Smart home appliance maker Wyze has responded to what it calls an "alleged" data breach against its production databases by logging all users out of their accounts and has strengthened security for its servers. Customers endured a lengthy reauthentication process as the company responded to a series of reports claiming that the company stored sensitive information about people's security cameras, local networks, and email addresses in exposed databases.

Texas-based Twelve Security, a self-described "boutique" consulting firm, posted the claim of a breach against Wyze's two Elasticsearch databases on Medium yesterday. The unsecured data is said to have come from 2.4 million users. A plurality of them are located on the east coast of the United States, though data was sourced from across the country as well as in the United Kingdom, the United Arab Emirates, Egypt, and parts of Malaysia.

The dataset included any email addresses that have been registered to or shared access to a camera, the models, firmware versions, and assigned names of every cameras in a household, time of devices' last activation, times of users' last login and logout, account login tokens for users' Android and iOS devices, camera access tokens for users' Alexa devices, Wi-Fi SSID, and internal subnet layout. A particular subset of users who gave or have had tracked their height, weight, gender, bone health, and protein intake information may have had those data exposed as well. Twelve Security also noted that there were "clear indications" that data was being trafficked through Alibaba Cloud servers in China.

Video surveillance news blog IPVM followed up with Twelve Security and was able to spot accounts and devices linked to its staff who reviewed Wyze products.

Twelve Security opted not to notify Wyze before going public with its claims on suspicion of either the company's gross negligence or a concentrated espionage effort, based on the alleged Alibaba Cloud link as well as a previous security blunder where Alexa users could view camera feeds from devices they've resold to other people that vulnerability has since been patched.

In a bulletin on its community forums, Wyze stated that it was notified by IPVM late yesterday morning and has failed to verify a breach. It also denied any association with Alibaba Cloud.

The company said it decided out of caution to adjust access permissions for its databases and wipe all active login tokens this also cleared users' Alexa, Google Assistant, and IFTTT integrations as well. Customers who employed two-factor authentication complained shortly after the token refresh that their login attempts were denied due to various errors. Wyze updated its bulletin late last night to report it had fixed the 2FA login process.

The Seattle-based Wyze sells smart plugs, lights, security cameras, and the like at prices well below its competition. It's able to do so by turning to vendors for advanced software features Xnor.ai recently canceled its contract with Wyze to provide its cameras with subject detection and vesting a number of resources, including manufacturing, in China. While we'd like to see more details come along, Twelve and IPVM's reporting to this point may cast doubt, at the very least, on how Wyze handles its resources.

Wyze's response, new allegations

Wyze has updated its bulletin twice over the weekend.

It explained that an employee managing a new server project had made a "mistake" with data copied over from its main production servers on December 4 and had left that data unsecured until Wyze beefed up security on the 26th. It initially admitted only one database was exposed, then later was notified by a Wyze user of a second database. The company says it is still investigating why that happened and is currently auditing its servers and databases.

The company says the dataset included customer emails, camera nicknames, Wi-Fi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. To the company's knowledge, the dataset did not contains passwords or government-regulated personal or financial information or API tokens for Android and iOS devices.

Wyze once again denied that it used Alibaba Cloud to handle user data. It also refuted Twelve Security's claims though it did not mention the security consultancy by name that it collected bone density and daily protein intake information from any products, including those in beta testing. It also denied having a "similar breach" six months ago, perhaps referring to the Alexa camera viewing issue mentioned above, but that was more of a vulnerability than a breach for the record, neither are good things.

Affected users should expect an email from the company shortly, notifying them of what data has been compromised. More emails may come as the investigation moves forward. The company has apologized for the oversight.

At the same time, Twelve Security posted a second essay about Wyze on Medium detailing how its U.S. servers weren't secured as well as their Chinese servers were. It challenged Wyze's suggested vulnerability period, claiming instead that the U.S. servers were vulnerable ever since they went online in January. It also claims to have tracked Wyze's data pipeline infrastructure through Alibaba Cloud to be large enough for the company to be able to track live footage from every camera and that Wyze and anyone with knowledge to do so may intercept any one of those feeds. It also noted comments suggesting that the company does have plans to record daily protein intake and bone density information at some point.

