This is your Shared Security Weekly Blaze for March 25th 2019 with your host, Tom Eston. In this week’s episode: Facebook passwords exposed in plain text, Android Q’s new privacy features, and why Microsoft Office is the most popular target for cybercriminals.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I want to mention a correction from last week’s show when I talked about the service called CLEAR. CLEAR does not use facial recognition technology; it only uses iris or fingerprint biometric scans. And now, on to this week’s news.
In late-breaking news last week, Facebook announced that hundreds of millions of its users had their account passwords stored in plain text going all the way back to 2012. Apparently, through an internal security review, Facebook had found these passwords exposed on internal servers. Apps affected include Facebook, Instagram and Facebook Lite, which is a version of Facebook made for underpowered phones and low-speed connections.
Famed reporter Brian Krebs from Krebsonsecurity.com said a source at Facebook told him that between 200 and 600 million Facebook users had their passwords stored in plain text and the data was searchable by over 20,000 Facebook employees. The source also said that about 2,000 internal developers made about 9 million queries for information that contained those plain text passwords. Facebook stated that it appears no one outside of Facebook had compromised this data and that (for now) there is no evidence that anyone internally at Facebook accessed or abused anyone’s password.
Now, are you shocked to hear this latest news? If you’re not, how much more can we all take before it’s time to finally delete Facebook from our lives? It seems this is just yet another security and privacy blunder that continues to plague the world’s largest social network on pretty much a weekly basis. Our advice is, if you plan on sticking around Facebook, change your Facebook and Instagram passwords, and if you haven’t already, enable two-factor authentication. In fact, if you have two-factor authentication already enabled on your account, you’re already a step ahead in protecting your Facebook account from potential compromise.
Android users rejoice! Android Q, Google’s new version of Android set to be released this summer, is coming with several new and exciting privacy features. Here’s our take on the top three features. First up is that Android apps can no longer access clipboard data, unless the app is actively being used. This can help prevent malicious apps from gaining access to copied clipboard data like passwords from a password manager. Next, MAC address randomization will be enabled by default. A MAC address is the unique ID that your Wi-Fi and Bluetooth chips installed on your devices use when communicating on a network. This feature was available in Android 6.0 but now will be enabled by default. This feature will also help prevent some data harvesting and tracking used by some third-party app providers. And probably the biggest new privacy feature is having more control over your location data. Android Q will now have a permissions prompt whenever an app wants to use your location data. So now you can give the app access to location data all the time, only when the app is in use, or completely deny the app access to your location data. Check out our show notes for a link to all the new privacy features coming in the upcoming release of Android Q.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
A recent report by threat intelligence firm Recorded Future shows that for the second year in a row, Microsoft was the biggest target for cybercriminals, with 8 of the top 10 vulnerabilities affecting their products. Surprisingly, half of those vulnerabilities were in Microsoft Office, followed by Internet Explorer. Oh, and if you’re still using Internet Explorer, please stop what you’re doing right now and switch to a modern browser like Chrome, Firefox, or even Microsoft Edge. What we’re trying to say is that while web browsers are getting more secure, there are still older browsers, like Internet Explorer, which remain major targets for attackers. Other details worth noting in the report show that the number of new exploit kits, which are typically offered for sale on dark web markets and are used to exploit the top 10 vulnerabilities noted in the report, continued to drop in 2018, by 50 percent, with only five new exploit kits compared to ten the year before. Lastly, the report shows the progression from what are called web exploit kits to more phishing attacks in 2018. While many older browsers are still major targets, it’s much easier to use exploits tied to a phishing email, using social engineering tactics to lure victims into clicking a link or running an executable. Microsoft Office is a very popular target, not just because it is the world’s most popular business software, but because people are more susceptible to opening malicious Word or Excel documents, mostly because it’s so common to send those types of attachments over email. Some may say that the best advice is to never click on links or attachments in an email, but that can be really hard to do, especially if you’re in a business environment. But it really does come down to compromise and your own personal risk assessment.
We still need to use Microsoft Office and open email attachments so the best advice is to rely on your instinct and remember if an email seems phishy, it probably is.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.