Weekly Security Review - June 7, 2018

Here is this week's roundup of some cybersecurity issues to be aware of.  This week we have some very interesting stories to share, mainly on browsers and search engines.

IT Support Organizations Put Client Data at Risk with Trello

Last month there was a story out about people posting sensitive data, including usernames and passwords, to online collaboration spaces using the site Trello.  New data out this week suggests a large number of governments, IT support companies, marketing firms, and healthcare organizations are also posting this data on these sites and allowing it to be indexed by search engines.  What this means is that you can easily find this information using major search engines.  This demonstrates gross incompetence, especially when it comes to the IT support companies.  IT support companies posting credentials via online sharing sites puts all of their clients at risk as well.  There is no excuse for these companies doing this.  To be clear, this is not the fault of Trello.  The only liable parties are the companies, organizations, and governments posting this information.  Fix: Perform an internal audit to ensure your organization is not participating in this practice.
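One way to start the internal audit described above, as an added example that is not part of the original post: export each of your organization's boards to JSON and flag boards that are public along with cards that look like they hold credentials. The field names (prefs.permissionLevel, cards[].name, desc, shortUrl) are assumed from Trello's board JSON export, and the sample board and keyword list are constructed for illustration.

```python
import json
import re

# Constructed sample mimicking a Trello board JSON export (not real data).
# Field names are assumed from Trello's board export format.
SAMPLE_EXPORT = json.dumps({
    "name": "Client Onboarding",
    "prefs": {"permissionLevel": "public"},
    "cards": [
        {"name": "Router login", "desc": "user: admin\npassword: Example-Pass-123",
         "shortUrl": "https://trello.example/c/AAAA"},
        {"name": "Order new laptops", "desc": "Quote due Friday",
         "shortUrl": "https://trello.example/c/BBBB"},
        {"name": "VPN notes", "desc": "api_key=CONSTRUCTED0000KEY",
         "shortUrl": "https://trello.example/c/CCCC"},
    ],
})

# Heuristic: a credential keyword followed by ':' or '=' and a value.
CRED_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+")

def audit_board(export_text):
    """Return (is_public, findings) for one exported board."""
    board = json.loads(export_text)
    is_public = board.get("prefs", {}).get("permissionLevel") == "public"
    findings = []
    for card in board.get("cards", []):
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        hits = sorted({m.group(1).lower() for m in CRED_RE.finditer(text)})
        if hits:
            # Record only the keyword that matched, never the secret value.
            findings.append({"card": card.get("name", ""),
                             "url": card.get("shortUrl", ""),
                             "keywords": hits})
    return is_public, findings

if __name__ == "__main__":
    public, findings = audit_board(SAMPLE_EXPORT)
    print("board is public:", public)
    for f in findings:
        severity = "EXPOSED" if public else "review"
        print(f"[{severity}] {f['card']} ({f['url']}): {', '.join(f['keywords'])}")
```

A card flagged on a public board means the credential should be treated as compromised and rotated, not just deleted from the card.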

Apple Says No to Hidden Tracking

Later this year, Apple will release a new version of the Safari web browser that will prevent like, share, and comment buttons on websites from tracking you.  The announcement came at the Apple WWDC conference this week.  Although Facebook was not mentioned specifically by name, the announcement is clearly targeted at Facebook's practice of silent tracking.  These like, share, and comment buttons can track you even if you never click on them.  Apple will take this large step to prevent that for its users.  The Apple Safari browser continues to be my recommended browser.  It has superior security with privacy built in.  Under no circumstances would I ever recommend a browser like Chrome. Unfortunately, Safari isn't made for Windows.  So Windows users should look at Edge.  Fix: Look for the update to Safari later this year for macOS and iOS.

Flaw in Firefox and Chrome Exposes Facebook Details

Researchers have discovered a weakness in the way Chrome and Firefox interact with Cascading Style Sheets 3 (CSS3) that could have caused them to leak usernames, profile pictures and likes from sites such as Facebook.  This flaw was made known to Google back in 2017 and fixed recently by both companies.  Many issues like these come from browsers that use your location and usage information as a business model.  Since browsers are free, a company needs to get revenue from some source.  In the case of Google and Firefox, you are the product, meaning they monetize your usage to advertisers and other sources.  This is also what makes Facebook free.  Microsoft and Apple, by contrast, have revenue from other sources.  Fix: The fix to both browsers should be applied automatically.
