You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 83 for August 26th 2019: Facebook announces new off-Facebook activity privacy controls, how Apple made everyone’s iOS device vulnerable, and details on the massive MoviePass data breach.
This week I read yet another news article that talked about how thieves stole a Tesla in about 30 seconds using what is known as a relay or key fob attack. The attack works by using a device to amplify the signal from the car so that the car thinks the key fob is nearby. Once the device relays the signal back to the car, the door is unlocked and the thief can steal the car. This is also an issue for other car manufacturers; it’s really any car that uses a technology called PKES, or Passive Keyless Entry and Start. Besides disabling this feature, the easiest way to prevent this attack is to put your key fob in a Faraday bag, which is designed to block all wireless signals, making an attack like this completely preventable. And if you want the finest Faraday bags available, you’ll want to use one from Silent Pocket. In fact, Silent Pocket offers a key fob guard which is made specifically to prevent a relay attack. Order one today by visiting silentpocket.com and receive 15% off your order using discount code “sharedsecurity” during checkout.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Ever wonder how certain products that you were thinking about buying mysteriously show up as ads on your Facebook newsfeed? Is there some black magic going on here? Well it’s not black magic and is actually one of the many ways that Facebook serves you more ads. Last week Facebook announced that they are finally implementing new privacy controls around what they are calling “Off-Facebook Activity”. Off-Facebook activity is data that is collected from websites and apps about your online searches. This can only happen when websites and apps use the Facebook login feature or have enabled Facebook’s business tools. These sites and services send certain details about that activity to Facebook so that they can in turn show you ads about those specific products. This is why you see ads show up in Facebook for items or products that you’ve been searching for on the Internet. Now this is how off-Facebook activity works. Say you’re searching for a new backpack on a site that sells backpacks. That site can send information about your device, what was searched for and other details so that Facebook can match up that device to your Facebook account. This in turn sends you an ad about that backpack or company. Facebook has always said that the companies utilizing this feature do not get your personal information like name or email address. All they know about you is a unique device identifier which allows Facebook to match your device to your account.
Now for the first time ever, Facebook is allowing more control over this data and is even allowing you to delete and disconnect this data from your Facebook account. Facebook will be slowly rolling this feature out to users over the coming months. These new privacy settings will give you the ability to see a summary of information other apps and websites have sent Facebook, disconnect this information from your account, and choose to disconnect future off-Facebook activity, either entirely or just for specific apps and websites. So if you disconnect all this data from Facebook, does that mean you’ll no longer see ads? Not really, you’ll still see ads but they will be less personalized than before. Keep in mind, this applies to Instagram too since Instagram is owned by Facebook and is tightly integrated into the Facebook Platform. So what do you think about this news? Is Facebook finally trying to focus on user privacy or is it too little, too late? This new privacy control is of course a response to the Cambridge Analytica scandal and the beating that Facebook has taken from privacy experts for months now. My take is that any control is only as good as the users that plan on using it and unless Facebook makes this an “opt-out” setting where by default your off-Facebook activity is automatically disconnected, I don’t see many users going through their Facebook settings turning these connections off. We will, of course, be updating our free Facebook Privacy and Security Guide when these settings start rolling out. In the meantime, check out our show notes for the link to download the current version of our Facebook Privacy and Security Guide today.
Last week Apple made a huge error with their latest 12.4 iOS update. The problem? Well, it appears that they accidentally unpatched a serious vulnerability that was first patched in iOS 12.3. The vulnerability allows unsigned code to be run on an iOS device and allows the device to be “jailbroken”, which allows unauthorized apps and features to be installed. From a security perspective, this is the first time that I can remember that an Apple update actually made their entire platform vulnerable by unpatching a previous vulnerability. This means that the latest and greatest iOS update, 12.4, leaves almost every iOS device in Apple’s walled garden vulnerable to compromise. So what kind of attacks are we talking about? Well, for one, malicious code that might be contained in apps that you download from the Apple App Store could be one risk, and the other being targeted attacks by nation states and others via a malicious text message or by leveraging a bug in another installed application. Of course, the biggest risk for most of us is malicious apps from the Apple App Store potentially being side-loaded with malware that would take advantage of this vulnerability. Devices affected include all Apple iOS devices not running Apple’s latest A12 processor. Unfortunately, the iPhone X is vulnerable but not the newer iPhones like the XR, XS, or XS Max. As of this podcast recording, the fix for this issue in 12.4.1 has not been released, so for now all we can do is wait and continue to be vigilant with the apps we download and the text messages we receive.
In other Apple news, if you have a certain older MacBook Pro from 2015-2017, the FAA has banned these laptops from all flights in the US because of the potential that the battery might explode, due to a recall made by Apple. It’s not clear how the FAA plans on enforcing this since most MacBook Pros look very similar, but if you do happen to have an older MacBook Pro you can visit Apple’s support website to find out if your MacBook Pro happens to be on the recall list. Check out our show notes for a link to this support page.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Another week and yet another data breach. This time movie subscription service MoviePass has exposed tens of thousands of personal credit card numbers due to an unprotected, wide-open database. Security researchers from a Dubai-based cybersecurity firm called SpiderSilk discovered 58,000 credit card records including MoviePass’s own customer card numbers which are used just like a debit card. The data also contained personal information such as name, billing address, and more which could be used to commit credit card fraud. The most surprising aspect was that none of this data was encrypted and that the data appears to have been exposed since May of this year. As in many of these types of breaches, MoviePass didn’t seem to take the issue seriously at first. MoviePass did not respond to emails from the security researcher (even when an email was sent to the CEO) and only took the database offline when TechCrunch contacted the company. A statement about the breach from MoviePass was apparently released but if you go to the MoviePass website you get a notice that the entire MoviePass service is “not accepting new customers”. If you happen to be a MoviePass customer, I’d be very concerned about the security of my credit card details. And like we always say for any credit card breach, make sure you check your credit card statements on a regular basis and enable any kind of fraud alerting that your credit card company might offer.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.