This is the Shared Security Weekly Blaze for June 11, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
This is your Shared Security Weekly Blaze for June 11th 2018 with your host, Tom Eston. In this week’s episode: MyHeritage data breach, Facebook’s data sharing partnership and Apple iOS 12 and macOS updates.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
MyHeritage, the DNA and ancestry service, announced a large data breach this past week which exposed the email addresses and hashed passwords of approximately 92 million customers. Apparently, a file containing this data was found on a private server by a security researcher who reported it to the Information Security team at MyHeritage. Customers affected include anyone that signed up for an account previous to October 26, 2017. Regarding how user passwords are being stored, MyHeritage stated that “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords”. No further details were provided on how the file was found or why it was on a private server to begin with. Other than the typical advice of “change your password” and the announcement that MyHeritage will be implementing two-factor authentication in the near future for added account protection, MyHeritage does not suspect that any IT systems were compromised in the breach.
My take on this situation is that it sounds to me like a developer or other internal employee posted this file either in error or there may be the possibility that a disgruntled employee may have maliciously posted the file. We may never find out what really happened here but I do find it ironic that just a few short weeks ago we had discussed the impact of an ancestry company that holds the DNA records of millions of people having a data breach. I’m also surprised that MyHeritage is finally implementing two-factor authentication given that this type of account protection has been the standard for many years now. Like our other advice discussed on the podcast, we can’t rely on third-party companies to keep our personal data secure. You need to decide if you want to risk your data being exposed, either by accident or through a compromise, by choosing the companies you want to supply your personal information to.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Facebook is in the news once again, this time for its data-partnership with 60 companies including Amazon, Apple, BlackBerry, Samsung and several Chinese companies such as Huawei. Huawei was identified as a threat to US national security by government officials which makes this partnership a little bit more interesting. Access to Facebook data was given to these companies as early as 2011 so they could tightly integrate Facebook into their devices. This was a feature implemented before the Facebook app became the most popular way to access Facebook on a mobile device. This type of data access allows devices to pull Facebook data so that they can provide a Facebook like experience. For example, BlackBerry used Facebook data for an app called the “Hub” which can let BlackBerry users view messages and all social media accounts in one place.
Last week through a New York Times investigation, they had found that the data access given to device manufactures included data about a user’s friends and even those who have “denied Facebook permission to share information with any third parties”. This data access also seems to bypass several access restrictions typically in place for developers and can even access data such as ‘friends of friends’ that Facebook has previously restricted. Device manufactures that were involved with this partnership have stated that Facebook data retrieved was only stored on the users device and not on the servers of the device manufactures. How does one know this for sure? Well, we don’t but I find it very hard to believe that some of these companies, especially ones with ties to the Chinese government, would not be abusing this feature.
Unfortunately, Facebook has only recently been trying to hold developers and companies with access to Facebook data more accountable mainly because of the Cambridge Analytica scandal. You may have also noticed that since the Cambridge Analytica scandal Facebook has tried to “rebrand” itself as a friend focused app and not a fake news or data harvesting service through TV commercials and targeted friendly ads on Facebook. As you’re aware, you and your data will always be the product at Facebook no matter what Mark Zuckerberg or their new marketing campaign may tell you. It comes down to making money and that’s ultimately what Facebook will always use your data for.
Apple has announced details about new privacy and security features coming out for iOS 12 and macOS Mojave at the Worldwide Developers Conference this past week. Some of these new features include improved tracking prevention capabilities for the Safari browser, end to end encryption for Facetime group calls and a new password manager integrated into macOS and iOS. Specifically for macOS Mojave there are new data protections that will require apps to ask for user permission before accessing the camera or microphone or before accessing email or iMessage databases. In addition, there is a new USB Restricted Mode in iOS 12 which will prevent a locked iOS device from communicating with a USB port via the lightning connector. Your passcode will still need to be entered at least once a week to allow USB connectivity. This measure was implemented to help prevent or make it more difficult for law enforcement and others from trying to break the passcode on a iOS device. This is typically done using forensic tools like GreyShift and Cellerbrite which are known to be used by law enforcement and nation states to gain access to confiscated iOS devices.
Many of these new privacy and security features in macOS for Apple laptops and desktops are starting to mirror what has been available in iOS on mobile devices for quite a while now. This is a positive development as it seems Apple has really started to become the leader in user privacy controls out of the major tech companies like Google, Amazon and especially Facebook.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.