Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript This is your Shared Security Weekly Blaze for July 2nd 2018 with your host, Tom Eston. In this week’s episode: New WPA3 Wireless Standard, Malicious Smartphone Batteries and the Exactis Data Leak.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The anxiously awaited new wireless standard, WPA3, has officially been launched by the Wi-Fi Alliance last week. This new wireless standard will fix several known vulnerabilities with the previous WPA2 standard such as the KRACK attack which can allow an attacker to intercept and decrypt wireless network traffic. Note that many Wi-Fi device manufactures have already patched for the KRACK attack, however, the Wi-Fi Alliance made sure that WPA3, by default, included protection for this particular attack and other known issues with WPA2.
WPA3 will have increased protection against brute-force attacks and support for something called SAE (Simultaneous Authentication of Equals) which will prevent attackers from decrypting previously captured network traffic even with a compromised Wi-Fi network password. Other new features include individualized data encryption to prevent local “Man-in-the-Middle” attacks and a feature called “Wi-Fi Easy Connect” which will allow simple and secure pairing of Internet of Things devices that don’t have a visual screen or display. This will replace “Wi-Fi Protected Setup” or also known as WPS which has been proven to be insecure. According to the Wi-Fi Alliance, mass adoption by device manufactures and consumers is predicted to start taking place towards the end of 2019.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Last week, security researchers have shown that maliciously crafted smart phone batteries can allow an attacker to harvest sensitive information such as characters typed on the touch screen, browser history, detecting incoming phone calls and when a photo has been taken. It’s also possible to exfiltrate that data, one bit at a time, through the web browser installed on the device. This exfiltration can take place through something called the Battery API that is available in the Google Chrome mobile browser. The Battery API was deemed a privacy issue by Apple and Mozilla so it was removed from Safari and Firefox. While this particular attack seems pretty farfetched, this research shows the possibilities with attacks that may target mobile devices through the supply chain, especially in China where most mobile phones are manufactured. It’s not that far of a stretch when we already have malware that has been installed in hardware and other devices coming through similar supply chains for many years now. One of the researchers that discovered this issue says “The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods, nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes”. Check out our show notes if you’re interested in learning more about this attack and research.
Another large data leak was announced last week, this time exposing approximately 340 million individual records. This data leak was linked to a data aggregator and marketing firm called Exactis which apparently was collecting the names, email addresses, phone numbers, addresses and other demographic information including personal interests. For comparison, the Equifax breach last year exposed 145 million records but also had much more sensitive data exposed such as people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license and credit card numbers. In addition, there is proof that criminal hackers did access and steal the Equifax data. With this latest data leak it’s not known if anyone malicious actually accessed this data besides the security researcher who found the database sitting on a server accessible by anyone without restriction. The data was found by security researcher Vinny Troia who was using the Shodan search tool looking for ElasticSearch databases that may be exposed to the Internet. ElasticSearch is a database that is frequently found by security researchers on servers that are misconfigured allowing unrestricted access to data within the ElasticSearch database. Upon finding this data the researcher contacted the FBI as well as Exactis about his findings and Exactis fixed the issue so that the data was no longer accessible.
Huge data leaks like this one are becoming much more common in just the last year or so and much of this data is found just sitting out on the Internet with the ability for anyone to access. Many of these data leaks we’ve previously discussed on the podcast and in our social media feeds. Let’s see what the remainder of the year brings but in the meantime, we need to continue to do all that we can to limit the amount of private information that firms like Exactis collect.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.