Wyze db Exposed

Wyze's camera db exposed Smart Home Device Maker Wyze Exposed Camera Database | OnDemand Webinar | Evaluating the Security of Software View the online version » E-News December 31, 2019 In this issue:    News   |   Featured Summit   |   Around the Network   |   Jobs Wyze's camera db exposed NEWS Smart Home Device Maker Wyze Exposed Camera Database by Jeremy Kirk Seattle-based smart home device maker Wyze says an error by a developer exposed a database to the internet over a three-week period earlier this month. The data included customer emails, nicknames of online cameras, WiFi SSIDs, device information and Alexa tokens. NEWS OnDemand Webinar | Evaluating the Security of Software Presented by Information Security Media Group INTERVIEW FBI's Elvis Chan on Securing the 2020 Election by Tom Field WHITE PAPER A User-Centric Approach to Preventing Threats Beyond Account Takeover Presented by Castle WHITE PAPER Transforming Cloud Ops Management for Maximum Business Agility Presented by BMC NEWS US Coast Guard Warns Over Ryuk Ransomware Attacks by Akshaya Asokan WEBINAR Webinar | Use Security Ratings to Achieve Your Security Goals by BitSight INTERVIEW Do Breach Remediation Efforts Affect Patient Outcomes? by Marianne Kolbasuk McGee BLOG Job Search: Head of UK's National Cyber Security Center by Mathew J. Schwartz Featured Summit 2020 Fraud Summit: New York Learn more   See Courses Access Exclusive Education Premium Members Gain Unrestricted Access to All Education WEBINAR Modernize with Monitoring: Keys to Third-Party Risk Management Success by OneTrust Around the Network The latest news, interviews and analysis from the ISMG network. Citrix Vulnerability Could Affect 80,000 Companies: Report Analysis: 2020 Cybersecurity Issues US Cybercom Considers Bold Election Security Moves: Report Featured Jobs Manager Security Operations and Vulnerability Management - Zelis - Bedminster, NJ Zelis - Bedminster, NJ Senior Information Security Engineer - Identity and Access Management - Tivity Health - Chandler, AZ Tivity Health - Chandler, AZ Chief Information Security Officer - CIBC - Chicago, IL CIBC - Chicago, IL View More Jobs Post a Job BankInfoSecurity   |    CUInfoSecurity   |    GovInfoSecurity   |    HealthcareInfoSecurity InfoRiskToday   |   CareersInfoSecurity   |    DataBreachToday © 2019 Information Security Media Group 902 Carnegie Center, Princeton, NJ 08540 • (800) 944-0401 Unsubscribe | Not a subscriber? Sign up here.

Smart Cities: How to Disappear

How to Disappear

Is it possible to move through a smart city undetected?

CityLab |

• 
  

It can be hard to evade the sight of wall-mounted cameras--but other smart cities technologies are almost undetectable. 

Even in the middle of major city, it’s possible to go off the grid. In 2016, the Atlantic profiled a family in Washington, D.C., that harvests their entire household energy from a single, 1-kilowatt solar panel on a patch of cement in their backyard. Insulated, light-blocking blinds keep upstairs bedrooms cool at the peak of summer; in winter, the family gets by with low-tech solutions, like curling up with hot water bottles. “It’s a bit like camping,” one family member said.

If extricating yourself from the electrical grid is, to some degree, a test of moxie and patience, extracting yourself from the web of urban surveillance technology strains the limits of both. If you live in a dense urban environment, you are being watched, in all kinds of ways. A graphic released by the Future of Privacy Forum highlights just how many sensors, CCTCV cameras, RFID readers, and other nodes of observation might be eying you as you maneuver around a city’s blocks. As cities race to fit themselves with smart technologies, it’s nearly impossible to know precisely how much data they’re accumulating, how it’s being stored, or what they’ll do with it.

“By and large, right now, it’s the Wild West, and the sheriff is also the bad guy, or could be,” says Albert Gidari, the director of privacy at Stanford Law School’s Center for Internet and Society.

The various nodes where sensors and other tech could detect your movements through the city. 

Smart technologies can ease traffic, carve out safer pedestrian passages, and analyze environmental factors such as water quality and air pollution. But, as my colleague Linda Poon points out, their adoption is also stirring up a legal maelstrom. Surveillance fears have been aroused in Oakland, California, Seattle, and Chicago, and the applications of laws protecting citizen privacy are murky. For instance: data that’s stored on a server indefinitely could potentially infringe on the “right to be forgotten” that’s protected in some European countries. But accountability and recourse can be slippery, because civilians can’t necessarily sue cities for violating privacy torts, explains Gidari.

