This is the Shared Security Weekly Blaze for April 2, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for April 2nd 2018 with your host, Tom Eston.
In this week’s episode: Facebook’s Privacy Firestorm, the MyFitnessPal Data Breach and Ramifications of the CLOUD and FOSTA Bills
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Shout outs this week to @Yohun, @zroone, @StrongArmSecure, and @CamilleEsq on Twitter as well as @vanishedvpn and @newcybersource on Instagram and Lou, Shawn, Jun, and Andrew on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Since the news broke about Facebook and the Cambridge Analytica controversy the other week, there has been a firestorm of information about Facebook’s data harvesting practices, as well as new tools and guidance about Facebook’s privacy settings released in response to Facebook’s recent privacy challenges. For example, Mozilla, the creator of the Firefox web browser, released a new browser extension called “Facebook Container” which isolates your Facebook activity to Facebook.com, limiting the amount of tracking Facebook can do while you browse the rest of the web. Keep in mind that when using an extension like this, any sites you sign in to using Facebook will no longer work.
In other Facebook news, details also came out about Facebook collecting phone call metadata from Android phones that have the Facebook mobile app installed. This data included names, phone numbers and the length of each call made or received on the device. This access is granted during the installation of the Facebook app, which asks for permission to read contacts from the device. The reason Facebook does this is so your contact data can be used to find and match more Facebook friends for you. Apparently older versions of Android allowed access to call and message logs in addition to the contacts on your device. The issue has been fixed in newer versions of Android, but if you had the Facebook app installed before these updates were made, the Facebook app would still be able to access this data. It’s important to note that Apple iOS has never allowed apps to access call logs and other call data. So if you have an Apple iOS device, you’re safe…for now. Check out our show notes for instructions on how to remove these permissions if you have the Facebook app installed on your Android device.
Given all the news about Facebook recently, and where your data may have been collected, you may be thinking it’s time to re-evaluate your use of Facebook and to ponder the reasons why you may or may not want to continue using the social network. One tip we have to share is that you do have the ability to download all the data that Facebook has about you so you can see for yourself what information has been collected. See our show notes for details on how you can do this, but you may be surprised to see all the data that Facebook has collected about you, especially if you’ve been a long-time user of Facebook.
In other breaking news this past week, Under Armour announced that their app MyFitnessPal was breached sometime in February of this year. This breach affects 150 million user accounts, making it the second largest data breach of consumer data in U.S. history, right behind the infamous Yahoo data breach which happened in 2016. The information compromised included usernames, email addresses and hashed passwords. While details about how the breach happened have not been released, there are a few good things to mention. First, in the breach disclosure Under Armour mentioned that bcrypt was used as the hashing function for storing passwords. Bcrypt is a much more secure method of storing passwords, so depending on how it was implemented (in particular the work factor that was chosen), it will be very difficult for an attacker to find out users’ passwords. Second, Under Armour announced the breach very quickly, which is far different from other similar breaches we’ve seen like the Equifax breach last year.
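To make the bcrypt point concrete, here is an added example (written for this page, not code from the podcast or from Under Armour) of the check an analyst would run on a leaked password table: it parses each stored hash, reads the bcrypt cost out of the modular-crypt string, flags entries that are a fast unsalted digest or a low bcrypt work factor, and runs a small dictionary attack that only succeeds against the fast hashes. The sample dump and wordlist are constructed for illustration, and the cost-10 threshold is an assumption you should set for your own audit.

```python
import hashlib
import re

# Modular-crypt-format bcrypt string: $2a$/$2b$/$2y$, a two-digit cost,
# a 22-character salt and a 31-character digest, both in bcrypt's own
# base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Assumption: cost 10 is used here as the floor for an acceptable bcrypt
# work factor; choose your own threshold for a real audit.
MIN_BCRYPT_COST = 10


def classify_hash(stored: str) -> dict:
    """Identify the scheme behind one stored password hash.

    For bcrypt the cost is log2 of the number of expensive key-setup
    iterations, so every +1 doubles the attacker's work per guess.
    An entry is 'weak' if it is an unsalted fast digest or bcrypt below
    MIN_BCRYPT_COST.
    """
    m = BCRYPT_RE.match(stored)
    if m:
        version, cost, salt, _digest = m.groups()
        cost = int(cost)
        return {
            "scheme": "bcrypt",
            "version": version,
            "cost": cost,
            "salt": salt,
            "iterations": 2 ** cost,
            "weak": cost < MIN_BCRYPT_COST,
        }
    if HEX_RE.match(stored):
        # Raw hex of a fast digest: the length identifies the algorithm.
        by_len = {32: "md5", 40: "sha1", 64: "sha256"}
        scheme = by_len.get(len(stored), "unknown-hex")
        return {"scheme": scheme, "cost": None, "iterations": 1, "weak": True}
    return {"scheme": "unknown", "cost": None, "iterations": None, "weak": True}


def audit_dump(dump: dict) -> dict:
    """Summarise a {username: stored_hash} table: counts per scheme, the
    lowest bcrypt cost seen, and the users whose entries are weak."""
    summary = {"by_scheme": {}, "min_bcrypt_cost": None, "weak_users": []}
    for user, stored in dump.items():
        info = classify_hash(stored)
        scheme = info["scheme"]
        summary["by_scheme"][scheme] = summary["by_scheme"].get(scheme, 0) + 1
        if scheme == "bcrypt":
            c = info["cost"]
            if summary["min_bcrypt_cost"] is None or c < summary["min_bcrypt_cost"]:
                summary["min_bcrypt_cost"] = c
        if info["weak"]:
            summary["weak_users"].append(user)
    return summary


def crack_fast_hashes(dump: dict, wordlist: list) -> dict:
    """Dictionary attack against the unsalted fast-hash entries only.

    One digest per candidate word is compared against every user at once;
    that is why an unsalted MD5/SHA-1 dump falls almost instantly, and
    why the salted bcrypt entries (2**cost iterations each, one salt per
    user) are skipped here rather than attacked.
    """
    fast = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}
    targets = {}  # hex digest -> [(user, scheme), ...]
    for user, stored in dump.items():
        scheme = classify_hash(stored)["scheme"]
        if scheme in fast:
            targets.setdefault(stored, []).append((user, scheme))
    schemes_present = {scheme for entries in targets.values() for _, scheme in entries}
    recovered = {}
    for word in wordlist:
        for scheme in schemes_present:
            h = fast[scheme](word.encode()).hexdigest()
            for user, _ in targets.get(h, []):
                recovered[user] = word
    return recovered


# Constructed sample dump (not real MyFitnessPal data): two bcrypt entries
# with different cost factors and one raw SHA-1 of a dictionary word.
SAMPLE_DUMP = {
    "alice": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "bob": "$2a$05$abcdefghijklmnopqrstuvE5YPO9kmyuRGyh0XouQYb4YMJKpDv8W",
    "carol": hashlib.sha1(b"password").hexdigest(),
}
SAMPLE_WORDLIST = ["123456", "password", "qwerty"]

if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP))
    print(crack_fast_hashes(SAMPLE_DUMP, SAMPLE_WORDLIST))
```

On the sample data the audit reports two bcrypt entries and one SHA-1, a minimum bcrypt cost of 5, and flags bob (low cost) and carol (fast hash) as weak; the dictionary attack recovers only carol's password. A real bcrypt deployment is judged the same way: look at the cost prefix on the stored strings, not just the word "bcrypt" in the disclosure.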
So what should you do if you’re a user of the MyFitnessPal app? First, change your password by going to the MyFitnessPal website. Hopefully, you’ve taken our advice from previous podcast episodes and are not using that same password on other sites and apps. If you are, you’ll need to change those passwords as well. Second, be on the lookout for phishing emails related to the breach. Whenever emails, names and other personal details are exposed in a data breach like this one, there is always an increase in phishing emails. Be aware and always think before you click, or don’t click on anything in an email at all.
Two significant privacy related bills, the CLOUD Act, which was snuck in and attached to the recent $1.3 trillion government spending bill, and the combined SESTA and FOSTA bill (which is now called FOSTA), were both recently passed by Congress here in the United States. Because the CLOUD Act was attached to the spending bill, it was signed into law by President Trump. The FOSTA bill is also expected to be signed as well.
The CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data, allows foreign police to collect and wiretap people’s communications from US companies without obtaining a warrant. The Act also allows foreign nations to demand personal data stored in the U.S. without review by a judge, and allows U.S. police to grab any data, regardless of whether it belongs to a U.S. person or not and no matter where this data is stored. The bill would also allow the President to enter into what are called “executive agreements” with other governments to allow each government to access data stored in the other country without the need to follow each country’s privacy laws. The Electronic Frontier Foundation (EFF) says “This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.”
What does the CLOUD Act mean to you?
As you’re aware, we have laws in this country that protect us from warrantless searches of our property, and similar laws should apply to our digital lives as well. Many of us will use the argument that “I have nothing to hide,” so who cares if law enforcement gets my personal data. But as in many investigations by law enforcement, sometimes innocent people get caught up in the trove of data that is obtained and analyzed. This data could include your data as well. Privacy is also a fundamental human right. It’s the reason we have windows and curtains on our houses and private stalls in public bathrooms (well, most bathrooms anyway). There need to be proper checks and balances within our government to conduct lawful investigations, but also to uphold this fundamental right.
FOSTA, which was also passed, attempts to stop online sex trafficking. SESTA stands for the Stop Enabling Sex Traffickers Act and FOSTA stands for the Fight Online Sex Trafficking Act. This combined bill will hold Internet Service Providers (or ISPs) liable if they intentionally facilitate sex trafficking. FOSTA will also have ramifications for sites like Backpage and Craigslist that have personals sections, which are well known for being used to solicit sex trafficking. In fact, Craigslist has already shut down its popular personals section, noting: “Any tool or service can be misused. We can’t take such risk without jeopardizing all our other services, so we are regretfully taking craigslist personals offline. Hopefully we can bring them back some day.” The EFF and other privacy advocates argue that ISPs are protected by Section 230 of the Communications Decency Act, which is one of the most important laws protecting free speech on the Internet. Section 230 states that ISPs and other “intermediaries” are not liable for third-party content posted on services that they control. Without Section 230 the Internet would be a very different place, and it’s argued that companies like YouTube, Facebook and Twitter would not even exist without this provision.
I think we can all applaud the US government for trying to address the serious situation we have with sex trafficking in the US and across the world. However, the question to ask is whether laws like these will cause more harm than good. Will free speech and your privacy be stifled because of laws like FOSTA? Will more online businesses be forced to shut down because they are now held liable for content posted that they may not even know about? Only time will tell, but our advice is to support groups like the Electronic Frontier Foundation and other privacy groups that advocate and lobby for our rights to privacy. There are also more privacy tools available than ever before that you can use to help protect your communications. We’ve mentioned several of these tools on the podcast before, such as products to protect your devices like those from Silent Pocket, apps like Signal, the Tor Browser and of course VPNs (with some caveats about logging). These are all good ways to protect your privacy in a world where it seems our fundamental rights are slowly eroding away.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.