The Lack of US Privacy Regulations, Nest Camera’s Hijacked – WB53

by Tom Eston on January 28, 2019

Watch this episode on our YouTube Channel!

This is your Shared Security Weekly Blaze for January 28th 2019 with your host, Tom Eston. In this week’s episode: Where are the US federal privacy regulations and details on Nest camera’s being hijacked in credential stuffing attacks.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

January 28th is international data privacy day and ironically, it seems that we still have a major problem with protecting the privacy of our data. Data breach after data leak after countless examples of mishandling of our data by companies large and small, have led many of us to ask the question “Why isn’t there more laws and regulations in the US that are focused on data privacy?.” While Europe has the GDPR the United States seems drastically behind in a battle for the protection of our private data that seems to be getting worse every day. Eventually, something big with data privacy will have to happen to finally get the attention of Congress, right? How big of a data breach is big enough? Equifax, which impacted 143 million Americans, was one example of a huge breach of our private data, yet nothing has changed. Facebook’s Cambridge Analytica scandal sent Mark Zuckerberg to face questions by Congress, and again nothing changed. And now there are reports that major telecom companies are selling our location data to shady third-parties. So I ask you, will there finally be a bigger data breach that makes an even bigger impact this year which will drive a regulation from the federal level?

Sponsorships Available

Here’s Ameesh Divatia, CEO and co-founder of Baffle, a data encryption company, with his thoughts on the development of new data privacy laws and regulations in the United States this year.

Ameesh: I think that would be very, very important because right now we have a mishmash of where every state has a notification law which means that you have to tell somebody and notify somebody about the fact that you’ve lost customers data. So a uniformed notification approach would definitely help. I think the key issue is the whole issue of fines. I think GDPR took it to a whole new level as how to fine entities that lose data. We need a more practical approach to that and I think that you’re going to see that. Where it hurts but doesn’t put you out of business because you do want data collection like I said very early on is very critical there is no way you’re going to get a lot of services without data being collected. But processing that data responsibly is what it’s all about. I always say security has traditionally been sort of sold with fear in the background. And that’s not good for anybody. What we see is a transition where being more secure and being able to protect the customers data is going to become a differentiator, a competitive differentiator versus the necessary evil that always gets in the way of business. And if that really starts happening that’s a true win, win for the industry as well as for the data aggregators.

Tom: So what do you see happening with privacy this year?

Ameesh: So what we see for 2019 is obviously a continued focus on the fact that privacy has to be taken seriously. I think you’re going to see some big fines being levied. Whether it’s the European Union or even the US states that are starting to catch up, I think that’s going to be another game changing event for 2019 where one of the large data aggregators is going to be fined. And that’s going to get the focus more and more on the fact that collecting data is the first step but making sure you protect it is a necessary second step.

Tom: That was Ameesh Divatia from Baffle.

Now, ironically just this past week we saw news stories that two major tech companies, Google and Facebook, are being fined or in the process of being fined. According to a report by the Washington Post, the Federal Trade Commission is planning on issuing a fine to Facebook because of the violation of an agreement dating back to 2012 stating that Facebook would keep certain user information private. No details on when this fine may happen or how much the fine will be, have been released. However, it’s sure to be much larger than the recent fine of €500,000 pounds issued by the United Kingdom to Facebook back in October of last year. Google, however, is right now being fined $57 million dollars, which happens to be the largest GDPR related fine ever issued, because Google failed to go far enough obtaining user consent to collect data for targeted advertising. So the question is, when will we see more enforcement in the US like we see in Europe? With the current government shut down, we’re not going to see anything happen soon and regardless of countless data breaches, it’s anyone’s guess if this year will be the year for a federal data privacy law.

Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.

Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.

Visit edgewise.net to get your free month of visibility.

You may have seen reports on all the major national news channels here in the US about Nest camera’s being hacked which allow an attacker to talk though the camera saying scary phrases like “I’m going to kidnap your baby, I’m in your baby’s room.”. Most of these stories carry a lot of sensational headlines but without much context. So how are attackers gaining access to so many Nest camera’s all of a sudden? The answer is actually pretty trivial and it has something to with an attack called credential stuffing. Credential stuffing is where an attacker will use user names and passwords obtained from previous data breaches in order to compromise user accounts of many different types of sites and services. Databases of user names and passwords from previous data breaches are easily available either for sale on the Dark Web or by using some creative Google searching on the Internet. Once these credentials are obtained, the attacker uses a script or program to try logging into hundreds of websites until successful logins are found. Once the attacker has a successful login, other sites and services are then tried to see if the same password was used. And that, is the key to this attack. If you happened to use the same password for all sites and services you may happen to use, you can easily become a victim of an attack like this. This is exactly what happened in the case of all these Nest camera’s being hacked. So how do you prevent yourself from becoming a victim and having your Nest or other camera hijacked?

Well, it all goes back to basic password security. So make sure you’re using a password manager and always ensure you’re using random and complex passwords for each site and service that you use. Second, always enable two-factor authentication whenever it’s available. In the case of Nest, they do have an option to enable two-factor authentication, but it’s not enabled by default. Check your Nest account settings and enable this feature. Other smart cameras, specifically, Ring camera’s don’t have any options for two factor authentication so your best defense in these cases are only strong passwords. Your mileage may vary as account security for all smart camera’s and other Internet of Things devices is typically not very good at all and always subject to change.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.