Privacy Exposed: Ramifications of Social Media and Mobile Technology

Privacy Exposed:Ramifications of Social Media and Mobile Technology

Brian Dean and Tom Eston

Agenda• Privacy in a Mobile World

– Apps and Your Data

– Location Based Services

– Data Harvesting

– Hot New Mobile Technology

– Mobile Application Privacy Policies

• Privacy in a Social World

– Evolution of Social Technology

– More Privacy Controls = More Confusion

– Hot New Social Technology

– Comparison of Social Network Privacy Policies

• Regulatory Ramifications

21,000,000,000,000,000,000,000,000 bytes

About Your Presenters• Brian Dean

– Audit and Compliance Team Manager, Privacy Officer

– PCI QSA, PMP, PCIP, ACE, Certified Information Privacy Professional

– Privacy Officer, HIPAA Officer, and GLBA Officer for $100 billion bank.

Over 13 years in privacy

– Frequent Speaker at IAPP, Info Security Summit, ACI, INFOSEC World

• Tom Eston

– Attack & Defense Team Manager

– Web Applications, Mobile Applications and Device Security

– Founder of SocialMediaSecurity.com

– OWASP Mobile Threat Model Project Lead

– SANS Mentor – SEC542 Web Application Penetration Testing

– Frequent Speaker at Black Hat, DEF CON, ShmooCon, DerbyCon, SANS,

OWASP AppSec, InfoSec World 3

Disclaimer• This presentation is for informational purposes only.

• Before implementing or executing on any ideas presented, it would be prudent to seek council from your technical, security, compliance, and Legal representation.

• Always perform adequate due diligence, including a formal risk assessment.

• Views and opinions presented today are not necessarily that of SecureState or other entities we may represent.

– Good chance it doesn’t represent our opinions either.

4

Privacy in a Mobile World

• Mobile Data: Storage

– Mobile devices have become “virtual wallets”

– Personal data via social networks and email are easily stored and shared with others

– Smartphone are personal tracking devices that just happen to also take phone calls

– Smartphones are one expensive wallet to lose!

5

6

Example: Mobile Pen Test

7

Trivial to Access Private Data

• With physical access…it’s “game over”

– Rooting or Jailbreaking of the device

– Passcode bypass (iOS 7- several!)

– Circumvention of “remote wipe” controls

– Malware can harvest personal data(especially on Android)

* Subject to the security policies or MDM (Mobile Device Management) enforcement!

8

Example: MyFitnessPal

• Application stores (too much) PPI on the device

9

Phone Stored Data

10

Date of Birth

Mobile Data: Transmission

• Do you know what your apps are sending?

– To the app developers?

– To third-party ad/marketing companies?

• Do mobile apps send your data securely?

– Is SSL being used?

– In our research of the Top 20 Apps…very few use SSL!

11

Example: UDID

• What is UDID?

– Unique Device IDentifier for the hardware

– Apple iOS (iPhone/iPad)

• Found to be transmitted from mobile apps

– To third party ad and marketing companies

– To the mobile app company

– Usually transmitted with other personal information (user name, IP, geolocation, etc.)

12

13

Example: iTunes

Pinterest and Flurry.com

14

15

UDID

16

iOS 7

1 Million UDIDs Exposed?

• Hackers said it’s from the FBI. FBI denies…

• This was actually a third-party breach!

17

Location Based Services

• Also known as “geolocation”

• Coordinates are frequently sent via third party services

• GPS coordinates sometimes stored locally or sent back to the company

• Apple had a problem with storing location data without user approval in 2011

18

Apple iOS Location Data Storage Issue

• Fixed in iOS 4.3.3

– When turning off location services, iOS will not store or back up this data

• Some researchers created a cool tool to demo this

– http://petewarden.github.com/iPhoneTracker/

19

Facebook Timeline and Graph Search

• Easier then ever to view where someone has been

• Pulls location data from photos, status updates and more…

20

Instagram Photomaps

21

“…you can now much more easily access photos you and others took months or

even years ago.”

– Kevin Systrom, co-founder and CEO of Instagram

Image: Mashable

Address Book Harvesting

• More apps are doing this

• “See if your friends are using this app”

• Apple iOS apps could access contact data without permission (fixed in iOS 6)

• Install prompt on Android

• Developers can notify you on their own…

22

23

Brewster

• Takes your:

– Address book

– LinkedIn contacts

– Facebook Friends List

– Who you follow on Twitter

– Gmail address book

– FourSquare Locations

– And more…

24

Image: Brewster.com

Evolution: Facebook Design Tricks

25

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebook-uses-to-affect-your-privacy-decisions/

Evolution: Facebook Design Tricks

26

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebook-uses-to-affect-your-privacy-decisions/

Evolution: Facebook Design Tricks

27

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebook-uses-to-affect-your-privacy-decisions/

Evolution: Facebook Design Tricks

28

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebook-uses-to-affect-your-privacy-decisions/

Apple “Find and Call Malware”

29

• First “Trojan” for Apple iOS?

• It was a spammy app that sent your contact list to a third-party server

• Your friends get SMS spammed from the server

• App removed from the App Store and Google Play

Image: Kaspersky Labs

• Uses your active WiFi “beacons” to identify you by your MAC address

• Google Analytics for “People”

30

http://www.itworld.com/it-management/336828/attention-shoppers-retailers-can-follow-you-around-mall-way-web-trackers-do-onl

New Tech: Shopper Tracking

31

• Apple iOS 5 – Twitter integrated into the OS

• Apple iOS 6 – Facebook integrated into the OS

• Apple iOS 7 – Pretty interface integrated in OS

Evolution: Social Media Integrated into Mobile Operating Systems

32

• Google Now: “Predicts” things based on your location and actions you take on your device

• Weather, what’s the traffic like on your way to work?

