This is the Shared Security Weekly Blaze for April 9, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 9th 2018 with your host, Tom Eston
In this week’s episode: The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service and the Saks Fifth Avenue and Panera Data Breaches
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. I also have several shout outs this week to @yohun and @nevon on Twitter as well as Richard, David and Johann on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Ever since the Facebook Cambridge Analytica controversy an online movement has started to form called #DeleteFacebook. The delete Facebook movement is in response to Facebook’s recent privacy firestorm regarding the way the social network collects your personal information. I’m sure many of you have had friends or family either say they are quitting Facebook or are planning on doing so because of everything that’s been going on in the news about Facebook recently. Having said that, I wanted to quickly talk about the #DeleteFacebook movement and how it applies to what we talk about on this podcast.
When Scott and I started this podcast back in 2009 it was called the “Social Media Security” podcast and for very good reason. Social networks like Facebook were just starting to get popular and it seemed like the wild west in regards to the lack of privacy controls as well as awareness of social network security issues. As the years went on we began speaking more about social network risks and privacy issues but also how to use them safely. We soon realized that all of us were going to use social media at some point so how can we use it with some sense of balance between our privacy and the need to share information with friends and family. Education became the theme rather than “delete your accounts and never use social networks”. In fact, Scott and I make it well known that we use social networks like Facebook all the time and even promote engaging us on various social media platforms so that we can have conversations about these important topics. We strongly believe that education, through the use of social media, can make the most impact to others about privacy and security issues.
One of the taglines that the podcast developed over the years is, “we bring you stories, advice and tips to make better risk decisions because no one else can make them for you.” This tagline is what this podcast is all about and tells us that it’s your decision to use Facebook or not. Like most everything in life, there is always a risk of something. If you accept that Facebook is going to harvest your personal information, as what it was designed to do, than you accept that risk. If it seems too risky and you want to delete Facebook and all other social media, that’s fine as well. However, we believe that all of us can use social networks more safely and can limit the amount and type of personal information that we share. Remember that you ultimately have control of what you post and the information you share on social networks.
Internet performance and security company Coudflare released a new privacy focused DNS service this past week called 1.1.1.1 which aims to solve several of the privacy issues related to using the DNS service of your Internet Service Provider (or ISP). If you’re not familiar with what DNS is and why it’s important, here’s a quick overview. DNS stands for the Domain Name System. You can think of DNS as a big directory of the Internet. Whenever you type in a website like sharedsecurity.net into your web browser the first thing that happens is that a DNS server needs to be queried to find the IP address of that name. If we didn’t have DNS we would all have to remember IP addresses such as 69.39.236.80 to get to a website like sharedsecurity.net. With Cloudflare’s DNS service, you can use their DNS server instead of the one your ISP provides (or the ISP of the wifi you use at say a coffee shop).
What Cloudflare has done is built a DNS service to address two specific privacy issues related to using your ISPs DNS service. First, because of the recent ruling by the FCC on net neutrality, ISPs like Comcast, AT&T and others can potentially sell your browsing history. Without the DNS records associated with your browsing history, this makes it much more difficult for an ISP to track you. Second, ISPs (especially ones in certain foreign countries) have been known to censor access to social media and other sites to prevent communication for journalists and human rights activists. By using a third-party DNS service like Cloudflare you could get around restrictions like these. However, it’s important to note that even when using a third-party DNS provider, your ISP will still know who you are by your IP address and could eventually put together the sites and services that you’re using because you’re still using your ISPs infrastructure. The only way to fully avoid being tracked by your ISP is to use a VPN service or Tor. VPNs and Tor have their own challenges so be sure to check out the show notes for links to previous episodes of the podcast where we discuss VPNs and Tor in more detail.
Other advantages of using Cloudflare’s DNS service include the commitment to delete all logs within 24 hours and implementing better security of the DNS protocol itself by adding the protection of encryption to all queries. In regards to the deletion of logs Cloudflare is hiring KPMG, a large consulting firm, to audit them annually to ensure they are deleting logs like they say they are. Last but not least, Cloudflare promises to speed up your browsing as they have been rated the fastest DNS service even above Google and other third-party DNS services. More speed and more security are always a good thing when using the Internet.
So how do you use Cloudflare’s new DNS service? It’s fairly simple to set up and configure on your devices and even your home wifi router so all the devices on your home network will use the Cloudflare DNS service. Check out our show notes for the walk-through Cloudflare provides for full details.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In this week’s data breach news, 5 million credit cards have been compromised from Canadian retail brands company HBC (or known as Hudson’s Bay Company). The company owns popular clothing brands Saks Fifth Avenue, Saks Off 5th and Lord & Taylor. According to a report from security firm Gemini Advisory, only a portion of the compromised cards are being offered for sale on the dark web but expects this to increase over the next several months. From a breach impact perspective it seems that all of Saks Fifth Avenue and Lord & Taylor locations had malware installed on the point of sale systems at each store which allowed the compromise of credit cards from May 2017 to now. If you used your credit card at any Saks Fifth Avenue or Lord & Taylor locations be extra vigilant about checking your credit card statements and it’s highly recommended to call your credit card issuer to obtain a new card.
In other related news Panera Bread finally shut down a data leak of potentially millions of customer records through its website. The vulnerability was actually reported to Panera about eight months ago but wasn’t fixed until the researcher contacted famed reporter Brian Krebs from Krebsonsecurity.com who wrote an article about the breach. Information that was easily accessed included names, emails, addresses, birthdays and the last four digits of credit card numbers from customers that have ordered food through Panera’s online ordering system. Check out the show notes if you’re interested in the gory details about the researcher and his attempts to contact Panera about the vulnerability but this is a great example of how a company should not handle a major security vulnerability that was identified by a researcher in good faith.
Compared to the good response we saw from Under Armour with the MyFitnessPal data breach the other week, this response was extremely poor. This recent data leak from Panera shows that companies need to be more accountable for poor security and incident response practices. How can we hold companies like Panera more responsible you may ask? Well as a consumer you have a choice to take your business elsewhere and you should decide if you want to buy products and services from organizations that have poor track records for security and the protection of your personal information. Until we all can agree to hit these companies where it hurts, their bottom line, then we will most likely continue to see incidents like these continue.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
