
Shared Security Podcast
567 episodes — Page 10 of 12

Chinese Spying, Facebook Shadow Contact Information, iPhone X FaceID Privacy – WB37
This is your Shared Security Weekly Blaze for October 8th 2018 with your host, Tom Eston. In this week’s episode: Chinese Spying, Facebook Shadow Contact Information and iPhone X FaceID Privacy.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

I have a small favor to ask you. We would really appreciate it if you could leave us a review on iTunes. To leave a review, simply click the iTunes link in our show notes for this episode. We’ll be sure to thank you for your review on a future episode of the podcast. Thanks for your support!

In late breaking news on Thursday last week, a report from Bloomberg detailed a large-scale supply chain attack which is believed to be one of the largest spying programs ever conducted by a nation-state. According to the report, a very small microchip, about the size of a pencil tip or grain of rice, was installed and hidden in servers that were being used by approximately 30 American companies, which include Apple and Amazon. These chips were apparently installed during the manufacturing process in server motherboards manufactured by a company called Super Micro, which happens to manufacture its products in China.

Of course, as you might assume, these chips were allegedly installed by the Chinese government to spy on American companies, giving China the competitive advantage in the highly competitive technology space. While Amazon, Apple, Supermicro and even China are denying the claims made in this report from Bloomberg, it’s not that far of a stretch when you consider that China has been known to install malicious software into the hardware supply chain in the past and that 75% of all mobile devices and 90% of all PCs in the world are manufactured in China. Whether this story is true or not, securing the hardware supply chain is a very difficult problem to solve, even when hardware is manufactured in a country like the United States. For example, back in 2016 one US-based mobile phone company that makes cheap Android-based phones found a software backdoor installed on their devices which would send information from the device, you guessed it, back to China. So while the hardware itself was not manufactured in China, the software on the Android device was.

I remember when I was working as a security consultant several years ago we would strongly advise business clients that when traveling to China they should use a “disposable” laptop and mobile device with very little or no corporate data on them. When our clients returned from China we strongly told them to never ever plug their laptop back into their corporate network and to give it to us for forensic analysis. We gave this advice to our clients because we actually had one client in particular that had their laptops and phones hacked while they either went through Chinese customs or during their stay in China. This client in particular had their proprietary design information about a new product on said laptop.

Time will tell how this Bloomberg story pans out, but in the meantime, especially if you’re in the business of having confidential or proprietary business information that might be valuable to a nation-state such as China, be sure to take extra caution with devices that store or handle sensitive or proprietary business information.

Facebook was back in the news this past week with the revelation that the phone number that you may have provided Facebook for security purposes, like for two-factor authentication, is being shared with advertisers. To make matters worse, you don’t even have to willingly provide your phone number at all because of something called “shadow” contact information. Shadow contact information is any contact information, like your phone number, that is shared when your friends upload their contact information to Facebook. What this means is that even if you’ve never given your number to Facebook, your friends may have without you knowing. What’s also unfortunate about this news is that once again, we seem to be forced to make a privacy trade-off where we have the need to secure our accounts with two-factor authentication but must also allow our phone number to be harvested by advertisers so that we can be served more ads. This news should giv

Facebook’s Fake Account Crackdown, Privacy Upgrade to HTTPS, New Security Features in Apple iOS 12 – WB36
This is your Shared Security Weekly Blaze for October 1st 2018 with your host, Tom Eston. In this week’s episode: Facebook’s fake account crackdown, privacy upgrade to HTTPS, and new security features in Apple iOS 12.

Facebook has recently taken a tougher stand against fake profiles, specifically ones being used by law enforcement. In a letter that Facebook sent to the Memphis Police Department, Facebook states they have disabled fake accounts that were set up by the police department because they violate Facebook’s terms of service, which note that you must use your real name while using the social network. Privacy advocates like the EFF have been critical of this position in the past since in some cases, free speech may put certain users at risk if real identities are being used. However, regardless of how you feel about this policy, it’s good to see Facebook applying these rules to everyone, including law enforcement. In fact, as the EFF has pointed out, Facebook recently updated their help page titled “Information for Law Enforcement Authorities” and under their misrepresentation policy they state “People on Facebook are required to use the name they go by in everyday life and must not maintain multiple accounts. Operating fake accounts, pretending to be someone else, or otherwise misrepresenting your authentic identity is not allowed, and we will act on violating accounts”.

Law enforcement aside, fake accounts on Facebook have always been a problem ever since Facebook started getting popular around 2008. In fact, I remember giving a talk at a hacker conference about social network bots and the underground criminal networks that had created automated tools and scripts to target unsuspecting social network users. Check out our show notes for a link to this talk and a nostalgic look into the younger version of yours truly. Oh, and in full disclosure, I may have pushed the limits of fake account creation back then as well. Now I gave that talk back in 2009, but bots and fake accounts are still running rampant on Facebook and other social networks. They are even using those same techniques I talked about back then to friend thousands of strangers in order to solicit spam or to get them to click on links which lead to malware and phishing scams. The best advice to avoid becoming a victim of a fake account or bot in your friends list is to only accept friend requests from people you actually know in real life. But even that can lead to problems, especially if someone is impersonating one of your friends. Our advice is to contact that friend out of band, for example, via a text message or phone call, to verify that they are who they say they are.

In other late breaking Facebook news last Friday, a serious vulnerability in the “View As” profile feature was identified by Facebook’s own engineers that affects almost 50 million accounts. The vulnerability allowed attackers to steal the access tokens which could then be used to take over other people’s accounts. Facebook states that they’ve already fixed the vulnerability and have reset the passwords of around 90 million accounts that may be affected by the issue. Facebook states that they are also working with law enforcement and greatly apologize for any inconvenience this may cause Facebook users.

How private do you think your web browsing history is? As we all know, HTTPS encryption helps protect the content of the information we share with websites we are accessing. There have also been new ways to encrypt DNS queries, like DNS over TLS and HTTPS. However, even with an HTTPS connection, your ISP can still see the sites that you’re going to because DNS queries are typically not encrypted. That’s why one company called Cloudflare introduced a new public DNS server called 1.1.1.1 which supports DNS over TLS and HTTPS that encrypts DNS queries as well. But did you know that there are other ways that ISPs can snoop on the sites that you’re visiting? One large gaping hole that has been identified is something called the “Server Name Indication” extension or SNI. In simplistic terms, you can think of SNI as a way to route HTT

Mobile Phone Call Scams, Pegasus Mobile Spyware, Newegg Data Breach – WB35
This is the Shared Security Weekly Blaze for September 24, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. You can also watch each episode of the podcast on our YouTube Channel!

Show Transcript

This is your Shared Security Weekly Blaze for September 24th 2018 with your host, Tom Eston. In this week’s episode: Mobile phone call scams, Pegasus mobile spyware, and the Newegg data breach.

Raise your hand if you’re sick and tired of receiving scam and fraudulent phone calls on your mobile phone. I’ll assume that all of you are probably raising your hand right about now, myself included. Well, not to be the bearer of bad news, but according to a recent report, nearly half of the mobile phone calls received in the US next year will be scams. A report from First Orion, which makes phone call data transparency solutions, notes a dramatic increase in mobile scam calls “from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019”.

Many of these calls are using a technique called “Neighborhood Spoofing”, which happens when a scammer makes their number look like a real local number, tricking the victim into picking up the call. Since these numbers are typically spoofs of real numbers, sometimes if you call these numbers back, you’ll get a real innocent person, not the scammer who spoofed the number. While many of us are either manually blocking scam calls through the features on our phones or using a third-party app to screen and block calls, the best way to stop these calls from happening seems to be with the mobile carriers themselves. First Orion seems to be addressing this with an in-network technology called “CallPrinting” that is said to significantly reduce the volume of scam calls. First Orion’s press release states that this technology will be used by one Tier-One US carrier this fall. In regards to third-party apps, I’ve recently installed an app called “AT&T Call Protect” which seems to work fairly well to block scam calls. This is a free app for AT&T mobile customers. I’d say that it’s slightly reduced the number of scam and robocalls that I’ve received, but I find it’s not perfect as blacklisting scam numbers seems to be an endless pursuit.

So what are your thoughts? Have any of you used these third-party scam call blocking apps? If so, we would be interested in hearing what you think about how effective these apps are so we can discuss on the podcast. Send us a message on Twitter, Facebook or email and let us know if these apps are helping or hindering your fight against scam calls on your mobile phone.

A fascinating report released by privacy and security research group Citizen Lab this week shows that a very sophisticated form of mobile spyware, called Pegasus, has been found on Android and Apple iOS phones in 45 countries including the US, UK and Canada. Some of these countries have been known for questionable human rights practices. Citizen Lab researchers point out that Pegasus is being installed on devices to conduct cross-border surveillance and may be breaking the law in the US as well as many other countries where Pegasus was found. Pegasus spyware is sold by an Israeli company called the NSO Group and has been used in the past by powerful nation states and governments to target human rights activists and other individuals under surveillance for one reason or another. In this recent research by Citizen Lab they estimate that Pegasus is being used by at least 33 different NSO Group customers. Back in 2016, one of these individuals targeted with Pegasus was UAE activist Ahmed Mansoor, who was able to provide Citizen Lab researchers his iPhone to analyze when he received a very odd and strange link sent to him via a text message. When clicking the link, this particular version of Pegasus launched three zero-day exploits for Ahmed’s particular version of Apple iOS and would have allowed full a

Malware-Less Email Attacks, Equifax Breach Updates, Vizio Class Action Lawsuit
This is the Shared Security Weekly Blaze for September 17, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. You can also watch each episode of the podcast on our YouTube Channel!

Show Transcript

This is your Shared Security Weekly Blaze for September 17th 2018 with your host, Tom Eston. In this week’s episode: Malware-less email attacks, Equifax breach updates and the Vizio class action lawsuit.

Security vendor FireEye released research this past week which shows that 90% of the half-a-billion emails blocked through their product in the first half of 2018 were found to be “malware-less”, meaning there were no malicious attachments or other code within the email itself that would attempt to compromise victims. Phishing actually made up 81% of what are considered malware-less attacks. Malware-less attacks also use impersonation of a trusted sender or company and include intimidation, links to malicious sites and sometimes forged requests. Other interesting data points include: malware-based attacks were most common on Mondays and Wednesdays, and malware-less attacks were most likely to occur on Thursdays. Data from the report also notes that phishing attacks will continue to rise.

Just for a minute, let’s forget about the day of the week that attacks like these are most likely to occur and focus on what you should do if you do receive a malware or malware-less email in your inbox. As we all know, social engineering techniques are often used to convince you to click a link or submit sensitive information to the attacker. In fact, we just released episode 80 of our monthly show with social engineering expert Chris Hadnagy, in which we talk to him about the different types of social engineering techniques used in phishing and many other types of attacks. It was great having Chris on the show so definitely give this episode a listen. Emails using social engineering techniques are one of the most popular ways to target victims because email is still one of the primary means of communication that we all use, especially in the business world. While many businesses typically have some type of security product to screen emails for potential attacks, it won’t help in situations with personal email or when these products don’t work as expected. Your first line of defense is to “think before you click”. This means for any suspicious email, take a step back for 30 seconds, read the email carefully and look for clues that indicate that the email might be a phishing attack. Check out our show notes for a great guide put together by TripWire on the six most common phishing attacks and how to protect against them.

The Equifax data breach last year, which exposed the personal information of almost half of the US population, has yielded very little change in regards to Equifax profits and any federal laws that could be implemented to prevent another breach as large as this one. The Chicago Tribune reported in an article last week that Equifax posted record revenue last quarter of $877 million and will most likely post a record profit next year. In fact, Equifax has recovered about 90 percent of the losses that were caused by last year’s data breach. I’m actually a little surprised that Equifax has been able to “skate” around any financial penalty or other serious impact to their business. It does make you wonder how they have been able to keep the public reaction to this data breach to a low roar. It seems that the only positive news coming out of this data breach is that there is more awareness from a consumer and legislative perspective as well as a pending class action lawsuit that is still in the early stages of development. One small but recent win for consumers is that President Trump signed a bill into law this past May which states that consumers can freeze their credit for free this week beginning on September 21st. This new law will remove the $5-$10 fee that was imposed by the various credit agen

Episode 80 – Special Guest Chris Hadnagy and Social Engineering The Science of Human Hacking
This is the 80th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright, recorded September 5, 2018. This podcast is also available to watch on our YouTube Channel.

In this very special episode we’re joined by Chris Hadnagy (@humanhacker), who is the author of the new book “Social Engineering: The Science of Human Hacking”. We talk with Chris about his new book, how Social Engineering has changed over the years and what he’s been up to with his organization the Innocent Lives Foundation, Social-Engineer.com and the recent DEF CON SECTF (Social Engineering CTF).

Here are the links that we mentioned on the show:
Our previous interview with Chris in Episode 68
Innocent Lives Foundation
Social-Engineer.org
Order Chris’ new book on Amazon

Thanks to Chris for being a guest on our show!

Five Eyes Security Alliance, Google and Your Offline Purchases, Privacy by Default in Firefox
This is the Shared Security Weekly Blaze for September 10, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. You can also watch the podcast by subscribing to our YouTube Channel!

Show Transcript

This is your Shared Security Weekly Blaze for September 10th 2018 with your host, Tom Eston. In this week’s episode: The five eyes security alliance, Google and your offline purchases, and privacy by default in Firefox.

The “Five Eyes”, which is a long-running security alliance between the US, UK, Australia, New Zealand, and Canada, agreed in their annual meeting a few weeks ago that “privacy is not absolute” and “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”. In addition, it was also stated that technology companies should be urged to “voluntarily establish lawful access solutions to their products and services”. If that is not possible, due to push back from technology companies, intelligence agencies may take matters into their own hands. What this means is that if technology companies do not build or develop backdoors into their products, law enforcement may develop their own ways to hack into devices or could work to enact legislation to eventually force technology companies to create these backdoors.

Encryption and government backdoor access, as you may remember, has been a very hotly debated topic as the needs of law enforcement oftentimes conflict with the needs of encryption and privacy that we all are entitled to. We all realize that the same encryption that we use to safeguard our legitimate private and business data is the very same encryption that criminals use. However, allowing our governments backdoor access to bypass or circumvent encryption weakens security for all of us. You may recall the controversy over the FBI asking Apple to break into the seized iPhone from the San Bernardino shooting that took place in 2015. Apple rejected the FBI’s demand, so the FBI apparently found their own way to access the device from professional hackers that may have had a 0day vulnerability to allow access to the iPhone. I would suspect that because of this new rhetoric from government alliances such as the “Five Eyes”, the 0day market for exploits allowing governments ways to bypass encryption solutions is going to be much more popular as the arms race around encryption and privacy continues.

