Amazon’s Ring may not be all that secure

Five U.S. Senators are demanding that Amazon disclose how it is securing Ring home-security device footage – and who is allowed to access that footage.

The demands come on the heels of several security vulnerabilities and privacy-related incidents surrounding Amazon-owned Ring devices.

“Ring devices routinely upload data, including video recordings, to Amazon’s servers,” the senators wrote Wednesday. “Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes.”

Last week, researchers discovered a (now-fixed) vulnerability in Ring doorbells that left Wi-Fi network passwords exposed. Previous vulnerabilities have been discovered over the past year, including a flaw reported in February that could allow an attacker to spy on families’ video and audio footage.

A separate report earlier this year alleged that Ring employees in Ukraine were provided with “virtually unfettered access” to a folder containing every video created by every Ring camera globally, and that some U.S. Ring executives and engineers were given “highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras.”

Other reports have raised privacy concerns about the video footage collected by Ring doorbells. Ring has acknowledged that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners, drawing concern from privacy and consumer advocacy groups.

Amazon said that it does not require law enforcement to delete materials shared through a video request after a certain period of time. Furthermore, if videos are downloaded by law enforcement, they may become public records, Amazon said.

“Amazon plays on people’s fears to sell them surveillance products, and then turns around and puts them and their neighbors in danger,” said Evan Greer, deputy director of digital rights advocacy group Fight for the Future, in an email. “Through consumer products like Ring, Amazon is collecting footage and all the data needed to build a nationwide surveillance network. They leverage government relationships to promote their own products, gain consumer trust and secure their position in the market. This is an unprecedented assault on our security, constitutionally protected rights, and communities. Amazon’s admissions to Senator Markey show that we need an immediate full scale Congressional investigation into this tech titan’s surveillance practices.”

According to reports, Ring has also applied for a “facial recognition patent” and employs a “head of facial recognition research.” Senators asked Amazon to describe its plans regarding facial recognition for Ring devices – including Amazon’s own platform, Rekognition.


Data-Enriched Profiles on 1.2B People Exposed in Gigantic Leak

Although the data was legitimately scraped by legally operating firms, the security and privacy implications are numerous.

An open Elasticsearch server has exposed the rich profiles of more than 1.2 billion people to the open internet.

First found on October 16 by researchers Bob Diachenko and Vinny Troia, the database contains more than 4 terabytes of data. It consists of scraped information from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and GitHub URLs, and other data commonly available from data brokers – i.e., companies that specialize in supporting targeted advertising, marketing and messaging services.

Taken together, the profiles provide a 360-degree view of individuals, including their employment and education histories. All of the information was unprotected, with no login needed to access it.


WordPress Upgrades to 5.3

WordPress 5.3 expands and refines the block editor with more intuitive interactions and improved accessibility. New features in the editor increase design freedom and provide additional layout options and style variations, giving designers more control over the look of a site.

This release also introduces the Twenty Twenty theme, giving users more design flexibility and integration with the block editor.

More details at https://wordpress.org/news/2019/11/kirk/