Published on July 16th, 2019
Zoom Zero-Day, GDPR Fines, Google Assistant Recordings
This is your Shared Security Weekly Blaze for July 15th 2019 with your host, Tom Eston. In this week's episode: Zoom video conferencing zero-day, massive fines being issued for violating GDPR, and who might be listening when you talk to your Google Assistant.
Looking to protect your laptop, smartphone, and key fobs this summer? Well this week I'm excited to announce that you could win one of two Silent Pocket vacation prize packages which include a passport wallet, medium faraday sleeve, and 5 liter drybag! Check out our post on Twitter @sharedsec or on Instagram @sharedsecurity for contest rules and how to enter. And don't forget, listeners of this podcast receive 15% off at checkout using discount code "sharedsecurity". Visit silentpocket.com to see the latest Silent Pocket products built to protect your digital privacy.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you "news that you can use".
Do you or your organization use Zoom for video conferencing? If so, and you happen to be using it on a Mac, you'll want to pay close attention to this story. The problem? Well, a security researcher last Monday disclosed that a vulnerable web server is automatically installed on Apple Mac computers during the installation of the Zoom client. What this means is that any website could be used to forcibly join a user to a Zoom call, with their video camera activated, and without the user's permission. On top of that, the researcher also discovered that the vulnerability would allow any webpage to conduct a Denial of Service attack on a victim's Mac by constantly joining the user to an invalid call. And if that wasn't enough, when you uninstall the Zoom client, the web server remains installed and active. The researcher disclosed the vulnerability to Zoom back in March, but after many meetings (and fixes that didn't work) the researcher decided to disclose the vulnerability to the public. The next day Zoom issued a patch to remove the web server and to allow users to uninstall the Zoom client, which will now fully remove the web server. Zoom's CEO posted a blog post apologizing to customers and noting that they will be improving their bug bounty program, as well as issuing another update, which took place over the weekend of July 13th, to further lock down the "video on" by default setting. Also, Apple made a surprising move on Wednesday by issuing a silent update to all Macs automatically uninstalling the Zoom web server. Many people don't realize that Apple has the power to issue patches and updates to Macs connected to the Internet at any time, and while this seems creepy, it's actually a good thing when Apple can take immediate and swift action to patch a critical vulnerability without user interaction. Check out our social media feeds for the latest updates on this developing story.
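The core of the Zoom issue above is a helper daemon that keeps listening on the machine's loopback interface and answers HTTP for any page that asks. A simple defensive check is to enumerate which local ports answer HTTP and compare them against the services you know you installed. The script below is an added example, written for this post and not code from the podcast, Zoom, or Apple; the page does not give the port Zoom's helper used, so the ports to probe are a parameter, and the throwaway "demo-local-helper" server it starts is a constructed stand-in used only so the check can be run offline.

```python
import socket
import threading
from http.client import HTTPConnection, HTTPException
from http.server import BaseHTTPRequestHandler, HTTPServer


def loopback_http_listeners(ports, host="127.0.0.1", timeout=1.0):
    """Probe the given loopback ports and return {port: {"status": ..., "server": ...}}
    for every port that accepts a TCP connection. A port that connects but does not
    speak HTTP is still reported (status None) so a human reviews it."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            probe.settimeout(timeout)
            if probe.connect_ex((host, port)) != 0:
                continue  # nothing listening on this port
        try:
            conn = HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", "/")
            resp = conn.getresponse()
            found[port] = {"status": resp.status, "server": resp.getheader("Server", "")}
            conn.close()
        except (OSError, HTTPException):
            found[port] = {"status": None, "server": ""}
    return found


def unexpected_listeners(found, allowlist):
    """Ports that answered but are not in the set of local services you know about."""
    return {port for port in found if port not in allowlist}


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a local helper daemon (not Zoom's server)."""

    def version_string(self):
        return "demo-local-helper"  # value reported in the Server header

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the stand-in daemon on a free ephemeral loopback port; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)  # port 0 = pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def reserved_closed_port():
    """Return a loopback port that is currently free, so probing it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]  # the socket is closed on exit, freeing the port


if __name__ == "__main__":
    srv = start_demo_server()
    demo_port = srv.server_address[1]
    # On a real machine you would pass the ports reported by `lsof -iTCP -sTCP:LISTEN`.
    report = loopback_http_listeners([demo_port, reserved_closed_port()])
    for port, info in report.items():
        print(f"127.0.0.1:{port} -> HTTP {info['status']} Server={info['server']!r}")
    print("review these:", unexpected_listeners(report, allowlist=set()))
    srv.shutdown()
```

The allowlist is the important part: a local HTTP listener is not inherently wrong (many tools use one), but any listener you cannot map to software you intentionally installed, and especially one that survives an uninstall, is worth investigating.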
The General Data Protection Regulation, also known as GDPR, is now starting to penalize organizations which are found to have violated these now enforced consumer privacy protections in the European Union. Last week the Information Commissioner's Office in the UK issued British Airways a staggering fine of 183.4 million pounds (about $230 million) because of the data breach affecting 500,000 customers last year. This $230 million fine is roughly 1.5% of British Airways' revenue and is the largest fine issued to date for violating GDPR regulations. And that's not all: the global hotel giant Marriott was also issued a fine of $125 million for their data breach which impacted 339 million customers across the world. Of course both companies can contest the fines to make their case, but this is the first time we've seen a large financial impact due to a GDPR violation.
But does issuing fines for violating regulations actually help prevent data breaches? If we use PCI DSS compliance fines as an example, not much will probably change. PCI DSS (which stands for the Payment Card Industry Data Security Standard) is what US merchants who process and store credit card data need to comply with. Fines from the card brands can vary between $5,000 and $100,000 per month depending on lots of things like the size of your business and the type of non-compliance involved. And in some extreme cases, violations can prevent a company from taking credit card payments. Now PCI has been around for a long time, and have we seen the amount of data breaches related to credit cards go down? Not really. In fact, as I talk about on this podcast all the time, data breaches seem to be increasing. So is that the game that's being played? The more data breaches that happen, the more money the regulators make? Look, I'm sure fines are a pretty severe penalty for most businesses, but when it comes to giant companies like Marriott and British Airways, will this just be another accounting write-off, or will GDPR really set the stage to force more organizations to take data privacy seriously?
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that's hard to measure.
But there's a better approach… Edgewise "Zero Trust Auto-Segmentation."
Edgewise is impossibly simple microsegmentation… delivering results immediately, with a security outcome that's provable, and management that's zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services, so that your applications can't be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
These days, it's rarely a case of "if" you'll be hacked and more a question of "when." Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.
There is one single source of truth that can expose the hacker: the packets on the network. They contain the information necessary to understand where a hacker may be, what they're stealing, and where they're going next.
That's where NETSCOUT comes in.
Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.
With NETSCOUT's Visibility Without Borders you'll get the visibility you need to see across any network, data center, cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.NETSCOUT.com.
If you think Amazon is the only company that is taking heat about privacy issues with their popular voice assistants, think again, as Google is also in the hot seat: they admitted last week that Google contractors can access voice recordings from Google Assistant. This all started with a Belgian journalist who obtained audio files containing voice recordings of about 1,000 users. The recordings were found to have disclosed personal data like names and addresses, as well as conversations that would be deemed extremely private. Google hires contractors to assist with making translations as well as making the technology better by having humans review thousands of voice recordings. The Google Assistant works just like Amazon's and Apple's voice assistants: you say a wake word or key phrase like "OK, Google". But like all of these voice assistants, it will sometimes record unintentionally if you happen to say a word similar to a key phrase, or when recording for some reason continues after you've finished asking a question. Google issued a statement noting that the contractor who disclosed these recordings violated their data security policies, and that they do hire language experts to do transcriptions on about 0.2 percent of all recordings, which are not associated with user accounts. So what do you think? If your personal information was disclosed in a Google Assistant or Amazon Alexa recording, would you be concerned? Or are you OK with giving up a little bit of your privacy for the convenience of using a voice assistant?
That's a wrap for this week's show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
*** This is a Security Bloggers Network syndicated blog from Shared Security Podcast authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2019/07/15/zoom-zero-day-gdpr-fines-google-assistant-recordings/