Your most sensitive data is likely exposed online. These people try to find it

Justin Paine sits in a pub in Oakland, California, searching the internet for your most sensitive data. It doesn’t take him long to find a promising lead.

On his laptop, he opens Shodan, a searchable index of cloud servers and other internet-connected devices. Then he types the keyword “Kibana,” which reveals more than 15,000 databases stored online. Paine starts digging through the results, a plate of chicken tenders and fries growing cold next to him.

“This one’s from Russia. This one’s from China,” Paine said. “This one is just wide open.”

From there, Paine can sift through each database and check its contents. One database appears to have information about hotel room service. If he keeps looking deeper, he might find credit card or passport numbers. That isn’t far-fetched. In the past, he’s found databases containing patient information from drug addiction treatment centers, as well as library borrowing records and online gambling transactions.

Paine is part of an informal army of web researchers who indulge an obscure passion: scouring the internet for unsecured databases. The databases — unencrypted and in plain sight — can contain all sorts of sensitive information, including names, addresses, telephone numbers, bank details, Social Security numbers and medical diagnoses. In the wrong hands, the data could be exploited for fraud, identity theft or blackmail.

The data-hunting community is both eclectic and global. Some of its members are professional security experts, others are hobbyists. Some are advanced programmers, others can’t write a line of code. They’re in Ukraine, Israel, Australia, the US and just about any country you name. They share a common purpose: spurring database owners to lock down your info.

The pursuit of unsecured data is a sign of the times. Any organization — a private company, a nonprofit or a government agency — can store data on the cloud easily and cheaply. But many software tools that help put databases on the cloud leave the data exposed by default. Even when the tools do make data private from the start, not every organization has the expertise to know it should leave those protections in place. Often, the data just sits there in plain text waiting to be read. That means there’ll always be something for people like Paine to find. In April, researchers in Israel found demographic details on more than 80 million US households, including addresses, ages and income level.

No one knows how big the problem is, says Troy Hunt, a cybersecurity expert who’s chronicled on his blog the issue of exposed databases. There are far more unsecured databases than those publicized by researchers, he says, but you can only count the ones you can see. What’s more, new databases are constantly added to the cloud.

“It’s one of those tip-of-the-iceberg situations,” Hunt said.

To search out databases, you have to have a high tolerance for boredom and a higher one for disappointment. Paine said it would take hours to find out whether the hotel room service database was actually a cache of exposed sensitive data. Poring over databases can be mind-numbing and tends to be full of false leads. It isn’t like searching for a needle in a haystack; it’s like searching fields of haystacks hoping one might contain a needle. What’s more, there’s no guarantee the hunters will be able to prompt the owners of an exposed database to fix the problem. Sometimes, the owner will threaten legal action instead.

Database jackpot

The payoff, however, can be a thrill. Bob Diachenko, who hunts databases from his office in Ukraine, used to work in public relations for a company called Kromtech, which learned from a security researcher that it had a data breach. The experience intrigued Diachenko, and with no experience he dove into hunting databases. In July, he found records on thousands of US voters in an unsecured database, simply by using the keyword “voter.”

“If me, a guy with no technical background, can find this data,” Diachenko said, “then anybody in the world can find this data.”

In January, Diachenko found 24 million financial documents related to US mortgages and banking on an exposed database. The publicity generated by the find, as well as others, helps Diachenko promote SecurityDiscovery.com, a cybersecurity consulting business he set up after leaving his previous job.

Publicizing a problem

Chris Vickery, a director of cyberrisk research at UpGuard, says big finds raise awareness and help drum up business from companies anxious to make sure their names aren’t associated with sloppy practices. Even if the companies don’t choose UpGuard, he said, the public nature of discoveries helps his field grow.

Earlier this year, Vickery looked for something big by searching on “data lake,” a term for large compilations of data stored in multiple file formats.

The search helped his team make one of the biggest finds to date, a cache of 540 million Facebook records that included users’ names, Facebook ID numbers and about 22,000 unencrypted passwords stored in the cloud. The data had been stored by third-party companies, not Facebook itself.

“I was swinging for the fences,” Vickery said, describing the process.

Getting it secured

Facebook said it acted swiftly to get the data removed. But not all companies are responsive.

When database hunters can’t get a company to react, they sometimes turn to a security writer who uses the pen name Dissent. She used to hunt unsecured databases herself but now spends her time prompting companies to respond to data exposures that other researchers find.

