This is your Shared Security Weekly Blaze for November 5th 2018 with your host, Tom Eston. In this week’s episode: Microsoft and Apple security Updates, Signal’s sealed sender and the Girl Scouts data breach.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
This past week Microsoft announced that its built-in anti-virus application called Windows Defender now has the ability to run within a ‘sandbox” environment. Sandboxing allows an application to run in a separate environment away from the rest of the Windows operating system and other applications installed on a PC. Sandboxing in Windows Defender is a very important security update given that Windows Defender runs as a high-privileged service and is a large target for attackers to compromise. Windows Defender is also the only anti-virus solution on the market with this capability. In order to enable sandboxing in Windows Defender you need to make a quick environment variable change within Windows if you want to use this feature right away. However, Microsoft plans on deploying this update to all Windows Defender users in the near future. See our show notes for details on how to enable sandboxing if you’re interested in using this new feature.
In other security update news, Apple has released several new security updates on the heels of the announcement of new Macs and iPads at Apple’s event last Thursday. Security updates for macOS Mojave, High Sierra, Sierra, iOS, watchOS, tvOS, Safari, iTunes, and iCloud for Windows were all released. One particular serious vulnerability for macOS could potentially allow remote code execution or crash your device. During the Apple event on Thursday, Apple also announced that with new MacBooks that have a new T2 security chip, will automatically disable the microphone when the lid of the MacBook is closed. This new privacy control will prevent any type of software, especially spyware or “stalkerware” with root or kernel privileges from engaging the microphone when the lid is closed. This privacy feature is a large step forward to help combat malware that may be installed without user’s knowledge for surveillance and stalking. Be sure to listen to episode 40 of this podcast for more details on stalkerware and how to know if one of these apps may be installed on your device.
These two stories once again emphasize that it’s important to keep the operating systems and anti-virus software on your devices and even hardware up-to-date for the most current security and privacy protections.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Signal, the highly recommended messaging app that provides end-to-end encryption announced last week a new privacy feature called “Sealed Sender” that is now available in the public beta release of Signal. The ‘sealed sender’ functionality will now hide details on who is messaging whom on the Signal service. Signal, by design, does not store any information about your contacts, conversations, locations, and group information. However, one small piece of metadata within the Signal service was not able to be hidden which is, who is messaging whom. Sealed sender can be described like a traditional piece of physical mail where the outside of the envelope has the address of both the sender and recipient. You can’t initially see what’s inside the envelope but you can see who it’s from and who the envelope is being sent to. What Sealed Sender does is remove the information on who sent the message but still includes the destination in which the message can be delivered. It’s a pretty complicated technical process to hide who is sending messages within Signal but it’s all done through cryptographically secure sender certificates, delivery tokens and additional layers of encryption. Signal notes in their blog post announcing sealed sender that “as clients upgrade, messages will automatically be delivered using sealed sender whenever possible”. But in the meantime, interested Signal users can participate in the latest public beta to try out this new privacy feature. Find out more information about Signal’s beta program in our show notes. And in case you didn’t know, Signal is a great app that we highly recommend for secure and private end-to-end encrypted messaging and phone calls.
The Girl Scouts of America, who are responsible for those selling those delicious cookies each year, were the recent victim of a data breach which compromised the personal information of around 2,800 girls and their families. Personal information compromised included names, birth dates, home addresses, insurance policy numbers, driver’s license numbers, and health history. The data breach apparently happened when an email account, used by the Orange County California branch of the Girl Scouts, used make travel arrangements, was illegally accessed by an unknown third-party. The email account that was compromised was only accessed from September 30th to October 1st and all parties who had their data compromised have been notified. The Girl Scouts say that they have changed the password for the compromised account and have said that they will be implementing a secure online system for travel forms containing personal information to replace the email system previously used.
Ironically, last year the Girl Scouts created a “cybersecurity” badge that girls can earn which teaches them how to be safe online, how to protect their personal and financial information, and how to avoid hoaxes or scams. Now that the Girl Scouts themselves are educated, perhaps Girl Scout administrators and staff can earn this badge themselves so that they can avoid another data breach in the future.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.