Categories
Security

Not even your PC’s power supply is safe from hackers

Hackers have found a way to gain access to uninterruptible power supply (UPS) systems, according to a report from the Cybersecurity and Infrastructure Security Agency (CISA).

As reported by Bleeping Computer and Tom’s Hardware, both the Department of Energy and CISA issued a warning to organizations based in the U.S. that malicious threat actors have started to focus on infiltrating UPS devices, which are used by data centers, server rooms, and hospitals.

UPS devices allow companies to rely on emergency power when the central source of power is cut off for any given reason. If the attacks concentrated on these systems come to fruition, the consequences could prove to be catastrophic. In fact, it could cause PCs or their power supplies to burn up, potentially leading to fires breaking out at data centers and even homes.

Both federal agencies confirmed that hackers have found entry points to several internet-connected UPS devices predominantly via unchanged default usernames and passwords.

“Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet,” the report stated.

Other mitigation responses the agencies recommended putting in place include safeguarding devices and systems by protecting them through a virtual private network, applying multi-factor authentication, and making use of effective passwords or passphrases that can’t be easily deciphered.

To this end, the agencies stress that organizations should change any UPS usernames and passwords that have remained on the factory default settings. CISA also mentioned that login timeout and lockout features should be applied as well for further protection.

Severe consequences

The report highlights how UPS vendors have increasingly incorporated a connection between these devices and the internet for power monitoring and routine maintenance purposes. This practice has made these systems vulnerable to potential attacks.

A prime example of hackers targeting UPS systems is the recently discovered set of APC UPS zero-day bugs. Known as TLStorm, the three critical zero-day vulnerabilities opened the door for hackers to obtain admin access to devices belonging to APC, a subsidiary of an electrical company.

If successful, these attacks could severely impact governmental agencies, as well as health care and IT organizations, by burning out the devices and disabling the power source remotely.

The number of cyberattacks against crucial services has been trending upwards in recent years as cybercriminals progressively identify exploits. For example, cyberattacks against health care facilities almost doubled in 2020 compared to 2019.

It’s not just large organizations that are being targeted — online criminals stole nearly $7 billion from individuals in 2021 alone.

Repost: Original Source and Author Link

Categories
Security

Yubico key organizer keeps your house keys tidy and your YubiKey security key safe

Yubico has teamed up with Keyport on a new key organizer that’s designed to safely stash your YubiKey security key (a small dongle that can act as an extra layer of security for your logins) alongside your house keys in one compact little enclosure.

It’s a neat idea. My house keys have to put up with a lot of abuse from being carried around in my pockets and stuffed in the bottom of backpacks. And while I’m not too worried about a set of metal keys surviving this kind of treatment, I wouldn’t say no to a little more protection for a USB dongle that I need to access my most secure accounts. YubiKeys are built like tanks, but nothing’s invincible.

The $25 Yubico x Keyport Pivot 2.0 key organizer appears to have been released earlier this month, and it’s functionally a very similar accessory to Keyport’s existing Pivot 2.0 organizer. The differences appear to amount to a small Yubico logo on its outside, and Yubico’s website also notes that this version doesn’t include Keyport’s lost and found service.

Alongside a YubiKey security key, the organizer has space for up to seven other key-sized items. As well as keys, Keyport sells a variety of tools that are designed to sit in its holders, like multi-tools, mini-flashlights, and pens. Compatible YubiKeys include the 5 Series, as well as its new Bio Series, which are activated using a fingerprint.


Categories
AI

Teleoperation and the future of safe driving

This post was written by Amit Rosenzweig, CEO of Ottopia.

Teleoperation: the technology that enables a human to remotely monitor, assist and even drive an autonomous vehicle.

Teleoperation is a seemingly simple capability, yet it involves numerous technologies and systems in order to be implemented safely. In the first article of this series, we established what teleoperation is and why it is critical for the future of autonomous vehicles (AVs). In the second article, we showed the legislative traction and emphasis gained for this technology. In the third and fourth articles, we explained two of the many technical challenges that needed to be overcome in order to enable remote vehicle assistance and operation. In this article, we will explore how this is all achieved in the safest possible way. 

