This is your Shared Security Weekly Blaze for January 14th 2019 with your host, Tom Eston. In this week’s episode: The US government shutdown and cybersecurity, privacy takes center stage at CES 2019, and a mobile location data controversy.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
As of this podcast recording it’s been over 19 days since the US government shutdown due to Congress not able to agree on a bill for border security. This has meant that about a quarter of all federal departments (which is about 800,000 federal workers) are furloughed and the government is unable to pay people working for these departments. While we patiently wait for Congress to figure out how to end the shutdown, there is now cause for concern that because of this shutdown, US national security and cybersecurity may be affected, now and even into the future.
Even in a government shutdown, cybersecurity threats to the nation are not going to stop and in fact, attackers love it when a company or government is in chaos which means attacks will increase. Key departments like the new, two month old, Cybersecurity and Infrastructure Security Agency (part of the Department of Homeland Security) has had about 45% of its staff furloughed. In addition, the DHS Office of Intelligence and Analysis, and the Office of Operations Coordination (which both provide security intelligence to the private sector and intelligence community is also on furlough. It’s also important to note other critical cybersecurity services like NIST (which stands for The National Institute of Standards and Technology) has 85% of its staff furloughed. NIST regulates federal agencies and provides security standards for the private sector which includes many new and updated risk management frameworks and guidelines on security controls. Besides cybersecurity, 90% of airport security TSA agents (who are actually quite underpaid) are working without pay and that has caused many agents to call off sick or quit their jobs. And that means longer lines for you at the airport.
Let’s hope that Congress and the President can up to some type of compromise soon, or we may see more longer lasting impacts to US national cybersecurity.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Privacy took center stage at the Consumer Electronics Show in Las Vegas last week when Apple placed a giant ad on a 13-story building, which happens to overlook the CES convention center with the message “What happens on your iPhone, stays on your iPhone.” This ad included a friendly link to apple.com/privacy, which talks about how your data is protected by using Apple products. This is obviously a direct stab at competitors like Amazon, Google, and Facebook which have been continuously in the news about privacy issues and breaches of user data. Many of these stories we cover on this podcast every week.
But CES is also about new products and there have been a lot of privacy and security gadgets being shown off at this year’s show. All these new gadgets are connected to the Internet and almost all new products have some relation to privacy and security of user data. Smart speakers and their accessories in particular were a highlight of this year’s show. For example, a device called Mute+ from a startup called Smarte, creates a layer of protection to stop smart speakers from picking up sensitive conversations. And another product called Snips allows you to build voice activated products that run locally on the device and not in the cloud like Google and Amazon’s voice assistants. Because data is stored on the device, there is less of a data harvesting or privacy concern. According to research firm eMarketer, it’s now estimated that 74 million Americans will use smart speakers in 2019, an increase of over 15% from last year. It should be no surprise that Google Home and Amazon Echo devices control the majority of this market.
I’ve also been reading stories and talking with people about how more consumers are concerned that these smart speakers are always listening and recording every conversation like a very invasive spy device. Well, yes, these devices are always listening for key words to activate them (I could say one right now to activate your Amazon Echo…I’ll be nice) but both Google and Amazon are only recording and saving what you’re saying to the device. This data is then send to their cloud services for processing and you hopefully get the information you were looking for. While you can go into the apps for these devices to see your previous recordings, and of course delete them, the bigger issue I think is what happens when these devices malfunction? I mean, how many times have you seen your Amazon Echo device just light up for no reason or just starts saying something when you didn’t even ask it anything? I find these devices are very prone to error and the technology still has a lot of growing pains. These ‘malfunctions’ prove many of the privacy concerns consumers rightfully have. So any improvements or new products that help increase the privacy of using devices like these will be more than welcome this year.
In surprising but not so surprising news, an investigation by Motherboard last week showed how a reporter, who gave a bounty hunter $300, was able to get the real-time location of a mobile phone through data that was sold by the major telecommunications companies to private third-parties. In what I would call a fairly complex ecosystem, T-Mobile, AT&T, Verizon, and others routinely sell your real-time location data to what are called data aggregators which then sell that data to other companies which then sell the data to people like landlords, car salesmen, people conducting credit checks and of course shady data dealers like bounty hunters. In the Motherboard story data aggregator firm Zumigo had sold data to a credit reporting company called MicroBilt which sold the real-time location of the mobile phone for only $12.95. Of course, as you might expect, the major telecoms like T-Mobile all stated that “protecting our customers’ privacy and security is a top priority, and we are transparent about that in our Privacy Policy…”. T-Mobile and others have since removed data access for this one particular data aggregator but it begs the question, how many more of these relationships do the major telecoms have?
If this story seems strangely familiar, well, it is. Back in May of last year on the show I discussed another very similar situation where a company called Securus was providing real-time mobile phone location data to law enforcement without a warrant. This was in addition to news of another situation where a data aggregator called LocationSmart had a vulnerability in its website which allowed anyone to query the exact location of any phone through any major US carrier. It seems that we will see more of these situations this year which begs the question, why is there no accountability and what will the US government do about it.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
