Unwise Use of Smart Technology
In today's society, speed and convenience rule. It's why we love our so-called 'smart' devices. Whether it's a doorbell that decides whether or not to unlock the door based on facial recognition... or a refrigerator that orders groceries based on your health and diet... we love the promise of everyday tasks becoming faster, easier or going away altogether. But, at what cost?
Smart devices that are always on, always connected and always sharing may be putting us at some very sizable privacy and security risks. It's up to us to ensure we understand how our private data is being captured, analyzed and distributed.
Automation is great, but how much control are we willing to give up? How do we evaluate which devices are as smart as they claim to be? Which ones are making decisions based on biased or flawed logic, or inaccurate data?
We must be as smart as our devices should be if we're going to maintain our privacy and security.
Read on to learn about the everyday threats posed by unwise use of smart technology.
Data Security & Privacy Beacons
People and places making a difference**
Have you seen an organization or individual taking actions to improve privacy? Send me a note to nominate a privacy beacon of your own!
The Social Security Administration is distributing email reminders to consumers to check their Social Security Statement online. The statement can be helpful not only for future financial planning but also to ensure no one has fraudulently commandeered your identity. The other piece of this I liked was the SSA's use of two-factor authentication for users of its online system.
Drop me a note if you'd like me to forward my copy of the reminder to you. It's a nice template you may be able to replicate in your business or agency.
Bruce Sussman and the SecureWorld team do a great job of providing real-world examples of common cyberattacks. Check out Bruce's recent story on smishing attacks everyone should see. If you're not familiar, smishing is the term applied to phishing attacks that proliferate via text messaging (or SMS). See below for a smishing attack I received just days after reading Bruce's article.
Nick Robins-Early at the HuffPost does similar great work to educate the public on how to spot a cyberthreat. His recent story on clues to fake news offers excellent reporting on the issue. Beyond simply sharing the trend, Nick offers up tips on how to avoid becoming part of the problem by spreading fake news.
The HackerOne bug bounty program has made it easy and extremely worthwhile for white hat hackers and researchers to report problems they spot within sometimes very popular technology. For example, a white hat recently found a significant security vulnerability with PayPal's login form. Via the HackerOne bug bounty program, he submitted the issue and ultimately received a $15,300 reward for doing so.
Mozilla has developed a data privacy and security rating system for smart devices called Privacy Not Included. Interestingly, the devices Mozilla rates as "super creepy" are some of the most widely used items! The ratings are easy to understand and very comprehensive. If the company's researchers have not already analyzed a device, users can submit it for review.
**Privacy beacon shout-outs do not necessarily indicate an organization or person is addressing every privacy protection perfectly throughout their organization (no one is). It simply highlights a noteworthy example that is, in most cases, worth emulating.
Too Smart for Privacy Protection?
Smart devices methodically collect personal data
With so many connected devices in our homes, offices, retail centers, parks, cars, you name it, there's a massive amount of personal information floating around. It raises a lot of questions, like:
- How much of it is protected from prying eyes (like the four Ring employees fired for inappropriately accessing customer video footage)?
- With whom are device vendors sharing information (like the third-party trackers embedded within Ring)?
- How well is data protected from the criminal element?
- If you are a smart device engineer, business or vendor, what are you doing to control and protect all that highly-impactful data?
Many of us in the data privacy and security community are concerned smart devices, or rather the developers of smart devices, may consider their technology too smart for privacy protection. Collecting troves of sensitive information brings with it the responsibility of protecting it. It's one thing if a technology provider has the data; it's quite another if the technology provider has built something that allows an everyday user to become the keeper of our data. Just consider smart doorbell video, or should I say, surveillance footage.
Imagine you slip on ice while out walking the dog, and it's all caught on a neighbor's doorbell camera. Depending on your relationship with the camera's owner, it may make for a good laugh, and that's the extent of it. What if, however, your slip gets uploaded to YouTube and goes viral, turning what otherwise may have been a mildly embarrassing moment into a worldwide sensation? Things get even scarier if you imagine your video being used for other purposes, like a denied insurance claim or job offer... or to track your location.
Now imagine you're walking down the street at the precise time a crime occurs. You have zero to do with it, but you were caught on camera approaching the scene at the exact right time. Video taken out of context can create big-time problems for people.