More than a decade ago, the major AV companies made a promise. They claimed that autonomous vehicles would by now be completely self-sufficient. Human driving was obsolete. As the years pass, we continue to see how this goal is elusive, and that there will always be the need for a human to be kept in the loop. The initial response to this was remote driving.

Remote Driving? Major danger

Teleoperation was originally a system that overrides the autonomy of a vehicle and allows a human to manually drive it remotely. Essentially it would replace all self-driving functions and safety systems with a remote driver. This would appear to make a degree of sense. Currently, the solution for unknown situations, aka edge cases, is to put a “safety driver” in the driver’s seat. This way, when the autonomy does not know what to do and gets stuck, the human can manually solve the problem by driving the car for just a few seconds. By enabling the human driver to be in a remote location, they can monitor and solve problems for multiple vehicles, thereby cutting down on driver costs.

Chances are when people first envisioned this remote driving, they assumed we would have perfect and fully immersive virtual reality with zero latency as seen in a sci-fi movie like Black Panther. Unfortunately, there are critical shortcomings with regard to remote driving. As it is, from the instant a driver recognizes an obstacle in the road until their foot hits the brake pedal – brake reaction time – it takes about 0.7 seconds. This means that at a speed of only 30 mph, which translates to 44 feet per second, over 30 feet of braking distance are needed to prevent a collision. This is if the driver is IN the vehicle, traveling at ONLY 30 mph, and the car stops on the spot.

Figure 1: “Obstacles” can appear in almost every environment (Ottopia teleoperation in crowded environments). Image credit: Ottopia

For a remote driver, one must factor in at least a few fractions of a second in latency plus the lack of haptic feedback. In other words, the brake reaction time alone is at least 0.8 seconds, with a minimum of 35 feet needed to avoid a collision at 30 mph. And this does not even factor in braking distance. Maybe this is why in a different sci-fi movie, Guardians of the Galaxy 2, one can see how remote pilots are inferior to those onboard the ship.

Clearly, humans cannot be allowed to drive a vehicle from a remote location. At least not on their own.

Advanced Teleoperator Assistance System (ATAS ®): the first transformation for teleoperation

Yes, originally the teleoperation system would shut off the autonomy stack and enable a person to drive the vehicle, but why? Why would you shut off this incredible piece of technology that already knows how to sense, react and respond in ways a person will never be able to do? This is why the second stage of teleoperation involved systems like ATAS® (an Ottopia registered trademark).

Like the more familiar ADAS (Advanced Driver Assistance System) the purpose of ATAS® is to work with the (remote) driver while leveraging the existing safety functions enabled by the vehicle’s autonomous capabilities. The main directive of an ATAS® is to prevent collisions. There are two main ways to do this, both made possible by the autonomy stack.

The first is collision warning. At every given moment, the powerful LiDAR, perception, and computation capabilities are ascertaining each and every object in the field of view of the AV. As the vehicle progresses on its way, the system identifies the speed and trajectory of the vehicle in addition to things that may pose a safety hazard. The teleoperator display has a layer that shows their heading and can alert if anything might be a reason to slow down, stop or circumnavigate the particular obstacle. This system helps compensate for the reactive shortcomings of a human driver while still allowing them to make the important decisions of how to get where they need to go.

Figure 2: Remote collision warning in action. Image credit: Ottopia

The second is collision avoidance. The ultimate safety decision-making power does not and cannot lie with the human driver. Yes, the human is subject to what the autonomy decides is safest! This may seem backwards until you remember that the vehicle is in the moment. It has instant perception abilities. It sees the oncoming crash before any human ever could. Furthermore, even if the human driver could see the potential risk, it is possible they are distracted or blinded or otherwise incapable of recognizing the impending danger. That is why, only with regard to braking in safety situations, the vehicle and its corresponding autonomy system must make the decision to stop the vehicle and prevent a disaster.