It seems that we can’t stop all the news about how Google uses your information to serve you more ads or to track your location, even if you disable the setting to not allow location tracking. If that wasn’t bad enough, it was reported last week that Google has a secret deal with Mastercard to track what users are purchasing offline. According to a report by Bloomberg, sources with knowledge of the deal say that Google and Mastercard have been negotiating for about four years to allow Mastercard transaction data in the US to be encrypted and sent to Google. This data would allow Google to match existing Google users to actual physical purchases. This means that when Google users click on ads, those clicks can be tracked to actual sales in physical stores. In response to this Bloomberg article, Mastercard has stated that they do not provide any transaction data to third parties and that Mastercard does not “know the individual items that consumers purchase in any shopping cart – physical or digital”. Google has also stated that it does not have access to any personal information from its partners’ credit and debit cards, and that Google does not share any personal information with its partners. So who are we to believe? First, we need to keep in mind that Google’s ad business had 95.4 billion dollars in sales just last year alone. You know as well as I do that Google is going to do

US Federal Privacy Law, WhatsApp Google Drive Warning, Improved Security for Instagram
This is the Shared Security Weekly Blaze for September 3, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for September 3rd 2018 with your host, Tom Eston. In this week’s episode: US Federal Privacy Law, WhatsApp’s Google Drive Warning and Improved Security for Instagram.

The New York Times reports that the technology industry in the United States is beginning to lobby the Trump administration to create federal privacy legislation. Sources say that this proposed federal privacy law would first overrule the recent California privacy law and second, be much softer and less restrictive than the California law in regards to the way personal data is handled by technology companies. You may remember that back in July of this year the state of California passed their own privacy law which is very similar to the European Union’s GDPR privacy legislation that went into effect this past May. It’s no surprise that technology companies like Google, Facebook, and others who have come under great scrutiny over the way that they protect and use our data are now “freaking out” over the possibility that if they don’t act soon to heavily influence the creation of a federal privacy law, their businesses and profitability will suffer greatly. The California Privacy Act and GDPR have been huge wins for data privacy around the world but have caused much pain for companies like Google and Facebook that rely on advertising revenue which is built from the collection of your private data.

Look, there will most likely be a federal privacy law enacted in the US at some point. What that eventually looks like is anyone’s guess. I will say that it’s going to get complicated very quickly when the technology lobbyists that have tons of money, from companies like Facebook and Google, push their own agendas. Moreover, add in the various trade groups such as the US Chamber of Commerce and others that are trying to enact voluntary standards that businesses can follow vs. the federal laws. Federal laws would most likely enact fines for breaking the law. It’s unfortunate that our digital privacy seems up for grabs by corporations and governments more than ever before.

Are you an Android user that is storing your WhatsApp data backups in Google Drive? If so, you need to know that backups of your WhatsApp messages are not encrypted once they leave your device and are stored within Google Drive. Last week, WhatsApp reminded its users that backup services like Google Drive may not have the same protections, such as end-to-end encryption, that WhatsApp provides while using the app. This announcement came to the forefront due to recent news that Google has now stopped WhatsApp backups from counting towards Google Drive space limits. On the other hand, if you’re a WhatsApp user on Apple iOS, your backups are sent to iCloud which does provide end-to-end encryption of WhatsApp backup data by ensuring anything that is stored at the server level is encrypted. This means that the WhatsApp backup data file itself is not encrypted but the location within Apple’s iCloud storage is. I think that you know why Google Drive is not encrypted, right? Google is using data from your documents, just like your email in Gmail, to serve you more ads.

This news from WhatsApp should make you think about how any of your backups are stored and what would happen if backups for your computer, phone or an application that was storing sensitive data were lost or stolen. It’s an interesting question as cloud based storage seems to be all over the place in regards to who encrypts data stored at the server level (also known as ‘at rest’) and who doesn’t. For example, I was surprised to learn that Microsoft OneDrive is only encrypted for Office 365 business users and not for personal accounts. So what are some quick solutions? With any backup that you make through a cloud based solution, take a

Election Hacking and Vulnerable Voting Machines
This is the 79th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright, recorded August 23, 2018. This episode is available on our YouTube Channel and is the very first episode that we recorded over video via Skype! We apologize for the poor video quality at times and will be testing additional video streaming via Facebook or YouTube live in the future. Please subscribe to our channel and let us know how you like this new format!

In this episode Tom and Scott discuss election hacking, which has been top of mind for many of us and a hot topic in the news, especially with the midyear elections coming up in the United States. Tom talks about the DEF CON Voting Machine Hacking Village, what was discovered and how hacking voting machines will hopefully make elections more secure in the future. As mentioned on the show, we recommend checking out previous podcast guest Rachel Tobac’s short video on how easy it was to hack a voting machine used in 18 US states in under 2 minutes:

“At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl” — Rachel Tobac (@RachelTobac) August 12, 2018

Scott also discusses the recent phishing “attack” on the Democratic National Committee (DNC) that actually was an authorized phishing test and some of the challenges with disclosing or not disclosing phishing tests to employees.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

