You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston
In episode 90 for October 14th 2019: How protesters in Hong Kong are avoiding facial recognition, Instagram’s new anti-phishing tool, and my recent epic smart device failure incident.
Being a frequent traveler myself, I’m always surprised at how many people at airports are not very aware of their privacy. Just last week while I was waiting for my flight I listened as someone was giving their credit card number over the phone, and another person had their laptop open and I was able to see a presentation they were working on which looked to have very sensitive business information. The message here is that we always need to be aware of our surroundings and be careful what we say or expose when we’re in a public place like an airport. And if you’re a privacy-aware traveler like me, I highly recommend using Silent Pocket’s product line of faraday bags, backpacks and wallets which are built with your digital privacy in mind. Check them out at silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Violent protests continued in Hong Kong last week with the local authorities implementing a new anti-mask law which targets protesters wearing masks to avoid being recognized by the police and surveillance cameras. Now such bans are nothing new, as Sri Lanka, France, the Netherlands, and Canada have similar controversial bans as well. Some protesters have even been seen wearing face paint in the form of Pepe the Frog, which has recently been adopted as an international symbol of liberation for the Hong Kong protesters. Some protesters are even using laser pointers as a way to disable facial recognition technology or make it harder for it to identify them.
In related news, Apple has been criticized for removing an app from the Apple App Store because of pressure from the Chinese government. The app allowed protesters to crowdsource the locations of police. Apple is just the latest US-based company joining the ranks of the NBA and the video game company Blizzard, who have given in to Chinese pressure. This is very unfortunate, and while I don’t bring up politics too much on this show, freedom-loving people and companies should be supporting the protesters. And as a reminder, you as a consumer have a choice on what products and entertainment you spend your money on.
Now I bring up the Hong Kong protests because we all need to know that the technology that governments possess in order to identify protesters should be concerning to all of us. So when does the use of this technology truly become an invasion of our privacy, all in the name of more security? Perhaps we’re already there. The good news is that we are seeing more privacy laws that several states in the US are now implementing. Just last week the state of California signed a bill into law that prevents police from using facial recognition technology on video recordings gathered by police officers. The bill states, quote, “The use of facial recognition and other biometric surveillance is the functional equivalent of requiring every person to show a personal photo identification card at all times in violation of recognized constitutional rights,” end quote. I think this is a positive sign that, at least in the US, facial recognition is beginning to become more regulated.
Instagram has added a new security feature which will help you identify if an email was sent by Instagram or may be a phishing email. Here’s how this feature works. Let’s say you receive an email claiming to be from Instagram. You can now see if Instagram sent you that email by going into the “Emails from Instagram” option in your app’s settings. Within this setting you’ll be able to see every email that was sent to you by Instagram over the last 14 days. The new feature also separates emails into two categories: security emails and other. If you see an email that matches what’s in your inbox, then you can assume that this was a legitimate email. As you know, phishing emails are a constant threat, and some recent Instagram phishing attacks are looking so legitimate that it’s very difficult to identify a real email vs. a fake one. Be on the lookout for this new and welcome security feature to show up in your Instagram account over the next several weeks.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Researchers last week disclosed a severe remote code execution vulnerability in a range of popular consumer-grade D-Link WiFi routers. Routers affected include model numbers DIR-655, 866L, 652, and 1565, which all came out 7-10 years ago. The vulnerability was found in the authentication process of the login page of the router and can allow an attacker to access the admin credentials or install a backdoor. D-Link responded to the researchers’ report noting that because these routers are at “End of Life” support, no patch will be released for these devices. And this is part of the problem with the “Internet of Things”, which is: what happens to our devices which are later found to be vulnerable to attack when the manufacturer stops supporting them? And how are customers notified that their devices are end of life and that they should stop using them due to serious security issues? Oh, and don’t think this is a problem specific to D-Link. This can happen to any smart device like this, including web cams, printers, and really any device that is part of the Internet of Things.
Speaking of Internet of Things devices, I wanted to share with you a story that happened to me just last week when I was traveling. So I stayed in a newer hotel that has those “smart locks” on your room door where you can unlock the door with your phone. Now in full transparency, I haven’t yet used my phone to unlock my room door when I travel since I’d just rather stick to the key card that they give you when you check in. I’m really not that paranoid. Well, after hanging out with my co-workers, watching the Cleveland Browns lose yet another football game, I headed back to the hotel, went up to my room and found out that my key card wasn’t working when trying to open up the door. So I went back down to the reception desk, they issued me a new key card, and I proceeded to try again. Guess what, no luck. So I used the lobby phone by the elevators to call down to the registration desk, letting the attendant know that my card was still not working. The attendant proceeded to tell me that the battery for the card reader on the door was probably dead and that she would be right up to check it out. As she walked to my room I noticed that she had what looked like a battery pack with a small USB mini connector. She proceeded to try and plug this battery pack into the bottom of the card reader in an attempt to “charge” the battery so that the reader could quickly be powered just enough to read the card. Well, that didn’t work either, so she had to call maintenance to find out how to get the door open. She also proceeded to tell me that they would most likely have to drill a hole through the connecting door, which is the door that most hotel rooms have to create one large room, and displace me as well as the occupants in the room next to me so that I could get my stuff out.
So, it was midnight, I was tired and just wanted to go to bed. I was told the maintenance guy was about 30 minutes out, so I sat in the lobby and waited. The maintenance guy got there and I saw him with a drill and a very large drill bit as he headed up to my room with the hotel attendant. I was thinking the worst at this point, and about 10 minutes later the other desk attendant told me that the maintenance guy had just called down to say that they were able to successfully open the door. Awesome! So I headed up to my room and the maintenance guy told me that he was able to get the backup battery connected by using pliers to pull out the connector so that he could connect the battery pack. Apparently, the connector was broken. Now I had several questions at this point. First, why was there not a failsafe for these door locks when the battery fails? He said that they would have to drill through one of the doors; that’s the only option. There was no key backup or any other way to get in the door. Now my next question was, so let’s say someone was having a medical emergency, called 911, and couldn’t get to the door to let paramedics or the police into the room? If the battery to the door is dead, the only option is to break the door down! I was a bit surprised by this, thinking of the potential liability that this may leave the hotel, but the more I thought about it…this is the reality that we live in. While these smart locks should probably have a third failsafe, like a key, situations like these should make you think about what happens when the technology we rely on fails and what manufacturers should think about when developing smart devices like these locks. And if you’re wondering, I did finally have a good night’s sleep.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.