What’s up with WhatsApp privacy (Avast blog)

Last month, I wrote about the evolution of Instant Messaging interoperability. Since posting that article, the users of WhatsApp have fled. The company (which has been a subsidiary of Facebook for several years now) gave its users an ultimatum: accept new business data sharing terms or delete their accounts. For some of its billion global users, this was not received well, especially since some of your data would be shared across all of Facebook’s other operations and products. The change was indicated through a pop-up message that requires users to agree to the changes before February 8. The aftermath was swift: tens of millions of users signed up for either Signal or Telegram within hours of the news.

If you are interested in getting more of the details and my thoughts about whether to stay with WhatsApp or switch to Telegram or Signal, you should take a gander over on the Avast blog and read my post.

WhatsApp pushed off the change until May, which was probably wise. There was a lot of bad information about what private data is and isn’t collected by the app and how it is shared with the Facebook mothership. For example: while the change deals with how individuals interact with businesses, Facebook has and will continue to share a lot of your contact data amongst its many properties. What this whole debacle indicates though is how little most of us that use these IM apps every day really understand about how they work and what they share. My Avast blog tracks down the particular data elements in a handy hyperlinked reference chart.

The problem is that to be useful your IM app needs to know your social graph. But some apps — such as Signal — don’t have to know much more than your friends’ phone numbers. Others — such as Facebook Messenger — want to burrow themselves into your digital life. I found this out a few years ago when I got my data dump from Facebook, and that was when I deleted the standalone smartphone app. I still use Messenger from my web browser, which is a poor compromise I know.

Speaking of downloading data, I requested my data privacy report from WhatsApp and a few days later got access. There are a lot of details about specific items, such as my last known IP address, the type of phone I use, a profile picture, and various privacy settings. This report doesn’t include any copies of your IM message content, and was designed to meet the EU GDPR requirements. I would recommend you request and download your own report.

One of the sources that I found while doing the research for my blog post was a Consumer Reports article that walked me through the process of making WhatsApp more private. You can see the appropriate screen here. Before today, these items were set to “everyone” rather than “my contacts” — there is a third option that turns them off completely. This screen is somewhere I had never visited before, despite using WhatsApp for years. It shows you that we always have to be vigilant about our privacy — especially when Facebook is running things — and that there are no simple, single answers.

Never before have we had so many choices when it comes to communicating: IM, PSTN, IP telephony and web conferencing. We have shrunk the globe and made it easier to connect with pretty much anywhere and anyone. But the cost is dear: we have made our data accessible to tech companies to use and abuse as they wish.

Network Solutions blog: why are online containers so often unsecured?

In any given week, security researchers discover caches of data on cloud servers that are completely open to the public, usually containing the most sensitive information about a company’s customers. Leaks were found earlier this summer that revealed data coming from Avon as well as from Ancestry.com. This latter leak wasn’t the first breach for Ancestry — it had an earlier 2017 leak here. The problem is simple to describe and appears — at least at first glance — simple to fix. When you initially set up your online storage, you are asked who has access and what rights are accorded to each user. However, developers have hundreds if not thousands of containers to keep track of, and sometimes they forget to lock all of them down.

In my blog for Network Solutions, I discuss how to find these unsecured containers and how to prevent these leaks from happening.
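The post above describes the failure mode (a few of many containers never locked down) rather than a procedure, so here is an added example of the kind of check a defender can run over a bucket inventory. It is not code from the article or from Network Solutions; it assumes the AWS S3 bucket-policy JSON format, and the bucket names, account id, role and VPC endpoint id in the sample policies are constructed placeholders. The check flags any Allow statement whose principal is anonymous (`"*"` or `{"AWS": "*"}`), and separates statements with no Condition (open to the whole internet) from those a Condition narrows and a human should confirm.

```python
import json

# Constructed sample bucket policies (not from the article or any real
# account) showing the three cases an audit needs to tell apart.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-assets/*",
    }],
})

CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneFromOurVpcEndpoint",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-internal-reports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """The policy grammar allows a bare string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of 'anyone at all'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json):
    """Return (sid, actions, severity) for each Allow statement granted to anonymous principals.

    severity is "public" when nothing limits the grant, or "review" when a
    Condition block narrows it (for example to a VPC endpoint) and a person
    should confirm the restriction is what was intended.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        severity = "review" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no sid>"), _as_list(stmt.get("Action", [])), severity))
    return findings


def audit_buckets(inventory):
    """Given {bucket_name: policy_json_or_None}, return (name, severity) pairs
    that need attention, worst first. Buckets with no policy are not flagged
    by this check; their exposure would come from ACLs or the account's
    block-public-access settings, which are a separate check."""
    flagged = []
    for name, policy_json in inventory.items():
        if not policy_json:
            continue
        severities = {sev for _, _, sev in find_public_statements(policy_json)}
        if "public" in severities:
            flagged.append((name, "public"))
        elif "review" in severities:
            flagged.append((name, "review"))
    return sorted(flagged, key=lambda item: (item[1] != "public", item[0]))


# Constructed inventory standing in for what a real listing would return.
SAMPLE_INVENTORY = {
    "example-customer-exports": PUBLIC_READ_POLICY,
    "example-app-assets": RESTRICTED_POLICY,
    "example-internal-reports": CONDITIONED_POLICY,
    "example-logs": None,
}

if __name__ == "__main__":
    for name, severity in audit_buckets(SAMPLE_INVENTORY):
        print(f"{severity:7} {name}")
```

In practice the inventory would be filled by listing buckets and fetching each policy with the cloud provider's API; the point of keeping the evaluation separate from the fetch is that the same logic can be run in a scheduled job so a container that was opened for a one-off export does not stay open for years.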

CSOonline: Top 7 security mistakes when migrating to cloud-based apps

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend. There are good and bad ways to make this migration to the cloud and many of the pitfalls aren’t exactly new. In my analysis for CSOonline, I discuss seven different infosec mistakes when migrating to cloud apps.


Avast blog: The rise and fall of Parler

In the past week, we have seen the takedown of a social network by its largest technology partners. I refer to Parler, of course. The events weren’t entirely a surprise, but their velocity and totality were unusual. First, Apple and Google removed the Parler apps from the iTunes and Play stores. Then, its hosting partner, Amazon, shut down its servers on Amazon Web Services. I wrote about the issues surrounding the Parler takedown for Avast here, examining its surge in popularity and its takedown, and whether this constitutes censorship.

Avast blog: Covid tracking apps update

After the Covid-19 outbreak, several groups got going on developing various smartphone tracking apps, as I wrote about last April. Since that post appeared, we have followed up with this news update on their flaws. Given the interest in using so-called “vaccine passports” to account for vaccinations, it is time to review where we have come with the tracking apps. In my latest blog for Avast, I review the progress on these apps, some of the privacy issues that remain, and what the bad guys have been doing to try to leverage Covid-themed cyber attacks.

Avast blog: Which security certification will help you grow your career?

One of the things not lacking in the information security community is the dozens of cybersecurity industry certifications that are available to burnish your qualifications. These include vendor-driven certifications from leading security companies like Cisco and Microsoft, courses that will lead towards certifications from SANS, and many others. In this post for Avast’s blog, I will guide you through this maze.

From the archives: my work for the US Congress’ Office of Technology Assessment

Seeing the attacks on our Capitol brought back memories of working for Congress in the early 1980s at this small bipartisan agency. I contributed chapters to two major research reports:

I am thankful that the Woodrow Wilson Center at Princeton has preserved these digital copies.

RSA blog: Paying Down your Technical Security Debt

As we begin 2021, one of the first orders of business is to undo some of the quick decisions we made during the beginning of the pandemic last year. Nowhere is this more the case than in dealing with our technical infosec debt, a variant of the term “technical debt” coined by Ward Cunningham decades ago. It is basically a fancy term for taking the easy route, for cutting corners and saving time by not really looking at the longer-term consequences of certain decisions that could make your IT infrastructure inherently insecure. It reflects the implied costs of reworking the code in your program due to taking these shortcuts, shortcuts that eventually will catch up with you and have major security implications in the future.

You can read the latest in my blog for RSA here.

Avast blog: It’s time to consider getting a Covid-19 vaccine passport for travel

As the number of people getting vaccinated against Covid-19 rises, it’s time to review the ways that people can prove they have been inoculated when they want to cross international borders. These so-called “vaccine passports” have been in development over the past year and are starting to go through various trials and beta tests. The passports would be used by travelers to supplement their actual national passport and other border-crossing documents as they clear customs and immigration barriers. The goal would be to have your vaccination documented in a way that it could be accepted and understood across different languages and national procedures.

In my blog for Avast, I talk about how these passports (such as the open source CommonPass, shown above) could prove to be a solution for travelers crossing borders, but they also come with their own set of challenges.


Kaspersky blog: Despite all the cool tools, tech collaboration is still missing something

Since the pandemic began, organizations have been working hard on how they collaborate. But something’s still missing, and it’s to do with people. Looking at successful tech and creative collaborations of the past, common trends emerge. Any organization can use these to kickstart better collaboration within and between their teams. I highlight a few of these classic great situations, including the effort to produce new Covid vaccines, how the Unabomber was found by the FBI, the Bletchley Park code-breakers, and others for my latest blog post for Kaspersky.