Just last week I wrote about medical information being more sought by hackers than even credit card information. Now there’s even more information supporting the need for consumers to be even more vigilant in using wearable fitness applications.
Why? Because it turns out that some wearable fitness apps do not have the kind of privacy and security features needed to protect the wearer’s personal information. Mathew J. Schwartz reported on a recent study by Candid Wueest, a Symantec security researcher (www.healthcareinfosecurity.com; “Do Wearable Devices Spill Secrets? Sizing up the Privacy Risks of Fitness-Tracking Apps”; October 17, 2014).
Mr. Wueest studied the top 100 most popular fitness-tracking applications on both the Apple Store and Google Play. He found that the information transmitted by the applications often included the wearer’s name, email address, password, date of birth and target weight as well as their Facebook and Google access tokens.
What else did Mr. Wueest unearth? As Mr. Schwartz wrote, Mr. Wueest’s research and analysis found that:
- Each application shares personal data with — on average — five sites, including application-related analytics sites, advertising networks, social media sites and marketing networks;
- 20% of the applications Mr. Wueest studied were transmitting login credentials in clear text; this means that the information could be intercepted by anyone connected to the same public WiFi hotspot, for example, as one of the devices or if someone planted a Bluetooth “sniffer” within range of one of the devices;
- Some of the applications encrypted the credentials, but failed to encrypt the personal data being transmitted; and
- Many of the application makers and device manufacturers failed to secure the personal information being stored on their sites.
Again, I’m not suggesting that consumers abandon fitness regimes and fitness-tracking devices. What I am emphasizing is the critical need to learn as much as possible about the data security and privacy practices of the manufacturers of wearable devices.
More and more medical and health information is being collected electronically. People are using fitness apps, for example, to watch their calorie intake and gauge their level of physical activity. Those are certainly good and admirable goals.
But what many people don’t realize are the serious security issues raised by using these kinds of medical and health apps. Health data is increasingly held by technology companies, not by health and medical professionals and entities such as doctors and hospitals, as Brian Fung noted in a recent Washington Post article. He gave the example of Apple’s HealthKit, which collects and centralizes health information across apps (www.washingtonpost.com; “Facebook may be eyeing your health data. Should you trust it?”; October 3rd). Moreover, the privacy and security requirements that apply under the Health Insurance Portability and Accountability Act to medical and health professionals, hospitals and associated records do not cover these types of fitness and health apps.
What is particularly powerful are two statistics in Mr. Fung’s article. First, he writes that “[t]here’s also a lot of money floating around the healthcare industry — an estimated $3 trillion worth ….” Second, he noted that “[h]ealth records are so valuable, security experts say, that hackers will pay up to 20 times more for a person’s medical record on the black market than for a stolen credit card number.”
Those are staggering numbers and only underscore that individuals need to protect their health and medical information. Moreover, individuals need to think carefully before using a fitness or medical or health app. I’m not suggesting that individuals shouldn’t use them. But individuals need to dig in and learn how the information that’s being collected will be stored; how it will be protected; and whether the company whose product they’re using is going to sell or share any of the collected data with a third party.
Individuals need to be pro-active so they don’t unwittingly help hackers make money off of some of their most sensitive personal information.
National Cybersecurity Awareness Month kicks off today. Consumers will be able to read numerous articles and announcements providing helpful guidance and information.
I want to start with “tip #1”, which is practical and useful throughout the year. Protecting one’s privacy starts with the basics, and that means using a strong password. It often seems more complicated than it needs to be. I found an article today by Paul Ducklin with an accompanying video that helps explain what a proper and strong password is; the steps for creating one; and reminders about why doing so is very important.
You can find Mr. Ducklin’s article and the video at: nakedsecuritysophos.com. His article is titled “How to pick a proper password [VIDEO]” and is well worth the time.
October is the month during which cybersecurity is highlighted but these practices are ones consumers need to follow year round.
On September 9th, Timothy D. Cook, Apple’s chief executive, unveiled two new Apple products — products that mean Apple could become a collector of consumers’ personal health and financial information. And that means Apple will need to protect the personal information it holds — and that’s where the privacy concerns arise.
As Brian X. Chen and Steve Lohr reported in the New York Times, these products include a health-monitoring smartwatch and Apple Pay; the latter is a new payment service consumers will be able to use to buy items wirelessly on some Apple devices (www.nytimes.com; “With Apple Pay and Smartwatch, a Privacy Challenge”; online September 11th).
The new Apple smart watch will be available sometime in 2015 and will have health-monitoring capabilities for consumers, such as tracking heart rate and other information. Apple Pay will be available sometime in October.
What are the privacy concerns? First, consumers using Apple Pay will be providing valuable financial information such as credit and debit card numbers. As Mr. Chen and Mr. Lohr note, that’s the kind of information that hackers want to get. With the Apple smart watch, the health information that consumers will enter is not covered by regulations so there are no current controls for the ways in which that information is secured and/or used. As Mr. Chen and Mr. Lohr wrote, regulators are becoming more interested in the range of health monitoring devices out on the market and are starting to raise issues about the need to protect this type of health information and make sure it stays private.
In announcing these new products, Apple said Apple Pay will not be storing any payment information on Apple devices or servers. It said it will only be serving as a conduit between merchants and banks. As for the new smart watch, Apple has updated its guidance to app developers. The guidance now states that developers of health apps who are working with HealthKit, the new set of tools for tracking fitness and health statistics, can’t use the personal health data gathered for advertising or data-mining purposes — with the exceptions of using it to help manage some individuals’ health and fitness or for medical research.
Those exceptions are ones that could, however, be read very broadly. It remains to be seen if Apple really enforces these privacy protections and whether consumers can really count on Apple to provide the kind of protection needed for these types of personal and sensitive information.
Facebook users will want to know about, and use, the latest privacy control that’s just been announced and will start rolling out soon. This is a blue dinosaur that will pop up on users’ computer screens. The tool will help users review their current Facebook privacy settings and, if desired, make any updates or changes to those settings. It is a helpful way for Facebook users to be even more privacy pro-active.
Graham Cluley has done an article about this latest feature that includes screen shots of the blue dinosaur (email@example.com; “Facebook’s privacy dinosaur will check your settings for you”; September 6th). The screen shots show users the option either of using the feature or not; if selected, the review should take only about one to two minutes.
Mr. Cluley urges Facebook users to select the “Let’s Do It!” option, since the relatively easy process allows Facebook users to be doubly sure that they are sharing their information with the people with whom they want to. As he notes, it will be easy for Facebook users to review both the people with whom they’re sharing information and any third-party Facebook apps to which the user is connected. These reviews will allow Facebook users to confirm and/or refine these settings.
Using the new blue dinosaur is a way for Facebook users to augment their privacy. But, as Mr. Cluley notes, Facebook users shouldn’t use the “Privacy Checkup” instead of, or as a substitute for, routinely doing their own checks and reviews of their Facebook privacy settings.
There’s been widespread coverage over the past few days of the photos of actresses and other famous women that have been hacked and posted online. These individuals used the cloud to store what they thought would remain private photos. What they learned was that their presumption was sadly wrong.
They are not alone, either in storing photos in the cloud or in thinking that the photos would be safe there. Many people are using the cloud to store all sorts of personal information, much, if not all, of which they’d like to think will be kept private and protected.
As Arik Hesseldahl reports in his recent article, Apple is investigating how the iCloud accounts of these celebrities were hacked (recode.net; “Apple Says It Is “Actively Investigating” Celeb Photo Hack”; September 1). The tip he includes comes from Darien Kindlund, Director of Threat Research at FireEye, and is one that everyone should try and use.
What’s this tip? Turn on and use the two-factor authentication option on iCloud accounts. Mr. Kindlund is quoted in Mr. Hesseldahl’s article as noting that Apple calls its version of this enhanced security “two-step verification” and that it’s not easy to learn about — Mr. Kindlund said it takes sorting through a number of support articles to learn about this Apple iCloud feature.
Two-factor authentication is usually a combination of a randomly generated numerical code coupled with the consumer’s regular password. The numerical code, per Mr. Kindlund, is sent to the consumer’s phone or another device. Since that code changes all the time, it makes it harder (although not impossible, of course) for hackers to get into accounts even if they’ve got the consumer’s password. The not-so-good news, per Mr. Kindlund, is that Apple permits someone an unlimited number of password guesses.
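The mechanism Mr. Kindlund describes, in an added Python example that is not from the article or from Apple: the server issues a random six-digit code, sends it to the phone out of band, and accepts it only once and only for a short window; unlike the unlimited password guesses noted above, it also locks the code after a few wrong attempts. The five-minute lifetime and five-attempt limit are assumed policy values, not Apple’s.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is good for five minutes
MAX_ATTEMPTS = 5        # assumed policy: lock the code after five wrong guesses
CODE_SPACE = 10 ** 6    # six decimal digits


class SecondFactorRecord:
    """What the server keeps for one issued code: a hash of it, not the code."""

    def __init__(self, code, now):
        self._digest = hashlib.sha256(code.encode()).digest()
        self.expires_at = now + CODE_TTL_SECONDS
        self.attempts = 0
        self.locked = False  # set once used or once the guess budget is spent

    def verify(self, guess, now=None):
        """Return True only for the right code, first time, before expiry."""
        now = time.time() if now is None else now
        if self.locked or now > self.expires_at:
            return False
        self.attempts += 1
        # constant-time comparison so timing does not leak which digits matched
        ok = hmac.compare_digest(
            hashlib.sha256(guess.encode()).digest(), self._digest)
        if ok:
            self.locked = True  # one-time: the same code cannot be replayed
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True  # guess budget exhausted; user must request a new code
        return False


def issue_code(now=None):
    """Create a fresh code. Returns (record kept by server, code sent to phone)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(CODE_SPACE):06d}"  # CSPRNG, zero-padded
    return SecondFactorRecord(code, now), code


def guess_success_probability():
    """Chance a guesser with no knowledge of the code wins within the budget."""
    return MAX_ATTEMPTS / CODE_SPACE  # 5e-06 with the assumed values above


if __name__ == "__main__":
    record, code = issue_code()
    print("code sent to phone:", code)            # in practice, sent via SMS or push
    print("wrong guess accepted?", record.verify("000000" if code != "000000" else "000001"))
    print("right code accepted?", record.verify(code))
    print("replay accepted?", record.verify(code))
```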
While nothing is foolproof, consumers who regularly store photos and other information in the cloud should enable two-factor authentication, or the Apple two-step verification, for additional protection.
I wrote last week about the stunning password and user name theft that Hold Security had unearthed (“Cautionary Note About Hold Security”; August 12). In that blog, I mentioned Graham Cluley’s important discovery about the fee that Hold Security would charge consumers who wanted to find out if any of their passwords and user names had been breached. Mr. Cluley mentioned several password management services about which I said I’d be writing more.
I looked at the sites for several password management services. I’m not recommending any of them but these are services about which consumers should be aware. The password manager services allow consumers to store all of their passwords, along with other confidential information, into one secure site. Hayley Tsukayama wrote a very helpful article about password management, including a good summary of several of the services along with the pros and cons (www.washingtonpost.com, “How to keep track of your passwords without going insane”; August 7).
She reviewed two of the three services I had mentioned, LastPass and 1Password. She also included Dashlane. I also mentioned KeePass, which has similar features to the others but is a completely free and open source password manager. I mention that because, as Ms. Tsukayama wrote, the other services are free unless a consumer wants to sync his passwords across multiple devices, such as between a smart phone and a computer.
For that kind of premium service, there are different fees charged by the services:
- LastPass charges $12.00 a year;
- 1Password charges a one time fee of $50.00 for Mac and Windows, $18.00 for iOS and $10.00 for a full version of the app on Android; and
- Dashlane charges $30.00 a year.
All the services operate along the same lines. They are online storage lockers that retain all of a consumer’s passwords in encrypted databases. The passwords are locked behind a single master password that only the consumer knows. That’s the good news. But as Ms. Tsukayama notes, that also means the consumer has to remember that master password because it can’t be retrieved from anywhere else. The services can also store secure notes, credit card information as well as other information that a consumer has to fill in on various websites. Another attractive feature of these services is their ability to generate random passwords for accounts that are strong and are remembered in their various lockers or vaults. That way, a consumer can access these passwords while browsing the web by clicking onto a button on his browser and choosing the account for which he needs to fill in information.
Are there downsides to these services? Consumers are relying on the security of the various password manager services when using them. KeePass notes on its website that, in addition to being free and open source, its encrypted database is not stored in the cloud but strictly locally.
As I said, I’m not endorsing any particular service but I am strongly encouraging consumers to think about the ways in which they are storing their passwords.
There’s been a rush of articles suggesting what consumers can and should do to protect themselves following the news about the Russian hackers. The fact that over a billion usernames and passwords have been stolen has meant that some consumers are overwhelmed given the magnitude of the theft.
Graham Cluley wrote an article explaining his initial hesitation about writing about Hold Security’s discovery or commenting on it when contacted by the news media (grahamcluley.com; “Security firm that revealed ‘billion password’ breach demands $120 before it will say if you’re a victim”; August 7). As he explained, his reservation stemmed from the paucity of information in Hold Security’s initial official statement. So Mr. Cluley dug in more and found that Hold Security wants consumers’ email addresses and $120 per year for its new breach notification service. Consumers whose email addresses are found are then asked for an encrypted version of all of their passwords so they can be compared against Hold Security’s database.
There are obvious problems with this approach. Instead, Mr. Cluley highlights Troy Hunt’s free service that checks breach information in its database. I went to the site which is: haveibeenpwned.com and learned that my email address had been found in one of the breaches loaded into the system. It was the Forbes.com breach about which I already knew. I signed up for Mr. Hunt’s free service to get alerts if my email shows up in other breaches.
Password management is becoming more pressing and complex for consumers. Thanks to Mr. Cluley’s investigation, I’ll take a pass on Hold Security’s fee-based breach notification system.
Mr. Cluley mentions LastPass, 1Password and KeePass as password management services that consumers should consider. I’ll be looking at those and will write about them in future posts.
A breach of mind-boggling magnitude has been unearthed by Hold Security, a Milwaukee firm that specializes in identifying major online security breaches. Nicole Perlroth and David Gelles broke the story yesterday about Hold Security’s latest discovery (www.nytimes.com; “Russian Gang Amasses Over a Billion Internet Passwords”; August 5). Other media are now reporting on this story, citing the New York Times article.
No, you’re not misreading the headline of their story — over 1.2 billion unique combinations of user names and passwords were stolen by Russian hackers. In their story, Ms. Perlroth and Mr. Gelles report that Hold Security found that the Russian gang had also stolen over 500 million email addresses. Per their report, the New York Times hired an independent security expert to analyze the database that Hold Security had. That expert confirmed the authenticity of the database and the magnitude of the data that has been stolen.
Which companies and websites have been victimized? Hold Security is not disclosing the names of victims because of “non-disclosure agreements” and the company’s reluctance to name companies whose websites could still be vulnerable. Ms. Perlroth and Mr. Gelles wrote that it appears the Russian criminals haven’t been selling many of the records online yet but, instead, appear to be sending spam out on social networks for fees paid by other groups.
So what protective steps can individuals take? It’s hard to know exactly what to do when faced with a breach of this astounding magnitude. Some of the most immediate steps are ones that are sound guidance regardless of the scope of a breach. These include diligently examining financial statements for any suspicious charges or withdrawals; changing passwords as a pro-active step; and not using the same password and user name for multiple sites.