This is your Shared Security Weekly Blaze for February 25th, 2019, with your host, Tom Eston. In this week’s episode: Google Nest’s secret microphone, a new Facebook login phishing campaign, and vulnerabilities in popular password managers.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Do you own, or are you thinking about owning, a Nest Secure security system? If so, did you know that Google secretly installed a microphone into the system as a previously undocumented opt-in feature? Well, just last week Google announced that an update for its Nest Secure system would allow users to enable the Google Assistant (that’s Google’s voice-activated product) so that users could use voice commands to enable and disable the alarm system. In a report from Business Insider last week, a Google spokesperson said that the company had made an error and that “the on-device microphone was never intended to be a secret and should have been listed in the tech specs”. Google said that the microphone was originally included in the system for the future possibility of new features, like the ability to detect broken glass. Google also stated that the microphone was always disabled. This news comes at a very challenging time for the tech giant, as many consumers are increasingly worried about their privacy and about companies like Google, which have continued to demonstrate a lack of commitment to protecting our private information.
In fact, a privacy group called EPIC, which stands for the Electronic Privacy Information Center, is asking the Federal Trade Commission here in the United States to divest Nest from the rest of its parent company, Google, and to disclose any data that these undocumented microphones may have been collecting. EPIC has in the past called for similar action against Google, dating back to 2010, when Google was found to have been collecting Wi-Fi data from its Street View project, which included Wi-Fi network names, MAC addresses, URLs, emails, and even passwords from unsecured Wi-Fi networks. So what do you think? Are you concerned about a microphone in your home security system? Or is the bigger issue that companies like Google are not being honest with consumers about the privacy-impacting technology being used in their products?
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Last week password management company Myki posted about a new Facebook login phishing campaign making the rounds that looks so realistic that even cybersecurity professionals would have a hard time recognizing it. The attack takes advantage of the popular “social login” feature that is used by most web and mobile applications these days. Social logins give you the option of logging in with your Facebook account instead of creating a new set of user credentials. This is often more convenient than always creating a new user name and password combination. However, in the case of this new attack, convenience may come at a price. The way this particular attack works is that the attacker creates a very realistic-looking social login pop-up where everything, from the status and navigation bar to the graphics and more, looks just like the real social login page. The user can even interact with the login box, just like the real one, by moving it around the screen and closing it. Once you fill out the form with your Facebook login credentials, they are then sent to the attacker. Check out the link in our show notes for a video demonstration of what the attack looks like, but the only advice given to protect yourself is to try to drag the prompt away from the box that it is currently displayed in. If dragging the popup beyond the edge of the browser fails, you have yourself a malicious pop-up box. Now, unfortunately, this method is not something I’ve seen that many users, or even cybersecurity professionals, would know about. One thing I thought of was that the Facebook social login process will automatically log you in if you happen to also be logged into your Facebook account. If you ever do get prompted to log in to Facebook through one of these social prompts, I would first check to see if you’re logged into Facebook. Other than that, stay vigilant, as it may be a good idea to try to stay away from using social logins altogether.
A recent audit of the popular password managers LastPass, KeePass, Dashlane, and 1Password for Windows shows that they all leave traces of sensitive data within memory, which could potentially be compromised if an attacker has physical access to the victim’s computer or if malware was able to extract the contents of memory. Security consulting firm Independent Security Evaluators, which performed the audit, says that it found vulnerabilities in the way these applications store secrets like user names, passwords, and even the master password in memory while the application is in use or while it’s placed into a locked state. The good news? All of the password managers tested protect the master password and all passwords stored in their encrypted database while the apps are not running. However, while they are running or locked, each password manager tested varied greatly in how secrets are stored and managed within memory. Some, like the free and open-source KeePass application, had the fewest vulnerabilities, and KeePass was the only password manager that completely scrubs the master password from memory while the app is running or in a locked state. 1Password version 7 was noted as the most vulnerable in how it stores all secrets within memory, including the master password.
Now, this research is by no means telling you to stop using password managers altogether or to dump the password managers noted in this audit. In fact, the opposite is true. Using any password manager is better than not using one at all. Having a password manager will always be a better strategy than using the same password for every site and service that you use.
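The audit finding above comes down to one habit: copying the master password into a working buffer and never wiping it. The C below is an added example written for this page; it is not code from the podcast, from Independent Security Evaluators, or from any of the password managers named. It uses a fixed static arena as a stand-in for the process heap so that a "memory scan" is deterministic, a constructed sample master password, and a toy key derivation that only marks where a real KDF such as Argon2 or PBKDF2 would run. The leaky unlock leaves the plaintext behind exactly where a scan of a memory dump would find it; the scrubbed unlock zeroes the copy with a volatile write loop that the optimizer cannot drop the way it can drop a dead `memset()`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A fixed arena stands in for the process heap so the scan below is
 * deterministic. A real audit scans a dump of the live process instead.
 * (Constructed example; not ISE's tooling.) */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

/* Hypothetical master password, used only as sample input. */
static const char SAMPLE_MASTER[] = "correct horse battery staple";

/* Zero a buffer in a way the optimizer cannot elide. A plain memset() on a
 * buffer that is never read again is a dead store and may be removed; the
 * volatile-qualified pointer forces every byte write to happen. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Toy key derivation: seed the key and XOR-fold the password into it. This
 * only marks where a real KDF (Argon2, PBKDF2) would go; never use it as one. */
static void derive_key(const char *pw, size_t pwlen, unsigned char key[32]) {
    memset(key, 0x5C, 32);
    for (size_t i = 0; i < pwlen; i++) key[i % 32] ^= (unsigned char)pw[i];
}

/* "Before": copy the master password into a work buffer in the arena, derive
 * the key, and return without cleanup. The plaintext stays in memory, which
 * is the pattern the audit flagged. */
void unlock_leaky(const char *pw, unsigned char key[32]) {
    char *work = (char *)arena + 128;   /* arbitrary offset in the arena */
    size_t len = strlen(pw);
    memcpy(work, pw, len + 1);
    derive_key(work, len, key);
    /* no scrub: plaintext remains at arena + 128 */
}

/* "After": identical flow, but the copy is scrubbed as soon as the key has
 * been derived. The caller owns the derived key and must scrub it on lock. */
void unlock_scrubbed(const char *pw, unsigned char key[32]) {
    char *work = (char *)arena + 128;
    size_t len = strlen(pw);
    memcpy(work, pw, len + 1);
    derive_key(work, len, key);
    secure_zero(work, len + 1);
}

/* Scan the arena for a byte pattern; return its offset, or -1 if absent.
 * This is the same idea as grepping a memory dump for the known password. */
long scan_arena(const void *needle, size_t n) {
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return (long)i;
    return -1;
}

/* Clear the arena so one run cannot contaminate the next. */
void reset_arena(void) { secure_zero(arena, ARENA_SIZE); }

/* Run one unlock on a clean arena, drop the derived key as a vault lock
 * would, and report where (if anywhere) the master password still sits. */
long demo(int scrub) {
    unsigned char key[32];
    reset_arena();
    if (scrub) unlock_scrubbed(SAMPLE_MASTER, key);
    else       unlock_leaky(SAMPLE_MASTER, key);
    secure_zero(key, sizeof key);
    return scan_arena(SAMPLE_MASTER, strlen(SAMPLE_MASTER));
}

int main(void) {
    printf("leaky unlock:    password at arena offset %ld\n", demo(0));
    printf("scrubbed unlock: password at arena offset %ld\n", demo(1));
    return 0;
}
```

Compile with optimization on (for example `cc -O2`) to see that the scrub survives; the volatile loop is what keeps it from being folded away. The scan only covers the arena, which is the point: a real process also has stack frames, registers spilled to memory, and copies made by UI toolkits, and those are where the audit found secrets that the applications themselves thought they had released.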
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app, such as Apple Podcasts, or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.