TOTW #2: IoT, Data and Privacy Breaches

Hello, IoTeX community! Here comes the second Thread of The Week, in which we will talk about IoT, Data and Privacy incidents, leaks and breaches.

image|x3871030×579 171 KB

You can share a personal story, something that happened in your country/region or source the incident from the news and the Internet. In your post, please:
Tell us about the breach, what happened and how
Consequences and the impact
How could have it been avoided or solved?
Could have IoTeX’s technology been used to prevent it and how?

Make sure to include your Telegram ID in your post so we can add you to the weekly Scoreboard combined with IoTrivia & contact you if you are a winner.

A new TOTW will start every Monday at midnight PST
Rewards: Our Brand Ambassadors will pick 2 winners with interesting stories/use cases who will receive IoTeX t-shirts

You can post more than once but make sure to share different stories/use cases, do not duplicate posts. Feel free to comment & reply to posts from other community members.

Let me start with the first use case

Uber
In late 2016, personal information of 57 million Uber users and 600,000 drivers got exposed. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account, which should not have been in there in the first place…

Could this have been easily avoided? Certainly! For such a big and influential corporation, it should be crucial to properly manage and store their client’s information. A few ways to do that 1) allow their customers to store their own information and identity without using a centralized server {IoTeX DID} 2) use secure servers {Intel SGX} by encrypting all the data. But the first step for everyone is not to share and post their passwords and usernames online

TG: @Alina_IoTeX

Dubsmash

Dubsmash data breach December 2018

Impact: 162 million users

In December 2018, Dubmash suffered a data breach that exposed 162 million unique email addresses, usernames and DBKDF2 password hashes. In 2019, this data appeared for sales on the dark web and was circulated more broadly. Sales their data to the dark web:scream: it’s too scary

So how to prevent it?
Lets Blockchain solve it or IoTeX especially
This methods look similarly with @Alina hehe
So allow their customers to store their information and identity using Decentralized Identifiers (IoTeX DIDs).
How special IoTeX DID is?
Yeah DIDs are designed to function without a central registration authority.
DIDs are registered in blockchain, DIDs should be permanent, persistent, and non-reassignable.
DIDs are made useful through resolution.
And the last reason you should use DID is they can prove ownership
How cool
Use configuration management to ensure cloud services are not exposing data to the Internet.
Prevent phishing
Use password manager that encrypted your data
Install anti malware/virus

But remember to investing carefully your chosen third party service before using it!

TG : @strept0

Sometimes I get an email and I see that someone has gained access to my account. Another problem I see in integrated cameras. And basically, you have to say that you can always be the victim of a hacking attack and it does not matter how much effort you put into protecting your data. It’s just a matter of effort.
I believe Iotex can help solve these problems.

Take as an example the integrated cameras found in laptops, smartphones and tablets. With the Iotex hardware you would have an almost unbeatable protection against hacker attacks right from the start and you do not have to worry about being watched. In my opinion, this is a priceless property that is not so easy to find in our time. Given that people are becoming increasingly paranoid these days, I assume that this new possibility will be accepted by society.

And that’s how the whole thing works. Each device is assigned a DID. All records are stored exclusively in the blockchain. It only has the access that owns the key. If you want to send your video to friends, then you simply send the record to its public address.

At this point I’m looking forward to the journey to the moon with Iotex

TG ID @altcoin_maximalist

My IoT data breach / hack example is from one of my idols, Elon Musk. While he is busy innovating new futuristic electric vehicles and spacecraft, he is also cognizant of the security risks associated with emerging technologies.

His biggest cybersecurity fear? A fleet-wide hack of Teslas – “In principle, if somebody was able to hack, say, all of the autonomous Teslas, they could, say—I mean just as a prank—they could say like ‘send them all to Rhode Island’ from across the United States." Or something much more malicious …

IoTeX can help prevent this issue by authorizing any firmware/software updates applied to Tesla vehicles. As there is no centralized server where a hacker could enter, it would be impossible for them to maliciously hack the entire fleet of vehicles. This is just one instance of how IoTeX can prevent large-scale, systemic breaches/hacks, in addition to protecting the security/privacy of consumers and enterprises.