Clearly, a remote driver must have a system like ATAS® in order to ensure the safety of those in an AV and those around it. However, there remains serious room for improvement.

Tele-assistance. The final form?

Tele-assistance, also known as remote vehicle assistance (RVA), high-level commands, or indirect control, is when the operator gives certain orders to the AV without directly deciding how it completes that task. Tele-assistance helps reduce many of the risks involved in remote driving, even with ATAS®. Tele-assistance is also dramatically more efficient in terms of how many operators are needed.

This is how Tele-assistance works: In the traditional teleoperation situation, an AV would be driving along when it encounters an event which it does not know how to handle. It pulls over to the safest possible spot, stops, and triggers an alert for human intervention. That human would link in, observe the situation, and decide on how best to remedy the problem. Instead of putting their hands on a steering wheel and feet on pedals, the operator will choose from a menu of commands they can give to the vehicle to guide it out of its predicament.

Examples of such commands include path choosing – where the operator selects one of a few offered choices for an optimal path forward; path drawing – where the operator makes a custom path for the AV to follow; and object override – recognizing when the seeming obstacle is not a problem (e.g., a small cardboard box in the middle of the lane) and, in fact, the vehicle can simply continue on its way.

Figure 3: Tele-assistance in action. Image credit: Ottopia

Traditional teleoperation created more problems than it solved. It is hubristic to claim that a human can remote-drive any normal-sized automobile or truck without any assistance or dedicated safety technology. While humans are required to handle situations confronted by autonomy, the solution for driving is ideally assistance, and at the very least, driving with a safety system like ATAS®.

When tele-assistance is coupled with maximized network connectivity and dynamic video compression, as described in the previous two articles, autonomous vehicles can be commercially deployed in the safest and most efficient manner.

Amit Rosenzweig is the CEO & Founder of Ottopia

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member


Categories
AI

Safe Security raises $33M to manage and mitigate cyber risk



Safe Security, which provides a platform to measure cyber risk, today announced that it raised $33 million in a strategic investment from BT Group, the U.K.-based telecom provider. As a part of the investment, BT will be granted the exclusive rights to use and sell Safe Security products to organizations in the U.K. as it incorporates the platform into its wider portfolio. BT will also work with Safe Security to develop new products and with Safe’s customers to improve their cybersecurity postures, according to Safe Security CEO Saket Modi.

With the frequency of large-scale data breaches increasing — from 662 in 2010 to over 1,000 by 2020 — businesses are looking for ways to assess how vulnerable they might be. The cost of cyber crime is estimated to have reached just under $1 trillion in 2020 as criminals exploited the pandemic to target enterprises.

Safe Security, which is headquartered in Palo Alto, California, seeks to leverage AI to help organizations mitigate cyber risk in real time. It uses a scoring model that was built as a joint research project at MIT — one that runs cybersecurity sensor, external threat intelligence, and business data through an AI-powered engine to generate scores and the dollar value risk that an organization faces. The scores are calculated both at a macro and micro level and can be measured for particular lines of business as well as departments, Modi says.

“Safe Security was incubated from IIT Bombay in 2012 as a cybersecurity services company with my two other cofounders, Rahul Tyagi and Vidit Baxi,” Modi told VentureBeat via email. “We offered various cybersecurity services such as red teaming, vulnerability assessment, penetration testing and boardroom training and more to Fortune 500 companies [and governments] globally … In early 2020, we launched our cybersecurity & digital business risk quantification platform, Safe, and pioneered a new category of products in cybersecurity [that] brings a unique way to proactively manage, measure, and mitigate cyber risks. This enables security and risk management leaders to not only make cybersecurity an informed business decision, but also help them communicate more effectively with all stakeholders.”

Calculating risk

Modi asserts that while cyberattacks have evolved over the years, cybersecurity remains an opaque concept for most senior business leaders. Organizations often invest in products such as endpoint detection and response, antivirus, firewalls, and more without knowing the “before and after” impact of their breach likelihood, he says.