“An optimal response is, ‘Thank you for letting us know. We’re securing it and we’re notifying patients or customers and the relevant regulators,'” said Dissent, who asked to be identified by her pen name to protect her privacy.

Not every company understands what it means for data to be exposed, something Dissent has documented on her website Databreaches.net. In 2017, Diachenko sought her help in reporting exposed health records from a financial software vendor to a New York City hospital.

The hospital described the exposure as a hack, even though Diachenko had simply found the data online and didn’t break any passwords or encryption to see it. Dissent wrote a blog post explaining that a hospital contractor had left the data unsecured. The hospital hired an external IT company to investigate.

Tools for good or bad

The search tools that database hunters use are powerful.

Sitting in the pub, Paine shows me one of his techniques, which has let him find exposed data on Amazon Web Services databases and which he said was “hacked together with various different tools.” The makeshift approach is necessary because data stored on Amazon’s cloud service isn’t indexed on Shodan.

First, he opens a tool called Bucket Stream, which searches through public logs of the security certificates that websites need to access encryption technology. The logs let Paine find the names of new “buckets,” or containers for data, stored by Amazon, and check whether they’re publicly viewable.

Then he uses a separate tool to create a searchable database of his findings.

For someone who searches for caches of personal data down between the couch cushions of the internet, Paine doesn’t display glee or dismay as he examines the results. This is just the reality of the internet. It’s filled with databases that should be locked behind a password and encrypted but aren’t.

Ideally, companies would hire experts to do the work he does, he says. Companies, he says, should “make sure your data isn’t leaking.”

If that happened more often, Paine would have to find a new hobby. But that might be hard for him.

“It’s a little bit like a drug,” he said, before finally getting around to digging into his fries and chicken.

Facial recognition could take over one ‘convenience’ at a time

Konami Gaming, a slot machine maker, wants to weave facial recognition into its one-armed bandits. During a visit to its Las Vegas headquarters to hear more about its plans, I quickly discovered what the world would be like if facial recognition is everywhere.

“Hello, Alfred,” said a measured, robotic voice, startling me. It came from a kiosk called “Biometrics Welcome Console” positioned right next to the door of the conference room where my meeting was held. The kiosk knew who I was because Konami had set up a profile for me, using a public photo from my CNET bio without telling me. The facial recognition tagged me before I’d even said hello to the Konami team members in the room. 

I looked at the screen showing the photo the kiosk took of me when I walked in. The camera had caught just my eyes and nose. Still, the facial recognition software calculated it detected me with 60.5% accuracy.

“Any picture you use online can be used to identify you already,” Sina Miri, Konami’s vice president of innovation and strategic research and design, told me. Konami had also set up profiles of my colleagues at the visit, again without telling them.

Throughout the interview, Konami’s facial recognition cameras followed us. They captured our images so many times that the kiosk kept greeting us long after the meeting started. Eventually, a Konami staffer resorted to covering her face with paper to keep the machine quiet while we stood out of its view.

The exchange, which Konami saw as a positive demonstration of its capabilities but which I viewed as an invasion of privacy, illustrates the fine line that facial recognition needs to walk. Technology companies can’t wait to incorporate the feature, which can be as benign as Face ID on your iPhone, into more gadgets and systems. But consumer advocates worry it’ll have a chilling effect on our private lives.

Meanwhile, facial recognition’s spread marches on. Over the last decade, anything you can think of — toothbrushes, televisions, cars, refrigerators and even beds — has been connected to the internet. Within the next 10 years, facial recognition companies hope to do the same with their technology. CES 2020, where many of these companies showed their wares, was a glimpse into what the future of surveillance could look like. The annual tech conference was a prime spot to help make the biometric service mainstream.

Just as connecting a television to the internet was a fairly new concept in 2011, a world filled with facial recognition is essentially uncharted territory now. That might change fast. By 2019, analysts found that you couldn’t buy a new TV without an internet connection. Facial recognition companies want that sort of acceptance for their technology.

That means inserting FR, as the technology is called in shorthand, into every part of your life. You’ll experience it at the shopping mall, at school and in your own home. 

“Once it’s used in other industries, it’ll be in places everywhere,” said Tom Soukup, Konami’s senior vice president and chief systems products officer. “There’s going to be widespread customer acceptance within the next two, three years.”  

