0
Privacy Exposed:
Ramifications of Social Media and Mobile Technology
Brian Dean and Tom Eston
Agenda
• Privacy in a Mobile World
–
–
–
–
–

Apps and Your Data
Location Based Services
Data Harvesting
Hot New Mobile Te...
About Your Presenters
• Brian Dean
– Audit and Compliance Team Manager, Privacy Officer
– PCI QSA, PMP, PCIP, ACE, Certifi...
Disclaimer

• This presentation is for informational purposes only.
• Before implementing or executing on any ideas
presen...
Privacy in a Mobile World
• Mobile Data: Storage
– Mobile devices have become
“virtual wallets”
– Personal data via social...
Example: Mobile Pen Test

6
7
Trivial to Access Private Data
• With physical access…it’s “game over”
– Rooting or Jailbreaking of the device
– Passcode ...
Example: MyFitnessPal
• Application stores (too much) PPI on the device

9
Phone Stored Data

Date of Birth
10
Mobile Data: Transmission
• Do you know what your apps are sending?
– To the app developers?
– To third-party ad/marketing...
Example: UDID
• What is UDID?
– Unique Device IDentifier for the hardware
– Apple iOS (iPhone/iPad)
• Found to be transmit...
Example: iTunes

13
Pinterest and Flurry.com

14
UDID

15
iOS 7

16
1 Million UDIDs Exposed?

• Hackers said it’s from the FBI. FBI denies…
• This was actually a third-party breach!
17
Location Based Services
• Also known as “geolocation”
• Coordinates are frequently
sent via third party services
• GPS coo...
Apple iOS Location Data Storage Issue
• Fixed in iOS 4.3.3
– When turning off location services, iOS will not store
or bac...
Facebook Timeline and Graph Search
• Easier then ever to view where someone has been
• Pulls location data from photos, st...
Instagram Photomaps
“…you can now much more easily access
photos you and others took months or
even years ago.”
– Kevin Sy...
Address Book Harvesting
• More apps are doing this
• “See if your friends are using this app”
• Apple iOS apps could acces...
23
Brewster
• Takes your:
– Address book
– LinkedIn contacts
– Facebook Friends List
– Who you follow on Twitter
– Gmail addr...
Evolution: Facebook Design Tricks

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricksfacebook-uses-to-affe...
Evolution: Facebook Design Tricks

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebookuses-to-affe...
Evolution: Facebook Design Tricks

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebookuses-to-affe...
Evolution: Facebook Design Tricks

Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebookuses-to-affe...
Apple “Find and Call Malware”
• First “Trojan” for Apple iOS?
• It was a spammy app that sent
your contact list to a third...
New Tech: Shopper Tracking
• Uses your active WiFi “beacons” to identify you by your
MAC address
• Google Analytics for “P...
Evolution: Social Media Integrated into Mobile
Operating Systems
• Apple iOS 5 – Twitter integrated into the OS
• Apple iO...
32
Evolution: Google Now and Passbook
• Google Now: “Predicts” things
based on your location and actions
you take on your dev...
Evolution: Facebook Home

34
35
Digital Shadow

36
You Don’t Have Any Privacy – Get Over it!

http://www.emc.com/digital_universe/downloads/web/personal-ticker.htm

37
Generally Accepted Privacy Principles

38
Privacy in the Wild
• Notice – 6,867 word Privacy Policy (LinkedIn, 10-14-13)
• Consent – IF offered often buried down 19 ...
Privacy Policies

40
Privacy Policies
• Notices Bottom Line
– Painful to read, so no one reads. We have no idea
what we agree to, I just want t...
42
Government Data Requests
• Policies almost unilaterally allow sharing with authorities
– Per Washington Post (as of 9-6-20...
Government Data Requests (con’t)
• Google, Facebook, Apple, Microsoft
– Foreign Intelligence Surveillance Act
– National S...
More Privacy Control = More Confusion
• Consumers:
– Take initiative to read the Policies
– Understand the legalese Polici...
Mobile Apps
(where’s the security indicators?)

