This is the Shared Security Weekly Blaze for May 7, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. You can listen to this episode and previous ones directly in your web browser.
Leave us a review! If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated!
This is your Shared Security Weekly Blaze for May 7th, 2018 with your host, Tom Eston. In this week’s episode: DNA Privacy, This Week’s Social Media Privacy News Roundup and Remote Car Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Shout outs this week to @PrivacyAlive, @Yohun and @TASCET on Twitter as well as Michael and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Have you thought about the privacy and security of your DNA? Well, recently it was announced that the “Golden State Killer” suspect Joseph DeAngelo was arrested and is accused of 12 homicides, 45 rapes and more than 100 robberies that took place in California from 1976 through 1989. Investigators disclosed that the arrest was due to DNA information obtained from an open source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in the database, which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. This raises the question of whether the DNA test results that anyone has submitted to an open-source database like this could be used by others for more than just criminal investigations. I think it’s fascinating that even if you don’t submit your DNA to one of these services, people who have some distant DNA relationship to you may already be in a database like this that is used to locate criminals.
This case has set off numerous discussions and debates about reviewing the privacy policies of popular DNA testing companies such as 23andMe, MyHeritage and Ancestry.com. It’s important to note that all these companies require a court order before law enforcement can access DNA records; however, that does not stop someone from taking their own DNA records and importing them into a larger open-source database like the one used to find the Golden State Killer. In my opinion, your DNA records are extremely personal and are much more valuable than any other piece of personally identifiable information that may be out there about you. And while many different companies have sprung up recently that are in the business of building out family trees, it begs the question of how these companies are protecting your DNA information. Could you imagine the fallout if one of these companies like 23andMe had a data breach? Our advice is for you to determine if it’s really worth submitting your DNA to one of these services, as your genetic data, through some distant relative of yours, may well get caught up in an investigation or used for another purpose that you may not even be directly involved with. What a time to be alive, isn’t it?
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook and social media privacy news, last week it was discovered that Twitter also sold data to Aleksandr Kogan, the researcher who happened to sell the personal information of over 87 million Facebook users to Cambridge Analytica. In Twitter’s case they sold API access to Aleksandr Kogan’s firm, called GSR, which allowed access to public tweets from December 2014 to April 2015. One thing to note about this is that Twitter doesn’t have very much personal information about its users (unless of course you share that information in your bio or tweets). So this data access, in my opinion, is not very significant. Twitter sells API access to large organizations quite frequently, so there shouldn’t be any surprise that corporations can pay for this level of access.
In related news, on Wednesday of last week Cambridge Analytica shut its doors and officially went out of business. This is no surprise given the massive amounts of bad press, the pending investigation from the UK Information Commissioner’s Office and the other legal entanglements about to hit the company. Just be aware that this business was a “cash cow” for Cambridge Analytica, so be on the lookout for them to start a new company under a different name.
Facebook was also back in the news with the announcement that they will be starting a dating service to compete with other dating apps like Tinder and Match.com. Facebook also announced that a new tool is going to be developed, called ‘Clear History’, that will allow you to clear your Facebook history (basically the websites and apps that send Facebook information) and remove tracking that Facebook does on you across the web. Mark Zuckerberg made this announcement at the F8 developer conference last week noting “Once we roll out this update, you’ll be able to see information about the apps and websites you’ve interacted with, and you’ll be able to clear this information from your account. You’ll even be able to turn off having this information stored with your account”.
Lastly, it was announced that Instagram will be expanding its anti-bullying efforts by introducing an enhanced ‘bully filter’. This technology is powered by a machine-learning system called ‘DeepText’ which was built by Facebook. Since Instagram is owned by Facebook, the two platforms share many of the same technologies. Instagram also stated that the new filter will hide comments attacking a person’s appearance or character, and alert Instagram to repeat offenders. It’s good to see Instagram doing something about the issue of bullying, as this has been a large problem, especially for teenagers who use Instagram within their social circles.
Dutch security researchers have discovered that certain Volkswagen and Audi cars are vulnerable to remote hacking via the onboard in-vehicle “infotainment” system (also called IVI) installed in newer Volkswagen Golf GTE and Audi A3 Sportback models. The researchers used the Internet-accessible wifi system, via an exposed port, to gain access to the IVI, which allowed them to listen in on conversations, view location data and track where the car is in real time. The researchers also discovered that the IVI system was indirectly connected to the acceleration and braking systems in the cars, but they stopped their research there as they felt that they might be violating Volkswagen’s intellectual property (basically, they didn’t want to get sued).
The good news is that Volkswagen worked to fix the vulnerabilities after the issues were disclosed to them, and that the researchers are not planning on releasing details on how to conduct the attack. However, the bad news is that the fix requires Volkswagen customers to come into the dealer for the update; Volkswagen does not have a remote way to push security fixes to affected cars. In addition, it’s been reported that customers who own these specific models of cars have not received notification from Volkswagen, and Volkswagen has not publicly discussed the vulnerabilities. You may remember back in 2015 when researchers Charlie Miller and Chris Valasek demonstrated to the media how easy it was to hack and take full control of a GM Jeep Cherokee remotely over the Internet. That was actually a vulnerability in the IVI of that car as well. It’s also not the first time that Volkswagen has kept critical vulnerabilities a secret. Back in 2015 it was discovered that over 100 models of cars were vulnerable to a key fob attack which would allow criminals to steal the car. I guess what’s old is now new again!
As we’ve mentioned on the podcast before, car manufacturers need to be held more accountable for vulnerabilities like these, and they need to develop a better process for working with security researchers when vulnerabilities are identified. Transparency also goes a long way with customers, especially with a critical issue like this one that could put customers’ lives in danger. I don’t know about you, but I would be pretty mad if I was a customer who owned one of these cars and found out through the media or another third party about a serious vulnerability in a product that I just spent a lot of money on. Let’s just hope that other car manufacturers are paying attention to this news so that they don’t make the same mistakes.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.