Then there are the run-of-the-mill technology mix-ups like the one reported by the Google Home Hub user. When the user loaded a smart home camera, a still image from a different user's home popped up on the screen. Why wasn't the application code engineered to prevent this or tested to ensure something like this could not happen?
It's really impossible to say how video, information and all kinds of other data we willingly give up today might some time in the future be used against us.
My 2020 Experiment
The need for more education around smart devices has inspired one of my 2020 projects.
This month, I am beginning a year-long experiment with the Echo Dot I purchased for Christmas. I'll be putting Alexa through a variety of tests, speaking certain "out of character" phrases and seeing the impact. Will it lead to targeted phone calls or ads? There's no telling how this information will be used. I anticipate it will be an enlightening experience to say the least, and I look forward to sharing the results with you.
Do you have suggestions for words or phrases I should try? Let me know! (NOTE: I appreciate all suggestions, but I will not say things that could possibly get me arrested or that could otherwise lead to harmful actions for me and my family.)
Ask Yourself: Why do they need this?
Before you purchase or use a smart device, take a moment to understand what data is being collected from you. Traditionally, you can find this information in a provider's privacy policy or privacy notice. You can also reach out to them directly.
Once you have that information, ask yourself why the device needs that data. If you can't come up with a viable reason, consider whether the speed, convenience or fun is worth the privacy pay off.
For example, Wyze recently reported it had leaked the personal data for 2.4 million security cameras. The data included health information, such as bone density. Wait a minute! Why would a home security system need that kind of health data?
Facebook Attempts to Thwart Deep Fake Videos
Do new rules go far enough?
How effective the social media giant's rules will be remains to be seen.
Not all manipulated video will be banned
It's important to recognize these rules are designed to remove deep fake videos only. That leaves shallow fakes free to roam the social network. These are videos that are manipulated to a lesser degree but still blur the line between truth and lies. An example of a shallow fake is a video slowed down to make the subject appear intoxicated.
What's more, Facebook said it will allow video manipulation in parodies and satire. It will also allow clips edited to cut out or change the order of words. There was also some confusion about how Facebook intends to review political ads.
All in all, Facebook's rules appear to be highly subjective.
Although deep fake videos are rare today, they're becoming more prevalent. It's likely we'll also see them become increasingly sophisticated, and therefore, harder to detect (both for the average user and Facebook).
Pros and cons of Facebook's ban
A big positive of Facebook's announcement is the heightened awareness it likely generated around the existence of fake videos. However, the announcement may have one very serious consequence. Facebook users may now have a false sense of security around the validity of videos on the social network. They may believe, to a greater degree, in the validity of what they view on Facebook, assuming it's been appropriately vetted for manipulation.
It's so important to remember (and to educate our children on the fact) Facebook and its social media cohorts are not news outlets. Although they're often treated as legitimate sources for news, they are platforms for crowd-sourced content that do not follow journalistic practices. Just look at the craziness spreading around the coronavirus.
Take your own precautions when using social media sites for news. Verify the validity of everything you see, video or otherwise, before believing (or sharing!) the content.
Migrate & Patch
Microsoft Windows vulnerabilities making headlines
Starting in January 2020, Microsoft is putting all its support and security eggs in the Windows 10 basket. That means anyone running Windows 7 or Windows Server 2008/R2 will be out of luck should they need any service. Worse, they will be operating systems that will NOT be patched when new exploits are discovered.
Most of these entities will be migrating to Windows 10 if they haven't already.
But that's not to say Windows 10 is without its issues.
In fact, the U.S. National Security Agency (NSA) recently revealed it had found a serious vulnerability in Windows 10 and Server 16. A built-in security feature that verifies a system is downloading software legitimately from Microsoft was flawed.
As one cryptography expert put it, "This is bad."
Such a vulnerability is so serious because it can allow cybercriminals and attack bots to develop exploits that appear to be coming from Microsoft, but are actually malware that can take control of the system.
It's exactly this kind of issue that makes 'smart' devices so scary. Cyberattackers are fast innovators. They develop new ways to break in and take over systems that allow them access to all kinds of valuable data. If a company the size and sophistication of Microsoft can be found vulnerable, certainly the makers of smartwatches, smart home security systems and smart appliances can!
The Dark Side of Targeted Advertising