You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 94 for November 11th 2019: Facebook’s Group API data leak and 7,000 pages of leaked Facebook documents, lasers that can control your smart speakers, and details about the BlueKeep vulnerability now being exploited in the wild.
Are you like most of us who have to be constantly checking our smart phones for the latest Tweet or Facebook update? How many of us are actually doing this while we’re driving? Distracted driving is one of the most common ways accidents and even deaths happen on the road these days, and a lot of states in the US have started enacting laws completely prohibiting the use of smart phones while driving. It’s just not worth putting ourselves and others at risk, so I’ve committed not to use my smart phone while driving, and so should you. One easy solution I recommend is to store your smart phone in a Silent Pocket Faraday Sleeve. It’s small enough to store in your glove compartment or arm rest and it’s quick and easy to use. Pick one up today by visiting silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast, where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
It seems that we can’t go a single week without reporting news about yet another Facebook data leak or controversy. This week is no exception, as Facebook disclosed details about a leak of private group information such as post details, the number of group users, and, depending on whether group users opted in, names and profile pictures. This data may have been accessed by about 100 partners that had video streaming and social media management apps integrated into certain Facebook Groups. Apparently, the issue happened when Facebook was restricting access to the Groups API back in 2018. Facebook said that they believe 11 of these partners had accessed group information in the last 60 days and that they would kindly ask all 100 partners to delete any Facebook user data that they may have collected. Facebook also stated that there has been no evidence that Facebook user data was abused in any way, but that it will be conducting audits to confirm that said partners have deleted user data as requested.
In other Facebook news, NBC News released close to 7,000 pages of leaked documents that showed how Facebook was using user data as a bargaining chip with third-party developers. The data, which included 4,000 internal Facebook emails, web chats, and documents, shows that Facebook would give certain types of user data to certain high-value customers while also restricting certain types of user data from rival companies. For example, Amazon got special access to more user data because they were paying for ads on Facebook, and another company called MessageMe was completely cut off from user data because Facebook felt it was a competitor to its own Messenger product. Meanwhile, it was revealed that Facebook was using these moves to publicly show that they were protecting user privacy. This latest news is once again leaving Facebook in hot water, with a continuing onslaught of lawsuits by former customers and government inquiries.
Oh, and on top of all this news, Facebook announced a new logo which I’m certain will make all of their privacy problems go away. The new logo, which is attempting to show that all of the Facebook “property” apps are similar, seems to be an attempt to make it harder for government regulators to break up Facebook if that day ever comes.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
I’m not sure why, but whenever I hear about attacks using lasers I seem to think about Star Wars or that one scene from the movie Austin Powers, “Sharks with friggin’ laser beams attached to their heads”. In this case though, we’re talking about a team of security researchers who discovered a way to inject inaudible and invisible commands into smart speakers just by pointing a laser beam at the device. According to researchers from Japanese and Michigan universities, an attacker armed with a laser, only a few meters away from a smart speaker, can modulate the laser to create an acoustic pressure wave. This in turn tricks the microphone on a smart speaker into thinking that it’s receiving real audio. The vulnerability has been dubbed a “light-based signal injection” attack, and every popular smart speaker is vulnerable, including Amazon Echo, Siri, and Google Home. Not only that, but researchers also tested the laser trick on popular smart phones that use voice assistants, like an iPhone, Samsung Galaxy, and Google Pixel. These devices were vulnerable too, but only at very short distances. On the flip side, it seems that physical barriers like windows, distance, and of course your skill at aiming a laser all come into play when trying to exploit a vulnerability like this.
So should we all start to think about a laser defense system for our homes to combat this new risk? No, not really. First, I think research like this is often done to quickly grab media attention, making it seem like the sky is falling. The term we use in the cybersecurity industry for this is “stunt hacking”, where some researchers come up with far-fetched hacks just to gain media attention or speaking slots at major cybersecurity and hacking conferences. Now, I’m not denying that this is a real vulnerability and it’s some pretty cool research, but once again, common sense applies. First, it may have never been a good idea to connect your smart speaker to your home alarm system, smart locks, and even your garage door without thinking someone else may be able to just speak to your voice assistant to bypass your security. Second, there is some equipment and technical knowledge that someone would have to research, configure, and test, and they would also need the perfect environmental and situational conditions to actually pull this off. Like we’ve mentioned before, if someone is going to break into your house, they are more than likely going to do this by breaking a window or opening an unlocked door instead of hacking your smart speaker with a laser.
The BlueKeep remote code execution vulnerability, which Microsoft patched for older unsupported systems like Windows XP back in May of this year, is now being exploited in the wild against systems on the Internet through the Windows Remote Desktop Protocol (abbreviated RDP). According to security researchers, vulnerable systems are being compromised so that cryptocurrency mining malware can be installed. You may remember that earlier this year, warnings went out from Microsoft and even the National Security Agency about the seriousness of this vulnerability, in that BlueKeep has the potential to be “wormable”. Wormable means the exploit could propagate from one system to another, which would be similar to the infamous WannaCry worm in 2017. Security researchers Kevin Beaumont and Marcus Hutchins, who discovered that BlueKeep was being exploited in the wild, said that instead of this being a wormable threat, it appears to only target exposed RDP servers on the Internet and to install only cryptocurrency miner based malware. That is definitely good news, as these recent attacks may be limited to RDP servers that have exposed port 3389 to the Internet and have not been patched for the BlueKeep vulnerability. However, 700,000 systems were found on the Internet that are not patched! Systems affected include unpatched versions of Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
So the lesson here, besides not having RDP port 3389 exposed to the Internet, is to always keep your systems patched and up-to-date. Also, pay close attention to end-of-life announcements, when vendors like Microsoft say that a particular operating system, like Windows XP, is no longer supported because it’s so old and potentially vulnerable to attack.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.