- Marketing and data aggregation firm Exactis left a public server containing more than 340 million records–including phone numbers, emails and addresses, as well as 400 personal characteristics, like religion and hobbies–exposed.
Setu Kulkarni, VP of Corporate Strategy at WhiteHat Security:
“Interestingly, the researcher (who initially reported the vulnerability to Exactis and the FBI) got to the unprotected database by scraping digital logs after he was able to connect to the log management system (in this case, Elasticsearch). Elasticsearch, unfortunately, did not have a high level of security in place. How do digital logs create vulnerabilities, and how do companies prevent this?
- Logs can be thought of as the ‘digital exhaust’ of your applications and infrastructure. They contain critical information about your apps and infrastructure that, if made public, can expose all known and unknown vulnerabilities.
- More broadly, when using cloud-based infrastructure services – a new level of threat modeling is required that focuses not just on the applications, but also on the operating environment.
- Establishing and following the ‘chain of security’ is critical!
- First, secure your data (in this case, the logs);
- Second, secure the applications that access the data (in this case, the Elasticsearch system);
- Third, get strict with identity management (in this case, the database server and the Elasticsearch system);
- Fourth, secure the endpoint (in this case, the Elasticsearch system should have been secured behind the network perimeter).”
- A new report found “dark patterns” in Facebook and some other service providers–revealing that they are employing a number of tactics to nudge end users away from data privacy.
Jeannie Warner, Security Manager at WhiteHat Security:
“This is the type of report I intend to share with personal friends and family on Facebook as well as other places. I do not think it is appropriate for stalker apps like Spokeo and Foursquare to generally announce your whereabouts, and I’ve frequently advised against ‘checking in’ at sporting or concert events. We have whole industries dedicated to penetrating privacy for the purposes of marketing and information gathering. GDPR is the first legislation ever written that grants the right to be forgotten for EU citizens. This is important legislation, especially in a world where tracking and locating individuals can result in negative consequences such as mistaken identity and inappropriate detainment. There is a question of trust on the part of the various apps, namely that you must believe the maker of the app has used the best security measures for safeguarding your data, as well as keeping your rights and preferences at heart when distributing your data to other applications.
Programmers are not privacy lawyers. Marketing people are definitely not privacy lawyers. Somewhere in the chain of application design, development, distribution and data gathering, there may be a link which does not have user privacy and user best interests at heart, and there’s the weak link in the chain of social trust. This sort of behavior is, not coincidentally, why I advocate strongly for people tracing their genetics and DNA to avoid data sharing. Not because I want to deprive clinical researchers of data that could lead to better treatments and cures – but because, honestly, I don’t think we have secure data storage and transmission down such that I want my genetics saved anywhere. And given the frequent changes in policies on pre-existing conditions, I am uncomfortable sharing my genetics with someone who could decide that I am at risk and shouldn’t be covered because my eyes are brown and my grandfather was from Sweden.”