“Security and risk management leaders continue to evaluate cybersecurity through jargonized subjective measures and keep adding cybersecurity products to reactively respond to cyberattacks, rather than proactively defend them,” Modi said. “By contrast, the Safe platform provides a current and historic assessment of multiple threat vectors, including people, processes, technologies, and third parties — which is then quantified with a ‘breach likelihood score’ between 0 and 5 … The scoring algorithm is trained on data from cyber insurance claims and hack analyses from its research and analytics team, in collaboration with MIT and IIT Bombay.”

Safe has rivals in startups including VisibleRisk and Exabeam, as well as Viso Trust, SecurityScorecard, and RiskLens. But Modi says that the company’s revenue grew by 270% in the last year and is expected to grow “sixfold” over the next 12 months, fueled by clients investing in digital business risk quantification, third-party risk management, and insider threat analysis.

“The pandemic has significantly accelerated digitization across businesses globally and as organizations transform to a digitally native setup, cybersecurity becomes the number one priority,” Modi continued. “[For example, a] Fortune 50 fast-moving consumer goods company uses our platform to manage its third-party risks across suppliers and distributors where they combine the insights of questionnaire-based assessments with outside-in assessments and inside-out assessments to get a unified, real-time risk posture for all critical third parties in their environment. A Fortune 250 bank uses our platform to get a real-time cyber risk posture of its critical business units that contribute the most to its revenue. [And] one of the top five health care providers in the U.S. uses our platform to integrate all signals in regards to its insider threats such as phishing campaigns, device security, cybersecurity awareness campaigns, deep and dark web exposures, email gateway security and more to get a unified, real-time view of the breach likelihood of its 15,000 employees.”

Modi says that the proceeds from the funding round will be used to grow Safe’s U.S. revenue and triple the company’s spend on R&D. Beyond this, Safe plans to double its engineering team to over 200 people and grow its total headcount to over 300 by the end of 2021.


Categories
Computing

Are Free VPNs Safe? What You Need to Know

You’ve probably at least heard of virtual private networks (more commonly referred to as VPNs) and if you’re at all concerned with digital privacy and security, you might have already done a bit of research on them and have been pricing them out a bit. You’ve likely also noticed that there are some free VPN plans out there, which might seem too good to be true — after all, if these services cost money to operate, why would anybody offer them for free?

That’s a fair question, and as you can imagine, there’s a pretty big catch with those “free” VPNs. Virtual private networks require hardware infrastructure to run (which means money), and free providers have to recoup their costs somehow. They typically do this by collecting and selling your data to marketers, which means they’re likely keeping some sort of activity log. This defeats much of the purpose of using a VPN — protecting your online activity, habits, and information from third parties and other assorted snoops — in the first place. And in any case, are you really willing to risk your online security just to save a few bucks each month?

That’s not to say that free VPNs are necessarily bad, at least in the sense that they’re not doing what they’re supposed to do (which is encrypt your internet connection and reroute it through the VPN operator’s remote servers). Also bear in mind that free VPN plans are going to be rather limited. They may have data caps, and they’ll certainly have speed caps. There will be restrictions on which security protocols you can use, which devices you can use, and which global servers you’re allowed to route your connection through, if you even have control over any of these at all. They also lack advanced features like ad-blocking and malware protection, making them considerably less safe. All of these are reasons why, in general, we recommend that you ditch free plans and set up a VPN through a trusted provider like NordVPN.

All that said, good virtual private network providers often offer free “money-back guarantee” periods that function as free trials, letting you cancel your plan and receive a full refund (usually within 30 days), and some, like NordVPN, also often run specials that include a few free months. This gives you a bit of time to give a VPN service a spin and decide if it’s a good fit for your digital lifestyle before you have to fully commit to a subscription. More good news is that the best VPN services actually aren’t that expensive considering the security and peace of mind that they deliver, and most also have different plans you can choose from. Longer-term yearly plans are the best value and usually come to only a few dollars per month.

Here are the top four virtual private network providers we trust the most, including some more about each one, how much they cost, and whether they offer a free trial to new subscribers.