TG ID: @larry_iotex

导读：物联网(Internet of Things，简称IoT)故名思义就是物物相连的互联网。具体是指通过信息传感器设备，按照约定的协议，把任何物品与互联网连接起来，进行信息通信和交换，以实现智能化识别、定位、追踪、监控和管理的一种网络。

什么是物联网?

物联网(Internet of Things，简称IoT)故名思义就是物物相连的互联网。具体是指通过信息传感器设备，按照约定的协议，把任何物品与互联网连接起来，进行信息通信和交换，以实现智能化识别、定位、追踪、监控和管理的一种网络。
这个定义主要包含2层意思：其一，物联网的核心和基础设施仍然是互联网，只不过是在其基础上进行延伸和扩展罢了;其二，其用户端延伸和扩展到了任何物品与物品之间，可进行信息交换和通信，也就是物物相息。物联网通过智能感知、识别技术与普适计算等通信感知技术，广泛应用于网络的融合中，也因此被称为继计算机、互联网之后世界信息产业发展的第三次浪潮。

物联网的应用

物联网的应用场景是很多的，可以切入到我们生活的方方面面。包含农业、交通、医疗、物流等领域。下面几个例子可以大致说明。

智能家居

你家里面的冰箱，电器，包括门槛等等都可以被远程控制，你想想，你在外面就可以监视到你家里的一切状况，还能调节，是不是一件很美妙的事情。

智能医疗

在医疗卫生领域中。物联网是通过传感器与移动设备来对生物的生理状态进行捕捉。如心跳频率、体力消耗、葡萄糖摄取、血压高低等生命指数。把它们记录到电子健康文件里面。方便个人或医生进行查阅。还能够监控人体的健康状况，再把检测到的数据送到通信终端上，在医疗开支上可以节省费用，使得人们生活更加轻松。

智能交通

以图像识别技术为核心。综合利用射频技术、标签等手段，对交通流量、驾驶违章、行驶路线、牌号信息、道路的占有率、驾驶速度等数据进行自动采集和实时传送，相应的系统会对采集到的信息进行汇总分类，并利用识别能力与控制能力进行分析处理，对机动车牌号和其它高档车进行识别、快速处置，为交通事件的检测提供详细数据。该系统的形成，会给智能交通领域带来极大的方便。

物联网的应用场景实在太多，而且目前已经有了相当多的产品落地，比如：供应链/物流、可穿戴设备、智能办公场所、辅助驾驶/自动驾驶等。

物联网面临的困难

我们都知道，物联网的愿景是实现万物互联，而目前的一些落地应用，都是单一的产品。

产品的运营和维护成本过高

在物联网的条件下每个智能设备的计算能力都非常有限。

数据问题。目前物联网的数据都是通过智能设备将采集到的数据传到中心化的机构的服务器，而这些机构可能会拿着我们的数据，甚至是隐私去做大数据分析，给我们带来了一些安全隐患。

以上这些都是一些相对简单的问题，我认为互联网发展面对的核心问题是来自数据层面的挑战。主要是在数据的存储、数据流动、数据安全方面。

数据的存储

物联网的核心和基础设施仍然是互联网。在物联网的世界中，各种产品都会接入一个庞大的智能网络。在物联网中进行交易时，交易的频率和交易的数量都会非常的大，相关的清算、结算系统也要不停的运转;而且需要无时无刻的进行数据的采集，处理、传递。这无疑会对相关的基础设施提出巨大的挑战，这将是一个复杂的网络，以至于目前还没有一个中心化的机构的服务器能够承担这个任务，包括Google、Apple、阿里、腾讯都不行。

数据流动

一起来看看目前使用的支付清算系统的处理能力：Visa实验室的测试数据是5.6w笔/秒，而支付宝在双十一的活动中支撑起了8.59w笔/秒懂交易峰值，这已经是非常了不起的成绩了。想想在物联网的世界中交易数量和频率远不止于此。

数据安全

在目前看来，互联网上的黑客攻击、数据泄漏、恶意软件、网络监测等等问题，已经给大家带来了很多困扰，如果把万物都接入网的话，如何能够保证数据的安全呢?如何保护我们个人的隐私和财产安全呢?

