Privacy Exposed: Ramifications of Social Media and Mobile Technology Brian Dean and Tom Eston
May 08, 2015
Agenda
• Privacy in a Mobile World
– Apps and Your Data
– Location Based Services
– Data Harvesting
– Hot New Mobile Technology
– Mobile Application Privacy Policies
• Privacy in a Social World
– Evolution of Social Technology
– More Privacy Controls = More Confusion
– Hot New Social Technology
– Comparison of Social Network Privacy Policies
• Regulatory Ramifications
21,000,000,000,000,000,000,000,000 bytes
About Your Presenters
• Brian Dean
– Audit and Compliance Team Manager, Privacy Officer
– PCI QSA, PMP, PCIP, ACE, Certified Information Privacy Professional
– Privacy Officer, HIPAA Officer, and GLBA Officer for a $100 billion bank. Over 13 years in privacy
– Frequent Speaker at IAPP, Info Security Summit, ACI, INFOSEC World
• Tom Eston
– Attack & Defense Team Manager
– Web Applications, Mobile Applications and Device Security
– Founder of SocialMediaSecurity.com
– OWASP Mobile Threat Model Project Lead
– SANS Mentor – SEC542 Web Application Penetration Testing
– Frequent Speaker at Black Hat, DEF CON, ShmooCon, DerbyCon, SANS, OWASP AppSec, InfoSec World
Disclaimer
• This presentation is for informational purposes only.
• Before implementing or executing on any ideas presented, it would be prudent to seek counsel from your technical, security, compliance, and legal representation.
• Always perform adequate due diligence, including a formal risk assessment.
• Views and opinions presented today are not necessarily those of SecureState or other entities we may represent.
– Good chance it doesn’t represent our opinions either.
Privacy in a Mobile World
• Mobile Data: Storage
– Mobile devices have become “virtual wallets”
– Personal data via social networks and email are easily stored and shared with others
– Smartphones are personal tracking devices that just happen to also take phone calls
– Smartphones are one expensive wallet to lose!
Example: Mobile Pen Test
Trivial to Access Private Data
• With physical access…it’s “game over”
– Rooting or Jailbreaking of the device
– Passcode bypass (iOS 7 - several!)
– Circumvention of “remote wipe” controls
– Malware can harvest personal data (especially on Android)
* Subject to the security policies or MDM (Mobile Device Management) enforcement!
Example: MyFitnessPal
• Application stores (too much) PPI on the device
Phone Stored Data
Date of Birth
Mobile Data: Transmission
• Do you know what your apps are sending?
– To the app developers?
– To third-party ad/marketing companies?
• Do mobile apps send your data securely?
– Is SSL being used?
– In our research of the Top 20 Apps…very few use SSL!
Example: UDID
• What is UDID?
– Unique Device IDentifier for the hardware
– Apple iOS (iPhone/iPad)
• Found to be transmitted from mobile apps
– To third party ad and marketing companies
– To the mobile app company
– Usually transmitted with other personal information (user name, IP, geolocation, etc.)
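As an added example (not from the presentation), here is a small Python audit in the spirit of the two slides above: it scans constructed, proxy-captured request URLs for a UDID-shaped value (40 hex characters) sent alongside other personal data, and flags whether the send was cleartext HTTP rather than SSL and whether the destination is a third party. The hostnames, the first-party suffix and the sample URLs are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of proxy-captured app requests; these are not real captures.
CAPTURED_REQUESTS = [
    "http://ads.example-adnetwork.test/track?udid=0123456789abcdef0123456789abcdef01234567&lat=41.49&lon=-81.69&user=jdoe",
    "https://api.example-app.test/login?udid=0123456789abcdef0123456789abcdef01234567&user=jdoe",
    "http://metrics.example-analytics.test/ping?device=ABCDEF0123456789ABCDEF0123456789ABCDEF01&ip=10.0.0.5",
    "https://cdn.example-app.test/assets/logo.png",
]

# An iOS UDID is a 40-character hex string (SHA-1 shaped), whatever the parameter is called.
UDID_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Query keys treated as personal data for this audit (assumed names, extend as needed).
PII_KEYS = {"user", "username", "email", "lat", "lon", "ip", "phone"}

def is_first_party(hostname, first_party_suffix):
    """True if hostname is the first-party domain or a subdomain of it."""
    return hostname == first_party_suffix or hostname.endswith("." + first_party_suffix)

def audit_request(url, first_party_suffix):
    """Return a finding dict for one URL that carries a UDID-shaped value, else None."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    udid_params = [k for k, v in params.items() if UDID_RE.match(v)]
    if not udid_params:
        return None
    return {
        "host": parts.hostname,
        "third_party": not is_first_party(parts.hostname, first_party_suffix),
        "cleartext": parts.scheme == "http",   # no SSL: visible on the wire
        "udid_params": udid_params,
        "pii_params": sorted(k for k in params if k in PII_KEYS),
    }

def audit_all(urls, first_party_suffix):
    """Audit every captured URL and keep only the ones worth reporting."""
    return [f for f in (audit_request(u, first_party_suffix) for u in urls) if f]

if __name__ == "__main__":
    for finding in audit_all(CAPTURED_REQUESTS, "example-app.test"):
        print(finding)
```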
Example: iTunes
Pinterest and Flurry.com
UDID
iOS 7
1 Million UDIDs Exposed?
• Hackers said it’s from the FBI. FBI denies…
• This was actually a third-party breach!
Location Based Services
• Also known as “geolocation”
• Coordinates are frequently sent via third party services
• GPS coordinates sometimes stored locally or sent back to the company
• Apple had a problem with storing location data without user approval in 2011
Apple iOS Location Data Storage Issue
• Fixed in iOS 4.3.3
– When turning off location services, iOS will not store or back up this data
• Some researchers created a cool tool to demo this
– http://petewarden.github.com/iPhoneTracker/
Facebook Timeline and Graph Search
• Easier than ever to view where someone has been
• Pulls location data from photos, status updates and more…
Instagram Photomaps
“…you can now much more easily access photos you and others took months or even years ago.”
– Kevin Systrom, co-founder and CEO of Instagram
Image: Mashable
Address Book Harvesting
• More apps are doing this
• “See if your friends are using this app”
• Apple iOS apps could access contact data without permission (fixed in iOS 6)
• Install prompt on Android
• Developers can notify you on their own…
Brewster
• Takes your:
– Address book
– LinkedIn contacts
– Facebook Friends List
– Who you follow on Twitter
– Gmail address book
– FourSquare Locations
– And more…
Image: Brewster.com
Evolution: Facebook Design Tricks
Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebook-uses-to-affect-your-privacy-decisions/
Apple “Find and Call Malware”
• First “Trojan” for Apple iOS?
• It was a spammy app that sent your contact list to a third-party server
• Your friends get SMS spammed from the server
• App removed from the App Store and Google Play
Image: Kaspersky Labs
New Tech: Shopper Tracking
• Uses your active WiFi “beacons” to identify you by your MAC address
• Google Analytics for “People”
http://www.itworld.com/it-management/336828/attention-shoppers-retailers-can-follow-you-around-mall-way-web-trackers-do-onl
Evolution: Social Media Integrated into Mobile Operating Systems
• Apple iOS 5 – Twitter integrated into the OS
• Apple iOS 6 – Facebook integrated into the OS
• Apple iOS 7 – Pretty interface integrated in OS
Evolution: Google Now and Passbook
• Google Now: “Predicts” things based on your location and actions you take on your device
• Weather, what’s the traffic like on your way to work?
• Passbook: Actions are taken when you enter a location, e.g., enter a Target and a coupon pops up
Evolution: Facebook Home
Digital Shadow
You Don’t Have Any Privacy – Get Over it!
http://www.emc.com/digital_universe/downloads/web/personal-ticker.htm
Generally Accepted Privacy Principles
Privacy in the Wild
• Notice – 6,867 word Privacy Policy (LinkedIn, 10-14-13)
• Consent – IF offered often buried down 19 screens
• 3rd Party access (service provider in China? Pakistan?)
– Hey you “consented.” It was on the 19th screen!
• Collection – Some collect too much (MyFitnessPal)
• Retention – Not typically addressed in the US
• Disclosure to 3rd Parties – Almost unilaterally!
• Security – Who knows (more on that later)
• Quality – I loaned my phone to my son. I never went…
Privacy Policies
• Notices Bottom Line
– Painful to read, so no one reads. We have no idea what we agree to, I just want to play Angry Birds Star Wars 2…
Government Data Requests
• Policies almost unilaterally allow sharing with authorities
– Per Washington Post (as of 9-6-2013)
– Yahoo responded to 12,444 requests for data from the U.S. government YTD
– 40,322 users
– YTD Yahoo has rejected 2% of the requests
http://www.nydailynews.com/life-style/google-unveils-smart-shoes-sxsw-article-1.1287259#ixzz2eaJBFnfa
Government Data Requests (con’t)
• Google, Facebook, Apple, Microsoft
– Foreign Intelligence Surveillance Act
– National Security Agency
– Foreign Intelligence Surveillance Court
• Sought to release data on the requests they receive from government agencies to release consumer data
– Take away: Data is being collected and is subject to others possibly accessing it. In the US it may NEVER be deleted!
More Privacy Control = More Confusion
• Consumers:
– Take initiative to read the Policies
– Understand the legalese Policies
– Need to act to protect PPI/PHI
• Businesses:
– Google munged 60 Privacy Policies into 1!
– Opt out check-box is 11 pixels wide!
– No incentive to manage if consumers don’t care!
Mobile Apps (where are the security indicators?)
Privacy in a Social World
• Facebook, Twitter and LinkedIn have grown exponentially!
• 900 Million!
• Privacy issues have increased as well
• Mobile users to top 8 billion by 2016 (1)
Image: Ben Foster http://www.benphoster.com/facebook-user-growth-chart-2004-2010/
(1) CNET News, quoting Cisco Forecast from 2-14-2012
Hot New Tech: Facial Recognition
• “Facedeals”
– Camera real-time matches face to Facebook
– Matches get discounts sent to smartphone
Fiction: Minority Report
Reality: Disney’s MagicBands (MyMagic+)
Google Glass
• Camera inconspicuously embedded in glasses
– Pictures and stream video to social networks
• Already banned in a Seattle Restaurant (5 Point Cafe)
– What about at airports (TSA Security check points)
– School yards
• Smartphone and video cameras
Privacy Ramifications
• How to deal with new technology
– e.g., Facedeals, MagicBands
• Opt out of facial scans?
• Misuse of technology!
• Tracking children
• Apple Passbook
– iPhone = your wallet
• Digital coupons, tickets, loyalty cards
• Allow payment with near field chip (NFC).
• GPS detects your location and presents coupon
• Malware
– Nefarious data extractions
• GAPP
– Can we really apply Privacy Principles?
Regulatory Ramifications
• International
– Appeasing the law patchwork
– You think a 6000 word Policy is long
• Read one that addresses 10 countries!
• Now reading page 1 of 101
• United States
– Data aggregation and correlation not addressed in US law.
• We want ease, we will sacrifice privacy, until it’s too late.
On the Horizon
• US Businesses will collect more data and retain it
• Technology will better correlate data
• Consumers won’t read privacy policies (have you?)
• Breaches will continue unabated
• New federal encompassing privacy regulations unlikely
– Mobile device data regulations may be looming
• Technology outpaces regulators
• More data in the cloud
New Paradigm
• Consumers
– Personal responsibility
• Read Privacy Policies and Security Safeguards
– Choice
• Select businesses based on privacy
– Cognitively execute your preferences
– Correct the accuracy of the data, not just when getting a loan (e.g., HIPAA, GLBA, credit bureaus)
– Limit the data you provide (do they really need it?)
New Paradigm
• Businesses need to rethink business model
– Capture less data, retain shorter durations
– Adopt GAPP principles
– Better data protection
– De-identify data
– Strong encryption
• Security/Privacy Professionals
– Be aware of the risk – Bad things will happen!
– Formally Document the risks for management
– Share the risk! (e.g., Annual Risk Posture Statement)
– Be a Champion of Privacy and Security
Closing Thoughts
• Short of federal law migrating towards the EU Privacy Directive, big business will collect and retain all the data they can gather, including the passive data sources we discussed.
• Security/Privacy professionals, businesses, and YOU the consumer must be proactive in managing our digital footprints.
• Collective responsibility!
Links
• Link to Tom’s Facebook Privacy & Security Guide
– http://www.securestate.com
– http://socialmediasecurity.com
Tom Eston: [email protected]
Twitter: @agent0x0
Brian Dean: [email protected]
[Mostly off the grid ]