Secure VPNs you should be using

  1. NordVPN — from $12/month
  2. ExpressVPN — from $13/month
  3. Surfshark — from $13/month
  4. IPVanish — from $11/month

NordVPN

There’s a very good chance you’ve heard of NordVPN already, which is not a huge mystery considering that this is the most highly trusted virtual private network provider out there today. It’s our own top pick, too, because it has all the features we want in a VPN. You can use split-tunneling to choose which sites and services you want on the VPN and which ones you don’t (if you don’t want to encrypt 100% of your online activities to improve performance for things like gaming, for instance), and it boasts more than 5,000 servers in 59 countries worldwide. It also works great on both PC and mobile devices with intuitive app controls.

Pricing for NordVPN plans ranges from $12 per month for the monthly tier to $89 for the two-year plan (which comes to only $3.30 per month, making this package the best value by far). This allows you to connect and use up to six devices on your NordVPN service at a time.

ExpressVPN

ExpressVPN is a fierce competitor to NordVPN and another contender for the best virtual private network service provider. It’s slightly more expensive, but the trade-off is that you have more server locations to route your connection through — ExpressVPN operates more than 3,000 servers in 94 countries (160 locations total) that are well-spread across the world — with no bandwidth restrictions. It’s also compatible on virtually all devices, from computers and mobile devices to smart TVs and gaming consoles, and offers good speeds along with a pretty straightforward setup process.

ExpressVPN is a little pricier than the competition, but it’s a solid choice if you want more regional servers and no-brainer compatibility across multiple devices. The service plans ring in at $13 per month, $60 for six months, or $100 for one year (which comes to $8.32 monthly) for use with up to five devices simultaneously. You also get a 30-day risk-free money-back guarantee.

Surfshark

If you’re looking for the best cheap VPN and even NordVPN’s two-year plan is more than you want to spend at once, Surfshark is the one. Its server list isn’t quite as impressive as that of the other big-name providers like ExpressVPN, but it delivers solid connection speeds, can be run on an unlimited number of devices (yes, really — no device limits!), and does pretty much everything that we want a virtual private network to do, right up to offering built-in ad-blocking and malware protection. The fact that it’s cheap and runs on an unlimited number of local devices simultaneously makes Surfshark a great choice for families and offices.

The price is also highly appealing. Although the monthly plan costs $13 per month (the same as ExpressVPN), you can grab a two-year package for $120 (billed $60 per year). That comes to a dirt-cheap $2.50 monthly for a solid virtual private network you can use with all of your devices. Who needs a free VPN?

IPVanish

Last but certainly not least is IPVanish, which is another low-cost option that offers some nice value-added features. Chief among these is its optional backup service add-on, which automatically backs up data of your choosing in a secure encrypted cloud. This not only guards you against ransomware attacks but allows you to restore lost data in the event of theft or a hardware/software failure (such as a computer crash and the resulting file system corruption). IPVanish also operates more than 1,600 servers in more than 75 locations worldwide, and, like Surfshark, there are no restrictions as to how many devices you can connect to the VPN at once.

The backup service is an optional add-on, so you’ve got more IPVanish plans to choose from. The VPN itself is available for $11 per month or $45 for your first year ($3.75 per month), but reverts to its usual price of $90 per year after that. The VPN + Backup plan comes to $13 monthly or $50 for your first year (which averages to $4.17 per month), then $100 per year after that.


Categories
Computing

Facial Recognition Tech for Bears Aims to Keep Humans Safe

If bears could talk, they might voice privacy concerns. But their current inability to articulate thoughts means there isn’t much they can do about plans in Japan to use facial recognition to identify so-called “troublemakers” among its community.

With bears increasingly venturing into urban areas across Japan, and the number of bear attacks on the rise, the town of Shibetsu in the country’s northern prefecture of Hokkaido is hoping that artificial intelligence will help it to better manage the situation and keep people safe, the Mainichi Shimbun reported.

Bear faces may look very similar, but small differences in appearance, such as the distance between the eyes and nose, allow facial recognition technology to tell them apart.

