This is your Shared Security Weekly Blaze for May 27th 2019 with your host, Tom Eston. In this week’s episode: Investment firm Moody’s downgrades Equifax, Huawei’s US technology ban, and how Google is tracking all your purchases.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Equifax was back in the news late last week with the announcement that Moody’s has cut its rating outlook for Equifax, from stable to negative, because of their massive data breach of 146 million users which took place in 2017. This is the first time that a company has had its investment rating downgraded because of a data breach. Moody’s noted that the downgrade was due to the large expense that Equifax has had to pay such as $786.8 million in general costs, $82.8 million in data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges.
If you’re not familiar with the details about the Equifax breach we’ll have a link in our show notes to one of our previous episodes on the topic, but for a short recap, Equifax was breached due to a well-known vulnerability in Apache Struts that remained unpatched on an Equifax server. The breach could have been preventable since the patch for the vulnerability was released two months prior to the breach.
Unless you work for Equifax, this is actually really good news and honestly I’m not feeling that sorry for Equifax. I’ve always said that until companies are held financially accountable for poor security, we will continue to see more breaches and unfortunately, more massive ones like Equifax.
A few weeks ago the Trump administration banned US companies from doing business with the Chinese telecom giant, Huawei. This ban resulted in Google and many other tech firms halting business with them. While there has been no evidence produced or further details provided by the US government regarding the Huawei ban, Huawei in the past has been accused of intellectual property violations and theft of trade secrets not that long ago, not to mention some potential ties to the Chinese communist party.
Now last week chip designer ARM has officially suspended all business with Huawei. This is a huge blow and will prevent Huawei from creating their own chips. What’s interesting is that ARM is based in the UK and owned by a Japanese company. However, ARM develops some processors in the US which they feel would put them in hot water with the US government if ARM was to continue selling to Huawei.
Look, from a cybersecurity perspective, my take is this has something to do with the potential and perhaps past evidence of Chinese spying on the US. The biggest issue is that Huawei is one of the main suppliers for the technology that cell towers use to communicate with our devices. Now with the talk of 5G networks and upgrades to support this new technology there may be the threat of Chinese surveillance or backdoors in the backbone of mobile communication in the US. Is there evidence to support this? Who knows at this point. The US government isn’t saying, but one thing is for sure, this won’t be the end of this story and neither will the impact of Huawei’s technology in the US.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
It should be no surprise that if you have a Google Gmail account you already know that while you’re signed into a Google account and browse the web, your search history is harvested for Google to serve you ads in your Gmail account. By the way, it’s a common misconception that Google scans your email to serve you ads through your Gmail account. Something that may be surprising though was the revelation from a CNBC report which revealed that Google has created a page called “Purchases” which shows you a list of all the purchases that you’ve made. This list is pulled from your emails which show receipts from previous purchases that were emailed to your Gmail account. This list of purchases goes way back, all the way to the day you created your Gmail account, and for some of us that could be decades worth of purchase data.
Now this page is only accessible to you, but what I find interesting is that it’s really difficult to delete this data if you happen to be creeped out about Google collecting all of your past purchase history. The only way you can delete your purchase data is to actually delete the email that contains the purchase receipt. From the “Purchases” page you can individually delete a receipt, but that takes you back to your Gmail to delete the actual message. There appears to be no mass delete option or ability to prevent Google from collecting your purchase history. In fact, Google told CNBC that there was a way to turn off this ability in the search preferences, but the reporter found out that changing these settings didn’t work.
In other Google news, Google announced that they discovered that passwords for some G Suite business users were being stored in plain text. The data was apparently being stored on internal Google servers and the issue was quickly corrected. Affected G Suite business users have been notified by Google to change their passwords. This is very reminiscent of a similar situation back in March where Facebook discovered hundreds of millions of user passwords were also stored in plain text and were accessible by over 20,000 Facebook employees.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.