The company has yet to respond to Twelve Security's latest claims.

See the original post here:
Privacy scare leads Wyze to unpair all devices from Google Assistant and Alexa, you'll need to add them back (Update: Further responses) - Android...

Your personal data is all over the cloud, and it's not always secured the way it should be.

This year wasn't a good one for keeping sensitive information private: The names, addresses and demographic data of 80 million US households got revealed. So did the expected salaries of more than a million job seekers. And so, too, thousands of Facebook passwords, along with even more users' likes and comments.

Here's the galling part: None of this data was exposed by hackers with exceptional technical prowess. It was just left sitting on the internet, by mistake. Some database manager pressed the wrong button and left your most intimate information sitting on a cloud server somewhere. Often, as in the case of the Facebook data, a third-party company stored the information incorrectly.

The problem is pervasive, according to Chris Vickery, a researcher at security company UpGuard who tracks database exposures. "It is the ugly elephant in the room that every security professional knows about, but doesn't want to talk about," he said.

Companies are moving more and more user information to the cloud, putting it on remote servers owned by Amazon, Microsoft and Google that allow customers to rent both storage and computing power. That's good for everyone, lowering costs and raising the quality of service. But as with all new technologies, there's a learning curve. When a database manager forgets to password-protect data on the cloud, the information just sits there for anyone to see. And many organizations don't consider such cases data breaches or hacks, because there's no way to prove criminals accessed the exposed data.

Now playing: Watch this: A database with info on 80M+ US households was left open...

1:48

Still, the data can be very personal, like the nearly 5 million health care records that a researcher found for drug rehab patients in Pennsylvania in April. In addition to outing patients struggling with drug addition, the data could have made it possible for bad actors to find patient addresses and names of family members with a few Google searches.

Sometimes the exposed data is already public, like the caches of Facebook and Instagram user phone numbers and other information from profile pages that researchers found in separate incidents this year. That data was collected from millions of profiles by automated tools. The practice, called scraping, is against the terms of service of the social media companies, and all that data together can serve as a giant list of potential victims for spammers.

What's more, the databases can reveal proprietary information that companies like LexisNexis and Dow Jones charge businesses a premium to access. Both companies maintain lists of high-risk banking customers, and both sets of data were exposed on unsecured databases in 2019.

The problem is unique to cloud servers, which have revolutionized the way every organization stores data. Now instead of keeping information on racks of servers in a back room, businesses, schools and governments buy space on remote ones.

One common problem is database managers leaving default settings in place after they move information to a cloud server. Often those settings make the data public and require extra steps to enable password protection. Other times the database handlers seem to have gone out of their way to avoid putting a password on the data, perhaps not understanding the risk, said Troy Hunt, who tracks data breaches at the website Have I Been Pwned.

That's particularly worrying when the information involves children. In 2017, Hunt found recordings of children's messages to and from loved ones on an exposed database run by toymaker CloudPets, exposing the intimate back-and-forths to anyone with the search skills to find the recordings.

If your data is exposed in an unsecured database, experts say you have to treat the situation the same way you would if the data had been stolen.

"You need to engage proactively in minimizing your risk," said Eva Velasquez, president of the Identity Theft Resource Center.

Medical service provider Tu Ora Compass Health said the same thing to nearly 1 million patients when it revealed that its poorly configured website had exposed patient health insurance data. Patients should "assume the worst" and act as though hackers had accessed the data, the company said.

What's the worst that can happen? Stolen information makes it easier for identity thieves to pretend to be you. When combined with what you share on social media, for example, your medical record number could allow someone else to use your health insurance.

The Identity Theft Resource Center hosts a service called Breach Clarity that helps you decide what steps to take after your data is compromised. The advice depends on what kind of information was involved.

If your log-in credentials are exposed, you'll want to reset your passwords. If it's your Social Security number, you'll want to watch your credit report for signs that someone's opening up new lines of credit in your name. You may also want to consider freezing your credit.

And if it's payment information, you'll want to look for unusual charges on your credit card statement and consider requesting a replacement card.