What would it look like to leapfrog that murkiness by opting out entirely? Can a contemporary urbanite successfully skirt surveillance? I asked Gidari and Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, to teach me how to disappear.

During the course of our conversations, Tien and Gidari each remind me, again and again, that this was a fool’s errand: You can’t truly hide from urban surveillance. In an email before our phone call, Tien points out that we’re not even aware of all the traces of ourselves that are out in the world. He likens our data trail—from parking meters, streetlight cameras, automatic license plate readers, and more—to a kind of binary DNA that we’re constantly sloughing. Trying to scrub these streams of data would be impossible.

Moreover, as the tools of surveillance have become more sophisticated, detecting them has become a harder task. “There was a time when you could spot cameras,” Tien says. Maybe a bodega would hang up a metal sign warning passersby that they were being recorded by a clunky, conspicuous device. “But now, they’re smaller, recessed, and don’t look like what you expect them to look like.”

Other cameras are in the sky. As Buzzfeed has reported, some federal surveillance technologies are mounted in sound-dampened planes and helicopters that cruise over cities, using augmented reality to overlay a grid that identifies targets at a granular level. “There are sensors everywhere,” Gidari says. “The public has no ability to even see where they are.”

The surest way to dodge surveillance is to not encounter it in the first place—but that’s not a simple ask. While various groups have tried to plot out routes that allow pedestrians to literally sidestep nodes of surveillance, they haven’t been especially successful. In 2013, two software developers released a beta version of an app called Surv, which aspired to be a crowdsourced guide to cameras mounted in cities around the world. The app would detect cameras within a 100-meter radius of the user’s phone, but it failed to meet its crowdfunding threshold on Kickstarter.

The most effective solutions are also the least practical ones. To defeat facial recognition software, “you would have to wear a mask or disguises,” Tien says. “That doesn’t really scale up for people.” Other strategies include makeup that screws with a camera’s ability to recognize the contours of a human face, or thwarting cameras by blinding them with infrared LED lights fastened to a hat or glasses, as researchers at Japan’s National Institute of Informatics attempted in 2012. Those techniques are hardly subtle, though—in trying to trick the technology, you would stick out to the naked eye. And as biometrics continue to advance, cameras will likely be less dupable, too. There are also legal hiccups to consider: Drivers who don’t want city officials to know where they parked or when, Gidari says, would have to outwit license plate recognition tools by obscuring their license plate, such as with the noPhoto camera jammer, a new $399 device that fires a flash at red light cameras in an attempt to scramble a readable image. Obscuring license plates is already illegal in many cities and states, and others are chewing on new procedures.

LED glasses might not trick biometric cameras—but they will definitely attract the attention of folks on the street. 

In their book Obfuscation: A User’s Guide for Privacy and Protest, Finn Brunton and Helen Nissenbaum, both professors at New York University, champion a strategy of “throwing some sand in the gears, kicking up dust and making some noise,” essentially relying on the melee of data jamming to “hide in a cloud of signals.” A number of apps, websites, and browser extensions attempt to aid users in this type of misdirection—say, for instance, by running in the background of your regular web activities, trying to cover your digital tracks by throwing surveillance off your scent.

For example: A site called Internet Noise searches for randomized phrases and opens five fresh tabs every ten seconds. (I left it running as I wrote this, and now my browser history includes pictures of badgers, an online mattress store, an NPR article about the Supreme Court, and a research paper about gene mutation in hamsters.) As a cloaking technique, it’s not a perfect veil, writes Emily Dreyfess in Wired: “It’s actually too random. It doesn’t linger on sites very long, nor does it revisit them. In other words, it doesn’t really look human, and smart-enough tracking algorithms likely know that.” The site is more of a protest over Congress rolling back a not-yet-implemented FCC regulation that would have stymied ISPs from selling users’ browsing history.

Still, Tien advocates a certain degree of self-protection. He views these measures as a kind of digital hygiene—the “equivalent of washing your hands when you go to the bathroom,” or getting a flu shot. But he stresses that they’re only a partial prophylactic: “Nothing that will make you immune from the problem.”

Other techniques include employing Tor—a network that tries to anonymize the source and destination of your web searches by routing traffic along a convoluted path—and Signal, which offers encrypted messaging and phone calls. The Electronic Frontier Foundation’s Surveillance Self-Defense toolkit also suggests particular tools and behaviors for specific scenarios. People participating in protests, the guide suggests, might consider stripping meta-data from photos, to make it harder to match them with identities and locations. But this isn’t a perfect solution, either, Tien says, because you can only control what you post. “If I take a picture and scrub the metadata, that’s one thing,” Tien says. “If my friend takes a picture of me, I can’t do anything about that.” The Intercept produced a video illustrating step-by-step instructions for phone security at a protest, from adding an access passcode to turning on encryption settings.

