In this week’s Security Ledger podcast, sponsored by our friends at CyberArk, we talk about the German government’s recent decision to declare kids’ smart watches “surveillance devices” and to order their destruction. Also: Adrian Shabaz of Freedom House comes in to talk to us about the latest Internet Freedom report, which finds that governments are increasingly manipulating online content to shape online discussions and even the outcome of elections at home and abroad. And finally: leaked credentials in a GitHub repository may have been behind Uber’s loss of information on some 50 million customers. In a preview of a Security Ledger spotlight podcast, we hear from Elizabeth Lawler of CyberArk about the proliferation of so-called “DevOps secrets” and why companies need to do a better job managing the permissions assigned to applications.
Up first: shoppers were off to the races on Black Friday, spending an eye-popping $5 billion in online sales on Friday alone – up 17 percent from last year. Smart toys and wearables will, once again, be on many shoppers’ lists this year. But security experts warn buyers to beware: lax design and absent security features often result in connected toys that bleed sensitive information to whoever cares to listen. Toys, from connected dolls and trucks to wearables, risk allowing hackers to get access to your sensitive data or to spy on you – or your children – from afar.
That was the concern behind a decision by regulators in Germany in October to declare a range of smart watches sold to children in that country surveillance devices that are banned under German law. The government ordered consumers who purchased the wearable devices to destroy them – and to obtain proof that they did so. As Security Ledger reported, the order, addressed to manufacturers, buyers and sellers of the smart watches, is just the latest from the German telecommunications regulator, the Bundesnetzagentur, regarding connected playthings, which commonly include features that allow parents or others to remotely listen in on or observe a child’s surroundings.
“Parents can use these children’s watches to listen in to the child’s surroundings without detection via an app(lication),” said Jochen Homann, Bundesnetzagentur President in a published statement. “Our investigations found, for example, that parents were using them to eavesdrop on teachers in lessons.”
Part 1: Why Smart Toys Can’t Be Trusted: a Conversation with Ken Munro
Our first guest on this week’s podcast is Ken Munro of the firm Pen Test Partners. Ken has been on the vanguard of those assessing the security of connected playthings. He and his colleagues notably hacked a connected doll known as My Friend Cayla, modifying the doll’s software and getting her to parrot obscenities. Munro is sounding the alarm about the lack of privacy and security standards in smart toys. Ken came into the Security Ledger studios to talk about the German government’s decision regarding smart watches – a decision that he strongly supports – and about whether regulators in the US might also come to treat smart toys equipped with microphones and cameras as illegal surveillance devices.
He also has advice for parents hunting down gifts for the holiday season. “Be really careful. The products that really bother me are the ones with sensors you can use…Products that involve cameras, speakers and microphones, if they’re interfered with, there’s a lot more trouble there. I would be a little wary.”
Part 2: One Nation Under Trolls
In our second segment: Donald Trump’s surprise victory in the U.S. Presidential race last year prompted a flurry of reports about how the Internet and social media are being used to shape public perceptions. The latest Internet Freedom Report from the folks at Freedom House supports that argument, finding that Internet freedom receded in 2017 as more governments turned to paid operatives on the Internet and social media networks to promote official narratives or discredit critics. Adrian Shabaz, the Research Manager at Freedom House, stopped by the Security Ledger studio to talk about how repressive governments have shifted from trying to curtail Internet access to using the Internet itself as a tool of oppression.
Freedom House counted 18 elections globally that experienced some form of online manipulation, including the U.S. elections. “This manipulation is incredibly hard to detect,” Shabaz said. “It’s so much more dispersed and when we look at the number of accounts it’s this pervasive phenomenon that undermines trust in the Internet itself.”
Part 3: DevOps Secrets Tripped up Uber – they’re not alone
In our final segment: the big news about the theft of data on some 57 million Uber riders and drivers – including driver’s license numbers for roughly 600,000 U.S. drivers – was that company’s decision to conceal the breach for months before telling regulators and victims. That decision now seems likely to deliver a wealth of lawsuits to Uber’s doorstep.
But behind the incident was a now-common culprit: administrative credentials tucked into source code that was checked into GitHub, a popular cloud-based code repository, where attackers found them. Our next guest, Elizabeth Lawler of the firm CyberArk, said that this kind of lapse is all too easy for modern software development organizations like Uber to make. Application code, Lawler argues, is effectively one of the most privileged users in many organizations – and one of the most exposed, because code travels to places (repositories, build servers, laptops) where the secrets embedded in it are not protected.
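As an added illustration of the lapse Lawler describes (this is not code from the podcast, from Uber or from CyberArk), here is a small pre-commit-style scanner that inspects only the lines a git diff adds and flags the patterns that typically betray a committed secret: an AWS access key ID (the public AKIA… format), a PEM private-key header, and assignments to names like password, secret or token whose value carries enough entropy to be a real credential rather than a placeholder. The diff below is constructed for the example; the AWS key values in it are Amazon’s published documentation examples, not live credentials. The name patterns, the entropy threshold and the allowlist for environment-variable lookups are assumptions, not any tool’s documented behaviour.

```python
import math
import re
import sys
from collections import Counter

# Secret-shaped patterns (assumptions for this example). The AKIA format for
# AWS access key IDs and the PEM header are public formats; the "assigned
# secret" pattern is a heuristic for password/secret/token assignments in
# source and config files, with a prefix or suffix allowed on the name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[\w-]*\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Values that reference a runtime source (env var, shell expansion) are not
# embedded secrets, so they are allowlisted.
INDIRECT_VALUE = re.compile(r"environ|getenv|\$")

# Below this many bits per character a value looks like a placeholder
# ("xxxxxxxx", "changeme"), not a generated credential. Assumed threshold.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list[str]:
    """Return the names of every secret pattern that fires on one line of text."""
    findings = []
    for name, pattern in PATTERNS.items():
        match = pattern.search(line)
        if not match:
            continue
        if name == "assigned_secret":
            value = match.group(1)
            if INDIRECT_VALUE.search(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # env lookup or low-entropy placeholder
        findings.append(name)
    return findings


def scan_diff(diff_text: str) -> list[tuple[str, str, str]]:
    """Scan only the lines a unified diff adds; return (file, line, finding) tuples."""
    findings = []
    current_file = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("+"):          # added line (the "+++" header is handled above)
            line = raw[1:]
            for name in scan_line(line):
                findings.append((current_file, line.strip(), name))
    return findings


# Constructed sample diff: a config file that moves from a placeholder password
# to real-looking values. AKIAIOSFODNN7EXAMPLE and the matching secret key are
# the example credentials printed in AWS documentation.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,7 @@
 import os
-DB_PASSWORD = "changeme"
+DB_PASSWORD = "Xq7!vR2pLm9sT4wZ"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+API_TOKEN = os.environ["API_TOKEN"]
+PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxx"
+# password = <set via vault>
"""


def main() -> int:
    """Read a diff from stdin (or use the sample) and fail if any secret is found."""
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff_text)
    for path, line, name in findings:
        print(f"{path}: {name}: {line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `git diff --cached -U0 | python scan_secrets.py` from a pre-commit hook, the non-zero exit blocks the commit before the credential ever reaches a remote. Scanning staged diffs rather than the working tree is deliberate: it catches the secret at the one moment it is cheap to remove, whereas a key that has already been pushed has to be treated as compromised and rotated, since rewriting history does not recall the clones and forks that copied it.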
In this week’s podcast, we’re excerpting a segment of a conversation Security Ledger had with Elizabeth about so-called “dev ops secrets” and why they pose serious risk to modern organizations of all stripes. You can check out our full conversation later this week in our Security Brief podcast on Privileged Access Management, sponsored by CyberArk.