How many exposed databases are out there right now is an open question, in part because only a relatively small group of security researchers are searching for them. Some of those researchers treat the hunt, which usually involves manually sifting through search results from directories of cloud servers and any other device connected to the internet, as a hobby rather than a job. Others do it professionally, and security companies are building automated tools to find exposures.

That means we'll be hearing about them on a regular basis in the coming year.

Read more here:
Exposed databases are as bad as data breaches, and they're not going anywhere - CNET

Read Story Transcript

Over the past decade, Amazon has found its way into your homes with Alexa, in your ears with Audible, on your screens with Amazon Prime Video, and maybe even in your fridge if you shop at Whole Foods.

But the tech giant's reach does not end with products and streaming services. With Amazon Web Services (AWS), the company now holds a 50 per cent share of the cloud hosting market, according to a Gartner report published in July 2019.

"Any website that you don't know where it's hosted might be on Amazon's servers or Microsoft's or Google's. That's the primary way in which you may be interacting with Amazon and not know it," says Brad Stone, author of The Everything Store: Jeff Bezos and The Age of Amazon.

The San Francisco-based tech reporter with Bloomberg started researching Amazon for his book a decade ago. Stone spoke to The Current's interim host Nil Kksal about the company's foray into cloud hosting and its future in the next 10 years.

Here's part of their conversation.

Tell us more about AWS Amazon Web Services.

Amazon has been a pioneer in the market to get companies, universities and government agencies to stop relying on the data centre in the back office or down the street and to move all their technology operations to the cloud hosted centrally by Amazon. Microsoft, Google, IBM and Oracle are also in pursuit of this market. It's been a massive change for all of computing over the past few years.

How much of that cloud does Amazon own?

I don't have the market share numbers handy but Amazon was the first player and it is the market leader with Microsoft hot on its heels. Microsoft recently scored a significant industry win by winning the very contested Jedi contract from the Pentagon a $10 billion contract. Amazon is now appealing that verdict and saying that the Trump administration made a political judgment in awarding the prize to Microsoft.

What sort of things might we be doing online that has us interacting with Amazon, but are unaware of it happening?

Any website that you don't know where it's hosted might be on Amazon's servers or Microsoft's or Google's. That's the primary way in which you may be interacting with Amazon and not know it. But just in terms of something like walking up to your neighbour's house they could have a Ring camera and doorbell that's recording your image. Alexa is no longer just in someone's home. They're increasingly moving into cars, hotel rooms and even workplaces. So that's another way in which Amazon's influence is being extended.

Most North American households are Amazon Prime members. There's no illusion about how often they use Amazon. They watch the movies and the TV shows, they order packages for one and two-day deliveries. A lot of people I know are relying on Amazon to make their holidays and to get gifts on time. So it's a company whose influence and impact we can't really avoid these days.

We checked the numbers Amazon owns nearly 50 per cent of the cloud. How much should we worry that this is the reality?

I think when it comes to AWS and the cloud business, it is a competitive market. You can make an argument that Microsoft and Google were more naturally positioned to pioneer and innovate in cloud computing. They didn't. Amazon took the lead there. Microsoft has caught up. In some respects, it's growing faster than Amazon now. I don't think there's any easy way to call that a monopoly.

In other parts of Amazon's empire, it does have a worryingly large impact. I think the book business Amazon's earliest business clearly has a majority of sales, both physical and digital. And it makes its influence known in very tough negotiations with booksellers. I think that could be a worry. The fact is that you know, Amazon plays in massive markets. It's still a single digit percentage of overall retail in the U.S., North America and around the world. And that's going to be a very strong argument when it comes to any kind of antitrust scrutiny of the company.

The U.S. Federal Trade Commission is looking into Amazon's influence and control over the market. Do you see a future where Amazon could be forced to break up?

It's certainly possible over the long term. I think it's fair to say in the short term that the federal government has more pressing priorities as we're entering into an election year. It's unclear what direction antitrust enforcement will take. It does seem like all the major presidential candidates agree on that one thing: the big tech companies are too big. But Amazon is now in a cluster of kind of worrying companies along with Google and Facebook and to some extent Apple, with the App Store. These are complex markets and complicated businesses. They're not going to be easy cases for the Department of Justice or the FTC to win.