New TSA Body Scanners, Back to School Cybersecurity, Instagram Hacking
This is the Shared Security Weekly Blaze for August 27, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Show Transcript This is your Shared Security Weekly Blaze for August 27th 2018 with your host, Tom Eston. In this week’s episode: New TSA Body Scanners, Back to School Cybersecurity, and Instagram Hacking. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable, and undetectable. Visit silent-pocket.com for more details. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. The city of Los Angeles California in partnership with the US Transportation and Security Administration jointly announced that the city of Los Angeles is purchasing body scanners that will be used to screen metro riders. This new body scanning technology will be used to help detect weapon and explosive device security threats on one of the largest public transportation systems in the US. The Los Angeles metro system is also the first transportation agency in the nation to purchase such equipment. The technology is similar to what is used at airports, called millimeter wave technology, but does not emit radiation and no anatomical body images are displayed. What makes this type of scanner technology different is that these work off of your body heat and can detect objects that are hidden when heat waves are blocked. 
The other big difference is that metro passengers just need to walk by the scanners and not stop to line up like you normally would going through airport security. The other advantage is that the devices are portable, meaning they can be moved to a different area of a public transportation system if needed. This news reminded me of a scene from the 1990 movie “Total Recall” with actor Arnold Schwarzenegger. There was a scene where passengers in the movie walked through a security system that was essentially an “x-ray” of their body. Skeletons of passenger bodies were displayed as security personnel observed passengers to detect weapons that might be coming into the transportation system. Back in 1990, most people watching that scene must have felt a little uneasy and concerned about the privacy ramifications of such invasive security technology. Funny that this was just a pipe dream back in 1990, but now, very much a reality 28 years later. Given the security climate since 9/11, this technology shouldn’t really be a surprise to anyone. Coming full circle, privacy concerns are still very real today. In fact, there have been many cases of the TSA screening passengers inappropriately and abusing technology like this by violating passengers’ privacy all in the name of “keeping us all safer”. Let’s hope that when this new scanning technology rolls out across the US, and I would assume across most of the world, we continue to hold the people in charge of these systems accountable to ensure our privacy while balancing the needs of security. It’s that time again as school is starting back up for most students and we begin the yearly tradition of getting kids ready and prepared for school. With the new school year being top of mind for many of us, it’s a great time to think about how our schools are protecting student data from attackers looking to compromise and steal confidential student information. 
As of this podcast recording, according to the K-12 Cybersecurity Resource Center, there have been 356 cybersecurity related incidents targeting K-12 schools since January 2016. Many of these incidents were ransomware attacks. Surprisingly, in 2016 it was noted by the US Department of Education that 60 percent of K-12 schools that were victims of ransomware attacks actually paid their attackers to get stolen student data back. There have also been other disturbing stories, like one recent incident in the Tulsa Oklahoma Public School district where confidential student records were found in a dumpster. But it’s not only the outside attackers and careless school personnel you have to worry about, it’s also the students themselves. There has been a sharp increase in recent years of students hacking into their school networks and applications in order to change grades and attendance records. Based on these recent statistics and news stories you may be curious to know what the schools your kids go to, or the ones i
The Shared Security Weekly Blaze – ATM Cashout Attacks, Mobile Phone Voicemail Security, Google Location Tracking
This is the Shared Security Weekly Blaze for August 20, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Show Transcript This is your Shared Security Weekly Blaze for August 20th 2018 with your host, Tom Eston. In this week’s episode: ATM cashout attacks, mobile phone voicemail security and Google location tracking. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. This is the 30th episode of the Weekly Blaze Podcast! I wanted to give a quick shout out and thank you to our listeners and sponsors for supporting the show! Thank you for all the feedback that you provide and we look forward to bringing you more great content in the coming weeks and months. Thanks for listening! The Federal Bureau of Investigation is warning banks that criminals are looking to carry out a highly organized global “ATM cash out” in which criminals take previously cloned credit cards and use them at ATMs around the world to withdraw millions of dollars of cash all within a few hours. In the past, this attack has been done around a holiday when banks and financial institutions are closed. This is because the limited staff at banks during a holiday makes it difficult for a bank to quickly respond to an attack like this. 
Similar attacks in the past have targeted small to medium sized banks, which may not have the robust security and fraud teams that a larger bank may have. Brian Krebs from Krebsonsecurity.com reports that this most recent FBI alert was related to a card breach of a bank in India called Cosmos. In this incident attackers drained $13.5 million from accounts using cloned cards at 25 different ATMs located in India, Hong Kong and Canada. Malware was also installed on the bank network which was used to help process the fraudulent ATM transactions. In the alert to banks the FBI noted several common tips to help prevent banks from becoming a victim, but the truth of the matter is that many small and medium sized banks do not have the resources or staff to properly defend their systems from a dedicated attacker on their network. The best course of action for the rest of us is to stay vigilant about checking our credit and debit card statements and ensure you set up some type of fraud alerts for any transactions that may happen on your card. As a reminder, using a debit card instead of a credit card can be more risky due to the fact that money is instantly removed from your checking account and it can take weeks for the bank to reimburse you. Check out our show notes for a link to our episode on credit card fraud in which we discuss tips on how to prevent becoming a victim of this type of crime. When was the last time you thought about the security of the voicemail on your mobile phone? If you’re like most of us, probably not at all. But as one security researcher named Martin Vigo demonstrated at the DEF CON hacking conference in Las Vegas this past week, it’s all too easy to hack into someone’s voicemail. Why would someone want to hack into your voicemail, you may ask? Well, there are many popular online apps and services that use a phone call to deliver a code that you can use to verify your identity through things like a password reset process. 
You may be surprised to know that this is a popular option for authentication alongside SMS text messaging, which hopefully all of you know is considered insecure. If you can hack someone’s voicemail, you now have the potential to compromise someone’s email, social networks, banking apps, conversations and much more. Martin’s research showed that sites like PayPal, WhatsApp, Instagram and LinkedIn all have a feature to call you to reset your password. So how does one go about hacking into someone’s voicemail? The first step is to find the backdoor number for the victim’s mobile carrier which allows you to log in to the voicemail system to hear messages. Voice mailboxes are protected with a PIN code and many of these mailboxes are configured with default or easy to guess PIN codes, many of which are only 4 or 6 digits in length. In fact, Martin wrote a tool that can brute force common PIN codes and can also try random combinations of numbers until one of them w
The Shared Security Weekly Blaze – Facebook and your Financial Transactions, Smart Home Security, Critical HP Printer Vulnerabilities
This is the Shared Security Weekly Blaze for August 13, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Show Transcript This is your Shared Security Weekly Blaze for August 13th 2018 with your host, Tom Eston. In this week’s episode: Facebook and your financial transactions, Smart Home security and critical HP printer vulnerabilities. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. The Wall Street Journal reports that Facebook is asking large banks to share customer information and financial records so that they can potentially offer financial services via Facebook Messenger. The proposal from Facebook includes getting access to bank customers’ card transactions, account balances as well as information on where customers are spending their money. In return for customer information, Facebook will provide banks with access to Facebook user information, which may be lucrative to a large bank looking to sell and target their services to existing and new customers. Facebook has said that they would not use any information provided by banks for targeted ads and would not share this data with third parties. 
This news comes as Facebook is still conducting damage control on their public relations after the infamous Cambridge Analytica scandal where the personal data of approximately 87 million Facebook users was harvested without user consent. My take on this story is that Facebook needs to find new and innovative ways to collect user data which in turn allows companies to use the Facebook Platform to give you, guess what, more ads. We all know how Facebook makes money and that’s through your data being used to sell you more stuff. It should be no surprise then that Facebook is looking to get into the social financial business recently made popular by PayPal’s Venmo app. Haven’t heard of Venmo? Venmo is an application which allows social sharing of financial transactions. Venmo itself has also been in the news recently for the ease with which anyone can publicly view the financial transactions of anyone using the app. This is because all Venmo transactions are made public by default. This past July a savvy developer created a Twitter bot called “@VenmoDrugs” to showcase any financial transactions related to drug deals, sex or alcohol. The developer eventually removed the Twitter account after being the center of some controversy and news reports, but it does demonstrate that there is money to be made with an app that allows transactions to be public by default. Venmo won’t be the last app that will monetize the social sharing of financial transactions and it seems Facebook doesn’t want to be the last. Have you recently sold your home or moved into a home that has smart devices like thermostats, lights, cameras, alarm systems and other “Internet of Things” devices installed? Have you thought about resetting or changing the passwords that would allow access to those devices? 
Smart-device security, especially in a home that is being sold or if someone is moving out because of a domestic abuse situation, is being reported as a large problem that many people are now dealing with. For example, it can be very common for an ex-husband to leave a home due to a pending divorce but still have access to all the smart-devices like lights, cameras and even thermostats. This can lead to abuse of this technology and cause real privacy concerns, especially with victims of domestic abuse. In regards to new homes, we all know that whenever you purchase a home that had a previous owner, you should always change the locks, garage and alarm codes and anything else that the previous owner had knowledge of. But if you happen to inherit smart devices as part of the purchase, you need to make sure you reset these devices back to default to ensure any previous access is removed. For other domestic situations, it’s advisable to reset any Internet of Things devices as well as ensure you have administrative access to these accounts, or disable or change passwords as necessary. With the increase of smart-devices in our homes we need to ensure we add smart devices to the list of things to secure whenever our living si
The Shared Security Weekly Blaze – Quiet Skies TSA Surveillance Program, SIM Hijacking and the Reddit Data Breach, Sextortion Scams
This is the Shared Security Weekly Blaze for August 6, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Show Transcript This is your Shared Security Weekly Blaze for August 6, 2018 with your host, Tom Eston. In this week’s episode: The Quiet Skies TSA surveillance program, SIM hijacking and the Reddit data breach, and sextortion scams. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. If you like our weekly podcast we would really appreciate you leaving a five star review in iTunes. We’ll be sure to thank you on the show! Click the iTunes link in our show notes for this episode to leave us a review and thank you for your support! Ever feel like you’re being followed when you’re at the airport or while on a flight recently? Well, you may actually have been followed, as the Boston Globe reported last week that federal air marshals are following US citizens that are not suspected of a crime at airports and on airplanes. 
The previously unknown program called “Quiet Skies” has caused controversy within the Transportation Security Administration (aka the TSA) as thousands of US citizens that are not on any watch list are being surveilled and observed to see if they violate 15 rules which are part of a checklist that air marshals need to follow. Characteristics that air marshals look for include things like: excessive fidgeting, wide-open staring eyes and even whether the subject slept on the flight or went to the bathroom. According to the report, about 35 passengers are targeted every day and there are 2,000 to 3,000 federal air marshals that conduct this and other air marshal duties across airports in the United States. What I find interesting is that federal air marshals themselves are questioning the need for the Quiet Skies program. One air marshal said to the Boston Globe “What we are doing [in Quiet Skies] is troubling and raising some serious questions as to the validity and legality of what we are doing and how we are doing it”. Groups such as the ACLU are now involved, questioning if passengers’ constitutional rights are being violated by this program given that people’s race, religion or mental health may put someone under surveillance. Of course, the TSA declined to discuss the Quiet Skies program but noted that “federal air marshals leverage multiple internal and external intelligence sources in its deployment strategy”. As many of you are hopefully aware, the TSA in the United States has come under much scrutiny over the last several years due to treatment of passengers during screening as well as the federal air marshal program itself. It should be interesting to see how this recent revelation about the previously secret “Quiet Skies” program puts more pressure on Congress to further scrutinize the activities of the TSA and the Department of Homeland Security. Last Thursday, the popular news and social media site Reddit announced that they had a data breach. 
The data breach apparently happened in June and exposed some user data including current email addresses and a backup database which had usernames and hashed passwords from 2007. The attackers apparently targeted several Reddit employee accounts that were being used with Reddit’s cloud and source code providers. Reddit noted that while they did secure these employee accounts with SMS based two-factor authentication, the attackers were still able to compromise these accounts even with two-factor authentication enabled. It’s important to note that the attackers did not compromise further Reddit systems or user accounts. This most recent data breach example further demonstrates that sites and services need to move away from using SMS based two-factor authentication and start using authenticator apps like Google Authenticator or provide methods to use a hardware token or solution such as a YubiKey. As we’ve mentioned before on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port out scams. SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone
The Shared Security Weekly Blaze – Bluetooth Vulnerabilities, Malicious Apps Removed from Twitter, Gmail Confidential Mode
This is the Shared Security Weekly Blaze for July 30th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Click here to leave your review in iTunes! Show Transcript This is your Shared Security Weekly Blaze for July 30th 2018 with your host, Tom Eston. In this week’s episode: Bluetooth vulnerabilities, malicious apps removed from Twitter and Gmail confidential mode. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Researchers from the Israel Institute of Technology announced a critical vulnerability in Bluetooth technology which could allow an attacker, within physical proximity of the Bluetooth device, to intercept, monitor, or change the data being used by the Bluetooth device. Several vendors of Bluetooth implementations including Apple, Broadcom, Intel and Qualcomm have firmware and some software drivers that are vulnerable to this attack. 
The vulnerability is caused because the current Bluetooth specification recommends, but does not require, that a device supporting two specific features (called Secure Simple Pairing and LE Secure Connections) validate the public key received over the air when pairing a Bluetooth device. It’s important to note that there is no evidence that this vulnerability is being exploited in the wild and that vendors are working on patches if their implementations of Bluetooth are affected. So what does this Bluetooth vulnerability mean for you? First, always stay up-to-date on patches for any Bluetooth device that you may be using. For this vulnerability in particular the good news is that Apple, Intel and Broadcom have already released patches. What may be more problematic is more obscure “Internet of Things” devices, which happen to use Bluetooth, that may never receive updates because they were either manufactured cheaply or were not designed with security updates in mind. This, of course, is a much larger problem that does not have an immediate solution. However, the risk here seems very low for most of us because an attacker needs to be in very close proximity of the victim. Last week Twitter announced that it removed more than 143,000 malicious apps from their service. Twitter said that the applications were removed between April and June of this year but did not specify which apps were deleted, only saying that they removed these apps because developers had violated Twitter’s policies. Twitter stated in a blog post that “We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter”. In addition, Twitter announced a new app registration process for developers which has applicants go through a more rigorous approval process, including having developers include all details on how their apps will be used and limiting the number of default apps that developers can create to 10. 
This news from Twitter comes at a time when other large social networking companies like Facebook are cracking down on malicious and spammy apps. In Facebook’s case, the infamous Cambridge Analytica controversy made Facebook audit all apps that had requested user data in the past. Facebook has removed around 200 or so apps since they began this audit earlier this year. Facebook has also significantly changed its developer policies to align with better privacy data practices since the Cambridge Analytica controversy as well. In related Facebook news, it’s worth noting that Facebook suffered its largest drop in market value, to the tune of $119 billion, when they announced their Q2 quarterly earnings on a call with investors last Wednesday. Facebook stated that they will be taking a “privacy first” approach with their product development which will likely have an impact on future revenue growth. This news caused the biggest ever one-day loss in market value for a U.S.-listed company in the history of the US stock market. This is an interesting development as the demand for greater privacy and transparency from Fac
The Shared Security Podcast Episode 78 – Summer Camp Facial Recognition, Dark Web Dangers
This is the 78th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright, recorded July 18, 2018. Listen to this episode and previous ones direct via your web browser by clicking here! Subscribe to our new email list! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up via this link today! In this episode Tom and Scott discuss the recent trend in using facial recognition technology at kids’ summer camps. While there are many advantages for parents that are looking for easier ways to see what their kids are doing at camp, the use of facial recognition technology also opens up many questions and concerns about the privacy and security of this technology, especially when it comes to our children. We also discuss the risks of using the “dark web”: what the dark web is, how you access the dark web, what the associated risks are, and why you may not want to browse and use dark web (.onion) sites if you don’t know what you’re doing. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The Shared Security Weekly Blaze – Lost and Stolen Devices, Instagram and SIM Hijacking, LabCorp Security Breach
This is the Shared Security Weekly Blaze for July 23rd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 23rd 2018 with your host, Tom Eston. In this week’s episode: Lost and stolen devices, Instagram and SIM hijacking and the LabCorp security breach. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. Did you know that over 26,000 electronic devices (including mobile phones, laptops and eReaders) were lost in the London transport system last year? 
A report released by a research firm called Parliament Street showed that the majority of lost devices, to the tune of 23,000, were mobile devices, followed by laptops with approximately 1,000 devices lost. This announcement has been a wakeup call of sorts for UK businesses to ensure that there are protections in place for the data being stored on lost or stolen devices. Not only does this present a business risk, but also a personal privacy risk as well. I’m sure many of these devices were not properly protected by very basic device security controls such as passcodes for mobile devices and full disk encryption for laptops. While 26,000 devices does seem like a lot, imagine how many devices go missing in an even larger transportation system like the one in New York City. Physical device security is one of the most important, and easiest, security controls you can implement on your devices to avoid having your data accessed if your mobile phone or laptop is ever lost or stolen. Some of the basics for a mobile phone are to ensure you’re setting a long, complex passcode or passphrase, ensure that the device is erased after 10 failed login attempts, as well as enabling any GPS or location tracking so that you have a way to find your device if it’s ever lost. You’d be surprised how many people are able to find their lost device by using a feature like this. Also, for laptops always enable full disk encryption that is enabled upon powering on your laptop. For Windows laptops, depending on whether you have Windows 10 Professional or not, you can enable BitLocker for full disk encryption. If you have Windows 10 Home Edition, you can use a free and open-source full disk encryption solution called VeraCrypt. MacOS users should enable FileVault which is installed with all modern versions of MacOS. See our show notes for links to these different full disk encryption solutions to ensure your devices are protected if they are ever lost or stolen. 
Instagram is reported to be developing a more secure way of two-factor authentication by moving away from text messages to more app based solutions like Google Authenticator or Duo. As we’ve previously reported on the Weekly Blaze, SIM card “port out” scams or also known as SIM hijacking attacks have been on the rise in just the last year or so. A SIM hijacking scam is where an attacker will call your mobile carrier and use social engineering techniques to transfer your mobile number to another carrier, thus, giving the attacker access to receive SMS text messages. This access is then used to reset passwords on many popular apps like Instagram as well as your email service which can also be used to reset passwords. Many celebrities and others with very valuable Instagram user names have been a target of this attack but it can really happen to anyone, especially if you’re known to be trading bitcoin or other cryptocurrency. With the recent popularity of cryptocurrency, this attack is now financially motivated. So what can you do to prevent becoming a victim of a SIM port out scam? First, contact your mobile carrier to ensure you have set up or configured a P
The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy
This is the Shared Security Weekly Blaze for July 16th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 16th 2018 with your host, Tom Eston. In this week’s episode: Polar fitness app location data exposed, blocking scam phone calls and the Samba TV privacy controversy. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. I wanted to clarify a few details about the new California Privacy Act that I discussed on the Weekly Blaze podcast last week. While this law applies only to California residents, it will most likely have broader implications for all major businesses in the US. Most major companies that deal in personal data have some California customers. That will leave those businesses with two options: either build systems and procedures to comply with California law, or treat Californians one way and every other customer another. It should be interesting to see how this plays out in the coming months before this law is made official in 2020. 
Here we go again with more fitness apps exposing the location of spies and military personnel. You may remember back in February on the second episode of the Weekly Blaze podcast we discussed how the popular fitness app Strava inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. This information was all found through Strava’s publicly available “world-wide heatmap” of Strava users. This time it’s fitness tracker Polar’s turn: its app, “Polar Flow”, has a developer API that could be improperly queried. In addition to what is visible on the public Polar user map, the data exposed includes all user details, including GPS coordinates. Journalists from the Dutch news site De Correspondent were able to identify over 6,400 users across 69 different nationalities that had been using the Polar Flow app, and to see who they are and where they worked by using Google and LinkedIn to correlate the data. Many of these users were found to work for different government agencies including the Dutch military. Dutch authorities have noted that this is a major problem, as there are rules that the Dutch military should not wear their uniforms in public or have other personal information exposed which could identify them, due to recent terrorist threats on military members and their families. Polar responded last week by taking its publicly available activity map offline and issuing a statement noting that all users have “opted-in” to have their private information shared, as by default all workouts are private. However, there was no word from Polar about that misconfigured developer API. The Dutch military, as well as those of other countries, have started banning the use of fitness trackers due to these security concerns. 
Like we always mention on the show, even if you make sure your privacy settings in fitness apps like these are locked down, there may be ways, like insecure developer APIs, that could be used to pull your private data anyway. Let this issue with Polar be a reminder that you need to determine for yourself if you accept the risk of putting your personal workout data and location out there for anyone to potentially access. Don’t you hate robocalls, telemarketers, and scammers calling your phone day in and day out? Well, Google announced last week that they are going to be adding a new feature to their phone app called “Call Screen” which will automatically screen calls from unknown and suspicious numbers. This new feature, which looks like it may launch on the Google Phone, will make suspicious callers answer one or more automated questions. The audio and a transcription of the answers are then relayed to the call recipient so they can decide if they want to answer the call or not. This feature comes on the heels of a new “warning filter” that was implemented for telemarketing calls that is now
The Shared Security Weekly Blaze – Mobile App Data Leaks, The California Privacy Act, Third-party Gmail Access
This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for July 9th 2018 with your host, Tom Eston. In this week’s episode: Mobile app data leaks, the California privacy act, and third-party Gmail access. Researchers from a mobile security company called Appthority have released concerning details about their research into Android and Apple iOS apps that use a cloud-based backend database called Firebase. Firebase was acquired by Google in 2014. Appthority reviewed more than 2.7 million mobile apps and discovered that around 2,000 of these apps had unsecured Firebase databases. These databases were found to be wide open, allowing anyone to view around 2.6 million user names and plaintext passwords, 25 million GPS location records, 50 thousand financial transactions and approximately 4.5 million user tokens for social media sites. 
In addition, over 4 million PHI (Protected Health Information) records were found containing prescription and private chat records. To add insult to injury, all that was needed to access these unsecured databases was to append a simple “/.json” to the end of a database host name. The good news is that Appthority reached out to Google to alert them of the issue, and Google was able to contact app developers to fix it. Ironically, in our last episode of the podcast, we discussed the Exactis data leak which exposed 340 million records due to developers not properly securing ElasticSearch databases. Data leaks due to developers not properly securing and configuring databases seem to have reached epidemic proportions. The unfortunate side effect of data leaks like these is that if your data happened to be exposed, you may never know about it. Of course, unless your data happens to show up on a list of compromised databases like Troy Hunt’s “Have I Been Pwned” service, it’s very hard to know if criminals have accessed or used data from all these recent data leaks. Until developers and database software take a “security by default” approach and companies are held more accountable for securing our private information, data leaks like these are going to continue well into the future. The new California Privacy Act of 2018, recently passed by the California legislature, will apply to more than 500,000 US businesses according to the International Association of Privacy Professionals (IAPP). This new law is similar to the GDPR privacy legislation that was recently enacted by the European Union. Beginning in January of 2020, all California residents will have rights to transparency about data collected, the right to be forgotten, a right to data portability and a right to opt out of having their data sold. 
This law will apply to any business in California that collects personal information and to businesses that sell or disclose personal information for a specific business purpose. Ironically, some of the largest companies that use and sell personal data, such as Google and Facebook, are headquartered in California. These new rules will be enforced by the California attorney general, and businesses could face fines of up to $7,500 for each violation. This bill is currently the strongest privacy law in the United States, so it will be interesting to see if other states follow suit or if legislators start discussing a federal privacy law in line with what currently exists with the European GDPR privacy legislation. Google confirmed last week that emails from Google’s free Gmail email service can be read by some third-party app developers. Specifically, third-party apps can request access to users’ Gmail accounts if there is particular functionality that requires email access. For example, some apps need to send and receive emails or integrate into a mail account to pull out specific data. Most of the time it
The Shared Security Weekly Blaze – New WPA3 Wireless Standard, Malicious Smartphone Batteries, Exactis Data Leak
This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for July 2nd 2018 with your host, Tom Eston. In this week’s episode: New WPA3 Wireless Standard, Malicious Smartphone Batteries and the Exactis Data Leak. Did you know that you can now opt-in to our brand new email list for the podcast? Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. The anxiously awaited new wireless standard, WPA3, was officially launched by the Wi-Fi Alliance last week. This new wireless standard will fix several known vulnerabilities in the previous WPA2 standard, such as the KRACK attack, which can allow an attacker to intercept and decrypt wireless network traffic. 
Note that many Wi-Fi device manufacturers have already patched for the KRACK attack; however, the Wi-Fi Alliance made sure that WPA3, by default, includes protection against this particular attack and other known issues with WPA2. WPA3 will have increased protection against brute-force attacks and support for something called SAE (Simultaneous Authentication of Equals), which will prevent attackers from decrypting previously captured network traffic even with a compromised Wi-Fi network password. Other new features include individualized data encryption to prevent local “Man-in-the-Middle” attacks and a feature called “Wi-Fi Easy Connect” which will allow simple and secure pairing of Internet of Things devices that don’t have a visual screen or display. This will replace “Wi-Fi Protected Setup”, also known as WPS, which has been proven to be insecure. According to the Wi-Fi Alliance, mass adoption by device manufacturers and consumers is predicted to start taking place towards the end of 2019. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. 
Last week, security researchers showed that maliciously crafted smartphone batteries can allow an attacker to harvest sensitive information such as characters typed on the touch screen and browser history, and to detect incoming phone calls and when a photo has been taken. It’s also possible to exfiltrate that data, one bit at a time, through the web browser installed on the device. This exfiltration can take place through something called the Battery API that is available in the Google Chrome mobile browser. The Battery API was deemed a privacy issue by Apple and Mozilla, so it was removed from Safari and Firefox. While this particular attack seems pretty farfetched, this research shows the possibilities for attacks that may target mobile devices through the supply chain, especially in China where most mobile phones are manufactured. It’s not that far of a stretch when we already have malware that has been installed in hardware and other devices coming through similar supply chains for many years now. One of the researchers that discovered this issue says “The attack may seem like a stretch (requires physical battery replacem
The Shared Security Podcast Episode 77 – Personal Risk Assessments, Stingray Surveillance Devices
This is the 77th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright recorded June 19, 2018. In this episode Tom and Scott discuss the concept of developing your own privacy threat model and personal risk assessment. We often discuss privacy threats and risk on the podcast, so we thought it would make sense to discuss how to put together your own threat model to determine what risk you actually face from potential threats. We define risk, in the context of the topics of this podcast, as how likely it is that a potential threat may compromise your privacy or your personal information. By threat, we mean something bad that can happen to you, like receiving phishing emails, having malware installed on your computer, or even surveillance being conducted by a nation-state or ISP on your Internet activities. Here’s an example of putting risk and threat together. Let’s say you have a nice car and you park it in an area that is known for a high threat of crime and auto theft; there is a greater risk that your car may be stolen than if it was parked in an area not known for crime and auto theft. The first step in the personal risk assessment is to create a privacy threat model for yourself. We’re going to reference a really great framework for threat modeling put together by the EFF (The Electronic Frontier Foundation), borrowed from their helpful guides on Surveillance Self-Defense. The EFF threat model starts by having you answer the following five questions: What do I want to protect? 
Who do I want to protect it from? How bad are the consequences if I fail? How likely is it that I will need to protect it? How much trouble am I willing to go through to try to prevent potential consequences? The idea is to answer these questions as best as you can in preparation for an event or action that you may be taking related to your privacy. Based on your threat model you can then determine what tools and techniques are appropriate for your level of risk. This is always a personal decision! Some examples: “I want to hide my browsing habits from third-party ad trackers or my ISP.” This scenario may be low risk to you, so you may be fine just using a VPN and privacy-focused browser plugins like EFF’s Privacy Badger. “I’m not comfortable giving Facebook my personal data.” This scenario may be more of a medium risk for you, so you may choose to delete your Facebook account or be more careful about what you post. “I’m a journalist in a foreign country reporting on human rights abuses.” This scenario is most likely high risk to you, so you should consider using a burner laptop, Tor and the Signal app for communication. Listen to the full episode where Tom and Scott discuss other real world applications for privacy related threat modeling. We also discuss Stingray surveillance devices which are commonly used by law enforcement and governments to intercept mobile phone communications. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The Shared Security Weekly Blaze – MyLobot Malware, Updates on Third-Party Location Data Sharing, Fortnite Scam Websites
This is the Shared Security Weekly Blaze for June 25, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for June 25th 2018 with your host, Tom Eston. In this week’s episode: MyLobot malware, updates on third-party location data sharing, Fortnite scam websites. A new, serious form of malware called MyLobot (apparently named after the researcher’s pet dog) was discovered by security firm ‘Deep Instinct’. This new form of malware is quite dangerous, as it will make infected systems part of a large botnet and has the ability to install trojans and keyloggers, conduct DDoS attacks, ensure that it cannot be detected, and even run executable files from within system memory. Having executable files run from within memory is a newer technique only discovered by malware researchers in 2016 and makes detecting this type of malware much more difficult. 
Researchers have indicated that this particular form of malware is quite advanced and not the typical work of an amateur. In addition to all of this, there is an interesting delay feature which will not allow the malware to communicate with its command and control servers for approximately two weeks. This delay was put in to avoid detection by modern endpoint detection and other techniques which usually pick up malware infections like these. To top it all off, the malware will attempt to detect and disable other types of malware already installed, effectively eliminating the competition. Deep Instinct researchers indicate that this type of advanced malware is being sold on the ‘darkweb’ for purchase and that “Other than the malware itself, malware developers can purchase services that assist in the infection process. An attacker can purchase access to exploit kits, buy traffic of tens of thousands of users to a web page, or even buy a full ransomware-as-a-service for his own use”. As we’ve mentioned on the podcast before, one of the primary ways that malware can get installed on your computer is through phishing and social engineering. There are, of course, other ways, such as drive-by downloads from malicious ads and compromised web sites hosting malicious code. Besides being more aware of phishing and social engineering, you can help defend your computer by keeping your system patched and up-to-date, as well as by using ad blocking web browser plugins like uBlock Origin and web tracker prevention plugins like EFF’s Privacy Badger. Check out our show notes for details on where to download and how to install these plugins. 
This week I wanted to provide an update on the previous news we mentioned on the podcast a few weeks ago regarding how the major wireless carriers were selling your real-time location data to various third-party companies. Just this past week Verizon, AT&T and Sprint announced that they will no longer share customer location data with third-party data aggregators like one particular company we discussed on the podcast called ‘LocationSmart’. This change was most likely due to the in
The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested
This is the Shared Security Weekly Blaze for June 18, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for June 18, 2018 with your host, Tom Eston. In this week’s episode: Ultrasonic Hard Drive Attacks, Dangerous USB Devices and Email Fraudsters Arrested. Researchers from Princeton and Purdue University have shown how sonic and ultrasonic signals, which cannot be heard by humans, can be used to physically damage computer hard drives by using the computer’s own speaker or a speaker that is near the device. In their research they demonstrated how this vulnerability could be leveraged to attack hard drives in CCTV (Closed-Circuit Television) systems as well as desktop and laptop computers. In their experiments, they were able to cause errors in just 5-8 seconds on hard drives from Seagate, Toshiba and Western Digital. 
In one particular experiment on a Dell XPS laptop, they were able to cause the laptop to freeze and crash within seconds after a malicious file was played over the laptop’s built-in speaker. It’s crazy to think that an audio file can be a new attack vector that may start being leveraged by attackers. The good news is that the researchers indicated that these vulnerabilities could be remediated through firmware updates provided by the hard drive manufacturers, so not all is lost. I’m sure the threat of this happening to most people is very low, however, I suspect that a nation state or dedicated adversary could easily take this research and ‘weaponize’ it to target specific individuals in order to destroy incriminating information. Two groups most likely targeted could be journalists and human rights defenders. This week was a historic one for US President Donald Trump and North Korea’s leader Kim Jong-un as they met face to face in Singapore during their very first summit together. However, what happened behind the scenes may have been more interesting. 
You see, journalists attending the summit were given very special commemorative gift bags which had a guidebook, a water bottle, a trial subscription to a newspaper and a fan that plugs into a USB port on your computer. Wait, did you say a USB fan that plugs into your computer? Now we all know that you shouldn’t plug random, untrusted USB devices into your computer, right? Not to mention that these USB devices are from a foreign country and we’re talking about the United States and North Korea leadership all in the same area together…what could possibly go wrong? In the show notes we’ve linked to a funny but not so funny article showing the tweets that many security researchers posted about this mysterious USB fan. Even if you have nothing to do with this summit, the advice from us and other professionals is to never put a USB device from a conference or other untrusted source like this in your computer. There have been many reports of devices like these being infected with malware, and given that this is a historic summit with probably spies all over the place, the risk of something n
The Shared Security Weekly Blaze – MyHeritage Data Breach, Facebook’s Data Sharing Partnership, Apple iOS 12 and macOS Updates
This is the Shared Security Weekly Blaze for June 11, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for June 11th 2018 with your host, Tom Eston. In this week’s episode: MyHeritage data breach, Facebook’s data sharing partnership and Apple iOS 12 and macOS updates. MyHeritage, the DNA and ancestry service, announced a large data breach this past week which exposed the email addresses and hashed passwords of approximately 92 million customers. Apparently, a file containing this data was found on a private server by a security researcher who reported it to the Information Security team at MyHeritage. Customers affected include anyone that signed up for an account prior to October 26, 2017. Regarding how user passwords are being stored, MyHeritage stated that “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. 
This means that anyone gaining access to the hashed passwords does not have the actual passwords”. No further details were provided on how the file was found or why it was on a private server to begin with. Other than the typical advice of “change your password” and the announcement that MyHeritage will be implementing two-factor authentication in the near future for added account protection, MyHeritage does not suspect that any IT systems were compromised in the breach. My take on this situation is that it sounds to me like a developer or other internal employee posted this file either in error, or there may be the possibility that a disgruntled employee maliciously posted the file. We may never find out what really happened here, but I do find it ironic that just a few short weeks ago we had discussed the impact of an ancestry company that holds the DNA records of millions of people having a data breach. I’m also surprised that MyHeritage is only now implementing two-factor authentication given that this type of account protection has been the standard for many years now. Like our other advice discussed on the podcast, we can’t rely on third-party companies to keep our personal data secure. You need to decide if you want to risk your data being exposed, either by accident or through a compromise, by choosing the companies you want to supply your personal information to. 
Facebook is in the news once again, this time for its data partnership with 60 companies including Amazon, Apple, BlackBerry, Samsung and several Chinese companies such as Huawei. Huawei was identified as a threat to US national security by government officials, which makes this partnership a little bit more interesting. Access to Facebook data was given to these companies as early as 2011 so they could tightly integrate Facebook into their devices. This was a feature implemented before the Facebook app became the most popular way to access Facebook on a mobile device. This type of data access allows devices to pull Facebook data so that they can provide a Facebook-like experience. For example, Blac
The Shared Security Weekly Blaze – Telegram Messenger in Russia, Amazon’s Facial Recognition Technology, Digital License Plates
This is the Shared Security Weekly Blaze for June 4, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for June 4th 2018 with your host, Tom Eston. In this week’s episode: Telegram Messenger in Russia, Amazon’s Facial Recognition Technology and Digital License Plates.

