You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 85 for September 9th 2019: Firefox will now block all third-party tracking cookies and more by default, serious vulnerabilities found in Apple iOS, and the latest on the huge database of Facebook users’ phone numbers found online.
Did you know that all electronic devices emit a form of electromagnetic radiation? Well recently we’re starting to see more scientific research come out about the potential health effects of using our mobile devices and other wireless electronics so close to our body. In fact, just recently a class action lawsuit was filed against Apple and Samsung for exceeding the radiation limit on the smartphones that they sell. And while this research is debatable in some circles, more and more experts are recommending keeping our smartphones away from our bodies. If this is something that concerns you one product that can help is a Silent Pocket faraday bag which can block all wireless signals emitting from a device. Visit silentpocket.com to check out their great line of faraday bags and other products to protect your digital privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
It should be no surprise that I’m a huge fan of Firefox. In my opinion it’s probably the best web browser out there that is truly focused on your privacy. And with the latest release of Firefox, version 69, Mozilla has made a change to its Enhanced Tracking Protection feature by enabling it for all users by default. Enhanced Tracking Protection is a privacy control which blocks all third-party tracking cookies and more. Back in June Firefox enabled this feature only for new users, but after the last few months of testing and improvements they are finally ready to enable this setting for everyone, which is a huge benefit from a privacy perspective. Enhanced Tracking Protection works behind the scenes to keep websites from developing a profile of you based on how they track your web browsing behavior across different websites. These profiles are then collected and even sold to third-party marketing companies without your consent. In addition, Firefox is also now blocking cryptominers by default too. Cryptominers access your computer’s CPU, slowing it down and draining your battery to generate cryptocurrency for someone else to profit from. Oh, and if that wasn’t enough, fingerprinting scripts are being blocked too, but not by default. These scripts attempt to harvest information about your computer’s configuration when you visit a website. If you want to take advantage of blocking these types of scripts you’ll need to enable “Strict Mode” within your Firefox privacy settings. Firefox plans on turning this blocking on by default in the near future.
Now I’ve also been recommending the EFF’s Privacy Badger as a great add-on for Firefox too. So it will be interesting to see how Privacy Badger compares to Enhanced Tracking Protection built in now by default into Firefox. Perhaps, we’ll do a comparison for you in a future episode of the podcast but in the meantime, if you are using Firefox make sure you update to the latest version to take advantage of these great new privacy protections.
The big news being discussed in the cybersecurity community recently was the big reveal from Google’s Project Zero vulnerability research team, which found that over a dozen Apple iOS vulnerabilities have been exploited by attackers for at least two years to steal everything on a vulnerable device including passwords, photos, text messages, and more. Most surprising though is the method used to infect iOS devices, which was by simply visiting certain websites that would exploit the vulnerabilities without you even knowing it. The researchers did not disclose the websites that were used but said that these sites received thousands of visitors per week. Oh, and the exploit only persisted until you rebooted your iOS device, but like many of us, do you remember the last time you powered off or rebooted your device? What’s also interesting is that typically iOS zero-days like this would be used by nation states to target specific groups or individuals, but in this case the attackers didn’t have a particular target in mind; rather it was a mass attack on any Apple device running iOS 10 through iOS 12. This also brings into question how secure Apple devices really are, given that iOS has a reputation of being one of the hardest operating systems to compromise. Typically vulnerabilities like these are worth tens of millions of dollars and are usually only funded by nation states with deep pockets and specific targets in mind. The question here is who was behind this massive undertaking and was any particular nation state involved? We may never know, but the good news is that Apple did patch these particular vulnerabilities back in February of this year with iOS 12.1.4. This is yet another reason you should always keep your devices up to date and patched.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
In Facebook news this week, and I know you’ll be so surprised to hear this, an unprotected server was found exposing more than 419 million Facebook users’ phone numbers, along with each user’s Facebook ID, which is a unique number associated with a Facebook user account. These user records break out to 133 million from the US, 18 million from the UK, and more than 50 million from Vietnam. What’s most interesting is that the data appears to be at least a year old, since Facebook removed public access to phone numbers in April of last year due to the Cambridge Analytica scandal. A security researcher named Sanyam Jain found the database and contacted media outlet TechCrunch after he was unable to find the owner of the database. A spokesperson from Facebook commented that the data set is old and that there are no indications that anyone’s Facebook account was compromised due to this specific database being exposed. TechCrunch also stated that the web hosting company pulled the data once they were notified.
This most recent exposure is on top of the long list of previous data leaks that have been a huge problem for Facebook in recent months. Not only that, it’s another example of a database found completely unprotected and available for anyone to harvest for whatever purpose they wanted.
In other Facebook news, Facebook is migrating users that had a setting called “tag suggestions” to the current face recognition setting. Apparently, some new users and others still had this old setting and now will be fully moved over to the new setting. Back in December of 2017, Facebook introduced a setting specifically for face recognition. In addition to this, Facebook will also provide users with more information on how face recognition works and with the option to turn this feature on. Facebook also notes that if you do not currently have the face recognition setting and do nothing, Facebook will not use face recognition to recognize you or suggest tags unless you opt in. We’ll have a link to the full news release in our show notes if you want more information but we always recommend not enabling face recognition for the obvious privacy reasons. Oh, and if you haven’t downloaded our free Facebook Privacy and Security Guide I highly recommend you do so. Our guide will walk you through all of your Facebook privacy settings so that you can remain as private as possible while still being social. Visit sharedsecurity.net/Facebook to get your copy today!
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.