So in talking about a breakup, it's kind of hard to imagine. You could see some regulation that requires the company to abandon some of its retail businesses so it doesn't end up competing with some of its customers. But again that's assuming there's a functional U.S. government, which we don't have right now. So I don't think anything will happen quickly.

On the issue of antitrust, we've got a statement from Amazon. They wrote, "We understand that success invites scrutiny and we aim to run our business so that when scrutinized we pass with flying colours."

That statement is interesting because there's a long record of companies like Microsoft responding to scrutiny more obstinately, stubbornly and combatively. Amazon clearly doesn't want to do that. They want to be submissive. But that's clearly not the nature of the company. So it will be interesting to see how transparent and amenable they are to regulation.

What is the Amazon of the next 10 years look like?

I think the opportunities and the possibilities are limitless and hard to predict. I don't think 10 years ago when I was starting to work on The Everything Store, I would have imagined Alexa, Echo or the extent to which AWS has grown. Part of what Amazon looks like in the next 10 years is going to be dependent on its ability to keep inventing and investing in the new thing. I think that the physical store initiative is very intriguing in the U.S. now.

We have these ghost stores where you can walk in, grab a package, walk out. Cameras track your every move and charge your account. We could be looking at a future where Amazon stores are on every corner and not just to buy groceries and maybe electronics, but to return packages that you get via online delivery. We could see the emergence of a kind of two-way fulfilment network where Amazon isn't just bringing things to you but it could also allow you to easily return products. Some of that already exists today.

But if that happens, then watch out. We're going to see FedEx, UPS. and the national postal services really suffer because Amazon is in a position to invest in that transportation capability. So there are all sorts of possibilities for disruption. Some we can imagine, some we probably can't yet.

Written by Tahiat Mahboob. Interview produced by Ben Jamieson.

Read more:
From bookstore to cloud hosting: How Amazon 'took the lead' in the technology world - CBC.ca

BARCELONA, CATALONIA, SPAIN - 2019/11/19: The Microsoft company logo during the Fair.First day of ... [+] the Smart City Expo World Congress which exists to empower cities and collectivise urban innovation. More than 400 international experts and 844 global companies joined the congress which will take place from 19 to 21 November 2019. (Photo by Paco Freire/SOPA Images/LightRocket via Getty Images)

Microsofts (NASDAQ: MSFT) Intelligent Cloud business is expected to contribute $41.9 billion to Microsofts 2020 revenues (ending June 2020) representing 31.2% of Microsofts $290.4 billion in expected revenues for the year. More Personal Computing, and Productivity & Business Processes segments are expected to contribute 35.1% and 33.7% respectively to Total Revenue making the relative contribution of all the 3 reporting segments to Microsofts top line nearly identical. Notably, Microsoft is expected to add $37.8 billion in revenue between 2017 to 2020, out of which the Intelligent Cloud segment is expected to provide $14.5 billion, or 38.3% of the total expected increase. In fact, it is the strong growth in Microsofts Intelligent Cloud segment revenues that has been primarily responsible for the 200% jump in the tech giants stock since 2017. While the segment has considerable growth potential, its higher profit margins have unlocked sizable value over recent years. We discuss Microsofts valuation analysis in full, separately.

Below we discuss Microsofts business model, followed by sections that review past performance and 2020 expectations for Microsofts revenue drivers and competitive comparisons of its revenue with Apple and Oracle. You can look at our interactive dashboard analysis ~ Microsofts Revenues: How Does Microsoft Make Money? ~ for more details.

Microsoft Business Model

What does Microsoft offer:

Has 3 major Operating Segments:

What Are The Alternatives?

Microsoft competes with:

What Is The Basis of Competition?

Details about how Microsoft revenue changes over recent years compare with competitors Apple and Oracle are available in our interactive dashboard.

Whats behind Trefis? See How Its Powering New Collaboration and What-Ifs ForCFOs and Finance Teams|Product, R&D, and Marketing Teams More Trefis Data Like our charts? Exploreexample interactive dashboardsand create your own

Read the rest here:
How Important Is The Intelligent Cloud Segment To Microsofts Stock? - Forbes