This is the Shared Security Weekly Blaze for May 28, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
This is your Shared Security Weekly Blaze for May 28th 2018 with your host, Tom Eston. In this week’s episode: Real-time Location Tracking, VPNFilter Router Malware and Apple’s GDPR Updates.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.
How valuable is your real-time location? For many of us it’s a scary thought that someone could easily track our whereabouts in real time without our permission, and with little or no recourse against them. For the mobile phone carriers, though, your location means profit, because they have been selling access to real-time location data to third-party companies. In late-breaking news the other week, a company called LocationSmart, a real-time aggregator of mobile phone location data, was found to be able to access the real-time location of every phone on every major US carrier (that includes AT&T, Sprint, T-Mobile and Verizon) without the user’s consent. Robert Xiao, a researcher from Carnegie Mellon University, was poking around a web demo of the LocationSmart service and found that a vulnerability in the demo’s API let him query the real-time location of some of his friends without them ever consenting to the lookup. The LocationSmart demo was not taken down until well-known reporter Brian Krebs of KrebsOnSecurity.com got involved and reported on the issue.
This is also not the first time recently that we’ve seen carrier location data being used suspiciously. Back in early May, a New York Times article identified a company called Securus in a story about a former sheriff who had used location data from the Securus service to track people without a warrant or the users’ consent. To add insult to injury, a hacker then broke into Securus systems and stole 2,800 usernames, email addresses and hashed passwords belonging to Securus customers. Ironically, Securus gets its location data from, you guessed it, LocationSmart. You also shouldn’t be surprised that these are probably not the only two companies with access to real-time location data; you can bet that many other organizations, including criminals and nation states, are also using services from similar companies.
This entire situation raises the question of what the mobile phone carriers are doing with our location data. Of course the carriers need to know which cell tower your phone is registered to; otherwise calls and data couldn’t be routed to you and the phone wouldn’t work at all, which would defeat the purpose of having a mobile phone. What comes as a surprise is that the carriers are blatantly handing that location data to third-party aggregators, which in turn pass it on to other companies working for law enforcement and the government. It seems to me that this is a great way for the carriers to make money off your location data and for law enforcement to “bypass” a warrant and other privacy protections. It’s also sad that you, as the consumer of these mobile services, have no control over how your location data is shared with third parties. We all advocate locking down the location-sharing settings on your devices and apps as a way to keep third parties from receiving this information, but with the carriers selling your location off at the network level, those settings don’t help here at all: the carrier sees your location whether or not any app has permission. Your best course of action to prevent a third party from tracking you this way is to use a Faraday bag like the ones from our sponsor, Silent Pocket. A Faraday bag blocks all radio signals to and from the device, so the phone never registers with a tower and there is nothing for an aggregator to look up; keep in mind that this only holds while the phone is inside the bag (it can’t receive calls or messages in there either), and that it does nothing against physical theft, of course. The good news is that this situation has gotten the attention of Senator Ron Wyden, who has urged all of the main US wireless carriers as well as the FCC to take action. Given the current state of politics in the US, though, it’s anyone’s guess whether anything will be done to hold the carriers more accountable. More to come on this topic for sure; we’ll be following it closely and providing updates in future episodes.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Last week researchers at Cisco Talos released research on a large botnet spreading malware named “VPNFilter”. VPNFilter has compromised over 500,000 home and small-office Wi-Fi routers and NAS storage devices. This malware differs from other router malware in that, once fully installed, it maintains persistence on the device even after a reboot: its first stage survives a reboot and is used to re-download the later stages. Like other router malware, VPNFilter can spy on web traffic, and it also has the ability to “brick” the device and disable it completely. Cisco Talos indicates that VPNFilter appears to be targeting routers in Ukraine. Now one can only guess that a certain large nation state we all know and love is probably behind this attack. Check out our show notes for the full list of affected devices; if you review it you’ll note that several of these routers are very popular consumer devices manufactured by Netgear, Linksys and TP-Link. The devices are being infected through default login credentials and management interfaces exposed to the Internet via the remote-management feature.
As we mentioned on the podcast just a few weeks ago when discussing the recent Department of Homeland Security alert about Russian router hacking, default credentials and remote administration reachable over the Internet are the two biggest attack vectors in use. Regarding VPNFilter, if you think you may be a victim of this attack, it’s best to reboot your router, then change the default administration password and disable any remote management over the Internet. Be aware that a reboot only clears the later stages of the malware; because the first stage survives a reboot, a factory reset is what removes it entirely, after which you should make the password and remote-management changes again. Hopefully you’ve already taken our advice from previous episodes and made these changes. Also be sure to update your router to its latest firmware, as there may be critical security updates that need to be applied. Older routers in particular usually lack the auto-update feature we see in newer home Wi-Fi routers and will not update themselves. Be safe out there, and take a few minutes to check the security of your Wi-Fi router using the guide posted in the episode show notes on sharedsecurity.net.
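One way to verify the “disable remote management” step from the outside, as an added example (this script is not from the podcast, the show notes, or Cisco Talos): run it from a machine that is not on your home network, such as a VPS or a phone on cellular data, against your home’s public IP. Any listed port that completes a TCP handshake is a management service exposed to the Internet. The port list is an assumption about common consumer-router and NAS defaults, and the IP in the usage line is a documentation address, not a real target.

```python
"""Added example: check whether a router's management ports answer from the Internet.

Usage (from OUTSIDE your home network):  python3 router_exposure.py 203.0.113.5
With no argument it runs an offline demo against a local listener instead.
"""
import socket
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Commonly exposed management services on consumer routers and NAS boxes.
# Assumed defaults for illustration, not a list taken from Cisco Talos.
MANAGEMENT_PORTS: Dict[int, str] = {
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin UI",
    443: "HTTPS admin UI",
    8080: "HTTP admin UI (alternate)",
    8443: "HTTPS admin UI (alternate)",
    5000: "NAS web UI",
    7547: "TR-069 CWMP (ISP remote management)",
}


def tcp_port_open(host: str, port: int, timeout: float = 1.5) -> bool:
    """True if a full TCP handshake to host:port completes within `timeout`.

    A refused or timed-out connection counts as closed/filtered. Nothing is
    sent on the connection, so this is safe to run against your own gear.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host: str, ports: Optional[Iterable[int]] = None,
                     timeout: float = 1.5) -> List[int]:
    """Return the subset of `ports` (default: MANAGEMENT_PORTS) reachable on `host`."""
    if ports is None:
        ports = MANAGEMENT_PORTS
    return [p for p in ports if tcp_port_open(host, p, timeout)]


def describe(open_ports: Iterable[int]) -> List[str]:
    """Human-readable result lines; an empty list means nothing is exposed."""
    return [f"port {p}: {MANAGEMENT_PORTS.get(p, 'unknown service')} reachable"
            for p in open_ports]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on 127.0.0.1 so the check can be shown offline.

    Returns the server socket (close it when done) and the port it got.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """A loopback port nothing is currently listening on (for the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        found = exposed_services(target)
        print("\n".join(describe(found)) or f"{target}: no management ports reachable")
    else:
        # Offline demo: the listening port is reported open, a free one is not.
        srv, open_port = start_local_listener()
        print("demo listener reachable:", tcp_port_open("127.0.0.1", open_port))  # True
        print("free port reachable:", tcp_port_open("127.0.0.1", free_port()))    # False
        srv.close()
```

If the scan from outside shows port 80, 443 or 23 reachable, the router’s admin interface is on the Internet and should be turned off in the admin UI (or, for port 7547, checked with your ISP). An empty result from outside, combined with a fresh firmware and a non-default password, is the state you want to be in.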
Apple has recently taken steps to let its European Union customers download all of the personal data Apple has been storing about them. The new feature launched right before the GDPR, the European privacy law, went into effect last Friday. GDPR is new privacy legislation that requires companies doing business with people in the EU to properly protect and store their personal data and to let them access, manage or delete it. GDPR also has wide implications for people outside the EU, since many companies have rolled their GDPR privacy changes out to all of their users. Now that we’re past last Friday’s GDPR deadline, I’m sure you’ve had a flurry of “privacy notice” emails, so now is a great time to unsubscribe from any service, or delete any app, that you no longer use.
With this announcement, Apple customers in the European Union can now select which personal data they would like to download, and Apple will assemble it and deliver it to the requester within seven days. This data can include support cases, App Store activity and a lot of other records that Apple holds. Check out our show notes for the full list of data available for download. Countries such as the United States and Canada should see this feature launch in the coming weeks; in the meantime, Apple will let non-EU customers request or delete their personal data through Apple’s privacy site, which is more of a manual process for privacy requests. Kudos to Apple for being one of the few tech giants that appear to be addressing GDPR in a way that has a positive effect on all customers, not just those located in the EU.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.