In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.

The Russian communications agency has given an ultimatum to Apple if they do not remove Telegram, which is a secure messaging app, from the Apple App Store in Russia. Several months ago the Russian government banned the Telegram app because Telegram refused to give them the private encryption keys to access messages being sent through the app. Russia claims that terrorists are using the Telegram app and are demanding what is essentially backdoor access to chats for government investigations and surveillance. Apple now has a month to comply with this request or face regulatory action from the Russian government. It’s also being reported that the same request also went out to Google to ban Telegram from the Google Play app store as well. Now despite this request Telegram is still being actively used by Russian citizens through the use of VPNs which allow circumvention of any blocking of Telegram servers that the Russian government is actively doing.

This news reminds me of the controversy back in 2016 here in the US regarding the iPhone of the San Bernardino shooter in which the FBI asked Apple to unlock the shooter’s iPhone for their investigation. Like the Telegram situation it’s a very dangerous proposal when governments begin asking for companies to install backdoors or to do things that circumvent built-in security and privacy controls. This is a debate that will be continuing for sure; in the meantime it’s important that we all support the need to protect our own privacy by keeping encryption and other security technologies built into the devices and apps that we use.

Amazon is in the news recently about a cloud based facial recognition technology they’ve developed called “Rekognition”. Rekognition can identify approximately 100 people in a single image leveraging databases containing the faces of millions of people. The controversy is that Amazon has been offering this service to law enforcement agencies and it’s already being used by the Orlando Police Department and a Sheriff’s office in Oregon which adds to the growing list of surveillance technology now in the hands of local government. In the case of the Orlando Police Department, Amazon actually gave this technology to them for free as a proof-of-concept. In a blog post written by the American Civil Liberties Union, they express great concern since this is a case of the government partnering up with a large tech company t
The Shared Security Weekly Blaze – Real-time Location Tracking, VPNFilter Router Malware, Apple’s GDPR Updates
This is the Shared Security Weekly Blaze for May 28, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for May 28th 2018 with your host, Tom Eston. In this week’s episode: Real-time Location Tracking, VPNFilter Router Malware and Apple’s GDPR Updates.

How valuable is your real-time location? For many of us, it’s a very scary thought to think that someone may have access to easily track your whereabouts in real-time with no permission from you or little or no recourse for their actions. Well, for mobile phone carriers, your location means more profit for them because they have been selling access to real-time location data to different third-party companies. In late breaking news the other week a company called LocationSmart, which is a real-time data aggregator of mobile phone location data, has been able to access the real-time location of every phone from every major US carrier (that includes AT&T, Sprint, T-Mobile and Verizon) without user consent. A researcher named Robert Xiao who is from Carnegie Mellon University was messing around with a web demo of the LocationSmart application and found that he could query the real-time location of some of his friends through a vulnerability in the API of the application. The LocationSmart demo app was not taken down until famed reporter Brian Krebs from KrebsSecurity.com got involved and reported on the issue.

This is also not the first time that we’ve recently seen real-time location data from the mobile carriers being used suspiciously. Back in early May, a company called Securus was identified through a New York Times article that was about a former sheriff who was using location data through the Securus service to track people without a warrant or user consent. To add further insult to injury, a hacker broke into Securus systems and stole 2,800 usernames, emails and hashed passwords of Securus customers. Ironically, Securus gets its location data from, you guessed it, LocationSmart. You also shouldn’t be surprised that these are probably not the only two companies that have access to real-time location data. You can bet that many other organizations, including criminals and nation states are also using services from similar companies.

This entire situation brings into question what mobile phone carriers are doing with our location data. Of course they need to monitor, track and record your location otherwise your phone wouldn’t work and it would defeat the purpose of having a mobile phone altogether. However, it comes as a surprise that the carriers are blatantly giving your location data to third-party aggregators which in turn is giving this to other companies who work for law enforcement and the government. Seems to me that this is a great way for mobile carriers to make money off of your location data and for law enforcement to “bypass” a warrant and other user privacy protections. It’s also sad that you as the consumer of these mobile services have no control on how your location data is shared with third parties. Especially since we all advocate to change and lock down location sharing features on your devices and apps as a way to prevent third parties from receiving this information. With the carriers selling off your location information it makes these settings pretty much useless. Your best course of action to prevent a third-party from tracking you is to use a Faraday Bag like ones from our sponsor, Silent Pocket, which prevent all wireless signals and makes your device completely secure while in the Faraday bag (well except for
The Shared Security Weekly Blaze – Efail Vulnerabilities and PGP Encryption, Facebook’s App Investigation, Nest Password Notifications
This is the Shared Security Weekly Blaze for May 21, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for May 21st 2018 with your host, Tom Eston. In this week’s episode: Efail vulnerabilities and PGP encryption, Facebook’s app investigation and Nest password notifications.

