You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 89 for October 7th 2019: Microsoft’s new OneDrive personal vault, updated privacy and security controls announced by Google, and the TSA’s announcement about the REAL ID deadline next year.
I have a question for you. What’s in your daily carry? Now I’m not talking about your concealed weapon of choice (if you do legally choose to do so) but I’m talking about your wallet, backpack, clutch, or other travel accessory. If you’re looking to upgrade to something that’s high quality, fashionable, and built with your digital privacy in mind you need to check out Silent Pocket. Visit their full line of products at silentpocket.com and use discount code “sharedsecurity” at checkout to take 15% off your order.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Microsoft has increased the security and privacy of its OneDrive cloud storage service with a new feature called a “Personal Vault” which is now available worldwide for all OneDrive users except for those on business plans. Personal Vault is a protected area in OneDrive that requires additional authentication, like biometrics, a PIN code, or SMS-based two-factor authentication in order to access and store files. Microsoft has stated that on Windows 10 devices files that are stored in Personal Vault are synced by default to Bitlocker-encrypted locations, and that the vault will lock automatically in 20 minutes by default. I think the real security advantage here is on mobile devices where the OneDrive app will let you scan files or take pictures and video and store it directly into your Personal Vault instead of your camera roll. And because data that is stored in OneDrive is encrypted at rest and in transit, it seems to be a nice addition to increase the security and privacy of your most sensitive data like storing a picture of your driver’s license, passport, birth certificate, or other electronic documents you should protect. One disappointment though, if you have a free OneDrive account or one that you recently upgraded to one of Microsoft’s standalone 100 GB plans, you can only store a maximum of three files in your Personal Vault. To store more, you’ll need to upgrade to an Office 365 Personal or Home subscription. I guess according to Microsoft, much needed personal file security and privacy comes with an additional cost.
There were lots of new privacy and security updates from Google last week which includes new features and improvements to give you more control over your data and to make privacy and security controls more seamless across all of Google’s products. First up is the new feature which allows you to auto-delete your YouTube browsing history at a set time period of 3 months, 18 months, or the ability to just delete your history manually. Next, Google has integrated a password checkup tool into the Google Password Manager which will let you know if your passwords are weak, reused, or have been compromised in a previous data breach. This is similar functionality to what Firefox rolled out a few months ago by integrating with Troy Hunt’s ‘Have I been pwnd’ service. In addition to these improvements you’ll be able to tell the Google Assistant to delete what you just said or delete a recording from a specific time period, like last week, and Google has added incognito or private mode to Google Maps which removes any personalization and search history which won’t be linked back to your Google account.
In other related Google news, Google has been lobbying congress to let them start forcing Chrome users to automatically use DNS over HTTPS. If you’re not familiar with what DNS over HTTPS is, well it means is that when you type a URL like google.com into your web browser, the query for google.com gets encrypted, therefore, not allowing your ISP (or someone else monitoring your Internet connection) to view the sites you’re going to on the Internet. Keep in mind that this is slightly different than full HTTPS encryption where the contents of data that you send and receive from sites on the Internet is encrypted. Think of DNS over HTTPS as an add-on that will increase the overall security and privacy of the Internet. My take is that I think this and all the recent changes that Google is making is really needed. I don’t know about you but I feel lately that perhaps Amazon, Apple, and now Google are playing a game of “privacy catch up” given how data breaches and privacy concerns are all over the news as of late. Let’s hope this trend continues.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
My last story this week is a friendly public service announcement from the Department of Homeland Security. They want to remind you that if you intend to travel by air in the US a year from now you’ll need to upgrade to a “REAL ID” compliment driver’s license by next October 1st 2020. Standard state issued drivers licenses will not be accepted when going through TSA security screening so you will have to use a REAL ID compliment license or use a current US passport, Global Entry card, or military ID to board a flight in the US.
The TSA has been hitting the media to let everyone know about this now to avoid a chaotic situation at the airport with TSA lines, aggravation and the financial impact when people with non-refundable airline tickets are turned away next October.
The REAL ID act was passed after 9/11 as a way to make drivers licenses harder to obtain by terrorists. You can tell a REAL ID from a regular driver’s license by the “star” located in the top right corner. But the biggest difference from a traditional driver’s license is that you need to submit four forms of identification, including two with your address. Valid forms of ID can include a valid driver’s license, passport, Social Security card, birth certificate, utility bill, payroll stub, rent or mortgage payment, or a military ID. If you happen to live in Oregon, Oklahoma, or New Jersey you will have less than a year to get a REAL ID since these states are behind and have not yet implemented REAL ID. Check out our show notes for a link from the TSA to find out more information about REAL ID and the October 1st 2020 deadline.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.