Apps on your smartphone could be talking to teach other and breaching your privacy: Study

Do you use smartphone apps to organise lunch dates, make convenient online purchases or communicate the most intimate details of your existence? Beware, these apps may be secretly talking to each other and potentially breaching your security, researchers warn.

A study showed that applications on the android phones are able to talk to one another and trade information. The biggest security risks were some of the least utilitarian — apps that pertained to personalisation of ringtones, widgets, and emojis, the researchers said. “Researchers were aware that apps may talk to one another in some way, shape, or form,” said Gang Wang, assistant professor at Virginia Polytechnic Institute and State University, US.

But “this study shows undeniably with real-world evidence over and over again is that app behaviour, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone”, Wang added. The types of threats fall into two major categories, either a malware app that is specifically designed to launch a cyber-attack or apps that simply allow for collusion and privilege escalation.

In the latter category, it is not possible to quantify the intention of the developer, so collusion, while still a security breach, can in many cases be unintentional, the researchers said. The findings were presented at the Association for Computing Machinery Asia Computer and Communications Security Conference in Dubai.

The team examined a whopping 110,150 apps over three years including 100,206 of Google Play’s most popular apps and 9,994 malware apps from Virus Share a private collection of malware app samples. “Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorised apps to gain access to privileged data,” commented Daphne Yao, associate professor at Virginia Tech.

“We hope this study will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end,” Wang added.

Publish date: April 4, 2017 10:47 am| Modified date: April 4, 2017 10:47 am

US Securities and Exchange Commission may make Yahoo the test case of data breach disclosure rules

#YAHOO

 

 01 Oct 2016 , 11:01

Yahoo’s disclosure that hackers stole user data from at least 500 million accounts in 2014 has highlighted shortcomings in U.S. rules on when cyber attacks must be revealed and their enforcement. Democratic Senator Mark Warner this week asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives properly disclosed the attack, which Yahoo blamed on Sept. 22 on a “state-sponsored actor.”

The Yahoo hack could become a test case of the SEC’s guidelines, said Jacob Olcott, former Senate Commerce Committee counsel who helped develop them, due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo’s discovery. Yahoo has not specifically addressed when it learned of the 2014 attack. And the vagueness of SEC’s 2011 rules on disclosure and its failure to enforce them are drawing equal attention, privacy lawyers and cyber security experts said.

The agency has “been looking for the right case to bring forward,” said Olcott. The agency in 2011 told publicly traded companies to report hacking incidents that could have a “material adverse effect on the business” but did not define that. SEC has never acted against a company for failing to disclose a cyber security incident or threat, and it has brought just two enforcement actions against companies for insufficient data protection, an agency spokesman said. Lawyers said this reflected difficulty in determining if breaches were material and many companies’ belief that reporting on cyber threats generally satisfies the disclosure requirement.

Yahoo has not offered a precise timeline about when it was made aware of the breach. On Sept. 9, it said in an SEC filing it did not know of “any incidents of, or third party claims alleging … unauthorized access” of customers’ personal data that could have a material adverse effect on Verizon Communication Inc’s planned $4.8 billion acquisition of Yahoo’s core business. Since then, Yahoo has not clarified if it knew of the attack before that SEC filing. “Our investigation into this matter is ongoing and the issues are complex,” a Yahoo spokesman said last week.

In his letter, Warner asked the SEC to evaluate whether the current disclosure regime was adequate. He cited reports that fewer than 100 of 9,000 public companies disclosed a material data breach since 2010. “I don’t know that we need new rules. But in certain situations, you may need more aggressive enforcement,” said Roberta Karmel, a Brooklyn Law School professor. The SEC in 2014 examined whether cyber disclosure rules needed to be strengthened and imposed new requirements for broker-dealers and investment advisers but not public companies.

‘Punish the victim’

Some policymakers worry rules compelling prompt disclosure of cyber attacks could deter companies from cooperating with authorities.“We cannot blame executives for worrying that what starts today as an honest conversation about a cyber attack could end tomorrow in a ‘punish the victim’ regulatory enforcement action,” Commerce Secretary Penny Pritzker said this week. Congress last year expanded liability protections for companies that share cyber information with the government, and Pritzker urged granting companies temporary immunity during the response to a hack.

Amid SEC inaction, the Federal Trade Commission has brought 60 successful data security cases since 2001 in part, lawyers said, because its authority is clearer than the SEC’s. Those cases have dealt with deceptive statements by companies and security lapses. The FTC is hampered by the lack of a national requirement for companies to notify the public about data breaches. That idea got widespread support after the 2013 hacking of shoppers’ credit card information from Target Corp. But legislation proposed by President Barack Obama in 2015 fizzled.

Reuters