You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 92 for October 28th 2019: Details on the Nord VPN security incident, using Amazon Echo and Google Home smart speakers for phishing attacks, and new privacy features in Apple iOS 13 you should know about.
What does it mean to go off the grid? For most of us that are constantly relying on our phones, tablets, and laptops it means shutting them off and doing some other activity like enjoying nature or spending valuable time with friends and family. I don’t know about you but I struggle with turning off or putting down my phone because I’ve become so tied to it. I mean, have you ever forgotten your phone at home while you were driving to work or did you happen to find yourself in the wilderness or somewhere where you can’t get a cell phone signal? How did this make you feel? I know I have had that awkward feeling of “what if someone tried to message me?” or “how will anyone get ahold of me in an emergency”? In fact, how many of you would drive back home to retrieve your phone or walk around until you found a cell phone signal out in the middle of nowhere? Look it’s hard to go off the grid but the good news is that there are products that can help. That’s why I recommend using a Silent Pocket Faraday bag which can instantly block are wireless signals, quickly taking you off the grid. Check out their full product line at silentpocket.com. And because you listen to this podcast remember to use discount code “sharedsecurity” at checkout to receive 15% off your order.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Popular VPN service provider Nord VPN disclosed that they were the victim of a security incident which happened about 16 months ago, back in March 2018. The attack compromised a server in Finland in which attackers were able to access encryption keys which could have been used to potentially decrypt user traffic, launch man-in-the-middle attacks, and even impersonate the nordvpn.com website. Attackers were able to access the server by exploiting an unnamed remote management system that was being used by the data center that housed one of the Nord VPN servers. One of the certificates the attackers gained access to was one that provides HTTPS encryption for nordvpn.com. This certificate wasn’t set to expire until October 2018, seven months after the breach. This means that for months, attackers could have been luring unsuspecting victims to phishing sites thinking they were signing up or accessing nordvpn.com. And to make matters worse details about the incident have been apparently floating around underground forums on the Internet since May of 2018.
Nord VPN posted a blog about the incident and stated that no user accounts or user data was affected or that anyone attempted to monitor user traffic in any way. They also stated that the only attack possible would have been a personalized and highly sophisticated man-in-the-middle attack to intercept a single connection. And also restating that they are a “no logs” VPN provider so there would be nothing for an attacker to see anyway. This is contrary to what others in the media and security research community are saying noting that man-in-the-middle attacks are not that hard to pull off and that these types of attacks are actually what VPNs are supposed to help protect users from. The Nord VPN blog post also seemed to pass complete blame of the incident on the third-party datacenter which housed the server that was accessed. Nord VPN also stated that they did not disclose the breach to their customers and to the public quote “until we could be sure that such an attack could not be replicated anywhere else on our infrastructure. ” They also stated that they are preparing a bug bounty program and also conducting internal and external audits of all systems. In related news, two other VPN providers, TorGuard and VikingVPN also disclosed that they too had been hacked where encryption keys were also stolen around the same time period.
The lesson here is that, besides a VPN provider perhaps not disclosing a breach or incident in a timely manner, the bigger issue here is twofold. First, understand that a VPN is not an end all be all solution to protect your privacy, contrary to what many of these VPN companies may say in their advertising. As seen with this incident, anyone can become a victim when there is a third-party involved, like an insecure remote management application which is managed by someone else. One perspective is that this incident wasn’t Nord VPNs fault, especially since they had no control over what the datacenter uses for remote management. However, it’s a lesson for all of us that we inherently trust many different types of third-party companies with access to our information and unfortunately we have no control over how they secure these systems and ultimately how they protect our information.
We always seem to be talking about these smart speakers like Amazon Echo, Google Home, and Siri having lots of privacy issues. I mean, why not? We’ve all placed these devices all over our house because we see some value in what they do for us, right? But usefulness aside, do they have the potential to become “Smart Spies“? Well last week German security researchers from a company called Security Research Labs just added phishing to the list of privacy concerns with these devices. The researchers created several “malicious” apps delivered through “Skills” for Amazon’s Echo devices and “Actions” for Google Home voice assistants. These apps were designed to maliciously phish for sensitive information like passwords and also eavesdrop on users after they believe the smart speaker has stopped listening. The apps that were built were a seemingly innocent horoscope app called “My Lucky Horoscope” and the other was a random number generator app. Both types of apps even passed review by Amazon and Google. Here’s how the eavesdropping attack works. First, you need to install the skill that allows Alexa to generate a random number. Alexa then responds with a random number for you but then the skill does not end, Alexa will continue to record. The researchers also showed how whatever is recorded is transcribed and sent directly to the app developer. Now adding phishing to this same attack is even easier. Let’s say you ask Alexa for your daily horoscope. Alexa responds with an error that this skill is not available in your country, a long pause ensues, then Alexa tells you an update is available for your device. Alexa prompts you to say “start update, followed by your Amazon password”. And there you have it, everything you say is recorded, transcribed, and sent to the attacker. The phishing possibilities are quite endless.
Now obviously this was done to prove a point of what may be possible with these devices and there is no indication that malicious apps like these exist, at least not right now. The good news is that the researchers did send their test results to Google and Amazon. Both companies responded stating that they are changing their approval process for skills and actions from having similar capabilities in the future. So what do you think? Does this latest privacy concern outweigh the benefits of using these smart speakers? Or will we all continue to put these potential “smart spies” in our homes.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Apple iOS 13 has been out for about a month now and I wanted to highlight a few really helpful privacy features that all Apple device owners should be taking advantage of. First, are new pop-up notifications whenever an app is tracking your location. For example, apps like Facebook, Uber, or Google Maps have the ability to track your location, even if you don’t have the app open. Your device will now notify you if a particular app is tracking your location, provide you how long it’s been doing this, and a map showing you the location the app is trying to track. You now have the option from this pop-up to select “Change to Only While Using” or “Always Allow”. Now this setting has been available manually in your settings for the last few years but now with iOS 13, Apple made the change to more prominently show apps that track your locations.
Similar to the location tracking pop-up you may also see a pop-up for apps that want to use Bluetooth wireless. For example, you may see apps that ask to use your Bluetooth that, well, don’t have any use for Bluetooth at all. Why is that you may ask? Well many apps are using Bluetooth to track your location when visiting stores or other public venues and these stores may be using wireless beacons to know that you visited a particular location. Yes, this is very creepy and unless you have an app that requires Bluetooth (like a wireless speaker system) you should always deny the app from accessing your Bluetooth. Lastly, there is a new setting in iOS 13 called “Silence Unknown Callers” that can help fight spam calls and robocalls by sending them directly to voicemail. The nice thing about this feature is that calls that come in with an unknown number won’t ring and will go straight to your voicemail. However, keep in mind that if you don’t have a number that you’ve called previously or in your contact list you may miss a call with this setting enabled. My advice is to always add numbers of anyone that calls you to your contacts so that your phone always rings for calls you are expecting.
If you want to manually see which apps on your Apple device are tracking you open Settings, choose Privacy, select Location Services, and change the location tracking setting for each app. To manage which apps have access to your Bluetooth, open Settings, open Privacy, and choose Bluetooth. To turn on “Silence Unknown Callers” open Settings, choose Phone, and toggle the “Silence Unknown Callers” button to on.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.