• Passbook: Actions are taken when you enter a location: IE: Enter a Target, coupon pops up

33

Evolution: Google Now and Passbook

34

Evolution: Facebook Home

35

36

Digital Shadow

You Don’t Have Any Privacy – Get Over it!

37http://www.emc.com/digital_universe/downloads/web/personal-ticker.htm

Generally Accepted Privacy Principles

38

Privacy in the Wild

39

• Notice – 6,867 word Privacy Policy (LinkedIn, 10-14-13)

• Consent – IF offered often buried down 19 screens

• 3rd Party access (service provider in China? Pakistan?)

– Hey you “consented.” It was on the 19th screen!

• Collection – Some collect too much (MyFitnessPal)

• Retention – Not typically addressed in the US

• Disclosure to 3rd Parties – Almost unilaterally!

• Security – Who knows (more on that later)

• Quality – I loaned my phone to my son. I never went…

40

Privacy Policies

Privacy Policies

• Notices Bottom Line

– Painful to read, so no one reads. We have no idea what we agree to, I just want to play Angry Birds Star Wars 2…

41

42

Government Data Requests

• Policies almost unilaterally allow sharing with authorities

– Per Washington Post (as of 9-6-2013)

– Yahoo responded 12,444 requests for data from

the U.S. government YTD

– 40,322 users

– YTD Yahoo has rejected 2% of the requests

http://www.nydailynews.com/life-style/google-unveils-smart-shoes-sxsw-article-1.1287259#ixzz2eaJBFnfa

43

Government Data Requests (con’t)• Google, Facebook, Apple, Microsoft

– Foreign Intelligence Surveillance Act

– National Security Agency

– Foreign Intelligence Surveillance Court

• Sought to release data on the requests they receive from government agencies to release consumer data

– Take away: Data is being collected and subject to other possibly accessing. In the US it may NEVER be deleted!

44

More Privacy Control = More Confusion

• Consumers:

– Take initiative to read the Policies

– Understand the legalese Policies

– Need to act to protect PPI/PHI

• Businesses :

– Google munged 60 Privacy Policies into 1!

– Opt out check-box is 11 pixels wide!

– No incentive to manage if consumers don’t care!

45

Mobile Apps(where’s the security indicators?)

46

Privacy in a Social World

• Facebook,

Twitter and

LinkedIn have

grown

exponentially!

• 900 Million!

• Privacy issues

have increased

as well

• Mobile users to

top 8 billion by

2016 (1)

47

Image: Ben Foster http://www.benphoster.com/facebook-user-growth-chart-2004-2010/

(1) CNET News, quoting Cisco Forecast from 2-14-2012

48

Hot New Tech: Facial Recognition

• “Facedeals”

– Camera real-time matches face to Facebook

– Matches get discounts sent to smartphone

49

Fiction: Minority Report

50

Reality: Disney’s MagicBands (MyMagic+)

51

Google Glass

• Camera inconspicuously imbedded in glasses

– Pictures and stream video to social networks

• Already banned in a Seattle Restaurant (5 Point Cafe)

– What about at airports (TSA Security check points)

– School yards

• Smartphone and

video cameras

52

53

Privacy Ramifications

• How to deal with new technology

– e.g., Facedeals, MagicBands

• Opt out of facial scans?

• Misuse of technology!

• Tracking children

• Apple Passbook

– iPhone = your wallet

• Digital coupons, tickets, loyalty cards

• Allow payment with near field chip (NFC).

• GPS detects your location and presents coupon

• Malware

– Nefarious data extractions

• GAPP

– Can we really apply Privacy Principles? 54

Regulatory Ramifications

• International

– Appeasing the law patchwork

– You think 6000 word Policy is long

• Read one that addresses 10 countries!

• Now reading page 1 of 101

• United States

– Data aggregation and correlation not addressed in US law.

• We want ease, we will sacrifice privacy, until it’s too late.

55

On the Horizon

• US Businesses will collect more data and retain

• Technology will better correlate data

• Consumers won’t read privacy policies (have you?)

• Breaches will continue unabated

• New federal encompassing privacy regulations unlikely

– Mobile device data regulations may be looming

• Technology outpace regulators

• More data in the cloud

56

New Paradigm

• Consumers

– Personal responsibility

• Read Privacy Policies and Security Safeguards

– Choice

• Select businesses based on privacy

– Cognitively execute your preferences

– Correct the accuracy of the data, not just when getting a loan (e.g., HIPAA, GLBA, credit bureaus)

– Limit the data you provide (do they really need it?)

57

New Paradigm

• Businesses need to rethink business model

– Capture less data, retain shorter durations

– Adopt GAPP principles

– Better data protection

– De-identify data

– Strong encryption

• Security/Privacy Professionals

– Be aware of the risk – Bad things will happen!

– Formally Document the risks for management

– Share the risk! (e.g., Annual Risk Posture Statement)

– Be a Champion of Privacy and Security

58

Closing Thoughts

• Short federal law migrating towards EU Privacy

Directive, big business will collect and retain all

the data they can gather, including passive data

sources we discussed.

• Security/Privacy professionals, businesses, and

YOU the consumer must be proactive in

managing our digital footprints.

• Collective responsibly!

59

Links

60

• Link to Tom’s Facebook Privacy & Security Guide

– http://www.securestate.com

– http://socialmediasecurity.com

61

Tom Eston: teston@securestate.com

Twitter: @agent0x0

Brian Dean: bdean@securestate.com

[Mostly off the grid ]