You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 82 for August 19th 2019: The BioStar2 biometric security data breach, wormable vulnerabilities in Microsoft Windows, and the FBI trying to harvest your social media data.
Can you believe that this week we’re celebrating the 10 year anniversary of this podcast? For the last 10 years we’ve been talking about how your private information can be exposed through data breaches, vulnerabilities, exploits, and even through the wireless capabilities of our smartphones and laptops. It seems that in the last 10 years it’s only gotten worse. That’s why I recommend the use of a Silent Pocket faraday bag to protect my smartphone and laptop so I can have true piece of mind that my devices are protected when I’m not using them. Visit silentpocket.com to check out Silent Pocket’s amazing line of faraday bags and other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
On August 5th security researchers from vpnMentor disclosed a massive data breach in a biometrics security platform called BioStar2. vpnMentor has been doing a large web-mapping project across the internet which had identified this unsecured database. BioStar2 is a web based biometric security smart lock platform, built by a company called Suprema, and is used to administer physical access controls to facilities. The core technology of the product uses facial recognition and fingerprints to identify users. Suprema recently partnered with a firm to integrate the software into over 5,700 organizations in 83 countries. Most of these customers also happen to be in Europe. Shockingly, many European governments, banks and even the UK Metropolitan Police use this system for the security of their facilities. The data that was leaked in the breach, which totaled over 27.8 million records, included personal information of employees, unencrypted usernames and passwords, and to top it all off over 1 million fingerprint records and facial recognition data. We’re talking about the actual fingerprints and images of users which as you know can’t be changed like a password can. This alone is extremely concerning as this data combined with other personal information from the data leak are perfect for identity theft or other fraud. The good news is that after vpnMentor attempted several times to contact the company about the breach they finally took the database offline. Check out our show notes for links to further information as well as a listing of the companies and countries affected by this data breach.
Last week Microsoft announced four new critical vulnerabilities for Windows that are wormable, meaning, they can be exploited by malware to install and propagate from one computer to another without any user interaction. The last time we had to deal with a wormable vulnerability like this was back in May of this year when Microsoft patched another serious vulnerability called ‘Bluekeep’ which at the time had a close resemblance to the WannaCry malware. WannaCry caused major issues for companies and individuals across the world back in 2017. The vulnerabilities in all of these cases reside in Remote Desktop Services (abbreviated as ‘RDP’) and more specifically have to do with vulnerabilities in the protocol itself. RDP is the service that allows a user to remotely connect to another Windows computer to view the desktop in real-time and these vulnerabilities can allow malware to do this without authentication making this vulnerability extremely dangerous. Microsoft stated that quote “no evidence that these vulnerabilities were known to any third party” and that quote “It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.” Affected systems include all newer Microsoft operating systems starting with Windows 7 all the way to the current version of Windows 10 and related server versions. Like Microsoft said, you should update your version of Windows as soon as possible. To check to see if your version of Windows is updated, head to Settings -> Update & Security -> Windows Update and then look to see if KB4512501 from August 13th is installed. As a reminder you should always enable automatic updates for your Windows system so you always get the latest security patches as they are released.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
The Federal Bureau of Investigation is making plans to find technology and third-party vendors that are able to harvest publicly available information in massive amounts from Facebook, Twitter, and other social media platforms. The Wall Street Journal reports that the FBI will be using the data collected to quote “proactively identify and reactively monitor threats to the United States and its interests.” In addition President Trump has directed the US Department of Justice to work with thrid-party vendors quote “to develop tools that can detect mass shooters before they strike.” The request was apparently made just a few weeks before the recent mass shootings took place in El Paso Texas and in Dayton Ohio. Vendors have until August 27th to submit their proposals to the FBI.
This news comes on the heels of Facebook’s recent $5 billion dollar settlement with the US Federal Trade Commission and is very likely to create a lot of problems for Facebook when one side of the government wants to punish them for privacy violations and mishandling of data, while the other side wants to access all the data they have. Unfortunately, that means that anyone that uses Facebook or other social networks are the ones stuck in the middle between government demands and how are private information might be shared.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.