This is your Shared Security Weekly Blaze for October 8th 2018 with your host, Tom Eston. In this week’s episode: Chinese Spying, Facebook Shadow Contact Information and iPhone X FaceID Privacy.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I have a small favor to ask you. We would really appreciate it if you could leave us a review on iTunes. To leave a review, simply click the iTunes link in our show notes for this episode. We’ll be sure to thank you for your review on a future episode of the podcast. Thanks for your support!
In late-breaking news on Thursday last week, a report from Bloomberg detailed a large-scale supply chain attack which is believed to be one of the largest spying programs ever conducted by a nation-state. According to the report, a very small microchip, about the size of a pencil tip or a grain of rice, was installed and hidden in servers that were being used by approximately 30 American companies, including Apple and Amazon. These chips were apparently installed during the manufacturing process in server motherboards made by a company called Supermicro, which happens to manufacture its products in China. Of course, as you might assume, these chips were allegedly installed by the Chinese government to spy on American companies, giving China a competitive advantage in the highly competitive technology space. While Amazon, Apple, Supermicro and even China are denying the claims made in this report from Bloomberg, it’s not that far of a stretch when you consider that China has been known to insert malicious software into the hardware supply chain in the past, and that 75% of all mobile devices and 90% of all PCs in the world are manufactured in China.
Whether this story is true or not, securing the hardware supply chain is a very difficult problem to solve, even when hardware is manufactured in a country like the United States. For example, back in 2016 one US-based mobile phone company that makes cheap Android-based phones found a software backdoor installed on their devices which would send information from the device, you guessed it, back to China. So while the hardware itself was not manufactured in China, the software on the Android device was. I remember when I was working as a security consultant several years ago we would strongly advise business clients that when traveling to China they should use a “disposable” laptop and mobile device with very little or no corporate data on them. When our clients returned from China we strongly told them to never, ever plug their laptop back into their corporate network and to give it to us for forensic analysis. We gave this advice to our clients because we actually had one client in particular that had their laptops and phones hacked while they either went through Chinese customs or during their stay in China. This client in particular had their proprietary design information about a new product on said laptop.
Time will tell how this Bloomberg story pans out, but in the meantime, especially if you’re in the business of having confidential or proprietary business information that might be valuable to a nation-state such as China, take extra caution with devices that store or handle sensitive or proprietary business information.
Facebook was back in the news this past week with the revelation that the phone number that you may have provided Facebook for security purposes, like for two-factor authentication, is being shared with advertisers. To make matters worse, you don’t even have to willingly provide your phone number at all because of something called “shadow” contact information. Shadow contact information is any contact information, like your phone number, that is shared when your friends upload their contact information to Facebook. What this means is that even if you’ve never given your number to Facebook, your friends may have without you knowing. What’s also unfortunate about this news is that once again, we seem to be forced to make a privacy trade-off where we have the need to secure our accounts with two-factor authentication but must also allow our phone number to be harvested by advertisers so that we can be served more ads.
This news should give you pause, once again, because even if you’re someone who is careful with the personal information that you give Facebook, or any social network for that matter, you can’t really stop others, like your friends, who may inadvertently upload your contact information to a social network. Our advice is that if the constant news about Facebook using any and all of our data is concerning to you, perhaps it may be time for you to join the millions of others that are “deleting Facebook” (#DeleteFacebook). However, like many of us, we still see the value of social networks like Facebook, so this news may not be that concerning considering that most of our information, like our phone number, is probably easy for advertisers to obtain, whether Facebook has your number or not. What do you think? Is this the final straw to get you to stop using Facebook, or is the privacy of your phone number not that concerning to you after all? Let us know by commenting on the video of this podcast on our YouTube channel or on the post of this episode on sharedsecurity.net.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Forbes reports that for the first time ever, there is now a documented case of law enforcement forcing an Apple iPhone X owner to unlock their device with their face. According to the report, FBI agents searched the house of a suspected child abuser and told the suspect to put his face in front of the phone so that the device would unlock. This action, of course, allowed the FBI agents to search through the suspect’s phone for anything that might pertain to the investigation. However, very little could be extracted once the iPhone was unlocked. That’s because the passcode was still unknown to the FBI. By the time the agents attempted to connect the iPhone to a computer to forensically extract all the data off of the device, it had been locked for more than an hour, after which the passcode must be entered before a USB data connection is allowed. You may remember that back in July of this year Apple released an update for iOS 11.4 which required the passcode to be entered every seven days to maintain a USB connection to a computer. Now with iOS 12, this window has been reduced to one hour, which is probably the restriction that the FBI ran into. Keep in mind that forensic software companies like Grayshift and Cellebrite make software and hardware devices that can extract all data from mobile devices by exploiting either known or unknown vulnerabilities in a particular mobile device. The techniques these companies utilize are not really known; however, it’s most likely that they have access to either 0-day vulnerabilities (that means vulnerabilities unknown to the device manufacturers) or have found techniques to brute force the passcode on a device. It’s important to note that both of these companies have very large contracts with several different government agencies and various state and local law enforcement agencies.
What I find fascinating about this story is I really think we’re entering uncharted territory when it comes to Fifth Amendment rights, which protect individuals from incriminating themselves. The law was already sketchy around TouchID and using a fingerprint to unlock a device for law enforcement, but now with FaceID, it’s unknown if it’s really a breach of Fifth Amendment rights. There have also been lots of other challenges for law enforcement, such as “dead” suspects. For example, with TouchID, law enforcement could take a dead suspect’s finger and unlock the device successfully. However, with Apple’s FaceID technology, they can’t get a dead suspect to unlock an iPhone X, as the technology has a “liveliness test” which can detect if the person is dead or alive.
If this news is concerning to you from a privacy perspective, you can easily shut down TouchID and FaceID using something called “SOS” mode. On a newer iPhone such as the iPhone 8 and X, hold down the side button and one of the volume buttons; for older iPhone models, press the power button 5 times. Also note that if your device hasn’t been unlocked in 48 hours, a passcode is required to unlock the device. Lastly, don’t forget about creating a long and complex passcode, which means not using a four-digit PIN. That way, if your device is confiscated or stolen, it will be much more difficult to brute force the passcode to access your device.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.