Multiple vulnerabilities dubbed “Efail” were announced by European security researchers in several popular email clients that make it possible for attackers to view the plaintext of email messages encrypted with PGP (also known as Pretty Good Privacy) and S/MIME encryption standards. Email, as you’re hopefully aware, is not encrypted by default. This is often referred to as “plaintext” email. PGP and S/MIME have been the standard for email encryption for many years now and are used by many people and businesses to secure email communication. The Efail vulnerabilities allow an attacker to embed previously obtained encrypted text into a new email and also include a web URL of the attacker’s server. When the email is sent to the victim the email client decrypts the email like normal but inadvertently sends the plaintext of the previously encrypted email to the attacker’s server. The issue lies in the way vulnerable email clients decrypt encrypted email.

One very important point to make is that PGP and S/MIME encryption are not broken. While it may not be a modern encryption solution, it’s still a viable and secure method to safeguard sensitive emails and other information such as documents and files. This particular issue is about vulnerable email clients, not in the encryption protocol itself. Organizations such as the EFF have advised to disable PGP and S/MIME within your email clients as a temporary solution until fixes for email clients identified as vulnerable are released. You can still encrypt and decrypt emails outside of your email client if you’re already using PGP. However, the disabling of encryption software should be based on your own level of risk vs. just turning off encryption safeguards altogether. For example, if you are a human rights activist that knows your email communication is being monitored by say, a nation-state, there may be much more risk to you of being a victim of this attack because it’s more than likely that all of your encrypted email communications have already been collected. If you were at this level of risk, you absolutely should take heed and disable PGP in your email client and perform encryption and decryption through other means. You should also consider using other secure end-to-end encryption services like Signal to send sensitive messages. If you’re a low risk PGP or S/MIME user you should determine if you have a vulnerable email client and ensure you update when patches are released. Check out our show notes for details on what email clients are vulnerable and for more details about the Efail vulnerabilities.
The Shared Security Weekly Blaze – Recent Windows Vulnerabilities, Exposed Passwords, Credit Freeze Controversy
This is the Shared Security Weekly Blaze for May 14, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for May 14th 2018 with your host, Tom Eston. In this week’s episode: Recent Windows vulnerabilities, exposed Twitter and GitHub passwords and the latest credit freeze controversy.

Microsoft has recently released patches for two rather serious vulnerabilities that are currently being exploited in the wild. One vulnerability, dubbed “Double Kill”, affects the Windows VBScript engine through the Internet Explorer web browser which impacts most modern Windows operating systems including Windows 10. The other vulnerability is described as an elevation of privilege vulnerability which only affects Windows 7 and Windows Server 2008. With the VBScript engine vulnerability, an attacker leverages a malicious Word document to exploit the flaw through the Internet Explorer web browser. The interesting aspect of this attack is that even if you don’t use Internet Explorer, and use another browser like Chrome or Firefox, you can still fall victim to this attack. This is because Internet Explorer is tightly integrated into the rest of the Windows operating system. Researchers have noted that this vulnerability in particular is looking to be one of the most exploited in the future because of the way it leverages Internet Explorer to conduct the attack. The other critical vulnerability announced is a little harder to exploit as the attacker needs to login to a Windows system as a regular user, then run an application to exploit the vulnerability, which would give the attacker full control of the victim’s system. Lastly to note, there were about 20 more critical updates that were part of this most recent patch release from Microsoft that are not yet known to be actively exploited. The best way to protect yourself against these latest vulnerabilities and future ones is to ensure you’re running the most current version of Windows as well as checking that Windows Update is set to automatically download and install critical updates. See our show notes for details on where you can check to see how Windows Update on your system is configured.

Twitter and popular code repository site GitHub announced that user passwords were exposed to internal employees through an internal log due to a system-related bug. In the case of Twitter the issue is related to the hashing function that masks passwords before they are stored in their system and in the case of GitHub they have only said that the passwords were discovered in a recent audit and no further details were given. Twitter proactively sent out a notice to all of its 330 million users to change their passwords even though there was no evidence of misuse but as a precautionary measure. In the cas
The Shared Security Podcast Episode 76 – Special Guest Kevin Johnson (@secureideas), Router Hacking, GDPR, NSA Metadata
This is the 76th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guest Kevin Johnson recorded May 7, 2018.

Interview with special guest Kevin Johnson

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute. Kevin has performed a large number of trainings, briefings and presentations for both public events and internal trainings. He is the author of three SANS Institute classes: SEC542: Web Application Penetration Testing and Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. Kevin has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard and ISSA.

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer. In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group).

In this episode we discuss a broad range of hot topics with Kevin including how big of a Star Wars fan he is, Russian router hacking, home router security, security awareness of the typical consumer, GDPR, NSA metadata, Facebook and much more! Kevin is always a fun, uncensored and very entertaining guest. We hope you enjoy this interview as much as we did! Thanks to Kevin for being a guest on our show!
The Shared Security Weekly Blaze – DNA Privacy, This Week’s Social Media Privacy News Roundup, Remote Car Hacking
This is the Shared Security Weekly Blaze for May 7, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for May 7th 2018 with your host, Tom Eston. In this week’s episode: DNA Privacy, This Week’s Social Media Privacy News Roundup and Remote Car Hacking.

Shout outs this week to @PrivacyAlive, @Yohun and @TASCET on Twitter as well as Michael and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!

Have you thought about the privacy and security of your DNA? Well recently it was announced that the “Golden State Killer” suspect Joseph DeAngelo was arrested and is accused of 12 homicides, 45 rapes and more than 100 robberies that took place in California from 1976 through 1989. Investigators disclosed that the arrest was due to DNA information that was from an open source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in the database which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. This brings into question that anyone who may have submitted their DNA test results to an open-source database like this could be used by others for more than just criminal investigations. I think it’s fascinating that even if you don’t submit your DNA to one of these services people that have some distant DNA relationship to you may already be in a database like this used to locate criminals.

This case has set off numerous discussions and debates to review the privacy policies of popular DNA testing companies such as 23andMe, MyHeritage and Ancestry.com. It’s important to note that all these companies require a court order for law enforcement in order to access DNA records, however, it does not stop someone from taking their own DNA records and importing it into a larger open-source database like the one used to find the Golden State Killer. In my opinion, your DNA records are extremely personal and are much more valuable than any other piece of personally identifiable information that may be out there about you. And while many different companies have sprung up recently that are in the business of building out family trees, it begs the question regarding how these companies are protecting your DNA information. Could you imagine the fallout if one of these companies like 23andMe had a data breach? Our advice is for you to determine if it’s really worth submitting your DNA to one of these services as most likely your genetic data, through some distant relative of yours, may get caught up in an investigation or used for another purpose that you may not even be directly involved with. What a time to be alive, isn’t it?

In Facebook and social media privacy news last week it was discovered that Twitter also sold data to Aleksandr Kogan, the researcher who happened to sell the personal information of over 87 million Facebook users to Cambridge Analytica.
The Shared Security Weekly Blaze – Child Identity Fraud, Tech Support Scams, Amazon Key In-Car Delivery
This is the Shared Security Weekly Blaze for April 30, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

This is your Shared Security Weekly Blaze for April 30th 2018 with your host, Tom Eston. In this week’s episode: Child Identity Fraud, Tech Support Scams and Amazon Key In-Car Delivery.

Shout outs this week to @jandrusk and @privacydivas on Twitter as well as itincloud and pacifictech808 on Instagram and Jason, Johann and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!

A sobering report was released last Tuesday which showed that more than 1 million children in the United States were victims of identity theft last year. The study by Javelin Strategy & Research shows that in 2017 more than $2.6 billion in total losses and over $540 million in out-of-pocket costs to families are attributed to child identity fraud. What’s surprising about this study is that it showed more than half (which is 60%) of child identity fraud victims have a personal relationship with the person stealing their identity. This is in stark contrast to adults where only 7 percent of adult fraud victims know the fraudster. Also of note, there was a strong correlation between a child being bullied and identity fraud. Bullied children are more than nine times more likely to be victims of fraud than children who were not bullied.

One of the big problems this study highlights is the challenges we have with the security of credit reports. Given that there have been large breaches like Equifax which highlight how adults can have their identities stolen through the use of their credit reports, I find it disturbing that we don’t give the topic of child identity fraud more attention. Children don’t have credit reports until they are old enough to apply for credit on their own so it’s often overlooked that if the personal information of a child is stolen, it’s much easier for a fraudster to use a fresh, unused credit history to their advantage. Also, given the fact that the fraudsters are people that know these children personally, it makes using their personal information (and credit) much easier than adult victims. Some signs or indicators specific to child identity fraud include the child being turned down for benefits, receiving notices from the IRS about unpaid taxes or debt collectors calling about products and other things you or your child has never purchased.