当区块链遇上物联网

哈哈，救世主来了。为什么说区块链是物联网的救世主?这要从区块链的一些特性来说明了。

加密算法保护用户隐私。虽然物联网运营商一直宣称他们能够有效保护用户的数据安全和隐私，但是一系列的安全漏洞和隐私泄露事件的发生使用户无法真正信任运营服务提供商能够实现他们的承诺。而区块链的非对称性加密技术可以通过数学算法来保护用户的隐私。

去中心化使得智能设备可以拥有一定的自调节和管理能力。在物联网的世界中，接入的节点的数量会非常大，所以希望连入物联网的设备能够具有一定的智能，在既定的规则逻辑下进行自主协作，完成各种商业应用，也就是说构建一个自组织，自调节的系统。在这个系统中会进行大量的信息和价值的交换，然而在目前中心化构架下的物联网很难完成上述自主协作和有效交易，原因是目前协作和交易的设备必须是同一个物联网运营服务商，这就大大降低了物联网应用的真正商业价值。而区块链技术为物联网提供了去中心化的可能性，使整个系统变成一个去中心化的，有自组织能力的体系。区块链技术可以实现无需信任的，点对点的价值传输，进而构建出一个健壮、可扩展的物联网。

举个例子

早在2014年，IBM就发表过报告，指出区块链可以称为物联网的最佳解决方案，并且于2015年，IBM与三星合作，联合打造了ADEPT系统，这套系统利用区块链的去中心化、智能合约、点对点传输的特性构建了一个去中心化的物联网。通过这套系统可以打造一个自动检测问题、自动更新、不需要过多的人为操作的设备，这些设备也能与附近的其他设备通信。

由于区块链的出现，或许物联网离实现万物互联互通的时间就更近了。
TG:Ricco007

Well, I’d say, that problems with centralized databases have lots of breaches, but main is human element. And we can see it in almost all the examples given in this topic.

I can give a similar example with a situation in Serbia in the december of 2014. Privatization agency has left in the public domain a link to a database of 5 million citizens of the country, a significant part of whom have never even used the Internet. Names, surenames, IDs, — everything was accessible to intruders.

Of course we can say, that the easiest way to avoid such a problem is not to leave such a link, but Murphy’s law makes such a mistake inevitable sooner or later. So we need a better decision for preventing it.

And cryptography and decentralized databases could help much better, because there would be much less chances for a human mistake and even if such a mistake will take place its consequences will be much less serious. So, I guess IoTeX’s technologies can help in such situation! For instance Trusted Computing can prevent getting access by casual people. Decentralized Identity can prevent getting all data of 5 million people by one time. And so on.

Telegram… @bez_nicka

The case of 50 millions facebook profiles published by The Guardian and The New York Times by march 17, 2018 to have been harvested for Cambridge analytical in a major data scandal, which Christopher Wylie claimed that the data was sold to the Cambridge analytical which was reportedly used to develop psychographic profiles of people and deliver pro Trump to them online
This could have been avoided if facebook team have come up with the idea of allowing individual user to store their own information in decentralized database like Iotex DID. Secondly use of a secure server like Intel SGX 2 by encrypting all their information and data.
Government should put appropriate regulations in place with stiff penalty for any breaches:writing_hand:
Telegram Id: @tadex01

On 15 July 2019 an anonymous hacker successfully breached the security systems of the Bulgarian National Revenue Agency (’‘NRA’’) and downloaded the personal data of over 5 million Bulgarian citizens. Part of the hacked information (about 11 GB) was leaked to local media. This is one of the biggest personal data breach in Bulgaria up to present date. After the initiated inspection and discovery of highly insufficient measures for protection of personal data the CPDP fined the Bulgarian NRA with a 5.1 million BGN (about 2.5 million EUR).

This issue could have been pevented by putting in place a firmware software updates by Iotex. Since there would not have been any centralized server where hackers can penetrate
Also Iotex would have used decentralized identity DID as a channel of storing the information of Bulgarian National Revenue Agency (’‘NRA’’)

Telegram ID : @SangosanyaM

Whatsapp

In May, whatsapp was hacked and spyware was installed on users’ phones. Hackers were able to install surveillance technology on the phones of WhatsApp users who answered their phone calls through the app,

WhatsApp has over 1.5 billion users worldwide which were vulnerable to this data and privacy breaches.
This could have been avoided by thorough privacy management; Which IoTex obviously has

This could have been avoided by applying 'privacy by design ’ and ‘user-centric features’ which are both part of IoTex features.
This allows the users to own their privacy by making them to chose who can view their data including their phone numbers, or who they want to receive call from.
whatsapp having an open source whereby anyone can view one’s phone number is not ideal to start with.
Obviously there are lots of gaps to be covered by IoT as regards data, privacy and security breach.