46
Privacy in a Social World
• Facebook,
Twitter and
LinkedIn have
grown
exponentially!
• 900 Million!
• Privacy issues
have ...
48
Hot New Tech: Facial Recognition
• “Facedeals”
– Camera real-time matches face to Facebook
– Matches get discounts sent to...
Fiction: Minority Report

50
Reality: Disney’s MagicBands (MyMagic+)

51
Google Glass
• Camera inconspicuously imbedded in glasses
– Pictures and stream video to social networks
• Already banned ...
53
Privacy Ramifications
• How to deal with new technology
– e.g., Facedeals, MagicBands
• Opt out of facial scans?
• Misuse ...
Regulatory Ramifications
• International
– Appeasing the law patchwork
– You think 6000 word Policy is long
• Read one tha...
On the Horizon
•
•
•
•
•

US Businesses will collect more data and retain
Technology will better correlate data
Consumers ...
New Paradigm
• Consumers
– Personal responsibility
• Read Privacy Policies and Security Safeguards
– Choice
• Select busin...
New Paradigm
• Businesses need to rethink business model
– Capture less data, retain shorter durations
– Adopt GAPP princi...
Closing Thoughts
• Short federal law migrating towards EU Privacy
Directive, big business will collect and retain all
the ...
Links
• Link to Tom’s Facebook Privacy & Security Guide
– http://www.securestate.com
– http://socialmediasecurity.com

60
Tom Eston: teston@securestate.com
Twitter: @agent0x0
Brian Dean: bdean@securestate.com
[Mostly off the grid
]
61
Upcoming SlideShare
Loading in...5
×

Privacy Exposed: Ramifications of Social Media and Mobile Technology

2,177

Published on

Mobile devices and applications have taken the world by storm. Millions of consumers are using these devices for everything from conducting financial transactions, accessing health care information and sharing personal experiences over social media. Unfortunately there is still little regard or concern with how mobile platforms and major social networks collect, transmit and store personal and corporate information. This exacerbates existing privacy concerns and the need for new regulations in the age of big data. In this presentation we discuss the latest privacy concerns with this new technology. Topics will include:

• All new privacy concerns with mobile application data, geolocation, address book harvesting , third party information sharing and the latest mobile technology such as NFC (Near Field Communication)
• A close look at the top 20 mobile applications and how they transmit, store and reuse personal or private information
• Comparison of current privacy policies of the major social networks, what they tell you and what they don't
• Ramifications of international and US privacy regulations and how this impacts mobile devices, social networks, you and your business

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,177
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Privacy Exposed: Ramifications of Social Media and Mobile Technology"

