This is your Shared Security Weekly Blaze for June 17th 2019 with your host, Tom Eston. In this week’s episode: the US Customs and Border Protection data breach, the new sign in with Apple button, and more leaked Facebook emails.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Apple made a few big privacy announcements at its Worldwide Developers Conference the other week including: updates to how Apple’s HomeKit securely transmits and stores video from home security systems, new permission settings in iOS 13 to further limit location sharing, health data that is used by Apple Watch is now being encrypted and stored on your watch or within iCloud, and that you can now lock your Mac remotely through Apple’s activation lock feature if your Mac happens to be lost or stolen. But the biggest privacy announcement was “Sign in with Apple” which is a new feature that looks to roll out later in the year with iOS 13. Sign in with Apple is a button that is very similar to Facebook or Google’s “one-click” sign-on buttons you might see on many apps and websites. These buttons leverage your Facebook or Google accounts to sign you in without creating a separate login ID. The problem with this is that sometimes your personal information, which Facebook and Google collect about you, gets shared with these sites and can be used to track you. Apple’s one-click sign-on solution authenticates using Face ID without sending any personal information to a third-party company. On top of that, Apple’s solution will auto-generate a random “relay” email address that will hide your real email address. I like this a lot, as email addresses are commonly used as user names and are one of the ways you happen to be linked back to a data breach. In addition, Apple says you’ll be able to disable these randomly generated email addresses if you don’t want to use an app anymore.
Now the biggest challenge for Apple will be whether developers start using this new feature when developing their applications. Many have already been using Facebook and Google for one-click sign-on buttons, so Apple may have to find ways to convince developers that there is a more secure and private approach to help protect their users’ personal information.
Remember just recently on episode 88 of our monthly show I talked about how US Customs and Border Protection (or CBP) was now using facial recognition at several US airports in order to board flights? Well, it seems that a CBP database, storing images of travelers and license plates, was hacked and compromised. Apparently it was a subcontractor who had the data that had gotten compromised. It’s not known who the subcontractor is nor did CBP provide any other details except that the agency became aware that on May 31st the subcontractor had transferred the photos to its network. CBP also stated that this was a violation of their policies and that several members of Congress have been alerted and that law enforcement is investigating the incident. However, the Washington Post now reports that fewer than 100,000 people were impacted and that initial reports show that the hacked data included photographs of people in vehicles entering and exiting the US over a “single land border crossing” which the CBP did not name. Hmmm, I wonder if that’s Canada or Mexico. What do you think?
This breach comes at a controversial time for the CBP as there have been many privacy concerns regarding the use of facial recognition at US airports and now the collection of social media names from foreigners visiting from other countries or applying for a visa. Now that we know that the data they have been collecting wasn’t properly protected, subcontractor or not, do you think this will halt CBP’s expansion to collect and use more of our private data? As past government responses to previous privacy concerns and data breaches show, probably not.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Facebook is, yet again, in hot water about more leaked emails that show Mark Zuckerberg wasn’t taking the 2012 settlement with the FTC very seriously and that he knew about controversial privacy practices when he should have been focused on user privacy. An anonymous source apparently provided these emails to the Wall Street Journal last week. The emails show that shortly after the FTC’s 2012 consent decree, Zuckerberg had asked employees about building an app tied to a database of Facebook user information and having that data shared with other developers, regardless of the privacy settings of those users. The email chain showed that this was a complex thing to do but was definitely in the realm of possibility. The app appears not to have been developed, but these emails are pretty significant if the FTC is looking for more ammunition in its recent case against Facebook. Facebook is currently looking to settle the FTC’s latest investigation, where it’s been reported that Facebook may have to pay around $5 billion as part of this most recent settlement.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.