Tag Archives: Ring

Security News for the Week Ending November 6, 2020

TikTok Ban – Remember That?

Well now that the election is over – at least the voting part – we can get back to the important stuff like whether our kids can create 30 second dance videos on TikTok. The President signed an executive order a couple of months ago to add trade pressure on China by banning TikTok in the US, but a Federal judge issued a preliminary injunction putting the ban on hold. The government has asked the DC Circuit to overturn that injunction, but other restrictions, such as the one against hosting the TikTok software on US cloud servers, go into effect on November 12th, so assume this subject will heat up over the next week or so. Credit: Law360

Feds Seize $1 Billion in Bitcoin from Silk Road

The feds shut down the Silk Road online crime bazaar in 2013 and convicted its founder, Ross Ulbricht, in 2015. He was sentenced to two life terms plus 40 years. Now, this past week, the feds transferred 69,000+ Bitcoin out of a wallet that had been quiet since 2015. Is Ross trying to make a deal? The forfeiture complaint says the coins were held by an unnamed hacker, referred to as "Individual X", who took them from Silk Road and has now agreed to hand them over. Those Bitcoin are worth not quite a billion dollars. Now the feds have to convince a judge that the money is proceeds subject to forfeiture. If they do, the feds will likely auction off the cryptocurrency and put the proceeds in their piggy bank and, possibly, the piggy banks of other agencies that helped take Ulbricht down. Credit: ARS Technica

How Fast is Our 5G

I know that 5G is not a security issue – except that how we use 5G WILL make it a security issue. Right now, the three big carriers continue to roll out some form of 5G nationally and they are succeeding. It is important to understand what they mean by 5G. It does NOT mean that if you spend $1,000 or $1,500 on a 5G phone (although there are a couple of low price models), you should expect really fast speed on your phone. It means that the carriers are layering the 5G protocols on top of the existing 4G infrastructure.

So how fast is our 5G? PC Magazine does tests every few months and has released a new set of tests. They say that our 5G average speed is slower than Saudi Arabia, South Korea, Australia, Canada, Switzerland, United Kingdom and Germany. That is not impressive and is not likely to change for a number of years for several technical reasons. Read the details at PC Magazine.

Jackson, Mississippi Integrating Your Ring Camera into their Surveillance Network

To be clear, they are doing it with the owner’s permission. They are partnering with two companies who claim to be able to ingest your Ring camera data and feed it into the police department’s surveillance network. Obviously, if the city can get the benefit of thousands of surveillance camera feeds without paying for them AND they can really digest the data, then that may help them stop crime. If the cameras point towards the street and record people who are not on your property, YOU may be committing a crime (depending on the state), but since the cops want your data, they are unlikely to complain. On the other hand, the person who is captured on your video, which is fed to the police, may sue you. Just sayin’. While Ring has made a big deal of trying to get you to give your video feeds to your local police, this is not one of their projects. Credit: Vice

Attention Those 220 Million Web Sites That Use Let’s Encrypt

This is probably not a big deal but still worth mentioning. When Let’s Encrypt launched, the browsers did not yet trust its own root (ISRG Root X1), so its intermediate certificate was cross-signed by IdenTrust’s DST Root CA X3, a root that was already in every trust store. ISRG Root X1 has since been added to the major trust stores, but the IdenTrust root expires on September 30, 2021. After that date, a computer or phone that still does not have ISRG Root X1 in its trust store will get a certificate error when browsing to any of the roughly 220 million web sites that use Let’s Encrypt. NOTE that this only affects old operating systems (Android versions before 7.1.1 are the big group) and old browsers that rely on the operating system’s certificate store (problems like this may be one reason why Chrome is moving away from using the OS certificate store). Nothing breaks until September 2021, but IT managers should make a note of it because they will likely get at least a few calls. Credit: The Register
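To make the cross-signing issue concrete, here is an added example (not code from the article or from Let’s Encrypt) of the path-building decision a client makes. It models the hierarchy as a list of (subject, issuer, not_after) records: the CA expiry dates are the published ones, while the leaf certificate, the lack of real signatures and the two trust stores (OLD_STORE for a device that never learned about ISRG Root X1, NEW_STORE for an updated one) are constructed for illustration. Run it and you see the same site validate on an updated client and fail on the old one once the IdenTrust root has expired.

```python
from datetime import date

# Constructed, simplified model of the Let's Encrypt hierarchy around the
# DST Root CA X3 expiry. Each record is (subject, issuer, not_after).
# The CA expiry dates are the published ones; the leaf and the absence of real
# signatures / key identifiers are simplifications for illustration.
CERTS = [
    ("example.com",    "R3",             "2021-12-01"),  # constructed 90-day leaf
    ("R3",             "ISRG Root X1",   "2025-09-15"),  # intermediate signed by Let's Encrypt's own root
    ("R3",             "DST Root CA X3", "2021-09-29"),  # same intermediate, cross-signed by IdenTrust
    ("ISRG Root X1",   "ISRG Root X1",   "2035-06-04"),  # Let's Encrypt's root
    ("DST Root CA X3", "DST Root CA X3", "2021-09-30"),  # the IdenTrust root that expires
]

OLD_STORE = {"DST Root CA X3"}                   # assumed: a device never updated with ISRG Root X1
NEW_STORE = {"DST Root CA X3", "ISRG Root X1"}   # assumed: any current OS/browser trust store


def find_trusted_path(leaf_subject, certs, trust_store, today):
    """Return the list of subjects from the leaf up to a trusted, unexpired
    self-signed root, or None if no such path exists on `today` (ISO date).

    This mirrors what a path builder in an OS or browser does: try every
    available issuer certificate (cross-signs included), skip expired ones,
    and stop at a self-signed certificate that is in the trust store."""
    today = date.fromisoformat(today)
    by_subject = {}
    for subject, issuer, not_after in certs:
        by_subject.setdefault(subject, []).append((issuer, date.fromisoformat(not_after)))

    def walk(subject, path):
        for issuer, not_after in by_subject.get(subject, []):
            if not_after < today or subject in path:
                continue                      # expired cert / cross-sign, or a loop
            if issuer == subject:             # self-signed: a candidate trust anchor
                if subject in trust_store:
                    return path + [subject]
                continue
            found = walk(issuer, path + [subject])
            if found:
                return found
        return None

    return walk(leaf_subject, [])


if __name__ == "__main__":
    for store_name, store in (("old client", OLD_STORE), ("updated client", NEW_STORE)):
        for day in ("2021-06-01", "2021-10-01"):
            path = find_trusted_path("example.com", CERTS, store, day)
            print(f"{store_name:14} on {day}: {' -> '.join(path) if path else 'NO TRUSTED PATH'}")
```

Before the expiry the old client happily chains through the cross-signed R3 to DST Root CA X3; on October 1, 2021 that cross-sign and the root are both expired and there is nothing left to anchor to, while the updated client simply takes the ISRG Root X1 branch. Against a real server you would check the same thing with `openssl s_client -showcerts` and inspect which root the returned chain leads to.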

FBI: Ring Doorbell Good, Ring Doorbell Bad

Yup, sometimes tech is a double edged sword.

While smart doorbells and other web based security cameras discourage crooks, it is not all good news, says the FBI in a leaked internal report.

On the good side, you get to see who is outside your place (home or work). Typically, these devices are motion sensitive. They usually record the video, either locally or in the cloud.

If your place is broken into, many times the police have pictures both of the bad guys and also what they took.

In fact, Ring, a division of Amazon, is working with the police in hundreds of cities to encourage sales. Amazon is giving the police some devices to give away free. All in hopes that other people buy one.

Why are the police excited? They hope that they can get homeowners and businesses to give them access to their accounts so that they can review footage to try and find bad guys. If the home or business owner gives them access to the video, they don’t need a warrant at all, so they don’t need probable cause, they don’t need to spend the time getting one and they don’t need to convince a judge that they meet the requirements for getting one.

Okay, so all of that is good. Why is the FBI saying it is bad?

Let’s say the cops suspect you of being a drug dealer. No, not that you; the other you.

So the cops might want to surveil your place for a while. But there are cameras, and some of those likely have motion detection. Even ones that don’t might record the cops in their car across the street or down the block. And the cameras themselves might be across the street or down the block, recording the cops’ every move.

For sure if they plan to burst in on you, that will trigger the motion sensor.

Which may give the bad you time to flush the evidence.

If there is a standoff between the police and bad you, those security feeds, maybe from a house across the street owned by a friend or accomplice, could give the bad you all sorts of tactical information.

And, of course, there are less nefarious issues. We have all seen people post snaps of videos on social media bypassing police all together and sometimes compromising their future case.

So, as is often the case, nothing in tech is simple. Good? Bad? Both?

Credit: Threatpost

Security News for the Week Ending February 21, 2020

US Gov Warns of Ransomware Attacks on Pipeline Operations

DHS’s CISA issued an alert this week to all U.S. critical infrastructure that a U.S. natural gas compressor station suffered a ransomware attack. While they claim that the attackers did not get control of the gas compression hardware, they did come damn close. The ransomware took all of the machines that manage the compressor station offline. The utility was able to remotely WATCH the compressor station, but that remote site was not configured to be able to run the site. The result was that other compressor stations on the same pipeline had to be shut down for safety reasons and the entire pipeline wound up being shut down for two days.

It appears that there was no customer impact in this case (perhaps this station fed other downstream stations that were able to be fed from other pipelines); CISA says that there was a loss of revenue to the company. The alert provides guidance on protecting industrial control networks.

While this time the bad guys were not able to take over the controllers that run the compressors, that may not be true next time. Source: Bleeping Computer

Amazon Finally Turns on Two Factor Authentication for Ring Web Site After PR Disaster

After many intrusions into customers’ Ring video cameras, where hackers took over cameras and talked to kids using very inappropriate language, Ring finally made two factor authentication mandatory for all users. While other companies turned on two factor authentication years ago, Amazon didn’t require it, probably because they thought customers might consider it “inconvenient”. Source: Bleeping Computer

Real-ID Requirement To Get On An Airplane is Oct 1st

After 9-11, Congress passed the Real ID act (in 2005) to set a single national standard for IDs used to get on airplanes and get into government buildings. For years, Homeland Security has been granting extensions and now, the current plan is for Real ID to go into effect for getting on airplanes and into government buildings in about 8 months.

DHS says that only 34% of the ID cards in the US are Real ID compliant.

That means that IF the government doesn’t change the rules and if people don’t have some other form of approved ID, potentially 66% of the people will not be able to get on an airplane after October 1 or even enter a federal office building.

That might cause some chaos. Driver’s license officials say that even if they work 24-7, they could not issue all of the remaining ID cards by October 1. Will DHS blink? Again? After all, we are coming up on the 20th anniversary of 9-11 and if terrorists have not been able to blow up airplanes or government buildings using non-Real-ID compliant IDs in the last 19 years, is this really a critical problem? Better off to have a Real ID compliant ID card and not have to argue the point. Source: MSN

Sex Works

One more time Hamas tricked Israeli soldiers into installing spyware on their phones. The Palestinians created fake personas on Facebook, Instagram and Telegram, including pictures of pretty young women.


Unfortunately for the Palestinians, the Israeli Defense Forces caught wind of their plan and actually took out their hacking system before they were able to do much damage.

What is more interesting is that this is the third time in three years that the Palestinians have tried this trick. And, it keeps working. Source: Threatpost

AT&T, Verizon Join IBM in Exiting RSA Over Coronavirus

As fears of Coronavirus spread, the effect on the economy is growing. Mobile World Congress, the largest mobile-focused tech conference in the world, being held in Barcelona this year, was cancelled. Source: The Verge

Last week, IBM cancelled their attendance and booth at RSA in San Francisco. This week their cancellation was joined by Verizon and AT&T. My guess is that attendance will be down significantly as well, without regard to whether tickets were already paid for or not. The total of exhibitors and sponsors who have decided to cancel is now up to 14. Source: Business Insider

These events generate huge income for businesses in the host cities and are very important for vendors looking for business.

This is likely going to continue to be an issue for event organizers and more events are likely to be cancelled.

Security News for the Week Ending January 11, 2019

Australian Emergency Notification System Hacked

The Australian Emergency Warning Network, run by a private company, was hacked. The hacker sent out a message that said “EWN has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email support at .. if you want to unsubscribe.”

This service seems similar to the CodeRED system that many Colorado cities subscribe to. In Colorado it is a voluntary sign up process. It seems like that is the case with this one too.

The alerts went out by email, text and voice. The company shut down the system during the attack to limit the number of messages that went out; still tens of thousands did go out.

This happened right after the Australian government passed a law requiring companies to create backdoors to their software and make data available to the government on request. Are these related? Unknown. Details here.


Federal Shutdown is Impacting Cyber Defenders

As a follow up to this week’s opinion piece on the Federal shutdown impacting cybersecurity, the Department of Homeland Security cancelled its 2019 Cybersecurity and Innovation Showcase due to the shutdown. That was supposed to be their largest cybersecurity event of the year. They said they hope to reschedule it after the government reopens.

The Department of Commerce has also cancelled events and powered down web servers that have cybersecurity standards on them.

DHS’s new cyber security agency, the Cybersecurity and Infrastructure Security Agency (CISA), has furloughed 45 percent of its workforce. CISA is still manning its “watch floor” and has some unpaid people who will respond to a major attack on critical infrastructure.

A former attorney at the FTC pointed out the obvious – that “the government shutdown is anxiety inducing, and drives great employees away from government service.” As if it weren’t bad enough that people who do cybersecurity work get paid less than those doing the same work in the private sector, now they have to worry about getting paid at all. Details here.

Comcast Debuts Xfinity xFI Advanced Security

Comcast announced a new service using the buzzword of the week, AI, saying that their AI powered service is designed to monitor, block and inform customers about online threats while providing protection for all connected devices in the home. It appears to run inside the Comcast router. A solution like that is a smart way to do it since you do not have to install anything on a device, but it is limited in what it can do since most data is encrypted.

Cost is $5.99 a month, but you have to have the xFi Gateway, which rents for $11 to $13 a month, depending on the market.  Details here.


Coinbase Suspends Ethereum Classic

In the ongoing saga of cryptocurrency attacks, this one sets a new low.

One thing people have always said is that since cryptocurrency uses distributed ledgers, it is immune from people changing history and reusing coins.

W.R.O.N.G.!!!

Multiple sources said that they saw more than 100 ledger blocks “reorganized” (i.e. replaced after the fact by a competing, longer chain) – something that should never happen on a healthy network. It is what a “51% attack” looks like: whoever controls a majority of the mining power can privately build a longer chain and publish it, and every node will switch to it, discarding transactions that were already “confirmed”.

Coinbase suspended trading on that particular cryptocurrency. It is only one of over 2,500 different currencies.

Coinbase said that they saw about 88,000 Ethereum Classic coins being double spent, worth about $460,000, but I saw other reports that said the attack is ongoing and the numbers were much larger. Source: Coindesk.
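To show why a reorganization lets an attacker spend the same coin twice, here is an added example (not code from Coindesk, Coinbase or the Ethereum Classic project) of a toy node that follows the most-work chain, the fork-choice rule proof-of-work blockchains use. The block ids, the single coin, the "exchange" and "attacker" parties and the one-unit-of-work-per-block model are all constructed for illustration. The attacker deposits coin-1 at an exchange on the public chain, waits for the exchange to count the required confirmations, then publishes a longer private chain in which the same coin was paid back to themselves.

```python
from collections import namedtuple

# A transaction consumes one coin (UTXO-style) and pays it to a recipient.
Tx = namedtuple("Tx", "txid spends to")


class Block:
    def __init__(self, block_id, parent_id, txs, work=1):
        self.block_id = block_id
        self.parent_id = parent_id
        self.txs = list(txs)
        self.work = work            # stand-in for proof-of-work difficulty (constructed)


class Ledger:
    """Toy node: remembers every block it has seen and follows the chain with
    the most accumulated work, exactly like a real proof-of-work client."""

    def __init__(self):
        self.blocks = {"genesis": Block("genesis", None, [])}
        self.cum_work = {"genesis": 0}
        self.best = "genesis"

    def add_block(self, block):
        if block.parent_id not in self.blocks:
            raise ValueError("orphan block %s" % block.block_id)
        self.blocks[block.block_id] = block
        self.cum_work[block.block_id] = self.cum_work[block.parent_id] + block.work
        # Fork choice: a tip with strictly more work replaces the current one,
        # even when it arrives later and discards blocks we treated as final.
        if self.cum_work[block.block_id] > self.cum_work[self.best]:
            self.best = block.block_id

    def canonical_chain(self):
        chain, cur = [], self.best
        while cur is not None:
            chain.append(cur)
            cur = self.blocks[cur].parent_id
        return chain[::-1]          # genesis first

    def confirmations(self, txid):
        """1 for the block containing the tx, +1 per block built on it; 0 if the
        tx is not in the canonical chain (never mined, or reorganized out)."""
        for depth, block_id in enumerate(reversed(self.canonical_chain())):
            if any(tx.txid == txid for tx in self.blocks[block_id].txs):
                return depth + 1
        return 0

    def spender_of(self, coin):
        """Which canonical transaction, if any, consumed this coin."""
        for block_id in self.canonical_chain():
            for tx in self.blocks[block_id].txs:
                if tx.spends == coin:
                    return tx.txid
        return None


def reorg_depth(old_chain, new_chain):
    """Number of previously canonical blocks that are no longer canonical."""
    survivors = set(new_chain)
    return len([b for b in old_chain if b not in survivors])


def simulate_double_spend(required_confirmations=6, attacker_lead=1):
    node = Ledger()
    # Public chain: the attacker deposits coin-1 at the exchange, honest miners build on it.
    deposit = Tx("deposit", spends="coin-1", to="exchange")
    node.add_block(Block("H1", "genesis", [deposit]))
    for i in range(2, required_confirmations + 1):
        node.add_block(Block("H%d" % i, "H%d" % (i - 1), []))
    before = node.canonical_chain()
    credited = node.confirmations("deposit") >= required_confirmations

    # Private chain, mined from genesis all along, pays coin-1 back to the attacker.
    # With majority hash power it ends up `attacker_lead` blocks longer; publishing it
    # at once makes every node switch, which is the "reorganization" seen on ETC.
    refund = Tx("refund", spends="coin-1", to="attacker")
    node.add_block(Block("A1", "genesis", [refund]))
    for i in range(2, required_confirmations + attacker_lead + 1):
        node.add_block(Block("A%d" % i, "A%d" % (i - 1), []))
    after = node.canonical_chain()
    return {
        "credited_before_reorg": credited,
        "reorg_depth": reorg_depth(before, after),
        "deposit_confirmations_now": node.confirmations("deposit"),
        "coin-1_now_spent_by": node.spender_of("coin-1"),
    }


if __name__ == "__main__":
    print(simulate_double_spend())
    print(simulate_double_spend(required_confirmations=100))
```

The exchange released funds against six confirmations, yet after the reorganization the deposit has zero confirmations and coin-1 is canonically spent by the attacker’s refund transaction; run it with required_confirmations=100 and the reorg is 100 blocks deep, the scale reported for Ethereum Classic. The only defences a receiver has on a minority-hash-rate chain are to demand far more confirmations than an attacker could plausibly out-mine, or to monitor for deep reorganizations and halt withdrawals, which is what Coinbase did.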

Weather Channel (App) Caught Selling User Data Without Permission

The Weather Channel collected user location data under the guise of telling you what the weather is where you are, but in fact, was selling that location data.  The City of Los Angeles is suing them over the misrepresentation.

The NY Times article said that they also sold the data for targeted marketing and to hedge funds for gathering consumer preference information.  The Weather Channel is owned by IBM.

Amazon’s Ring Video Camera Allowed Employees in Ukraine Unrestricted Access to All Videos

Let me start by saying that an Amazon spokesperson says that this is not the case, but the Intercept says that multiple former employees say that Ring gave its R&D team in Ukraine, along with executives and engineers, unrestricted access to every video customers uploaded, including videos from inside their homes. The videos are not encrypted because, they say, that would make the company less valuable.

A Ring spokesperson refused to answer questions about their data security practices but offered a written statement that says that they have strict policies in place for all employees.

After the article was published, Ring tried to do some damage control by still not answering questions, but issuing another email saying “Ring employees never have and never did provide employees with access to livestreams of their Ring devices,” a claim contradicted by multiple sources.

I have a Ring device and was considering buying more.  Not anymore.  Looking for a competitor.

One more time, caveat emptor.  Source:  The Intercept.