Tech Friday with Dave Hatter - March 12th 2021 - SPONSORED BY INTRUST IT


Thousands of apps leak your data from the cloud:

  • Zimperium is one of three mobile security firms that participates in Google's App Defense Alliance initiative, conducting automated app scanning for the company's Google Play store
  • They ran automated analysis on over 1.3 million Android and iOS apps looking for common cloud misconfigurations that expose user data
  • Zimperium found roughly 84,000 Android apps and close to 47,000 iOS apps using public cloud services to store data
  • Researchers found misconfigurations in 14% of these apps, translating to 11,877 Android apps and 6,608 iOS apps with user bases ranging from a few thousand to millions
  • Sadly, configuration errors have been a major source of exposure of sensitive PII including passwords and medical information. Anything captured could be exposed
  • Zimperium's CEO Shridhar Mittal said "A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now"
  • Researchers contacted some of the developers who had misconfigurations, but said the response was minimal and many apps still leak data
  • One of the apps is a mobile wallet from a Fortune 500 company which exposed users' financial data
  • Some are medical apps with test results and even users' photos
  • Due to the large number of misconfigured apps found, Zimperium did not determine whether attackers had exploited the exposed data
  • Zimperium isn't naming affected apps in their report so that attackers are not tipped off
  • The most terrifying part is that hackers can use the same publicly available information that Zimperium used to find these leaky apps, and it's well known that hackers already scan for cloud misconfigurations
  • To add insult to injury, researchers found that some of the misconfigured systems allow attackers to edit data
  • There is no one to blame for these shoddy practices except for the developers building these apps and the companies that employ them
  • You should limit the number of apps you have, vet them carefully, and think carefully about the information you share with an app

Is the Illinois privacy law the model we need?

  • The Biometric Information Privacy Act of Illinois (BIPA) was passed way back in 2008 when smartphones were rare for most of us and there was little concern about surveillance capitalism
  • While it only applies to Illinois residents, BIPA is one of the toughest privacy laws in the US
  • It's limited in scope, only dictating what companies can do with biometric data such as face scans and fingerprints, but it demonstrates that laws can return some control over our data
  • Its genesis was a company that allowed customers to pay in stores with their fingerprints going belly up in 2007. As part of the bankruptcy, they explored selling their database of customer fingerprints
  • Adam Schwartz, a senior staff attorney with the Electronic Frontier Foundation (EFF), said "BIPA is the gold standard and the kind of thing we’d like to see in all privacy laws"
  • BIPA has three main provisions:
    • Companies can’t use biometric data without consent. This is very rare in privacy law
    • Companies are limited in the data they can collect
    • Individuals, not just governments, can sue
  • BIPA works. Google’s Nest security cameras do not offer facial recognition in IL
  • BIPA is the basis of lawsuits challenging Clearview AI, which scraped billions of photos from the internet and may be why Facebook disabled facial recognition
  • Schwartz said that 50 individual privacy laws like BIPA might be better than a single weak Federal law and that "The status quo is not preordained"
  • Tech titans have been pushing weak privacy laws because they make billions off your data
  • California has passed the CCPA, with tough restrictions and large fines, and other states have bills moving through the legislative process
  • BIPA shows that the states can help us take back our privacy
  • Read the law here: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

I'm doing another free EmpowerU privacy and security webinar next week:

  • Anyone with an Internet connection can read the latest news, listen to their favorite music, chat with friends, search for anything online, shop, pay bills, play games, and watch videos, all for “free”
  • But it’s not really free. If you’re not paying with money, you’re paying with data. You’re NOT the customer, you’re the product.
  • Companies like Google and Facebook hoover up every little bit of data that they can get their hands on, and monetize it in a variety of ways including selling it to other companies, who may or may not secure it correctly
  • An ever-increasing number of “smart” devices we interact with are collecting volumes of very detailed information about how and where we live, work and play 24 hours a day, seven days a week. It’s relentless and pervasive and, in many cases, not obvious
  • Americans are sleepwalking into an Orwellian future nearly as frightening as the one the Chinese are constructing
  • At this session, I will explore how you can improve your privacy and security with tools and techniques to limit your digital footprint and lock down your devices
  • After the presentation I will take questions via the Zoom meeting
  • Join us on March 18th at 7:00 PM, register here: https://form.jotform.com/210417187894160