A GOOD RULE of thumb when it comes to internet-connected toys is not to buy them. Security too often sits too low on the priority list of the companies that make them. But in a new report, Mozilla, the nonprofit behind the popular Firefox browser, has a more finely tuned privacy appraisal of not just toys but dozens of popular holiday gifts—some of which may not rate much better than coal.

Mozilla’s “Privacy Not Included” guide, now in its second year, rates 70 products, ranging from toys and smart speakers to a sous vide, across multiple categories. It’s also rolling out—along with advocacy groups Internet Society and Consumers International—new “minimum security requirements,” and awarding badges to items that score high marks.

“We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet,” says Ashley Boyd, vice president of advocacy at Mozilla. “These products are becoming really popular. And in some cases, it’s easy to forget that they’re even connected to the internet.”

Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla’s rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn’t take a PhD to parse.


"We’re trying to give people essentially a way to look at any product and what to look for, what questions to ask."


The most surprising result of Mozilla’s testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the “Privacy Not Included” guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier. On the other end of the scale, Mozilla highlighted seven products that may not hit the mark—yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor.

DJI says that there's no indication that the Spark has ever been hacked, other than intentionally by enthusiasts looking for a performance boost. And to its credit, the company is also proactive in fixing issues that do arise; just last week, it patched an authentication bug that would have allowed hackers to access user accounts.

Anova CEO Steve Svajian says that the company plans to add encryption to the next generation of its product, and is exploring ways to add it retroactively to those already on the market. "We take privacy and security very seriously," says Svajian. "It's crucially important for the community to trust what we do."

The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. “If you can’t tell, that says that there’s a problem of communication between manufacturers and consumers,” says Boyd. “We would love for makers of these products to be more clear and more transparent about what they’re doing and not doing. That’s a big place we think change is needed.”


FireEye researchers unveil an extensive list of security risks waiting in the new year's wings.


There may still be nearly seven weeks left in 2018, but security leaders are already looking ahead to the new year. Enterprise concerns, from cloud attacks to nation-states, are already piling high.

This year, on track to be the worst-ever for data breaches, has already proved exhaustive for the infosec community. From Jan. 1 to Sept. 30, a total of 3,676 breaches were reported, involving over 3.6 billion records – the second-mostnumber of reported breaches in a year.

The threats ahead are numerous, according to a new report entitled "Facing Forward: Cyber Security in 2019 and Beyond." The report was compiled by FireEye CEO Kevin Mandia, chief security officer Steve Booth, vice president of global intelligence Sandra Joyce, and numerous analysts and strategists.

What's top of mind for senior leaders? Nations building offensive capabilities, breaches continuing due to lack of attrition and accountability, the widening skills gap, lack of resources (particularly for SMBs), holes in the supply chain, cloud attacks, social engineering, and cyber espionage, cybercrime, and other threats targeting the aviation sector

FireEye's Threat Intelligence, Mandiant, and Labs teams, which have a close eye on the frontlines, are particularly worried about how Chinese cyber espionage is restructuring, the increase in Iranian activity targeting the US, attackers using publicly available malware, the increase of business email compromise, abuse of legitimate services for command-and-control, and e-commerce and online banking portals being caught in the crosshairs of cyberthreats.

China Is Changing and Other Nation-State Threats
Ben Read, senior manager of cyber espionage analysis at FireEye, says he has noticed the threat from China evolve throughout this year. It's no longer "smashing and grabbing" intellectual property, he says. Attackers' actions are far subtler – and more nefarious.

"They're doing a lot, going after people's data after it goes outside their premises," he explains. Organizations including law and investment firms, which have troves of client data, are prime targets.


Mozilla earlier this week launched the first full edition of its Internet Health Report.

The report is "an open source effort to explore the state of human life on the Internet," wrote Mozilla Executive Director Mark Surman in an online post.

It consists of research and analysis about the Internet compiled by researchers, engineers, data scientists, policy analysts and artists in Mozilla's extended community.

The digital rights, open source, and Internet freedom movements stand for the idea that it is possible to build a digital world that is open, accessible and welcoming to all, according to Mozilla.

The Internet Health Report is based on the principles of the recently expandedMozilla Manifesto.

"The optimist in me sincerely hopes this will be successful," said Charles King, principal analyst at Pund-IT.

That said, "you also have to ask how many outside the Mozilla community are paying attention," he told LinuxInsider.

Mozilla "is seeking to see the moral high ground as governments explore regulating the Internet by jumping on the ethics bandwagon early and often," suggested Michael Jude, research manager at Stratecast/Frost & Sullivan.

Fake News, Fuzzy Facts

In this first issue of the Internet Health Report, fake news and misinformation are in the spotlight.

The topic engendered considerable interest, Surman said, and data collection became the central focus. The discussion encompassed several issues:

  • Precision-targeted ads;
  • Bots and fake accounts;
  • Facebook's domination of news distribution; and
  • Insufficient Web literacy among the general public.

Taken together, these activities and circumstances provide the fuel for fraud and abuse, along with very bad real world outcomes, Surman said.


Researchers at the University of York have shown that a new quantum-based procedure for distributing secure information along communication lines could be successful in preventing serious security breaches.

Securing highly sensitive information, such as hospital records and bank details, is a major challenge faced by companies and organisation throughout the world.

Standard communication systems are vulnerable to hacks, where encrypted information can be intercepted and copied. It is currently possible for hackers to make a copy of transmitted information, but it would not be possible to read it without a method of breaking the encryption that protects it.

This means that information might be secure for a period of time, but there is no guarantee that it would be secure forever, as supercomputers in development could potentially decipher particular encryptions in the future.

Researchers at York investigated a prototype, based on the principles of quantum mechanics, that has the potential to side-step the vulnerabilities of current communications, but also allow information to be secure in the future.

Dr Cosmo Lupo, from the University of York's Department of Computer Science, said: "Quantum mechanics has come a long way, but we are still faced with significant problems that have to be overcome with further experimentation.

"One such problem is that a hacker can attack the electronic devices used for information transmission by jamming the detectors that are used to collect and measure the photons that carries information.

"Such an attack is powerful because we assume that a given device works according to its technical specifications and will therefore perform its job. If a hacker is able to attack a detector and change the way it works, then the security is unavoidably compromised."

"The principles of quantum mechanics, however, allows for communication security even without making assumptions on how the electronic devices will work. By removing these assumptions we pay the price of lowering the communication rate, but gain in improving the security standard."