At a glance.
- Apple's new mobile privacy push.
- Privacy protection or restraint of trade?
- Possible direction of US privacy legislation and regulation.
- Karachi ride-hailing and delivery service suffers data exposure.
Apple adds a BlastDoor mobile privacy feature.
Security Week explains that Apple discreetly incorporated mitigations into iOS 14 to protect against zero-click iMessage attacks. In December, Google's Project Zero research team uncovered a memory corruption vulnerability that, when exploited, would allow an attacker to remotely steal data from the user’s phone. Now, a researcher from the same team has discovered that Apple has included a “significant refactoring of iMessage processing” in its latest operating system, including a sandboxed “BlastDoor” service that parses potentially unsafe iMessage data in isolation, making it far more difficult for threat actors to chain together the vulnerabilities needed to execute such an attack.
Apple and Facebook face off over user privacy.
During a presentation on Data Privacy Day, Apple announced that this spring it will introduce App Tracking Transparency, a new privacy control that will prevent mobile apps from tracking users without express permission, Security Week reports. Though the tech leader initially scheduled the rollout for last September, Apple delayed the launch in the midst of pushback from Facebook and other apps that depend on data tracking for ad revenue. Facebook even went so far as to take out full-page ads in national newspapers like the Wall Street Journal and the New York Times, detailing how Apple’s privacy practices would weaken profit streams for platforms that depend on tracking to personalize ads.
The Wall Street Journal offers a closer look at the latest punches thrown in the ongoing feud between Apple and Facebook over data privacy. Apple CEO Tim Cook took a moment during his speech on Data Privacy Day to point out how platforms like Facebook that rely on user engagement for profit are benefiting from the dissemination of disinformation. He even went so far as to draw a line between these platforms and the civil unrest experienced in the US recently: “It is long past time to stop pretending that this approach doesn’t come with a cost of polarization, of lost trust, and yes, of violence.” Just the day before, Facebook’s CEO Mark Zuckerberg had accused Apple of using new user privacy policies as a way of crippling its competitors (which is slightly ironic given that Facebook was recently sued by the Federal Trade Commission for its own alleged anticompetitive policies). “Apple has every incentive to use their dominant platform position to interfere with how our apps and other apps work, which they regularly do to preference their own,” he stated.
The future of US data privacy reform.
Speaking of Data Privacy Day, in honor of the special event (yesterday, in case you missed it), Infrascale explained how US government legislation might affect how users protect their personal data and how companies uphold privacy protections. A recent study from Pew Research revealed that 81% of American respondents feel they have little control over the data collected by companies, and 84% feel the same about data gathered by the government. Experts anticipate that the Biden administration will use the EU’s General Data Protection Regulation as a model for user privacy reform, and possibly even exceed the GDPR’s regulations, likely following the aggressive stance taken by the California Consumer Privacy Act and the California Privacy Rights Act.
Data exposure at Bykea.
Safety Detectives researchers report that an exposed Elasticsearch instance at Karachi-based Bykea (one of Pakistan's larger ride-hailing and delivery services) allowed access to more than 200 gigabytes of data, among which were records of customers' full names, locations, and other personal information. "The Elastic instance was left publicly exposed without password protection or encryption," Safety Detectives said, "which meant anyone in possession of the server’s IP address could access the database and potentially remove data from it."
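The exposure pattern described above (an Elasticsearch node bound to a public address with no authentication and no TLS) is a configuration defect that can be caught before deployment. The following is an added example, not code from Safety Detectives or Bykea: a small audit that reads an elasticsearch.yml and flags the combination of a non-loopback `network.host` with `xpack.security.enabled` or `xpack.security.http.ssl.enabled` left off. It assumes Elasticsearch 7.x-era defaults (security is off unless explicitly enabled, and `network.host` defaults to loopback), and it parses only the flat "dotted.key: value" lines that elasticsearch.yml normally uses. The sample configurations are constructed for illustration.

```python
"""Flag the 'open Elasticsearch' misconfiguration in an elasticsearch.yml.

Added example (not Bykea's or Safety Detectives' code). Assumes ES 7.x-style
defaults: security must be switched on explicitly, network.host defaults to
loopback. Only flat "dotted.key: value" lines are parsed.
"""
from typing import Dict, List

# Values of network.host that keep the node reachable from this machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse top-level 'key: value' lines; skip comments, blanks, nested blocks."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or ":" not in line or line[0].isspace():
            continue  # blank, not a key/value, or an indented (nested) line
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def bound_hosts(settings: Dict[str, str]) -> List[str]:
    """Return the list of addresses network.host binds to (default: loopback)."""
    raw = settings.get("network.host", "_local_")
    return [h.strip().strip("\"'") for h in raw.strip("[]").split(",") if h.strip()]


def audit(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the public-exposure pattern."""
    findings: List[str] = []
    hosts = bound_hosts(settings)
    publicly_bound = any(h not in LOOPBACK_HOSTS for h in hosts)
    if not publicly_bound:
        return findings  # loopback-only nodes are not reachable from the network
    if not _is_true(settings.get("xpack.security.enabled", "false")):
        findings.append(
            f"network.host={hosts} is reachable from the network but "
            "xpack.security.enabled is not true: no authentication on the REST API"
        )
    if not _is_true(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(
            "xpack.security.http.ssl.enabled is not true: REST API traffic "
            "(including credentials, once enabled) is sent in cleartext"
        )
    return findings


# Constructed sample configurations (not the real Bykea configuration).
EXPOSED_CONFIG = """
cluster.name: rides-prod        # constructed sample
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: rides-prod        # constructed sample
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

LOCAL_ONLY_CONFIG = """
cluster.name: dev-box           # constructed sample
network.host: 127.0.0.1
"""

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("local-only", LOCAL_ONLY_CONFIG)]:
        problems = audit(parse_flat_yaml(cfg))
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running the script reports two findings for the exposed configuration (no authentication, no TLS), none for the hardened one, and none for the loopback-only development node. A check like this belongs in the same pipeline that ships the configuration, which is the kind of "system automation" control the comment below refers to.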
We received several comments from industry experts on the data exposure. Chloé Messdaghi, Chief Strategist at Point3 Security, views it as another instance of failure to observe encryption fundamentals:
“This is a case study in why every government needs to step in and enforce some fundamental data privacy protection legislation with penalties. Not too long ago, attackers deleted this company’s customer database – but they had backups and were back in business.
“Now, because of a failure to practice fundamental encryption to protect their customers’ data, some 400 million people’s financial, location, national identity card and personal data has been exposed, and their lives are likely to be upended at some point.
“In 2021 encryption should be a no-brainer. The first step must be better regulation governing all organizations collecting financial data and requiring them to use encryption. That mandate must come from all national governments large and small, with superpowers such as the US taking a lead, and with Zero Trust policies enforced as well.
“Here in the US, we also lack requirements of businesses that reflect the practices mandated by the EU-US Privacy Shield and GDPR. It’s past due time, and until our legislators take strong and informed actions, people are only going to continue getting hurt.”
Saryu Nayyar, CEO of Gurucul, also sees the incident as a failure of basic security practices:
“The reported data breach from Bykea in Pakistan is not so much a breach as a lapse of basic system administration standard practices. Leaving a server accessible to the open internet with no authentication and no encryption is almost hard to imagine in 2021. Here, a misconfiguration has revealed customer, business, and employee information that could easily be used for social engineering, identity theft, and other attacks, while exposing the infrastructure made their environment vulnerable to a range of attacks, including data theft and ransomware.
“This highlights how important following industry best practices is for basic administration tasks, let alone for information security. Fortunately, there are a range of tools that can help prevent these lapses, from system automation tools in the SysAdmin world to security analytics on the security side.”