You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 93 for November 4th 2019: The WhatsApp NSO group lawsuit plus details on Facebook’s preventive health tool, this week’s data breach news, and how attackers are using a voicemail to phish Microsoft Office 365 users.
Halloween may be over but this time of year doesn’t have to be scary when it comes to protecting your digital privacy. Silent Pocket makes it easy to protect your devices with their full line of faraday bags, wallets, and other accessories that will block all wireless signals. As a special treat for our podcast listeners you can receive 15% off your order right now at silentpocket.com using discount code “sharedsecurity” during checkout. No tricks involved in this exclusive offer.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Will Cathcart, the head of WhatsApp, which is a Facebook company, wrote an op-ed for the Washington Post stating that WhatsApp has filed a complaint in US federal court against the infamous Israeli company, the NSO Group. You may remember that several months ago a serious vulnerability was found in WhatsApp in which malicious code was delivered via a seemingly innocent video call, compromising the app and device. Through WhatsApp’s own investigation, in partnership with activist group Citizen Lab, they detailed how NSO Group servers, Internet-hosted services and certain WhatsApp accounts were traced back to the NSO Group during their investigation of the attacks. In addition, it was discovered that at least 100 human-rights defenders and journalists were targeted using this NSO spyware, most likely a form of Pegasus, which is known as the spyware of choice for nation states to target specific individuals. Of course, the NSO Group, as expected, has denied any involvement in the attack. Check out our show notes for the link to the full federal complaint to read the details for yourself.
In other Facebook news, Facebook announced that they are developing new partnerships and programs to support people that want to connect with resources to support their health. One of those resources is something called the “Preventive Health Tool” available in the US. This new tool will allow Facebook users to find doctors, set appointment reminders to schedule tests, note them as completed, and much more. Facebook says that their reason for doing this is to spread more awareness about preventive care for things like cancer screenings. Now I’m sure the first thing you’re thinking is, will Facebook now have access to my health care data? Well Facebook says quote “Preventive Health allows you to set reminders for your future checkups and mark them as done, but it doesn’t provide us, or the health organizations we’re working with, access to your actual test results. Personal information about your activity in Preventive Health is not shared with third parties, such as health organizations or insurance companies, so it can’t be used for purposes like insurance eligibility” end quote. Now your next question is probably about how many more health care related ads will I start seeing on Facebook if I use this tool? Well Facebook has an answer to that and says quote “We don’t show ads based on the information you provide in Preventive Health — that includes things like setting a reminder for a test, marking it as done or searching for a healthcare location. As always, other actions that you take on Facebook could inform the ads you see, for example, liking the Facebook page of a health organization or visiting an external website linked to or from Preventive Health.” end quote. And that last sentence is key.
Ultimately, the more time you spend on Facebook, the more opportunity you have to see ads in general, but by also liking a page of a health care organization or visiting an external website you are still giving Facebook little pieces of information that can be used to track you and eventually, serve you…guess what? More ads.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
In data breach news the world’s very first domain registrar, Network Solutions, disclosed a data breach in which a third party gained unauthorized access to a number of computer systems in which account information (such as name, email, address, phone number, and services assigned to a customer) may have been accessed. However, according to the breach notice, no customer credit card data was compromised and they have hired a third-party independent cybersecurity firm to investigate the incident. If you’re not familiar with a domain registrar, these are the companies that supply domains (like .com and .net), website hosting, and email to individuals and businesses. Network Solutions, which is now owned by Web.com, was the very first company to operate the domain name system (aka: DNS) as a subcontractor for the US Government way back in 1991. Besides posting a breach notice, which for some strange reason isn’t linked from their main website, Network Solutions is contacting those customers affected and will require all customers to reset their passwords as an additional precautionary measure.
In related news, an open Elasticsearch database exposed 7.5 million Adobe Creative Cloud user records. According to the researcher who reported the issue to Adobe on October 19th, no sensitive details like passwords or payment data were found, but the data did include email address, the date the account was created, products used, and payment status. This is typically enough information to be used for targeted phishing attacks. In a statement from Adobe regarding the breach they note quote “We are reviewing our development processes to help prevent a similar issue occurring in the future” end quote. As we’ve seen countless times this year, open or unsecured Elasticsearch databases or Amazon S3 buckets are prime targets for attackers looking to harvest mass amounts of user data and either sell it on the dark web or use it for phishing attacks.
Speaking of phishing attacks, they seem to be getting much more creative and devious. We just talked on the show last week about how researchers found ways to use our Amazon Echo and Google Home smart speakers in phishing attacks against us! And this week, researchers at McAfee Labs identified a new type of attack that uses a fake voicemail message to lure victims into submitting their Office 365 email credentials. Here’s how the attack works. You’ll receive an email that looks to come from Microsoft stating that a call was missed and that the caller left you a voicemail. Attached to the email is a file which will automatically play an audio recording that appears to be a very short voicemail saying “Hello” and nothing more. After the recording ends you’re told that in order to hear the rest of the voicemail you need to log in with your Office 365 credentials. The login page looks just like the Office 365 login page but…you know better, right? And according to McAfee Labs, it’s not just one type of phishing kit that is using this voicemail trick; two others were found for sale on the dark web leveraging the same technique. Now regardless of new phishing techniques being used like this one, always look at the URL of any landing page to see if it’s actually legitimate before entering your credentials, and even better, don’t click on links in suspicious emails in the first place.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.