This is the Shared Security Weekly Blaze for April 16, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for April 16th, 2018, with your host, Tom Eston.
In this week’s episode: Facebook goes to Congress, more data breach announcements, and a new hope for replacing passwords.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags, you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
If you like this podcast, we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout-outs this week to @ZodMagus, @Yohun, @BNI212, @StrongArmSecure, @Borderless_i and @drheleno_ca on Twitter, as well as @itincloud, @dahveezy, @grassfedmama and @simpletechla on Instagram, and Johann, Richard, Julie, Jason and Stephane on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
The Facebook news continues this week with the announcement of a new tool to see if you or your friends shared personal information with Cambridge Analytica. This tool won’t tell you which of your friends took the quiz called “This Is Your Digital Life”; it will only say how many of your friends may have taken it. If this tool tells you that some of your friends took the quiz that allowed your data to be harvested, be sure to scold them until you find out who did it. Just kidding, but you may want to make a post about it so that your friends are aware of what they did. Also within this tool, Facebook gives you a link to review the information you share with other third-party apps. So check out our show notes for the link to this tool and for more information.
In other Facebook news, Facebook confirmed recently that it uses automated tools to scan private chats within its Facebook Messenger application for malware links, child porn and other violations of its terms of service. This news was surprising to many users of the Messenger app, as most people thought that these conversations were not being monitored by Facebook. Just so you’re aware, the only conversations that cannot be monitored by Facebook are “secret” conversations, which only work on the Apple iOS and Android versions of Facebook Messenger. Facebook’s secret conversation feature is actually the same end-to-end encryption protocol used by Signal, which is one of the most popular secure messaging applications that you can use. To use secret conversations you have to enable them on a per-conversation basis. For details on how to do this, check out our show notes. One important thing to note about Facebook secret conversations is that if the other party you’re having a private conversation with reports your conversation for something inappropriate, those messages are decrypted on their device and sent to Facebook’s support team. Just something to be aware of if you’re using the secret conversations feature.
Last but not least, Facebook CEO Mark Zuckerberg testified to Congress last week before legislators from both the Senate and the House of Representatives. Legislators asked Mark Zuckerberg questions about how Facebook secures user data, what type of regulations the government should put in place for Facebook, and asked Mark to explain the details around the Cambridge Analytica controversy. One thing that I noted during the testimony was that these legislators really have no idea how Facebook or any social network works. It was surprising to me that Mark Zuckerberg had to explain very basic functions and features that are part of using Facebook, as well as how Facebook makes revenue. For example, many legislators seemed to be unaware that Facebook has very detailed privacy controls for everything that a user can share, and were confused regarding how messaging apps like WhatsApp even work. I believe one Senator even noted that the messaging application WhatsApp can be used to send email. Now, I realize this is a very similar situation for those fellow Gen X’ers like myself who may have a non-technical parent that doesn’t have a clue about social media or technology.
However, if a legislator is proposing to regulate a technology that they know nothing about… we’re in for a very long and scary ride. If the US government does pursue regulation, let’s hope that they embrace or replicate common-sense privacy laws like the European Union’s GDPR privacy law, which goes into effect in May. Frankly, it’s probably best that we try to keep the government as far away as possible from regulation of social media technologies.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox, which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution, as it’s an extremely easy to use, scalable, and secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo, visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In news not related to Facebook, but as a follow-up to last week’s news about the Saks Fifth Avenue and Panera data breaches, Delta Airlines, Sears, Best Buy and Kmart all announced a data breach that happened through a third-party chat service provider called 7.ai. This chat service is similar to other help desk chat systems that many companies use for customer support, and in some cases it allows customers to order products or services. Apparently, 7.ai was the victim of a malware attack within its software from September 26th through October 12th of last year. During that time frame, if you happened to put your credit card information into one of the online chat sessions on one of the affected companies’ websites, like delta.com, your name, address and credit card information would have been compromised. If you were affected by this breach, stand by for your email notification and complimentary “free credit monitoring” for the next year.
These types of breaches, which involve a third-party organization, are very challenging to prevent. You may remember the Target credit card breach back in 2013 that exposed credit card information for around 70 million Target customers. That breach in particular was also conducted through a third party, which led to Target’s own systems being compromised. This recent breach is yet another wake-up call for organizations to do better vetting of their vendors and of the security of third-party software that is often embedded in company websites or run on internally owned systems.
Check out our show notes for a really good overview of the breach that Delta Airlines put together for its customers if you’re interested in learning more or if you think you’ve been affected by this data breach.
In some positive news this past week, it was announced that Google, Microsoft, Mozilla and Opera have all agreed to support a new standard for web authentication called “WebAuthn”. What this means is that web developers will soon be able to build their applications to use a more user-friendly and secure method of authentication. As you’re probably aware, passwords have always been one of the largest risks for users and businesses: they are challenging to store and manage, and they are constantly targeted in phishing attacks and disclosed through data breaches. With this new standard, your mobile phone, the fingerprint readers already built into many PCs, facial recognition, and other hardware that you already use to “unlock” your device can be used to replace passwords for website authentication. This new method of authentication is much more secure because the user’s credentials and biometric data never leave the user’s device and are never stored on servers; the server only holds a public key that is useless to an attacker who breaches it. There hasn’t been a timeline given yet as to when we may be able to start using this form of authentication, but many popular sites like Dropbox, PayPal, Google, Bank of America and others already support the underlying FIDO specification, which is being used for two-factor authentication on these sites today.
This is definitely great news, as we may finally see passwords slowly start to go away on the sites and services that we use. Just like how Apple Pay and Samsung Pay make your credit card transactions much more secure, it will be good to use a device that we’re already familiar with to authenticate to websites as well. We’ll be providing more updates as we get them about this new form of authentication and when it will be available for all of us to start using.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening, and see you next week for another episode of the Shared Security Weekly Blaze.