On a daily basis, Tien tells me, “I don’t think you or I can exercise much meaningful self-help against the kind of tracking we’ll be seeing in real-world physical space.” That’s fodder for a point he makes about a fundamental asymmetry in the information that’s available to the bodies that install the cameras and those who are surveilled by them. There are relatively few laws relating to the expectation of privacy in a public space. The officials and organizations that install sensors, cameras, and ever-more-sensitive devices, he says, “have much more money than you do, much more technology than you do, and they don’t have to tell you what they’re doing.”

Ultimately, Tien and Gidari both take a long view, arguing that the most payoff will come from pushing for more transparency about just what this technology is up to. Part and parcel of that, Tien says, is resisting the idea that data is inherently neutral. The whole messy, jumbled mass of it contains information that could have tangible consequences on people’s lives. Tien says citizens need to remind their elected officials what’s at stake with data—and in the process, maybe “dampen their enthusiasm” for the collection of it.

He points out that sanctuary cities could be a prime example. There, he says, some advocates of immigrant rights are realizing that data collected via municipal surveillance “might not be such a good thing when we’re interested in protecting immigrants and the federal government is interested in deporting them.”

The practical strategies for opting out—of becoming invisible to some of these modes of surveillance—are imperfect, to say the least. That’s not to say that data collection is inherently nefarious, Gidari says—as he wrote in a blog post for the CIS, “no one wants to live in a ‘dumb’ city.” But he says that opting out shouldn’t need to be the default: “I don’t think you should have been opted in in the first place.”          

Capital One Breach Casts Shadow Over Cloud Security Issues

.....

• TECH

Capital One Breach Casts Shadow Over Cloud Security

Massive data exposure highlights sustained risk from poor information-protection practices

Capital was an early adopter cloud computing among PHOTO: RICHARD DREW/ASSOCIATED PRESS

SHARE

• 
 
• 
 
• 
 
• 

By

Robert McMillan

Updated July 30, 2019 6:57 pm ET

One of the highest-profile hacks of consumer-banking data has sent financial institutions scrambling to figure out how millions of records at one of the biggest proponents of cloud-computing were exposed.

Capital One Financial Corp. , the fifth-largest U.S. credit-card issuer, said Monday that information of roughly 106 million card customers and applicants was exposed in one of the largest data breaches of a big bank.

The data was stored on Amazon.com Inc.’s cloud, according to a federal criminal complaint and people familiar with the matter. The avenue of entry, the companies and investigators said, was a poorly configured firewall—a mechanism designed to wall off privately operated digital systems—that a hacker breached.

Both companies say controls around the data, rather than use of the cloud, were the problem. Still, the data was stored in the cloud, raising questions about whether Capital One put insufficient safeguards in place to lock down customer records when it adopted cloud technology. And the accused hacker’s tenure as a former employee of Amazon’s cloud business highlights the risk—previously little appreciated—of an insider threat.

Cloud computing has boomed as companies have increasingly turned to providers such as Amazon and MicrosoftCorp. to do the work of configuring computers inside their own data centers. The processing power of those servers and storage devices is then rented out to cloud customers, who pay depending on how much work the computers do.

Capital One was an early adopter of cloud-computing among financial institutions as many other banks hesitated to move customer data out of their data centers. But the global cloud business has expanded—including among banks—as companies such as

ADVERTISEMENT

JPMorgan Chase & Co. and Bank of AmericaCorp. became converts. That has heightened the stakes from the Capital One breach for the broader financial-services and cloud-computing industries.

One of the highest-profile hacks of consumer-banking data has sent financial institutions scrambling to figure out how millions of records at one of the biggest proponents of cloud-computing were exposed.
Capital One Financial Corp., the fifth-largest U.S. credit-card issuer, said Monday that information of roughly 106 million card customers and applicants was exposed in one of the largest data breaches of a big bank.
The...

To Read the Full Story

Subscribe Sign In 

The hacker who cracked into Capital One—gaining access to more than 100 million credit cards—may have unleashed havoc on many more companies.
 

What to Read Next...

