Your Guide to Secure Software Development Practices, Products & Projects
Credit: Atif Arshad, The Noun Project
March 27, 2018
Some of us might remember a time when we hid out at our friends’ houses or the local pizzeria where we could get a slice and a Coke and sit around for hours before our parents wondered where we were.
Today, thanks to iPhones, Androids, Samsung Galaxies and other mobile devices, laptops, social media applications and wireless technologies everyone knows where we are. Privacy is non-existent. Or is it?
In this BugHeist Beacon edition we share some initiatives that people and organizations have created to bring privacy back.
Sean & Tara
Exercise Your Right to Be Forgotten on the Internet
On May 25, 2018, the European Union will begin enforcing its General Data Protection Regulation (GDPR). Under this new regulation “all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location” will need to protect EU citizens from privacy and data breaches.
If companies fail to protect individuals’ information, including names, photos, email addresses, social networking posts, medical information and IP addresses, they could get fined millions of euros.
How can individuals in the United States protect their online privacy in an environment where U.S. citizens don’t have anything comparable to GDPR yet?
Sean started working on a tool called Deeleet. An open-source project, Deeleet will help individuals monitor and delete their images, names, home addresses and other data from online public records, Facebook, Twitter, Instagram, SnapChat, LinkedIn and other social media accounts, as well as Crunchbase, the Dark Web and other websites.
MIT graduate student Frank Wang, MIT associate professor Nickolai Zeldovich and Harvard University associate professor James Mickens presented Veil, a private browser, at MIT’s Network and Distributed Systems Symposium this past February.
The Veil browser will encrypt data that gets downloaded into a user’s computer, laptop or mobile device’s memory until he or she reads it on his/her screen.
Instead of going to an identifiable web server, a Veil user will go to the Veil website where he/she will type in his/her URL request that gets encrypted and sent to “blinding” or anonymous servers. These servers will overwrite the content, encrypt it and send it back to the user’s device, which will decrypt it.
They will also take a photo of the requested website and send it back to the user. This webpage screenshot will decrease the risk of Veil sending the user malicious code that could steal data from his/her device.
Tara installed Privacy Badger on her laptop after an OWASP NYC chapter meeting attendee told her about it. Created by the Electronic Frontier Foundation (EFF), this browser extension blocks advertising and other trackers and certain cookies.
Another Electronic Frontier Foundation project called Panopticlick tests users’ browsers to see how well they protect them from “non-consensual Web Tracking.” This add-on also shows users details about their browsers’ fingerprints, which includes their HTML 5 canvas fingerprint hash, browser plug-in details, language their device uses to process data and their device’s screen size and color depth.
Go Dox Yourself
If you have ever been hacked or been assaulted by phone calls for four hours from phony healthcare representatives (like Tara), you might have wondered where these individuals got information about you and your life in order to execute their scam.
The Tactical Technology Collective, a non-profit dedicated to raising awareness about privacy, providing tools for digital security and mobilizing people to turn information into action, shares a number of online tools you can use to uncover what other people dig up on you.
The organization’s Gender and Tech wiki features socialmention.com. Search images and content that include your name or other people you are interested in tracking online through a keyword search. TinEye is another search engine that shows you where your images appear online after you type in an image’s URL or upload it to the site. Key in your email address, first or last name or username on Lullar to discover the online locations that include this data.
To learn more about how you can protect your online identity, read the 8-Day Data Detox, a 2017 initiative developed by Tactical Tech and the Mozilla Foundation.
Get a 10 percent discount off your HACKNYC General Admission ticket by using the BugHeist Beacon’s code: BUGHNYC.
OWASP to Recruit Student Software Programmers at Google’s Summer of Code
OWASP will join more than 100 companies to mentor student developers who will contribute their skills to open-source projects during the 2018 Google Summer of Code.
Student programmers whose project submissions get accepted by OWASP and other open-source organizations (these projects will be announced on April 23, 2018) will get paired with mentors who will immerse them in the software development process and evaluate their projects through August 22, 2018.
Sponsor a BugHeist Bug Hunt to Find the Flaws that Expose Your Data!
BugHeist is sponsoring a $25 leaderboard prize for anyone who reports the most bugs on any website or app. Or simply report one bug!
Contact Sean at [email protected] for more details on how to organize a Bug Hunt or become a bug hunter.