The Quora Data Breach, Facebook’s Private Emails, Google Location Tracking – WB46

This is your Shared Security Weekly Blaze for December 10th 2018 with your host, Tom Eston. In this week’s episode: In this week’s episode: the Quora data breach, Facebook’s private emails, and Google location tracking.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Be sure to enter our Silent Pocket Faraday Bag giveaway currently taking place until December 17th 2018. This prize package is valued at over $100! See our show notes for the link to enter and good luck!

ENTER THE SILENT POCKET GIVEAWAY: https://kingsumo.com/g/ydnieb/silent-pocket-faraday-bag-prize-package

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Another week and yet another massive data breach. This time the company is Quora, the popular question-and-answer website. In an announcement last week Quora disclosed that 100 million users may have had their private information stolen when a malicious third-party gained access to one of Quora’s systems. Quora states that the issue was discovered on November 30th and that investigation is ongoing. However, they did disclose that account information which is name, email address, encrypted password hashes (apparently using bcrypt with a salt), data imported from linked networks, public content and actions as well as non-public content such as direct messages have all been compromised.  One interesting point they made was that anonymous questions and answers were not affected by this breach because Quora does not store details of anonymous users using their site.  If you’re a Quora user, the typical data breach recommendations apply. Change your password and don’t use the same password for every site and service that you use. I did find it surprising that they did not mention enabling two-factor authentication. That’s because, unfortunately, two-factor authentication is not available for Quora’s users (at least as of this podcast recording).

Just two weeks ago Marriott announced that 500 million customers had their personal information stolen as well. Just as an update to this news, recent reports from Reuters now indicate that Chinese nation-state hackers may have been to blame as private investigators looking into the breach have found hacking tools and techniques previously attributed to China.  Having yet another announcement of a data breach that reaches into the hundreds of millions is becoming so common, I think many of us believe that this is just the new normal. While there isn’t much we can do about how third-party companies are protecting our information, what is under our control though is the very basics of good cybersecurity practices and that is, password management. Which means you should be using a password manager, create complex and unique passwords for every site that you use, and always enable two-factor authentication if available.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.

Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:

• Visibility into workload communication pathways;
• Security policies built on the cryptographic fingerprint of the software;
• The ability to apply policies and segment your networks in one click; and
• A way to continuously monitor and assess risk.

Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Facebook was in the news again this past week when private internal Facebook emails were disclosed in documents provided by the UK Parliament during a recent government panel that is investigating Facebook. The emails paint a very clear picture that back in 2012, many years before the Cambridge Analytica scandal, that Facebook was looking for ways to monetize the private information it had about its users. One of the ideas discussed with Facebook CEO Mark Zuckerburg was about charging apps and developers for access to user data, at about 10 cents per every data user request per year, but Zuckerberg rejected that approach and went with the one that is currently being used today, which is to get people to share more information on Facebook. Other interesting emails within the disclosure show that there were internal discussions on how to move Facebook to more mobile platforms instead of desktop and laptop computers which was more of a threat to their revenue model. In one of these emails they go as far as discussing how Facebook could gain access to call logs on Android phones without the user being alerted. These emails indicate that Facebook would rather decide to risk it, try to hide it through an app upgrade and deal with the public relations fallout later if anyone ever found out.

Look, we should all know by now that you and your information is the product when we talk about Facebook’s business model. Even with all the scandals surrounding Facebook, their business model, to monetize your data, is not going to change. What can change is what you want to do about it. Will you continue to allow your private data to be used so that Facebook can make more money? Have your really thought about the risk vs. the rewards of using Facebook?  These are all questions to ponder but no matter what Facebook does, ultimately, it becomes your risk decision to use Facebook or not because no one else can make that decision for you.

The BEUC, a large consumer organization in Europe that has members from 43 countries, said that 7 of those member countries will be filing complaints against Google for breaching the GDPR which is the well-known General Data Protection Regulation in Europe. The issue of complaint is regarding the way that Google tracks and handles users location data, which was specifically called out in a report from the Norwegian Consumer Council. The report states that Google’s design around privacy controls such as ‘Web & App Activity’, which is turned on by default, and ‘Location History’ which stores details about you and your location down to nearby Wi-Fi hotspots and even the battery level on your phone, are deceptive in that users may not be aware that this information is being tracked and also that the settings themselves to turn certain features on or off are confusing to users. This is also not the first time Google has been in hot water regarding how they handle location data of its users. Just this past October, a class action lawsuit here in the US was started, which is accusing Google as well as Facebook of tracking users locations even after users have turned off or opted out of location tracking. If you would like to see all the personal data that Google has collected about you, visit myaccount.google.com and click on the “My Activity” link.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/12/10/the-quora-data-breach-facebooks-private-emails-google-location-tracking-wb46/