September 13, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
Misconfigurations are often the cause of data breaches
Last week I was reading a fairly technical article when this paragraph struck me as valuable to everyone:
When most of us think of a “hack,” we think of some exploit in technology, or a vulnerability in software being used as the method of entry. It is important to realize that misconfigurations can be just as dangerous and are just as commonly abused as technical vulnerabilities. Outdated protocols, incorrect permissions, password reuse, lack of SMB signing, and lack of outbound traffic restrictions are great examples of misconfigurations which can lead to your network being compromised just as easily as an unpatched system.
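Three of the misconfigurations in that list (an outdated protocol, missing SMB signing, and unrestricted outbound traffic) can be checked on a Windows host in a few lines. The script below is an added example, not code from the quoted article or from any vendor; it assumes Windows 10 / Server 2016 or later (the SmbShare and NetSecurity modules) and an elevated PowerShell session, and the allow rules it creates (DNS and HTTPS) are placeholders you must adjust before switching a profile to default-deny.

```powershell
# Added example (not from the quoted article): audit three common
# misconfigurations on a single Windows host and optionally fix them.
# Assumes Windows 10 / Server 2016 or later and an elevated session.
[CmdletBinding()]
param(
    [switch]$Enforce   # Without this switch the script only reports.
)

$findings = @()

# 1. Outdated protocol: SMBv1 has no signing or encryption and well-known flaws.
$smbServer = Get-SmbServerConfiguration
if ($smbServer.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Enforce) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. Lack of SMB signing: unsigned SMB sessions can be relayed or tampered with
#    on the wire. Check both the server side and the client side.
if (-not $smbServer.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing'
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
$smbClient = Get-SmbClientConfiguration
if (-not $smbClient.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing'
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 3. Lack of outbound restrictions: Windows Firewall allows all outbound traffic
#    by default, so anything that lands on the host can phone home freely.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.DefaultOutboundAction -ne 'Block') {
        $findings += "Firewall profile '$($fwProfile.Name)' allows all outbound traffic by default"
    }
}
if ($Enforce) {
    # Allow what the host actually needs BEFORE switching to default-deny,
    # otherwise name resolution, updates and web access break. These two rules
    # are placeholders (an assumption of this example); adjust them to your environment.
    New-NetFirewallRule -DisplayName 'Allow DNS out'   -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53  | Out-Null
    New-NetFirewallRule -DisplayName 'Allow HTTPS out' -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 | Out-Null
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: SMBv1 off, SMB signing required, outbound default-deny in place.'
} else {
    Write-Output "Found $($findings.Count) misconfiguration(s):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it without `-Enforce` first and read the findings; the SMB changes take effect immediately, and the firewall change will cut off any traffic you have not explicitly allowed, so test it on one machine before rolling it out.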
Verizon wrote a good blog post on this subject a while back, with one line that really hits home:
Mitigating the impact of security misconfiguration is easier when you have a strong security policy and patch management system in place.
So many organizations, in particular small businesses, are completely lacking a security policy and a patch management system. It doesn't have to be complicated or expensive, though! I wrote a white paper (Protecting Company Data with Simple Security Policies) last year that's worth a read. Put a simple policy in place, and turn on auto-updates everywhere. Boom! You have vastly improved the security of your network without spending a penny.
Amazon just can't get enough of your personal information
Two recent stories illuminate even more ways that Amazon is determined to know more about you than you know yourself:
Amazon’s Roomba Deal Is Really About Mapping Your Home
Really interesting story in Bloomberg about Amazon's deal to buy iRobot Corp., makers of Roomba vacuum cleaners:
Amazon.com Inc. hasn’t just bought a maker of robot vacuum cleaners. It’s acquired a mapping company. To be more precise: a company that can make maps of your home.
Seriously, this is a really good read. Talk about eye-opening!
Slightly more terrifying, the maps also represent a wealth of data for marketers. The size of your house is a pretty good proxy for your wealth. A floor covered in toys means you likely have kids. A household without much furniture is a household to which you can try to sell more furniture. This is all useful intel for a company such as Amazon which, you may have noticed, is in the business of selling stuff.
Are you sure you want one of those things in your house? Because Amazon has such a great track record at protecting customer data (eyeroll so hard I'm about to sprain something).
Whole Foods Wants Your Handprints. What Could Possibly Go Wrong?
More than 65 Whole Foods stores in California have implemented a new palm-reading technology as a payment method:
Customers can activate their palms by registering a handprint via an Amazon One kiosk or at checkout in participating stores. Along with a skin scan, you’ll need to offer a bank card, provide your phone number, and say “yes Jeff” to Amazon’s terms and conditions.
Of course, buying groceries is just a stepping-stone. Amazon patented this technology in 2019, and one imagines they are planning to license it out to everyone for everything: picture waving your palm to enter a football stadium on the weekend and your office building during the week. Now we don't just have a payment system, we have an identification system.
So what's the problem? In addition to the privacy implications, the security considerations are enormous. The scanned palm images will be stored in a special cloud Amazon has dedicated to this project. Didn't Jeff Bezos' mama tell him not to put all his eggs in one basket? What an incredible target for hackers of all stripes! The value of this repository of biometric data will be limitless to both cyber criminals and nation state actors.
As Bruce Schneier famously said, “If someone steals your password, you can change it. But if someone steals your thumbprint, you can't get a new thumb.”
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