If you’re a parent I would highly recommend the following advice from the FTC and others about how to secure your child’s identity such as potentially freezing their credit, determining how they are sharing their personal information, monitoring existing accounts and keeping physical documents like birth certificates and social security cards secure and out of reach of household guests and visitors. Regarding freezing your child’s credit, this is something you should research on your own as not all states allow this and some experts debate if there may be more risk in opening up a credit file before your child is ready to start building their credit. Check out our show notes for links to more advice on this very important topic.
The Shared Security Weekly Blaze – Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls, Russian Router Hacking
This is the Shared Security Weekly Blaze for April 23, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 23rd 2018 with your host, Tom Eston. In this week’s episode: Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls and Russian Router Hacking. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @securityvoid, @HammerITConsult, @davegeek_ and @Yohun on Twitter as well as Tim Maliyil on Instagram and Richard, Jason and Eddie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! There was an article this past week that totally got my attention and should get yours as well which was titled quote “Is your Android phone a ‘toxic hellstew’ of vulnerabilities?” end quote. Toxic hellstew does sound rather terrible so if you have an Android phone you may want to pay attention to this. 
A study was recently released that found that your Android phone may be lying to you about critical patches that should be installed by your device manufacturer. This issue, called the ‘hidden patch gap’, was discovered by German security firm Security Research Labs. The research shows that some popular Android devices from Google, Sony, Samsung and many other brands would show that they were fully patched when in fact they were missing security patches, and in some cases up to a dozen patches from a specific time period. This means that without current security patches, these Android devices were left vulnerable to various attacks. The researchers believe that manufacturers are setting these false patch levels in an attempt to deliberately deceive consumers that their devices are secure. Device manufacturers like Google have responded to the research stating that there are other layers of security in Android devices to protect them from attack and patching is just one of those layers. Of course they did not admit to providing consumers with a false sense of security. While patching of Android devices has always been a challenge because of the known issue of device fragmentation, where older Android devices may never get updated, patching should be of utmost importance to device manufacturers because of the rise of mobile device attacks. So what can you do to see the real patch level of your Android device? Well, the researchers behind the ‘toxic hellstew’ patch issue released an app called ‘SnoopSnitch’ that can run a test to see the real patch level of your device. If your device ends up being fully patched once running the app you should be up-to-date on recent patches. If not, you may want to consider being more careful what you click on, what apps you install and how you use your Android device until your manufacturer ‘really’ updates your phone. 
If you really are concerned, you may want to consider getting a different Android device from another manufacturer in the future. Check out our show notes for details on downloading the SnoopSnitch app and for a link to a FAQ about the testing results and what they mean to your device. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. In Facebook news this week,
The Shared Security Podcast Episode 75 – Cybersecurity Education with Gotham Sharma (@g0thamsharma) and Dr. Brian Krupp (@briankrupp)
This is the 75th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guests Gotham Sharma and Dr. Brian Krupp recorded April 16, 2018. The Cybersecurity Education Episode In this episode we’re joined by two cybersecurity educators for their perspective on the current state of education in the cybersecurity industry. This is a really important topic given the current cybersecurity skills shortage where it’s becoming more difficult to find qualified and skilled individuals to fill cybersecurity jobs. Gotham Sharma serves as the Managing Director of the Exeltek Consulting Group, where he manages daily operations of the New York City based cybersecurity advisory firm. Previously a Wall Street consultant for Global Technology Operations at various Fortune 500 Organizations, Gotham left financial services to consult for the nonprofit world, where he focused on youth development and STEM education. In particular, his work centered around designing Career and Technical Education (CTE) Programs for traditionally disconnected young adults. You can contact Gotham via his LinkedIn page. Dr. Brian Krupp is an Assistant Professor in the Computer Science department at Baldwin Wallace University. He is the faculty advisor of the Mobile Privacy and Security (MOPS) research group whose current research is investigating methods to increase consumer awareness of privacy issues in smartphone and tablet applications. He is also the faculty advisor of CS+ which provides computer science opportunities for elementary to high school students through Tech Camps, school visits, and partnerships in the NEO region. You can contact Dr. Krupp via his Twitter or find out more about the classes he teaches and his work with students via his Baldwin Wallace University home page. 
On this podcast we discuss if there really is a shortage of cybersecurity talent and what programs are available for young kids as well as teenagers and college students that may be interested in a cybersecurity career. We also discuss the importance of mentorship, being a good mentor as well as the need for more women, minorities and diversity in the cybersecurity industry. Thanks to Gotham and Dr. Krupp for being guests on our show!
The Shared Security Weekly Blaze – Facebook goes to Congress, More Data Breach Announcements, New Hope for Replacing Passwords
This is the Shared Security Weekly Blaze for April 16, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 16th 2018 with your host, Tom Eston. In this week’s episode: Facebook goes to Congress, More Data Breach Announcements and a New Hope for Replacing Passwords. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @ZodMagus, @Yohun, @BNI212, @StrongArmSecure, @Borderless_i and @drheleno_ca on Twitter as well as @itincloud, @dahveezy, @grassfedmama and @simpletechla on Instagram and Johann, Richard, Julie, Jason and Stephane on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! The Facebook news continues this week with the announcement of a new tool to see if you or your friends shared personal information with Cambridge Analytica. This tool won’t tell you which of your friends took the quiz called “This Is Your Digital Life” but will just say how many of your friends may have taken the quiz. 
If this tool tells you that some of your friends took the quiz which allowed your data to be harvested, be sure to scold them until you find out who did it. Just kidding, but you may want to make a post about it so that your friends are aware of what they did. Also within this tool Facebook gives you a link to review the information you share with other third-party apps. So check out our show notes for the link to this tool and for more information. In other Facebook news, Facebook confirmed recently that it uses automated tools to scan private chats within their Facebook Messenger application for malware links, child porn and other violations of its terms of service. This news was surprising to many users of the Messenger app as most people thought that these conversations were not being monitored by Facebook. Just so you’re aware, the only conversations that are not able to be monitored by Facebook are “secret” conversations which only work on the Apple iOS and Android versions of Facebook Messenger. Facebook’s secret conversation feature is actually the same end-to-end encryption protocol used by Signal, which is one of the most popular secure messaging applications that you can use. To use secret conversations you have to enable this on a per conversation basis. For details on how to do this check out our show notes. One important thing to note about Facebook secret conversations is that if the other party you’re having a private conversation with reports your conversation for something inappropriate, these messages are decrypted and sent to Facebook’s support team. Just something to be aware of if you’re using the secret conversations feature. Last but not least, Facebook CEO Mark Zuckerberg testified to Congress last week which included legislators from both the Senate and House of Representatives. 
Legislators asked Mark Zuckerberg questions about how Facebook secures user data, what type of regulations the government should put in place for Facebook and for Mark to explain the details around the Cambridge Analytica controversy. One thing that I noted during the testimony was that these legislators really have no idea how Facebook or any social network works. It was surprising to me that Mark Zuckerberg had to explain very basic functions and features that are part of using Facebook as well as how Facebook makes revenue. For example, many legislators seemed to be unaware that Facebook has very detailed privacy controls for everything that a user can share and were confused regarding how messaging apps like WhatsApp even work. I believe one Senator even noted that the messaging application WhatsApp can be used to send email. Now I realize this is a very similar situation for those fellow gen X’ers like myself that may have a non-technical parent that may not have a clue about social media or technology. However, if a legislator is proposing to regulate a technology that they know nothing about…we’re in for
The Shared Security Weekly Blaze – The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service, Saks Fifth Avenue and Panera Data Breaches
This is the Shared Security Weekly Blaze for April 9, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 9th 2018 with your host, Tom Eston. In this week’s episode: The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service and the Saks Fifth Avenue and Panera Data Breaches. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. I also have several shout outs this week to @yohun and @nevon on Twitter as well as Richard, David and Johann on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Ever since the Facebook Cambridge Analytica controversy an online movement has started to form called #DeleteFacebook. The delete Facebook movement is in response to Facebook’s recent privacy firestorm regarding the way the social network collects your personal information. I’m sure many of you have had friends or family either say they are quitting Facebook or are planning on doing so because of everything that’s been going on in the news about Facebook recently. 
Having said that, I wanted to quickly talk about the #DeleteFacebook movement and how it applies to what we talk about on this podcast. When Scott and I started this podcast back in 2009 it was called the “Social Media Security” podcast and for very good reason. Social networks like Facebook were just starting to get popular and it seemed like the wild west in regards to the lack of privacy controls as well as awareness of social network security issues. As the years went on we began speaking more about social network risks and privacy issues but also how to use them safely. We soon realized that all of us were going to use social media at some point, so how can we use it with some sense of balance between our privacy and the need to share information with friends and family? Education became the theme rather than “delete your accounts and never use social networks”. In fact, Scott and I make it well known that we use social networks like Facebook all the time and even promote engaging us on various social media platforms so that we can have conversations about these important topics. We strongly believe that education, through the use of social media, can make the most impact on others about privacy and security issues. One of the taglines that the podcast developed over the years is, “we bring you stories, advice and tips to make better risk decisions because no one else can make them for you.” This tagline is what this podcast is all about and tells us that it’s your decision to use Facebook or not. Like most everything in life, there is always a risk of something. If you accept that Facebook is going to harvest your personal information, which is what it was designed to do, then you accept that risk. If it seems too risky and you want to delete Facebook and all other social media, that’s fine as well. However, we believe that all of us can use social networks more safely and can limit the amount and type of personal information that we share. 
Remember that you ultimately have control of what you post and the information you share on social networks. Internet performance and security company Cloudflare released a new privacy focused DNS service this past week called 1.1.1.1 which aims to solve several of the privacy issues related to using the DNS service of your Internet Service Provider (or ISP). If you’re not familiar with what DNS is and why it’s important, here’s a quick overview. DNS stands for the Domain Name System. You can think of DNS as a big directory of the Internet. Whenever you type in a website like sharedsecurity.net into your web browser the first thing that happens is that a DNS server needs to be queried to find the IP address of that name. If we didn’t have DNS we would all have to remember IP addresses such as 69.39.236.80 to get to a website like sharedsecurity.net. With Cloudflare’s DNS service, you can use their DNS s
The Shared Security Weekly Blaze – Facebook’s Privacy Firestorm, MyFitnessPal Data Breach, Ramifications of CLOUD and FOSTA
This is the Shared Security Weekly Blaze for April 2, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 2nd 2018 with your host, Tom Eston. In this week’s episode: Facebook’s Privacy Firestorm, the MyFitnessPal Data Breach and Ramifications of the CLOUD and FOSTA Bills. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @Yohun, @zroone, @StrongArmSecure, and @CamilleEsq on Twitter as well as @vanishedvpn and @newcybersource on Instagram and Lou, Shawn, Jun, and Andrew on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Since the news broke about Facebook and the Cambridge Analytica controversy the other week, there has been a firestorm of information coming out about Facebook’s data harvesting practices as well as new tools and information about Facebook’s privacy settings which are in response to Facebook’s recent privacy challenges. For example, Mozilla, the creator of the Firefox web browser, released a new browser extension called “Facebook Container” which lets you isolate your Facebook activity to just Facebook.com, which will limit the amount of tracking that Facebook can do while you browse the web. 
Keep in mind, when using a browser extension like this any sites that you “sign-in” using Facebook will no longer work. In other Facebook news, details also came out about Facebook collecting phone call metadata from Android phones that have the Facebook mobile app installed. This data included names, phone numbers and the length of each call made or received on the device. This access is given during the installation of the Facebook app which asks for permission to read contacts off of the device. The reason Facebook does this is so your contact data can be used to find and match more Facebook friends for you. Apparently older versions of Android allowed access to call and message logs in addition to contacts on your device. The issue has been fixed in newer versions of Android but if you had the Facebook app installed before these updates were made, the Facebook app would still be able to access this data. It’s important to note that Apple iOS has never allowed apps to access call logs and other call data. So if you have an Apple iOS device, you’re safe…for now. Check out our show notes for instructions on how to remove these permissions if you have the Facebook app installed on your Android device. Given all the news about Facebook recently, and where your data may have been collected, you may be thinking it’s time to re-evaluate your use of Facebook and to ponder on the reasons why you may or may not want to continue using the social network. One tip we have to share is that you do have the ability to download all the data that Facebook has about you so you can see for yourself what information has been collected. See our show notes for details on how you can do this but you may be surprised to see all the data that Facebook has collected about you, especially if you’ve been a long time user of Facebook. In other breaking news this past week, Under Armour announced that their app MyFitnessPal was breached sometime in February of this year. 
This breach affects 150 million user accounts making it the second largest data breach of consumer data in U.S. history right behind the infamous Yahoo data breach which happened in 2016. The information compromised included usernames, email addresses and hashed passwords. While details about how the breach happened have not been released there are a few good things to mention. First, in the breach disclosure Under Armour mentioned that bcrypt was used as the hashing function for storing passwords. Bcrypt is a much more secure method of storing passwords, so depending on how bcrypt was implemented it will be very difficult for an attacker to find out users’ passwords. Second, Under Armour announced the breach very quickly which is far different than other similar breaches we’ve seen like the Equifax breach last year. So what should you do if you’re a user of the MyFitnessPal app? First, change your password by going to the MyFitnessPal website. Ho
The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac)
This is the 74th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rachel Tobac recorded March 25, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview with special guest Rachel Tobac Rachel is the CEO & Co-founder of SocialProof Security where she helps people and companies keep their data safe by training them on social engineering risks. Rachel also placed second two years in a row in the DEF CON hacking conference’s Social Engineering Capture the Flag contest (SECTF). In her remaining spare time, Rachel works as the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) where she empowers women to lead the converging fields. In this episode, Tom and Scott speak to Rachel about her adventures participating in the Social Engineering Capture the Flag contest at DEF CON. Rachel also discusses her thoughts on how to avoid being a victim of a social engineering attack and how more young women can get into cybersecurity and technology careers. Of course, no interview with Rachel would be complete without discussing her favorite (and least favorite) David Lynch movies as well as her book recommendations. Rachel was super fun to chat with! On the show Tom and Rachel mentioned the call that Chris Kirsch, the winner of last year’s DEF CON SECTF, performed. Here’s the re-enactment you should definitely check out! Thanks again to Rachel for being a guest on our show! Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. 
Thanks for listening!
The Shared Security Weekly Blaze – Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs, Siri Lock Screen Privacy
This is the Shared Security Weekly Blaze for March 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for March 26th 2018…with your host, Tom Eston. In this week’s episode: Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs and Siri Lock Screen Privacy. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @StrongArmSecure, @BrotherBlarneyS and @AANaseer on Twitter as well as @newcybersource and @thebluehawaiipodcast on Instagram and David, Julie, Gary and Jason on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Several privacy focused vulnerabilities were identified in three popular VPNs. According to research done by VPN Mentor, PureVPN, Zenmate and Hotspot Shield were all found to leak your real IP address. This vulnerability could allow an attacker to know your real location while you use the Internet, which is not the purpose of a VPN at all. Hotspot Shield and PureVPN appear to have remediated this issue but as of this podcast recording, Zenmate VPN has not fixed these vulnerabilities. In addition, functionality was disabled in the Firefox web browser that could invade your privacy. Mozilla has disabled functionality, called the proximity API, which allows websites you visit to know how far your phone is away from your face as well as the ability to detect what the ambient light levels are of the room you’re in. The reason that Firefox is disabling these features is that they can be used to fingerprint or identify you to target more ads to you. 
In regards to the ambient light sensor, some techniques can be used to leak your browsing history in something called a browser history attack. Mozilla is disabling these features in Firefox version 62. As we’ve mentioned on the show many times before, make sure you’re staying up to date with software updates for the apps you use, especially VPNs and your web browser. Ensuring you are applying frequent updates is one of the most important things you can do from a cybersecurity perspective. Do you have an iPhone with Siri enabled from your lock screen? If you do, you should know that there is a new vulnerability that can allow Siri to read out messages from the lock screen even if those messages are hidden. This vulnerability allows someone to access hidden messages from many different types of third-party applications including popular secure messaging apps like Facebook Messenger, Signal and WhatsApp. The good news is that the vulnerability doesn’t apply to Apple iMessage or standard text messages. The vulnerability currently affects version 11.2.6 of iOS and Apple is aware and working on a fix. If you are concerned that someone would be able to gain access to sensitive information in your messages you’ll need to do the following two things. First, turn off screen notifications in your settings for any sensitive applications you may be using and second, disable the feature to allow Siri to be used when your device is locked. Check out our show notes for details on where these settings are on your iOS device. Last weekend Facebook confirmed that back in 2013 an academic researcher named Dr. Aleksandr Kogan created a Facebook app called “This is Your Digital Life” which was a personality quiz distributed through Facebook. When Facebook users took the quiz it harvested profile data from their Facebook account. 
About 300,000 Facebook users took the quiz, but the data of about 50 million users ended up being harvested because the app also accessed profile data of those users’ friends. In 2014, this was Facebook’s feature called “friends of friends” where apps could access your friends’ data under certain conditions. This data was then given by Kogan to a political consulting and data analytics firm called “Cambridge Analytica” which apparently has ties to US president Trump and his political campaign. According to sources, Cambridge Analytica used this data to profile 50 million people so that they could target them with political propaganda prior to the US election. Many news articles and other sources have been stating that this was a “data breach” and that this data was effectively “stolen” from Facebook users. These statements are absolutely false because that’s not how Facebook applications work at all. Each user that took this quiz willingly installed the app and accepted that their personal data was going to be accesse