Tech

Capital One Hacking Suspect Showed Strange Online Behavior

Finance

Capital One Hack Hits the Reputation of a Tech-Savvy Bank

Markets

The Capital One Data Breach: What It Means for You

Pro Cyber News

Capital One Breach Highlights Dangers of Insider Threats

Upward Mobility

Opinion | A Reality Check on ‘Racism’ and Urban Decay

Independent of The Wall Street Journal newsroom

markets

Here’s how the stock market tends to perform when the Fed cuts rates

Mansion Global Article

Sting Buys Another Robert A.M. Stern-Designed New York City Apartment—For $65.7M

 https://www.wsj.com/articles/capital-one-breach-casts-shadow-over-cloud-security-11564516541

By 2023, banks globally are forecast to spend more than $53 billion on public cloud infrastructure and data services, up from $24.3 billion this year, according to market research firm International Data Corp.

The disclosure of the breach has caused a behind-the-scenes scramble at several financial institutions to understand what happened at Capital One, according to a person familiar with the discussions.

“Everyone who is migrating to the cloud is really going to look at their controls,” said Sameer Malhotra, the chief executive of TrueFort Inc., a company that provides cloud security services. However, he added, “I don’t think it’s going to change their intention to move to the cloud.”

Capital One started working with Amazon Web Services in 2014 and has since become a marquee customer.PHOTO: SALVADOR RODRIGUEZ/REUTERS

Although court documents indicate a Capital One error led to the breach, the alleged hacker, Paige A. Thompson, is a former employee at Amazon’s web services unit, the world’s biggest cloud-computing business. That raises questions about whether she used knowledge acquired while working at the cloud-computing giant to commit her alleged crime, said Chris Vickery director of cyber-risk research at the security firm UpGuard Inc. A lawyer representing Ms. Thompson didn’t return messages seeking comment.

ADVERTISEMENT

An Amazon spokesman attributed the hack to a firewall issue, not a cloud-computing problem.

Cloud computing caught on in part because it allowed software engineers to sidestep cumbersome security restrictions and sluggish development processes that made companies’ in-house technologies clunky. But the ease and speed of opting instead to fire up a server through Amazon Web Services has led to many cloud misconfiguration problemsthat can leave sensitive data exposed to unauthorized access.

“It’s easy to misconfigure things and it’s easy to have catastrophic results from those misconfigurations,” Mr. Vickery said.

As the list of companies that have inadvertently exposed data on the cloud has grown, Amazon has taken steps to minimize that risk. In 2017, the company introduced a series of technologies to detect such configuration problems and make them easier to fix.

ADVERTISEMENT

Capital One started working with AWS in 2014 and has since become a marquee customer. In 2015, Capital One Chief Information Officer Rob Alexander said “the financial services industry attracts some of the worst cybercriminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”

“This type of vulnerability is not specific to the cloud,” Capital One said of the hack. “The elements of infrastructure involved are common to both cloud and on-premises data center environments.” The bank added that its use of the cloud helped it respond to the breach faster. The company learned of the incident on July 19 and notified affected customers 10 days later.

Over the years, Capital One has developed systems to prevent data from being inadvertently released to the wider internet, according to a person familiar with the company’s operations.

“Any company that has or is looking to move into the cloud must ensure that their security strategy is developed alongside of that transformation,” said Vincent Liu, a partner with the security-consulting firm Bishop Fox.

ADVERTISEMENT

Mr. Liu, whose company assesses security vulnerabilities on corporate networks, says that while configuration problems happen in corporate data centers as well, he often finds that “basic cyber hygiene gets thrown out the window” as companies move to new technologies such as the cloud.

The financial stakes for companies to safeguard customer information are quickly rising. Credit-reporting companyEquifax Inc. struck a $700 million settlement this month with state and federal authorities concerning its 2017 data breach that exposed information on some 150 million Americans. In Britain,Marriott International Inc. faces a potential £99.2 million ($102.5 million) fine over a data breach. The same U.K. regulator this month also proposed a record £183.4 million fine following a hack at British Airways last year.

Capital One said it expected to spend up to $150 million to cover breach-related costs, largely for issues such as notifying customers and paying for credit monitoring. The bank didn’t discuss potential fines.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

Popular on WSJ.com

US
Wealthy Parents Transfer Guardianship of Teens to Get Aid
Read More
HEALTH
Anxiety Looks Different in Men
Read More
US
California Requires Trump to Release Tax Returns for Spot on Primary Ballot
Read More
LIFE
More Older Couples Stay Together Because They Live Apart
Read More
ECONOMY
Mortgage Rates Were Falling Before Fed Signaled Rate Cut
Read More

• WSJ Membership BenefitsCustomer Center
• Legal PoliciesDownload WSJ Apps

Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.