TOTW #2: IoT, Data and Privacy Breaches

On 15 July 2019 an anonymous hacker successfully breached the security systems of the Bulgarian National Revenue Agency ("NRA") and downloaded the personal data of over 5 million Bulgarian citizens. :star_struck: Part of the hacked information (about 11 GB) was leaked to local media. This is one of the biggest personal data breaches in Bulgaria up to the present date. After the initiated inspection and the discovery of highly insufficient measures for the protection of personal data, the CPDP fined the Bulgarian NRA 5.1 million BGN (about 2.5 million EUR). :grinning:

:white_check_mark: This issue could have been prevented by putting in place firmware software updates by IoTeX, since there would not have been any centralized server for hackers to penetrate.
:white_check_mark: Also, IoTeX would have used decentralized identity (DID) as a channel for storing the information of the Bulgarian National Revenue Agency ("NRA").

Telegram ID : @SangosanyaM

4 Likes

Whatsapp

In May, WhatsApp was hacked and spyware was installed on users' phones. Hackers were able to install surveillance technology on the phones of WhatsApp users who answered their phone calls through the app.

WhatsApp has over 1.5 billion users worldwide which were vulnerable to this data and privacy breaches.
This could have been avoided by thorough privacy management, which IoTeX obviously has.

This could have been avoided by applying 'privacy by design' and 'user-centric features', which are both part of IoTeX's features.
This allows the users to own their privacy by letting them choose who can view their data, including their phone numbers, or who they want to receive calls from.
WhatsApp having an open source whereby anyone can view one's phone number is not ideal to start with.
Obviously there are lots of gaps to be covered by IoT as regards data, privacy and security breach.

@JessiSam

4 Likes

Hi IoTeX fans :raised_hands::raised_hands::raised_hands::bowing_man::bowing_man::bowing_man:
The market for IoT devices is growing rapidly. Along with the development of the industry, the need for security remains high. Experts have yet to find reliable solutions to IoT security problems. Enterprises are concerned about the potential risks of implementing IoT solutions. Consumers, on the other hand, need stable devices.

Cybersecurity researchers offer a look at five major incidents in the IoT segment.

Mirai DDoS Botnet
Probably the most famous botnet attack using IoT devices is the Mirai DDoS (distributed denial of service attack). It has successfully slowed down or paralyzed the Internet over almost the entire East Coast of the United States. As a result, Dyn, a network service provider, suffered significant losses.

The botnet was deployed for selfish reasons by 21-year-old Paras Jha (New Jersey), Dalton Norman (Louisiana) and 20-year-old Josiah White (Pennsylvania). The attackers planned to disable private Minecraft servers and entice users to their own server.

Among the victims were not only Minecraft servers served by the DNS provider Dyn, but also Twitter, Reddit, Yelp, Imgur, PayPal, Airbnb, Pinterest, Soundcloud, Spotify, GitHub, HBO, CNN, Starbucks, Yammer, etc. Subscribers of the largest European telecom operator, Deutsche Telekom, were left without stable mobile communications for several hours. Problems with access to the network were observed among users in the United States and Western Europe.

The botnet scanned many open Telnet ports and performed the authentication procedure using 61 default login / password combinations of devices. It turned out that an army of hacked devices was created by students at Rutgers University.

Jeep and virtual hijacking :red_car::red_car::red_car:
In 2016, two hackers, Charlie Miller and Chris Valasek, successfully seized control of a Jeep Cherokee. This was the first virtual hijacking. The driver was in the car. After vulnerabilities were detected in the vehicle, the "attackers" took control of the ventilation system flaps, radio, wipers, etc. All this happened while the driver was driving. Soon, the faces of Miller and Valasek appeared on the display of the multimedia system, and the driver lost control of the brakes, accelerator and steering system. In the end, the hackers were able to remotely stop the car.

The attackers published a list of the most vulnerable cars, prompting automakers to make software fixes. They recommended that owners of these car brands pay attention to the need for regular system updates.

Owlet WiFi cardiac monitor for children
Owlet is a heart rate sensor used in infant socks. You can use the device from birth to 18 months. Socks are compatible with iOS and Android 30 and work via Bluetooth 4.0 within a radius of 30 m. Socks control the frequency of heartbeats, oxygen level in the blood, body position during sleep. Parents can set alerts in the smartphone application if the indicators deviate from the norm.

Telegram : @H1xindahouse

4 Likes
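Added example, not part of the post above: a defender-side detector in Python that reads telnetd-style authentication log lines and flags a source that works through many usernames in a short window and then logs in successfully, which is what a Mirai-style sweep of factory credentials looks like from the device's own logs. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions; adapt `LOG_RE` to the real format of your device.

```python
"""Flag Telnet credential sweeps from device auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, daemon, outcome, username, source IP.
# A real telnetd/busybox log line will differ; only the regex needs changing.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: auth (?P<result>ok|failed) "
    r"for user '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: one noisy source that tries four accounts in four
# seconds and then gets in, and one legitimate user with a single typo.
SAMPLE_LOG = """\
2019-12-01T10:00:01Z telnetd[412]: auth failed for user 'root' from 203.0.113.5
2019-12-01T10:00:02Z telnetd[412]: auth failed for user 'admin' from 203.0.113.5
2019-12-01T10:00:03Z telnetd[412]: auth failed for user 'support' from 203.0.113.5
2019-12-01T10:00:04Z telnetd[412]: auth failed for user 'user' from 203.0.113.5
2019-12-01T10:00:05Z telnetd[412]: auth ok for user 'root' from 203.0.113.5
2019-12-01T10:05:00Z telnetd[412]: auth failed for user 'alice' from 198.51.100.7
2019-12-01T10:30:00Z telnetd[412]: auth ok for user 'alice' from 198.51.100.7
"""


def parse_log(text):
    """Yield (timestamp, result, user, src) for every line matching LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m["result"], m["user"], m["src"]


def detect_bruteforce(text, max_failures=3, window_seconds=60):
    """Return {src: finding} for sources with >= max_failures failed logins
    inside any window_seconds span. A success at or after the last failure
    of such a burst is reported as a likely compromise."""
    events = defaultdict(list)  # src -> [(ts, result, user), ...]
    for ts, result, user, src in parse_log(text):
        events[src].append((ts, result, user))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "failed"]
        # Sliding window over the failure timestamps only.
        burst, start = False, 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_failures:
                burst = True
                break
        if not burst:
            continue
        last_fail = fails[-1][0]
        compromised = any(r == "ok" and ts >= last_fail for ts, r, _ in evs)
        findings[src] = {
            "failed_attempts": len(fails),
            "usernames_tried": sorted({u for _, u in fails}),
            "likely_compromise": compromised,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```

The window is applied to failures only, so a slow legitimate user who mistypes once is never flagged, while the 61-credential sweep described in the post trips the threshold within seconds; on a real device this output would feed a firewall drop rule or an alert, and the `likely_compromise` flag is the one worth paging on.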

My input for Data Hacks is Comodo “global leader in cybersecurity solutions” Forums data Breach.

A hacker exploited a vulnerability (https://www.cvedetails.com/cve/CVE-2019-16759/) in vBulletin, a popular forum software used by Comodo. The flaw allows an attacker to remotely run malicious code on a vulnerable forum. In this case, the exploit was used to dump the entire user database. The hackers stole usernames, names and email addresses, as well as the user's last IP address used to access the forum. Some social media handles were also stolen in the breach.

Comodo said it has about 245,000 registered forum users.

Solution:
The IoTeX vision of a decentralized Internet of Trusted Things is to deliver data ownership back to the user.

TG: @murugan25589

5 Likes

“Hardware attacks are about access”
Full text

The implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say.

The security of the global technology supply chain had been compromised, even if consumers and most companies didn't know it yet.

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015.

Main product of Elemental: the expensive servers that customers installed in their networks to handle the video compression.

Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.

These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

The testers found a tiny microchip that wasn't part of the boards' original design.

The chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

4 Likes

Apparently it isn't so easy to find data breach info in Spain, but you can see governmental numbers and the objective of the attacks. Also, an interesting finding is that still HALF of the companies are not aware their IoT devices have been hacked, with IP cameras being the principal target (Spanish source). Anyway, I found a recent one at a Spanish bank.

It is still to be determined or made public, but, somehow, data from one of the principal Spanish banks, Caja Rural, was leaked. To see how big the entity is: it has 2,299 offices, 8,148 employees and is worth 59,394 million euros in total assets. So the security should be considerably good.

The data of 637 clients were leaked to the internet, including:

  • Full name
  • ID
  • 'Hash' of their passport for the online bank services
  • Phone number
  • Complete address

If the data had been on IoTeX network it would have been ciphered and, in addition, with a proper DID access to the data could have only been possible if user devices and password to the IoTeX Network account were stolen or remotely accessed.

@WildLifeblood

4 Likes

Once, several years ago, government agencies in Ukraine were hacked thanks to the Petya virus.
The virus covered 90% of all institutions; specialists tried to eliminate this virus as soon as possible.
As a result, a lot of confidential data was lost, power plants stopped working for a day, etc.
Thanks to the IoTeX decentralization and reliable confidentiality, such attacks can be avoided in all areas of activity. Therefore, I believe that the IoTeX is moving in the right direction!

@Artanovskaya

4 Likes

I see from the internet that
IOTX HAS A BIG COMMUNITY
@Lehieu2410

1 Like

Hi guys! We are extending this discussion topic for another week, until Monday, December 16 midnight PST in order to give everyone more time to participate. :kissing_closed_eyes:

4 Likes

Recently, I read an article that smart TVs take screen prints every second and send them to the server. In terms of the amount of data collected, TV manufacturers are catching up with Google and Apple.
Many TV manufacturers say they do not violate user privacy because ACR data is technically not personal information because all family members use TVs. However, data mining makes it possible to post-factum separate user profiles from each other. Data mining is performed by specialized firms. They analyze the browsing history of users, linking the history of watching TV with the activity of the user on the phone, tablet and laptop, including shopping in stores.
90% of TV buyers voluntarily agree to take screen prints and send data to the server, since the settings for disabling these options are often hidden in the TV menu. Surveys of users showed that most of them really do not realize the full extent of profiling and do not see anything wrong with the fact that the company finds out what series they like to watch on TV. Some say that "Google already knows everything about us," so there's nothing to hide.
Identification and trust are critical aspects of the security of the Internet of things. The use of proven technologies for device identification, communication encryption, and data integrity protection is the key to security.
I think IoTeX technologies could be used in smart TVs, similar to how they are used in the Ucam private camera. What do you think about this?

@worksshop

5 Likes

Thanks for sharing!
Yes, IoTeX technologies certainly can be used there. I can make a post on how to do that. However, TV manufacturers would only use them if all users are aware of and demanding the features.
There should be someone who can take a leap on it. I would really appreciate it if everyone here could share IoTeX's vision with more people.

6 Likes

Equifax
I will use the popular Equifax data breach of 2017 as a use case, that exposed the personal information of millions of customers to hackers. Equifax is one of three major credit reporting agencies (CRAs) in the US.

On September 7, 2017, Equifax reported that hackers had exploited a vulnerability in its US website application to gain access to certain files from mid-May through July 2017.

Quoting the news:

“The hackers accessed personal data, including Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. They also stole credit card numbers for approximately 209,000 US consumers, as well as dispute documents with personal identifying information for approximately 182,000 US consumers. Some UK and Canadian residents may have also had personal data compromised.”

Due to the volume of data involved and the importance of the company, this was a really serious data breach that could be totally avoided with using the IoTeX technology:

  1. Thanks to its distributed nature, there would be no "intermediary" (i.e. "Equifax") server to hack

  2. Thanks to private computation hardware like Avoboard, the same “scores” that Equifax calculated could be calculated by keeping all the required user data totally private “by hardware” at the time of the computation without the need for storing them

  3. Users' identification data, along with the data required for the credit score computation, could instead be stored on a secure server architecture, accessible through the IoTeX DID architecture.

The whole “Equifax intermediary” would have no reason to exist, or at least no reason to store anything on their servers with the consequent responsibility for privacy protection, that instead would be totally protected by military-grade encryption provided by blockchain DID access, secure storage, and no need for any party to get access to those data once the person had been identified by an authority and data verified in the first place.

TG: @zimne

6 Likes

This is a good decision!
More community members will be able to participate. Perhaps before this not everyone had the opportunity.

2 Likes

An interesting topic indeed! :hot_face:

Every identified person is under constant attack by the government entities who shamelessly hacks into our homes uninvited and unconcerned with our response, using IoT to unlock unencrypted doors and prey upon our private-matters as if they gave us lives. :cowboy_hat_face: :face_with_monocle: :space_invader:

Similar hacker attacks are happening every few seconds somewhere around the world, just last week one of the largest data centers in the United States, “CyrusOne” was exposed to an attack by a variant of the REvil (Sodinokibi) ransomware, which previously hit a number of service providers including the “all eyes” governments offices. :see_no_evil:

The data risk is very real with IoT and it's growing rapidly with 100+ billion connected devices. I believe the risk can be mitigated with IoTeX's decentralized trusted IoT and trusted computing. Just like @Alina pointed out, I think it's about time we as the concerned people start taking this matter a little more seriously. Back in 2018, a well-known blockchain evangelist and not so close friend of mine, Ian Balina, was hacked for $2 million by storing his private and public crypto keys on the cloud storage app Evernote.

Every time we use any of these single-point-of-failure devices we unlock our doors to those entities. :sleeping: I dream of the day when people start boycotting any system or device that solely relies on the traditional centralized data centers; it's time to get a real lock by switching to the likes of devices made by IoTeX.

However you choose to stand up for this, IoTeX is positioning to play a bigger role on the global stage in the fight for our privacy and security.

TG: @c_okenwa

3 Likes

In November 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. :upside_down_face: The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018. :mask:

For some of the victims, only name and contact information were compromised. The attackers were able to take some combination of contact info, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. :bomb: Marriott believes that credit card numbers and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
The catastrophic big data loss could have been avoided if the security measures provided by IoTeX had been in place.
Some of these measures:
:ballot_box_with_check: All sensitive data could have been secured by the use of private hardware such as Avoboard.
:ballot_box_with_check: The data could have been stored on secure servers, such as IoTeX DID, so as to be re-accessible later.
Telegram Id: @tadex01

2 Likes

Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis

A new wave of reports about the home surveillance cameras getting hijacked by creeps is painfully familiar.

1 Like

Well, while we still are discussing the problems with privacy of different devices, I think we can talk about not so huge cases also. Sorry, this story will be sad. Argentinian footballer Emiliano Sala died in a plane crash in the beginning of this year. This was a big shock for his family. An additional terrible shock for them was that the surveillance footage from the morgue was stolen and made public. These are not only safety issues, they are also additional suffering for people in such cases.

It is very important that our security does not conflict with our privacy. Cryptographic protection of information could help people keep private what is private. IoTeX's Ucam should help people not to get into a similar situation.


*Telegram… @bez_nicka*
2 Likes

Hi everyone!

Thank you for participating in this discussion! :innocent: We will shortly pick the winners together with our Ambassadors & announce them! In the meantime, please join a new discussion thread that started today :arrow_right: join now

1 Like

Underwriters Laboratories, the developer of security standards for industry and electronics, offers a new principle for standardizing the security of Internet of Things devices in several categories at once. The company recognizes that most of the products currently on the market will not pass this certification.

Underwriters Laboratories (UL), a safety standardization and certification company, has introduced its standard for IoT devices.
With permanent offices in 46 countries and serving more than a hundred, UL is one of the most respected structures in its field. It has developed security standards for many different industries, including ecology, construction, industrial equipment, electrical and electronic products, etc.

It is proposed to certify devices in seven categories: software component updates, data and cryptography, logical security, system management, user personal data, security protocols and process, documentation.
Each of these factors corresponds to a set of practical recommendations for ensuring security.

For example, the minimum requirement in the "data and cryptography" category is the absence of a default password. To obtain the highest certificate, Diamond, a device in the same category must stand up against brute force.

Telegram @ms1may
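Added example, not UL's or IoTeX's code: a minimal device login policy in Python that implements the two requirements named in the post above, no usable factory password until the owner sets one, and an escalating lockout so that online brute force against the login stalls. `FACTORY_DEFAULT`, the minimum length and the lockout timings are constructed values; the password hashing uses the standard library's PBKDF2.

```python
"""Device login policy: no default password, brute-force lockout (added example)."""
import hashlib
import hmac
import os

FACTORY_DEFAULT = "factory-default"  # constructed placeholder for the label-printed password
MIN_LENGTH = 12                      # constructed policy minimum
PBKDF2_ROUNDS = 100_000


class PasswordPolicyError(ValueError):
    """Raised when a candidate password violates the device policy."""


class DeviceAuth:
    def __init__(self, max_failures=5, base_lock_seconds=30):
        self._salt = None
        self._digest = None
        self._must_change = True        # ships with no usable password: UL minimum
        self.max_failures = max_failures
        self.base_lock = base_lock_seconds
        self._failures = 0
        self._lock_rounds = 0
        self._locked_until = 0.0

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, password):
        """Reject empty, factory-default and short passwords before accepting."""
        if not password:
            raise PasswordPolicyError("empty password")
        if password == FACTORY_DEFAULT:
            raise PasswordPolicyError("factory default password is not allowed")
        if len(password) < MIN_LENGTH:
            raise PasswordPolicyError(f"password shorter than {MIN_LENGTH} characters")
        self._salt = os.urandom(16)
        self._digest = self._hash(password, self._salt)
        self._must_change = False
        self._failures = 0
        self._lock_rounds = 0
        self._locked_until = 0.0

    def login(self, password, now):
        """Return 'ok', 'bad_password', 'locked' or 'must_change'.

        `now` is a seconds counter supplied by the caller (e.g. time.monotonic())
        so the lockout logic can be exercised without sleeping."""
        if self._must_change:
            return "must_change"
        if now < self._locked_until:
            return "locked"
        candidate = self._hash(password, self._salt)
        if hmac.compare_digest(candidate, self._digest):   # constant-time compare
            self._failures = 0
            self._lock_rounds = 0
            return "ok"
        self._failures += 1
        if self._failures >= self.max_failures:
            # Escalating lockout: 30 s, then 60 s, then 120 s, ... per round.
            self._locked_until = now + self.base_lock * (2 ** self._lock_rounds)
            self._lock_rounds += 1
            self._failures = 0
        return "bad_password"

    def locked_until(self):
        return self._locked_until


if __name__ == "__main__":
    dev = DeviceAuth()
    print(dev.login("anything", now=0))           # must_change
    dev.set_password("correct horse battery staple")
    for i in range(5):
        print(dev.login(f"guess-{i}", now=1 + i))  # bad_password x5
    print(dev.login("correct horse battery staple", now=7), "until", dev.locked_until())
```

The doubling lockout is what turns a 61-credential sweep from a few seconds of work into hours of waiting per device, and because the clock is passed in rather than read inside the class, the same code is easy to unit-test on the firmware build server before it ships.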

I have to add a very recent one - Wyze camera user data breach. 12/28/2019.
The data breach includes customer emails, camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations.

Check it out! We need a new system to protect our data!

7 Likes