At a glance.
- Okta's State of Digital Identity.
- CISA ICS Medical Advisories have privacy implications.
- More on BlueLeaks' privacy implications.
- Twitter discloses browser caching incident.
Okta's State of Digital Identity.
Okta's report on the State of Digital Identity in 2020 was released this morning. The company commissioned a consumer survey of "12,000 people between the ages of 18 and 75 in six countries: Australia, France, Germany, the Netherlands, the United Kingdom, and the United States." As the pandemic spread, it followed up with 6,000 of the original respondents to gauge how COVID-19 affected (or failed to affect) their attitudes toward privacy. At a high level, the report offers these five "takeaways":
- "Consumers underestimate the extent to which their data is being tracked." About 42% of Americans, for example, think that online retailers don't collect data about their purchase history.
- "Consumers say privacy outweighs all, including tracking the spread of COVID-19." This is consistent with the widespread suspicion with which contact-tracing apps have been received.
- "Distrust in government is high." Not as mistrusted as social media, but still not highly trusted. There are some national variations here: 45% of Americans said that government involvement made them less comfortable with COVID-19 data collection. In the UK that figure was only 27%.
- "Consumers are sitting on gold mines of data, but many won’t cash in." There's widespread unwillingness to sell personal data.
- "Identity verification is taking a toll on democracy, but mail-in ballots could help."
CISA ICS Medical Advisories have privacy implications.
Three ICS Medical Advisories the US Cybersecurity and Infrastructure Security Agency (CISA) issued this week have privacy implications. Baxter's ExactaMix, Sigma Spectrum infusion pumps, and PrismaFlex and PrisMax devices fail to encrypt some data and transmit other sensitive data in cleartext. Mitigations or patches for the vulnerabilities may be found in the Advisories.
More on BlueLeaks' privacy implications.
Twitter told ZDNet that it has permanently suspended @DDoSecrets, the account of the group that published BlueLeaks, for violating Twitter's policy against distribution of hacked material.
WIRED quotes text messages from DDoSecrets' founder Emma Best. Asked about the observation that BlueLeaks shows little outright illegal police activity, she said this isn't surprising: in DDoSecrets' view, the value of the material is that it shows that legal, routine police conduct is itself problematic, especially in its tone and the attitudes it expresses.
A number of bloggers who’ve commented on BlueLeaks don’t like what they see, because what they see is a relatively indiscriminate revelation of names, addresses, phone numbers, license plates, banking information, allegations of crime, and so forth. Best told WIRED that, "Due to the size of the dataset, we probably missed things. I wish we could have done more, but I'm pleased with what we did and that we continue to learn." She does not regret the identification of individual police officers, which she sees as a contribution to transparency, the public having a right to know names and other personally identifiable information about police.
Security Boulevard published a sample of reactions to BlueLeaks under the headline “BlueLeaks is a huge FAIL for Anonymous and DDoSecrets.” “They basically painted huge targets on an unfathomable amount of private citizens,” said one representative comment, calling attention to the leaks' potential use by those interested in retaliation against "snitches," abused spouses, and so on.
Twitter's business customers exposed (at least a little).
The BBC reported that Twitter yesterday sent a note (with an apology) to business users of its Twitter Ads and Analytics Manager platforms, informing them that some of their billing data, including email addresses, phone numbers, and the last four digits of their credit card numbers, may have been stored in their browsers' caches. Twitter's note read, in part, "We became aware of an issue that meant that prior to May 20, 2020, if you viewed your billing information on ads.twitter.com or analytics.twitter.com the billing information may have been stored in the browser’s cache. Examples of that information include email address, phone number, last four digits of your credit card number (not complete numbers, expiration dates or security codes), and billing address. If you used a shared computer, it is possible that if someone used the computer after you they could have seen the information stored in the browser's cache (most browsers generally store data in their cache by default for a short period of time like 30 days)." Twitter says it has changed the caching instructions its platform sends to browsers so the problem doesn't recur. The company has no evidence of any abuse, but it's "very sorry" nonetheless.
While some articles (like this one in SC Magazine) have reacted to the incident with alarm, the industry sources we've heard from tend to regard it as relatively minor.
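The "instructions" Twitter refers to are HTTP caching headers. The following is an added illustration written for this note, not Twitter's code and not a description of its actual fix (which the company's note does not detail): the "weak" header set is an assumption about the kind of configuration that lets a browser write a billing page to its disk cache, and the "hardened" set is the standard remedy. The check implements the RFC 7234 storage rule from a browser's point of view in simplified form: only `no-store` keeps the response out of the cache, while `private` and `no-cache`, which developers often reach for, do not.

```python
"""Added example: why a billing page ends up in the browser cache, and the
response headers that prevent it. Illustrative code, not Twitter's; the
'weak' header values are an assumption about the misconfiguration."""

import time
from email.utils import formatdate


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header value into {directive: argument or None}.
    Directive names are case-insensitive; quoted arguments are unquoted."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: dict) -> bool:
    """Simplified RFC 7234 storage rule as seen by a private (browser) cache.

    Only 'no-store' forbids writing the response to disk. 'private' merely
    keeps shared caches (CDNs, proxies) out, 'no-cache' only forces
    revalidation before reuse, and 'max-age=0' makes the copy stale but
    still stored. All three leave the bytes on disk for the next user of
    a shared machine, which is the exposure the Twitter note describes.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in cc


def billing_response_headers(hardened: bool) -> dict:
    """Response headers for a page that renders billing details.

    hardened=False is the assumed weak variant: 'private' looks protective
    but the user's own browser still caches the page.
    hardened=True is the fix: 'no-store', plus legacy hints so HTTP/1.0
    agents that ignore Cache-Control also refuse to keep a copy.
    """
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Date": formatdate(time.time(), usegmt=True),
    }
    if hardened:
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
        headers["Pragma"] = "no-cache"  # HTTP/1.0 caches ignore Cache-Control
        headers["Expires"] = "0"         # already expired, for the same agents
    else:
        headers["Cache-Control"] = "private, max-age=600"
    return headers


if __name__ == "__main__":
    for hardened in (False, True):
        headers = billing_response_headers(hardened)
        label = "hardened" if hardened else "weak"
        print(f"{label:8} Cache-Control={headers['Cache-Control']!r} "
              f"-> browser may store: {browser_may_store(headers)}")
```

Run as a script it reports the weak variant as storable and the hardened one as not. The same `browser_may_store` check can be pointed at any captured response (for example from a proxy) to find pages that render personal or payment data without `no-store`, which is the audit a shared-computer scenario like this one calls for.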
James McQuiggan, Security Awareness Advocate at KnowBe4, wrote, "Unfortunately, this data leak occurred with Twitter and they, like many other technical organizations, have incidents from time to time that impact their users. Last year, mobile phone numbers from Twitter were grievously exposed. Twitter came forth, was transparent, and corrected the issue." He would assess this incident as a "nuisance issue." It would have become a serious one, he thinks, had Twitter known about it and tried to keep it under wraps.
Mark Bower, Senior Vice President at data security shop comforte AG, commented, “The likely culprit here is human error, but it illustrates the frailty of modern, dynamic environments to just one or two configurations that can lead to potential catastrophe. While the data exposed here is limited in nature, it’s a timely reminder that organizations capturing personal data need to examine the complete data lifecycle risks and implement protective and operational controls that limit its exposure end to end.”
Paul Bischoff, Privacy Advocate with Comparitech, reached a conclusion similar to that of KnowBe4's McQuiggan: “Twitter's data security incident is relatively minor in both scope and severity. It only affects Twitter users who use the ads and analytics services, which is a small fraction of all Twitter users. Furthermore, an attacker needs access to the user's browser in order to steal information, and they can only steal it from one user at a time. Compared to a data breach in which hackers obtain information on thousands or millions of users in one go, the incentive for hackers to steal it is small. The information they can access isn't particularly valuable given there's no complete payment data or especially sensitive personal information stored in the cache. If you've logged into Twitter ads or analytics from a device that's used by other people, there's a chance that information could be stolen. Ads and analytics users should be on the lookout for targeted phishing emails from Twitter or a related company, and be sure to clear their browser caches.”
And, finally, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, thinks there's a lesson for users: don't rely on websites to protect their privacy. "I strongly recommend users set their browser to delete its cache when shutting down or restarting the browser," he said. "While clearing cache files will cause websites to load more slowly after you restart your browser, the security advantages easily outweigh this minor inconvenience.”