Is it worth exposing your personal data in exchange for the convenience of using pet apps on your smartphone?

Pet apps leaking your sensitive information has probably been a no-brainer for you. But it may be now, thanks to two recent studies presented at the 2022 IEEE European Symposium on Security and Privacy Workshop conference.

On 28 February, computer scientists from Newcastle University and Royal Holloway, University of London exposed a number of security and privacy issues. Researchers from both universities evaluated popular Android apps for pets and other companion animals, as well as farm animals. They found that 40 users are leaking information.

Pet industry developers use technology, dubbed pet tech, to improve the health, well-being and overall quality of life of pets. Obviously, they also use it as a source of data acquisition, which puts users’ security at risk.

Pet tech is expanding and includes a wide range of products including GPS trackers, automatic feeders and pet cameras, according to a written statement from Newcastle University. Other examples of pet technology include wearable devices that monitor pets’ activity levels, heart rates, and sleep patterns.

Some of these pet apps control smart feeding systems that dispense food at a set time or in response to the animal’s behavior. These apps and platforms also allow owners to track and manage their pet’s health records and connect with veterinary professionals.

According to Ashish Patel, general manager/EMEA at mobile security solutions firm Zimperium, the leaky apps problem is widespread, going far beyond just pet apps.

The problem is evident across all markets, countries and applications. This includes sharing unencrypted information in clear text and sharing data on open cloud-based servers.

“It’s a problem that’s coming to the forefront now, but we see more organizations implementing security from development, with scanning techniques in app development to create more secure apps, to ensure app keys are encrypted and it is equally important that it is running on a secure [non-breached] device with run-time protection,” Patel told TechNewsWorld.

What researchers discovered about pet apps

The researchers did not disclose the names of the pet apps analyzed. Nor did they clarify what type of content was leaked from specific apps.

However, they verified that the apps sent developers sensitive user information, including email addresses, location data and pet details, without encryption or user consent.

Many of these apps put users at risk by exposing their login or location details.

According to the Newcastle University statement, three applications had users’ login details visible in plain text within non-secure HTTP traffic, meaning anyone able to inspect the internet traffic of someone using one of these apps could get their login information.

Furthermore, two apps also showed user details, such as their location. This allows someone to gain access to their devices and expose them to a cyber attack.

The tracking software embedded in four apps raised another concern: the trackers could collect user data related to how the app or smartphone was used.

The analysis revealed that 21 apps track users without their consent, violating current data protection rules.

Researchers’ privacy and security warnings

Scott Harper, a Ph.D. student at Newcastle University’s School of Computing and lead author of the study, said pet tech products such as smart collars and GPS trackers are a fast-growing industry. This brings with it new security and privacy risks for pet owners.

“While owners may use these apps for peace of mind about their dog’s health or where their cat is, they may not be happy to learn about the risks they pose,” he said in the university statement. Apps that keep for cyber security.

Harper urged users to make sure they set up unique passwords, check settings and consider how much data they want to share.

Dr. Maryam Mehranzad, co-author of the report from the Department of Information Security at Royal Holloway, University of London, said that using modern technologies to improve many aspects of our lives often involves cheap technologies that come at a cost to users’ privacy, security and safety.

“Animal technologies can pose complex risks and harms that are not easy to identify and trace. In this interdisciplinary project, we are working on solutions to reduce such risks and enable animal owners to use such technologies without risk or fear.”

Second study shows user complacency

The research team conducted a second study which surveyed 600 participants from the UK, US and Germany. They questioned the technologies used, the events that occurred, and the methods used to protect their online security and privacy in general and pet apps in particular. The researchers published the survey findings in the journal Proceedings of the 12th International Conference on the Internet of Things. Their results revealed that participants believed there were a variety of attacks likely to target their pet technology.

Despite this concern, respondents said they take some precautions to protect themselves and their pets from the potential risks and harms of these technologies. The university statement did not disclose the numerical results.

Co-author Dr Matt Leach, Director of the Center for Comparative Biology, Newcastle University, said: “We would urge those developing these technologies to enhance the security of these tools and applications to reduce the risk of their personal information or location being shared.”

Cyber Security Insider Responses

According to Casey Ellis, founder and CTO of crowdsourced cybersecurity firm BugCrowd, application developers, especially for apps that are not “security first” in their nature, often prioritize features and usability over security to differentiate in-market. Speed is the natural enemy of security, so these kinds of issues are often seen in fast-to-market areas like mobile applications.

“At the end, [vulnerabilities vary and] come down to risk to the individual user. For example, to some people, a breach of privacy may not seem like such a big deal. For others, it could create an immediate personal safety issue,” Ellis told TechNewsWorld.

Regardless, app developers must ensure that security and privacy controls are behaving as users expect, which is clearly not a consistent theme here, he said.

App users should realize that if they are not paying for an app or service, then they are the product. Zane Bond, head of product at cybersecurity software firm Keeper Security, warned that your data and usage is how the company will make money.

“Be aware and understand that most services are not free. You just have no idea of the cost. Even with many paid services, your data is still for sale,” Bond told TechNewsWorld.

Sharing high-resolution media online could inadvertently expose sensitive biometric data, according to a report released by a cyber security company on Tuesday.

This can be especially dangerous, said a 75-page report by Trend Micro, because people do not know they are exposing the information.

For example, according to the report, the #EyeMakeup hashtag on Instagram, which has nearly 10 million posts, and the #EyeChallenge with more than two billion views, uncover iris patterns that are enough to pass an iris scanner.

“By publicly sharing certain types of content on social media, we give malicious actors the opportunity to source our biometrics,” the report states. “By posting our voice messages, we uncover voice patterns. By posting photo and video content, we highlight our face, retina, iris, ear-shaped patterns and, in some cases, palms and fingerprints.”

“Since such data may be publicly available, we have limited control over its distribution,” it added. “Therefore we do not know who has already accessed the data, nor do we know for how long or for what purposes the data will be kept.”

Not a panacea

The report covers what types of biometric data can be exposed on social media and outlines more than two dozen attack scenarios.

“The report suggests that biometric identification is not a panacea,” said Will Duffield, a policy analyst at the Cato Institute, a Washington, DC-based think tank.

“As we design detection systems, we need to be aware of technologies going down the pike and potential abuse in the real world,” he told TechNewsWorld.

“Trend Micro raises some valid concerns, but these concerns are not new to biometrics professionals,” Sami Alini, a biometrics specialist with Contrast Security, a maker of self-protection software solutions in Los Altos, Calif., told TechNewsWorld.

He said there are several ways to attack a biometric system, including a “presentation” attack described by the report, which substitutes a photo or other object for the biometric element.

To counter this, he continued, “viability” must be determined to ensure that the biometric presented is that of a living person and not a “replay” of a previously captured biometric.

Avi Turgman, CEO and co-founder of IronVest, an account and identity security company in New York City, agreed that “viability” is one key to thwarting attacks on biometric security.

“The Trend Micro report raises concerns about fraudulent biometrics created through social media content,” he told TechNewsWorld. “The real secret in fraud-proof biometrics is detecting liveliness, something that cannot be recreated through images and videos collected on social media.”

One factor not enough

Even when tested for liveability, biometrics can still be very easy to bypass, security awareness advocates at KnowBe4, a security awareness training provider in Clearwater, Fla., maintained.

“Holding the phone in front of a person’s face while sleeping can unlock the device, especially when they use it with the default settings, and collecting fingerprints is not a difficult task,” he told TechNewsWorld.

“What is even more worrying is that once the biometric factor is compromised, it cannot be changed like a password,” he said. “You can’t change your fingerprints or facial structure for a long time if you violate it.”

If the Trend Micro report shows anything, it’s that multi-factor authentication is a necessity, even if one of those factors is biometric.

“When used as a single factor for authentication, it is important to note that biometrics may be subject to failure or manipulation by a malicious user, particularly when that biometric data is publicly available on social media,” said Darren Guccione, CEO of Keeper Security, a password management and online storage company based in Chicago.

“As the capabilities of malicious actors using voice or facial biometric authentication continue to grow, it is imperative that all users implement multiple factors of authentication and use strong, unique passwords in their accounts to limit the blast radius if an authentication method is violated,” he told TechNewsWorld.

Metaverse problems

“I don’t like to put all my eggs in one basket,” said Bill Malik, Trend Micro Vice President of Infrastructure Strategies. “Biometric is nice and useful, but having an additional factor of authentication gives me more confidence.”

“For most applications, a biometric and a PIN are fine,” he told TechNewsWorld. “When a biometric is used alone, it’s really easy to create.”

He stressed that the collection of biometric data will become an even greater problem when the metaverse becomes more popular.

“When you get into the metaverse, it’s going to get worse,” he said. “You’re putting on these $1,500 glasses that are designed to not only give you a realistic view of the world, but to find out what you like and don’t like about the world you see.” We are constantly monitoring your subtle expressions to find out.

However, he is not concerned that additional biometric data is being used by digital desperadoes to create deepfake clones. “Hackers are lazy, and they get everything they need with simple phishing attacks,” he declared. “So they’re not going to spend a lot of money for a supercomputer so they can clone someone.”

Device-tied biometrics

Another way to secure biometric authentication is to tie it to a piece of hardware. With a biometric enrolled on a specific device, it can only be used to authenticate the user with that device.

Reed McGinley-Stempel, co-founder and CEO of Stitch, a passwordless authentication company in San Francisco, said, “This is the way Apple and Google’s biometric products work today — it’s not just the biometrics that you get when you use Face ID. Let’s check the time.”

“When you actually do a Face ID check on your iPhone, it checks that the current biometric check matches the biometric enrollment that’s stored in your device’s secure enclave,” he told TechNewsWorld.

“In this model,” he continued, “the threat of someone accessing your photos or fingerprinting yours doesn’t help them unless they have control over your physical device, which is a very steep hill for attackers to climb for the remote nature in which the cyber attackers operate.”

Losing control of our data

The Trend Micro report states that as users, we are losing control over our data and its future uses, and the common user may not be well aware of the risks posed by the platforms we use every day.

Data from social media networks is already being used by governments and even startups to extract biometrics and create identity models for surveillance cameras, it continued.

The fact that our biometric data cannot be changed means that in the future, such a wealth of data will be increasingly useful to criminals, it added.

Whether that future is five or 20 years ahead, the data is available now, it said. We are indebted to our future selves for taking precautions today to protect ourselves in tomorrow’s world.

The Trend Micro report, Leaked Today, Exploited for Life: How Social Media Biometric Patterns Affect Your Future, is available in PDF format. No form is required to be filled at the time of this publication.

A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security company.

Called EvilProxy, the service allows threat actors to launch phishing campaigns, with the ability to largely bypass MFA without the need to hack upstream services, the Resecurity researchers noted in the blog.

The service uses methods supported by APT and cyber espionage groups to compromise accounts protected by MFA. According to the researchers, such attacks have been discovered against Google and Microsoft customers whose accounts have MFA enabled via SMS text messages or application tokens.

Phishing links produced by EvilProxy lead to cloned web pages that have been prepared to compromise accounts associated with multiple services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.

Threat actors using EvilProxy are targeting software developers and IT engineers to gain access to their repositories, with the ultimate goal of hacking “downstream” targets, the researchers wrote.

They explained that these tactics allow cybercriminals to capitalize on end users who believe they are downloading software packages from secure resources and do not expect them to be compromised.

Faster, faster, better

“This incident poses a threat to software supply chains because it targets developers by giving the service’s cybercriminal customers the ability to launch campaigns against GitHub, PyPI and NPM,” said Avid Gershon, leader of the security research team at Checkmarx, an application security company in Tel Aviv, Israel.

“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see the service take it a few steps further by making these attacks accessible to less tech operators and adding capability to bypass the MFA.”

Checkmarx’s head of supply chain security Tzachi Zorenstein said the nature of supply chain attacks increases the reach and impact of cyber attacks.

“Abusing the open-source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the beginning of a trend that will increase in the coming months.”

A phishing-as-a-service platform can also increase attacker effectiveness. “Since PhaaS can operate at scale, it enables adversaries to be more efficient at stealing and defrauding identities,” said Resecurity CEO Jean Yu.

“Old-fashioned phishing campaigns require money and resources, which can be overwhelming for one person,” he told TechNewsWorld. “PhaaS is just faster, faster, better.”

“It’s something that’s very unique,” he said. “It’s very rare to produce a phishing service on this scale.”

Well packed

Many illegal services, hacking and malicious-intent solutions are products, explained Alon Nachmany, field CISO at AppviewX, a certificate lifecycle management and network automation company in New York City.

“By using a PhaaS solution malicious actors have less overhead and less to spring an attack,” he told TechNewsWorld.

“Quite honestly,” he continued, “I’m surprised it took so long to become a thing. There are so many marketplaces where you can buy ransomware software and link it to your wallet. Once deployed, you can collect the ransom. The only difference here is that it is completely hosted for the attacker.”

While phishing is often considered a low-effort activity in the hacking world, it still requires some work, said Monia Deng, director of product marketing at Bolster, a provider of automated digital risk protection in Los Altos, Calif. It requires doing things like standing up a phishing site, creating emails, automating managers, and, nowadays, stealing 2FA credentials on top of primary credentials, she explained.

“With PhaaS,” she continued, “everything is neatly packaged on a subscription basis for criminals who do not require any hacking or even social engineering experience. It opens the ground for many more threat actors who want to exploit organizations for their own gain.”

Bad actors, great software

Security researchers explained that payment for EvilProxy is conducted manually through an operator on Telegram. Once the subscription funds are received, they will be credited to the account in the customer portal hosted on TOR. The kit is available for $400 per month.

EvilProxy’s portal has many tutorials and interactive videos on using the service and configuration tips. “To be clear,” the researchers wrote, “the bad actors did a great job in terms of service usability, and configuration of new campaigns, traffic flow, and data collection.”

“This attack just shows the maturity of the bad actor community,” said George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics company focused on security, operations and business information in Redwood City, Calif.

“They are packing these kits nicely with detailed documentation and videos to make it easier,” he told TechNewsWorld.

The service uses a “reverse proxy” principle, the researchers noted. It works like this: Bad actors lead victims to a phishing page, use a reverse proxy to get all the legitimate content the user expects to see, and sniff their traffic through the proxy.

“This attack highlights how low the barrier of entry is for unsophisticated actors,” said Heather Iannucci, a CTI analyst at Tanium, creator of an endpoint management and security platform in Kirkland, Wash.

“With EvilProxy, a proxy server sits between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to login to a legitimate site as a user without an MFA.”

“Defending against EvilProxy is a challenge because it combines cheating a victim and MFA bypass,” Yu said. “The real compromise is invisible to the victim. Everything sounds good, but it’s not.”
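
As an added illustration (not taken from the Resecurity blog or from any vendor quoted in this article), the Python example below shows one server-side check for the session-cookie replay described above: it flags a session whose cookie is presented from interleaving client contexts after the MFA login. The log fields, event names and sample records are constructed assumptions.

```python
"""Flag session cookies that are used from more than one client context."""
from collections import defaultdict

# Constructed sample: (unix_time, session_id, event, source_ip, user_agent).
# Field names and values are illustrative, not from any real product's log.
SAMPLE_EVENTS = [
    (1000, "sess-a", "mfa_login", "198.51.100.7", "Firefox/104"),
    (1030, "sess-a", "request",   "198.51.100.7", "Firefox/104"),
    (1060, "sess-a", "request",   "203.0.113.50", "Chrome/105"),
    (1075, "sess-a", "request",   "198.51.100.7", "Firefox/104"),
    (2000, "sess-b", "mfa_login", "192.0.2.10",   "Safari/15"),
    (2600, "sess-b", "request",   "192.0.2.99",   "Safari/15"),
    (3000, "sess-c", "mfa_login", "192.0.2.44",   "Chrome/105"),
    (3050, "sess-c", "request",   "192.0.2.44",   "Chrome/105"),
]


def classify_sessions(events):
    """Return {session_id: verdict}.

    ok             - every request came from the context that passed MFA
    context_change - cookie moved to a new IP or user agent (may be roaming)
    concurrent_use - contexts interleave (A, B, A): two clients hold the cookie
    """
    contexts = defaultdict(list)  # session_id -> ordered run of contexts
    for _, sid, _, ip, ua in sorted(events):  # sort by timestamp
        ctx = (ip, ua)
        runs = contexts[sid]
        if not runs or runs[-1] != ctx:
            runs.append(ctx)  # collapse consecutive repeats of one context

    verdicts = {}
    for sid, runs in contexts.items():
        if len(runs) == 1:
            verdicts[sid] = "ok"
        elif len(set(runs)) < len(runs):
            # A context reappeared after a different one was seen.
            verdicts[sid] = "concurrent_use"
        else:
            verdicts[sid] = "context_change"
    return verdicts


def sessions_to_revoke(events):
    """Sessions whose cookie should be invalidated, forcing a fresh MFA login."""
    return sorted(sid for sid, verdict in classify_sessions(events).items()
                  if verdict == "concurrent_use")


if __name__ == "__main__":
    for sid, verdict in sorted(classify_sessions(SAMPLE_EVENTS).items()):
        print(sid, verdict)
```

A single context change is reported but not revoked here because a user moving between networks produces the same pattern; only interleaved use is treated as evidence that a second client holds the cookie.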

Still in effect

Nachmany warned that users should be concerned about the effectiveness of MFA that uses text messaging or application tokens. “PhaaS is designed to use them, and this is a trend that will grow in our market,” he said.

“The use of certificates as an additional factor is what I expect to see an increase in use soon,” he said.

While users should be careful when using an MFA, it is still an effective mitigation against phishing, said Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.

“It increases the difficulty of leveraging compromised credentials to disband an organization, but it is not foolproof,” he said. “If a link leads the user to a counterfeit replica of a legitimate site—which is nearly impossible to identify as not legitimate—the user may be the victim of an adversary-in-the-middle attack, such as the one used by EvilProxy.”