This is the Shared Security Weekly Blaze for May 21, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. This episode and previous ones can be listened to directly in your web browser.
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 21st, 2018 with your host, Tom Eston. In this week’s episode: Efail vulnerabilities and PGP encryption, Facebook’s app investigation and Nest password notifications.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support!
Multiple vulnerabilities dubbed “Efail” were announced by European security researchers in several popular email clients that make it possible for attackers to view the plaintext of email messages encrypted with the PGP (also known as Pretty Good Privacy) and S/MIME encryption standards. Email, as you’re hopefully aware, is not encrypted by default. This is often referred to as “plaintext” email. PGP and S/MIME have been the standards for email encryption for many years now and are used by many people and businesses to secure email communication. The Efail vulnerabilities allow an attacker to embed previously obtained encrypted text into a new email and also include a web URL of the attacker’s server. When the email is sent to the victim, the email client decrypts the email like normal but inadvertently sends the plaintext of the previously encrypted email to the attacker’s server. The issue lies in the way vulnerable email clients decrypt encrypted email.
One very important point to make is that PGP and S/MIME encryption are not broken. While they may not be modern encryption solutions, they are still a viable and secure method to safeguard sensitive emails and other information such as documents and files. This particular issue is about vulnerable email clients, not the encryption protocols themselves. Organizations such as the EFF have advised disabling PGP and S/MIME within your email clients as a temporary solution until fixes for the email clients identified as vulnerable are released. You can still encrypt and decrypt emails outside of your email client if you’re already using PGP. However, disabling encryption software should be based on your own level of risk, rather than just turning off encryption safeguards altogether.
For example, if you are a human rights activist who knows your email communication is being monitored by, say, a nation-state, there may be much more risk to you of being a victim of this attack because it’s more than likely that all of your encrypted email communications have already been collected. If you are at this level of risk, you absolutely should take heed and disable PGP in your email client and perform encryption and decryption through other means. You should also consider using other secure end-to-end encryption services like Signal to send sensitive messages. If you’re a low-risk PGP or S/MIME user, you should determine if you have a vulnerable email client and ensure you update when patches are released. Check out our show notes for details on which email clients are vulnerable and for more details about the Efail vulnerabilities.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook news this week, an ongoing investigation by Facebook into apps that have had access to large amounts of personal information continues. Facebook provided an update stating that the investigation process is in two phases. The first phase is to review all apps that have had access to large amounts of data and the second is to conduct interviews, ask more detailed questions and even perform on-site audits of companies if necessary. Currently, Facebook has reviewed thousands of apps and around 200 have been suspended. Once they complete an investigation, if any of these apps are banned, Facebook will notify affected users through the same process they used for the Cambridge Analytica situation, by showing users if they or their friends installed a banned app. Hopefully, you or your friends are not notified that you shared personal information with one of these newly banned apps.
In related Facebook news, the personal data of about 4 million users who took yet another personality quiz, this one called “myPersonality”, was found unsecured due to a developer posting a username and password on the popular code sharing site GitHub. These credentials allowed direct access to the data. The kicker is that this username and password was publicly available on GitHub for four years before it was recently identified. Fortunately, unlike the personality quiz data used by Cambridge Analytica, this data only included personal information of the people who took the quiz, not the data of their friends.
I think that it’s a positive development that Facebook is finally taking a stronger stance on Facebook app developers and attempting to hold them more accountable. The bigger problem here is that no matter what Facebook does, it is near impossible to ensure that developers are properly securing the data that they are collecting. And that means, not posting login credentials on publicly available sites that are a simple Google search away from this data falling into the wrong hands.
Nest (which is the Google-owned company of Internet-enabled thermostats) sent out an email notification to users whose Nest account passwords were found in leaked password databases. It’s not known what specific databases were used by Nest, but it may be from a service such as Troy Hunt’s “Have I Been Pwned” service, which will notify you if your user accounts and password show up in their database of over half a billion passwords collected from previous data breaches. Nest apparently took its list of hashed user account passwords and compared it to ones that have been previously disclosed. So, if you received this email it may not mean that someone has accessed your Nest account; rather, it means that you should change your Nest password immediately and also change it on any sites and services where you may have used that same password. Hopefully as a listener of this podcast you know better than to reuse the same password across multiple sites and services. Check out our previous episode on password managers if you would like more details.
I really commend Nest for being proactive by notifying affected users about the security of their accounts. Nest also went as far as to let users know how to enable two-factor authentication on their accounts as an additional layer of protection. We need to see more companies doing this because ensuring users are following good password management not only protects their own users but it sets the precedent for other companies to do the same thing. I’d also argue that it’s good for business too. The password problem is not going away anytime soon, but the more education that can be done like this recent example from Nest, the better off we’ll all be.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
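The Nest segment above describes a service comparing its users’ password hashes against a corpus of passwords exposed in earlier breaches. The following is an added example, not code from the podcast, Nest or Have I Been Pwned, showing how such a check is typically done without handing the full hash to the breach service: the client sends only the first five hex characters of the SHA-1 of the password (a k-anonymity range query, the model the Pwned Passwords API uses), receives every hash suffix in that range with its breach count, and completes the match locally. The breach corpus and the account names are constructed for the example; `range_lookup` stands in for the remote API so the code runs offline.

```python
"""
Added example: k-anonymity range check of passwords against a breach corpus.
Not the podcast's, Nest's or HIBP's code. The corpus below is constructed
for illustration; a real service holds hundreds of millions of entries.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the key the corpus uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: a few well-known weak passwords with made-up breach counts.
BREACHED_PASSWORDS = {"password": 3, "123456": 5, "qwerty": 2, "letmein": 1}

PREFIX_LEN = 5  # the range API partitions on the first 5 hex characters


def build_range_index(passwords):
    """Group full hashes by their 5-char prefix, as the server side would."""
    index = defaultdict(dict)
    for pw, count in passwords.items():
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> dict:
    """Simulated server: return {suffix: count} for one 5-char prefix.

    The server learns only the prefix, so it cannot tell which of the
    (on average several hundred) hashes in the range the client holds.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range queries take exactly %d hex characters" % PREFIX_LEN)
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, query the range, finish the match locally."""
    h = sha1_hex(password)
    return range_lookup(h[:PREFIX_LEN]).get(h[PREFIX_LEN:], 0)


def accounts_to_notify(account_hashes: dict) -> dict:
    """Given {account: sha1_hex}, return {account: breach_count} for matches.

    Works on unsalted SHA-1 hashes only; see the note below on why a site
    storing salted hashes has to run this when the plaintext is available.
    """
    flagged = {}
    for account, h in account_hashes.items():
        h = h.upper()
        count = range_lookup(h[:PREFIX_LEN]).get(h[PREFIX_LEN:], 0)
        if count:
            flagged[account] = count
    return flagged


if __name__ == "__main__":
    # Constructed account list for demonstration; "nest.example" is made up.
    accounts = {
        "alice@nest.example": sha1_hex("123456"),
        "bob@nest.example": sha1_hex("Tr0ub4dor&3!"),
    }
    for account, count in accounts_to_notify(accounts).items():
        print("notify %s: password seen %d times in breaches" % (account, count))
```

One caveat worth keeping in mind: the corpus is keyed on an unsalted SHA-1, so a site that stores its own passwords as salted, slow hashes (as it should) cannot compare its database directly. It can only run this check at a moment when the plaintext is in hand, such as login or a password change, or, as the host speculates Nest did, by comparing whatever hash form it holds against a corpus in the same form.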