You're listening to the Shared Security podcast, exploring the trust you place in people, applications and technology… with your host, Tom Eston. Facebook announces new off-Facebook privacy controls, how Apple made everyone's iOS device vulnerable, and details of the massive MoviePass data breach, in episode 83 for August 26, 2019.
This week I read another news article about how thieves stole a Tesla in about 30 seconds using the so-called relay or key fob attack. The attack works by using a device to amplify the signal between the car and the fob so that the car believes the fob is close by. When the device relays the signal back to the car, the doors unlock and the thief can steal the car. This is also a problem for other car manufacturers; it actually affects any car using PKES, or passive keyless entry and start, technology. Apart from disabling this feature, the easiest way of preventing this attack is to keep the key fob in a Faraday bag designed to block all wireless signals. If you want the finest Faraday bags available, you'll want one from Silent Pocket. In fact, Silent Pocket offers a key fob guard designed specifically to prevent a relay attack. Order one today by going to silentpocket.com and receive 15 percent off your order with the "shared security" discount code during checkout.
Visit silentpocket.com to see the incredible line of Silent Pocket bags and other products that are designed to protect your privacy. Don't forget that as a listener to this podcast you receive 15 percent off your order when checking out with the "shared security" discount code.
Hello everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy news stories of the week. These podcasts are published every Monday and give you "news you can use" in 15 minutes or less.
Ever wondered how certain products you were thinking about buying mysteriously appear as ads in your Facebook news feed? Is there some black magic going on here? Well, it's not black magic, but it is one of the many ways Facebook serves you more ads. Last week Facebook announced that it is finally implementing new privacy controls around what it calls "off-Facebook activity." Off-Facebook activity is data collected from websites and apps outside of Facebook. This can only occur when websites and apps use the Facebook login feature or have Facebook business tools enabled. These sites and services send some details of this activity to Facebook so that Facebook can display ads for the specific products. That's why ads for items or products you have looked at elsewhere on the internet show up on Facebook. Here is how off-Facebook activity works. Say you're looking for a new backpack on a site that sells backpacks. This site can send your device information, what you were looking for and other details so that Facebook can match that device to your Facebook account. Facebook then shows you an ad for this backpack or company. Facebook has always said that companies who use this feature do not receive your personal information such as your name and email address. All they know about you is a unique device identifier that allows Facebook to match your device.
This is the first time that Facebook is allowing you to control this data and even delete it and disconnect it from your Facebook account. Facebook will slowly roll out this feature over the coming months. The new privacy settings will enable you to view a summary of the information that other apps and websites send to Facebook, to disconnect that information from your account, and to disconnect future off-Facebook activity, either entirely or for specific apps and websites. So if all this data is disconnected from Facebook, do you no longer see ads? You will still see ads, but they're going to be less personalized than before. Keep in mind that this also applies to Instagram, as Instagram belongs to Facebook and is tightly embedded in Facebook's platform. Is Facebook finally trying to focus on user privacy, or is it too little, too late? Naturally, this new privacy control is a response to the Cambridge Analytica scandal and the beating Facebook has been taking from privacy experts for months now. My belief is that any control is only as good as the users who plan to use it. Unless Facebook makes this an "opt-out" setup, which automatically disconnects your off-Facebook activity by default, I don't think many users are going to go into their Facebook settings to turn off these connections. Of course, when these settings start rolling out, we will update our free Facebook Privacy and Security Guide. In the meantime, please check our show notes for the link to download the current version of our Facebook Privacy and Security Guide.
Apple made a big mistake last week with its latest iOS 12.4 update. The problem? Well, it appears that a serious vulnerability that was first patched in iOS 12.3 was accidentally unpatched. The vulnerability enables unsigned code to run on an iOS device, and allows a jailbroken device to install unauthorized apps and functions. From a security point of view, this is the first time I can remember that an Apple update made the entire platform vulnerable by reintroducing an earlier vulnerability. This means that the latest and greatest iOS update, 12.4, makes almost every iOS device vulnerable to compromise inside Apple's walled garden. So what kind of attacks are we talking about? Well, for one, malicious code that could be included in apps you download from the Apple App Store could be a risk, and the other is a malicious text message, or a bug leveraged in another installed application, which could be used by attacking nation states and others. Naturally, the largest risk to most of us is that malicious apps could be side-loaded with malware to take advantage of this vulnerability. The affected devices include all Apple iOS devices that do not run Apple's latest A12 processor. The iPhone X is, unfortunately, vulnerable, but newer iPhones such as the XR, XS and XS Max are not. The fix for this issue in 12.4.1 had not been published as of this podcast recording, so all we can do is wait and stay vigilant about the applications we download and the text messages we receive.
In other Apple news, if you have certain older MacBook Pros from 2015-2017, the FAA has banned these laptops from all flights in the US because of an Apple recall, as the battery could explode. It's unclear how the FAA will enforce this since most MacBook Pros look very similar, but if you do have an older MacBook Pro you can visit Apple's support website to find out if your MacBook Pro is on the recall list. Check out our show notes for the link to this support page.
And now a word from Edgewise Networks, our sponsor.
The biggest unresolved security problem is unprotected attack paths that threaten to compromise vulnerable cloud and data center targets.
However, traditional microsegmentation is too time-consuming and too complex, and offers limited measurable value.
But there's a better approach… Edgewise "Zero Trust Auto-Segmentation." Edgewise is incredibly simple… it delivers results immediately, with a proven security outcome and zero-touch management.
Zero Trust Identity automatically creates a unique identity for all communicating software and devices by combining cryptographic characteristics of the workload with risk classifications.
Edgewise protects all applications in any environment without architectural changes. Edgewise offers measurable improvement by quantifying the risk of an attack path, and demonstrates isolation between critical services to prevent any disruption to your applications.
Visit edgewise.net to learn how Edgewise can help prevent data breaches.
Another week, another data breach. This time, MoviePass has exposed tens of thousands of personal credit card numbers because of a wide-open, unprotected database. Security researchers from a Dubai-based company called SpiderSilk found 58,000 records containing credit card numbers and MoviePass's own customer card numbers, which are used in the same way as a debit card. The data also included personal information such as name, billing address and more that could be used to commit credit card fraud. The most surprising aspect was that none of that data was encrypted, and the data appears to have been exposed since May of this year. As in many such breaches, MoviePass did not seem to take the problem seriously at first. MoviePass did not reply to the security researchers' emails (even when an email was sent to the CEO) and only took the database offline when TechCrunch contacted the company. There was apparently a breach statement on the MoviePass website, but when you visit it you get a notice that the entire MoviePass service "does not accept new customers." If I were a MoviePass customer, I would be very concerned about the security of my credit card details. And as we always say about any credit card breach, make sure that you regularly review your credit card activity and enable whatever type of fraud alert your credit card company offers.
That's a wrap for the show this week. For previous episodes, visit our website, SharedSecurity.net, where you'll find links to our social media, our YouTube channel, and the sign-up for our email newsletter. First-time podcast listener? Please subscribe wherever you listen to podcasts, and please share this episode with friends and colleagues. Thanks for listening, and see you next time for another episode of the Shared Security Weekly Blaze.