Holiday gifts getting smarter, but creepier when it comes to privacy and security

A Hamilton Beach Smart Coffee Maker that could eavesdrop, an Amazon Halo fitness tracker that measures the tone of your voice, and a robot-building kit that puts your kid’s privacy at risk are among the 37 creepiest holiday gifts of 2020 according to Mozilla.


Researchers reviewed 136 popular connected gifts available for purchase in the United States across seven categories: toys & games; smart home; entertainment; wearables; health & exercise; pets; and home office.

They combed through privacy policies, pored over product and app features, and quizzed companies in order to answer questions like: Can this product’s camera, microphone, or GPS snoop on me? What data does the device collect and where does it go? What is the company’s known track record for protecting users’ data?

The guide includes a “Best Of” category, which singles out products that get privacy and security right, while a “Privacy Not Included” warning icon alerts consumers when a product has especially problematic privacy practices.

Meeting minimum security standards

It also identifies which products meet Mozilla’s Minimum Security Standards, such as using encryption and requiring users to change the default password if a password is needed. For the first time, Mozilla also notes which products use AI to make decisions about consumers.

“Holiday gifts are getting ‘smarter’ each year: from watches that collect more and more health data, to drones with GPS, to home security cameras connected to the cloud,” said Ashley Boyd, Mozilla’s Vice President of Advocacy.

“Unfortunately, these gifts are often getting creepier, too. Poor security standards and privacy practices can mean that your connected gift isn’t bringing joy, but rather prying eyes and security vulnerabilities.”

Boyd added: “Privacy Not Included helps consumers prioritize privacy and security when shopping. The guide also keeps companies on their toes, calling out privacy flaws and applauding privacy features.”

What are the products?

37 products were branded with a “Privacy Not Included” warning label, including: Amazon Halo, Dyson Pure Cool, Facebook Portal, Hamilton Beach Smart Coffee Maker, Livescribe Smartpens, NordicTrack T Series Treadmills, Oculus Quest 2 VR Sets, Schlage Encode Smart WiFi Deadbolt, Whistle Go Dog Trackers, Ubtech Jimu Robot Kits, Roku Streaming Sticks, and The Mirror.

22 products were awarded “Best Of” for exceptional privacy and security practices, including: Apple Homepod, Apple iPad, Apple TV 4K, Apple Watch 6, Apple Air Pods & Air Pods Pro, Arlo Security Cams, Arlo Video Doorbell, Eufy Security Cams, Eufy Video Doorbell, iRobot Roomba i Series, iRobot Roomba s Series, Garmin Forerunner Series, Garmin Venu watch, Garmin Index Smart Scale, Garmin Vivo Series, Jabra Elite Active 85T, Kano Coding Kits, Withings Thermo, Withings Body Smart Scales, Petcube Play 2 & Bites 2, Sonos SL One, and Findster Duo+ GPS pet tracker.

A handful of leading brands, like Apple, Garmin, and Eufy, are excelling at improving privacy across their product lines, while other top companies, like Amazon, Huawei, and Roku, are consistently failing to protect consumers.

Apple products don’t share or sell your data. They take special care to make sure your Siri requests aren’t associated with you. And after facing backlash in 2019, Apple doesn’t automatically opt-in users to human voice review.

Eufy Security Cameras are especially trustworthy. Footage is stored locally rather than in the cloud, and is protected by military-grade encryption. Further, Eufy doesn’t sell their customer lists.

Roku is a privacy nightmare. The company tracks just about everything you do — and then shares it widely. Roku shares your personal data with advertisers and other third parties, it targets you with ads, it builds profiles about you, and more.

Amazon’s Halo Fitness Tracker is especially troubling. It’s packed full of sensors and microphones. It uses machine learning to measure the tone, energy, and positivity of your voice. And it asks you to take pictures of yourself in your underwear so it can track your body fat.

Tech companies want a monopoly on your smart products

Big companies like Amazon and Google are offering a family of networked devices, pushing consumers to buy into one company. For instance: Nest users now have to migrate over to a Google-only platform. Google is acquiring Fitbit.

And Amazon recently announced it’s moving into the wearable technology space. These companies realize that the more data they have on people’s lives, the more lucrative their products can be.

Products are getting creepier, even as they get more secure

Many companies — especially big ones like Google and Facebook — are improving security. But that doesn’t mean those products aren’t invasive. Smart speakers, watches, and other devices are reaching farther into our lives, monitoring our homes, bodies, and travel. And often, consumers don’t have insight or control over the data that’s collected.

Connected toys and pet products are particularly creepy. Amazon’s KidKraft Kitchen & Market is made for kids as young as three — but there’s no transparency into what data it collects. Meanwhile, devices like the Dogness iPet Robot put a mobile, internet-connected camera and microphone in your house — without using encryption.

The pandemic is reshaping some data sharing for the better. Products like the Oura Ring and Kinsa smart thermometer can share anonymized data with researchers and scientists to help track public health and coronavirus outbreaks. This is a positive development — data sharing for the public interest, not just profit.

November 2020 Patch Tuesday forecast: Significant OS changes ahead

November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release, or maybe an early gift depending on how you look at it, with the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.


The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!

This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.

A big change regarding servicing stack updates (SSUs) and the latest cumulative updates (LCUs) has finally been made: for Windows 10 version 2004 and later, the LCU and SSU have been combined into a single cumulative monthly update. Moving forward we don’t have to worry about managing these separately on those versions. Microsoft recommends applying the latest standalone SSU for Windows 10, version 2004 once, after which SSUs are applied automatically as needed as part of the cumulative updates. Older Windows 10 versions still receive the SSU as a separate package, so keep handling it as a prerequisite there.

This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.

Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.

November 2020 Patch Tuesday forecast

  • Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates, including those required for ESU systems, are expected.
  • Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
  • Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
  • Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
  • Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
  • It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.

September 2020 Patch Tuesday forecast: Back to school?

Another month has passed working from home and September Patch Tuesday is upon us. For most of us here in the US, September usually signals back to school for our children and with that comes a huge increase in traffic on our highways. But I suspect with the big push for remote learning from home, those of us in IT may be more worried about the increase in network traffic. So, should we expect a large number of updates this Patch Tuesday that will bog down our networks?

The good news is that I expect a more limited release of updates from Microsoft and third-party vendors this month. In August, we saw a HUGE set of updates for Office and also an unexpected .NET release after just having one in July.

Also looking back to last month, there were some reported issues on the Windows 10 version 1903, 1909, and 2004 updates. Applying KB 4565351 or KB 4566782 resulted in failures for many users on automatic updates, with return codes and explanations that were not very helpful. Let’s hope the updates are more stable this month, without the need to re-apply or, worse, redistribute these large updates across our networks using even more bandwidth.

Last month I talked about software end-of-life (EOL) and making sure you had a plan in place to properly protect your systems in advance. Just as an early reminder we have the EOL of Windows Embedded Standard 7 coming up on October Patch Tuesday. Microsoft will offer continued Extended Security Updates (ESUs) for critical and important security updates just like they did for Windows 7 and Server 2008.

These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021 along with the announcement that Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience. These changes are all still a few months out but plan accordingly.

September 2020 Patch Tuesday forecast

  • We’ll see the standard operating system updates, but as I mentioned earlier, with the large Office and individual application updates released last month, expect a smaller and more limited set this time.
  • Servicing stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
  • A security update for Acrobat and Reader came out last Patch Tuesday. There are no pre-announcements on their web site so we may see a small update, if any.
  • Apple released security updates last month for iTunes and iCloud, so we should get a break this month if they maintain their quarterly schedule.
  • Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
  • We’re due for a Mozilla security update for Firefox and Thunderbird. The last security release was back on August 25.

Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.

Confirmed: Browsing histories can be used to track users

Browsing histories can be used to compile unique browsing profiles, which can be used to track users, Mozilla researchers have confirmed.


There are also many third parties pervasive enough to gather web histories sufficient to leverage browsing history as an identifier.

The research

This is not the first time that researchers have demonstrated that browsing profiles are distinctive and stable enough to be used as identifiers.

Sarah Bird, Ilana Segall and Martin Lopatka were spurred to reproduce the results set forth in a 2012 paper by Lukasz Olejnik, Claude Castelluccia, and Artur Janc, using more refined data, and they’ve extended that work to detail the privacy risk posed by the aggregation of browsing histories.

The Mozillians collected browsing data from ~52,000 Firefox users for 7 calendar days, then paused for 7 days, and then resumed for an additional 7 days. After analyzing the collected data, they identified 48,919 distinct browsing profiles, of which 99% are unique. (The original paper observed a set of ~400,000 web history profiles, of which 94% were unique.)

“High uniqueness holds even when histories are truncated to just 100 top sites. We then find that for users who visited 50 or more distinct domains in the two-week data collection period, ~50% can be reidentified using the top 10k sites. Reidentifiability rose to over 80% for users that browsed 150 or more distinct domains,” they noted.

They also confirmed that browsing history profiles are stable through time, a second prerequisite for these profiles being repeatedly tied to specific users/consumers and used for online tracking.

“Our reidentifiability rates in a pool of 1,766 were below 10% for 100 sites despite a >90% profile uniqueness across datasets, but increased to ~80% when we consider 10,000 sites,” they added.
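The two properties the study measures, profile uniqueness within one observation window and reidentifiability across two windows, are straightforward to compute once a history is reduced to a set of visited domains. The following is an added example, not code from the Mozilla study or the 2012 paper; the histories it generates are constructed (a Zipf-like domain popularity and an 80% revisit rate are assumptions), and the matching rule (highest Jaccard similarity between domain sets, optionally truncated to the top-k most visited domains) is one simple instance of the linkage the passage describes, not the researchers’ exact method.

```python
"""Browsing-history profiles as identifiers: uniqueness and cross-period
reidentification. Added illustration; not the code from the Mozilla study or
the 2012 paper. Histories are synthetic (constructed inline)."""
import itertools
import random
from collections import Counter


def profile(history, top_domains=None):
    """Reduce a list of visited domains to a set of distinct domains.
    If top_domains is given, keep only those (the 'top-k sites' truncation)."""
    p = frozenset(history)
    return p & top_domains if top_domains is not None else p


def uniqueness(profiles):
    """Fraction of profiles that no other user shares exactly."""
    counts = Counter(profiles)
    return sum(1 for p in profiles if counts[p] == 1) / len(profiles)


def top_k_domains(period, k):
    """The k most visited domains in an observation period (dict user -> history)."""
    visits = Counter(d for h in period.values() for d in h)
    return frozenset(d for d, _ in visits.most_common(k))


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def reidentify(period1, period2, top_domains=None, min_domains=1):
    """Match each period-2 user to the period-1 profile with the highest Jaccard
    similarity and return the fraction matched to the correct user. Users with
    fewer than min_domains distinct domains in period 2 are excluded, mirroring
    the study's 'visited 50 or more distinct domains' subgroup."""
    known = {u: profile(h, top_domains) for u, h in period1.items()}
    hits = total = 0
    for u, h in period2.items():
        if len(set(h)) < min_domains:
            continue
        q = profile(h, top_domains)
        best = max(known, key=lambda v: jaccard(q, known[v]))  # ties: first user wins
        total += 1
        hits += best == u
    return hits / total if total else 0.0


def synthetic_periods(n_users, n_domains, visits, rng, revisit=0.8):
    """Constructed data (assumption, not the study's): each user has habitual
    domains drawn with Zipf-like popularity (domain 0 most popular); each period
    re-observes those habits with probability `revisit`, otherwise records a
    random popular domain instead."""
    domains = range(n_domains)
    cum = list(itertools.accumulate(1.0 / (rank + 1) for rank in domains))
    habits = {u: rng.choices(domains, cum_weights=cum, k=visits) for u in range(n_users)}

    def observe(u):
        return [d if rng.random() < revisit else rng.choices(domains, cum_weights=cum)[0]
                for d in habits[u]]

    return ({u: observe(u) for u in habits}, {u: observe(u) for u in habits})


if __name__ == "__main__":
    rng = random.Random(7)
    p1, p2 = synthetic_periods(n_users=400, n_domains=3000, visits=60, rng=rng)
    print("profile uniqueness:", uniqueness([profile(h) for h in p1.values()]))
    for k in (100, 1000, 3000):
        top = top_k_domains(p1, k)
        print(f"reidentified with top {k} domains:",
              reidentify(p1, p2, top, min_domains=30))
```

Running it reproduces the shape of the study’s result rather than its numbers: nearly every synthetic profile is unique, and the reidentification rate climbs as the truncation widens from the top 100 domains to the full set, because the long tail of rarely visited domains is what separates otherwise similar users.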

Finally, some corporate entities like Alphabet (Google) and Facebook are able to observe the web to an even greater extent than when the research for the 2012 paper was conducted, which may allow them to gain deep visibility into browsing activity and use that visibility for effective online tracking, even if users use different devices to browse the internet.


Other recent research has shown that anonymization of browsing patterns/profiles through generalization does not sufficiently protect users’ anonymity.

Regulation is needed

Privacy researcher Lukasz Olejnik, one of the authors of the 2012 paper, noted that the findings of this newest research are a welcome confirmation that web browsing histories are personal data that can reveal insight about the user or be used to track users.

“In some ways, browsing histories resemble biometric-like data due to their uniqueness and stability,” he commented, and pointed out that, since this data allows the singling-out of individuals out of many, it automatically comes under the General Data Protection Regulation (GDPR).

“Web browsing histories are private data, and in certain contexts, they are personal data. Now the state of the art in research indicates this. Technology should follow. So too should the regulations and standards in the data processing. As well as enforcement,” he concluded.

How secure is your web browser?

NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.


Key takeaways

  • Phishing protection rates ranged from 79.2% to 95.5%
  • For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
  • Protection improved over time; the most consistent products provided the best protection against phishing and malware.

Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.

Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.

In addition, the landing pages (URLs) of phishing websites are another way attackers exploit victims’ computers and silently install malicious software, without the victim ever choosing to download anything.

Protecting against malware and phishing

The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.

To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or allowlists, or by assigning it a score. The browser consults that verdict before navigation completes, so the quality of the list and how quickly it is updated largely determine the block rates measured in a test like this one.
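What such a lookup looks like on the client side, as an added example that is not NSS Labs’ code or any browser vendor’s implementation: it follows the general hash-prefix blocklist design used by cloud reputation services (canonicalize the URL, derive host-suffix and path-prefix expressions, compare short hash prefixes against a locally cached list, and confirm full hashes with the service only on a prefix hit) so that the URLs of pages that are not suspicious never leave the device. The blocklist and allowlist entries, the hostnames, and the 4-byte prefix length are constructed assumptions for the illustration, and the “cloud” side is simulated in-process.

```python
"""URL reputation lookup with a local hash-prefix blocklist. Added example,
not NSS Labs' or any browser vendor's code. Blocklist/allowlist entries are
constructed, and the cloud full-hash service is simulated in-process."""
import hashlib
from urllib.parse import urlsplit, unquote

BLOCKLIST = [                       # constructed entries, not real sites
    "http://evil.example/login/paypal/",
    "http://malware.example/",
]
ALLOWLIST = ["bank.example"]        # constructed: trusted host suffixes


def canonicalize(url):
    """Lowercase the host, resolve '.'/'..', collapse empty segments, drop the
    fragment. Returns (host, path, query)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".")
    raw = unquote(parts.path) or "/"
    segs = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if segs and raw.endswith("/"):
        path += "/"
    return host, path, parts.query


def expressions(host, path, query):
    """Host suffixes (full host plus up to four trailing labels, never the TLD
    alone) combined with path prefixes ('/', each directory, the full path, and
    the full path with query)."""
    labels = host.split(".")
    hosts = {host} | {".".join(labels[-n:]) for n in range(2, 6) if n < len(labels)}
    dirs = path.split("/")[1:-1]
    paths = {"/", path} | {"/" + "/".join(dirs[:i]) + "/" for i in range(1, len(dirs) + 1)}
    if query:
        paths.add(path + "?" + query)
    return {h + p for h in hosts for p in paths}


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


class ReputationClient:
    """Client side of a cloud reputation check over a hash-prefix list."""

    def __init__(self, blocklist_urls, allowlist_hosts=(), prefix_len=4):
        self.prefix_len = prefix_len
        self.allow = set(allowlist_hosts)
        # What the service knows; only the short prefixes are pushed to clients.
        self.cloud_full_hashes = {full_hash(self._entry(u)) for u in blocklist_urls}
        self.local_prefixes = {h[:prefix_len] for h in self.cloud_full_hashes}

    @staticmethod
    def _entry(url):
        host, path, query = canonicalize(url)
        return host + path + ("?" + query if query else "")

    def _lookup_full_hashes(self, prefixes):
        """Simulated round trip: the client sends only prefixes, never the URL."""
        return {h for h in self.cloud_full_hashes if h[:self.prefix_len] in prefixes}

    def check(self, url):
        host, path, query = canonicalize(url)
        labels = host.split(".")
        if any(".".join(labels[i:]) in self.allow for i in range(len(labels))):
            return "allowlisted"
        hashes = [full_hash(e) for e in expressions(host, path, query)]
        candidates = [h for h in hashes if h[:self.prefix_len] in self.local_prefixes]
        if not candidates:
            return "safe"   # decided locally from the cached prefix list
        # A prefix hit may be a collision, so confirm against full hashes.
        confirmed = self._lookup_full_hashes({c[:self.prefix_len] for c in candidates})
        return "blocked" if any(c in confirmed for c in candidates) else "safe"


if __name__ == "__main__":
    client = ReputationClient(BLOCKLIST, ALLOWLIST)
    for u in ("https://EVIL.example/login/paypal/index.html?x=1",
              "https://www.malware.example/anything/here",
              "https://login.bank.example/x",
              "https://notevil.example/login/paypal/"):
        print(u, "->", client.check(u))
```

Two details matter for a practitioner reading a test like NSS Labs’: the host-suffix and path-prefix expansion is why a blocklist entry for a directory catches every phishing page beneath it, and the prefix-then-full-hash split is why the check can be both privacy-preserving and prone to a short delay (the confirming round trip) on the first visit to a newly listed page.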

“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.

Tested browsers

  • Google Chrome – version 81.0.4044.113 – 81.0.4044.138
  • Microsoft Edge – version 83.0.478.10 – 84.0.516.1
  • Mozilla Firefox – version 75.0 – 76.0.1
  • Opera – version 67.0.3575.137 – 68.0.3618.125

Which video call apps should you use if you care about privacy?

To help individuals and organizations choose video call apps that suit their needs and their risk appetite, Mozilla has released a new “Privacy Not Included” report that focuses on video call apps.


The report includes the following popular offerings:

  • Zoom’s Zoom app
  • Google’s Duo, Hangouts, and Meet
  • Apple’s FaceTime
  • Microsoft’s Skype and Teams
  • Facebook’s Messenger, Messenger Kids, and WhatsApp
  • Epic Games’ Houseparty
  • Discord’s Discord app
  • 8×8’s Jitsi Meet
  • Signal Technology Foundation’s Signal
  • Verizon’s BlueJeans
  • LogMeIn’s GoToMeeting
  • Cisco’s WebEx
  • Doxy.me’s Doxy.me telemedicine app

Report findings

The report is based on Mozilla’s researchers reviewing each app’s privacy policy and specifications, which user controls it offers, and so on.

Each app is given an overall security rating, based on five things:

  • Whether it has a clear privacy policy
  • Whether it uses encryption (and what kind of encryption)
  • Whether it requires the use of strong passwords
  • Whether it provides automatic security updates
  • Whether the developers manage security vulnerabilities using tools like bug bounty programs and clear points of contact for reporting vulnerabilities.

Three of the evaluated apps have failed to meet Mozilla’s Minimum Security Standards, but that doesn’t mean that they should not be used. Different users have different needs and wants, and that includes those related to security and privacy.

For example: Discord collects information on the user’s contacts if they link their social media accounts, and that’s something that might not bother some users. Another example: Houseparty collects a lot of personal data and its privacy policy clearly explains that. Again, some users might be ok with that.

Mozilla noted that many of the apps provide admirable privacy and security features and that all apps use some form of encryption (though not all encryption is end-to-end). Still, some apps, like Doxy.me, offer inadequate protection, especially when you consider the extremely sensitive health information that is usually shared through it.

Making a choice

Consumers and organizations should review Mozilla’s findings and decide for themselves which solution is right for them. I would also advise checking similar research reports and mentions, which may include additional offerings and point out other qualities that one may search for in a solution (e.g., whether it supports self-hosting) or traits one may avoid.

Mozilla’s researchers also pointed out that different apps have very different sets of video chat features, making some more fitting for enterprise use and others a more natural choice for consumers. Business users who want a fuller set of features and a higher level of security, and have money to pay, should look to business-focused apps, they noted.

Ashley Boyd, Mozilla’s Vice President, Advocacy, pointed out that, with a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it’s more important than ever that this technology be trustworthy.

We have witnessed how Zoom moved to quickly patch security flaws reported by researchers and how the addition of new, helpful features has been copied by competitors (e.g., Zoom and Google Hangouts offered one-click links to get into meetings, and Skype recently followed suit).

“The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry,” Boyd concluded.

Mozilla will fund open source COVID-19-related technology projects

Have you come up with hardware or software that can help solve a problem that arose from COVID-19 and its worldwide spread? Mozilla is offering up to $50,000 to open source technology projects that are responding to the pandemic in some way.


Crisis jumpstarts innovation

Ever since COVID-19 became a global problem, there have been efforts aimed at jumpstarting solutions to the everyday challenges brought on by the outbreak.

Innovative medical solutions have been introduced by individuals and due to extreme need almost immediately deployed by hospitals.

Online “hackathons” – launched/sponsored by governments and various organizations in Poland, Estonia, China, the UK, Switzerland, India, Malaysia, and so on – are gathering participants from different sectors (medicine, pharmacy, environmental protection, computer systems, product design, etc.) and with different skills to collaborate and come up with IT-based (or not) open source solutions to COVID-19-related medical, social and other problems.

Depending on the hackathon’s organizers, some of the most promising solutions might get some funding.

The COVID-19 Solutions Fund for open source technology

Mozilla has now decided to offer funding, as well.

“As part of the COVID-19 Solutions Fund, we will accept applications that are hardware (e.g., an open source ventilator), software (e.g., a platform that connects hospitals with people who have 3D printers who can print parts for that open source ventilator), as well as software that solves for secondary effects of COVID-19 (e.g., a browser plugin that combats COVID related misinformation),” the organization explained.

Up to $50,000 each will be awarded to mature projects that can immediately deploy the funding, and applications will be accepted from anywhere in the world (to the extent legally permitted) and from any type of legal entity, including NGOs, for-profit hospitals, or a team of developers with strong ties to an affected community.

This fund is part of the Mozilla Open Source Support Program (MOSS), so only projects which are licensed for use under an open source license according to the Free Software Foundation or the Open Source Initiative can apply for funds.

FCC’s “illogical” claim that broadband isn’t telecommunications faces appeal


Mozilla and other organizations today appealed the court ruling that upheld the Federal Communications Commission’s repeal of net neutrality rules, arguing that the FCC’s claim that broadband isn’t telecommunications should not have been accepted by judges.

The FCC repeal was upheld in October by a three-judge panel at the US Court of Appeals for the District of Columbia Circuit. The court had some good news for net neutrality supporters because it vacated the FCC’s attempt to preempt all current and future state net neutrality laws. But Mozilla and others aren’t giving up hope on reinstating the FCC rules nationwide.

The Mozilla petition filed today asks for an en banc rehearing of the case involving all of the DC Circuit judges. Mozilla is probably facing an uphill battle because the three-judge panel unanimously agreed that the FCC can repeal its own net neutrality rules.

Joining Mozilla in the appeal were online companies Etsy and Vimeo, industry lobby group Incompas, and the Ad Hoc Telecom Users Committee, which represents business users of communications services. The case is known as Mozilla v. FCC.

Another appeal was filed today by several advocacy groups, namely New America’s Open Technology Institute, Free Press, Public Knowledge, the Center for Democracy & Technology, the Benton Institute for Broadband & Society, the Computer & Communications Industry Association, and the National Association of State Utility Consumer Advocates. Another appeal was filed by the National Hispanic Media Coalition, and another by Santa Clara County, San Francisco, the California Public Utilities Commission, and the National Association of Regulatory Utilities Commissioners.

Mozilla wrote in a blog post today:

Mozilla’s petition focuses on the FCC’s reclassification of broadband as an information service and on the FCC’s failure to properly address competition and market harm. We explain why we believe the court can in fact overturn the FCC’s new treatment of broadband service despite some of the deciding judges’ belief that Supreme court precedent prevents rejection of what they consider a nonsensical outcome. In addition, we point out that the court should have done more than simply criticize the FCC’s assertion that existing antitrust and consumer protection laws are sufficient to address concerns about market harm without engaging in further analysis. We also note inconsistencies in how the FCC handled evidence of market harm, and the court’s upholding of the FCC’s approach nonetheless.

Judge blasted FCC but upheld repeal

Circuit Judge Patricia Millett, one of the three judges who decided the case, wrote that the FCC’s justification for classifying broadband as an information service instead of a telecommunications service “is unhinged from the realities of modern broadband service.” But the FCC has broad authority to classify offerings as either information services or telecommunications, as long as it provides a reasonable justification for its decision, and judges said they had to leave the net neutrality repeal in place based on US law and Supreme Court precedent.

Consumer advocacy groups are arguing that judges didn’t have to give the FCC so much deference.

“Although the court came to the right conclusion on some key issues, such as the FCC’s lack of authority to preempt state net neutrality rules, in other ways it gave the FCC the benefit of the doubt too many times,” Public Knowledge Legal Director John Bergmayer wrote today. “While agencies should be given deference where appropriate, they do not have the authority to rewrite the law or come to illogical, results-driven conclusions.”

The FCC argued that broadband isn’t telecommunications because Internet providers also offer DNS (Domain Name System) services and caching as part of the broadband package. Millett wrote that this interpretation “confuse[s] the leash for the dog,” but ruled in the FCC’s favor because of the Supreme Court’s 2005 decision in the Brand X case, which let the FCC classify cable broadband as an information service. Brand X “compels us to affirm as a reasonable option the agency’s reclassification of broadband as an information service based on its provision of Domain Name System (‘DNS’) and caching,” Millett wrote.

Circuit Judge Robert Wilkins agreed with Millett’s assessment. Senior Circuit Judge Stephen Williams didn’t join Millett and Wilkins in this line of criticism, but he joined them in upholding the repeal. Williams wanted to uphold the other big portion of the FCC order, too, as he dissented from a 2-1 decision to vacate the FCC’s preemption of state laws.

The advocacy groups’ petition argued that judges “misconstrued Brand X as precluding any judicial review of the reasonableness of classifying a service that overwhelmingly offers telecommunications as an information service simply because it includes DNS and caching.”

If the court decides not to grant the request for a re-hearing of the case, petitioners could appeal to the Supreme Court.

The FCC could also appeal, since judges ruled against the commission on its attempt to preempt state laws. Today is the deadline for filing appeals at the DC Circuit court, and we’ll update this story if the FCC submits one.

GitHub Security Lab aims to make open source software more secure

GitHub, the world’s largest open source code repository and leading software development platform, has launched GitHub Security Lab.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” said Jamie Cool, VP of Product Management, Security at GitHub.

GitHub Security Lab is a program aimed at researchers, maintainers, and companies that want to contribute to the overall security of open source software. Current … More