  1. 1. Privacy Exposed: Ramifications of Social Media and Mobile Technology Brian Dean and Tom Eston
  2. 2. Agenda • Privacy in a Mobile World – – – – – Apps and Your Data Location Based Services Data Harvesting Hot New Mobile Technology Mobile Application Privacy Policies • Privacy in a Social World – – – – Evolution of Social Technology More Privacy Controls = More Confusion Hot New Social Technology Comparison of Social Network Privacy Policies • Regulatory Ramifications 1,000,000,000,000,000,000,000,000 bytes 2
  3. 3. About Your Presenters • Brian Dean – Audit and Compliance Team Manager, Privacy Officer – PCI QSA, PMP, PCIP, ACE, Certified Information Privacy Professional – Privacy Officer, HIPAA Officer, and GLBA Officer for $100 billion bank.  Over 13 years in privacy – Frequent Speaker at IAPP, Info Security Summit, ACI, INFOSEC World • Tom Eston – Attack & Defense Team Manager – Web Applications, Mobile Applications and Device Security – Founder of SocialMediaSecurity.com – OWASP Mobile Threat Model Project Lead – SANS Mentor – SEC542 Web Application Penetration Testing – Frequent Speaker at Black Hat, DEF CON, ShmooCon, DerbyCon, SANS, OWASP AppSec, InfoSec World 3
  4. 4. Disclaimer • This presentation is for informational purposes only. • Before implementing or executing on any ideas presented, it would be prudent to seek council from your technical, security, compliance, and Legal representation. • Always perform adequate due diligence, including a formal risk assessment. • Views and opinions presented today are not necessarily that of SecureState or other entities we may represent. – Good chance it doesn’t represent our opinions either. 4
  5. 5. Privacy in a Mobile World • Mobile Data: Storage – Mobile devices have become “virtual wallets” – Personal data via social networks and email are easily stored and shared with others – Smartphone are personal tracking devices that just happen to also take phone calls – Smartphones are one expensive wallet to lose! 5
  6. 6. Example: Mobile Pen Test 6
  7. 7. 7
  8. 8. Trivial to Access Private Data • With physical access…it’s “game over” – Rooting or Jailbreaking of the device – Passcode bypass (iOS 7- several!) – Circumvention of “remote wipe” controls – Malware can harvest personal data (especially on Android) * Subject to the security policies or MDM (Mobile Device Management) enforcement! 8
  9. 9. Example: MyFitnessPal • Application stores (too much) PPI on the device 9
  10. 10. Phone Stored Data Date of Birth 10
  11. 11. Mobile Data: Transmission • Do you know what your apps are sending? – To the app developers? – To third-party ad/marketing companies? • Do mobile apps send your data securely? – Is SSL being used? – In our research of the Top 20 Apps…very few use SSL! 11
  12. 12. Example: UDID • What is UDID? – Unique Device IDentifier for the hardware – Apple iOS (iPhone/iPad) • Found to be transmitted from mobile apps – To third party ad and marketing companies – To the mobile app company – Usually transmitted with other personal information (user name, IP, geolocation, etc.) 12
  13. 13. Example: iTunes 13
  14. 14. Pinterest and Flurry.com 14
  15. 15. UDID 15
  16. 16. iOS 7 16
  17. 17. 1 Million UDIDs Exposed? • Hackers said it’s from the FBI. FBI denies… • This was actually a third-party breach! 17
  18. 18. Location Based Services • Also known as “geolocation” • Coordinates are frequently sent via third party services • GPS coordinates sometimes stored locally or sent back to the company • Apple had a problem with storing location data without user approval in 2011 18
  19. 19. Apple iOS Location Data Storage Issue • Fixed in iOS 4.3.3 – When turning off location services, iOS will not store or back up this data • Some researchers created a cool tool to demo this – http://petewarden.github.com/iPhoneTracker/ 19
  20. 20. Facebook Timeline and Graph Search • Easier then ever to view where someone has been • Pulls location data from photos, status updates and more… 20
  21. 21. Instagram Photomaps “…you can now much more easily access photos you and others took months or even years ago.” – Kevin Systrom, co-founder and CEO of Instagram Image: Mashable 21
  22. 22. Address Book Harvesting • More apps are doing this • “See if your friends are using this app” • Apple iOS apps could access contact data without permission (fixed in iOS 6) • Install prompt on Android • Developers can notify you on their own… 22
  23. 23. 23
  24. 24. Brewster • Takes your: – Address book – LinkedIn contacts – Facebook Friends List – Who you follow on Twitter – Gmail address book – FourSquare Locations – And more… Image: Brewster.com 24
  25. 25. Evolution: Facebook Design Tricks Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricksfacebook-uses-to-affect-your-privacy-decisions/ 25
  26. 26. Evolution: Facebook Design Tricks Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebookuses-to-affect-your-privacy-decisions/ 26
  27. 27. Evolution: Facebook Design Tricks Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebookuses-to-affect-your-privacy-decisions/ 27
  28. 28. Evolution: Facebook Design Tricks Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebookuses-to-affect-your-privacy-decisions/ 28
  29. 29. Apple “Find and Call Malware” • First “Trojan” for Apple iOS? • It was a spammy app that sent your contact list to a third-party server • Your friends get SMS spammed from the server • App removed from the App Store and Google Play Image: Kaspersky Labs 29
  30. 30. New Tech: Shopper Tracking • Uses your active WiFi “beacons” to identify you by your MAC address • Google Analytics for “People” http://www.itworld.com/it-management/336828/attention-shoppers-retailers-can-follow-you-around-mall-way-web-trackers-do-onl 30
  31. 31. Evolution: Social Media Integrated into Mobile Operating Systems • Apple iOS 5 – Twitter integrated into the OS • Apple iOS 6 – Facebook integrated into the OS • Apple iOS 7 – Pretty interface integrated in OS 31