For the system to work, the technology requires a minimum of 30 photos of each bear’s face, taken from the front. Workers at the South Shiretoko Brown Bear Information Center have placed automatic cameras along known bear trails to capture the required data, but so far they’ve failed to gather enough imagery to launch their facial recognition plan.

While bears are considered by many experts to be highly intelligent creatures, it’s not thought that Hokkaido’s bears have rumbled Shibetsu’s facial recognition initiative, prompting them to steer clear of the cameras. Rather, the chances of a bear looking straight down the lens of a camera along the trail simply appear slim. But the team is persevering and hopes that it will soon have the necessary imagery to launch its plan.

The hope is that workers at the center will be able to use the facial recognition system to learn more about the specific behavior traits of each bear and capture ones considered likely to cause problems in a nearby town or village.

This isn’t the first time such technology has been used on bears, as researchers in the U.S. and Canada deployed a similar system several years ago in a bid to gauge population numbers in national parks.

Earlier this month, Japan’s ongoing difficulties with bear attacks hit the headlines again when one of the creatures injured four people in Hokkaido’s capital city of Sapporo before it was shot dead. Dramatic news footage showed the bear striking a pedestrian, the victim oblivious as the animal bounded up behind it.

In 2019, Japan recorded around 150 bear attacks, marking the biggest increase in such incidents in a decade, while around 6,000 were captured after causing incidents of varying severity. Experts say the increase could be down to a shortage of food in the bears’ natural habitat, prompting them to venture further afield in search of sustenance.

Other efforts to keep bears out of Japanese towns have included this “Monster Wolf” robot that’s supposed to scare the animal away.


Categories
Tech News

AI-powered construction supervisor app helps make buildings safe

“It’s not an earthquake that kills people, but the collapse of a poorly built building.”

Build Change, a foundation dedicated to preventing housing loss caused by natural disasters such as earthquakes and windstorms, is announcing the “Intelligence Supervision Assistant for Construction” (ISAC-SIMO) app. It’s an open-source, AI-powered quality assurance tool for construction. And it could save countless lives.

Meet ISAC-SIMO:

The tool uses machine learning to help people confirm they’re using the best materials and construction methods, so that buildings are disaster-ready.

Typically, when we discuss earthquake-proofing, we’re talking about making skyscrapers and bridges safe using advanced engineering and materials. But the challenge of rebuilding communities in emergent areas isn’t necessarily about coming up with new engineering solutions.

Often, one of the biggest challenges in these scenarios is finding enough expertise to ensure that laborers are building back safely and with the correct materials.

According to Elizabeth Hausler, Founder & CEO of Build Change:

“ISAC-SIMO has amazing potential to radically improve construction quality and ensure that homes are built or strengthened to a resilient standard, especially in areas affected by earthquakes, windstorms, and climate change.

“We’ve created a foundation from which the open source community can develop and contribute different models to enable this tool to reach its full potential. The Linux Foundation, building on the support of IBM over these past three years, will help us build this community.”

The app got its beginning as a runner-up in the Call for Code challenge, a yearly open-source development event hosted by David Clark Cause, IBM, The Linux Foundation, and other partners.

Quick take: Anyone who’s ever done construction in emergent areas where regulatory bodies are either stretched thin or non-existent can attest to the fact that you absolutely never know what you’re going to find when it comes to building safety.

Putting an app in people’s hands that will let them know things such as whether the brick and mortar in their walls is safe, down to whether the proper rebar and brackets are in use ahead of a build, will definitely save time, money, and lives.


Categories
Tech News

Buying a smart toy or fitness tracker? Research how safe they are first

The wearable technology market is booming, with half a billion wearables sold globally in 2020. Apps on these devices, or the devices themselves, often claim to monitor our health to spot illnesses, track our workouts to help us reach our fitness goals, or keep an eye on our children’s whereabouts to enhance their safety.

But they’re also divisive. Supporters of wearable technology claim that health trackers should be prescribed by the NHS and could even deliver an early warning of a possible COVID-19 infection. GPS tracking devices designed to be worn by children, meanwhile, are seen as a safety asset for parents.

