This is your Shared Security Weekly Blaze for February 11th 2019 with your host, Tom Eston. In this week’s episode: DNA testing and the FBI, the $198 million dollar cryptocurrency password, and a new Chrome extension to protect your accounts from data breaches.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Before we get in to the news this week I wanted to update you all on the Apple FaceTime bug that we talked about in last week’s episode. Well Apple has finally released a patch! Make sure you update your Apple iOS device to 12.1.4 and any Apple system running macOS to version 10.14.3 of Mojave. Check our show notes for a link to all the details and instructions on updating.
Now is a story about how one of the largest DNA testing companies, Family Tree DNA, is working with the FBI to allow them to search their massive genealogy database to solve crimes that have been nearly impossible to solve in the past. You may remember that this topic may sound very familiar as last year there was a story about how the “Golden State Killer” (Joseph DeAngelo) was convicted due to DNA information that was from an open source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in the database which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. However, in this most recent story this is the first time that a private company has agreed to voluntarily allow database access to law enforcement. According to the article this new relationship with Family Tree allows the FBI to upload DNA samples and then have them matched to around a million DNA records contained in their database. It’s important to note that anyone can upload their own DNA profile to its service, not just paying customers.
I think we’re starting to see a very dangerous precedent in regards to the privacy of our DNA and who can access these records without user consent. While all of us would agree that finding murderers and solving unsolved crimes is really important, at what cost are we willing to have our most sensitive information, like our DNA, involved in searches or matching of other people’s profiles? Now that DNA testing kits are given as gifts and as it seems like everyone is doing it, what are the privacy ramifications in the future? One important thing to note, if you’ve used one of these DNA testing services in the past, you can delete your DNA records (or also known as your ‘kit’) either by contacting the company’s customer service or through your profile settings within the DNA service web application. This process will vary between DNA companies but be sure to read the terms of service and privacy policies of the DNA company that you have used to see how they handle and potentially share your DNA records with other third-parties. What do you think? If you’ve used one of these DNA services in the past are you concerned about this recent news? Let us know by commenting on our website or social media so we can continue this very important conversation.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Canadian bitcoin exchange, QuadrigaCX, owes its customers about $198 million dollars’ worth of cryptocurrency due to the sudden death of the company’s CEO, Gerry Cotton. The reason you may ask? Well the only person with the password to the offline storage wallet that stored the private encryption keys to unlock the cryptocurrency was the CEO. No other members of the company, nor the CEO’s wife had the password to the offline storage wallet. In a report from the Hacker News some have even questioned that the CEO may have faked his death or that this was what is known as a ‘exit scam’ where the CEO and his wife wanted to quickly get out of the cryptocurrency business and never to be seen again. While these two claims may be unfounded, this is a problem that is fairly common in the cryptocurrency market where the exchanges actually store the cryptocurrency and don’t just facilitate the transactions like traditional stock exchanges.
The lesson from this story is for all of us is to consider who have you designated as a backup for your passwords and other private information if you were to suddenly die? It’s an uncomfortable reality to think about but how would your immediate family handle your accounts, money and other important things if you were no longer here? This is definitely concerning if you are (hopefully) using a password vault or manager as we always advocate. Our advice is to come up with a plan with your immediate family or someone you trust to determine how they would access any passwords or other things that would be needed if you were no longer around. One suggestion might be to store your password vault passphrase in a safety deposit box or other password vault which your trusted designee may have access to. It’s a lot to consider and one that may require some real thinking about as every individual situation may be different but it’s very important that we all have a plan in place.
Data leaks and breaches are inevitable and that means that usernames and passwords we choose always seem vulnerable to compromise no matter how many precautions we take to protect this information. Often times, it’s the data of past data breaches that comes back to haunt us. Well to help combat this problem Google has released a new extension for the Chrome web browser called “Password Checkup”. The extension triggers a warning if the user name and password combination that you use, when signing into a site, is one of over 4 billion credentials that Google knows to have been compromised. The extension was developed jointly by cryptography experts from Stanford University to ensure that Google never sees any of your credentials being entered or retrieved, and that the extension itself cannot be compromised by attackers. In addition, all statistics being reported by the extension back to Google are anonymous. Google released a blog post showing how the extension works as well as the technical details behind the design. One thing I like about this extension is that it will only alert you if the same user name and password combination happened to be part of a past data breach. It won’t alert you on outdated passwords or weak passwords like “12345”. Check out our show notes for a link to download this great extension if you happen to use the Chrome web browser. The more awareness we can spread about the use of compromised credentials is a win for everyone.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.