Monday, July 18, 2022

Amazon Ring Gave Video Footage to Cops Without Consent or Warrant

What would you think if a company accessed your door camera footage without your consent? But (allegedly) for good purposes, of course: to save a life, to catch a criminal, and so on...

Well, this is not a fictional scenario from a movie or a series but something that happened in real life. Amazon shared door camera footage with the police without judicial authorization and without the consent of the owners 11 times in 2022. For good(!), of course. (Well, they claimed so.)


Yeah. Big Brother can watch us (or is still watching us), but no worries. It's for your own good(!)


Here is another chapter of the unending "privacy vs. security" story, this time from real life.


https://www.theregister.com/2022/07/14/amazon_gave_police_unauthorized_doorbell/


#privacy #ring #amazon


"Amazon's home security wing Ring turned over footage to US law enforcement without permission from the devices' owners and seemingly without a warrant 11 times so far in 2022.


Though the internet giant has a policy that police generally cannot view recordings without owners' consent, that safeguard can be overridden with court orders and emergency requests – and it was through 11 emergency requests that Amazon gave the cops people's video data, without permission and no indication of a warrant. What constitutes an emergency request is left up to Ring itself, too.


'In each instance, Ring made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay,' Amazon's vice president of public policy Brian Huseman told Senator Ed Markey (D-MA) in a written response to a list of surveillance-practice related questions submitted in June (2022)."


(Here is the PDF: https://www.markey.senate.gov/imo/media/doc/amazon_response_to_senator_markey-july_13_2022.pdf)


"'Recent research indicates that in addition to capturing troves of video recordings, Ring products also surveil the public by capturing vast amounts of audio recordings,' said Markey in a letter to Amazon CEO Andrew Jassy, who in turn noted that Ring did not currently offer voice recognition.


Ring doorbells are motion activated and do record audio up to 20 feet (about 6 meters) away, a distance which could potentially encroach into a neighbor's property or the street. Other doorbells can detect audio even further.


Markey's concerns include where the technology is eventually going. He offered the following tweet after publishing Amazon's letter online:

https://twitter.com/SenMarkey/status/1547276418425536519?s=20&t=0PILEVc5PN2ne7UILHGJkQ "


"According to Markey, who helped introduce the bill, it 'responds to reports that hundreds of local, state, and federal entities, including law enforcement agencies, have used unregulated facial recognition technologies and research showing that roughly half of US adults are already in facial recognition databases.'"

Wednesday, July 13, 2022

Ransomware by Maastricht University

DO take action against ransomware. Otherwise you will lose money, or maybe more.

Cybersecurity is not a game. Cyber attacks are for REAL. They can really hurt you, and they can cost you a great deal.


https://www.bleepingcomputer.com/news/security/maastricht-university-wound-up-earning-money-from-its-ransom-payment/


"Maastricht University (UM), a Dutch university with more than 22,000 students, said last week that it had recovered the ransom paid after a ransomware attack that hit its network in December 2019.


After a thorough investigation of the incident, the attack was linked by cybersecurity company Fox-IT with a financially motivated hacker group tracked as TA505 (or SectorJ04), known for primarily targeting retail and financial organizations since at least Q3 2014.


The hackers infiltrated the university's systems via phishing e-mails in mid-October and deployed Clop ransomware payloads on 267 Windows systems on December 23, after moving laterally through the network.


One week later, on December 30, the university decided to pay the ransom to have its files decrypted after deciding that rebuilding all infected systems from scratch or creating a decryptor were not viable options.


UM said at the time that it paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor, which allowed the university to avoid delaying exams and losing all the research, educational, and staff data, as well as info on salary payments for approximately 4,500 employees."


"However, as UM recently revealed, in a 'remarkable development,' the Netherlands Public Prosecution Service traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019."

Sunday, July 10, 2022

North Korean Ransomware: Maui

If they attack HPH (Healthcare and Public Health) organizations in the USA, then they will surely attack HPH organizations in the EU too.

Action has to be taken against it.


CISA (Cybersecurity & Infrastructure Security Agency) publishes warnings and guidelines against this threat on its website. But what about the EU?


https://www.bleepingcomputer.com/news/security/us-govt-warns-of-maui-ransomware-attacks-against-healthcare-orgs/

https://www.cisa.gov/uscert/ncas/alerts/aa22-187a


"The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations.


Starting in May 2021, the FBI has responded to and detected multiple Maui ransomware attacks impacting HPH Sector orgs across the U.S.


'North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,' the federal agencies revealed."


"Maui also stands out compared to other ransomware strains by not dropping a ransom note on encrypted systems to provide victims with data recovery instructions."


Friday, July 8, 2022

Dutch Security Service Uses Pegasus Software

A never-ending story: Privacy vs. Security

Especially in the digital era where we cannot live without being online.

The theme is "Pegasus" this time. Well, Pegasus has been exposed for a couple of years. But bear in mind that there are many Pegasus-like tools all around the world.

https://www.securityweek.com/dutch-used-pegasus-spyware-most-wanted-criminal-report

https://www.dutchnews.nl/news/2022/06/197938/

https://www.volkskrant.nl/nieuws-achtergrond/bedoeld-voor-terroristen-gebruikt-tegen-journalisten-wat-je-moet-weten-over-pegasus~b43d7519/

"Dutch secret services have used the controversial Israeli spyware known as Pegasus to hack targets including the country's most-wanted criminal, a news report said on Thursday.

The Netherlands' AIVD secret service in 2019 used the software bought from Israel's NSO Group to access fugitive alleged drugs kingpin Ridouan Taghi, the Volkskrant daily reported.

Pegasus, which can switch on a phone's camera or microphone and harvest its data, was engulfed in controversy last July after several media outlets reported that governments around the world had used it to spy on opponents."

"The newspaper said the AIVD used Pegasus to spy on Taghi "among others" but did not say who else may have been targeted.

The use of the software has raised eyebrows in the privacy-sensitive Netherlands."

Capital One Bank Hack


Think more than twice if you want to do something illegal, and then... give up. =) Otherwise? Well... read the articles below, then.

Lesson learnt: a misconfigured cloud asset can cause a multi-million-dollar problem.

https://www.theregister.com/2022/06/20/captial_one_wire_fraud/
https://www.securityweek.com/jury-convicts-seattle-woman-massive-capital-one-hack

For background on the Capital One breach, read the following article:
https://www.securityweek.com/qa-what-know-about-capital-one-data-breach

"The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants was swiped from the financial giant's misconfigured cloud-based storage."

"Paige Thompson (aka 'erratic') was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a 'misconfigured web application firewall.'"

"The complaint added: 'Capital One determined that the April 21 file contained code for three commands, as well as a list of more than 700 folders or buckets of data.'"

"'Ms Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,' thundered US Attorney Nick Brown. 'Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.'
'She wanted data, she wanted money, and she wanted to brag,' Assistant United States Attorney Andrew Friedman said in closing arguments."