A helpful citizen who returns a stash of cash in the trash may receive a reward, but they don’t get to keep the loot. However, the story would be different if that same citizen found a digital treasure.
Many fictional bank heists have been set in Las Vegas, but the city also hosts the Black Hat security conference. There, Dylan Ayrey (CEO of Truffle Security) and Whitney Merrill (data protection officer and lead privacy counsel for Asana) shared stories about personal data gone wrong and ways to prevent future exposure.
The researchers concentrated solely on bug bounty programs. Several governments worldwide, in addition to the United States, have authorised such programs. In one variant, a large firm such as Microsoft establishes rules allowing qualified researchers to break into its products and services. By finding and reporting security vulnerabilities, white-hat hackers help companies fix them before they can be exploited.
“Bug Bounty programs say—do not tamper with data from other users,” Ayrey explained. “Test with your account to avoid involving other users. Common language like this is present in many programs, so we’re good for this talk about data privacy in bug bounty systems! We’ve advised our hackers not to touch any sensitive data.”
To much amusement, he showed a slide with the word “Crap” on it. “Whitney, I think I may have seen some private information. What can I do to fix the situation? Am I in any legal trouble?”
The pair framed their talk as a scripted conversation that any hacker might have with a legal-minded friend. Ayrey’s script, designed to stop and document anyone who handled his data unsafely, was triggered by an administrator who accessed many accounts insecurely. Although he reported the access to the program, they never asked him to delete what he had obtained. Deletion would in any case be complicated, because the data was scattered across a third-party scripting system, a copy on an AWS server, the copy in Gmail, his hard drive, his Time Machine backups and the bug-tracking system, to name a few places.
They explained that the company closed the ticket associated with the bug but didn’t delete any data. Ayrey discovered that he could still access all the personal information he had included in the closed ticket. He didn’t need any special software to do this; he did it from his own computer. With the same old plug-in, he could search for a ticket and determine who opened it, when they opened it, how many people had viewed it, where they were from and which service centre they came through. He also retained access to all the personal data from his closed tickets. Other bug hunters had similar experiences.
“In the case of Google, an employee was working on tens of thousands of records with a one-time tool,” said Ayrey. “Because of insecure rendering, the data goes to me. I wasn’t asked to remove it; I kept access, and they gave me no notice. That was the story until a few days ago. However, after Google saw an early draft of my presentation, they’ve altered their procedures internally after two years to guarantee that data are deleted.”
“The lesson here is that these are not isolated incidents,” said Ayrey. “These occurrences are all too common.”
If you’re reading this, chances are you don’t hunt bugs for a living. It’s reassuring that the tech industry is starting to take privacy seriously, but these are just a few examples of how easily personal data can be mishandled. To protect yourself, know what companies are doing with your data, what rights you have to control it, and how companies can inadvertently expose it. By staying informed and taking steps to protect your data, you can help keep your information safe.