S6, E245 - Hard-coded Secrets and Unencrypted Data: A Digital Security Nightmare

Send us a textSeveral popular Chrome extensions, including privacy and security tools, have been found leaking sensitive data through unencrypted HTTP and hard-coded credentials in their code. Security is both hard and easy - hard because of existing unencrypted protocols and trust placed in developers, but easy because fundamental security practices should be common knowledge in 2025.• Chrome extensions including DualSafe Password Manager and Avast Online Security are leaking sensitive user data• HTTP vs HTTPS - the 'S' stands for security and encrypts data transmission over the internet• HTTPS Only extension from EFF forces secure connections when browsing• Hard-coded credentials in extensions create permanent security vulnerabilities• Developers sometimes collect excessive data "just in case" rather than minimizing collection• OWASP (Open Web Application Security Project) provides essential resources for developers• Technology abstraction makes users less aware of security fundamentals• The newly restarted OWASP Nomad chapter offers virtual community for application securityCheck out our GitHub repository of privacy resources at "Awesome Privacy Engineering Tools" for more information on implementing better privacy practices in development. Support the show

Send us a textWe explore the recent LexisNexus data breach that exposed sensitive personal information of over 364,000 individuals through a third-party platform accessing their GitHub account. This incident highlights critical vulnerabilities in how data brokers handle our most sensitive information and raises questions about regulatory oversight.• Data exposed included names, date of birth, phone numbers, social security numbers, and driver's license numbers• The breach occurred when someone accessed the company's GitHub account through a third-party platform• Attackers likely found hard-coded credentials that allowed them to move laterally through systems • Data brokers operate with minimal regulation despite handling massive amounts of sensitive information• Better governance policies and automated privacy operations could significantly reduce these risks• Both technical solutions and regulatory approaches are needed to protect consumer dataBreach Occurred: December 25, 2024.Discovery: April 1, 2025.Public Notification: May 27, 2025.Notice Letters Sent: May 24, 2025.Shameless plus: Check out tools like Transcend's autonomous privacy operations to help prevent similar incidents and continue to monitor your privacy activities. Support the show

Send us a textGabe and Cameron dive into the unseen dangers of AI systems, exploring how inherent biases shape our perception and how prompt injection attacks pose serious security threats.• Generative AI models contain built-in biases based on their training data, favoring Western and particularly North American perspectives• A recent study shows ChatGPT-4 with personalization is more persuasive than humans 64.4% of the time• Most users accept AI outputs without questioning the underlying biases• Prompt injection allows hackers to insert malicious instructions into AI systems that can lead to data leaks and security breaches• Security professionals don't yet understand the full scope of AI vulnerabilities• Google's new video generation technology makes it impossible to distinguish between real and AI-created content• Despite digital concerns, it's important to appreciate real-world experiences like enjoying ice cream on a hot summer day Support the show

Send us a textProPublica's investigation reveals the National Shooting Sports Foundation has been secretly sharing gun buyers' personal information, including underwear sizes, for political purposes. This privacy breach raises serious concerns about data exploitation even in industries that publicly position themselves as defenders of individual rights.• Gun owners group demands federal investigation into firearms industry data sharing• Personal data shared included underwear sizes and was allegedly used for political targeting• NSSF collaborated with Cambridge Analytica to enhance voter data• Privacy concerns should transcend political divides - "Privacy is an everybody problem"• The gun industry publicly defends rights while quietly engaging in data exploitation• Senator Richard Blumenthal supports investigation into these practicesIf you're a privacy professional or legal expert with insights on this issue, we'd love to have you on the show to discuss this further and answer some of the questions we've raised today. Support the show

Send us a textPrivacy Please News, for hitting big topics quickly with a hint of sarcasm to bring some joy and knowledge. This week, we hit on the latest privacy events in tech with a satirical perspective on how your data is being shared, sold, and exploited. From Google's dramatic stance on sharing search data to state-sponsored hackers dominating zero-day exploits, this episode highlights the absurdity of our current digital privacy landscape.• Google CEO Sundar Pichai compares sharing search data to "ripping out the company's brain"• WhatsApp's new AI feature sends "private" messages to cloud servers despite Meta's safety claims• Gun rights group outraged after gun industry shared customer data, including underwear sizes, for political campaigns• OpenAI's Sam Altman promotes eyeball scanning for WorldC, dismissing privacy concerns as regulatory lag• State-sponsored hackers from China and North Korea are leading the zero-day vulnerability exploitation game Support the show

