Welcome to this week’s edition of Liberty Nation TecWeek, a weekly column that will catch you up on all things tech related — specially designed for those who do not consider themselves tech savvy. TecWeek focuses on news stories and topics that affect you, like digital security, government and corporate surveillance, privacy, and much more.
In this week’s column:
- Yet another data leak, yet another toy: Was your child’s information leaked?
- Swastikas all over Twitter show how easy it is to take over accounts en masse
- Advertisers will soon be buying your private web data — from your internet provider
- Dun & Bradstreet loses control of a database with over thirty-three million corporate Americans in it
If you’re getting sick of hearing about yet another way your information is being leaked to the world, or being told about yet another device in your home that is literally spying on you, then you’re not alone. Unfortunately, it all keeps happening — and will continue to occur. This week’s “Terrible Toy” is called CloudPets, by a company called Spiral Toys. CloudPets are cute stuffed animals that you and your child can use to record messages to each other. There’s no possible way that could go wrong, right?
“Free shipping for active duty military!” their website proclaims, bragging that you can use the toy to let your child hear messages from “anywhere in the world.” What deployed parent doesn’t feel pain at being separated from his or her children? How amazing a concept, to send your child a stuffed animal with the sound of your voice recorded in it? There’s only one problem; Vice has the story.
Since Christmas day of last year and at least until the first week of January, Spiral Toys left customer data of its CloudPets brand on a database that wasn’t behind a firewall or password-protected… The exposed data included more than 800,000 emails and passwords, which are secured with the strong, and thus supposedly harder to crack, hashing function bcrypt. Unfortunately, however, a large number of these passwords were so weak that it’s possible to crack them…
Take into account the fact that most people — against all good practices and common sense — use the same passwords for multiple accounts, and you can see how fast this becomes a far bigger issue. And that’s still not the worst of it. Over two million voice recordings were also leaked, many of them children’s voices and messages. While your first thought may be to ask why a criminal would care about little Sally’s conversation over fake tea parties, keep in mind that there are a wide variety of criminals who would be interested in the data leak, and some who would be more interested in the children. Security researchers also point out that the stuffed animals themselves are easy to hack and turn into listening devices. If at this point you’re about ready to walk through your house and take out any internet-capable household gadgets, you’re making a wise choice. Experts have been warning about the Internet of Things for a few years now; no one listened, choosing convenience and excitement over prudence. Now, we’re all seeing the logical end of that path.
Speaking of criminals getting into things, Twitter had a bit of a problem on Wednesday, as a peripheral service called Twitter Counter was hacked. Twitter Counter offers posting services, account management and analytics; a “security blunder” at the third-party company led to hackers being able to post anything they wanted from any Twitter account that the analytics company had access to. The Turkish criminals chose to plaster swastikas and Nazi propaganda all over Twitter for a few hours — including on the account of Amnesty International. You don’t have to speak the language to understand that this tweet was an issue:
You may have read the story about the spying teddy bear and been secretly thankful that you either never bought your children that toy, or that you don’t have children at all. Never fear, you’re still in the data net. Republican lawmakers Sen. Jeff Flake (R-AZ) and Rep. Marsha Blackburn (R-TN) actually introduced legislation last week that would allow advertisers to purchase your private internet history — what little they aren’t already privy to, they would simply buy.
The fact that Republican legislators are the ones pushing this through should disturb you regardless of whether you’re a card-carrying member of the GOP or not. Advertising companies, naturally, are ecstatic and falling all over themselves in their gratitude. The privacy rules currently pending implementation — as pathetic as they are — “must be stopped,” said Association of National Advertisers Executive VP Dan Jaffe. The current rules, which state that internet service providers have to “get opt-in consent from consumers before sharing information with third parties,” are set to go into effect in December of this year. Flake and Blackburn’s legislation would effectively keep those rules from ever going into effect at all.
It all seems to be a question of territory.
Republicans say the Federal Trade Commission, not the FCC [Federal Communications Commission], should have authority over the privacy practices of ISPs [Internet Service Providers]. But overturning the existing privacy rules would not by itself return authority to the FTC, and the FTC could be more lenient with ISPs than the FCC.
It sounds like there may be some overlap in the agencies, if there’s a question about jurisdiction and whatnot. Perhaps President Trump can find some more unconstitutional, overreaching swamp water to drain. In the meantime, next time you sit down at your computer, ask yourself if you are comfortable with someone purchasing a list of the websites you’re visiting. If not, look into using a virtual private network or other tools. There’s a great primer on those tools here.
Lastly, we bring you this disturbing tidbit. ZDNet reports that a database belonging to Dun & Bradstreet containing “33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population,” was leaked this week. If you have a corporate job, there’s a possibility that you’re among the many victims. While the database is the kind purchased every day by marketers and businesses, security expert Troy Hunt pointed out that having it all there, in one searchable format, is a reminder that we have lost control of our privacy.
Hunt’s analysis of the records showed that the leading organization by records is the Department of Defense, with 101,013 employee records, followed closely by the US Postal Service with 88,153 employee records.
The US Army, Air Force, and Department of Veterans Affairs are all listed with a combined 76,379 records.
AT&T, Boeing, Dell, FedEx, IBM, and Xerox were among the most named companies in the database, with tens of thousands of employee records each.
If you’d like to check and see if your information has been part of a data leak, you can check out Hunt’s leak database here. Even if you’re not part of corporate America, there’s a good chance your information was part of this spam operation.
That’s it for this week! Tune in next Friday for more tech news that matters.