This is your Shared Security Weekly Blaze for July 22nd 2019 with your host, Tom Eston. In this week’s episode: The FaceApp privacy panic, Facebook’s 5 billion dollar fine from the FTC, and what you need to know about two new types of Amazon scams.
Traveling internationally this summer? If so, make sure you protect one of the most valuable documents that you’re going to carry, and that’s your passport. Not only do you have to worry about losing your passport, but you also need to consider the privacy issues if your passport information is exposed. Passport information is often exposed through simple information disclosure: someone shoulder surfing can identify you and learn your nationality and the other personal information printed in your passport. On top of that, you need to protect your passport from damage and physical theft. My recommendation is to check out Silent Pocket’s Passport Wallet, which provides a stylish way to protect your passport while you travel with the added benefit of RFID blocking. Pick one up today at silentpocket.com and use discount code “sharedsecurity” to receive 15% off of your order during checkout.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
The Federal Trade Commission has approved a 5 billion dollar settlement with Facebook over its investigation into their handling of the Cambridge Analytica privacy scandal, which exposed the private information of 87 million users. According to the Wall Street Journal, the settlement also gives the FTC more oversight of, and restrictions on, Facebook’s privacy practices. While 5 billion dollars seems like a lot, it’s really just a drop in the bucket for a company like Facebook. In fact, when the news about the FTC settlement hit last week, Facebook’s stock shares went up 1.8%. So let’s run the numbers: Facebook made $15.1 billion just in Q1 of this year, and $5 billion is only about 9% of their total revenue for 2018, which came in at $55.83 billion. Again, this is not that big of a deal for Facebook when we’re talking about billions and billions in revenue.
Now we do have to keep in mind that this is the largest fine ever issued by the FTC. The last fine, which wasn’t even close to this magnitude, was the $22.5 million issued to Google in 2012 for their mishandling of privacy issues. A drop in the bucket compared to 5 billion, but have the privacy issues and controversy stopped with Google? No, they haven’t, as we talk about privacy missteps from both Google and Facebook on this podcast almost every week.
So are “massive” fines the solution for companies that mishandle our privacy? It certainly doesn’t seem like it. What do you think is needed besides fines? Perhaps jail time for CEOs? One thing is for sure, something else needs to be done besides fines.
Do you read the privacy policies and the terms of service of the apps that you use? If not, the recent drama over an app called FaceApp may make you want to start reading these policies before you start using an app. FaceApp is an app that will make a selfie look younger or older, or turn yourself into the opposite sex, all by using facial recognition and AI technology. The app went viral last week all over social media and has been downloaded over 95 million times across the world. So what’s the controversy? Well first, there were unfounded claims on social media that because the app was created by a Russian company, called Wireless Lab, there must somehow be ties to the Russian government in some giant conspiracy to harvest all the pictures on the devices of millions of users.
The truth is that FaceApp only uploads the pictures you want to manipulate, and those photos are actually sent to an Amazon AWS server which happens to be based in the US. But the bigger problem is what is said, and in some cases not said, in the FaceApp privacy policy and terms of service. First, you give FaceApp all rights to use the photos you upload for anything they want, including using your photos for commercial purposes. Going further, your name, likeness, and other data like your voice can also be used for commercial purposes, forever. Now, this type of policy is not that much different from Facebook or other social apps, but the recent drama over this particular app should be a good reminder for all of us to read these policies to make sure you know what data is collected about you and how it may be used. While I think the controversy over FaceApp is a little overblown, think about all the similar or other “fun” apps like these that you may be using, and think twice before allowing your data to be used for something you don’t approve of.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.
There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next.
That’s where NETSCOUT comes in.
Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.
With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.NETSCOUT.com.
Did you take advantage of Amazon Prime Day deals last week, and do you happen to live in Florida or Texas? If so, according to cybersecurity firm MonsterCloud, you could have been targeted with spoofed Amazon ads and fraudulent email marketing with fake deals and coupons that were actually malware and ransomware links. MonsterCloud CEO Zohar Pinhasi says “Florida in particular is off the charts – 200% higher rate of attack around Prime Day compared with the rest of the country. That likely may be because criminals are trying to take advantage of an older demographic that may not be as familiar with online shopping and the Internet, let alone cybercrime.”
It’s obvious that shopping days like Amazon Prime Day and Black Friday are huge targets for attackers to use and leverage for more success in delivering all types of attacks including ransomware. What I find interesting about the MonsterCloud report is that it shows very specific states like Florida being targeted because of a large demographic of retired and elderly people. Like I’ve covered on the podcast before, the elderly are common targets of scams like these. One thing we can do is check in on our elderly friends and family members, especially around shopping events like these, to make sure they have some awareness of these types of scams.
Besides malware and ransomware scams, you should also be aware of an increasingly popular Amazon scam called “brushing”. A brushing scam is where a third-party seller on Amazon somehow gets the name and address of a consumer. The seller purchases an item and sends it to that person, claiming it’s a gift. Amazon allows the person who purchases a gift to leave a review for that item, so the seller leaves a fake review after the item ships. This creates fake positive reviews, which increase the reputation of the seller and push their products up higher in the Amazon search results. Products that show up at your house can be totally random, with no return address or other identifying information except that it’s in an Amazon shipping box. And while getting a ton of free stuff might be awesome, the bigger problem is that some of your personal information, like your name, address and phone number, has obviously been compromised: either by a shady seller that you bought something from on Amazon, because you happened to be targeted, or because your data was found in a data breach. So what do you do if you happen to receive random packages you didn’t order from Amazon? First, contact Amazon immediately. Next, change your Amazon password just in case your account happens to be compromised (you did of course enable two-step verification, right?). And last, it’s always a good idea to research the product and vendor before you buy something on Amazon by doing a search on Google to see if there are reports of scams with that particular vendor. Also, check to see whether you’re purchasing from Amazon directly or through a third party.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First-time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.