Yet studies have found fitness trackers to be too inaccurate and misleading to be used by medical professionals, and that, because they’ve been rushed to market, wearables of all kinds are an insecure “Wild West” region of technology that requires urgent regulation.

In a recent report, we looked at the security risks associated with wearable devices, as well as “smart toys” that can record children in their homes. We found a concerning lack of security – especially for devices aimed at children – which lack even the most basic cybersecurity precautions, leaving them open to abuse.

Fitness trackers and personal data

One key issue with wearables is the data they generate and share. For instance, many fitness trackers rely on data on a person’s location to map their workouts. That’s great if you’re keen to track the distance of your jogs, but it’s not especially sensible if you’re embarking on those jogs from a military base in hostile territory.

Beyond that specific example, which caused some embarrassment for the US military in 2018, it’s clear that sharing your location publicly, even in a safe civilian setting, comes with significant risks.

And it’s not just the real-time tracking of your running route that could expose your whereabouts. Because these trackers upload your workouts to an app and share them publicly, it’s possible for predators to use historic running, biking or hiking routes to predict where you might be at a given time. This safety issue isn’t restricted to workouts. Even something as innocuous as sharing a photo through your Apple Watch can give away your geolocation.

Are trackers safe for children?

Even more concerning are devices designed to be worn by children, sales of which are expected to reach $875 million (£620 million) by 2025. These watches are marketed as wearable tech to keep kids safe, tracking their location and alerting parents when the watch’s onboard “SOS” button is pressed – or if the child travels beyond a geofenced area.

Smart watches as safety devices on children’s wrists may sound like a boon for anxious parents, but a 2017 survey of children’s smart watches found that the all-important “SOS” button either got stuck or didn’t work at all in most cases.

Additionally, flaws in some smart watches’ accompanying apps have raised serious safety concerns. Security researchers have found they could not only easily access children’s historical route data – like their path to and from school – and monitor their geolocation in real time, but they could also speak directly to the child, through the watch, without the call being reported in the parent’s app.

Connected toys

Fears that internet of things devices can give people unauthorised access to children also extend to the “smart toy” market. Some of these toys contain hidden cameras and microphones which, if hacked, could be used to record the interior of your home, including children’s rooms.

In 2017, German regulators recognised this danger by banning the sale of the Cayla “smart doll”, labelling it as the kind of “de facto espionage device” that Germany’s Telecommunications Act legislates against. In an unusual and unsettling move, the regulator went further by asking parents who’d bought one to destroy the doll to prevent illicit surveillance.

Even if the manufacturers of smart toys and children’s smart watches can guarantee far better security than that which led to the Cayla ban, there remain other surveillance concerns. In 2019, a UNICEF-led report highlighted how children’s rights – to creativity, freedom of choice and self-determination – are challenged by smart devices. Present in schools, at home, and on the wrist, this kind of round-the-clock surveillance, the report argues, restricts carefree childhood and hurts kids’ development.

Making trackers safer

Trackers and toys can be made safer. Before we allow these devices to flood the market, it’s essential we standardise the minimum security requirements that manufacturers must comply with – no matter where in the world these devices are made.

Key among these standards should be the removal of factory-default passwords on devices – which, like “admin” or “1234”, are easily guessed or discovered by even the most novice hacker. Manufacturers should also publish a vulnerability disclosure to help users understand risks, and make regular software updates in response to vulnerabilities unearthed by security researchers.

Clearly, monitoring people’s health via wearable trackers has the potential to radically improve access to medical care. Likewise, every parent wants their child to be safe, and smart devices, like mobile phones before them, could be a reliable tool for checking in with them. But without safety standards, these devices have the potential to cause more harm than they offset. Regulators must act fast to stop this growing market from leading to significant harms.

Article by Saheli Datta Burton, Research Fellow, Department of Science Technology Engineering and Public Policy, UCL and Madeline Carr, Professor of Global Politics and Cybersecurity, UCL

This article is republished from The Conversation under a Creative Commons license. Read the original article.


