This is your Shared Security Weekly Blaze for July 8th 2019 with your host, Tom Eston. In this week’s episode: Amazon confirms that Alexa recordings are kept forever, details about one of the largest Facebook malware campaigns, and my top three tips for staying private on vacation.
Summer is upon us and that means it’s time for some much-needed vacation time with friends and family. Summer also means that you need to be aware of data privacy and how to protect your laptops, smartphones and key fobs while traveling. Airports, concert venues, festivals, beaches, and other public areas can often be targeted by attackers looking to gain access to your devices through their wireless signals. Instead of worrying about disabling or turning off wireless functions on these devices it’s so much easier to place them in a Faraday bag when they’re not being used. And if you want the best protection you can get, you want to be using Silent Pocket’s premium Faraday bag product line that blocks all wireless signals, keeping your devices secure from attackers. This summer, get your devices the protection they require before you head out on your vacation. Use discount code “sharedsecurity” and receive 15% off your order during checkout right now at silentpocket.com.
In this week’s surprising but not so surprising news, Amazon has confirmed that Alexa voice recordings are kept by Amazon forever unless you manually delete each one. Apparently this revelation was noted in a letter from Amazon to US Senator Chris Coons who had asked Amazon about their data handling and privacy practices around Alexa recordings. Amazon stated that they keep transcripts and voice recordings indefinitely, and only remove them if they’re manually deleted by users. The letter went on to say that even if people manually delete their recordings some records and conversations may still remain on Amazon storage systems. Amazon is apparently conducting an ongoing effort to ensure deleted recordings are removed from various internal systems.
Amazon and other tech companies have been under increasing pressure to take the privacy of user data more seriously due to the EU’s enforcement of GDPR and the fact that all of this new technology seems to always increase the demand for more and more of our private data. So will this latest revelation make you think twice before talking to Alexa? I think manually deleting each individual recording is a very poor solution and hopefully they take the approach of changing the retention policy on this data or allowing users to delete everything with one single action. But until that day comes (if it ever does) Amazon is going to hold our data indefinitely.
Malware distribution has always been a problem on Facebook and this goes way back to the beginnings of the social network. In this most recent example, a malware campaign called “Operation Tripoli” was found that targeted tens of thousands of users in Libya but also had the side effect of impacting users in North America. The most interesting aspect of this particular campaign was that it was started by someone creating a Facebook page impersonating Khalifa Haftar who is the commander of the Libyan National Army. This Facebook page had over 11,000 followers and had links to various types of propaganda that when clicked on, led to the download of various remote access trojans and other spyware. According to researchers from Check Point Software who discovered this campaign, this looks to be the largest seen by the researchers. In fact, this particular campaign may have started all the way back in 2014 and the individual behind this page was found to have 30 other Facebook pages using the same techniques. One of these other pages had close to 140,000 followers. While this particular malware campaign was specifically targeting Libyan citizens, you can bet that other pages targeting you and your country most certainly exist.
This is a great reminder for us all that impersonating other people on Facebook is almost too easy and we should be constantly aware of Facebook pages that may look legitimate but are really set up to impersonate a person or organization. Back in 2009 I jokingly talked about how easy it was to impersonate celebrities like Rick Astley on Facebook and Twitter by exploiting people’s trust and getting them to click on malicious links. This was demonstrated in some of the talks I gave at hacker conferences and was the start of my research on the privacy and security of social networks, and ironically the start of this podcast. By the way, at the end of August we’re celebrating the 10 year anniversary of this show! As part of that celebration we’ve recently released an updated version of our popular Facebook Privacy & Security Guide which walks you through the most appropriate privacy settings so that you can still be social. You can get your copy for free by visiting sharedsecurity.net or check out our show notes for a link you can click (don’t worry, this one is non-malicious) so you can download our updated guide.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Many of you listening to this episode are either on vacation right now or planning to be. You’ve probably seen and heard major news organizations like the NBC Nightly News talking about hackers trying to target you and your data while you travel. We’ve talked a lot about protecting yourself from those threats on this podcast, but what we don’t hear a lot about is what we should all be doing to protect our privacy from…each other. What I mean is that a lot of times in public spaces there are people always around us, and 99.9% of them have no malicious intent to target us specifically, yet, we sometimes unintentionally become victims because of the things we say or do in a public space. Having said that, I thought it would be good to share with you my top three tips for protecting your privacy while you’re on vacation this summer.
First, be aware of what you talk about over the phone or with others while in public spaces. I can’t tell you how many times I’ve overheard private conversations while waiting for a flight at the airport. In some of these conversations I was able to hear people’s full Social Security and credit card numbers. So that means, you should probably not order something over the phone or discuss personal details about your medical history with your doctor while lots of people are around you. Go somewhere private to have conversations like these. Along with that be cautious pulling out your wallet or purse where you may unintentionally show credit cards, cash and other personal items. Other people can learn a great deal about you by observation and you could potentially become a target for a thief or pickpocket.
My second tip is to use your laptop or smartphone in an area without a lot of people around or use a privacy screen, especially if you’re working on something private or sensitive. People on business are the worst offenders, especially on airplanes. But depending on what Netflix show or movie you might be watching, think about if you want the entire airplane to also be watching that show or movie with you. Check out our show notes for links to a few recommended mobile and laptop privacy screens.
My last tip is that if you’re renting a car, don’t plug your smartphone into the USB port of the car! Most cars will auto sync all the contacts, text messages, and other data on your device automatically and if you forget to delete it, the rental car company and potentially the next renter, will have access to private information you probably don’t want strangers to see.
As always, being aware of your surroundings and using common sense will help you stay more private in your travels this summer!
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.