This is your Shared Security Weekly Blaze for October 1st 2018 with your host, Tom Eston. In this week’s episode: Facebook’s fake account crackdown, privacy upgrade to HTTPS, and new security features in Apple iOS 12.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Facebook has recently taken a tougher stand against fake profiles, specifically ones being used by law enforcement. In a letter that Facebook sent to the Memphis Police Department, Facebook states they have disabled fake accounts that were set up by the police department because they violate Facebook’s terms of service which notes, you must use your real name while using the social network. Privacy advocates like the EFF have been critical of this position in the past since in some cases, free speech may put certain users at risk if real identities are being used. However, regardless of how you feel about this policy, it’s good to see Facebook applying these rules to everyone, including law enforcement. In fact, as the EFF has pointed out, Facebook recently updated their help page titled “Information for Law Enforcement Authorities” and under their misrepresentation policy they state “People on Facebook are required to use the name they go by in everyday life and must not maintain multiple accounts. Operating fake accounts, pretending to be someone else, or otherwise misrepresenting your authentic identity is not allowed, and we will act on violating accounts”.
Law enforcement aside, fake accounts on Facebook have always been a problem ever since Facebook started getting popular around 2008. In fact, I remember giving a talk at a hacker conference about social network bots and the underground criminal networks that had created automated tools and scripts to target unsuspecting social network users. Check out our show notes for a link to this talk and a nostalgic look into the younger version of yours truly. Oh, and in full disclosure, I may have pushed the limits of fake account creation back then as well. Now, I gave that talk back in 2009, but bots and fake accounts are still running rampant on Facebook and other social networks. They are even using those same techniques I talked about back then to friend thousands of strangers in order to solicit spam or to get them to click on links which lead to malware and phishing scams. The best advice to avoid becoming a victim of a fake account or bot in your friends list is to only accept friend requests from people you actually know in real life. But even that can lead to problems, especially if someone is impersonating one of your friends. Our advice is to contact that friend out of band, for example via a text message or phone call, to verify that they are who they say they are.
In other late breaking Facebook news last Friday, a serious vulnerability in the “View As” profile feature was identified by Facebook’s own engineers that affects almost 50 million accounts. The vulnerability allowed attackers to steal the access tokens which could then be used to take over other people’s accounts. Facebook states that they’ve already fixed the vulnerability and have reset the passwords of around 90 million accounts that may be affected by the issue. Facebook states that they are also working with law enforcement and greatly apologize for any inconvenience this may cause Facebook users.
How private do you think your web browsing history is? As we all know, HTTPS encryption helps protect the content of the information we share with the websites we are accessing. There have also been new ways to encrypt DNS queries, like DNS over TLS and DNS over HTTPS. However, even with an HTTPS connection, your ISP can still see the sites that you’re going to because DNS queries are typically not encrypted. That’s why one company called Cloudflare introduced a new public DNS server called 126.96.36.199 which supports DNS over TLS and DNS over HTTPS, so that DNS queries are encrypted as well. But did you know that there are other ways that ISPs can snoop on the sites that you’re visiting?
One large gaping hole that has been identified is something called the “Server Name Indication” extension, or SNI. In simple terms, you can think of SNI as the way your browser tells a server that hosts multiple domains which website you want, so that your request is routed to the correct site and the correct SSL certificate can be used to secure your connection. The catch is that the SNI hostname is sent in cleartext at the start of the handshake, before the encrypted session is established. If this sounds confusing, don’t worry. All you need to know is that your ISP and others that may be monitoring your connection can see the sites you visit if SNI is being used. The good news is that Cloudflare has introduced encrypted SNI, or ESNI, which is now part of the Cloudflare network. In addition, Mozilla’s Firefox browser will be the first browser to support this new protocol, with other browser manufacturers hopefully following Mozilla’s lead. This is great news for privacy, as one of the long-standing privacy issues on the Internet is about to be a problem no longer. If you’re interested in learning more about Cloudflare’s 188.8.131.52 DNS service, check our show notes for a link to our previous episode where we covered this service in more detail.
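To make concrete what an on-path observer such as an ISP can read from a plain (non-ESNI) handshake, here is an added Python example, not code from the podcast or from Cloudflare, that constructs a minimal TLS 1.2 ClientHello carrying an SNI extension and then extracts the server_name from the raw bytes exactly as a passive monitor would. The hostname `example.com` and the single cipher suite are constructed sample values.

```python
import struct

def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed for illustration;
    not a complete, negotiable handshake)."""
    host = hostname.encode("ascii")
    # server_name extension (type 0x0000): list of (name_type=0 host_name, name)
    server_name_list = struct.pack("!BH", 0, len(host)) + host
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    ext_block = struct.pack("!H", len(extensions)) + extensions if include_sni else b""
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x00" * 32                           # random (zeroed for the example)
        + b"\x00"                                # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one sample cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + ext_block
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the cleartext SNI hostname from a ClientHello record, or None.
    This is the same walk a passive network monitor performs."""
    if len(record) < 5 or record[0] != 0x16:
        return None                              # not a TLS handshake record
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None                              # not a ClientHello
    pos = 4 + 2 + 32                             # skip handshake hdr, version, random
    sid_len = hs[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len
    if pos + 2 > len(hs):
        return None                              # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0x0000:                      # server_name extension
            p = pos + 2                          # skip server_name_list length
            name_type = hs[p]
            name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
            if name_type == 0:                   # host_name entry
                return hs[p + 3:p + 3 + name_len].decode("ascii")
        pos += elen
    return None
```

ESNI exists precisely so that this walk returns nothing useful: with it, the server_name travels encrypted and the record above would show only an opaque blob.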
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Microsegmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication.
Visit Edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Apple has released iOS 12, and that means it’s time to talk about the new security and privacy features that come with a new operating system. First, Apple now asks if you want to turn on automatic iOS updates. This feature allows users to ensure that critical security updates are applied without having to install them manually. Second, if you happen to use a third-party password manager like LastPass or Dashlane, these apps can now take advantage of the autofill feature built into iOS 12 through a new API Apple has created for password managers. Some apps like LastPass have already been updated to support this new API, so be sure to check your password manager app to see if this feature is now supported. Note that this feature must be activated manually by navigating to Settings -> Password & Accounts and then activating the “Autofill Passwords” feature. Third, the built-in password manager for iOS 12 now includes an audit feature which will identify when the same or similar passwords are being used across multiple sites. And last but not least, the updated Safari browser in iOS 12 now includes something called Internet Tracking Prevention, or ITP, which will prevent cross-site tracking by large companies like Facebook and Google. ITP essentially partitions cookies per website, which in turn prevents things like Facebook’s tracking pixel and Like buttons from tracking you across different websites.
As we’ve always reminded you on the podcast, updating to the latest version of your operating system almost always includes critical security updates. In the case of iOS 12, Apple noted a very large list of security vulnerabilities that were fixed. Check out our show notes to view this list but in the meantime make sure you update to iOS 12 to ensure you’re running the very latest security updates to protect your device.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.