Holiday time, it's the most...potentially dangerous...time of all. From a security standpoint, the holiday season introduces a great deal of risk. This time of year is fraught with threats at every turn, including credit card theft, insecure websites, phishing emails, data breaches, and many others. The threat level rises because people buy more things online and are generally in more of a hurry, which puts them at risk of making a bad choice.

As such, it is important to be extremely diligent this time of year to protect your data, your credit cards and bank accounts, and your privacy. This post covers some of the most recent security threats and data breaches, as well as how they might affect you and what you need to know about them.

Security Round Up: Exposed Birth Certificates, Smart Locks & More


750,000+ Birth certificates leaked from Amazon cloud storage

In yet another example of data stored on Amazon's Web Services (AWS) storage not being password protected, this time more than 750,000 birth certificates were left exposed. While the records are hosted by AWS, it is important to clarify the records were stored insecurely by a third-party company. Files were stored in what's called a storage bucket, which is equivalent to a file folder on a desktop computer, albeit on a much larger scale.

Each company has its own storage bucket for its files, which helps protect them. Unfortunately, if the files are stored without being password protected, they are at risk. Storage buckets live on cloud-based storage and are accessible using a weblink. If a bucket is set up without a password for security, anyone who has the weblink can gain unauthorized access, which is what happened here.

In this breach, the following information about users was exposed:

  • Name
  • Address
  • Date of birth
  • Phone number and more

Moving Forward: If you use AWS, be sure to add a strong password for security! This is an absolute must for using cloud services. As for victims of the breach, so far there is no information about what is being done to protect those whose information was exposed. If you think you may be affected, keep an eye on your bank accounts, credit cards and credit history.
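On AWS, the protection described above is set through the bucket's access policy and its Block Public Access settings. The following added example (not code from the original post or from the company involved) audits a bucket policy for statements that let anyone with the weblink in; the policy, bucket name and account ID are constructed sample values, and the check covers bucket policies only, not object ACLs.

```python
import json

# Constructed sample policy for illustration; not data from the breach.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-records",
                  "arn:aws:s3:::example-records/*"]},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-records/*"}
  ]
}
""")

def _as_list(value):
    """Policy elements may be a single value or a list; treat both alike."""
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True when the Principal element matches every caller, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def anonymous_grants(policy):
    """Return (sid, actions, has_condition) for each Allow open to anyone."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anyone(stmt.get("Principal")):
            grants.append((stmt.get("Sid", "<no Sid>"),
                           _as_list(stmt.get("Action", [])),
                           bool(stmt.get("Condition"))))
    return grants

def exposed_to_anyone(policy, restrict_public_buckets):
    """Unconditional anonymous grants are reachable by URL alone unless the
    bucket's RestrictPublicBuckets setting is on, which overrides them."""
    open_grants = [g for g in anonymous_grants(policy) if not g[2]]
    return bool(open_grants) and not restrict_public_buckets
```

Statements that carry a Condition are reported but not counted as exposed, because the condition may narrow access and needs manual review.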

Smart lock vulnerability leaves homes open for attacks

Smart locks are locks that replace traditional door locks. They often include number keypads, fingerprint readers, and/or a key lock, and they connect to your home wireless network. This allows additional features like using an app to remotely unlock the door without the need to give someone a key or a key code.

Unfortunately, anything that connects to the internet is at risk of being hacked. Items like smart fans are not much of a threat, but a smart lock that is supposed to block unauthorized entry into your home is a much bigger threat if it is compromised.

Image of a KeyWe smart device courtesy of their website.

A Finland-based security company called F-Secure recently disclosed flaws in the "KeyWe Smart Lock". Because of the smart lock's design, hackers can intercept the network traffic between the smart lock and the mobile app, leaving it open to attack.

For those who know how to utilize this attack, it can be done fairly easily and at minimal cost. While KeyWe reported that it fixed the issue through security patches, F-Secure's researchers stated it is not possible to update the firmware on these devices wirelessly.

Moving forward: If you have one of these smart locks installed, you will want to consider replacing it. Losing the $155 investment is FAR CHEAPER than allowing an unauthorized person to access your home where they could steal information, items, and/or cause damage.

Smartwatch security flaw puts kids at risk

A cybersecurity firm called Rapid7 Inc. recently discovered a bug in cheaper smartwatches used by kids that allows strangers to override parental controls and track them. Three different devices were tested, each of which supported messaging, chat and, of course, location tracking. The devices also had nearly identical hardware and software and were manufactured in China.

The cause of the issue is the way configuration details are changed: via commands texted directly to the watch from authorized users. Unfortunately, unlisted numbers, which do not belong to authorized users, can also send commands to the watch. This means they can assume control of the device, change the parental controls and more.

Moving Forward: At the time of the article's report, manufacturers were unavailable so there is no guarantee a firmware update will be released to fix this issue. If you are concerned your child has one of the watches affected, visit the article to see all of the models affected. If someone you know is affected, consider getting a device that provides better security protocols as it will most definitely be worth the expense!
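The flaw described above comes down to a missing sender check before a texted command is applied. This added example (not the watches' firmware and not code from Rapid7 or the original post) puts a handler that behaves as the article describes beside one that enforces the authorized-number list; the `SET key=value` command syntax, setting names and phone numbers are hypothetical.

```python
import re

# Hypothetical command format and setting names, constructed for illustration.
CMD = re.compile(r"^SET (\w+)=(\S+)$")
ALLOWED_KEYS = {"sos_number", "tracking_interval", "geofence"}

def normalize(number):
    """Keep digits only so '+1 (555) 010-0100' and '15550100100' compare equal."""
    return re.sub(r"\D", "", number)

class Watch:
    def __init__(self, guardians):
        self.guardians = {normalize(n) for n in guardians}
        self.config = {}
        self.rejected = []  # audit trail of refused messages

    def handle_sms_vulnerable(self, sender, body):
        """Behaviour described in the article: the sender is never checked."""
        match = CMD.match(body.strip())
        if match:
            self.config[match.group(1)] = match.group(2)
            return True
        return False

    def handle_sms(self, sender, body):
        """Authorize the sender first, then parse, then validate the setting."""
        if normalize(sender) not in self.guardians:
            self.rejected.append((sender, "unauthorized sender"))
            return False
        match = CMD.match(body.strip())
        if not match or match.group(1) not in ALLOWED_KEYS:
            self.rejected.append((sender, "malformed or unknown command"))
            return False
        self.config[match.group(1)] = match.group(2)
        return True
```

The sender number on a text message can be forged, so an allowlist like this is a minimum rather than a complete control.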

While attacks come 24/7/365, this time of year is often plagued with an increased number of attacks and security threats. Additionally, the more our hardware is connected to the internet, the more risk is introduced, simply because these devices can be accessed from external sources. When purchasing devices with this capability, be sure to buy from a reputable company that takes data privacy and security seriously.

It is important to be careful when clicking links. When possible, go directly to websites rather than clicking links in emails, especially emails from an unknown sender, and never let fear push you into doing something you would not normally do. This is often when we make costly mistakes.

Lastly, as much as you do to proactively protect your privacy and data, some things are out of your control. To combat this, do your best to invest in solid tech devices that prioritize security, and if necessary, consider getting rid of a cheaper device whose risk could cost you thousands of dollars.

As always, the more you know about a product and its potential issues, the better your decisions will be about whether or not you want to use it.