But facial recognition is used by police departments and government agencies for investigations, often without legal guidelines that protect citizens when it’s used. Lawmakers have raised concerns about, for example, the effect on free speech if police could use facial recognition to pinpoint and track protesters in a crowd.

“This is a tech that threatens to supercharge our cameras and turn them into surveillance devices like never before,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union. 

Forward facing 

When everything became connected online in the last decade, the convenience came with some strings attached. For televisions, it meant that companies could start tracking people’s viewing habits and selling that data to advertisers. 

With facial recognition, it could happen on a broader scale. You can’t change your face the way you can change an advertising ID associated with your device. 

At CES, facial recognition appeared to be on the verge of wedging itself into spots it had never been before. The trade show itself implemented facial recognition for badge pickups for the first time, while LG showed off a door that could scan your face to unlock. A storage box for marijuana using facial recognition won a CES innovation award.

On Wednesday, Konami Gaming showed off its plans for implementing facial recognition in slot machines, explaining that gamblers could use their faces for loyalty and rewards programs from a casino. 

Konami’s Miri envisions a future in which facial recognition could enable pervasive, real-world online tracking for targeted advertising via Google and Facebook.

“Once we face ID you, what we do is build a profile,” Miri said. “If we know your favorite drink is rum and coke, we can put an advertisement of a specific brand of rum where you are, for example.” 

Throughout the interview, Soukup referred to our faces as “QR codes,” reducing one of our most intimate, personal features to a machine-scannable jumble.

Soukup said Konami doesn’t have privacy officers who work on facial recognition development at its headquarters. Instead, the company has compliance officers, whose job is to make sure its technology meets the minimum standards of privacy laws like the European Union’s General Data Protection Regulation, which includes provisions covering biometric information.

In the US, almost no regulations on facial recognition exist, outside of Illinois’s biometrics law. Everything that Konami did — taking my image without my permission to build a profile and then constantly tracking me in its office even though I never opted in — is completely legal. 

“We’re living in a wild west when it comes to privacy protections,” the ACLU’s Stanley said. “Most deployments of facial recognition aren’t empowering individuals, but they’re empowering the companies that lie behind those devices.”

How convenient?

Konami’s executives said that facial recognition would speed up the process for gamblers looking to get loyalty rewards points. Under the current system, it takes about a minute and a half. With the biometric, Miri says, it would take 30 seconds. 

You’d be exchanging a potential lifetime of facial tracking to save a minute. 

PopID, a facial recognition company based in California, is behind facial recognition for businesses like Deli Time and Stoner’s Pizza Joint. It’s also got its technology on the campuses of schools like Stanford University and University of Southern California. 

The company provided a similar comparison, saying it takes about 90 seconds to order food through facial recognition, compared to 3 minutes without it.

Yale Goldberg, PopID’s vice president of strategy and business development, says the company’s facial recognition is in more than 100 locations that ring up more than 1,500 transactions per week. 

He says facial recognition will spread, pointing out the success it’s had at PopID’s parent company, Cali Burger.

“We have significantly more loyal top customers than we did before we had these kiosks. It’s because they know they can get this great experience every time,” Goldberg said. “They don’t need to add their onions and light ketchup and everything else. We know that for them. We make their lives easier.”

Facial recognition companies believe this technology will be everywhere in the next five years, arguing that the convenience will win over the public. 

But with unease building over technology companies’ invasion of privacy, more people are becoming aware of the strings attached to that convenience, the ACLU’s Stanley said.  

“We’ve seen a growing backlash against facial recognition in the country and growing understanding of the technology’s consequences,” Stanley said. “We need to be very, very wary about exchanging convenience for a world that we don’t recognize anymore.” 

Before leaving Konami’s office, I asked the company’s staff to delete the profile it had made of me, along with any other biometric data that its cameras collected during my visit. 

The staff deleted my profile but said they’d need to contact Konami’s biometric supplier to get rid of the data they collected on me. I wasn’t able to stay to see that happen.

After the story published, Konami apologized for building a facial recognition profile of us without our permission, and said that the company should have provided notice. 

“We did not mean to offend the team or make light of important values,” a Konami spokeswoman said. “We will ensure that the data associated with Wednesday’s visit is purged from our internal system and that of our biometric technology partner.”