Equifax Settlement, Android Video File Exploit, Encryption Backdoors

by Tom Eston on July 29, 2019

This is your Shared Security Weekly Blaze for July 29th 2019 with your host, Tom Eston. In this week’s episode: Details on the Equifax breach settlement, why your Android phone could be exploited by simply watching a video file, and encryption backdoors being requested by world-wide governments.

Can you believe that its almost August and that summer is almost over? I was just in Target the other day and noticed that the school supplies are already out! Once you see that you know the Halloween supplies are also right around the corner. It’s totally crazy! I don’t know about you but I want to plan at least a few more short trips with my friends and family which is my own desperate way to hold on to the last few fleeting moments of summer. So don’t let protecting your digital privacy get in the way of your plans. You should be using a Silent Pocket faraday bag or phone case which will block all wireless signals keeping your devices secure and completely off the grid so you can be focused on your time away. As a listener of this podcast you get 15% off your order by using discount code, “sharedsecurity” at checkout. See Silent Pocket’s full line of products at silentpocket.com today before summer gets away.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Everyone remember the Equifax breach that affected 147 million people? Do you think you may have been financially or otherwise impacted from this data breach? If so, you may be entitled to up to $20,000 for documented breach related expenses or 10 years of free credit monitoring services. You can also collect $125 if you already have a credit monitoring service (which, by the way, really doesn’t do much for you). This news broke last Monday when the FTC announced a proposed settlement that will cost Equifax $700 million dollars which will be the largest settlement related to a data breach in history. Equifax would be required to pay at least $300 million but up to $425 million and provide free credit monitoring for all victims of the data breach. In addition, Equifax will offer free resources for victims recovering from identity theft and six free credit reports for all US consumers starting in 2020. If you think you want to collect on this settlement, you’ll need to file a claim on the official claim site. Check out our show notes for a link to the FTC website which has all the details on where to file a claim. Note that fake sites are bound to pop up so be sure you only use the site linked from the FTC. If you think you may have a case to file a claim you’ll want to move quickly as you’ll only have 6 months to make your claim once the settlement is approved.

So is this settlement too little, too late? Even with the FTC now requiring Equifax to overhaul their security procedures does a fine like this even matter much? Like I talked about on last week’s show the 5 billion dollar fine about to be issued to Facebook for their handling of the Cambridge Analytica scandal, Facebook was able to make most of this fine up through the jump in their stock price. I think we will see the same with Equifax but with the caveat that I’m sure security teams internally at Equifax will actually have money now to spend on security personnel and additional security controls including incident response. Are you going to at least make a claim for $125 of this settlement? I’d love to hear your thoughts on this topic for discussion on a future episode of the podcast. So visit our contact us page at sharedsecurity.net/contact and tell us what you think is needed to keep companies like Equifax more accountable for protecting our personal information.

Sponsorships Available

Do you happen to use an Android phone? Not only do you need to worry about malware, fake apps, and phishing attacks but now there is a new exploit making the rounds that’s delivered through simply playing a video on your Android device. According to the Hacker News, there is a remote code execution vulnerability that affects over 1 billion devices running Android versions 7 through 9. That would be Android Nougat, Oreo, and Pie. The vulnerability itself resides in the Android media framework which if exploited could allow an attacker full control of an Android device. The attack works by tricking the user to play a malicious video file within the native Android video player application. That is, the video player that’s installed by default on most Android devices.

The good news is that Google has already released a patch earlier in July for this specific vulnerability but the bad news is that with the way Android patching works this update may or may not be pushed to Android devices depending on your carrier and device manufacture. This is one of the biggest problems with Android devices and that is, device fragmentation and the way security updates are delivered to Android devices, if at all. Note that if you receive a video through an app like Facebook Messenger or WhatsApp the video is always compressed and encoded so this type of exploit won’t work. The best course of action is to never click on video links via untrusted sources and of course update your Android operating system as frequently as possible.

And now a word from our sponsor, Edgewise Networks.

The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.

But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.

But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”

Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.

At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.

Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.

Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.

There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next.

That’s where NETSCOUT comes in.

Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.

With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, Cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www. NETSCOUT.com.

I read an interesting op-ed this past week (that we have linked in the show notes for you) about a comment that current US Attorney General Bill Barr told attendees at a cybersecurity conference last week regarding encryption. And that was “warrant-proof encryption is already imposing huge costs on society,” and that he has had enough of “dogmatic pronouncements that lawful access simply cannot be done.” He went on further to say “It can be, and it must be,”. Now this isn’t the first time that the US or other worldwide governments have made similar demands to the tech industry to create what would essentially be “backdoors” into apps and systems that use encryption, all in the name of “lawful access” to prevent terrorists and to enhance “public safety”. A great example is when the Australian government last year asked the maker of Signal, which is an end-to-end encrypted messaging app, to build in a backdoor For government use. Now the problem with backdoors is that they cause a weakness in not just the software, but the entire product or solution allowing an area for real attackers to exploit and find weakness. I like the authors analogy in which she says “Should a technology service provider bow to such demands and citizens are made aware of the existence of a deliberate backdoor, this is akin to asking them to have a front door installed in their home which is always left slightly ajar.” And it’s not just the encryption itself that governments are trying to backdoor. Just this past May Apple, Google, Microsoft, and WhatsApp rejected the UK governments request to add “ghost” users to private chats so that law enforcement could monitor conversations. Not too much different than a backdoor but still a way to circumvent existing security controls and the trust of the users using the app. And guess what, when users find out that an app has been either backdoored or surveilled by a government entity users, will find some other app to use.

The good news here is that that all the major tech companies like Google, Apple, and Microsoft have not given in to these demands nor should they. I like the authors opinion that requests like these are nothing more than self-fulfilling prophecy when encryption was originally adopted to protect government communications from the enemy within a time of war. Ironic, that its now us who may be the new enemy in the continuing battle for encryption and our privacy.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post Equifax Settlement, Android Video File Exploit, Encryption Backdoors appeared first on Shared Security Podcast.