This is the Shared Security Weekly Blaze for May 14, 2018, sponsored by Security Perspectives (Your Source for Tailored Security Awareness Training and Assessment Solutions), Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones directly in your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 14th, 2018, with your host, Tom Eston. In this week’s episode: recent Windows vulnerabilities, exposed Twitter and GitHub passwords, and the latest credit freeze controversy.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags, you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security Podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support!
Microsoft has recently released patches for two rather serious vulnerabilities that are currently being exploited in the wild. One vulnerability, dubbed “Double Kill”, affects the Windows VBScript engine through the Internet Explorer web browser and impacts most modern Windows operating systems, including Windows 10. The other vulnerability is described as an elevation of privilege vulnerability which only affects Windows 7 and Windows Server 2008. With the VBScript engine vulnerability, an attacker leverages a malicious Word document to exploit the flaw through the Internet Explorer web browser. The interesting aspect of this attack is that even if you don’t use Internet Explorer and use another browser like Chrome or Firefox, you can still fall victim to this attack. This is because Internet Explorer is tightly integrated into the rest of the Windows operating system. Researchers have noted that this vulnerability in particular is looking to be one of the most exploited in the future because of the way it leverages Internet Explorer to conduct the attack. The other critical vulnerability announced is a little harder to exploit, as the attacker needs to log in to a Windows system as a regular user and then run an application to exploit the vulnerability, which would give the attacker full control of the victim’s system. Lastly, there were about 20 more critical updates that were part of this most recent patch release from Microsoft that are not yet known to be actively exploited.
The best way to protect yourself against these latest vulnerabilities and future ones is to ensure you’re running the most current version of Windows, as well as checking that Windows Update is set to automatically download and install critical updates. See our show notes for details on where you can check how Windows Update on your system is configured.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox, which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution, as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo, visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Twitter and popular code repository site GitHub announced that user passwords were exposed to internal employees through an internal log due to a system-related bug. In the case of Twitter, the issue is related to the hashing function that masks passwords before they are stored in their system. In the case of GitHub, they have only said that the passwords were discovered in a recent audit, and no further details were given. Twitter proactively sent out a notice to all of its 330 million users to change their passwords as a precautionary measure, even though there was no evidence of misuse. In the case of GitHub, no details were released on how many users had passwords exposed, but affected users were all contacted individually to initiate a password reset.
Kudos to both of these companies for disclosing this issue to their users. Like anything in the security world, it’s better for companies to be up front and honest than to hide or cover it up, especially when there is a chance that user security may be compromised. These two events are good reminders of why you should always use unique and complex passwords for each application and service, as well as enable two-factor authentication wherever possible. Twitter and GitHub both have two-factor authentication available, and it’s really easy to set up. Two-factor authentication adds another layer that an attacker would have to get through in order to fully compromise your accounts. Check out our show notes for details on how to enable two-factor authentication on your Twitter and GitHub accounts, and if you’re on Twitter, use this opportunity to not only change your password but to change any bad password habits as well.
Brian Krebs from krebsonsecurity.com reported last week that there is yet another credit agency out there that consumers should be aware of. As we’ve mentioned on the podcast before, one of the most important things you can do to prevent identity theft is to freeze your credit by contacting the three major credit agencies (Equifax, Experian and TransUnion) and requesting a freeze on your credit. There are also two more bureaus you need to freeze your credit with as well. One is called Innovis, which is basically another credit bureau, and the other is called ChexSystems. ChexSystems is used by many banks to verify new customers creating checking and savings accounts. Now there is a sixth credit bureau that you need to freeze your credit with, called the National Consumer Telecommunications and Utilities Exchange, or NCTUE. The NCTUE is being used by mobile phone companies, cable and other utilities instead of the traditional large credit bureaus. Hopefully you’re sitting down for this, but Brian Krebs also reported that Equifax just so happens to be the company that manages the NCTUE database. Now that news alone is very disturbing considering the recent horrible security track record that we all know about from the Equifax data breach.
Now, from what has been reported, it seems that you can only contact NCTUE via their automated phone system to freeze your credit file. The website system they have is really bad and seems to be the same one that Equifax uses when you attempt to freeze your credit. See our show notes for a walkthrough of this (unfortunately) painful process. Note that a fee may apply when freezing your credit at the different credit bureaus, as this varies by the state you live in. What a mess this is, isn’t it?
Since we now have six bureaus to worry about, you may ask yourself if anything is being done by the government to make this process easier for everyone and to hold these companies more accountable for protecting our private information. Unfortunately, not a lot of movement is going on in that area, except for a few bills in Congress that don’t look very promising. However, you may want to call or write your congressperson voicing your concern about the risk we all face with identity theft because the credit bureaus make it a painful process to protect our own private information.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening, and see you next week for another episode of the Shared Security Weekly Blaze.