At a glance.
- User attitudes toward data privacy.
- COVID Delta variant arrives with scams in its wake.
- Further reaction to Power Apps misconfiguration.
Users want to protect their information (unless they can trade it...)
Appdome has released the results of a study examining users’ expectations when it comes to mobile app security. Though one might predict flashy app features would be more attractive than security tools, the majority of respondents stated they’re more concerned about protecting their data, PR Newswire explains. Nearly three-quarters said they’d drop an app if it didn’t defend them against hacking, and 38% said that, when it comes to choosing an app, security is their number one concern. Appdome CEO Tom Tovar summarized, "The voice of the consumer flips the script on the 'security vs. features' debate, making clear that mobile app security and malware protection are on par with other critical features in the mobile app experience and demanded by every consumer that downloads and uses a mobile app."
That said, never underestimate the power of a discount. Breeze takes a look at how insurance companies like John Hancock, Vitality, and Aetna are using smart tech to collect client data to determine insurance rates, and studies show many customers are willing to hand over their info in exchange for lower premiums. Breeze surveyed one thousand US adults and found that while the majority are opposed to insurance companies collecting big data, younger respondents are far more willing to hand over their info, likely because they’ve been raised in an economy where personal data is currency. And when the possibility of lower rates was offered as an incentive, over half of respondents saw no problem with sharing details like fitness tracker and medical data, car activity, or even the habits of their pets.
Delta variant revives pandemic-themed scams.
When it comes to the still lingering COVID-19 pandemic, there’s more to be wary of than the Delta variant. After a brief respite in the spring, when decreasing infection rates gave us all a false sense of security, researchers at Proofpoint have seen a global increase in pandemic-focused operations since June 2021 as cybercriminals take advantage of the public’s focus on vaccination and the new variant. Some campaigns distribute malware like RustyBuer, Formbook, and Ave Maria, while others harvest Microsoft and O365 credentials. Now that it’s commonplace for companies to ask their employees for proof of vaccination, scammers posing as HR department staff or even health agencies are convincing targets to hand over the private data on their vaccination cards. The security experts at Inky offer details about a phishing campaign using hijacked email accounts to bypass email authentication tools and lure victims to a fake Microsoft Outlook login page. All of these schemes capitalize on emotion and bureaucracy to persuade the target to act without thinking. As Proofpoint’s vice president Sherrod DeGrippo told the Washington Post, “They need you to click on them, so in order to get the person to take the action, you’ve got to escalate their emotional state to one that has them emotional, instead of intellectual — thinking with the smart part of the brain.”
Further comment on Power Apps misconfigurations.
Roshan Piyush, security research engineer at Traceable, offered some additional comments on the ways in which Power Apps have left data exposed to the Internet:
“The OData Protocol is an application-level protocol for interacting with data via RESTful web services. Power Apps Portals lists are used to display data from tables stored within Microsoft Dataverse. Limiting access to the list data requires enabling Table Permissions. When the OData protocol is enabled on the Power Apps list, they allow any REST client to consume the data in the list. However, contrary to the table permissions that by default prevent anonymous access, lists ignore the table permissions unless the ‘Enable Table Permissions’ boolean value was checked. The configuration requirement was clearly stated in the documentation, but most of the time documentation is only looked at when users are stuck and unable to move forward. This allowed the configuration to remain unnoticed for affected customers and data to be accessible anonymously.
“This is a common occurrence, where users are not aware of every configuration and the repercussions behind their choices. Also known in the OWASP API Top 10 as ‘API7:2019 Security Misconfiguration’ and in the OWASP Top 10 as ‘A6:2017-Security Misconfiguration,’ this is already recognized by security professionals but often gets overlooked when it comes to third-party configurations. Even the configurations themselves could differ between environments such as Production or QA, giving false assertions of security.
“Businesses can have both a direct and indirect impact depending on the kind of data exposed. Data breaches, especially those consisting of sensitive data, could result in financial loss costing millions of dollars and destroying the reputation of the company. Consumers similarly can be variably affected depending on the data. Personal data could be used for phishing or credit card fraud. Even cases of identity theft have been observed with exposure of social security numbers alongside personal information.
“Businesses may often ignore such configurations in their third-party integrations. Such issues even go unnoticed in security reviews. It's important to do a security review of your third-party service integrations and the data flowing in and out of them. With scale this can become impossible. This is where API security solutions that can provide you visibility for east-west and north-south API traffic and the risks around them can help. Most solutions ignore visibility around egress traffic, which is where such issues can persist, hence it’s important to work with the correct API security solution for complete visibility.”
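The misconfiguration described above (OData feed enabled while table permissions are not enforced) can be caught by a routine self-audit of the portals an organization administers. The script below is an added example, not code from the article or from Traceable; it assumes the portal serves the standard `/_odata` endpoint and returns OData-style JSON with a top-level `value` array, and it reports each advertised entity set as protected, empty, or exposed to unauthenticated reads.

```python
"""Added example: self-audit of a Power Apps portal's OData feed. Assumption
(not stated in the article): the portal exposes the standard /_odata endpoint
and answers with OData-style JSON carrying a top-level "value" array."""
import json
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

def parse_service_document(body: str) -> list:
    """Names of the entity sets advertised in an OData service document."""
    doc = json.loads(body)
    return [e["name"] for e in doc.get("value", []) if isinstance(e, dict) and "name" in e]

def classify_entity_response(status: int, body: str) -> str:
    """Classify one anonymous GET of <portal>/_odata/<set>?$top=1."""
    if status in (401, 403):
        return "protected"          # table permissions are being enforced
    if status != 200:
        return "unexpected:%d" % status
    try:
        rows = json.loads(body).get("value", [])
    except (ValueError, AttributeError):
        return "unexpected:non-json"
    # 200 with at least one row means an unauthenticated client can read the list
    return "exposed" if rows else "empty"

def anonymous_get(url: str):
    """GET with no cookies or Authorization header; returns (status, body)."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""

def audit_portal(base_url: str) -> dict:
    """Map each advertised entity set to its exposure classification."""
    root = base_url.rstrip("/")
    status, body = anonymous_get(root + "/_odata")
    if status != 200:
        return {}                   # feed disabled or protected: nothing to list
    results = {}
    for name in parse_service_document(body):
        s, b = anonymous_get("%s/_odata/%s?$top=1" % (root, name))
        results[name] = classify_entity_response(s, b)
    return results

if __name__ == "__main__":
    # usage: python odata_audit.py https://<your-portal>.powerappsportals.com
    for entity, verdict in audit_portal(sys.argv[1]).items():
        print("%-40s %s" % (entity, verdict))
```

Any entity set reported as "exposed" is a list whose table permissions are not being applied and should be fixed in the portal configuration before the feed is left enabled.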