And, all archive solutions must have 100+ years of media life and be infinitely backward compatible, while still delivering a competitive TCO. But most importantly, the data storage must have the ability to be air-gapped as this is truly the only way to prevent unauthorized digital access.”

Surya Varanasi, CTO, Nexsan: 

“Digital technology has revolutionized virtually every aspect of our lives. Work, education, shopping, entertainment, and travel are just a handful of the areas that have been transformed. Consequently, today, our data is like gravity – it’s everywhere. 

On Data Privacy Day, we are reminded of this fact, and the need to ensure our data’s safety and security. Fortunately, there are laws and regulations that help to take some of the burden off of our shoulders, such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA).

However, some of the responsibility remains on our shoulders as well as those of the data management professionals we rely upon. Today, it would be extremely challenging to find an organization (or an individual for that matter) that isn’t backing up their data. Unfortunately, however, today that just isn’t enough. Cyber criminals have become increasingly aggressive and sophisticated, along with their ransomware and other malware. And now, the threat isn’t just that they will hold your data until payment; cyber criminals are now threatening to make personal and confidential data public if not paid. It is therefore critical that cyber hygiene include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.

This can be accomplished with an advanced Unbreakable Backup solution, which creates an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about the protection and privacy of their data, and instead focus their expertise on activities that more directly impact the organization’s bottom-line objectives.”

Andrew Russell, Chief Revenue Officer, Nyriad: 

“Data Privacy Day serves as a great reminder of the value and power of data. In addition to your people, data is without question the most strategic asset of virtually any organization. Data and the ability to fully leverage, manage, store, share, and protect it, enables organizations to be successful across virtually every facet – from competitive advantage, to innovation, the employee experience, and customer satisfaction, to legal and regulations compliance competency. 

Consequently, savvy data management professionals recognize that while a storage solution that is able to deliver unprecedented performance, resiliency, and efficiency with a low total cost of ownership is priority number one to fully optimize data and intelligence for business success, they likewise need to ensure they have the ability to protect against, detect, and restore data and operations in the event of a successful cyber-attack in order to protect their data, for business survival.”

Brian Dunagan, Vice President of Engineering, Retrospect: 

“Every organization, regardless of size, faces the real possibility that they could be the next victim of a cyberattack. That is because today’s ransomware, which is easier than ever for even the novice cybercriminal to obtain via ransomware as a service (RaaS), strikes repeatedly and randomly without even knowing whose system it is attacking. Ransomware now simply searches for that one crack, that one vulnerability, that will allow it entry to your network. Once inside it can lock down, delete, and/or abscond with your data and demand payment should you wish to keep your data private and/or have it returned.

For IT professionals, it is therefore critical that beyond protection, steps be taken to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. In order to ensure its benefit, users must be able to tailor the backup solution’s anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.”

Molly Presley, SVP of Marketing at Hammerspace:  

“With global rules governing how data should be stored, used, and shared, combined with escalating data losses, explosive personal data growth, and customer expectations, addressing data privacy is now an obligatory business requirement. However, as organizations expand and navigate compliance and legal requirements in the rapidly evolving age of big data, AI/ML, and government regulations, the existing processes surrounding data privacy need to evolve to 1) automate processes and 2) scale to meet increasingly complex new challenges.   

Privacy and security concerns increasingly impact multiple vertical markets, including finance, government, healthcare and life sciences, telecommunications, IT, online retail, and others, as they quickly outgrow legacy data storage architectures. As a result, there is increasing pressure to develop and implement a data strategy and architecture for decentralized data that is more cohesive, making access to critical information simplified and secure.

To protect the organizations’ and individual users’ sensitive data, organizations must take the steps necessary to control how data is shared and eliminate the proliferation of data copies outside the controls of IT security systems. Accelerating IT modernization efforts while managing the ever-increasing volumes of data requires a data solution that simplifies, automates, and secures access to global data. Most importantly, to ensure data privacy and secure data collaboration, a data solution must be able to put data to use across multiple locations and to multiple users while simplifying IT Operations by automating data protection and data management to meet policies set by administrators.”

Jason Lohrey, CEO of Arcitecta:   

“In this information age, data is the critical element of transformation, serving as a foundation for strategic decision-making. Data Privacy Day reminds us that data influences everything we do, from building services, products, customer experiences, and employee relationships. With the acceleration of technology, we are more connected than ever before and using data to facilitate high-value achievements for businesses and consumers.  

But with new threats, it is now more imperative than ever to protect data from those who seek to gain an advantage by exploiting others. It is becoming increasingly easier to infiltrate systems around the world. Organizations need to increase the resilience of their data so that it remains continuously available, and IT leaders must shift their focus from successful backups to successful recoveries to ensure that valuable data doesn’t become compromised by landing in the wrong hands.”  

Nick Hogg, Director of Technical Training at Fortra:

“With the rise of remote working, sharing sensitive files is now taken for granted. Therefore, awareness days and weeks, like Data Privacy Week, are a great way to remind organizations and their stakeholders of the importance of storing and handling data properly.

It’s essential for organizations to re-evaluate their security awareness and compliance training programs to move away from the traditional once-a-year, ‘box-ticking’ exercises that have proven to be less effective. The goal is to deliver ongoing training that keeps data security and compliance concerns front and center in employees’ minds, allowing them to better identify phishing and ransomware risks, as well as reducing user error when handling sensitive data.

They will also need to use digital transformation and ongoing cloud migration initiatives to re-evaluate their existing data loss prevention and compliance policies. The goal is to ensure stronger protection of their sensitive data and meet compliance requirements, while replacing complex infrastructure and policies to reduce the management overhead and interruptions to legitimate business processes.”

Wade Barisoff, Director of Product, Data Protection at Fortra (on the recent introduction of new privacy laws in the states of California and Virginia):

“As new states contemplate their own flavors of data privacy legislation, the only consistency will be the fact that each new law is different. We are already seeing this now; for example, in California, residents can sue companies for data violations, whereas in others it’s their attorney general’s offices that can impose the fines. In Utah, standards apply to fewer businesses compared to other states. As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of (for example), ‘What’s good for California isn’t good enough for Kansas’ creep in, and this developing complexity will have a significant impact on organizations operating across the country.

Before GDPR there were (and still are) many different country laws for data privacy. GDPR was significant, not because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled, but it was the first legislation with real teeth. Fines for non-compliance were enough to force companies into action.

So far, five states have (or will have) individual laws, but there are 45 more yet to come. The amount of money and time companies will spend enacting the proper controls for these individual privacy laws fuels the argument for a more unified national approach to data privacy standards, as the penalties for non-compliance are significant. Also, as states begin to increase the demands on business, usually without fully understanding the technology landscape and how businesses work with shared and cloud-based technologies, there’s a potential that companies will be forced to make the decision not to conduct business in certain areas. A national approach would allow businesses to tackle data privacy once, but as it stands, with the federated states model, doing business within the U.S. is likely to get more complicated and expensive.”

Home Depot Gave Customer Data To Meta Without Customer Consent, Says Canadian Privacy Commissioner

Posted in Commentary with tags on January 26, 2023 by itnerd

Home Depot is my go-to for anything I need to fix stuff around my condo. But perhaps I should rethink that, as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:

It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.

And:

The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.

Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.

While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.

The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.

Now I have always been suspicious of getting e-receipts from companies, which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. Now I tried to find a comment from Home Depot or Meta but I couldn’t find one. Which in itself says something. But in the meantime, here’s what the Privacy Commissioner says that Home Depot has to do:

As a result of the investigation, the OPC recommended that Home Depot:

  • cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
  • implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
  • ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.

It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going to have to deal with customers who do not trust them. And that’s not a good place to be in.

An Experian Glitch Exposed ALL Consumer Credit Files For SEVEN WEEKS And Was Only Brought To The Attention Of Consumers This Week… WTF?

Posted in Commentary with tags on January 26, 2023 by itnerd

Brian Krebs has a mind-blowing story on his website that you simply must read. It revolves around consumer credit reporting bureau Experian and an issue that Krebs found and reported to the company. Here’s the TL;DR of what happened from the story:

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The implication of this is staggering as this information could be used to launch all sorts of identity theft campaigns. Which is not only bad, but the worst case scenario possible. And the fact that only this week Experian told consumers is an absolute #fail.

Jack Nichelson, CISO of Inversion6 added this commentary:

The fact that Experian waited over seven weeks before notifying customers of the security risk is a serious concern. This delay in notification put customers at risk of identity theft and financial loss. By waiting so long to notify customers, Experian gave identity thieves ample time to access and potentially misuse customer information.

Furthermore, the fact that the security vulnerability persisted for nearly a month is also a cause for concern. This indicates that Experian’s security systems were not effectively detecting or addressing the issue in a timely manner.

This incident highlights the importance of prompt and transparent notification in the event of a security breach. Customers have a right to know if their personal and financial information has been compromised so they can take steps to protect themselves. Additionally, this incident raises questions about the effectiveness of Experian’s security systems and the company’s overall commitment to data privacy and security.

What needs to happen here is there needs to be an investigation from the appropriate government agencies as to the behaviour of Experian in this case. Because quite frankly this is unacceptable and needs to be addressed in the strictest possible way.

Nissan Took Six Months To Notify People Of A Data Breach

Posted in Commentary with tags on January 18, 2023 by itnerd

If you go to The Office Of The Maine Attorney General, and look at this data breach notification, you’ll quickly see the following:

Nissan North America had a data breach last June. Almost 18,000 people were affected by this breach, which was caused by “Inadvertent disclosure, Insider wrongdoing”, which means either someone on the inside screwed up or someone on the inside did something nefarious. The breach wasn’t discovered until the end of September, but Nissan North America didn’t let the public know until December.

That sounds pretty bad. But I will get back to that in a second.

Here’s what Nissan said:

The impacted third-party service provider provides software development services to Nissan. Nissan provided certain information to this service provider for processing during the testing of the software.

On June 21, 2022, Nissan received notice that certain data it provided for software testing had inadvertently been exposed by the third-party service provider. During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.

And here’s the information that is now out there:

The information that was potentially accessed or acquired during the time that it was temporarily available on a public repository included your name, date of birth, and NMAC account number. This information did not include your Social Security number or credit card information.

Again, that sounds pretty bad. And I have to admit that my initial reaction was to say “WTF? Six months to notify people?” But here’s an alternate view of this from Ani Chaudhuri, CEO, Dasera:

Though Nissan allegedly took six months to disclose the data breach to the affected parties, it is clear that they took the incident very seriously and moved quickly to contain the damage and protect the affected individuals. We should work to appreciate the transparency and honesty with which they communicated the incident to the public, as any form of a data breach is extremely hard on a company due to potential damage to reputation, revenue, culture, etc. 

One of the key takeaways from this incident is that data breaches can happen to any company, regardless of size or industry. It is important for companies not to be afraid to disclose data breaches publicly, as it raises awareness and helps other organizations learn from the incident. By being open and transparent, Nissan has set an example for other companies to follow.

Moving forward, companies like Nissan can prevent data breaches with a robust data governance and security strategy by providing a framework for managing and protecting sensitive information. Some ways data governance can help prevent data breaches include:

  • Establishing clear policies and procedures for data management: Data governance policies and procedures can set standards for how data is collected, stored, and shared within the organization. By having clear guidelines in place, the organization can reduce the risk of accidental data breaches caused by employees not following proper protocols.
  • Identifying sensitive data: Data governance can help identify sensitive data by classifying data based on its level of sensitivity, and then implementing appropriate controls to protect that data. By identifying sensitive data, Nissan can take the necessary steps to protect it from breaches.
  • Implementing access controls: Data governance can help implement access controls to ensure that only authorized personnel have access to sensitive data. By implementing access controls, Nissan can ensure that vendor employees only have access to the data they need to perform their duties, reducing the risk of breaches caused by unauthorized access.
  • Regularly monitoring and auditing data: Data governance can help implement regular monitoring and auditing of data to detect any anomalies or suspicious activities that could indicate a data breach. By regularly monitoring and auditing data, Nissan can detect a data breach early on and take action to contain the damage and protect the affected individuals.
  • Conducting vendor risk assessment: Data governance can help implement a vendor risk assessment program that allows the organization to assess the security risk of their vendors and make sure that their vendors are meeting the company’s security standards. This can help Nissan to identify potential vulnerabilities and take steps to mitigate them before a data breach occurs.

Overall, a mature data governance and security strategy can help companies like Nissan prevent data breaches by providing a framework for managing and protecting sensitive information, and by identifying and mitigating risk.

While all of that is true, I do wish that the public had known of this sooner. Because the faster the public knows that something like this has happened, the better able the public is to take precautions against threat actors who would use this information for nefarious reasons.

States Introduce New Privacy Laws… With Different Ways That They Are Applied

Posted in Commentary with tags on January 12, 2023 by itnerd

From the start of the new year, we’ve seen the introduction of new privacy laws in California and Virginia. The new legislation in California brings changes to the existing 2018 California Consumer Privacy Act, and Virginia is currently the only other state to also bring in new privacy laws. But they won’t be the last. Connecticut’s and Utah’s privacy laws both come into effect later this year, with Colorado following in 2024. Thus it seems that the ball is starting to roll when it comes to ensuring that privacy is the default in the US. Though there appears to be a lot of variance as to how these laws are applied.

Wade Barisoff, Director of Product, Data Protection, at cybersecurity software and services provider Fortra had this comment:

“As new states contemplate their own flavors of data privacy legislation, the only consistency will be the fact that each new law is different. We are already seeing this now; for example, in California, residents can sue companies for data violations, whereas in others it’s their attorney general’s offices that can impose the fines. In Utah, standards apply to fewer businesses compared to other states. As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of (for example), ‘What’s good for California isn’t good enough for Kansas’ creep in, and this developing complexity will have a significant impact on organizations operating across the country. 

Before GDPR there were (and still are) many different country laws for data privacy. GDPR was significant, not because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled, but it was the first legislation with real teeth. Fines for non-compliance were enough to force companies into action. 

So far, five states have (or will have) individual laws, but there are 45 more yet to come. The amount of money and time companies will spend enacting the proper controls for these individual privacy laws fuels the argument for a more unified national approach to data privacy standards, as the penalties for non-compliance are significant. Also, as states begin to increase the demands on business, usually without fully understanding the technology landscape and how businesses work with shared and cloud-based technologies, there’s a potential that companies will be forced to make the decision not to conduct business in certain areas. A national approach would allow businesses to tackle data privacy once, but as it stands, with the federated states model, doing business within the U.S. is likely to get more complicated and expensive.”

Hopefully, there will be a move to have a consistent standard for privacy laws across the US, as that benefits consumers and companies. Though I fear that such a move is years away, which is bad for both parties.

Hundreds Of Thousands Of People Affected Due To Last Year’s COVID Booking System Data Breach

Posted in Commentary with tags on December 10, 2022 by itnerd

You might recall that there was a text message scam from last year where people who booked a COVID vaccine were getting text messages asking for all sorts of personal information. It didn’t take long for two people to get charged with being behind this scheme. And one person who was arrested was an insider as they worked for the vaccine contact centre which is part of the Ontario Ministry of Government and Consumer Services. Once again proving that your organization’s biggest threat vector is your people. Well, the damage has been tallied and it’s not good. The breach resulted in the names and phone numbers of about 360,000 people being leaked. CBC has details:

Beginning Friday, some 360,000 people will receive notices that their personal information was part of the November 2021 data breach of the COVAXX system, the Ministry of Public and Business Service Delivery said in a statement Friday. 

The ministry said it had been working with the Ministry of Health, police and Ontario’s privacy commissioner to determine the scale and impact of the breach. The ministry’s statement does not say how it occurred.

I for one would be very interested in what lessons the Ontario government learned so that this doesn’t happen again. Because 360,000 is not a small number of people to be affected by something like this. And I think that all Ontario citizens would be very interested in this information as well. People have to have trust that their information is going to be protected. And given the scale of this breach, I would be wondering if the Ontario government has the right people, tools, and controls in place to stop this from happening again.

Eufy Releases An App Update That Won’t Make Their Issues Go Away

Posted in Commentary with tags on December 6, 2022 by itnerd

Over the weekend I posted a story about Eufy and the fact that they have lied about the security that their cameras had for years. And that my belief is that they should be banned from sale because this isn’t the first time that this has happened. Part of my belief that they should be banned comes from the fact that I don’t believe that Eufy is serious about gaining the trust of their users. This is being reinforced by the news that Eufy isn’t patching out a potential security issue in the Eufy Security app. Instead Eufy is just telling users that their thumbnails will be uploaded to the cloud when they choose specific notification settings in the app:

As of Monday, an update has been rolled out to the Eufy Security app to add a statement disclosing that thumbnail images will be uploaded to the company’s cloud servers. 

For you to get notifications with thumbnails in them from a security camera, a thumbnail has to be uploaded someplace. That’s true for any camera system. And part of the problem is that Eufy sells these cameras with the expectation that they are completely private. Which clearly they are not. Now that Eufy has clarified this, I am guessing that they hope that this issue will go away. But it won’t because this doesn’t do anything about the ability for a threat actor to stream video. Eufy hasn’t commented on this as far as I know. And there’s no sign that they will do anything about it.

Thus if Eufy was hoping to make this issue go away, I don’t think that this will do it.

Eufy Needs To Be Banned Because They Can’t Be Trusted

Posted in Commentary with tags on December 3, 2022 by itnerd

This week it came to light that Eufy has been lying about the security of their cameras. That’s not a surprise to me, as when I reviewed their cameras last year, they were dealing with a similar issue where users could see other people’s cameras without any effort. The issue was corrected quickly. But it wasn’t the first time something like this has happened.

Now in case you didn’t want to read any of that, here’s the TL;DR (too long, didn’t read) on this: Eufy’s cameras aren’t as secure as they have claimed for years. Threat actors with the right information can watch video from your Eufy camera. If that’s not bad enough, Eufy also uploads some data to the cloud that customers were previously unaware of. Now the company has issued an apology and has updated its product language in the Eufy app to better clarify which settings will trigger a cloud upload. Though, in a bizarre twist, Eufy issued a second statement on December 2 that from a PR and customer confidence standpoint sucks:

“eufy Security adamantly disagrees with the accusations levied against the company concerning the security of our products. However, we understand that the recent events may have caused concern for some users. We frequently review and test our security features and encourage feedback from the broader security industry to ensure we address all credible security vulnerabilities. If a credible vulnerability is identified, we take the necessary actions to correct it. In addition, we comply with all appropriate regulatory bodies in the markets where our products are sold. Finally, we encourage users to contact our dedicated customer support team with questions.”

Now where I sit, I can’t say if Eufy is just lazy when it comes to security, or if they are trying to do something nefarious. But seeing as they are a Chinese company, issues like these have to be treated with some degree of extra suspicion. And seeing as this has happened more than once, I think we’re at a point where retailers should not only stop selling their gear, but I would argue that governments should ban this company from being able to sell their gear. Just like Huawei has been banned from many telecom networks.

Eufy keeps saying that they will do better going forward. But we’re not seeing evidence of that, seeing as this keeps happening. At this point I am through giving them chances. And so should governments around the world, because there is no way that this sort of behavior by Eufy should be tolerated. A ban will send the message to Eufy and others that they need to talk the talk and walk the walk when it comes to security. Plus if Eufy or others really want to have the confidence of consumers, they need to have their claims validated by a third party. But I suspect that Eufy won’t subject themselves to that level of scrutiny. Thus they need to be banned. And the sooner the better.

Now if you ask me what you should do if you have a Eufy camera? My advice would be to rip them out, because your privacy and security are invaluable. That is true for both indoor cameras and outdoor ones too. I would even go as far as to say that you shouldn’t even resell them, as you’re just passing along a major problem to someone else, which is not fair to that person. My advice is to recycle them at your local electronics recycling facility and take these security and privacy nightmares out of circulation forever.

Finally, if Eufy is reading this, I have to say that you’ve created this mess and it’s way too late for you to say sorry for it. Consumers put a lot of trust in the vendors of this sort of gear and you’ve burned through that trust. And since you can’t fix your issues, hopefully governments around the world will fix it for you by banning you out of existence.

Game over Eufy.

Major Web Browsers Drop Sketchy Certificate Authority

Posted in Commentary with tags on December 2, 2022 by itnerd

Here is something that got my attention. All the major web browsers, meaning Firefox, Chrome, and Edge, have decided to drop a certificate authority that has ties to a US military contractor.

Mozilla’s Firefox and Microsoft’s Edge said they would stop trusting new certificates from TrustCor Systems that vouched for the legitimacy of sites reached by their users, capping weeks of online arguments among their technology experts, outside researchers and TrustCor, which said it had no ongoing ties of concern. Other tech companies are expected to follow suit.

“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a mailing list for browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”

The Post reported on Nov. 8 that TrustCor’s Panamanian registration records showed the same slate of officers, agents and partners as a spyware-maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communication interception services to U.S. government agencies for more than a decade. One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.

That would qualify as sketchy as this company makes software that should ring alarm bells. Pratik Selva, Lead Security Engineer at Venafi added this:

“When considering security, one of the areas that is still not given due focus by many organizations is Certificate Authorities (CAs). CAs are / should be a key component in any corporate security strategy as they are machine identity enablers. A root CA is the most significant piece in that hierarchy as it holds the potential to impact the security and the trust of the entire certification hierarchy due to any abuse or compromise. This view needs to be factored in when organizations conduct threat modeling or assessments.

Additionally, there can also be compliance implications if there are weak or non-existent checks and balances in place for ensuring the security of a CA. What is more alarming is that CA compromise has been found to be achieved using living-off-the-land (LOTL) techniques and tools. LOTL attacks are problematic from a detection standpoint and are an incident response (IR) nightmare. As root CAs pose a cascading risk, they have been a favorable target of nation state APT actors aiming to mount a crippling attack.”

My advice would be to make sure your browsers are up to date as that is how the removal of this certificate authority would take place. But this also underscores that you need to be on your toes when it comes to security and privacy.
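A browser update only removes the root from that browser’s own trust store. Other TLS clients on the same machine (the operating system store, curl, Python, Java) keep their own stores and will still trust a root until their vendor or an administrator removes it. The script below is an added example, not code from this post, from Mozilla or Microsoft, or from Venafi: it loads a trust store with Python’s standard `ssl` module and reports any root whose subject organization matches a name you supply. The sample entries are constructed placeholders (the organization string “TrustCor Systems” is taken from the post; the common name is invented), not the CA’s real certificates.

```python
"""Audit a trust store for roots of a CA that browsers have stopped trusting.

Added example using only the Python standard library. Certificate entries use
the dict shape returned by ssl.SSLContext.get_ca_certs(), where "subject" is a
tuple of RDNs and each RDN is a tuple of (attribute_type, value) pairs.
"""
import ssl
from typing import Dict, Iterable, List, Optional, Tuple


def rdn_value(subject, attr_name: str) -> str:
    """Return the first value of the named attribute (e.g. 'organizationName')
    from an ssl-module subject tuple, or '' if the attribute is absent."""
    for rdn in subject:
        for attr_type, value in rdn:
            if attr_type == attr_name:
                return value
    return ""


def find_roots(ca_certs: Iterable[Dict], org_substrings: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (organizationName, commonName) for every certificate whose subject
    organization contains one of org_substrings (case-insensitive match)."""
    needles = [s.lower() for s in org_substrings]
    hits = []
    for cert in ca_certs:
        subject = cert.get("subject", ())
        org = rdn_value(subject, "organizationName")
        if any(needle in org.lower() for needle in needles):
            hits.append((org, rdn_value(subject, "commonName")))
    return hits


def audit_store(org_substrings: Iterable[str], cafile: Optional[str] = None) -> List[Tuple[str, str]]:
    """Load the platform default trust store (or an explicit PEM bundle such as
    the one curl or a container image ships) and report matching roots."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return find_roots(ctx.get_ca_certs(), org_substrings)


# Constructed sample store: placeholder subjects, not real certificates.
SAMPLE_STORE = [
    {
        "subject": (
            (("countryName", "PA"),),
            (("organizationName", "TrustCor Systems"),),   # org name from the post
            (("commonName", "TrustCor Example Root"),),    # constructed CN
        ),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Example Trust Services"),),
            (("commonName", "Example Root CA"),),
        ),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
]

if __name__ == "__main__":
    # Dry run against the constructed store, then against this machine's store.
    print("sample store:", find_roots(SAMPLE_STORE, ["TrustCor"]))
    print("system store:", audit_store(["TrustCor"]))
```

One caveat on `load_default_certs()`: on systems whose OpenSSL default is a hashed directory rather than a single bundle file, `get_ca_certs()` only lists roots that have already been used in a handshake, so an empty result is not proof of absence; pass the bundle path explicitly via `cafile` for a reliable audit.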

Cars Can Be Pwned Via Flaws In SiriusXM And Other Software: Report

Posted in Commentary with tags on December 1, 2022 by itnerd

Every car these days comes with a SiriusXM receiver. And depending on what car you have, that might be an attack vector for hackers to pwn your car. This according to this article:

Researcher Sam Curry on Wednesday described a recent car hacking project targeting Sirius XM, which he and his team learned about when looking for a telematic solution shared by multiple car brands.

An analysis led to the discovery of a domain used when enrolling vehicles in the Sirius XM remote management functionality, Curry said in a Twitter thread.

Initial tests were conducted on the NissanConnect mobile application, which led to the discovery of a vulnerability that could allow a remote hacker to obtain a vehicle owner’s name, phone number, address and car details simply by knowing their VIN, which is typically visible on the windshield. The attacker would need to send specially crafted HTTP requests containing the victim’s VIN in a certain parameter.

Further analysis showed that the same vulnerability could be exploited to run vehicle commands, including locate, unlock and start a car, as well as to flash headlights and honk the horn.

The researchers determined that such an attack could be launched against Honda, Nissan, Infiniti, and Acura cars.

Sirius XM immediately patched the vulnerability after being informed of its existence. The company said it released a patch within 24 hours and noted that it has no evidence of any data getting compromised or unauthorized modifications being made.

That’s not good. But neither is this:

In a separate Twitter thread this week, Curry reported a different vulnerability, one that allowed researchers to control some functions of Hyundai and Genesis vehicles — including locks, engine, horn, headlights and trunk — by knowing the email address the victim had used to register a user account.

The attack allegedly worked on vehicles made after 2012. Hyundai and Genesis also released patches after being notified.

So upon reading this article, I looked at the research, and it illustrates that connected cars are subject to the same sort of problems that everything else is. Thus car companies and SiriusXM need to up their game to keep car owners safe. And they need to be held accountable for making sure that cars are secure. Preferably by a third party.
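Both bugs in the article share one root cause: the vehicle a request acts on is selected by an identifier the caller supplies (a VIN in one case, a registration e-mail in the other) instead of by the account the caller has actually authenticated as. The code below is an added example, not code from SiriusXM, from any car maker, or from Sam Curry’s research. It is a hypothetical telematics handler with constructed account and vehicle records, showing that flaw class beside a hardened version that only acts on vehicles bound to the authenticated session and logs every denied attempt, which is what a detection team would alert on.

```python
"""Hypothetical telematics API handlers (added example with constructed data).

A request carries an authenticated identity (from a verified session or token)
and caller-supplied parameters. The vulnerable handlers trust the VIN
parameter alone; the hardened ones require the VIN to belong to the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("telematics")

# Constructed sample records: placeholder VINs, e-mails and contact details.
VEHICLES: Dict[str, Dict[str, str]] = {
    "VIN-EXAMPLE-0001": {"owner_email": "alice@example.com", "phone": "555-0100", "address": "1 Example St"},
    "VIN-EXAMPLE-0002": {"owner_email": "bob@example.com", "phone": "555-0101", "address": "2 Example St"},
}
# Which vehicles each authenticated account is allowed to view or control.
ACCOUNTS: Dict[str, set] = {
    "alice@example.com": {"VIN-EXAMPLE-0001"},
    "bob@example.com": {"VIN-EXAMPLE-0002"},
}
ALLOWED_COMMANDS = {"locate", "lock", "unlock", "start", "honk", "flash_lights"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request."""
    session_email: Optional[str]            # authenticated caller, None if anonymous
    params: Dict[str, str] = field(default_factory=dict)


def vulnerable_owner_lookup(req: Request) -> Optional[Dict[str, str]]:
    """Flaw class from the article: the VIN parameter alone selects the record,
    so anyone who can read a VIN off a windshield gets the owner's details."""
    return VEHICLES.get(req.params.get("vin", ""))


def vulnerable_command(req: Request) -> str:
    """Same flaw for remote commands: no check that the caller owns the vehicle."""
    vin, cmd = req.params.get("vin", ""), req.params.get("command", "")
    if vin in VEHICLES and cmd in ALLOWED_COMMANDS:
        return f"sent {cmd} to {vin}"
    return "error: unknown vehicle or command"


def authorize_vehicle(req: Request) -> Optional[str]:
    """Hardened check: the requested VIN must be bound to the authenticated
    account. Returns the VIN on success, None otherwise, logging each denial."""
    if not req.session_email:
        log.warning("unauthenticated request params=%s", req.params)
        return None
    vin = req.params.get("vin", "")
    if vin not in ACCOUNTS.get(req.session_email, set()):
        log.warning("denied: account=%s requested vin=%s", req.session_email, vin)
        return None
    return vin


def hardened_owner_lookup(req: Request) -> Optional[Dict[str, str]]:
    """Owner details are returned only for vehicles the caller is bound to."""
    vin = authorize_vehicle(req)
    return VEHICLES[vin] if vin else None


def hardened_command(req: Request) -> str:
    """Commands run only against vehicles the caller is bound to."""
    vin = authorize_vehicle(req)
    if vin is None:
        return "error: forbidden"
    cmd = req.params.get("command", "")
    if cmd not in ALLOWED_COMMANDS:
        return "error: unknown command"
    return f"sent {cmd} to {vin}"


if __name__ == "__main__":
    # Bob's session supplying Alice's VIN: leaks under the old check, denied under the new one.
    probe = Request("bob@example.com", {"vin": "VIN-EXAMPLE-0001", "command": "unlock"})
    print("vulnerable:", vulnerable_owner_lookup(probe), vulnerable_command(probe))
    print("hardened:  ", hardened_owner_lookup(probe), hardened_command(probe))
```

The hardening is deliberately boring: the authorization decision is made once, in `authorize_vehicle`, from the session identity and a server-side ownership table, and both handlers go through it. That is also where to hang rate limiting and alerting, since a burst of denials across many VINs from one account or IP is the signature of enumeration.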