@JessiSam

Hi IoTeX fans
The market for IoT devices is growing rapidly. Along with the development of the industry, the need for security remains high. Experts have yet to find reliable solutions to IoT security problems. Enterprises are concerned about the potential risks of implementing IoT solutions. Consumers, on the other hand, need stable devices.

Cybersecurity researchers offer a look at five major incidents in the IoT segment.

Mirai DDoS Botnet
Probably the most famous botnet attack using IoT devices is the Mirai DDoS (distributed denial of service attack). It has successfully slowed down or paralyzed the Internet over almost the entire East Coast of the United States. As a result, Dyn, a network service provider, suffered significant losses.

The botnet was deployed for selfish reasons by 21-year-old Paras Jha (New Jersey), Dalton Norman (Dalton Norman, Louisiana) and 20-year-old Josiah White (Pennsylvania). Attackers planned to disable private servers with Minecraft and entice users to their server.

Among the victims are not only Minecraft servers served by the DNS provider Dyn, but also Twitter, Reddit, Yelp, Imgur, PayPal, Airbnb, Pinterest, Soundcloud, Spotify, GitHub, HBO, CNN, Starbucks, Yammer, etc. Without stable mobile communications, subscribers of the largest European telecom operator Deutsche Telekom remained for several hours. Problems with access to the network were observed among users in the United States and Western Europe.

The botnet scanned many open Telnet ports and performed the authentication procedure using 61 default login / password combinations of devices. It turned out that an army of hacked devices was created by students at Rutgers University.
Jeep and virtual hijacking:red_car:
In 2016, two hackers, Charlie Miller (Charlie Miller) and Chris Valasek (Chris Valasek), successfully seized control of the Jeep Cherokee. This was the first virtual hijacking. The driver was in the car. After vulnerabilities were detected in the vehicle, the “attackers” took control of the ventilation system flaps, radios, wipers, etc. All this happened while the driver was driving. Soon, the faces of Miller and Valasek appeared on the display of the multimedia system, and the driver lost control of the brakes, accelerator and steering system. In the end, hackers were able to remotely stop the car.

Attackers published a list of the most vulnerable cars, prompting automakers to make software fixes. They recommended brand owners of these machines to pay attention to the need for regular system updates.
Owlet WiFi cardiac monitor for children
Owlet is a heart rate sensor used in infant socks. You can use the device from birth to 18 months. Socks are compatible with iOS and Android 30 and work via Bluetooth 4.0 within a radius of 30 m. Socks control the frequency of heartbeats, oxygen level in the blood, body position during sleep. Parents can set alerts in the smartphone application if the indicators deviate from the norm.

Telegram : @H1xindahouse

My input for Data Hacks is Comodo “global leader in cybersecurity solutions” Forums data Breach.

a hacker exploited a vulnerability (CVE-2019-16759 : vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widge) in vBulletin, a popular forum software used by Comodo. The flaw, allows an attacker to remotely run malicious code on a vulnerable forum. In this case, the exploit was used to dump the entire user database. the hackers stole usernames, names and email addresses, as well as the user’s last IP address used to access the forum. Some social media handles were also stolen in the breach.

Comodo said it has about 245,000 registered forum users.

Solution:
IoTex Vision: a decentralized Internet of Trusted Things is to deliver data ownership back to the user.

TG: @murugan25589

“Hardware attacks are about access”
Full text

The implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say.

The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015

Main product of Elemental: the expensive servers that customers installed in their networks to handle the video compression.

Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.

These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

The testers found a tiny microchip, that wasn’t part of the boards’ original design.

The chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

Apparently it isn’t so easy to find data breach info in Spain, but you can see gubernamental numbers and the objective of the attacks. Also, an interesting finding is that still HALF of the companies are not aware their IoT devices have been hacked, being the principal objective IP cameras (Spanish source). Anyway, I found a recent one to a Spanish bank.

It is still to be determined or made public, but, somehow, data from one of the principal Spanish banks, Caja Rural, was leaked. To see how big the entity is, it has 2.299 offices, 8.148 employees and is worth 59.394 million euros in total actives. So the security should be considerably good.

637 clients data, including:

• Full name
• ID
• ‘Hash’ of their pasport to the online bank services
• Phone number
• Complete adress
  were leaked to the internet.

If the data had been on IoTeX network it would have been ciphered and, in addition, with a proper DID access to the data could have only been possible if user devices and password to the IoTeX Network account were stolen or remotely accessed.

@WildLifeblood

Once, several years ago, government agencies in Ukraine were hacked thanks to the PETIA virus.
The virus covered 90% of all institutions; specialists tried to eliminate this virus as soon as possible.
As a result, a lot of confidential data was lost, power plants stopped working for a day, etc.
Thanks to the IoTeX decentralization and reliable confidentiality, such attacks can be avoided in all areas of activity. Therefore, I believe that the IoTeX is moving in the right direction!

@Artanovskaya

I see from internet
IOTX HAVE COMMUNITY BIG
@Lehieu2410

Hi guys! We are extending this discussion topic for another week, until Monday, December 16 midnight PST in order to give everyone more time to participate.

Recently, I read an article that smart TVs take screen prints every second and send them to the server. In terms of the amount of data collected, TV manufacturers are catching up with Google and Apple.
Many TV manufacturers say they do not violate user privacy because ACR data is technically not personal information because all family members use TVs. However, data mining makes it possible to post-factum separate user profiles from each other. Data mining is performed by specialized firms. They analyze the browsing history of users, linking the history of watching TV with the activity of the user on the phone, tablet and laptop, including shopping in stores.
90% of TV buyers voluntarily agree to take screen prints and send data to the server. Since the settings for disabling these options are often hidden in the TV menu. Surveys of users showed that most of them really do not realize the full extent of profiling and do not see anything wrong with the fact that the company finds out what series they like to watch on TV. Some say that “Google already knows everything about us,” so there’s nothing to hide.
Identification and trust are critical aspects of the security of the Internet of things. The use of proven technologies for device identification, communication encryption, and data integrity protection is the key to security.
I think IoTeX technologies could be used in smart TVs, similar to how they are used in the Ucam private camera. What do you think about this?

@worksshop

Thanks for sharing!
Yes, IoTeX technologies certainly can be used there. I can make a post of how to do that. However, TV manufacturers would only use them if all users are aware and demanding the features.
There should be someone who can take a leap of it. I really appreciate if everyone here can share with more people about IoTeX’s vision.

Equifax
I will use the popular Equifax data breach of 2017 as a use case, that exposed the personal information of millions of customers to hackers. Equifax is one of three major credit reporting agencies (CRAs) in the US.

On September 7, 2017, Equifax reported that hackers had exploited a vulnerability in its US website application to gain access to certain files from mid-May through July 2017.

Quoting the news:

“The hackers accessed personal data, including Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. They also stole credit card numbers for approximately 209,000 US consumers, as well as dispute documents with personal identifying information for approximately 182,000 US consumers. Some UK and Canadian residents may have also had personal data compromised.”

Due to the volume of data involved and the importance of the company, this was a really serious data breach that could be totally avoided with using the IoTeX technology:

1. Thanks to it’s distributed nature, there would be no “intermediary” (i.e. “Equifax”) server to hack

2. Thanks to private computation hardware like Avoboard, the same “scores” that Equifax calculated could be calculated by keeping all the required user data totally private “by hardware” at the time of the computation without the need for storing them

3. Users identification data, along with data required for the credit score computation could instead be stored on secure servers architecture, accessible through the IoTeX DID architecture.

The whole “Equifax intermediary” would have no reason to exist, or at least no reason to store anything on their servers with the consequent responsibility for privacy protection, that instead would be totally protected by military-grade encryption provided by blockchain DID access, secure storage, and no need for any party to get access to those data once the person had been identified by an authority and data verified in the first place.

TG: @zimne