Send us a textCameron and Gabe return after a brief hiatus to explore major developments in security, privacy, and resilience. They dive into insights from the IAPP conference and VeeamOn, examining how AI governance and outdated privacy tools are reshaping the industry landscape.• AI governance frameworks dominated IAPP discussions with companies "building the plane as they're flying"• Verizon's Data Breach Report debunks overblown AI security fears, showing real risks are data leakage and poor access controls• Growing frustration with outdated privacy management tools is driving demand for better solutions• Security posture isn't about using recognized brands but about architecture without dangerous gaps• Sam Altman's virtual appearance at IAPP disappointed attendees expecting an in-person keynoteStay tuned for our bonus episode covering even more developments from this busy week in privacy and security! Support the show

Send us a textPrivacy threats continue to escalate as human error undermines even the most secure systems, from military officials accidentally exposing classified information to Russian hackers targeting encrypted messaging apps.• Signal security breach occurred when defense officials accidentally added a reporter to their encrypted group chat discussing sensitive military operations• Russian-linked attackers targeting Signal users through QR code vulnerabilities, tricking users into linking their secure accounts to attacker-controlled instances• QR codes present broader security concerns as users can't verify where they lead before scanning them• Attackers can place malicious QR codes over legitimate ones in public spaces like restaurants and airports• 23andMe's bankruptcy raises critical questions about the fate of genetic data from 15 million users• When companies holding sensitive personal information go bankrupt, data ownership and protection becomes uncertain• Human error remains the primary vulnerability in most privacy and security systems• Always consider the long-term implications when sharing personal information with any serviceRemember to think beyond the present when sharing your data – consider what might happen to that information in 10, 20, or even 30 years from now. Support the show

Send us a textPrivacy threats are intensifying across multiple fronts, from genetic data vulnerabilities at 23andMe to corporate violations and messaging app security concerns. Cameron Ivey breaks down three urgent privacy issues and provides practical guidance on protecting your digital footprint in an increasingly vulnerable online landscape.• 23andMe users should consider deleting their genetic data immediately due to bankruptcy proceedings that could compromise privacy protections• Law professor Craig Conneth warns that terms of service could change during bankruptcy, with inadequate federal regulations to protect consumers• Honda fined $632,500 by California Privacy Protection Agency for creating unnecessarily complicated opt-out processes• Companies must reform data request procedures and stop creating "mazes of chaos" that trick consumers• Signal messaging app, despite its encryption features, has raised NSA security concerns after being used by senior US officials• No messaging platform is completely secure for highly sensitive information• Stay informed about your rights under privacy legislation like the CCPA• Be mindful about what personal information you share digitally, even on supposedly secure platformsIf you have expertise in these privacy issues and would like to join a deeper discussion on the show, contact Cameron for a potential guest appearance. Support the show

Send us a textWe explore how uncertainty and chaos create both vulnerabilities and opportunities in privacy and security. Amid global turmoil, cybersecurity professionals must adopt a bias toward action to counter increased threats that thrive in chaotic environments.• Chaos serves as a smoke screen for malicious actors, just as DOS attacks once distracted from network intrusions• Recent Ghost ransomware attack affected 70 countries but received less attention due to global uncertainty• Security resource contraction combined with increased noise creates fertile ground for more breaches• AI may cause job losses primarily in roles created to support the initial AI boom• States are tightening data breach reporting requirements with class action lawsuits doubling or tripling since 2022• Some states introducing "safe harbor" laws to shield businesses that implement strict cybersecurity standards• Elon's Department of Government Efficiency (DOGE) faces 11 lawsuits for allegedly violating Privacy Act of 1974 Support the show

Send us a textToday's episode dives into the intersection of AI behavior and digital security concerns. We discuss a startling incident involving a malfunctioning AI robot and explore a new ransomware threat known as Ghost. • Overview of an AI robot incident that raised ethical concerns • Examination of Asimov's Laws of Robotics and their relevance • Introduction to Ghost ransomware and its impact on multiple industries • Discussion on backup security strategies and resilience against ransomware • Insights into the evolving tactics of ransomware attacks, including Ghost's methods • Encouragement for businesses to prioritize future-proofing their data security We encourage listeners to reach out with questions or further discussion on data backups and data security measures. Support the show