This is your Shared Security Weekly Blaze for June 24th 2019 with your host, Tom Eston. In this week’s episode: Facebook announces a new cryptocurrency called Libra, two new zero-day vulnerabilities affecting Firefox, and should you be scanning your smart TV for malware?
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Facebook was in the news this past week with the announcement of its own cryptocurrency called “Libra”. This new cryptocurrency will be available starting in the first half of 2020 and is being promoted as a way to buy things and send money with nearly zero fees. Users of Libra will be able to buy or cash out the cryptocurrency at exchange points, like at your grocery store, and use it by utilizing a wallet application like Facebook’s new Calibra cryptocurrency wallet which will be available in WhatsApp, Messenger and in a standalone app. What’s also interesting is that Facebook won’t totally control Libra but will get a share in governance and oversight with other large companies like Visa and Uber. You see, these companies all gave at least $10 million to finance the new Libra Association which is responsible for promoting the Libra blockchain and working with developers that want to build functionality to support Libra payments. This association will also act as a financial reserve to prevent situations like the wild fluctuation we see in the current value of bitcoin. Calibra, which handles the wallet application, will also take care of user privacy and is said to never use or access your Facebook data with Libra payments and that your identity will never be tied to payments or transactions. As you know, privacy is not the first thing that comes to mind when we think of Facebook. And Facebook does make money by selling ads so this seems (from what we know so far) to be quite the departure for Facebook. So how will Facebook make money off this new form of cryptocurrency? Well from what we know so far, Facebook is seeing this as more of an investment in how businesses will want to sell more ads because more people will be using Calibra to buy and sell things using Facebook.
I’m wondering if people will really start to use Libra to pay for things, becoming something like a new “PayPal”. As we’ve discussed on the show before, there are lots of security issues around cryptocurrency and the blockchain. Crypto exchanges are always being hacked and the applications that are being developed, such as ones that power smart contracts and other apps that use the blockchain, have very unique vulnerabilities which are challenging to remediate. So with the money and influence of Facebook, do you think this is what will make cryptocurrency a mainstream and popular form of payment? If, of course, it makes it past world financial regulators. Or is it just another way for Facebook to eventually make more money by selling even more ads?
Using Firefox as your preferred web browser? Well Firefox released two critical updates last week to fix a “zero-day” security vulnerability that has been used in targeted attacks against (guess what) cryptocurrency exchanges like Coinbase. The exploit apparently chained together another similar vulnerability which was used in a phishing attack to drop and execute malicious payloads on machines of victims. This vulnerability, called a sandbox escape, was originally reported by Coinbase’s security team and would allow attackers to escape from the browser’s protective sandbox. But then later in the week it was discovered that chaining this vulnerability to the previous one would allow remote code execution. Even if you don’t happen to use Coinbase, attackers may leverage this vulnerability with other sites so you should update Firefox to version 67.0.4 as soon as possible. As a reminder to update Firefox, go to the Firefox menu, go to Help, then About Firefox. Firefox will then check for an update and install it.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
If you happen to own a newer Samsung Smart QLED TV did you know that you should be scanning your TV for malware? Well last week Twitter blew up when Samsung made a Tweet saying “Scanning your computer for malware viruses is important to keep it running smoothly. This is also true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how”. Now if many of you are asking yourself “how do I actually scan my TV?” well Samsung has a security solution built into their QLED TVs which will attempt to detect and block malicious applications and files attempting to access the device. The TV also includes a scanning tool which will find and locate whatever Samsung calls malware that might already be installed on the TV. Why scans are not set to automatically run, similar to how anti-virus works on a PC, is beyond me. But, if you’re bored and want to see if your TV might be infected you do have a manual way of doing this.
So what’s the risk of your TV being infected with malware? Right now, I’d say that the risk is pretty low. However, back in 2017 during one of the WikiLeaks dumps, malware called “Weeping Angel” (which was developed by the CIA and MI5) was found that could infect Samsung F800 TVs. As expected, this malware was capable of recording audio through the TV’s microphone, collecting browser history and much more. The odds that a nation state may target your TV, which really depends on your personal threat model, are probably not something most of us have to worry about. But the fact is that scanning smart devices like our TV for malware seems to be a reality of the “insecure” Internet of Things world in which we live.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.