The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware
This is the Shared Security Weekly Blaze for March 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for March 19th 2018 with your host, Tom Eston. In this week’s episode: The Insecure Internet of Things, Spectre Patch Updates and Android Malware. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @Yohun, @ClarkWillClark, @drheleno_ca and @eg0sum on Twitter as well as @heath_robinson on Instagram and Tom, Shawn and Jamie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support! A new paper called the “Secure by Design Report” from the UK government’s Department for Culture Media and Sport describes 13 new security guidelines for manufactures of Internet of Things devices ( also abbreviated as IoT). If you’ve have been listening to past episodes of the podcast or have been paying attention to the news, we’ve seen a huge increase in devices such as smart watches, Internet enabled camera’s and hundreds of other connected devices like coffee machines and even toasters. Yes, you can actually buy a connected toaster that you can control from your mobile phone just in case you want to really fine tune your toasting process. Over the last several years Internet of Things devices have been found to have many different kinds of security vulnerabilities such as being configured with default passwords, having no mechanism to be updated and the lack of features to delete private data. 
In fact, insecure devices like these have been hacked to steal information and can be hijacked to be used in botnets, like the Mirai botnet in 2016, that infected over 300,000 IoT devices with malware. These new guidelines aim to educate manufacturers so they can build and eventually sell secure products. I think these guidelines are a great start to advocate good security practices for IoT device manufacturers, however, guidelines are just guidelines. Will manufacturers listen to this advice or will they continue to sell devices that are easily hackable? Unfortunately, it’s very difficult to determine if the IoT device that you’re purchasing is secure or not. From what we’ve seen in the past, many of these new IoT products are cheaply made with the purpose of getting cool technology out to the market to make a quick sale. In fact, it’s really easy to do a quick search on Amazon for pretty much any “connected” device these days to find manufacturers or sellers that no one has ever heard of. One tip I’ve found helpful is to check reviews and comments left by owners of products that you may be interested in purchasing to find out if any security or privacy configurations are being discussed or if there are known security issues that the manufacturer is aware of and is addressing. Like these guidelines state, it’s up to the device manufacturers to bear the burden of securing their products. For us consumers we either need to accept the risk that these products may compromise our security and privacy or just not purchase these devices altogether. I mean, it’s still possible to make toast with a regular toaster and not a connected one. Intel is almost ready to release more updated patches for the critical Spectre vulnerability that affects almost all computer processors manufactured within the last 20 years. If you have a Dell, Lenovo or HP PC you should start seeing these updates showing up through your update software within the next few weeks.
Spectre and its close cousin, Meltdown, are critical hardware vulnerabilities which allow attackers to steal data that is being processed within your computer. This data could include sensitive information such as passwords, emails, photos and documents. You may remember that back in late January after releasing the original updates, Intel told PC manufacturers to stop the deployment due to random reboots and the “blue screen of death” happening after the patch was installed. These patches need to update the firmware of your PC so make sure you have your software update feature enabled and working. Many times after we buy our PCs we automatically assume that software update applications that are installed by default are “bloatware” and we either remove or disable this software. We highly recommend you check to see if this software is running, as well as your Windows security updates to ensure you’re receiving timely security patches for your operating system. If you
The Shared Security Weekly Blaze – Malicious Healthcare Workers, New Attacks on Mobile Networks, Facebook Messenger for Kids
This is the Shared Security Weekly Blaze for March 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for March 12th 2018 with your host, Tom Eston. In this week’s episode: Malicious Healthcare Workers, New Attacks on Mobile Networks, and Facebook Messenger for Kids. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @karinavold, @Yohun and @securid on Twitter as well as @Itincloud and @wearethelightpodcast on Instagram and Tom, Shawn, Malcom and William on Facebook. Thanks to all of you for your support of the show! If you go to your doctor or to the hospital, have you ever wondered if your private healthcare information is being properly protected? Well this past week there were two reports released showing that its own workforce is the biggest cybersecurity problem for the healthcare industry. According to the 2018 Protected Health Information Data Breach Report released by Verizon, 58% of data breach incidents involved insiders. Most of the breaches noted by Verizon were because of corrupt healthcare workers stealing data to commit tax fraud, opening lines of credit from patient data or by looking up personal records of celebrities and family members. Another report, based on a survey of healthcare employees from consulting firm Accenture, showed that 18% of respondents were willing to sell confidential patient data for as little as $500 or $1,000.
This data could include selling your login credentials, putting your data on portable drives to be sold and installing malware on internal systems to capture confidential patient data. I don’t know about you but reports and surveys like these are very concerning considering the fragile state of healthcare, especially here in the US. Whether it’s failed security policy oversight or lack of security controls, healthcare remains one of the number one sources for criminals to gain access to your private information for medical identity theft. This is despite having healthcare laws such as HIPAA which are supposed to enforce good security practices within the industry. Like other types of fraud we’ve talked about on the show, you need to take steps to defend against someone using your information to commit fraud or identity theft. Unfortunately, we can’t rely on others like the healthcare industry or the government to properly protect our information. Much of the same advice we’ve given to protect against fraud, like putting a freeze on your credit and creating strong and unique passwords, also applies to the issues we’re seeing with healthcare data breaches. Some other tips specific to medical identity theft are to keep accurate records of your medical history, always review your medical statements to ensure they are accurate, be aware of fake or real calls from medical debt collectors and physically shred any healthcare related documentation containing personal information. Check out our show notes for a great guide from the Federal Trade Commission about detecting and preventing medical identity theft. Security researchers announced several new security vulnerabilities in 4G LTE mobile networks this past week. The researchers, who are from Purdue University and the University of Iowa, said quote “Among the 10 newly detected attacks, we have verified eight of them in a real test bed with SIM cards from four major US carriers”. End quote.
The researchers also noted that using publicly available software-defined radio devices as well as open source software, anyone with enough knowledge could build a tool for around $1,300 – $4,000. A fairly cheap solution for most attackers. The vulnerabilities that were identified could be used by criminals to create spoofed locations, impersonate an existing mobile number and allow someone to create mass hysteria over a fake emergency alert sent to thousands of mobile devices all at once. You may remember a few months ago when the Hawaii Emergency Management Agency accidentally sent out an emergency alert to all mobile devices in Hawaii about an impending missile attack. Could you imagine the fallout from something like this happening on a much broader scale? The good news is that it appears that the US carriers that were identified in the research are working to fix these vulnerabilities and the exploit code was not publicly released. There isn’t much we can do at this point but wait for the mobile carriers to fix
The Shared Security Weekly Blaze – Facebook Face Recognition, Private Web Browsing, Credit Card Fraud
This is the Shared Security Weekly Blaze for March 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for March 5th 2018 with your host, Tom Eston. In this week’s episode: Facebook Face Recognition, Private Web Browsing and Credit Card Fraud. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @securid, @WiFI_NY and @drheleno_ca on Twitter as well as Itincloud and thelaurajeans on Instagram and Tom, Lauretta, Jason, Shawn and William on Facebook. A special shout out this week also goes out to sweepa36 who left us a five star review on iTunes. Thanks to all of you for supporting the show! If you’ve been on Facebook recently you may have seen a message in your news feed about a new feature called “Face Recognition”. This feature will analyze faces to automatically tag you in photos and videos that are posted to Facebook. Facebook says that this “feature” will find photos that you’re in but haven’t been tagged, help protect you from others using your photo and to help people with visual impairments who may be in your photo or video. You can opt out of this feature by turning it off in your Facebook privacy settings. Note, some people have reported that this feature was already set to “on” so it’s a good idea to check out your privacy settings to see if this feature is enabled or not. Check out our show notes for information on where to find this setting.
Not to be overly suspicious but you know as well as I do that this feature will eventually be used to target more ads to you or to allow Facebook more ways to gather data about your activities and monetize your personal information. What I also find ironic is that just this past week a federal judge in Illinois made a ruling about an ongoing class-action case that Facebook “must face claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent”. This decision means that Facebook could be liable for fines under Illinois law from $1,000 to $5,000 dollars each time a person’s image is used without permission. Of course Facebook is fighting this ruling but I’m sure this is not the end of more legal troubles for Facebook since the social network continues to push technology like Facial Recognition to its user base. Did you know that when you use “private browsing” or “incognito mode” in your web browser, your browsing activities may not be so private after all? Hopefully, you’re aware that the sites you visit can be monitored and logged through your ISP, VPN provider or employer. It’s also important to know that data from a private browsing session can also be retrieved through common computer forensic techniques once someone has physical access to your computer. Recently a group of MIT and Harvard researchers developed a solution called Veil which allows web developers to implement technology to protect data while it’s stored and processed within a private browsing session. To do this Veil uses “blinding servers” which are located in the cloud to encrypt and protect data on a website. That data then gets retrieved by your private browsing session. Essentially, this would make any data stored within your browsing session (or within computer memory) useless from a forensic perspective. 
What I like about this technology is that it can add an additional layer of privacy for people, like journalists or human rights defenders, that might have their browsing history or computers targeted by say a state-sponsored government or dedicated adversary. Veil might also be the kick start of other technologies that further support protecting our private information while we browse the web. We’ll be closely following this project for sure to see how it evolves in the future. Visa released new statistics that show there has been a 70% drop in counterfeit credit card fraud during the period from December 2015 to September 2017. Other data of note is that over 2.7 million merchant locations are now accepting chip cards which equates to 96% of all credit card transactions in the US. You may remember that chip cards started being implemented back in 2015 to replace the ancient “magnetic stripe” technology that has been used for credit cards since the 1970’s. The move to chip cards was magnified because of the ma
The Shared Security Weekly Blaze – AI Enabled Privacy Policies, New Android Updates, Hotel Room Inspections
This is the Shared Security Weekly Blaze for February 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for February 26th 2018 with your host, Tom Eston. In this week’s episode: AI Enabled Privacy Policies, New Android Updates and Hotel Room Inspections. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Before we jump into the news I wanted to give some shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @Yohun, @borderless_i, @securid and @b0dach on Twitter as well as @cyberspacearmor and @silentpocket on Instagram and Andrew, Shawn and Jason on Facebook. Thank you for your support of the show! Do you ever read the privacy notices that are found linked in super tiny text at the bottom of a web page or the “privacy notice” emails you receive for the many different services and websites that you use? If you answered no, well you’re not alone. According to studies noted by security firm Sophos, 98% of us don’t read privacy notices. According to another study, it would take a person 30 full working days to read all the privacy notices for services the average person uses. While no one has time for that, let’s not forget that most privacy notices are filled with legal language and typically very difficult to understand. We really need a better way to understand how websites and services are using our personal information. Enter AI to the rescue! A new AI based technology called (POL-IS-IS) “Polisis” aims to visualize privacy notices through machine learning.
This tool can create visual flow charts based on what is written in the notice giving users a visual idea of what type of information is being collected and what options are available to users of these services. What I really like about Polisis is that they have thousands of privacy notices on their site that have already been analyzed. For example, you can type in Facebook.com to get analysis of their privacy notice as well as many other sites that you may frequently use. You can even submit links to other policies on the web to have them analyzed as well. Check out the show notes for the link to Polisis and if you’re interested in learning more about privacy notices be sure to check out the interview we did with Rebecca Herold, also known as the Privacy Professor, in Episode 71 of the podcast. Have an Android phone? If you do you’ll want to upgrade to the soon to be released Android 9.0 operating system (or currently known as “Android P”) for two new privacy features that are being added. According to several news sources, the new Android operating system will prevent an app from using the camera or microphone when the app is idling in the background. Once the app becomes active, the camera and microphone are available to the app again. This feature fixes a large privacy concern about the ability of malicious apps being able to monitor you via the camera or microphone on your device. Regarding how Android updates are handled, updates are rolled out by the manufacturer of your phone and sometimes in conjunction with your network provider so the updates can be customized to work with any features that your network provider has added. If you happen to own a newer Google device like the Pixel, you’ll get the update immediately, which is similar to how Apple releases updates to its iOS operating system. It’s important to note that almost all Android devices have an issue with what is called “device fragmentation”.
This means that if your device manufacturer and/or network provider decides to stop updating and supporting your device, you’ll never get future updates and most of these updates have patches to fix serious security vulnerabilities. Our advice is that with all the different versions of Android out there it’s important that you update your hardware, as well as your Android operating system, to keep up with security and privacy updates. Sounds like a good excuse to buy that brand new Google Pixel 2 you’ve always wanted. How would you feel if hotel security inspected your hotel room every 24 hours, regardless if you have a “do not disturb” sign on your doorknob? Well Caesars Entertainment told the Associated Press last week that this new policy will be implemented soon in all of their properties to address guest security concerns due to the mass shooting at the Mandalay Bay in Las Vegas which killed 58 people last October, as well as o
The Shared Security Weekly Blaze – Instagram Social Stalking, Cryptojacking, Equifax Breach Updates
This is the Shared Security Weekly Blaze for February 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for February 19th 2018 with your host, Tom Eston. In this week’s episode: Instagram Social Stalking, Cryptojacking, Equifax Breach Updates. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Ever get the feeling that a “social creeper” might be taking screen captures of your Instagram stories without your knowledge? Well this past week Instagram began testing a new feature in which a pop-up message will appear stating that “Next time you take a screenshot or screen recording, the person who posted the story will be able to see it.” This message will automatically appear when someone takes a screen capture of a story you posted. People taking screen captures of your stories will also be identified in the “seen by” list which is shown to you when you view one of your stories. Interestingly enough, the direct messages feature within Instagram as well as Snapchat have had a similar feature for quite some time. It’s important to note that in regards to Instagram direct messages, users are only notified when a screen capture is taken of a picture or video that you sent them via a direct message. There was no timeline given on when this notification feature will be added but I think this type of notification is a good thing from a privacy and awareness perspective.
But, no matter what controls are put in place to bring awareness to “social creepers”, just be aware that any notification or other control won’t be able to prevent someone from using another camera to take a picture of their device with your photos or stories on the screen. Always be mindful of what you post on any social media app and know that everything, even what you send privately, may not be so private after all. Over the last few weeks we’ve seen an increase in what are called “cryptojacking” attacks. A cryptojacking attack is where code within a website is used to hijack your web browser and the computing power of your device to silently mine cryptocurrency while you browse and use a website. With the recent rise in popularity of Bitcoin and other types of cryptocurrencies, this attack is becoming much more popular. In fact, just this past week, we saw thousands of websites across the world, including many government websites, being used to mine cryptocurrency. In this case, a third-party plugin called BrowseAloud (which helps blind and disabled people use websites) was compromised which allowed malicious code to be embedded in every website that had the BrowseAloud plug-in installed. This is similar to the attack we see with ad networks being compromised and pushing malware to unsuspecting users of common web sites. However, some companies are taking a new approach of disclosing to website visitors that by accessing their site you are in fact mining cryptocurrency for them. The news site Salon is one such organization that announced last week that they’ve introduced a feature called “suppress ads” which allows users to quote “block ads by allowing Salon to use your unused computing power” end quote. This is a very ingenious way for companies to help pay for their services while reducing the barrage of ads that we all see when using the Internet because…everyone hates ads, right?
It’s interesting to note that this is not the first time an organization has tried to harvest users’ computing power. Last year, the infamous website “The Pirate Bay” used code within their website to hijack users’ computing power to mine cryptocurrency back in September. The Pirate Bay called this a “test” in that using this code in the future would be a great way to replace ads completely. I think for most people, having a website disclose to you that it is going to harvest your computing power to eliminate ads is really no big deal. However, if you’re concerned about having your web browser and computing power hijacked to mine cryptocurrency you can use a browser add-on like NoScript or ensure your ad blocker within your browser is blocking known sites used to mine cryptocurrency such as Coinhive. From a privacy perspective, we always recommend the use of a browser add-on such as an ad blocker as well as the Privacy Badger add-on, which will block third-party advertising trackers. Check out the show notes for this episode on sharedsecurity.net for links to the browser add-on’
The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart Glasses
This is the 73rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded February 14, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast: The Shared Security Amazing Thing of the Month This month we discuss why it’s important to use a password manager as well as our personal recommendations on which one to use. Tom prefers KeePass, while Scott prefers LastPass. Regardless of our preference…any password manager you choose is better than none! Product Review: Silent Pocket Faraday Laptop Sleeve We were recently contacted by Silent Pocket to review one of their new products, the Faraday Laptop Sleeve and they were kind enough to send Tom one. This is a great privacy and security product which will block all wireless signals from a device including cellular, WiFi, GPS, Bluetooth, RFID and NFC in all frequencies. As mentioned on the show, you don’t need to be a person that is “ultra paranoid” about their privacy to use one of these devices. In fact, in recent months there have been more attacks targeting wireless devices (many of which we’ve mentioned on the show) so products like these add a simple extra layer of protection for your devices. Specifically, if you’re someone that would be considered “high risk” for having your wireless devices targeted (i.e. government, military, journalist or human rights defender) this product is an absolute must-have. Here are my observations of the Laptop Sleeve: The sleeve is very durable and made of excellent quality material. I like how the sleeve “snaps” together and seals itself. In fact, it holds a bit of air that you have to “push” out when you seal it which demonstrates how solid the seal is.
