This is your Shared Security Weekly Blaze for October 15th 2018 with your host, Tom Eston. In this week’s episode: Google+ shutdown, weapons systems vulnerabilities, and new data on voice phishing scams.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Google announced this past week that it’s shutting down Google+, due to a bug in the “people” API that may have exposed private profile information for more than 500,000 Google+ users. The bug allowed third-party apps to have access to certain optional profile data such as name, email, address, occupation, gender, and age. This access was limited to only Google+ and not any other data you may have had with other Google services. While the bug was patched back in March, Google decided to start the process to shut down Google+ in the next 10 months, mostly because it was found that 90% of Google+ user sessions only last about 5 seconds. Google states that even though approximately 500,000 Google+ accounts were affected by the bug and up to 438 applications may have used this API, they found “no evidence that any developer was aware of this bug, or abusing the API, and (we) found no evidence that any Profile data was misused”.
Also included in the announcement about the Google+ bug were two other improvements targeting user privacy. First, Google is adding more fine-grained control over what account data you share with apps through the use of new individual dialog boxes. These dialog boxes will show each requested permission, one at a time, within its own dialog box. This will allow more detailed permissions to be selected instead of the traditional “all or nothing” permissions approach. Lastly, Google is limiting the ability of third-party apps to request call log and SMS data. Google will now only allow whichever default app you use for making phone calls or sending text messages to make these requests. In addition, the Android contacts permission is also changing. Going forward, apps will no longer be able to access basic interaction data like showing you your most recent contacts. In all, I don’t think Google+ will be missed by anyone, but it’s good to see that Google is making these small but impactful privacy changes.
A new report released from the Government Accountability Office (also known as the GAO) here in the United States shows that previous cybersecurity vulnerabilities identified in the Department of Defense’s newest weapons systems were never fixed. Testing was apparently conducted on weapons systems from 2012 to 2017 and shows that these problems seem to be widespread in nearly all weapons systems under development. Some of these vulnerabilities are extremely easy to exploit. For example, guessable and default passwords were easily exploitable, and in some cases the report noted that some default passwords were easily identified through simple Internet searches. The report also stated that during tests conducted on these weapons systems, “using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected”.
Given that the Department of Defense plans on spending $1.6 trillion to create more weapons systems, cybersecurity and the significant importance of related computer systems need to be a top government priority. Many of the vulnerabilities in these systems are very common in Internet of Things devices, so it’s not that far of a stretch to see weapons systems that may be using some of the same technology that is available in the consumer market. As we all know, Internet of Things devices oftentimes have vulnerabilities that are very easy to exploit, like default passwords. On top of that, there is a large issue right now with the cybersecurity workforce in the government not getting nearly the level of pay that they do out in the private sector. This means that many entry-level cybersecurity analysts spend a short amount of time building their skills in a government job, then end up leaving to get paid much more in the private sector. It really goes back to the weapons systems manufacturers making sure they are building security into the products that they are developing. Of course, that’s easier said than done.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Microsegmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
According to research released at the recent DerbyCon security and hacking conference by previous podcast guest Chris Hadnagy, CEO of Social-Engineer.org, and his co-worker Cat Murdock, you’re more likely to receive voice phishing scams on Fridays, and they are most successful in the afternoon vs. the morning. According to an interview conducted by Dark Reading, Chris and his team started recording and collecting data on vishing calls that were conducted by his company over a three-year period, which ended up totaling more than 20,000 calls. Out of these calls, 5,690 were completed, meaning that the social engineer talked with someone on the other end of the line. Of the calls that were completed, 3,017 resulted in a compromise, which ended up being a success ratio of 53%. These compromises gathered 8,685 pieces of information such as social security numbers, information about company internal projects and answers to security questions.
Why is the end of the week and late afternoon, around 5pm, the best time for scammers to be successful? Chris notes that most office workers are less alert on a Friday compared to a Monday and that at the end of a work day, most people are ready to head out of the office and are sometimes more willing to tell you anything you want to know so that they can go home. The other takeaway from Chris’ research is which pretexts vishing victims most commonly seem to fall for. Calls with a pretext of someone calling from HR regarding an employee’s health care open enrollment had a compromise rate of 28%, and the other was IT-related pretexts, where a social engineer uses a pretext related to audits, security updates and employee badges. This research seems like a great reminder for all of us to re-evaluate our awareness of voice phishing scams and to ensure we don’t let our guard down, especially towards the end of the week and towards the end of our working day.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.