Have you ever wondered which companies you trust are stealing from you? Probably not. When we purchase something new, in most cases there is an unspoken understanding about the transaction. For example, if it is food, you can read what is in it and purchase it. If you don’t end up liking the taste, it probably won’t kill you. If we buy a car, it is assumed that it will meet all safety standards. If we purchase a widget of some sort for a specific purpose, it will do what it advertises, else we will return it for a refund. When it comes to software, the rules are generally the same; however, there seems to be an emerging twist in the market: data theft.

When we install software on our computers and mobile devices, most of us believe that the evaluation or free version will try to entice us to purchase the full version with additional features. This is how they make money. However, most of us never thought to question what the software vendor might also be taking from our devices that we wouldn’t want to share. We decided to investigate a couple of vendors and the result for some of us is a bit chilling.

Specifically, we looked at Plantronics, Inc., McAfee (now part of Intel Security), and Microsoft Corporation. We discovered that in one or more of these companies’ products, the company was retrieving information from the user, either with or without their consent, and doing so in a way that many would consider an atypical means of communication. For example, Microsoft encrypted the data being transferred but sent it over HTTP (port 80), which is an unencrypted channel.

We have presented our findings in our latest document titled, “Companies that you trust are stealing from you.” Our goal is to make the public aware of some of the tactics that companies are using to “steal” the data from you.

You can download the full document by visiting: https://www.plixer.com/trusted-companies-stealing.html 

Let us know your thoughts @Plixer, and let us know of any other companies you’ve found that are taking your data.

 

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.