I tested the sleeve with a mobile phone and a 15″ MacBook Pro and I was unable to connect to my phone via Bluetooth, Wifi and cellular. My cellphone quickly reconnected once I removed it from the sleeve. As Scott mentioned on the podcast, we wondered if the battery on a mobile phone would drain more quickly looking for a mobile signal while protected in the sleeve. However, according to Silent Pocket’s FAQ, this isn’t an issue. You can use it for practically any wireless device like your car key fob or RFID enabled credit cards and passports. You could easily fit your laptop and a few other devices in the sleeve (it will be crowded and a bit tight, but it can work). On my next business trip I’m curious to see how it goes through the airport security x-ray process. If you’re interested in learning more about the laptop sleeve and other products you can visit silent-pocket.com for more information. Note to other privacy product vendors: We’re happy to review your products as well! Fill out our “Contact Us” form on sharedsecurity.net or send us an email at feedback[aT]sharedsecurity.net for more information. Intel Vaunt Smart Glasses Oh no! Is it Google Glass all over again? Tom and Scott don’t think so and in fact, this may turn out to be the next useful device. Germany Picks on Facebook Regarding the use of Real Identities We’ve mentioned this before on the podcast that Facebook doesn’t play nice with its users that don’t want to use their real names. Germany has something to say about that with this new court ruling. Will we finally see Facebook change this policy? Google Chrome will show your website as “Not Secure” if you don’t move to HTTPS Google recently announced that they will start showing non-HTTPS websites as “Not Secure” starting in July. If you have a business or own a website, best get started on purchasing an SSL certificate or get one for free through the Let’s Encrypt project.
Besides, Google automatically lowers the search results for non-SSL sites and they’ve been doing this for quite some time already. Fun Tweet from Kevin Mitnick (famous hacker)… So I went to the Apple Genius Bar to pick up a repaired iPhone. At the same time, the guy next to me is verbally giving his username and password to the Genius helping him. After he says his credentials he goes on to say he hopes he doesn’t get hacked. Only if he knew — Kevin Mitnick (@kevinmitnick) February 5, 2018 Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart
The Shared Security Weekly Blaze – Tax Season Scams, SIM Hijacking, Smart TV Privacy
This is the Shared Security Weekly Blaze for February 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for February 12th 2018 with your host, Tom Eston. In this week’s episode: Tax Season Scams, SIM Hijacking and Smart TV Privacy. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. It’s tax season here in the United States and as you may already know there are three things that are certain in life: death, taxes and criminals trying to scam you out of your hard earned money. Which means it’s time to be aware of common phishing and scam tactics that may target you during this tax season. In fact, this year (due to news of changes to the US tax code) there are now more opportunities for scammers to leverage this news to their advantage. Like any significant event that happens in the world (like natural disasters and terrorist attacks), attackers will leverage these news events in an attempt to elicit an emotional response from you so that you either click a malicious link or submit your private and sensitive information to the scammer. According to the SANS Internet Storm Center, recent tax related phishing emails that have been identified are asking for personal information in order to receive your tax refund. Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. These calls will typically ask for personal information or try to convince you to make a payment under the threat of being arrested.
Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant this tax season and please let your elderly friends, parents or relatives know about these tax scams. Unfortunately, the elderly are common targets for these types of attacks. Last week telecom giant T-Mobile sent out a mass text message to its entire customer base alerting them to add an additional security measure to their account. The problem? There has been a major increase in an attack called SIM hijacking, also known as a phone number port out scam. SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number or in some cases the attacker will attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they now have access to reset credentials for banking or potentially access to any other accounts that use a mobile phone number for access. SIM hijacking and fraudulent phone porting have become popular attacks for identity thieves as well as other criminals. This is because your mobile number is increasingly becoming the center of your digital identity in that your phone number is a unique identifier for you and is used for things like authentication to reset passwords and for two-factor access to many different types of accounts and systems. The way to help prevent this attack is to create a validation code with your mobile carrier. T-Mobile calls this a “port validation” code but other carriers may call this a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide this to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack happening to you.
You may have to research this on your mobile carrier’s website as each company has a different procedure for enabling this feature. Also note, you should ensure that this passcode or PIN is unique and different than any other passcode or PIN that may be in use with your mobile carrier such as the password for accessing your account for online access. Our number one story is about research Consumer Reports released this past week which found that millions of smart TVs are vulnerable to hackers and that all smart TVs are collecting private data about your viewing habits. Consumer Reports conducted their own testing as part of a security and privacy evaluation of smart TVs from popular brands such as LG, Sony and Vizio. Specifically, vulnerabilities were identified in Samsung TVs along with models made by TCL and other brands, that use the Roku smart TV platform. These vulnerabilities would allow an attacker to cause havoc on the victim’s TV like randomly change the channel, mute the TV speakers or pump up the volume unbeknownst
The Shared Security Weekly Blaze – License Plate Tracking, Jackpotting ATMs, Strava Global Heatmap Controversy
This is the Shared Security Weekly Blaze for February 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. This is your Shared Security Weekly Blaze for February 5th 2018…with your host…Tom Eston In this week’s episode: ICE license plate tracking database, the first Jackpotting attacks on US ATMs and the Strava global heatmap controversy. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Our number three story of the week is about ICE, the Immigration and Customs Enforcement Agency, and how they now have the ability to track billions of license plate records across the US using ALPR (Automated License Plate Recognition) technology. A company called Vigilant Systems has been putting together a database of license plate records submitted by repo agencies, local law enforcement, traffic cameras as well as data from roving ALPR vehicles (similar to the Google street view cars you may have seen roaming around your neighborhood). Vigilant Systems is partnering with ICE so that they can use this data in deportation and immigration control cases. Several civil liberty groups, such as the ACLU, have stated concerns that this database could be used to locate and track anyone in real-time for more than just immigration issues. Even if you’re not connected to a criminal investigation, your license record and driving habits could be in this database. The other controversy is that Vigilant Systems entered into a private contract with ICE, which is a government agency; therefore, there was no congressional oversight and no accountability with a massive surveillance system like this in government hands. 
What can you do if you’re concerned about ALPR technology and being tracked? From a legal perspective, several weeks ago the state of California introduced bill S.B 712 which would allow drivers to cover their license plate while parked legally in order to avoid roving ALPR scans, but the bill was rejected by the California senate just this week. No other states to my knowledge are proposing similar legislation. From a product perspective, there are ALPR “blockers” in the form of IR filters and special reflective coatings that can be applied to license plates in an attempt to block ALPR scans. There are many different types of products out there that are just a Google search away. Friendly disclaimer: you should research the legality of using such ALPR anti-tracking devices in your state and/or country before purchasing or using any of these products. Our number two story this week is about the “jackpotting” attacks that are targeting ATMs in the United States. Jackpotting allows malware installed on ATM machines to shoot out money just like a Las Vegas slot machine. For some strange reason I’m reminded of the movie “Vegas Vacation” in the scene where Clark Griswold jackpots his family bank account at the ATM. This attack, on the other hand, is no laughing matter. In order to perform the attack someone needs to physically access the ATM machine and install the malware via a USB port or through another interface, such as the cash dispensing or front loading slot, and eventually get the malware to infect the underlying operating system of the ATM. Brian Krebs from krebsonsecurity.com noted that most attackers quote “typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.” end quote. 
Now these attacks seem to require a risky amount of time to physically access the ATM, and in some cases attackers have used social engineering techniques such as dressing like an ATM technician to con their way to the ATM. It’s important to note that these attacks have focused on smaller ATMs typically located in pharmacies, gas stations and other small locations rather than your local large bank’s ATMs. The Secret Service as well as ATM manufacturers have sent out alerts notifying owners of these attacks and how to harden and secure their ATMs from physical attack. In the meantime if you happen to see an ATM jackpotting with money flying out…be sure to alert authorities. The number one story this week is the controversy over the Strava world-wide heatmap release that inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. Because of this, the US military is now reviewing its policies
The Shared Security Podcast Episode 72 – Mobile Phone Emergency SOS, Overview of Meltdown and Spectre
This is the 72nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded January 22, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast: The Shared Security Amazing Thing of the Month (we’re not sure what to name this new segment so we’re rolling with this for now…) Tom and Scott discuss the emergency SOS feature on your mobile device. There was a recent story in the news about a college student who was able to text message and send her location when she was being kidnapped. Even though the college student was able to find a way to text and send out her location, there are some easier and more discreet ways that you can make an emergency phone call as well as alert authorities to your location. Here are the instructions we mentioned on the show if you have an Apple iOS 11 device or on your Apple Watch. Android is not left out of the emergency notification party either! Here are details if you have an Android phone to enable or install this feature with an app. Overview of the Meltdown and Spectre Critical Vulnerabilities CPU hardware implementations (manufactured in the last 20 years) are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Modern processors perform speculative execution. To maximize performance, processors try to execute instructions even before it is certain that those instructions need to be executed. The best description of these vulnerabilities is from the original website announcing these issues: Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. 
While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers. Spectre in particular is quite interesting from an attacker’s perspective. For example, malicious JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Software patches are starting to come out for both of these vulnerabilities but there are reports of additional problems that the patches are causing, including impacting system performance in some cases. Announcing the Shared Security Weekly Blaze Podcast We’re starting a new weekly podcast which will bring you the hot security and privacy news of the week. The first episode has been released and you can still listen to the new podcast just like you do now. The idea is to give you fast and consumable security and privacy “news that you can use” in 15 minutes or less. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail. We hope you enjoy the new format! Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening! 
The Shared Security Weekly Blaze – Dark Caracal, Meltdown and Spectre Debacle, Amazon Go
This is the first episode of the Shared Security Weekly Blaze podcast. This episode was hosted by Tom Eston. Every Monday we’ll be releasing a short podcast, in 15 minutes or less, covering the top 3 hot news topics happening in the security and privacy world. The idea is to give you fast and consumable security and privacy “news that you can use”. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail. In this week’s episode we talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle. This is your Shared Security Weekly Blaze for January 29th 2018 with your host, Tom Eston In this week’s episode we’re going to talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the first episode of the Shared Security Weekly Blaze where we update you on the top three security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news you can use”. Our number three story for the week is about a new form of mobile malware that has been identified called Dark Caracal. The Electronic Frontier Foundation and security firm Lookout Security jointly announced research last week on what they are calling a new “malware espionage campaign” which has been targeting military personnel, activists, journalists and lawyers all across the world. The Dark Caracal malware campaign appears to be traced back to the Lebanese government. The malware affects Android mobile devices primarily but other systems like Windows could be affected as well. 
The Dark Caracal malware has the capability to install trojanized versions of popular secure messaging apps like Signal and WhatsApp as well as gain access to text messages, photos and data from other apps. This doesn’t mean that legitimate apps you may be using (like Signal) are infected with malware; it means that the malware can trick you into installing a fake version of that app. The Dark Caracal malware uses phishing and social engineering techniques through WhatsApp messages and Facebook Group posts to install the malware on the device. EFF Director of Cybersecurity Eva Galperin said “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.” This is not the first case of a large global mobile malware campaign. The Pegasus mobile malware, which targets Apple iOS, has been used by nation states such as the United Arab Emirates and the Mexican government to target individuals since 2016. It’s important to note that anyone could be a target for mobile malware; you don’t necessarily have to be targeted by a nation state! So what can you do to protect yourself? First and foremost be aware that phishing attacks typically start with emails, texts and social media posts and always try to elicit some type of urgent response or emotion from you to get you to click a link or provide sensitive information like passwords. Our advice? Think before you click! Check out previous episodes of the Shared Security Podcast where we talk about phishing and social engineering if you’re interested in learning more. The number two story of the week is the Meltdown and Spectre vulnerability patching debacle. In fact it’s such a debacle that the creator of the Linux operating system, Linus Torvalds, has said “All of this is pure garbage, The patches are COMPLETE AND UTTER GARBAGE. 
…They do things that do not make sense.” If you’re not familiar with the Meltdown and Spectre vulnerabilities here’s the deal: Earlier this month security researchers discovered two critical vulnerabilities in modern computer processors (or CPUs). These vulnerabilities allow an attacker to access data on a computer system that would be very difficult to obtain, such as passwords stored in your browser, photos, emails and even documents. The reason this problem is so big is that the vulnerability affects many different types of systems including personal computers, mobile devices as well as systems in the “cloud”, and it applies to all these different types of devices manufactured within the last 20 years. The guidance from the processor manufacturers like Intel has been to install patches that would be released by the different operating system vendors like Microsoft and Apple while they figure out how to fix these vulnerabilities in future processors. But not so fast! Some of these patches have already bee
The Shared Security Podcast Episode 71 – Special Guest Rebecca Herold “The Privacy Professor” (@PrivacyProf)
This is the 71st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rebecca Herold recorded December 13, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview and discussion about privacy with Rebecca Herold Rebecca has over 25 years of IT, info sec, privacy & security experience; is CEO & Founder (2004) of Rebecca Herold & Associates, LLC, aka The Privacy Professor(R); and President & Co-Founder (2014) of SIMBUS360. Rebecca is also an entrepreneur, author and Adjunct Professor for the Norwich University Master of Science in Information Assurance Program. Rebecca has led the NIST Smart Grid privacy group since June 2009 and has been an officer for the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group since June 2015. Rebecca has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 19 books to date, chapters in many books and hundreds of articles. In this podcast we discuss Rebecca’s background in privacy, how she got into her area of expertise as well as her thoughts on the evolution of privacy policies (aka: privacy notices that are found on websites and services that you may use). Thanks again to Rebecca for being a guest on the show! Be sure to connect with Rebecca through her website, Twitter, and LinkedIn. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! 
The Shared Security Podcast Episode 70 – Insider Threat Psychology with Special Guest Dr Helen Ofosu
This is the 70th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Dr Helen Ofosu recorded November 29, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview and discussion about insider threat psychology with Dr Helen Ofosu Dr Ofosu has more than 15 years of experience using industrial and organizational psychology in the business and government sectors. Dr Ofosu brings her vast knowledge, sensitivity, and special brand of humor to her career consultations, business, and government clients, and her presentations and speaking engagements. In this podcast Scott and Tom discuss insider threat psychology with Dr Ofosu, how to address insider threats in the workplace as well as what the most common “psychological factors” are that manifest as insider security threats to organizations. We also discuss some recent news stories about insider threats and what they mean to you and your organization. Thanks again to Dr Ofosu for being a guest on our show! Be sure to connect with Dr Ofosu through her website, Twitter, Facebook and LinkedIn. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
The Shared Security Podcast Episode 69 – Amazon Key, KRACK and DUHK Attacks, New Devices to Steal a Car
This is the 69th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded October 25, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Amazon Key opens your home for indoor deliveries A new Amazon Prime service now allows your package couriers access to your home to drop off deliveries. The system uses an Amazon smart lock and connected camera. Innovation or invasion of privacy/security nightmare? Tom and Scott debate the pros and cons! Severe WiFi security flaw puts millions of devices at risk (KRACK) A new attack (called KRACK – Key Reinstallation Attack) on the current standard for WiFi security (WPA2) allows an attacker to decrypt Internet traffic from devices being used on a WiFi network with WPA2 encryption enabled. While patches for most modern devices and operating systems will be released (i.e. Apple iOS, Windows 10, etc), many devices such as older Android phones and IoT devices may never get patched. Tom also mentioned a tool which can be used to “downgrade” secure HTTPS connections with this attack called SSL Strip. DUHK (Don’t Use Hard-coded Keys) Vulnerability Another recent attack (with a funny name) was announced on a specific type of cryptography implementation being used by certain VPNs. Specifically, VPNs which use specific versions of FortiOS are vulnerable. If you or your business uses one of these VPNs make sure you patch ASAP. Just a Pair of These $11 Radio Gadgets Can Steal a Car Stealing cars just got easier with a recently updated attack on certain keyless entry systems that cars use. Researchers have now demonstrated how easy it is to steal a car with just a pair of $11 radio gadgets. 
The best way to prevent this (until car manufacturers can patch/address the vulnerability) is to keep your car key in a “Faraday bag” or metal protective sleeve like those available for wallets to protect RFID enabled credit cards. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
The Shared Security Podcast Episode 68 – Special Guest Chris Hadnagy, Innocent Lives Foundation, Social Engineering
This is the 68th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Chris Hadnagy from the Innocent Lives Foundation and Social-Engineer.org recorded September 27, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview with Chris Hadnagy from the Innocent Lives Foundation Chris Hadnagy is a professional social engineer, founder of Social-Engineer.org, book author, host of the Social Engineer Podcast and founder of the Innocent Lives Foundation. Chris talks to us about his new organization and discusses the topic of social engineering. Please help support Chris’ organization which has a mission to unmask child predators in order to bring them to justice. You can find out more about volunteer opportunities as well as providing financial support at the Innocent Lives Foundation website. Chris also talks with us about the art of Social Engineering and what you can do to educate and protect yourself. Lastly, Chris provides a recap from the recent DEF CON Social Engineering CTF event. As mentioned on the show, be sure to check out this video from the Veracode blog about the winner from this year’s event. Thanks again to Chris for being our guest!