This is your Shared Security Weekly Blaze for November 26th 2018 with your host, Tom Eston. In this week’s episode: vehicle infotainment privacy, Instagram’s accidental password exposure, and the Firefox Monitor data breach notification service.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
A new Bluetooth vulnerability and exploit that affects millions of vehicles worldwide, called CarsBlues, was announced by Privacy4Cars founder Andrea Amico. The exploit, which has been disclosed to auto manufacturers through the Automotive Information Sharing and Analysis Center (or Auto-ISAC, as it’s also known), can be performed in a few minutes using inexpensive and readily available hardware and software, and apparently does not require significant technical knowledge either. Information that could be accessed through the vulnerability includes stored contacts, call and text logs, and text messages. While exact details on the vulnerability have not been released, Privacy4Cars has said that the people most at risk would be those who may have synced their phones to cars that are no longer under their control, like rental cars or leased vehicles. Privacy4Cars, which offers a free mobile app that shows you how to delete the private data you may have synced to a car, notes that “industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems”.
This recent news is a great reminder that we all need to be cautious when syncing our phones and devices to our cars, especially when we’re syncing our phones to rental cars or when we’re dropping our cars off for repair. I’ve noticed that when I simply plug my phone into the built-in USB charger in a rental car, the infotainment system will oftentimes automatically sync my contacts and text messages. If you’re not familiar with how to delete your synced information, or if you need to find out how to reset the car’s infotainment system, check out the Privacy4Cars app, which we have linked in the show notes for this episode.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Microsegmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Instagram said last week that it has fixed a vulnerability in its new “download your data” feature that may have inadvertently exposed users’ passwords. The download your data feature is a recently added privacy enhancement that allows you to download all the photos, comments, posts and other information you may have shared with Instagram. The issue was caused by a feature for added security where Instagram asks you for your password before downloading your data. A vulnerability in this security feature allowed the plaintext password to be included in the URL as well as stored on Facebook’s servers. Both of these issues were identified by internal Instagram staff. As you should all be aware, Instagram is part of Facebook and uses Facebook’s servers and infrastructure. The good news is that the issue has been corrected and the password data has been deleted. If you happen to have been affected, Instagram will notify you to update your password as well as clear your browser cache.
It’s worth noting that Instagram added the “download your data” feature to comply with the new European data privacy regulation we all know and love as GDPR. Back in October, Facebook fixed a more serious vulnerability in the “View As” feature which allowed unknown attackers to steal the access tokens of approximately 30 million Facebook users. Any new feature, especially one intended to improve privacy or security, should be carefully reviewed for security vulnerabilities just like all other code within an application. Let’s hope that Facebook’s developers and security teams are taking the approach of ensuring future features are vulnerability free before putting them out to the public.
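The failure mode described above, a password that travels in the URL and therefore ends up in server logs, is something a defender can check for. The following Python is an added example written for this transcript, not code from Instagram or Facebook: it scans constructed access-log lines for sensitive query parameters and redacts such parameters before a URL is logged. The log lines, the `SENSITIVE_PARAMS` list and the paths are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: parameter names that must never appear in a request URL; extend per application.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "access_token"}

# Constructed sample lines in combined log format (not real Instagram logs).
# Line 1 shows the bug: a password-confirmation form submitted with GET, so the
# plaintext password lands in the URL and in the log. Line 3 shows the fix: the
# same confirmation sent as a POST, where the password travels in the body.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2018:10:01:22 +0000] "GET /download/confirm?password=hunter2&format=zip HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2018:10:01:23 +0000] "GET /download/status?job=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2018:10:02:01 +0000] "POST /download/confirm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Matches the quoted request line: method, target (path plus query), protocol.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params_in_url(url):
    """Return the sorted names of sensitive query parameters present in a URL."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the values of sensitive query parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_leaks(log_text):
    """Scan access-log text; return (line_no, method, path, leaked_params) per hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        leaked = sensitive_params_in_url(m["target"])
        if leaked:
            hits.append((n, m["method"], urlsplit(m["target"]).path, leaked))
    return hits


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print("credential in logged URL:", hit)
```

Run against a real access log, a non-empty result from `find_leaks` means credentials already reached disk and a log purge plus password resets are needed; `redact_url` belongs in the logging path so it cannot happen again.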
Did you know that Mozilla, the maker of the Firefox web browser, has offered a free breach notification service called “Firefox Monitor” since September of this year? Mozilla is apparently partnering with Troy Hunt’s “Have I Been Pwned” database of compromised accounts from past data breaches. You can visit monitor.firefox.com to see if your email address was part of a past data breach. You can also sign up for a more detailed report and to be alerted when new breaches happen that contain your email address.
Just this past week, Mozilla announced that it will now deliver breach alerts from within the Firefox web browser while you surf the web. This will work starting with version 62 and later of Firefox. Here’s how it works: when you visit a website that previously had a data breach, you will be notified through an icon that appears in the address bar. The alert will then give you the breach history of the website as well as a link back to Firefox Monitor to see if your information was part of the data breach. You can, of course, turn off these alerts within the Firefox preferences if you don’t want to be notified.
I think this is a great step forward for data breach notification, as oftentimes we may never know that a particular website we frequent has had our information compromised in a past data breach. I also think that this move by Mozilla may make customers think twice before signing up or purchasing products from a website that may not have had the best track record for security. As we always recommend, if your data was compromised in a data breach you should always change the password that you used for that site and enable whatever form of two-factor authentication the website hopefully offers. As mentioned on last week’s show, always choose app-based two-factor authentication over SMS or text message based solutions if available.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.