This is the Shared Security Weekly Blaze for April 23, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 23rd 2018 with your host, Tom Eston. In this week’s episode: Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls and Russian Router Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated.
Shout outs this week to @securityvoid, @HammerITConsult, @davegeek_ and @Yohun on Twitter as well as Tim Maliyil on Instagram and Richard, Jason and Eddie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
There was an article this past week that totally got my attention and should get yours as well, which was titled quote “Is your Android phone a ‘toxic hellstew’ of vulnerabilities?” end quote. Toxic hellstew does sound rather terrible, so if you have an Android phone you may want to pay attention to this. A study was recently released that found that your Android phone may be lying to you about critical patches that should be installed by your device manufacturer. This issue, called the ‘hidden patch gap’, was discovered by German security firm Security Research Labs. The research shows that some popular Android devices from Google, Sony, Samsung and many other brands would show that they were fully patched when in fact they were missing security patches, and in some cases up to a dozen patches from a specific time period. This means that without current security patches, these Android devices were left vulnerable to various attacks. The researchers believe that manufacturers are setting these false patch levels in an attempt to deliberately deceive consumers that their devices are secure. Device manufacturers like Google have responded to the research stating that there are other layers of security in Android devices to protect them from attack and patching is just one of those layers. Of course they did not admit to providing consumers with a false sense of security.
While patching of Android devices has always been a challenge because of the known issue of device fragmentation, where older Android devices may never get updated, patching should be of utmost importance to device manufacturers because of the rise of mobile device attacks.
So what can you do to see the real patch level of your Android device? Well, the researchers behind the ‘toxic hellstew’ patch issue released an app called ‘SnoopSnitch’ that can run a test to see the real patch level of your device. If your device ends up being fully patched once running the app, you should be up-to-date on recent patches. If not, you may want to consider being more careful about what you click on, what apps you install and how you use your Android device until your manufacturer ‘really’ updates your phone. If you really are concerned, you may want to consider getting a different Android device from another manufacturer in the future. Check out our show notes for details on downloading the SnoopSnitch app and for a link to a FAQ about the testing results and what they mean for your device.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook news this week, Facebook officially announced that they will be introducing new privacy controls and notifications for all of its users to meet the European Union’s General Data Protection Regulation, also known as GDPR which goes into effect in May. What this means to you is that no matter where you reside in the world you will be asked to review your privacy settings and how you choose to allow your data to be used for advertising. In addition, you’ll be asked specifically if you want to have your political, religious and relationship information stated in your profile. As I’m sure you’re well aware, this was information that was harvested from the infamous Cambridge Analytica quiz debacle several weeks ago. Users in the EU will start to see permissions screens show up when they use Facebook this week and users in other parts of the world, including the United States, will see these screens in the near future.
One point to make about this new effort from Facebook is that even if the Cambridge Analytica controversy hadn’t happened, Facebook was planning on rolling out these revamped privacy controls and notifications either way to comply with the new GDPR regulation. Violation of GDPR rules will subject companies, worldwide, to stiff penalties if they use personal information of EU citizens without official consent, so it was always in Facebook’s best interest to comply with GDPR. I think that GDPR, while a pain for many organizations to implement, is a positive development from a privacy perspective. Let’s hope that legislators in the US who may be considering new privacy rules to implement pay close attention to what the EU is doing with GDPR.
Apparently Russian hackers have been targeting millions of home routers, corporate firewalls, switches and other widely used networking equipment, according to a joint Technical Alert issued by the Department of Homeland Security here in the US. The Technical Alert states “The FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”
Now, state-sponsored hacking activities from Russia are nothing new, but this alert seems to describe very specific attacks on very common networking devices. The attacks described are also not very complex, as they go after device misconfigurations, default passwords and poor security designs, which are fairly typical, especially with cheap consumer devices like wifi routers. As we’ve discussed on the podcast before, as a consumer, you need to make sure that any home wifi router or other networking equipment that you use is fully updated with the latest security patches and that any default passwords are changed.
One way to ensure that you stay up-to-date with security patches for your wifi router is to register your purchase with the device manufacturer so you get email alerts when there are new updates. We also recommend you investigate the reviews and product descriptions of any IoT (or Internet of Things) devices that you may be purchasing to see how they are updated and secured. This can be challenging because many of these cheap devices have either very few security controls or none at all, which could leave your home network vulnerable. In addition, many of us use cable modems or wifi routers (often called ‘gateways’) provided by our Internet Service Providers (or ISPs). These devices typically cannot be updated by us and we have to rely on the ISP to keep them properly updated and secured. It’s scary to think that your ISP may have never updated the router that they are providing you. You could call your ISP and ask them how they are securing your router, but other than that, we unfortunately have to rely on device manufacturers to design more secure devices by default, and on ourselves as consumers to be more careful about the products we buy from device manufacturers that may not be serious about the security of their products.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.