  32. 32. 32
  33. 33. Evolution: Google Now and Passbook • Google Now: “Predicts” things based on your location and actions you take on your device • Weather, what’s the traffic like on your way to work? • Passbook: Actions are taken when you enter a location: IE: Enter a Target, coupon pops up 33
  34. 34. Evolution: Facebook Home 34
  35. 35. 35
  36. 36. Digital Shadow 36
  37. 37. You Don’t Have Any Privacy – Get Over it! http://www.emc.com/digital_universe/downloads/web/personal-ticker.htm 37
  38. 38. Generally Accepted Privacy Principles 38
  39. 39. Privacy in the Wild • Notice – 6,867 word Privacy Policy (LinkedIn, 10-14-13) • Consent – IF offered often buried down 19 screens • 3rd Party access (service provider in China? Pakistan?) – Hey you “consented.” It was on the 19th screen! • Collection – Some collect too much (MyFitnessPal) • Retention – Not typically addressed in the US • Disclosure to 3rd Parties – Almost unilaterally! • Security – Who knows (more on that later) • Quality – I loaned my phone to my son. I never went… 39
  40. 40. Privacy Policies 40
  41. 41. Privacy Policies • Notices Bottom Line – Painful to read, so no one reads. We have no idea what we agree to, I just want to play Angry Birds Star Wars 2… 41
  42. 42. 42
  43. 43. Government Data Requests • Policies almost unilaterally allow sharing with authorities – Per Washington Post (as of 9-6-2013) – Yahoo responded 12,444 requests for data from the U.S. government YTD – 40,322 users – YTD Yahoo has rejected 2% of the requests http://www.nydailynews.com/life-style/google-unveils-smart-shoes-sxsw-article-1.1287259#ixzz2eaJBFnfa 43
  44. 44. Government Data Requests (con’t) • Google, Facebook, Apple, Microsoft – Foreign Intelligence Surveillance Act – National Security Agency – Foreign Intelligence Surveillance Court • Sought to release data on the requests they receive from government agencies to release consumer data – Take away: Data is being collected and subject to other possibly accessing. In the US it may NEVER be deleted! 44
  45. 45. More Privacy Control = More Confusion • Consumers: – Take initiative to read the Policies – Understand the legalese Policies – Need to act to protect PPI/PHI • Businesses : – Google munged 60 Privacy Policies into 1! – Opt out check-box is 11 pixels wide! – No incentive to manage if consumers don’t care! 45
  46. 46. Mobile Apps (where’s the security indicators?) 46
  47. 47. Privacy in a Social World • Facebook, Twitter and LinkedIn have grown exponentially! • 900 Million! • Privacy issues have increased as well • Mobile users to top 8 billion by 2016 (1) Image: Ben Foster http://www.benphoster.com/facebook-user-growth-chart-2004-2010/ (1) CNET News, quoting Cisco Forecast from 2-14-2012 47
  48. 48. 48
  49. 49. Hot New Tech: Facial Recognition • “Facedeals” – Camera real-time matches face to Facebook – Matches get discounts sent to smartphone 49
  50. 50. Fiction: Minority Report 50
  51. 51. Reality: Disney’s MagicBands (MyMagic+) 51
  52. 52. Google Glass • Camera inconspicuously imbedded in glasses – Pictures and stream video to social networks • Already banned in a Seattle Restaurant (5 Point Cafe) – What about at airports (TSA Security check points) – School yards • Smartphone and video cameras 52
  53. 53. 53
  54. 54. Privacy Ramifications • How to deal with new technology – e.g., Facedeals, MagicBands • Opt out of facial scans? • Misuse of technology! • Tracking children • Apple Passbook – iPhone = your wallet • Digital coupons, tickets, loyalty cards • Allow payment with near field chip (NFC). • GPS detects your location and presents coupon • Malware – Nefarious data extractions • GAPP – Can we really apply Privacy Principles? 54
  55. 55. Regulatory Ramifications • International – Appeasing the law patchwork – You think 6000 word Policy is long • Read one that addresses 10 countries! • Now reading page 1 of 101 • United States – Data aggregation and correlation not addressed in US law. • We want ease, we will sacrifice privacy, until it’s too late. 55
  56. 56. On the Horizon • • • • • US Businesses will collect more data and retain Technology will better correlate data Consumers won’t read privacy policies (have you?) Breaches will continue unabated New federal encompassing privacy regulations unlikely – Mobile device data regulations may be looming • Technology outpace regulators • More data in the cloud 56
  57. 57. New Paradigm • Consumers – Personal responsibility • Read Privacy Policies and Security Safeguards – Choice • Select businesses based on privacy – Cognitively execute your preferences – Correct the accuracy of the data, not just when getting a loan (e.g., HIPAA, GLBA, credit bureaus) – Limit the data you provide (do they really need it?) 57
  58. 58. New Paradigm • Businesses need to rethink business model – Capture less data, retain shorter durations – Adopt GAPP principles – Better data protection – De-identify data – Strong encryption • Security/Privacy Professionals – Be aware of the risk – Bad things will happen! – Formally Document the risks for management – Share the risk! (e.g., Annual Risk Posture Statement) – Be a Champion of Privacy and Security 58
  59. 59. Closing Thoughts • Short federal law migrating towards EU Privacy Directive, big business will collect and retain all the data they can gather, including passive data sources we discussed. • Security/Privacy professionals, businesses, and YOU the consumer must be proactive in managing our digital footprints. • Collective responsibly! 59
  60. 60. Links • Link to Tom’s Facebook Privacy & Security Guide – http://www.securestate.com – http://socialmediasecurity.com 60
  61. 61. Tom Eston: teston@securestate.com Twitter: @agent0x0 Brian Dean: bdean@securestate.com [Mostly off the grid ] 61
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×