This is the Shared Security Weekly Blaze for September 3, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions – and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones directly via your web browser.
This is your Shared Security Weekly Blaze for September 3rd, 2018 with your host, Tom Eston. In this week’s episode: US Federal Privacy Law, WhatsApp’s Google Drive Warning and Improved Security for Instagram.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
The New York Times reports that the technology industry in the United States is beginning to lobby the Trump administration to create federal privacy legislation. Sources say that this proposed federal privacy law would first overrule the recent California privacy law and second, be much softer and less restrictive than the California law in regards to the way personal data is handled by technology companies. You may remember that back in July of this year the state of California passed its own privacy law, which is very similar to the European Union’s GDPR privacy legislation that went into effect this past May. It’s no surprise that technology companies like Google, Facebook, and others who have come under great scrutiny over the way that they protect and use our data are now “freaking out” over the possibility that if they don’t act soon to heavily influence the creation of a federal privacy law, their businesses and profitability will suffer greatly. The California Privacy Act and GDPR have been huge wins for data privacy around the world but have caused much pain for companies like Google and Facebook that rely on advertising revenue built from the collection of your private data.
Look, there will most likely be a federal privacy law enacted in the US at some point. What that eventually looks like is anyone’s guess. I will say that it’s going to get complicated very quickly when the technology lobbyists that have tons of money, from companies like Facebook and Google, push their own agendas. Moreover, add in the various trade groups, such as the US Chamber of Commerce and others, that are trying to enact voluntary standards that businesses can follow instead of federal laws. Federal laws would most likely enact fines for breaking the law. It’s unfortunate that our digital privacy seems up for grabs by corporations and governments more than ever before.
Are you an Android user who is storing your WhatsApp data backups in Google Drive? If so, you need to know that backups of your WhatsApp messages are not encrypted once they leave your device and are stored within Google Drive. Last week, WhatsApp reminded its users that backup services like Google Drive may not have the same protections, such as end-to-end encryption, that WhatsApp provides while using the app. This announcement came to the forefront due to recent news that Google has now exempted WhatsApp backups from counting towards Google Drive space limits. On the other hand, if you’re a WhatsApp user on Apple iOS, your backups are sent to iCloud, which does provide end-to-end encryption of WhatsApp backup data by ensuring anything that is stored at the server level is encrypted. This means that the WhatsApp backup data file itself is not encrypted but the location within Apple’s iCloud storage is. I think that you know why Google Drive is not encrypted, right? Google is using data from your documents, just like your email in Gmail, to serve you more ads.
This news from WhatsApp should make you think about how any of your backups are stored and what would happen if backups for your computer, phone or an application that was storing sensitive data were lost or stolen. It’s an interesting question, as cloud based storage seems to be all over the place in regards to who encrypts data stored at the server level (also known as ‘at rest’) and who doesn’t. For example, I was surprised to learn that Microsoft OneDrive is only encrypted for Office 365 business users and not for personal accounts. So what are some quick solutions? With any backup that you make through a cloud based solution, take a few minutes to do a simple web search and find out whether the provider encrypts your stored data. If they do not, consider using a tool to encrypt sensitive files before uploading them to a cloud backup solution. Check out our show notes for a good guide on several encryption tools that work well with many different types of cloud storage providers.
Instagram finally announced that they will begin rolling out the ability for users to enable app based two-factor authentication as a more secure way to protect access to Instagram accounts. App based two-factor authentication uses an app like Google Authenticator, Authy or Duo to provide a code, or to allow a button push (in the case of Duo), instead of receiving a text message. As we reported on the podcast just last week, Instagram has had a major problem with many users reporting that their accounts have been compromised, even with SMS based two-factor authentication enabled. Instagram, like many other apps, only allows SMS based two-factor authentication. SMS based two-factor authentication is no longer considered secure, and many apps and businesses are just starting to think about moving off of it. As we’ve mentioned several times on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port-out scams. Instagram users should start to see this new feature being rolled out to their accounts in the coming weeks, in addition to a few other updates including a new way for high profile accounts to request verification.
One interesting bit of research this past week from reporter Brian Krebs showed that SMS two-factor authentication is still the only way to reset your password via the Instagram app. This is a fairly large hole given that app based two-factor authentication is now available for the standard login process. Let’s hope that Instagram fixes this issue as well, because even with app based two-factor authentication enabled, it won’t stop a dedicated attacker from SIM hijacking your phone number and then resetting your password. Check out our show notes for a link to a site called twofactorauth.org to see the types of two-factor authentication in use by many of the popular apps that you may be using. We always recommend using some form of two-factor authentication instead of just using a password alone.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts, or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.