This is your Shared Security Weekly Blaze for March 11th 2019 with your host, Tom Eston. In this week’s episode: a new Google Chrome Zero-Day, how Facebook uses your phone number, and the shutdown of the NSA’s phone data collection program.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Google announced last week that a patch released on March 1st for the Google Chrome web browser was actually to fix a zero-day vulnerability that has been under active attack. The vulnerability, which is known as a use-after-free bug, is a type of memory error which can allow malicious code to escape Chrome’s built-in security sandbox and allow commands to be run on the local operating system. This particular vulnerability was found in what’s known as the “FileReader API”, which allows web applications to read the contents of files on a user’s computer. Google updated their original post about the patch to indicate that “Access to bug details and links may be kept restricted until a majority of users are updated with a fix”. This is, of course, done to prevent malicious actors from accessing details on how the vulnerability works so that it cannot be replicated. As always, ensure you keep your web browser of choice updated. In fact, all modern browsers have a nifty auto-update feature. The Chrome browser will show you a “green, orange, red” three-dot indicator at the top right of your browser. If it’s green, an update has been available for 2 days; if it’s orange, 4 days; and if it’s red, 7 days. Click on the three dots and simply click “Update Google Chrome”. If you don’t see this button or any color indicators, you’re on the most current version. Our advice is to take a minute now to ensure you’re using the latest version of Chrome.
First up in Facebook news last week was the controversy over how Facebook uses your phone number. The Electronic Frontier Foundation said that phone numbers in Facebook, which happen to be used for two-factor authentication, have the privacy setting set to searchable by “Everyone” as the default. In fact, Facebook only gives you the choice of “Everyone”, “Friends of Friends” and “Friends”, which means there is no option to opt out. Facebook is essentially forcing us into a trade-off between the security of two-factor authentication and the privacy of our phone number. Keep in mind, back in April of last year, Facebook did remove the ability to search for a user by entering a phone number or email address in the Facebook search bar, but it did not disable the ability for someone to find you when they upload a list of their contacts which happens to have your phone number in it.
In other Facebook news, a report from the Guardian shows that Facebook targeted politicians around the world, promising various forms of investments and incentives so that they would lobby on Facebook’s behalf against data privacy legislation. This was all made public via a brand new leak of internal Facebook documents. And if that wasn’t enough Facebook news, Facebook CEO Mark Zuckerberg released a manifesto of sorts which details his vision for building a privacy-focused messaging and social networking platform. Check out our show notes if you’re interested in reading Mark’s full post, but basically he wants to change Facebook so that it can offer more private interactions, end-to-end encryption, reduced permanence, safety, interoperability, and secure data storage. So what do you think? With all the controversy and scandal going on with Facebook, do you think Mark’s intentions for a more secure and private Facebook are true? Or do you feel that ultimately we are the product, and at the end of the day, making money off of our private data is what Facebook is really about? Let us know your thoughts by sending us an email at firstname.lastname@example.org or through any of our social media channels and let’s continue the conversation.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
The NSA has silently discontinued its very controversial program, put in place after the 9/11 terrorist attacks, which collected and analyzed millions of domestic phone calls and text messages. You may remember that this was the program exposed by whistleblower Edward Snowden. Under the US Patriot Act of 2001, this program collected metadata of communications which included the phone numbers on the call, when the calls took place and how long they lasted. Apparently, the system hasn’t been used in months and the Trump administration may not renew or extend this program. The New York Times says sources indicate that there have been problems with the way the data has been collected, which may be the reason for the shutdown of the program.
In other NSA news, at the RSA security conference last week the NSA released a free software reverse engineering tool called “Ghidra” which is used internally by NSA employees. In fact, they even plan on releasing the source code for the tool on GitHub. In the meantime, that didn’t stop some researchers who downloaded the tool from discovering that a network port was opened when running the application, which would allow remote code execution. While the NSA states that they would never release a tool to the security community with a backdoor installed, it left many to speculate what the purpose of the port was. Upon being told about this open port, the NSA said that it is used for internal teams to collaborate and share information with each other. However, the port specified by the NSA was not the same one discovered by the researcher.
Now besides what port should be or shouldn’t be open, I find it fascinating that the NSA is trying to be more transparent about what they are working on, tools they develop and wanting more collaboration with the cybersecurity community. More transparency from the NSA is a good thing. So let’s hope for more of it in the future.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts, or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.