New WiFi Frag Attacks and one simple way to be safe

Research published this week describes a set of security issues now called Frag Attacks. These issues apparently could be gone by now if companies that use or work with WiFi connectivity had made the effort to update their protocols and keep their hardware up-to-date, but here we are. Security researchers in Belgium revealed the vulnerabilities and showed how some of these insecure bits have been insecure for the last two decades (or more!).

A video demonstration of the vulnerabilities shows a couple of ways in which the user can be tricked into opening up their own security gate, so to speak. One way shows how the user could be fooled – but could also be aware of being fooled even as the fooling is taking place. The second way shows an Internet of Things WiFi-connected outlet and a lamp switching off and on… maliciously!

Imagine a modern ghost story where all your smart lamps turn off and on in the night – spooky!

As noted by the security researchers publishing their report this week, it’s likely this set of vulnerabilities was actually – sort of – patched in the past. The defense against the attack was likely not adopted by everyone “because it was only considered a theoretic vulnerability when the defense was created.”

But don’t panic! Ways to avoid being the victim of potential malicious attacks are relatively simple. As noted by the security researchers that’ve published this vulnerability set, double-check that websites you are visiting use HTTPS. You can see the HTTPS in your web browser’s URL bar – make sure it appears whenever you’re planning on entering any sort of username and/or password.

You can check out the EFF’s HTTPS Everywhere plugin – easy to work with for desktop machines. You’ll also definitely want to have security turned ON for your WiFi network. This is a bummer since some folks have been known to, very kindly, share their internet access with friends and neighbors – in an apartment complex, for example – BUT, those days are effectively done. If you’re all about sharing, you’ll do well to share your password with friends and neighbors person-to-person, rather than leaving that network wide open.

The big deal here is that Frag Attacks as noted in the research are easy to block, but require that companies and individuals update their devices. The patching of the vulnerability requires that everyone be onboard with the software fixes outlined in the research. Make sure you update all your devices, and keep an eye on the “SECURE” bit of your web browser – and make sure you’re always on HTTPS!


Are Huawei laptops safe? Intel, Microsoft promise support, but the future remains uncertain

As the U.S. Government’s ban on Huawei grinds on, the biggest questions consumers likely have are whether that Matebook laptop on Amazon is safe to buy, or whether the Huawei machine they’ve already bought is safe. After all, if Intel, AMD, Nvidia, Qualcomm and other U.S. tech companies can no longer sell chips to the Chinese tech company, isn’t the company basically dead to you?

The answer likely depends on whether you care about Huawei’s future as a PC maker, or if you only care about your particular future with a Huawei laptop.

What the U.S. ban on Huawei means

The ban on Huawei, enacted in May, essentially forbids U.S. companies from doing business with the tech giant. Obviously, if Huawei is unable to buy CPUs from Intel or AMD, or graphics chips from AMD or Nvidia, let alone memory and storage from other U.S.-based companies, it likely means any future Huawei PC laptops are in limbo.

More important for consumers is what happens to the Huawei laptop in your hands, or the Huawei laptop sitting on the store shelf in front of you.

Huawei’s Matebook 14 has one of the most unique ways ever to hide a camera in a laptop.

Microsoft and Intel will support Huawei laptops

The best news for potential buyers of Huawei laptops (and those who have them already) is Microsoft’s promise that those all-important Windows Updates will still get to you.

“We remain committed to providing exceptional customer experiences,” a Microsoft spokesperson said in a statement given to PCWorld. “Our initial evaluation of the U.S. Department of Commerce’s decision on Huawei has indicated we may continue to offer Microsoft software updates to customers with Huawei devices.” The company didn’t detail any more of its policy, but that should ease fears that your Huawei laptop will develop unpatched security holes.

Security risks can happen at the motherboard level, too. With scary-sounding exploits like Zombieload, you may be wondering whether firmware updates for the UEFI/BIOS will also be available for a Huawei laptop.

The news there also looks good, as Intel has confirmed with PCWorld that it will provide security updates and drivers to end users running Intel chips.
