Shared Security Podcast

559 episodes — Page 10 of 12

New TSA Body Scanners, Back to School Cybersecurity, Instagram Hacking

This is the Shared Security Weekly Blaze for August 27, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Show Transcript

This is your Shared Security Weekly Blaze for August 27th 2018 with your host, Tom Eston. In this week’s episode: New TSA Body Scanners, Back to School Cybersecurity, and Instagram Hacking.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable, and undetectable. Visit silent-pocket.com for more details.

Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

The city of Los Angeles, California, in partnership with the US Transportation Security Administration, jointly announced that the city of Los Angeles is purchasing body scanners that will be used to screen metro riders. This new body scanning technology will be used to help detect weapon and explosive device security threats on one of the largest public transportation systems in the US. The Los Angeles metro system is also the first transportation agency in the nation to purchase such equipment. The technology is similar to what is used at airports, called millimeter wave technology, but does not emit radiation and no anatomical body images are displayed. What makes this type of scanner technology different is that these work off of your body heat and can detect objects that are hidden when heat waves are blocked. The other big difference is that metro passengers just need to walk by the scanners and not stop to line up like you normally would going through airport security. The other advantage is that the devices are portable, meaning they can be moved to a different area of a public transportation system if needed.

This news reminded me of a scene from the 1990 movie “Total Recall” with actor Arnold Schwarzenegger. There was a scene where passengers in the movie walked through a security system that was essentially an “x-ray” of their body. Skeletons of passenger bodies were displayed as security personnel observed passengers to detect weapons that might be coming into the transportation system. Back in 1990, most people watching that scene must have felt a little uneasy and concerned about the privacy ramifications of such invasive security technology. Funny that this was just a pipe dream back in 1990, but now very much a reality 28 years later. Given the security climate since 9/11, this technology shouldn’t really be a surprise to anyone. Coming full circle, privacy concerns are still very real today. In fact, there have been many cases of the TSA screening passengers inappropriately and abusing technology like this by violating passengers’ privacy, all in the name of “keeping us all safer”. Let’s hope that when this new scanning technology rolls out across the US, and I would assume across most of the world, we continue to hold the people in charge of these systems accountable to ensure our privacy while balancing the needs of security.

It’s that time again as school is starting back up for most students and we begin the yearly tradition of getting kids ready and prepared for school. With the new school year being top of mind for many of us, it’s a great time to think about how our schools are protecting student data from attackers looking to compromise and steal confidential student information. As of this podcast recording, according to the K-12 Cybersecurity Resource Center, there have been 356 cybersecurity related incidents targeting K-12 schools since January 2016, many of these incidents being ransomware attacks. Surprisingly, in 2016 it was noted by the US Department of Education that 60 percent of K-12 schools that were victims of ransomware attacks actually paid their attackers to get stolen student data back. There have also been other disturbing stories, like one recent incident in the Tulsa, Oklahoma Public School district where confidential student records were found in a dumpster. But it’s not only the outside attackers and careless school personnel you have to worry about, it’s also the students themselves. There has been a sharp increase in recent years in students hacking into their school networks and applications in order to change grades and attendance records. Based on these recent statistics and news stories you may be curious to know what the schools your kids go to, or the ones i

Aug 27, 2018 (11 min)

The Shared Security Weekly Blaze – ATM Cashout Attacks, Mobile Phone Voicemail Security, Google Location Tracking

This is the Shared Security Weekly Blaze for August 20, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Show Transcript

This is your Shared Security Weekly Blaze for August 20th 2018 with your host, Tom Eston. In this week’s episode: ATM cashout attacks, mobile phone voicemail security and Google location tracking.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

This is the 30th episode of the Weekly Blaze Podcast! I wanted to give a quick shout out and thank you to our listeners and sponsors for supporting the show! Thank you for all the feedback that you provide and we look forward to bringing you more great content in the coming weeks and months. Thanks for listening!

The Federal Bureau of Investigation is warning banks that criminals are looking to carry out a highly organized global “ATM cash out” in which criminals take previously cloned credit cards and use them at ATMs around the world to withdraw millions of dollars of cash, all within a few hours. In the past, this attack has been done around a holiday when banks and financial institutions are closed. This is because the limited staff at banks during a holiday makes it difficult for a bank to quickly respond to an attack like this. Similar attacks in the past have targeted small to medium sized banks, which may not have the robust security and fraud teams that a larger bank may have. Brian Krebs from Krebsonsecurity.com reports that this most recent FBI alert was related to a card breach of a bank in India called Cosmos. In this incident attackers drained $13.5 million from accounts using cloned cards at 25 different ATMs located in India, Hong Kong and Canada. Malware was also installed on the bank network, which was used to help process the fraudulent ATM transactions. In the alert to banks the FBI noted several common tips to help prevent banks from becoming a victim, but the truth of the matter is that many small and medium sized banks do not have the resources or staff to properly defend their systems from a dedicated attacker on their network. The best course of action for the rest of us is to stay vigilant about checking our credit and debit card statements and ensure you set up some type of fraud alerts for any transactions that may happen on your card. As a reminder, using a debit card instead of a credit card can be more risky due to the fact that money is instantly removed from your checking account and it can take weeks for the bank to reimburse you. Check out our show notes for a link to our episode on credit card fraud in which we discuss tips on how to prevent becoming a victim of this type of crime.

When was the last time you thought about the security of the voicemail on your mobile phone? If you’re like most of us, probably not at all. But as one security researcher named Martin Vigo demonstrated at the DEF CON hacking conference in Las Vegas this past week, it’s all too easy to hack into someone’s voicemail. Why would someone want to hack into your voicemail, you may ask? Well, there are many popular online apps and services that use a phone call to deliver a code that you can use to verify your identity through things like a password reset process. You may be surprised to know that this is a popular option for authentication alongside SMS text messaging, which hopefully all of you know is considered insecure. If you can hack someone’s voicemail, you now have the potential to compromise someone’s email, social networks, banking apps, conversations and much more. Martin’s research showed that sites like PayPal, WhatsApp, Instagram and LinkedIn all have a feature to call you to reset your password. So how does one go about hacking into someone’s voicemail? The first step is to find the backdoor number for the victim’s mobile carrier which allows you to login to the voicemail system to hear messages. Voice mailboxes are protected with a PIN code and many of these mailboxes are configured with default or easy to guess PIN codes, many of which are only 4 or 6 digits in length. In fact, Martin wrote a tool that can brute force common PIN codes and can also try random combinations of numbers until one of them w

Aug 20, 2018 (11 min)

The Shared Security Weekly Blaze – Facebook and your Financial Transactions, Smart Home Security, Critical HP Printer Vulnerabilities

This is the Shared Security Weekly Blaze for August 13, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Show Transcript

This is your Shared Security Weekly Blaze for August 13th 2018 with your host, Tom Eston. In this week’s episode: Facebook and your financial transactions, Smart Home security and critical HP printer vulnerabilities.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

The Wall Street Journal reports that Facebook is asking large banks to share customer information and financial records so that they can potentially offer financial services via Facebook Messenger. The proposal from Facebook includes getting access to bank customers’ card transactions, account balances as well as information on where customers are spending their money. In return for customer information, Facebook will provide banks with access to Facebook user information, which may be lucrative to a large bank looking to sell and target their services to existing and new customers. Facebook has said that they would not use any information provided by banks for targeted ads and would not share this data with third parties. This news comes as Facebook is still conducting damage control on their public relations after the infamous Cambridge Analytica scandal where the personal data of approximately 87 million Facebook users was harvested without user consent.

My take on this story is that Facebook needs to find new and innovative ways to collect user data, which in turn allows companies to use the Facebook Platform to give you, guess what, more ads. We all know how Facebook makes money and that’s through your data being used to sell you more stuff. It should be no surprise then that Facebook is looking to get into the social financial business recently made popular by PayPal’s Venmo app. Haven’t heard of Venmo? Venmo is an application which allows social sharing of financial transactions. Venmo itself has also been in the news recently for the ease with which anyone can publicly view the financial transactions of anyone using the app. This is because all Venmo transactions are made public by default. This past July a savvy developer created a Twitter bot called “@VenmoDrugs” to showcase any financial transactions related to drug deals, sex or alcohol. The developer eventually removed the Twitter account after being the center of some controversy and news reports, but it does demonstrate that there is money to be made with an app that allows transactions to be public by default. Venmo won’t be the last app that will monetize the social sharing of financial transactions and it seems Facebook doesn’t want to be the last.

Have you recently sold your home or moved into a home that has smart devices like thermostats, lights, cameras, alarm systems and other “Internet of Things” devices installed? Have you thought about resetting or changing the passwords that would allow access to those devices? Smart-device security, especially in a home that is being sold or if someone is moving out because of a domestic abuse situation, is being reported as a large problem that many people are now dealing with. For example, it can be very common for an ex-husband to leave a home due to a pending divorce but still have access to all the smart devices like lights, cameras and even thermostats. This can lead to abuse of this technology and cause real privacy concerns, especially with victims of domestic abuse. In regards to new homes, we all know that whenever you purchase a home that had a previous owner, you should always change the locks, garage and alarm codes and anything else that the previous owner had knowledge of. But if you happen to inherit smart devices as part of the purchase, you need to make sure you reset these devices back to default to ensure any previous access is removed. For other domestic situations, it’s advisable to reset any Internet of Things devices as well as ensure you have administrative access to these accounts or disable or change passwords as necessary. With the increase of smart devices in our homes we need to ensure we add smart devices to the list of things to secure whenever our living si

Aug 13, 2018 (8 min)

The Shared Security Weekly Blaze – Quiet Skies TSA Surveillance Program, SIM Hijacking and the Reddit Data Breach, Sextortion Scams

This is the Shared Security Weekly Blaze for August 6, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Show Transcript

This is your Shared Security Weekly Blaze for August 6, 2018 with your host, Tom Eston. In this week’s episode: The Quiet Skies TSA surveillance program, SIM hijacking and the Reddit data breach, and sextortion scams.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

If you like our weekly podcast we would really appreciate you leaving a five star review in iTunes. We’ll be sure to thank you on the show! Click the iTunes link in our show notes for this episode to leave us a review and thank you for your support!

Ever feel like you’re being followed when you’re at the airport or while on a flight recently? Well, you may actually have been followed, as the Boston Globe reported last week that federal air marshals are following US citizens that are not suspected of a crime at airports and on airplanes. The previously unknown program called “Quiet Skies” has caused controversy within the Transportation Security Administration (aka the TSA) as thousands of US citizens that are not on any watch list are being surveilled and observed to see if they violate 15 rules which are part of a checklist that air marshals need to follow. Characteristics that air marshals look for include things like excessive fidgeting, wide-open staring eyes and even if the subject slept on the flight or went to the bathroom. According to the report, about 35 passengers are targeted every day and there are 2,000 to 3,000 federal air marshals that conduct this and other air marshal duties across airports in the United States. What I find interesting is that federal air marshals themselves are questioning the need for the Quiet Skies program. One air marshal said to the Boston Globe, “What we are doing [in Quiet Skies] is troubling and raising some serious questions as to the validity and legality of what we are doing and how we are doing it”. Groups such as the ACLU are now involved, questioning if passengers’ constitutional rights are being violated by this program given that people’s race, religion or mental health may put someone under surveillance. Of course, the TSA declined to discuss the Quiet Skies program but noted that “federal air marshals leverage multiple internal and external intelligence sources in its deployment strategy”. As many of you are hopefully aware, the TSA in the United States has come under much scrutiny over the last several years due to treatment of passengers during screening as well as the federal air marshal program itself. It should be interesting to see how this recent revelation about the previously secret “Quiet Skies” program puts more pressure on Congress to further scrutinize the activities of the TSA and the Department of Homeland Security.

Last Thursday, the popular news and social media site Reddit announced that they had a data breach. The data breach apparently happened in June and exposed some user data including current email addresses and a backup database which had usernames and hashed passwords from 2007. The attackers apparently targeted several Reddit employee accounts that were being used with Reddit’s cloud and source code providers. Reddit noted that while they did secure these employee accounts with SMS based two-factor authentication, the attackers were still able to compromise these accounts even with two-factor authentication enabled. It’s important to note that the attackers did not compromise further Reddit systems or user accounts. This most recent data breach example further demonstrates that sites and services need to move away from using SMS based two-factor authentication and start using authenticator apps like Google Authenticator or provide methods to use a hardware token or solution such as a YubiKey. As we’ve mentioned before on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port out scams. SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone

Aug 6, 2018 (9 min)

The Shared Security Weekly Blaze – Bluetooth Vulnerabilities, Malicious Apps Removed from Twitter, Gmail Confidential Mode

This is the Shared Security Weekly Blaze for July 30th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Click here to leave your review in iTunes!

Show Transcript

This is your Shared Security Weekly Blaze for July 30th 2018 with your host, Tom Eston. In this week’s episode: Bluetooth vulnerabilities, malicious apps removed from Twitter and Gmail confidential mode.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Researchers from the Israel Institute of Technology announced a critical vulnerability in Bluetooth technology which could allow an attacker, within physical proximity of the Bluetooth device, to intercept, monitor, or change the data being used by the Bluetooth device. Several vendors of Bluetooth implementations including Apple, Broadcom, Intel and Qualcomm have firmware and some software drivers that are vulnerable to this attack. The vulnerability is caused because the current Bluetooth specification recommends, but does not require, that a device supporting two specific features (called Secure Simple Pairing and LE Secure Connections) validate the public key received over the air when pairing a Bluetooth device. It’s important to note that there is no evidence that this vulnerability is being exploited in the wild and that vendors are working on patches if their implementations of Bluetooth are affected. So what does this Bluetooth vulnerability mean for you? First, always stay up-to-date on patches for any Bluetooth device that you may be using. For this vulnerability in particular the good news is that Apple, Intel and Broadcom have already released patches. What may be more problematic is more obscure “Internet of Things” devices, which happen to use Bluetooth, that may never receive updates because they were either manufactured cheaply or were not designed with security updates in mind. This, of course, is a much larger problem that does not have an immediate solution. However, the risk here seems very low for most of us because an attacker needs to be in very close proximity to the victim.

Last week Twitter announced that it removed more than 143,000 malicious apps from their service. Twitter said that the applications were removed between April and June of this year but did not specify which apps were deleted, saying only that they removed these apps because developers had violated Twitter’s policies. Twitter stated in a blog post that “We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter”. In addition, Twitter announced a new app registration process for developers which has applicants go through a more rigorous approval process, including having developers include all details on how their apps will be used and limiting the number of default apps that developers can create to 10. This news from Twitter comes at a time when other large social networking companies like Facebook are cracking down on malicious and spammy apps. In Facebook’s case, the infamous Cambridge Analytica controversy made Facebook audit all apps that had requested user data in the past. Facebook has removed around 200 or so apps since they began this audit earlier this year. Facebook has also significantly changed its developer policies to align with better privacy data practices since the Cambridge Analytica controversy as well. In related Facebook news, it’s worth noting that Facebook suffered its largest drop in market value, to the tune of $119 billion, when they announced their Q2 quarterly earnings on a call with investors last Wednesday. Facebook stated that they will be taking a “privacy first” approach with their product development which will likely have an impact on future revenue growth. This news caused the biggest ever one-day loss in market value for a U.S.-listed company in the history of the US stock market. This is an interesting development as the demand for greater privacy and transparency from Fac

Jul 30, 2018 (8 min)

The Shared Security Podcast Episode 78 – Summer Camp Facial Recognition, Dark Web Dangers

This is the 78th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright, recorded July 18, 2018. Listen to this episode and previous ones direct via your web browser by clicking here!

Subscribe to our new email list! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up via this link today!

In this episode Tom and Scott discuss the recent trend in using facial recognition technology at kids’ summer camps. While there are many advantages for parents that are looking for easier ways to see what their kids are doing at camp, the use of facial recognition technology also opens up many questions and concerns about the privacy and security of this technology, especially when it comes to our children. We also discuss the risks of using the “dark web”: what the dark web is, how you access the dark web, what the associated risks are, and why you may not want to browse and use dark web (.onion) sites if you don’t know what you’re doing.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

Jul 26, 2018 (39 min)

The Shared Security Weekly Blaze – Lost and Stolen Devices, Instagram and SIM Hijacking, LabCorp Security Breach

This is the Shared Security Weekly Blaze for July 23rd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for July 23rd 2018 with your host, Tom Eston. In this week’s episode: Lost and stolen devices, Instagram and SIM hijacking and the LabCorp security breach.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.

Did you know that over 26,000 electronic devices (including mobile phones, laptops and eReaders) were lost in the London transport system last year? A report released by a research firm called Parliament Street showed that the majority of lost devices, to the tune of 23,000, were mobile devices, followed by laptops with approximately 1,000 devices lost. This announcement has been a wakeup call of sorts for UK businesses to ensure that there are protections in place for the data being stored on lost or stolen devices. Not only does this present a business risk, but also a personal privacy risk as well. I’m sure many of these devices were not properly protected by very basic device security controls such as passcodes for mobile devices and full disk encryption for laptops. While 26,000 devices does seem like a lot, imagine how many devices go missing in an even larger transportation system like the one in New York City. Physical device security is one of the most important, and easiest, security controls you can implement on your devices to avoid having your data accessed if your mobile phone or laptop is ever lost or stolen. Some of the basics for a mobile phone are to ensure you’re setting a long, complex passcode or passphrase, ensure that the device is erased after 10 failed login attempts, as well as enabling any GPS or location tracking so that you have a way to find your device if it’s ever lost. You’d be surprised how many people are able to find their lost device by using a feature like this. Also, for laptops always enable full disk encryption that is enabled upon powering on your laptop. For Windows laptops, depending if you have Windows 10 Professional or not, you can enable BitLocker for full disk encryption. If you have Windows 10 Home Edition, you can use a free and open-source full disk encryption solution called VeraCrypt. MacOS users should enable FileVault, which is installed with all modern versions of MacOS. See our show notes for links to these different full disk encryption solutions to ensure your devices are protected if they are ever lost or stolen.

Instagram is reported to be developing a more secure way of two-factor authentication by moving away from text messages to more app based solutions like Google Authenticator or Duo. As we’ve previously reported on the Weekly Blaze, SIM card “port out” scams, also known as SIM hijacking attacks, have been on the rise in just the last year or so. A SIM hijacking scam is where an attacker will call your mobile carrier and use social engineering techniques to transfer your mobile number to another carrier, thus giving the attacker access to receive SMS text messages. This access is then used to reset passwords on many popular apps like Instagram as well as your email service, which can also be used to reset passwords. Many celebrities and others with very valuable Instagram user names have been a target of this attack but it can really happen to anyone, especially if you’re known to be trading bitcoin or other cryptocurrency. With the recent popularity of cryptocurrency, this attack is now financially motivated. So what can you do to prevent becoming a victim of a SIM port out scam? First, contact your mobile carrier to ensure you have set up or configured a P

Jul 23, 2018 – 9 min

The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy

This is the Shared Security Weekly Blaze for July 16th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 16th 2018 with your host, Tom Eston. In this week’s episode: Polar fitness app location data exposed, blocking scam phone calls and the Samba TV privacy controversy. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I wanted to clarify a few details about the new California Privacy Act that I discussed on the Weekly Blaze podcast last week. While this law applies only to California residents, it will most likely have broader implications for all major businesses in the US. Most major companies that deal in personal data have some California customers. That will leave those businesses with two options: either build systems and procedures to comply with California law, or treat Californians one way and every other customer another. It should be interesting to see how this plays out in the coming months before this law is made official in 2020.
Here we go again with more fitness apps exposing the location of spies and military personnel. You may remember back in February on the second episode of the Weekly Blaze podcast we discussed how the popular fitness app Strava inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. This information was all found through Strava’s publicly available “world-wide heatmap” of Strava users. This time around it’s fitness tracker Polar’s turn, which has an app called “Polar Flow” with a developer API that can be improperly queried. In addition to the public Polar user map, the data exposed includes all user details including GPS coordinates. Journalists from the Dutch news site De Correspondent were able to identify over 6,400 users across 69 different nationalities that have been using the Polar Flow app, and to see who they are and where they worked by using Google and LinkedIn to correlate the data. Many of these users were found to work for different government agencies including the Dutch military. Dutch authorities have noted that this is a major problem as there are rules that the Dutch military should not wear their uniforms in public or have other personal information exposed which could identify them, due to recent terrorist threats on military members and their families. Polar responded last week by taking its publicly available activity map offline and issuing a statement noting that all users have “opted-in” to have their private information shared, as by default all workouts are private. However, no word from Polar about that misconfigured developer API. The Dutch military, as well as other countries, have started banning the use of fitness trackers due to these security concerns.
Like we always mention on the show, even if you make sure your privacy settings in fitness apps like these are locked down, there may be ways, like insecure developer APIs, that could be used to pull your private data anyway. Let this issue with Polar be a reminder that you need to determine for yourself if you accept the risk of putting your personal workout data and location out there for anyone to potentially access. Don’t you hate robocalls, telemarketers, and scammers calling your phone day in and day out? Well, Google announced last week that they are going to be adding a new feature to their phone app called “Call Screen” which will automatically screen calls from unknown and suspicious numbers. This new feature, which looks like it may launch on the Google Phone, will make suspicious callers answer one or more automated questions. The audio and audio transcription of the answers are then relayed to the call recipient so they can decide if they want to answer the call or not. This feature comes on the heels of a new “warning filter” that was implemented for telemarketing calls that is now

Jul 16, 2018 – 9 min

The Shared Security Weekly Blaze – Mobile App Data Leaks, The California Privacy Act, Third-party Gmail Access

This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 9th 2018 with your host, Tom Eston. In this week’s episode: Mobile app data leaks, the California privacy act, and third-party Gmail access. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Researchers from a mobile security company called Appthority have released concerning details about their research into Android and Apple iOS apps that use a cloud-based backend database called Firebase. Firebase was acquired by Google in 2014. Appthority reviewed more than 2.7 million mobile apps and discovered that around two thousand of these apps had unsecured Firebase databases. These databases were found to be wide open, allowing anyone to view around 2.6 million user names and plain text passwords, 25 million GPS location records, 50 thousand financial transactions and approximately 4.5 million user tokens for social media sites.
In addition, over 4 million PHI (Protected Health Information) records were found containing prescription and private chat records. To add insult to injury, all that was needed to access these unsecured databases was to append a simple “/.json” to the end of a database host name. The good news is that Appthority reached out to Google to alert them of the issue and Google was able to contact app developers to fix the issue. Ironically, in our last episode of the podcast, we discussed the Exactis data leak which exposed 340 million records due to developers not properly securing ElasticSearch databases. Data leaks due to developers not properly securing and configuring databases seem to have reached epidemic proportions. The unfortunate side effect of data leaks like these is that if your data happened to be exposed, you may never know about it. Of course, unless your data happens to show up on a list of compromised databases like Troy Hunt’s “Have I Been Pwned” service, it’s very hard to know if criminals have accessed or used data from all these recent data leaks. Until developers and database software take a “security by default” approach and companies are held more accountable for securing our private information, data leaks like these are going to continue well into the future. The new California Privacy Act of 2018, recently passed by the California legislature, will apply to more than 500,000 US businesses according to the International Association of Privacy Professionals (IAPP). This new law is similar to the GDPR privacy legislation that was recently enacted by the European Union. Beginning in January of 2020 all California residents will have the right to transparency about data collected, the right to be forgotten, a right to data portability and a right to opt out of having their data sold.
This law will apply to any business in California that collects personal information and to businesses that sell or disclose personal information for a specific business purpose. Ironically, some of the largest companies that use and sell personal data, such as Google and Facebook, are headquartered in California. These new rules will be enforced by the California attorney general and businesses could face fines up to $7,500 for each violation. This bill is currently the strongest privacy law in the United States so it will be interesting to see if other states follow suit or if legislators start discussing a federal privacy law in line with what currently exists with the European GDPR privacy legislation. Google confirmed last week that emails from Google’s free Gmail email service can be read by some third-party app developers. Specifically, third-party apps can request access to users’ Gmail accounts if there is particular functionality that requires email access. For example, some apps need to send and receive emails or integrate into a mail account to pull out specific data. Most of the time it&#821

Jul 9, 2018 – 8 min

The Shared Security Weekly Blaze – New WPA3 Wireless Standard, Malicious Smartphone Batteries, Exactis Data Leak

This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 2nd 2018 with your host, Tom Eston. In this week’s episode: New WPA3 Wireless Standard, Malicious Smartphone Batteries and the Exactis Data Leak. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Did you know that you can now opt in to our brand new email list for the podcast? Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign up at sharedsecurity.net today. The anxiously awaited new wireless standard, WPA3, was officially launched by the Wi-Fi Alliance last week. This new wireless standard will fix several known vulnerabilities with the previous WPA2 standard such as the KRACK attack, which can allow an attacker to intercept and decrypt wireless network traffic.
Note that many Wi-Fi device manufacturers have already patched for the KRACK attack; however, the Wi-Fi Alliance made sure that WPA3, by default, included protection for this particular attack and other known issues with WPA2. WPA3 will have increased protection against brute-force attacks and support for something called SAE (Simultaneous Authentication of Equals), which will prevent attackers from decrypting previously captured network traffic even with a compromised Wi-Fi network password. Other new features include individualized data encryption to prevent local “Man-in-the-Middle” attacks and a feature called “Wi-Fi Easy Connect” which will allow simple and secure pairing of Internet of Things devices that don’t have a visual screen or display. This will replace “Wi-Fi Protected Setup”, also known as WPS, which has been proven to be insecure. According to the Wi-Fi Alliance, mass adoption by device manufacturers and consumers is predicted to start taking place towards the end of 2019. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Last week, security researchers showed that maliciously crafted smartphone batteries can allow an attacker to harvest sensitive information such as characters typed on the touch screen and browser history, and to detect incoming phone calls and when a photo has been taken. It’s also possible to exfiltrate that data, one bit at a time, through the web browser installed on the device. This exfiltration can take place through something called the Battery API that is available in the Google Chrome mobile browser. The Battery API was deemed a privacy issue by Apple and Mozilla so it was removed from Safari and Firefox. While this particular attack seems pretty far-fetched, this research shows the possibilities with attacks that may target mobile devices through the supply chain, especially in China where most mobile phones are manufactured. It’s not that far of a stretch when we already have malware that has been installed in hardware and other devices coming through similar supply chains for many years now. One of the researchers who discovered this issue says “The attack may seem like a stretch (requires physical battery replacem

Jul 2, 2018 – 9 min

The Shared Security Podcast Episode 77 – Personal Risk Assessments, Stingray Surveillance Devices

This is the 77th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright, recorded June 19, 2018. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! In this episode Tom and Scott discuss the concept of developing your own privacy threat model and personal risk assessment. We often discuss privacy threats and risk on the podcast so we thought it would make sense to discuss how to put together your own threat model to determine what risk you actually face from potential threats. We define risk, in the context of the topics of this podcast, as how likely it is that a potential threat may compromise your privacy or your personal information. We define a threat as something bad that can happen to you, like receiving phishing emails, having malware installed on your computer or even surveillance being conducted by a nation-state or ISP on your Internet activities. Here’s an example of putting risk and threat together. Let’s say you have a nice car and you park it in an area that is known for a high threat of crime and auto thefts; there is a greater risk that your car may be stolen than if it was parked in an area not known for crime and auto theft. The first step in the personal risk assessment is to create a privacy threat model for yourself. We’re going to reference a really great framework for threat modeling put together by the EFF (The Electronic Frontier Foundation), borrowed from their helpful guides on Surveillance Self-Defense. The EFF threat model starts by having you answer the following five questions: What do I want to protect?
Who do I want to protect it from? How bad are the consequences if I fail? How likely is it that I will need to protect it? How much trouble am I willing to go through to try to prevent potential consequences? The idea is to answer these questions as best as you can in preparation for an event or action that you may be taking related to your privacy. Based on your threat model you can then determine what tools and techniques are appropriate for your level of risk. This is always a personal decision! Some examples: “I want to hide my browsing habits from third-party ad trackers or my ISP.” This scenario may be low risk to you, so you may be fine just using a VPN and privacy-focused browser plugins like EFF’s Privacy Badger. “I’m not comfortable giving Facebook my personal data.” This scenario may be more of a medium risk for you, so you may choose to delete your Facebook account or be more careful about what you post. “I’m a journalist in a foreign country reporting on human rights abuses.” This scenario is most likely high risk to you, so you should consider using a burner laptop, Tor and the Signal app for communication. Listen to the full episode where Tom and Scott discuss other real world applications for privacy-related threat modeling. We also discuss Stingray surveillance devices which are commonly used by law enforcement and governments to intercept mobile phone communications. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

Jun 29, 2018 – 31 min

The Shared Security Weekly Blaze – MyLobot Malware, Updates on Third-Party Location Data Sharing, Fortnite Scam Websites

This is the Shared Security Weekly Blaze for June 25, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 25th 2018 with your host, Tom Eston. In this week’s episode: MyLobot malware, updates on third-party location data sharing, Fortnite scam websites. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. A new serious form of malware called MyLobot (apparently named after the researcher’s pet dog) was discovered by security firm ‘Deep Instinct’. This new form of malware is quite dangerous as it will make infected systems part of a large botnet and has the ability to install trojans and keyloggers, conduct DDoS attacks, ensure that it cannot be detected and even run executable files from within system memory. Having executable files run from within memory is a newer technique only discovered by malware researchers in 2016 and makes detecting this type of malware much more difficult.
Researchers have indicated that this particular form of malware is quite advanced and not the typical work of an amateur. In addition to all of this, there is an interesting delay feature which will not allow the malware to communicate with its command and control servers for approximately two weeks. This delay was put in to avoid detection by modern endpoint detection and other techniques which usually pick up malware infections like these. To top it all off, the malware will attempt to detect and disable other types of malware already installed, effectively eliminating other malware competition. Deep Instinct researchers indicate that this type of advanced malware is being sold on the ‘darkweb’ for purchase and that “Other than the malware itself, malware developers can purchase services that assist in the infection process. An attacker can purchase access to exploit kits, buy traffic of tens of thousands of users to a web page, or even buy a full ransomware-as-a-service for his own use”. As we’ve mentioned on the podcast before, one of the primary ways that malware can get installed on your computer is through phishing and social engineering. There are, of course, other ways such as drive-by downloads from malicious ads and compromised web sites hosting malicious code. Besides being more aware of phishing and social engineering, you can help defend your computer by keeping your system patched and up-to-date as well as using ad blocking web browser plugins like uBlock Origin and web tracker prevention plugins like EFF’s Privacy Badger. Check out our show notes for details on where to download and how to install these plugins. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents.
CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. This week I wanted to provide an update on the news we mentioned on the podcast a few weeks ago regarding how the major wireless carriers were selling your real-time location data to various third-party companies. Just this past week Verizon, AT&T and Sprint announced that they will no longer share customer location data with third-party data aggregators like one particular company we discussed on the podcast called ‘LocationSmart’. This change was most likely due to the in

Jun 25, 2018 – 9 min

The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested

This is the Shared Security Weekly Blaze for June 18, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 18, 2018 with your host, Tom Eston. In this week’s episode: Ultrasonic Hard Drive Attacks, Dangerous USB Devices and Email Fraudsters Arrested. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Researchers from Princeton and Purdue University have shown how sonic and ultrasonic signals, which cannot be heard by a human, can be used to physically damage computer hard drives by using the computer’s own speaker or a speaker that is near the device. In their research they demonstrated how this vulnerability could be leveraged to attack hard drives in CCTV (Closed-Circuit Television) systems as well as desktop and laptop computers. In their experiments, they were able to cause errors in just 5-8 seconds on hard drives from Seagate, Toshiba and Western Digital.
In one particular experiment on a Dell XPS laptop, they were able to cause the laptop to freeze and crash within seconds after a malicious file was played over the laptop’s built-in speaker. It’s crazy to think that an audio file can be a new attack vector that may start being leveraged by attackers. The good news is that the researchers indicated that these vulnerabilities could be remediated through firmware updates provided by the hard drive manufacturers, so not all is lost. I’m sure the threat of this happening to most people is very low; however, I suspect that a nation-state or dedicated adversary could easily take this research and ‘weaponize’ it to target specific individuals in order to destroy incriminating information. Two groups most likely targeted could be journalists and human rights defenders. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. This week was a historic one for US President Donald Trump and North Korea’s leader Kim Jong-un as they met face to face in Singapore during their very first summit together. However, what happened behind the scenes may have been more interesting.
You see, journalists attending the summit were given very special commemorative gift bags which had a guidebook, a water bottle, a trial to a newspaper and a fan that plugs into a USB port on your computer. Wait, did you say a USB fan that plugs into your computer? Now we all know that you shouldn’t plug random, untrusted USB devices into your computer, right? Not to mention that these USB devices are from a foreign country and we’re talking about the United States and North Korea leadership all in the same area together…what could possibly go wrong? In the show notes we’ve linked to a funny but not so funny article showing the tweets that many security researchers posted about this mysterious USB fan. Even if you have nothing to do with this summit, the advice from us and other professionals is to never put a USB device from a conference or other non-trusted source like this in your computer. There have been many reports of devices like these being infected with malware and given that this is a historic summit with probably spies all over the place, the risk of something n

Jun 18, 2018 – 8 min

The Shared Security Weekly Blaze – MyHeritage Data Breach, Facebook’s Data Sharing Partnership, Apple iOS 12 and macOS Updates

This is the Shared Security Weekly Blaze for June 11, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 11th 2018 with your host, Tom Eston. In this week’s episode: MyHeritage data breach, Facebook’s data sharing partnership and Apple iOS 12 and macOS updates. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. MyHeritage, the DNA and ancestry service, announced a large data breach this past week which exposed the email addresses and hashed passwords of approximately 92 million customers. Apparently, a file containing this data was found on a private server by a security researcher who reported it to the Information Security team at MyHeritage. Customers affected include anyone that signed up for an account prior to October 26, 2017. Regarding how user passwords are being stored, MyHeritage stated that “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer.
This means that anyone gaining access to the hashed passwords does not have the actual passwords”. No further details were provided on how the file was found or why it was on a private server to begin with. Other than the typical advice of “change your password” and the announcement that MyHeritage will be implementing two-factor authentication in the near future for added account protection, MyHeritage does not suspect that any IT systems were compromised in the breach. My take on this situation is that it sounds like a developer or other internal employee posted this file in error, or there is the possibility that a disgruntled employee maliciously posted the file. We may never find out what really happened here, but I do find it ironic that just a few short weeks ago we had discussed the impact of an ancestry company that holds the DNA records of millions of people having a data breach. I’m also surprised that MyHeritage is only now implementing two-factor authentication given that this type of account protection has been the standard for many years now. Like our other advice discussed on the podcast, we can’t rely on third-party companies to keep our personal data secure. You need to decide if you want to risk your data being exposed, either by accident or through a compromise, by choosing the companies you want to supply your personal information to. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. Facebook is in the news once again, this time for its data partnership with 60 companies including Amazon, Apple, BlackBerry, Samsung and several Chinese companies such as Huawei. Huawei was identified as a threat to US national security by government officials which makes this partnership a little bit more interesting. Access to Facebook data was given to these companies as early as 2011 so they could tightly integrate Facebook into their devices. This was a feature implemented before the Facebook app became the most popular way to access Facebook on a mobile device. This type of data access allows devices to pull Facebook data so that they can provide a Facebook-like experience. For example, Blac

Jun 11, 2018 · 10 min

The Shared Security Weekly Blaze – Telegram Messenger in Russia, Amazon’s Facial Recognition Technology, Digital License Plates

This is the Shared Security Weekly Blaze for June 4, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 4th 2018 with your host, Tom Eston. In this week’s episode: Telegram Messenger in Russia, Amazon’s Facial Recognition Technology and Digital License Plates. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. The Russian communications agency has given an ultimatum to Apple if they do not remove Telegram, which is a secure messaging app, from the Apple App Store in Russia. Several months ago the Russian government banned the Telegram app because Telegram refused to give them the private encryption keys to access messages being sent through the app. 
Russia claims that terrorists are using the Telegram app and are demanding what is essentially backdoor access to chats for government investigations and surveillance. Apple now has a month to comply with this request or face regulatory action from the Russian government. It’s also being reported that the same request also went out to Google to ban Telegram from the Google Play app store as well. Now despite this request Telegram is still being actively used by Russian citizens through the use of VPNs which allow circumvention of any blocking of Telegram servers that the Russian government is actively doing. This news reminds me of the controversy back in 2016 here in the US regarding the iPhone of the San Bernardino shooter in which the FBI asked Apple to unlock the shooter’s iPhone for their investigation. Like the Telegram situation it’s a very dangerous proposal when governments begin asking for companies to install backdoors or to do things that circumvent built-in security and privacy controls. This is a debate that will be continuing for sure; in the meantime it’s important that we all support the need to protect our own privacy by keeping encryption and other security technologies built into the devices and apps that we use. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization.
For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. Amazon is in the news recently about a cloud-based facial recognition technology they’ve developed called “Rekognition”. Rekognition can identify approximately 100 people in a single image leveraging databases containing the faces of millions of people. The controversy is that Amazon has been offering this service to law enforcement agencies and it’s already being used by the Orlando Police Department and a Sheriff’s office in Oregon which adds to the growing list of surveillance technology now in the hands of local government. In the case of the Orlando Police Department, Amazon actually gave this technology to them for free as a proof-of-concept. In a blog post written by the American Civil Liberties Union, they express great concern since this is a case of the government partnering up with a large tech company t

Jun 4, 2018 · 9 min

The Shared Security Weekly Blaze – Real-time Location Tracking, VPNFilter Router Malware, Apple’s GDPR Updates

This is the Shared Security Weekly Blaze for May 28, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for May 28th 2018 with your host, Tom Eston. In this week’s episode: Real-time Location Tracking, VPNFilter Router Malware and Apple’s GDPR Updates. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. How valuable is your real-time location? For many of us, it’s a very scary thought to think that someone may have access to easily track your whereabouts in real-time with no permission from you or little or no recourse for their actions. 
Well for mobile phone carriers your location means more profit for them because they have been selling access to real-time location data to different third-party companies. In late breaking news the other week a company called LocationSmart, which is a real-time data aggregator of mobile phone location data, has been able to access the real-time location of every phone from every major US carrier (that includes AT&T, Sprint, T-Mobile and Verizon) without user consent. A researcher named Robert Xiao who is from Carnegie Mellon University was messing around with a web demo of the LocationSmart application and found that he could query the real-time location of some of his friends through a vulnerability in the API of the application. The LocationSmart demo app was not taken down until famed reporter Brian Krebs from KrebsSecurity.com got involved and reported on the issue. This is also not the first time that we’ve recently seen real-time location data from the mobile carriers being used suspiciously. Back in early May, a company called Securus was identified through a New York Times article that was about a former sheriff who was using location data through the Securus service to track people without a warrant or user consent. To add further insult to injury, a hacker broke into Securus systems and stole 2,800 usernames, emails and hashed passwords of Securus customers. Ironically, Securus gets its location data from, you guessed it, LocationSmart. You also shouldn’t be surprised that these are probably not the only two companies that have access to real-time location data. You can bet that many other organizations, including criminals and nation states are also using services from similar companies. This entire situation brings into question what mobile phone carriers are doing with our location data. Of course they need to monitor, track and record your location otherwise your phone wouldn’t work and it would defeat the purpose of having a mobile phone altogether. 
However, it comes as a surprise that the carriers are blatantly giving your location data to third-party aggregators which in turn are giving this to other companies who work for law enforcement and the government. Seems to me that this is a great way for mobile carriers to make money off of your location data and for law enforcement to “bypass” a warrant and other user privacy protections. It’s also sad that you as the consumer of these mobile services have no control over how your location data is shared with third-parties, especially since we all advocate to change and lock down location sharing features on your devices and apps as a way to prevent third-parties from receiving this information. With the carriers selling off your location information it makes these settings pretty much useless. Your best course of action to prevent a third-party from tracking you is to use a Faraday bag like the ones from our sponsor, Silent Pocket, which block all wireless signals and make your device completely secure while in the Faraday bag (well except for

May 28, 2018 · 12 min

The Shared Security Weekly Blaze – Efail Vulnerabilities and PGP Encryption, Facebook’s App Investigation, Nest Password Notifications

This is the Shared Security Weekly Blaze for May 21, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for May 21st 2018 with your host, Tom Eston. In this week’s episode: Efail vulnerabilities and PGP encryption, Facebook’s app investigation and Nest password notifications. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support! Multiple vulnerabilities dubbed “Efail” were announced by European security researchers in several popular email clients that make it possible for attackers to view the plaintext of email messages encrypted with PGP (also known as Pretty Good Privacy) and S/MIME encryption standards. Email, as you’re hopefully aware, is not encrypted by default. This is often referred to as “plaintext” email. 
PGP and S/MIME have been the standard for email encryption for many years now and are used by many people and businesses to secure email communication. The Efail vulnerabilities allow an attacker to embed previously obtained encrypted text into a new email and also include a web URL of the attacker’s server. When the email is sent to the victim the email client decrypts the email like normal but inadvertently sends the plaintext of the previously encrypted email to the attacker’s server. The issue lies in the way vulnerable email clients decrypt encrypted email. One very important point to make is that PGP and S/MIME encryption is not broken. While it may not be a modern encryption solution, it’s still a viable and secure method to safeguard sensitive emails and other information such as documents and files. This particular issue is about vulnerable email clients, not the encryption protocol itself. Organizations such as the EFF have advised to disable PGP and S/MIME within your email clients as a temporary solution until fixes for the email clients identified as vulnerable are released. You can still encrypt and decrypt emails outside of your email client if you’re already using PGP. However, the disabling of encryption software should be based on your own level of risk vs. just turning off encryption safeguards altogether. For example, if you are a human rights activist that knows your email communication is being monitored by say, a nation-state, there may be much more risk to you of being a victim of this attack because it’s more than likely that all of your encrypted email communications have already been collected. If you were at this level of risk, you absolutely should take heed and disable PGP in your email client and perform encryption and decryption through other means. You should also consider using other secure end-to-end encryption services like Signal to send sensitive messages.
If you’re a low risk PGP or S/MIME user you should determine if you have a vulnerable email client and ensure you update when patches are released. Check out our show notes for details on what email clients are vulnerable and for more details about the Efail vulnerabilities. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more

May 21, 2018 · 10 min

The Shared Security Weekly Blaze – Recent Windows Vulnerabilities, Exposed Passwords, Credit Freeze Controversy

This is the Shared Security Weekly Blaze for May 14, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for May 14th 2018 with your host, Tom Eston. In this week’s episode: Recent Windows vulnerabilities, exposed Twitter and GitHub passwords and the latest credit freeze controversy. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support! Microsoft has recently released patches for two rather serious vulnerabilities that are currently being exploited in the wild. One vulnerability, dubbed “Double Kill”, affects the Windows VBScript engine through the Internet Explorer web browser which impacts most modern Windows operating systems including Windows 10.
The other vulnerability is described as an elevation of privilege vulnerability which only affects Windows 7 and Windows Server 2008. With the VBScript engine vulnerability, an attacker leverages a malicious Word document to exploit the flaw through the Internet Explorer web browser. The interesting aspect of this attack is that even if you don’t use Internet Explorer, and use another browser like Chrome or Firefox, you can still fall victim to this attack. This is because Internet Explorer is tightly integrated into the rest of the Windows operating system. Researchers have noted that this vulnerability in particular is looking to be one of the most exploited in the future because of the way it leverages Internet Explorer to conduct the attack. The other critical vulnerability announced is a little harder to exploit as the attacker needs to log in to a Windows system as a regular user, then run an application to exploit the vulnerability, which would give the attacker full control of the victim’s system. Lastly to note, there were about 20 more critical updates that were part of this most recent patch release from Microsoft that are not yet known to be actively exploited. The best way to protect yourself against these latest vulnerabilities and future ones is to ensure you’re running the most current version of Windows as well as checking that Windows Update is set to automatically download and install critical updates. See our show notes for details on where you can check to see how Windows Update on your system is configured. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents.
CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. Twitter and popular code repository site GitHub announced that user passwords were exposed to internal employees through an internal log due to a system related bug. In the case of Twitter the issue is related to the hashing function that masks passwords before they are stored in their system and in the case of GitHub they have only said that the passwords were discovered in a recent audit and no further details were given. Twitter proactively sent out a notice to all of its 330 million users to change their passwords even though there was no evidence of misuse but as a precautionary measure. In the cas

May 14, 2018 · 9 min

The Shared Security Podcast Episode 76 – Special Guest Kevin Johnson (@secureideas), Router Hacking, GDPR, NSA Metadata

This is the 76th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guest Kevin Johnson recorded May 7, 2018. Listen to this episode direct via this link or through the media player embedded in this post! Interview with special guest Kevin Johnson Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute. Kevin has performed a large number of trainings, briefings and presentations for both public events and internal trainings. He is the author of three SANS Institute classes: SEC542: Web Application Penetration Testing and Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. Kevin has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard and ISSA. Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group). In this episode we discuss a broad range of hot topics with Kevin including how big of a Star Wars fan he is, Russian router hacking, home router security, security awareness of the typical consumer, GDPR, NSA metadata, Facebook and much more! Kevin is always a fun, uncensored and very entertaining guest. We hope you enjoy this interview as much as we did! Thanks to Kevin for being a guest on our show!

May 10, 2018 · 41 min

The Shared Security Weekly Blaze – DNA Privacy, This Week’s Social Media Privacy News Roundup, Remote Car Hacking

This is the Shared Security Weekly Blaze for May 7, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Leave us a review! If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for May 7th 2018 with your host, Tom Eston. In this week’s episode: DNA Privacy, This Week’s Social Media Privacy News Roundup and Remote Car Hacking. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @PrivacyAlive, @Yohun and @TASCET on Twitter as well as Michael and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Have you thought about the privacy and security of your DNA? Well recently it was announced that the “Golden State Killer” suspect Joseph DeAngelo was arrested and is accused of 12 homicides, 45 rapes and more than 100 robberies that took place in California from 1976 through 1989. Investigators disclosed that the arrest was due to DNA information that was from an open source genealogy website called “GEDMatch”. 
Apparently, a distant relative of DeAngelo was found in the database which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. This brings into question that anyone who may have submitted their DNA test results to an open-source database like this could be used by others for more than just criminal investigations. I think it’s fascinating that even if you don’t submit your DNA to one of these services people that have some distant DNA relationship to you may already be in a database like this used to locate criminals. This case has set off numerous discussions and debates to review the privacy policies of popular DNA testing companies such as 23andMe, MyHeritage and Ancestry.com. It’s important to note that all these companies require a court order for law enforcement in order to access DNA records, however, it does not stop someone from taking their own DNA records and importing it into a larger open-source database like the one used to find the Golden State Killer. In my opinion, your DNA records are extremely personal and are much more valuable than any other piece of personally identifiable information that may be out there about you. And while many different companies have sprung up recently that are in the business of building out family trees, it begs the question regarding how these companies are protecting your DNA information. Could you imagine the fallout if one of these companies like 23andMe had a data breach? Our advice is for you to determine if it’s really worth submitting your DNA to one of these services as most likely your genetic data, through some distant relative of yours, may get caught up in an investigation or used for another purpose that you may not even be directly involved with. What a time to be alive, isn’t it? Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? 
If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. In Facebook and social media privacy news last week it was discovered that Twitter also sold data to Aleksandr Kogan, the researcher who happened to sell the personal information of over 87 million Facebook users to Cambridge Analytica.

May 7, 2018 · 11 min

The Shared Security Weekly Blaze – Child Identity Fraud, Tech Support Scams, Amazon Key In-Car Delivery

This is the Shared Security Weekly Blaze for April 30, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 30th 2018 with your host, Tom Eston. In this week’s episode: Child Identity Fraud, Tech Support Scams and Amazon Key In-Car Delivery. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @jandrusk and @privacydivas on Twitter as well as itincloud and pacifictech808 on Instagram and Jason, Johann and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! A sobering report was released last Tuesday which showed that more than 1 million children in the United States were victims of identity theft last year. The study by Javelin Strategy & Research shows that in 2017 more than $2.6 billion in total losses and over $540 million in out-of-pocket costs to families are attributed to child identity fraud. 
What’s surprising about this study is that it showed more than half (which is 60%) of child identity fraud victims have a personal relationship with the person stealing their identity. This is in stark contrast to adults where only 7 percent of adult fraud victims know the fraudster. Also of note, there was a strong correlation between a child being bullied and identity fraud. Bullied children are more than nine times more likely to be victims of fraud than children who were not bullied. One of the big problems this study highlights is the challenges we have with the security of credit reports. Given that there have been large breaches like Equifax which highlight how adults can have their identities stolen through the use of their credit reports, I find it disturbing that we don’t give the topic of child identity fraud more attention. Children don’t have credit reports until they are old enough to apply for credit on their own so it’s often overlooked that if the personal information of a child is stolen, it’s much easier for a fraudster to use a fresh, unused credit history to their advantage. Also, given the fact that the fraudsters are people that know these children personally, it makes using their personal information (and credit) much easier than with adult victims. Some signs or indicators specific to child identity fraud include the child being turned down for benefits, receiving notices from the IRS about unpaid taxes or debt collectors calling about products and other things you or your child has never purchased. If you’re a parent I would highly recommend the following advice from the FTC and others about how to secure your child’s identity such as potentially freezing their credit, determining how they are sharing their personal information, monitoring existing accounts and keeping physical documents like birth certificates and social security cards secure and out of reach of household guests and visitors.
Regarding freezing your child’s credit, this is something you should research on your own as not all states allow this and some experts debate if there may be more risk in opening up a credit file before your child is ready to start building their credit. Check out our show notes for links to more advice on this very important topic. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visi

Apr 30, 2018 · 12 min

The Shared Security Weekly Blaze – Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls, Russian Router Hacking

This is the Shared Security Weekly Blaze for April 23, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 23rd 2018 with your host, Tom Eston. In this week’s episode: Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls and Russian Router Hacking. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @securityvoid, @HammerITConsult, @davegeek_ and @Yohun on Twitter as well as Tim Maliyil on Instagram and Richard, Jason and Eddie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! There was an article this past week that totally got my attention and should get yours as well which was titled quote “Is your Android phone a ‘toxic hellstew’ of vulnerabilities?” end quote. Toxic hellstew does sound rather terrible so if you have an Android phone you may want to pay attention to this. 
A study was recently released that found that your Android phone may be lying to you about critical patches that should be installed by your device manufacturer. This issue called the ‘hidden patch gap’ was discovered by German security firm Security Research Labs. The research shows that some popular Android devices from Google, Sony, Samsung and many other brands would show that they were fully patched when in fact they were missing security patches, and in some cases up to a dozen patches from a specific time period. This means that without current security patches, these Android devices were left vulnerable to various attacks. The researchers believe that manufacturers are setting these false patch levels in an attempt to deliberately deceive consumers that their devices are secure. Device manufacturers like Google have responded to the research stating that there are other layers of security in Android devices to protect them from attack and patching is just one of those layers. Of course they did not admit to providing consumers with a false sense of security. While patching of Android devices has always been a challenge because of the known issue of device fragmentation, where older Android devices may never get updated, patching should be of utmost importance to device manufacturers because of the rise of mobile device attacks. So what can you do to see the real patch level of your Android device? Well the researchers behind the ‘toxic hellstew’ patch issue released an app called ‘SnoopSnitch’ that can run a test to see the real patch level of your device. If your device ends up being fully patched once running the app you should be up-to-date on recent patches. If not, you may want to consider being more careful what you click on, what apps you install and how you use your Android device until your manufacturer ‘really’ updates your phone. 
If you really are concerned, you may want to consider getting a different Android device from another manufacturer in the future. Check out our show notes for details on downloading the SnoopSnitch app and for a link to a FAQ about the testing results and what they mean to your device. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. In Facebook news this week,

Apr 23, 2018 · 11 min

The Shared Security Podcast Episode 75 – Cybersecurity Education with Gotham Sharma (@g0thamsharma) and Dr. Brian Krupp (@briankrupp)

This is the 75th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guests Gotham Sharma and Dr. Brian Krupp recorded April 16, 2018. The Cybersecurity Education Episode In this episode we’re joined by two cybersecurity educators for their perspective on the current state of education in the cybersecurity industry. This is a really important topic given the current cybersecurity skills shortage where it’s becoming more difficult to find qualified and skilled individuals to fill cybersecurity jobs. Gotham Sharma serves as the Managing Director of the Exeltek Consulting Group, where he manages daily operations of the New York City based cybersecurity advisory firm. Previously a Wall Street consultant for Global Technology Operations at various Fortune 500 Organizations, Gotham left financial services to consult for the nonprofit world, where he focused on youth development and STEM education. In particular, his work centered around designing Career and Technical Education (CTE) Programs for traditionally disconnected young adults. You can contact Gotham via his LinkedIn page. Dr. Brian Krupp is an Assistant Professor in the Computer Science department at Baldwin Wallace University. He is the faculty advisor of the Mobile Privacy and Security (MOPS) research group where their current research is investigating methods to increase consumer awareness of privacy issues in smartphone and tablet applications. He is also the faculty advisor of CS+ which provides computer science opportunities for elementary to high school students through Tech Camps, school visits, and partnerships in the NEO region. You can contact Dr. Krupp via his Twitter or find out more about the classes he teaches and his work with students via his Baldwin Wallace University home page. 
On this podcast we discuss if there really is a shortage of cybersecurity talent and what programs are available for young kids as well as teenagers and college students that may be interested in a cybersecurity career. We also discuss the importance of mentorship, being a good mentor as well as the need for more women, minorities and diversity in the cybersecurity industry. Thanks to Gotham and Dr. Krupp for being guests on our show! The post The Shared Security Podcast Episode 75 – Cybersecurity Education with Gotham Sharma (@g0thamsharma) and Dr. Brian Krupp (@briankrupp) appeared first on Shared Security Podcast.

Apr 19, 2018 · 32 min

The Shared Security Weekly Blaze – Facebook goes to Congress, More Data Breach Announcements, New Hope for Replacing Passwords

This is the Shared Security Weekly Blaze for April 16, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 16th 2018 with your host, Tom Eston. In this week’s episode: Facebook goes to Congress, More Data Breach Announcements and a New Hope for Replacing Passwords. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @ZodMagus, @Yohun, @BNI212, @StrongArmSecure, @Borderless_i and @drheleno_ca on Twitter as well as @itincloud, @dahveezy, @grassfedmama and @simpletechla on Instagram and Johann, Richard, Julie, Jason and Stephane on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! The Facebook news continues this week with the announcement of a new tool to see if you or your friends shared personal information with Cambridge Analytica. This tool won’t tell you which of your friends took the quiz called “This Is Your Digital Life” but will just say how many of your friends may have taken the quiz. 
If this tool tells you if some of your friends took the quiz which allowed your data to be harvested, be sure to scold them until you find out who did it. Just kidding but you may want to make a post about it so that your friends are aware of what they did. Also within this tool Facebook gives you a link to review the information you share with other third-party apps. So check out our show notes for the link to this tool and for more information. In other Facebook news, Facebook confirmed recently that it uses automated tools to scan private chats within their Facebook Messenger application for malware links, child porn and other violations of its terms of service. This news was surprising to many users of the Messenger app as most people thought that these conversations were not being monitored by Facebook. Just so you’re aware, the only conversations that are not able to be monitored by Facebook are “secret” conversations which only work on the Apple iOS and Android versions of Facebook Messenger. Facebook’s secret conversation feature is actually the same end-to-end encryption protocol used by Signal, which is one of the most popular secure messaging applications that you can use. To use secret conversations you have to enable this on a per conversation basis. For details on how to do this check out our show notes. One important thing to note about Facebook secret conversations is that if the other party you’re having a private conversation with reports your conversation for something inappropriate, these messages are decrypted and sent to Facebook’s support team. Just something to be aware of if you’re using the secret conversations feature. Last but not least, Facebook CEO Mark Zuckerberg testified to Congress last week which included legislators from both the Senate and House of Representatives. 
Legislators asked Mark Zuckerberg questions about how Facebook secures user data, what type of regulations should the government put in place for Facebook and for Mark to explain the details around the Cambridge Analytica controversy. One thing that I noted during the testimony was that these legislators really have no idea how Facebook or any social network works. It was surprising to me that Mark Zuckerberg had to explain very basic functions and features that are part of using Facebook as well as how Facebook makes revenue. For example, many legislators seemed to be unaware that Facebook has very detailed privacy controls for everything that a user can share and were confused regarding how messaging apps like WhatsApp even work. I believe one Senator even noted that the messaging application WhatsApp can be used to send email. Now I realize this is a very similar situation for those fellow gen X’ers like myself that may have a non-technical parent that may not have a clue about social media or technology. However, if a legislator is proposing to regulate a technology that they know nothing about…we’re in for

Apr 16, 2018 · 11 min

The Shared Security Weekly Blaze – The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service, Saks Fifth Avenue and Panera Data Breaches

This is the Shared Security Weekly Blaze for April 9, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 9th 2018 with your host, Tom Eston. In this week’s episode: The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service and the Saks Fifth Avenue and Panera Data Breaches. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. I also have several shout outs this week to @yohun and @nevon on Twitter as well as Richard, David and Johann on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Ever since the Facebook Cambridge Analytica controversy an online movement has started to form called #DeleteFacebook. The delete Facebook movement is in response to Facebook’s recent privacy firestorm regarding the way the social network collects your personal information. I’m sure many of you have had friends or family either say they are quitting Facebook or are planning on doing so because of everything that’s been going on in the news about Facebook recently. 
Having said that, I wanted to quickly talk about the #DeleteFacebook movement and how it applies to what we talk about on this podcast. When Scott and I started this podcast back in 2009 it was called the “Social Media Security” podcast and for very good reason. Social networks like Facebook were just starting to get popular and it seemed like the wild west in regards to the lack of privacy controls as well as awareness of social network security issues. As the years went on we began speaking more about social network risks and privacy issues but also how to use them safely. We soon realized that all of us were going to use social media at some point so how can we use it with some sense of balance between our privacy and the need to share information with friends and family. Education became the theme rather than “delete your accounts and never use social networks”. In fact, Scott and I make it well known that we use social networks like Facebook all the time and even promote engaging us on various social media platforms so that we can have conversations about these important topics. We strongly believe that education, through the use of social media, can make the most impact to others about privacy and security issues. One of the taglines that the podcast developed over the years is, “we bring you stories, advice and tips to make better risk decisions because no one else can make them for you.” This tagline is what this podcast is all about and tells us that it’s your decision to use Facebook or not. Like most everything in life, there is always a risk of something. If you accept that Facebook is going to harvest your personal information, as it was designed to do, then you accept that risk. If it seems too risky and you want to delete Facebook and all other social media, that’s fine as well. However, we believe that all of us can use social networks more safely and can limit the amount and type of personal information that we share. 
Remember that you ultimately have control of what you post and the information you share on social networks. Internet performance and security company Cloudflare released a new privacy focused DNS service this past week called 1.1.1.1 which aims to solve several of the privacy issues related to using the DNS service of your Internet Service Provider (or ISP). If you’re not familiar with what DNS is and why it’s important, here’s a quick overview. DNS stands for the Domain Name System. You can think of DNS as a big directory of the Internet. Whenever you type in a website like sharedsecurity.net into your web browser the first thing that happens is that a DNS server needs to be queried to find the IP address of that name. If we didn’t have DNS we would all have to remember IP addresses such as 69.39.236.80 to get to a website like sharedsecurity.net. With Cloudflare’s DNS service, you can use their DNS s

Apr 9, 2018 · 12 min
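The episode above gives a quick overview of DNS: the browser asks a resolver for the IP address behind a name such as sharedsecurity.net, and every query goes in the clear to whichever resolver you point at, which is the privacy gap the 1.1.1.1 service targets. The following is an added example, not code from the podcast or from Cloudflare: it builds a standard A-record query in DNS wire format, parses a response (including the name-compression pointers real servers use), and checks the transaction ID so a spoofed reply is rejected. The response packet is constructed inline for offline use, with the name and address taken from the transcript; the helper names, the transaction ID 0x1234 and the 300-second TTL are this example's own assumptions.

```python
import random
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header (flags 0x0100 = recursion desired) + one question: QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            if not jumped:
                end = off + 2                          # caller resumes after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(pkt: bytes, expected_txid: int = 0x1234):
    """Return [(name, ttl, dotted_ipv4)] for every A answer; reject bad replies."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                # skip echoed question(s)
        _, off = read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def resolve(name: str, server: str = "1.1.1.1", timeout: float = 3.0):
    """Live lookup over plain UDP/53 (cleartext, needs network). Random txid per query."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, txid)


# Constructed response for offline use: answers the sharedsecurity.net query
# with the address quoted in the transcript (TTL of 300 is an assumption).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # response, RD+RA, no error
    + encode_name("sharedsecurity.net") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                        # pointer to the name at offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([69, 39, 236, 80])
)

if __name__ == "__main__":
    print(build_query("sharedsecurity.net").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

Everything in that packet is readable by anyone on the path between you and the resolver, which is why switching resolvers changes who sees your browsing, not whether it is visible on the wire; an encrypted transport (DNS over TLS or HTTPS) is what hides the query itself.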

The Shared Security Weekly Blaze – Facebook’s Privacy Firestorm, MyFitnessPal Data Breach, Ramifications of CLOUD and FOSTA

This is the Shared Security Weekly Blaze for April 2, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for April 2nd 2018 with your host, Tom Eston. In this week’s episode: Facebook’s Privacy Firestorm, the MyFitnessPal Data Breach and Ramifications of the CLOUD and FOSTA Bills. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @Yohun, @zroone, @StrongArmSecure, and @CamilleEsq on Twitter as well as @vanishedvpn and @newcybersource on Instagram and Lou, Shawn, Jun, and Andrew on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Since the news broke about Facebook and the Cambridge Analytica controversy the other week, there has been a firestorm of information coming out about Facebook’s data harvesting practices as well as new tools and information about Facebook’s privacy settings which are in response to Facebook’s recent privacy challenges. For example, Mozilla the creator of the Firefox web browser released a new browser extension called “Facebook Container” which lets you isolate your Facebook activity to just Facebook.com which will limit the amount of tracking that Facebook can do while you browse the web. 
Keep in mind, when using a browser extension like this any sites that you “sign-in” using Facebook will no longer work. In other Facebook news, details also came out about Facebook collecting phone call metadata from Android phones that have the Facebook mobile app installed. This data included names, phone numbers and the length of each call made or received on the device. This access is given during the installation of the Facebook app which asks for permission to read contacts off of the device. The reason Facebook does this is so your contact data can be used to find and match more Facebook friends for you. Apparently older versions of Android allowed access to call and message logs in addition to contacts on your device. The issue has been fixed in newer versions of Android but if you had the Facebook app installed before these updates were made, the Facebook app would still be able to access this data. It’s important to note that Apple iOS has never allowed apps to access call logs and other call data. So if you have an Apple iOS device, you’re safe…for now. Check out our show notes for instructions on how to remove these permissions if you have the Facebook app installed on your Android device. Given all the news about Facebook recently, and where your data may have been collected, you may be thinking it’s time to re-evaluate your use of Facebook and to ponder on the reasons why you may or may not want to continue using the social network. One tip we have to share is that you do have the ability to download all the data that Facebook has about you so you can see for yourself what information has been collected. See our show notes for details on how you can do this but you may be surprised to see all the data that Facebook has collected about you, especially if you’ve been a long time user of Facebook. In other breaking news this past week, Under Armour announced that their app MyFitnessPal was breached sometime in February of this year. 
This breach affects 150 million user accounts making it the second largest data breach of consumer data in U.S. history right behind the infamous Yahoo data breach which happened in 2016. The information compromised included usernames, email addresses and hashed passwords. While details about how the breach happened have not been released there are a few good things to mention. First, in the breach disclosure Under Armour mentioned that bcrypt was used as the hashing function for storing passwords. Bcrypt is a much more secure method of storing passwords so depending on how bcrypt was implemented it will be very difficult for an attacker to find out users’ passwords. Second, Under Armour announced the breach very quickly which is far different than other similar breaches we’ve seen like the Equifax breach last year. So what should you do if you’re a user of the MyFitnessPal app? First, change your password by going to the MyFitnessPal website. Ho

Apr 2, 2018 · 12 min

The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac)

This is the 74th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rachel Tobac recorded March 25, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview with special guest Rachel Tobac Rachel is the CEO & Co-founder of SocialProof Security where she helps people and companies keep their data safe by training them on social engineering risks. Rachel also placed second place two years in a row in the DEF CON hacking conference’s Social Engineering Capture the Flag contest (SECTF). In her remaining spare time, Rachel works as the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) where she empowers women to lead the converging fields. In this episode, Tom and Scott speak to Rachel about her adventures participating in the Social Engineering Capture the Flag contest at DEF CON. Rachel also discusses her thoughts on how to avoid being a victim of a social engineering attack and how more young women can get into cybersecurity and technology careers. Of course, no interview with Rachel would be complete without discussing her favorite (and least favorite) David Lynch movies as well as her book recommendations. Rachel was super fun to chat with! On the show Tom and Rachel mentioned the call that Chris Kirsch, the winner of last year’s DEF CON SECTF, performed. Here’s the re-enactment you should definitely check out! Thanks again to Rachel for being a guest on our show! Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. 
Thanks for listening! The post The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac) appeared first on Shared Security Podcast.

Mar 29, 2018 · 28 min

The Shared Security Weekly Blaze – Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs, Siri Lock Screen Privacy

This is the Shared Security Weekly Blaze for March 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for March 26th 2018…with your host, Tom Eston. In this week’s episode: Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs and Siri Lock Screen Privacy Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @StrongArmSecure, @BrotherBlarneyS and @AANaseer on Twitter as well as @newcybersource and @thebluehawaiipodcast on Instagram and David, Julie, Gary and Jason on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show! Several privacy focused vulnerabilities were identified in three popular VPNs. According to research done by VPN Mentor, PureVPN, Zenmate and Hotspot Shield were all found to leak your real IP address. This vulnerability could allow an attacker to know your real location while you use the Internet which is not the purpose of a VPN at all. Hotspot Shield and PureVPN appear to have remediated this issue but as of this podcast recording, Zenmate VPN has not fixed these vulnerabilities. In addition, functionality was disabled in the Firefox web browser that could invade your privacy. Mozilla has disabled functionality, called the proximity API, which allows websites you visit to know how far your phone is away from your face as well as the ability to detect what the ambient light levels are of the room you’re in. The reason that Firefox is disabling these features is that they can be used to fingerprint or identify you to target more ads to you. 
In regards to the ambient light sensor, some techniques can be used to leak your browsing history in something called a browser history attack. Mozilla is disabling these features in Firefox version 62. As we’ve mentioned on the show many times before, make sure you’re staying up to date with software updates for the apps you use especially VPNs and your web browser. Ensuring you are applying frequent updates is one of the most important things you can do from a cybersecurity perspective. Do you have an iPhone with Siri enabled from your lock screen? If you do, you should know that there is a new vulnerability that can allow Siri to read out messages from the lock screen even if those messages are hidden. This vulnerability allows someone to access hidden messages from many different types of third-party applications including popular secure messaging apps like Facebook Messenger, Signal and WhatsApp. The good news is that the vulnerability doesn’t apply to Apple iMessage or standard text messages. The vulnerability currently affects version 11.2.6 of iOS and Apple is aware and working on a fix. If you are concerned that someone would be able to gain access to sensitive information in your messages you’ll need to do the following two things. First, turn off screen notifications in your settings for any sensitive applications you may be using and second, disable the feature to allow Siri to be used when your device is locked. Check out our show notes for details on where these settings are on your iOS device. Last weekend Facebook confirmed that back in 2013 an academic researcher named Dr. Aleksandr Kogan created a Facebook app called “This is Your Digital Life” which was a personality quiz distributed through Facebook. When Facebook users took the quiz it harvested profile data from their Facebook account. 
About 300,000 Facebook users took the quiz, but the data of about 50 million users ended up being harvested because the app also accessed profile data of those users’ friends. In 2014, this was Facebook’s feature called “friends of friends” where apps could access your friends’ data under certain conditions. This data was then given by Kogan to a political consulting and data analytics firm called “Cambridge Analytica” which apparently has ties to US president Trump and his political campaign. According to sources, Cambridge Analytica used this data to profile 50 million people so that they could target them with political propaganda prior to the US election. Many news articles and other sources have been stating that this was a “data breach” and that this data was effectively “stolen” from Facebook users. These statements are absolutely false because that’s not how Facebook applications work at all. Each user that took this quiz willingly installed the app and accepted that their personal data was going to be accesse

Mar 26, 2018 · 11 min

The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware

This is the Shared Security Weekly Blaze for March 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. Show Transcript This is your Shared Security Weekly Blaze for March 19th 2018 with your host, Tom Eston. In this week’s episode: The Insecure Internet of Things, Spectre Patch Updates and Android Malware. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Shout outs this week to @Yohun, @ClarkWillClark, @drheleno_ca and @eg0sum on Twitter as well as @heath_robinson on Instagram and Tom, Shawn and Jamie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support! A new paper called the “Secure by Design Report” from the UK government’s Department for Culture Media and Sport describes 13 new security guidelines for manufacturers of Internet of Things devices (also abbreviated as IoT). If you have been listening to past episodes of the podcast or have been paying attention to the news, we’ve seen a huge increase in devices such as smart watches, Internet enabled cameras and hundreds of other connected devices like coffee machines and even toasters. Yes, you can actually buy a connected toaster that you can control from your mobile phone just in case you want to really fine tune your toasting process. Over the last several years Internet of Things devices have been found to have many different kinds of security vulnerabilities such as being configured with default passwords, having no mechanism to be updated and the lack of features to delete private data. 
In fact, insecure devices like these have been hacked to steal information and can be hijacked to be used in botnets, like the Mirai botnet in 2016, that infected over 300,000 IoT devices with malware. These new guidelines aim to educate manufacturers so they can build and eventually sell secure products. I think these guidelines are a great start to advocate good security practices for IoT device manufacturers, however, guidelines are just guidelines. Will manufacturers listen to this advice or will they continue to sell devices that are easily hackable? Unfortunately, it’s very difficult to determine if the IoT device that you’re purchasing is secure or not. From what we’ve seen in the past, many of these new IoT products are cheaply made with the purpose of getting cool technology out to the market to make a quick sale. In fact, it’s really easy to do a quick search on Amazon for pretty much any “connected” device these days to find manufacturers or sellers that no one has ever heard of. One tip I’ve found helpful is to check reviews and comments left by owners of products that you may be interested in purchasing to find out if any security or privacy configurations are being discussed or if there are known security issues that the manufacturer is aware of and is addressing. Like these guidelines state, it’s up to the device manufacturers to bear the burden of securing their products. For us consumers we either need to accept the risk that these products may compromise our security and privacy or just not purchase these devices altogether. I mean, it’s still possible to make toast with a regular toaster and not a connected one. Intel is almost ready to release more updated patches for the critical Spectre vulnerability that affects almost all computer processors manufactured within the last 20 years. If you have a Dell, Lenovo or HP PC you should start seeing these updates showing up through your update software within the next few weeks.
Spectre and its close cousin, Meltdown, are critical hardware vulnerabilities which allow attackers to steal data that is being processed within your computer. This data could include sensitive information such as passwords, emails, photos and documents. You may remember that back in late January, after releasing the original updates, Intel told PC manufacturers to stop the deployment due to random reboots and the “blue screen of death” happening after the patch was installed. These patches need to update the firmware of your PC, so make sure you have your software update feature enabled and working. Many times after we buy our PCs we automatically assume that software update applications that are installed by default are “bloatware” and we either remove or disable this software. We highly recommend you check to see if this software is running, as well as your Windows security updates, to ensure you’re receiving timely security patches for your operating system. If you

Mar 19, 2018 (8 min)

The Shared Security Weekly Blaze – Malicious Healthcare Workers, New Attacks on Mobile Networks, Facebook Messenger for Kids

This is the Shared Security Weekly Blaze for March 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. This is your Shared Security Weekly Blaze for March 12th 2018…with your host…Tom Eston. In this week’s episode: Malicious Healthcare Workers, New Attacks on Mobile Networks, and Facebook Messenger for Kids. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @karinavold, @Yohun and @securid on Twitter as well as @Itincloud and @wearethelightpodcast on Instagram and Tom, Shawn, Malcom and William on Facebook. Thanks to all of you for your support of the show! If you go to your doctor or to the hospital, have you ever wondered if your private healthcare information is being properly protected? Well, this past week there were two reports released showing that its own workforce is the biggest cybersecurity problem for the healthcare industry. According to the 2018 Protected Health Information Data Breach Report released by Verizon, 58% of data breach incidents involved insiders. Most of the breaches noted by Verizon were because of corrupt healthcare workers stealing data to commit tax fraud, opening lines of credit from patient data or looking up personal records of celebrities and family members. Another report, based on a survey of healthcare employees from consulting firm Accenture, showed that 18% of respondents were willing to sell confidential patient data for as little as $500 or $1,000.
This data could include selling your login credentials, putting your data on portable drives to be sold and installing malware on internal systems to capture confidential patient data. I don’t know about you, but reports and surveys like these are very concerning considering the fragile state of healthcare, especially here in the US. Whether it’s failed security policy oversight or lack of security controls, healthcare remains one of the number one sources for criminals to gain access to your private information for medical identity theft. This is despite having healthcare laws such as HIPAA which are supposed to enforce good security practices within the industry. Like other types of fraud we’ve talked about on the show, you need to take steps to defend against someone using your information to commit fraud or identity theft. Unfortunately, we can’t rely on others like the healthcare industry or the government to properly protect our information. Much of the same advice we’ve given to protect against fraud, like putting a freeze on your credit and creating strong and unique passwords, also applies to the issues we’re seeing with healthcare data breaches. Some other tips specific to medical identity theft are to keep accurate records of your medical history, always review your medical statements to ensure they are accurate, be aware of fake or real calls from medical debt collectors and physically shred any healthcare related documentation containing personal information. Check out our show notes for a great guide from the Federal Trade Commission about detecting and preventing medical identity theft. Security researchers announced several new security vulnerabilities in 4G LTE mobile networks this past week. The researchers, who are from Purdue University and the University of Iowa, said quote “Among the 10 newly detected attacks, we have verified eight of them in a real test bed with SIM cards from four major US carriers”. End quote.
The researchers also noted that using publicly available software-defined radio devices as well as open source software, anyone with enough knowledge could build a tool for around $1,300 – $4,000. A fairly cheap solution for most attackers. The vulnerabilities that were identified could be used by criminals to create spoofed locations, impersonate an existing mobile number and allow someone to create mass hysteria over a fake emergency alert sent to thousands of mobile devices all at once. You may remember a few months ago when the Hawaii Emergency Management Agency accidentally sent out an emergency alert to all mobile devices in Hawaii about an impending missile attack. Could you imagine the fallout from something like this happening on a much broader scale? The good news is that it appears that the US carriers that were identified in the research are working to fix these vulnerabilities and the exploit code was not publicly released. There isn’t much we can do at this point but wait for the mobile carriers to fix

Mar 12, 2018 (9 min)

The Shared Security Weekly Blaze – Facebook Face Recognition, Private Web Browsing, Credit Card Fraud

This is the Shared Security Weekly Blaze for March 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. This is your Shared Security Weekly Blaze for March 5th 2018…with your host…Tom Eston. In this week’s episode: Facebook Face Recognition, Private Web Browsing and Credit Card Fraud. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @securid, @WiFI_NY and @drheleno_ca on Twitter as well as Itincloud and thelaurajeans on Instagram and Tom, Lauretta, Jason, Shawn and William on Facebook. A special shout out this week also goes out to sweepa36 who left us a five star review on iTunes. Thanks to all of you for supporting the show! If you’ve been on Facebook recently you may have seen a message in your news feed about a new feature called “Face Recognition”. This feature will analyze faces to automatically tag you in photos and videos that are posted to Facebook. Facebook says that this “feature” will find photos that you’re in but haven’t been tagged in, help protect you from others using your photo and help people with visual impairments who may be in your photo or video. You can opt out of this feature by turning it off in your Facebook privacy settings. Note, some people have reported that this feature was already set to “on”, so it’s a good idea to check your privacy settings to see if this feature is enabled or not. Check out our show notes for information on where to find this setting.
Not to be overly suspicious, but you know as well as I do that this feature will eventually be used to target more ads to you or to allow Facebook more ways to gather data about your activities and monetize your personal information. What I also find ironic is that just this past week a federal judge in Illinois made a ruling in an ongoing class-action case that Facebook “must face claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent”. This decision means that Facebook could be liable for fines under Illinois law from $1,000 to $5,000 each time a person’s image is used without permission. Of course Facebook is fighting this ruling, but I’m sure this is not the end of the legal troubles for Facebook since the social network continues to push technology like facial recognition to its user base. Did you know that when you use “private browsing” or “incognito mode” in your web browser, your browsing activities may not be so private after all? Hopefully, you’re aware that the sites you visit can be monitored and logged through your ISP, VPN provider or employer. It’s also important to know that data from a private browsing session can also be retrieved through common computer forensic techniques once someone has physical access to your computer. Recently a group of MIT and Harvard researchers developed a solution called Veil which allows web developers to implement technology to protect data while it’s stored and processed within a private browsing session. To do this, Veil uses “blinding servers” which are located in the cloud to encrypt and protect data on a website. That data then gets retrieved by your private browsing session. Essentially, this would make any data stored within your browsing session (or within computer memory) useless from a forensic perspective.
What I like about this technology is that it can add an additional layer of privacy for people, like journalists or human rights defenders, that might have their browsing history or computers targeted by say a state-sponsored government or dedicated adversary. Veil might also be the kick start of other technologies that further support protecting our private information while we browse the web. We’ll be closely following this project for sure to see how it evolves in the future. Visa released new statistics that show there has been a 70% drop in counterfeit credit card fraud during the period from December 2015 to September 2017. Other data of note is that over 2.7 million merchant locations are now accepting chip cards, which equates to 96% of all credit card transactions in the US. You may remember that chip cards started being implemented back in 2015 to replace the ancient “magnetic stripe” technology that has been used for credit cards since the 1970s. The move to chip cards was magnified because of the ma

Mar 5, 2018 (9 min)

The Shared Security Weekly Blaze – AI Enabled Privacy Policies, New Android Updates, Hotel Room Inspections

This is the Shared Security Weekly Blaze for February 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. This is your Shared Security Weekly Blaze for February 26th 2018…with your host…Tom Eston. In this week’s episode: AI Enabled Privacy Policies, New Android Updates and Hotel Room Inspections. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Before we jump into the news I wanted to give some shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @Yohun, @borderless_i, @securid and @b0dach on Twitter as well as @cyberspacearmor and @silentpocket on Instagram and Andrew, Shawn and Jason on Facebook. Thank you for your support of the show! Do you ever read the privacy notices that are found linked in super tiny text at the bottom of a web page or the “privacy notice” emails you receive for the many different services and websites that you use? If you answered no, well, you’re not alone. According to studies noted by security firm Sophos, 98% of us don’t read privacy notices. According to another study, it would take a person 30 full working days to read all the privacy notices for services the average person uses. While no one has time for that, let’s not forget that most privacy notices are filled with legal language and are typically very difficult to understand. We really need a better way to understand how websites and services are using our personal information. Enter AI to the rescue! A new AI based technology called (POL-IS-IS) “Polisis” aims to visualize privacy notices through machine learning.
This tool can create visual flow charts based on what is written in the notice, giving users a visual idea of what type of information is being collected and what options are available to users of these services. What I really like about Polisis is that they have thousands of privacy notices on their site that have already been analyzed. For example, you can type in Facebook.com to get analysis of their privacy notice as well as many other sites that you may frequently use. You can even submit links to other policies on the web to have them analyzed as well. Check out the show notes for the link to Polisis and if you’re interested in learning more about privacy notices be sure to check out the interview we did with Rebecca Herold, also known as the Privacy Professor, in Episode 71 of the podcast. Have an Android phone? If you do, you’ll want to upgrade to the soon to be released Android 9.0 operating system (currently known as “Android P”) for two new privacy features that are being added. According to several news sources, the new Android operating system will prevent an app from using the camera or microphone when the app is idling in the background. Once the app becomes active, the camera and microphone are available to the app again. This feature fixes a large privacy concern about the ability of malicious apps to monitor you via the camera or microphone on your device. Regarding how Android updates are handled, updates are rolled out by the manufacturer of your phone and sometimes in conjunction with your network provider so the updates can be customized to work with any features that your network provider has added. If you happen to own a newer Google device like the Pixel, you’ll get the update immediately, which is similar to how Apple releases updates to its iOS operating system. It’s important to note that almost all Android devices have an issue with what is called “device fragmentation”.
This means that if your device manufacturer and/or network provider decides to stop updating and supporting your device, you’ll never get future updates, and most of these updates have patches to fix serious security vulnerabilities. Our advice is that with all the different versions of Android out there it’s important that you update your hardware, as well as your Android operating system, to keep up with security and privacy updates. Sounds like a good excuse to buy that brand new Google Pixel 2 you’ve always wanted. How would you feel if hotel security inspected your hotel room every 24 hours, regardless of whether you have a “do not disturb” sign on your doorknob? Well, Caesars Entertainment told the Associated Press last week that this new policy will be implemented soon in all of their properties to address guest security concerns due to the mass shooting at the Mandalay Bay in Las Vegas which killed 58 people last October, as well as o

Feb 26, 2018 (7 min)

The Shared Security Weekly Blaze – Instagram Social Stalking, Cryptojacking, Equifax Breach Updates

This is the Shared Security Weekly Blaze for February 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. This is your Shared Security Weekly Blaze for February 19th 2018…with your host…Tom Eston. In this week’s episode: Instagram Social Stalking, Cryptojacking, Equifax Breach Updates. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Ever get the feeling that a “social creeper” might be taking screen captures of your Instagram stories without your knowledge? Well, this past week Instagram began testing a new feature in which a pop-up message will appear stating that “Next time you take a screenshot or screen recording, the person who posted the story will be able to see it.” This message will automatically appear when someone takes a screen capture of a story you posted. People taking screen captures of your stories will also be identified in the “seen by” list which is shown to you when you view one of your stories. Interestingly enough, the direct messages feature within Instagram as well as Snapchat have had a similar feature for quite some time. It’s important to note that in regards to Instagram direct messages, users are only notified when a screen capture is taken of a picture or video that you sent them via a direct message. There was no timeline given on when this notification feature will be added, but I think this type of notification is a good thing from a privacy and awareness perspective.
But, no matter what controls are put in place to bring awareness to “social creepers”, just be aware that any notification or other control won’t be able to prevent someone from using another camera to take a picture of their device with your photos or stories on the screen. Always be mindful of what you post on any social media app and know that everything, even what you send privately, may not be so private after all. Over the last few weeks we’ve seen an increase in what are called “cryptojacking” attacks. A cryptojacking attack is where code within a website is used to hijack your web browser and the computing power of your device to silently mine cryptocurrency while you browse and use a website. With the recent rise in popularity of Bitcoin and other types of cryptocurrencies, this attack is becoming much more popular. In fact, just this past week, we saw thousands of websites across the world, including many government websites, being used to mine cryptocurrency. In this case, a third-party plugin called BrowseAloud (which helps blind and disabled people use websites) was compromised, which allowed malicious code to be embedded in every website that had the BrowseAloud plug-in installed. This is similar to the attacks we see with ad networks being compromised and pushing malware to unsuspecting users of common web sites. However, some companies are taking a new approach of disclosing to website visitors that by accessing their site you are in fact mining cryptocurrency for them. The news site Salon is one such organization that announced last week that they’ve introduced a feature called “suppress ads” which allows users to quote “block ads by allowing Salon to use your unused computing power” end quote. This is a very ingenious way for companies to help pay for their services while reducing the barrage of ads that we all see when using the Internet because…everyone hates ads, right?
It’s interesting to note that this is not the first time an organization has tried to harvest users’ computing power. Last year, the infamous website “The Pirate Bay” used code within their website to hijack users’ computing power to mine cryptocurrency back in September. The Pirate Bay called this a “test”, saying that using this code in the future would be a great way to replace ads completely. I think for most people, a website disclosing that it is going to harvest your computer power to eliminate ads is really no big deal. However, if you’re concerned about having your web browser and computer power hijacked to mine cryptocurrency you can use a browser add-on like NoScript or ensure your ad blocker within your browser is blocking known sites used to mine cryptocurrency such as Coinhive. From a privacy perspective, we always recommend the use of a browser add-on such as an ad blocker as well as the Privacy Badger add-on, which will block third-party advertising trackers. Check out the show notes for this episode on sharedsecurity.net for links to the browser add-on’

Feb 19, 2018 (7 min)

The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart Glasses

This is the 73rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded February 14, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

The Shared Security Amazing Thing of the Month

This month we discuss why it’s important to use a password manager as well as our personal recommendations on which one to use. Tom prefers KeePass, while Scott prefers LastPass. Regardless of our preference…any password manager you choose is better than none!

Product Review: Silent Pocket Faraday Laptop Sleeve

We were recently contacted by Silent Pocket to review one of their new products, the Faraday Laptop Sleeve, and they were kind enough to send Tom one. This is a great privacy and security product which will block all wireless signals from a device including cellular, WiFi, GPS, Bluetooth, RFID and NFC in all frequencies. As mentioned on the show, you don’t need to be a person that is “ultra paranoid” about their privacy to use one of these devices. In fact, in recent months there have been more attacks targeting wireless devices (many of which we’ve mentioned on the show), so products like these add a simple extra layer of protection for your devices. Specifically, if you’re someone that would be considered “high risk” for having your wireless devices targeted (i.e. government, military, journalist or human rights defender) this product is an absolute must have. Here are my observations of the Laptop Sleeve: The sleeve is very durable and made of excellent quality material. I like how the sleeve “snaps” together and seals itself. In fact, it holds a bit of air that you have to “push” out when you seal it, which demonstrates how solid the seal is.

I tested the sleeve with a mobile phone and a 15″ MacBook Pro and I was unable to connect to my phone via Bluetooth, Wifi and cellular. My cellphone quickly reconnected once I removed it from the sleeve. As Scott mentioned on the podcast, we wondered if the battery on a mobile phone would drain more quickly looking for a mobile signal while protected in the sleeve. However, according to Silent Pocket’s FAQ, this isn’t an issue. You can use it for practically any wireless device like your car key fob or RFID enabled credit cards and passports. You could easily fit your laptop and a few other devices in the sleeve (it will be crowded and a bit tight, but it can work). On my next business trip I’m curious to see how it goes through the airport security x-ray process. If you’re interested in learning more about the laptop sleeve and other products you can visit silent-pocket.com for more information. Note to other privacy product vendors: We’re happy to review your products as well! Fill out our “Contact Us” form on sharedsecurity.net or send us an email at feedback[aT]sharedsecurity.net for more information.

Intel Vaunt Smart Glasses

Oh no! Is it Google Glass all over again? Tom and Scott don’t think so and in fact, this may turn out to be the next useful device.

Germany Picks on Facebook Regarding the use of Real Identities

We’ve mentioned this before on the podcast that Facebook doesn’t play nice with its users that don’t want to use their real names. Germany has something to say about that with this new court ruling. Will we finally see Facebook change this policy?

Google Chrome will show your website as “Not Secure” if you don’t move to HTTPS

Google recently announced that they will start showing non-HTTPS websites as “Not Secure” starting in July. If you have a business or own a website, best get started on purchasing an SSL certificate or get one for free through the Let’s Encrypt project. Besides, Google automatically lowers the search results for non-SSL sites and they’ve been doing this for quite some time already.

Fun Tweet from Kevin Mitnick (famous hacker)…

So I went to the Apple Genius Bar to pick up a repaired iPhone. At the same time, the guy next to me is verbally giving his username and password to the Genius helping him. After he says his credentials he goes on to say he hopes he doesn’t get hacked. Only if he knew — Kevin Mitnick (@kevinmitnick) February 5, 2018

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart

Feb 16, 2018 (45 min)

The Shared Security Weekly Blaze – Tax Season Scams, SIM Hijacking, Smart TV Privacy

This is the Shared Security Weekly Blaze for February 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston. This is your Shared Security Weekly Blaze for February 12th 2018…with your host…Tom Eston. In this week’s episode: Tax Season Scams, SIM Hijacking and Smart TV Privacy. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. It’s tax season here in the United States and as you may already know there are three things that are certain in life: death, taxes and criminals trying to scam you out of your hard earned money. Which means it’s time to be aware of common phishing and scam tactics that may target you during this tax season. In fact, this year (due to news of changes to the US tax code) there are now more opportunities for scammers to leverage this news to their advantage. Like any significant event that happens in the world (like natural disasters and terrorist attacks), attackers will leverage these news events in an attempt to elicit an emotional response from you so that you either click a malicious link or submit your private and sensitive information to the scammer. According to the SANS Internet Storm Center, recent tax related phishing emails that have been identified are asking for personal information in order to receive your tax refund. Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. These calls will typically ask for personal information or try to convince you to make a payment under the threat of being arrested.
Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant this tax season and please let your elderly friends, parents or relatives know about these tax scams. Unfortunately, the elderly are common targets for these types of attacks. Last week telecom giant T-Mobile sent out a mass text message to its entire customer base alerting them to add an additional security measure to their account. The problem? There has been a major increase in an attack called SIM hijacking, also known as a phone number port out scam. SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number, or in some cases the attacker will attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they now have access to reset credentials for banking or potentially access to any other accounts that use a mobile phone number for access. SIM hijacking and fraudulent phone porting have become popular attacks for identity thieves as well as other criminals. This is because your mobile number is increasingly becoming the center of your digital identity, in that your phone number is a unique identifier for you and is used for things like authentication to reset passwords and for two-factor access to many different types of accounts and systems. The way to help prevent this attack is to create a validation code with your mobile carrier. T-Mobile calls this a “port validation” code, but other carriers may call this a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide it to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack happening to you.
You may have to research this on your mobile carrier’s website as each company has a different procedure for enabling this feature. Also note, you should ensure that this passcode or PIN is unique and different from any other passcode or PIN that may be in use with your mobile carrier, such as the password for accessing your account online. Our number one story is about research Consumer Reports released this past week which found that millions of smart TVs are vulnerable to hackers and that all smart TVs are collecting private data about your viewing habits. Consumer Reports conducted their own testing as part of a security and privacy evaluation of smart TVs from popular brands such as LG, Sony and Vizio. Specifically, vulnerabilities were identified in Samsung TVs along with models made by TCL and other brands that use the Roku smart TV platform. These vulnerabilities would allow an attacker to cause havoc on the victim’s TV, like randomly changing the channel, muting the TV speakers or pumping up the volume unbeknownst

Feb 12, 2018 (8 min)

The Shared Security Weekly Blaze – License Plate Tracking, Jackpotting ATMs, Strava Global Heatmap Controversy

This is the Shared Security Weekly Blaze for February 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for February 5th 2018…with your host…Tom Eston. In this week’s episode: ICE license plate tracking database, the first jackpotting attacks on US ATMs and the Strava global heatmap controversy. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Our number three story of the week is about ICE, the Immigration and Customs Enforcement Agency, and how they now have the ability to track billions of license plate records across the US using ALPR (Automated License Plate Recognition) technology. A company called Vigilant Systems has been putting together a database of license plate records submitted by repo agencies, local law enforcement, traffic cameras as well as data from roving ALPR vehicles (similar to the Google Street View cars you may have seen roaming around your neighborhood). Vigilant Systems is partnering with ICE so that they can use this data in deportation and immigration control cases. Several civil liberties groups, such as the ACLU, have stated concerns that this database could be used to locate and track anyone in real time for more than just immigration issues. Even if you’re not connected to a criminal investigation, your license record and driving habits could be in this database. The other controversy is that Vigilant Systems entered into a private contract with ICE, which is a government agency; therefore, there was no congressional oversight and no accountability with a massive surveillance system like this in government hands. What can you do if you’re concerned about ALPR technology and being tracked? From a legal perspective, several weeks ago the state of California introduced bill S.B. 712 which would allow drivers to cover their license plate while parked legally in order to avoid roving ALPR scans, but the bill was rejected by the California senate just this week. No other states to my knowledge are proposing similar legislation. From a product perspective, there are ALPR “blockers” in the form of IR filters and special reflective coatings that can be applied to license plates in an attempt to block ALPR scans. There are many different types of products out there that are just a Google search away. Friendly disclaimer: you should research the legality of using such ALPR anti-tracking devices in your state and/or country before purchasing or using any of these products.

Our number two story this week is about the “jackpotting” attacks that are targeting ATMs in the United States. Jackpotting allows malware installed on ATM machines to shoot out money just like a Las Vegas slot machine. For some strange reason I’m reminded of the movie “Vegas Vacation” in the scene where Clark Griswold jackpots his family bank account at the ATM. This attack, on the other hand, is no laughing matter. In order to perform the attack someone needs to physically access the ATM machine and install the malware via a USB port or through another interface, such as the cash dispensing or front loading slot, and eventually get the malware to infect the underlying operating system of the ATM. Brian Krebs from krebsonsecurity.com noted that most attackers quote “typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer.” end quote. Now these attacks seem to require a risky amount of time to physically access the ATM and in some cases attackers have used social engineering techniques such as dressing like an ATM technician to con their way to the ATM. It’s important to note that these attacks have focused on smaller ATMs typically located in pharmacies, gas stations and other small locations, not your local large bank ATMs. The Secret Service as well as ATM manufacturers have sent out alerts notifying owners of these attacks and how to harden and secure their ATMs from physical attack. In the meantime if you happen to see an ATM jackpotting with money flying out…be sure to alert authorities.

The number one story this week is the controversy over the Strava world-wide heatmap release that inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. Because of this, the US military is now reviewing its policies

Feb 5, 2018 (8 min)

The Shared Security Podcast Episode 72 – Mobile Phone Emergency SOS, Overview of Meltdown and Spectre

This is the 72nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded January 22, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

The Shared Security Amazing Thing of the Month (we’re not sure what to name this new segment so we’re rolling with this for now…)

Tom and Scott discuss the emergency SOS feature on your mobile device. There was a recent story in the news about a college student who was able to text message and send her location when she was being kidnapped. Even though the college student was able to find a way to text and send out her location, there are some easier and more discreet ways that you can make an emergency phone call as well as alert authorities to your location. Here are the instructions we mentioned on the show if you have an Apple iOS 11 device or an Apple Watch. Android is not left out of the emergency notification party either! Here are details if you have an Android phone to enable or install this feature with an app.

Overview of the Meltdown and Spectre Critical Vulnerabilities

CPU hardware implementations (manufactured in the last 20 years) are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Modern processors perform speculative execution. To maximize performance, processors try to execute instructions even before it is certain that those instructions need to be executed. The best description of these vulnerabilities is from the original website announcing these issues:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Spectre in particular is quite interesting from an attacker’s perspective. For example, malicious JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Software patches are starting to come out for both of these vulnerabilities but there are reports of additional problems that the patches are causing, including impacting system performance in some cases.

Announcing the Shared Security Weekly Blaze Podcast

We’re starting a new weekly podcast which will bring you the hot security and privacy news of the week. The first episode has been released and you can still listen to the new podcast just like you do now. The idea is to give you fast and consumable security and privacy “news that you can use” in 15 minutes or less. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail. We hope you enjoy the new format!

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The post The Shared Security Podcast Episode 72 – Mobile Phone Emergency SOS, Overview of Meltdown and Spectre appeared first on Shared Security Podcast.

Jan 31, 2018 (30 min)

The Shared Security Weekly Blaze – Dark Caracal, Meltdown and Spectre Debacle, Amazon Go

This is the first episode of the Shared Security Weekly Blaze podcast. This episode was hosted by Tom Eston. Every Monday we’ll be releasing a short podcast, in 15 minutes or less, covering the top 3 hot news topics happening in the security and privacy world. The idea is to give you fast and consumable security and privacy “news that you can use”. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail. In this week’s episode we talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle.

Show Transcript

This is your Shared Security Weekly Blaze for January 29th 2018 with your host, Tom Eston. In this week’s episode we’re going to talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the first episode of the Shared Security Weekly Blaze where we update you on the top three security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news you can use”.

Our number three story for the week is about a new form of mobile malware that has been identified called Dark Caracal. The Electronic Frontier Foundation and security firm Lookout Security jointly announced research last week on what they are calling a new “malware espionage campaign” which has been targeting military personnel, activists, journalists and lawyers all across the world. The Dark Caracal malware campaign appears to be traced back to the Lebanese government. The malware affects Android mobile devices primarily but other systems like Windows could be affected as well. The Dark Caracal malware has the capability to install trojanized versions of popular secure messaging apps like Signal and WhatsApp as well as gain access to text messages, photos and data from other apps. This doesn’t mean that legitimate apps you may be using (like Signal) are infected with malware; it means that the malware can trick you into installing a fake version of that app. The Dark Caracal malware uses phishing and social engineering techniques through WhatsApp messages and Facebook Group posts to install the malware on the device. EFF Director of Cybersecurity Eva Galperin said “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.” This is not the first case of a large global mobile malware campaign. The Pegasus mobile malware, which targets Apple iOS, has been used by nation states such as the United Arab Emirates and the Mexican government to target individuals since 2016. It’s important to note that anyone could be a target for mobile malware; you don’t necessarily have to be targeted by a nation state! So what can you do to protect yourself? First and foremost, be aware that phishing attacks typically start with emails, texts and social media posts and always try to elicit some type of urgent response or emotion from you to get you to click a link or provide sensitive information like passwords. Our advice? Think before you click! Check out previous episodes of the Shared Security Podcast where we talk about phishing and social engineering if you’re interested in learning more.

The number two story of the week is the Meltdown and Spectre vulnerability patching debacle. In fact it’s such a debacle that the creator of the Linux operating system, Linus Torvalds, has said “All of this is pure garbage, The patches are COMPLETE AND UTTER GARBAGE. …They do things that do not make sense.” If you’re not familiar with the Meltdown and Spectre vulnerabilities here’s the deal: Earlier this month security researchers discovered two critical vulnerabilities in modern computer processors (or CPUs). These vulnerabilities allow an attacker to access data on a computer system that would be very difficult to obtain such as passwords stored in your browser, photos, emails and even documents. The reason this problem is so big is that the vulnerability affects many different types of systems including personal computers, mobile devices as well as systems in the “cloud” and it applies to all these different types of devices manufactured within the last 20 years. The guidance from the processor manufacturers like Intel has been to install patches that would be released by the different operating systems like Microsoft and Apple while they figure out how to fix these vulnerabilities in future processors. But not so fast! Some of these patches have already bee

Jan 29, 2018 (8 min)

The Shared Security Podcast Episode 71 – Special Guest Rebecca Herold “The Privacy Professor” (@PrivacyProf)

This is the 71st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rebecca Herold, recorded December 13, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Interview and discussion about privacy with Rebecca Herold

Rebecca has over 25 years of IT, info sec, privacy & security experience; is CEO & Founder (2004) of Rebecca Herold & Associates, LLC, aka The Privacy Professor®; and President & Co-Founder (2014) of SIMBUS360. Rebecca is also an entrepreneur, author and Adjunct Professor for the Norwich University Master of Science in Information Assurance Program. Rebecca has led the NIST Smart Grid privacy group since June 2009 and has been an officer for the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group since June 2015. Rebecca has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 19 books to date, chapters in many books and hundreds of articles.

In this podcast we discuss Rebecca’s background in privacy, how she got into her area of expertise as well as her thoughts on the evolution of privacy policies (aka: privacy notices that are found on websites and services that you may use). Thanks again to Rebecca for being a guest on the show! Be sure to connect with Rebecca through her website, Twitter, and LinkedIn.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Jan 4, 2018 (54 min)

The Shared Security Podcast Episode 70 – Insider Threat Psychology with Special Guest Dr Helen Ofosu

This is the 70th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Dr Helen Ofosu, recorded November 29, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Interview and discussion about insider threat psychology with Dr Helen Ofosu

Dr Ofosu has more than 15 years of experience using industrial and organizational psychology in the business and government sectors. Dr Ofosu brings her vast knowledge, sensitivity, and special brand of humor to her career consultations, business, and government clients, and her presentations and speaking engagements. In this podcast Scott and Tom discuss insider threat psychology with Dr Ofosu, how to address insider threats in the workplace as well as what the most common “psychological factors” are that manifest as insider security threats to organizations. We also discuss some recent news stories about insider threats and what they mean to you and your organization. Thanks again to Dr Ofosu for being a guest on our show! Be sure to connect with Dr Ofosu through her website, Twitter, Facebook and LinkedIn.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Dec 14, 2017 (35 min)

The Shared Security Podcast Episode 69 – Amazon Key, KRACK and DUHK Attacks, New Devices to Steal a Car

This is the 69th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded October 25, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Amazon Key opens your home for indoor deliveries

A new Amazon Prime service now allows your package couriers access to your home to drop off deliveries. The system uses an Amazon smart lock and connected camera. Innovation or invasion of privacy/security nightmare? Tom and Scott debate the pros and cons!

Severe WiFi security flaw puts millions of devices at risk (KRACK)

A new attack (called KRACK – Key Reinstallation Attack) on the current standard for WiFi security (WPA2) allows an attacker to decrypt Internet traffic from devices being used on a WiFi network with WPA2 encryption enabled. While patches for most modern devices and operating systems will be released (e.g. Apple iOS, Windows 10, etc.), many devices such as older Android phones and IoT devices may never get patched. Tom also mentioned a tool which can be used to “downgrade” secure HTTPS connections with this attack, called SSL Strip.

DUHK (Don’t Use Hard-coded Keys) Vulnerability

Another recent attack (with a funny name) was announced on a specific type of cryptography implementation being used by certain VPNs. Specifically, VPNs which use specific versions of FortiOS are vulnerable. If you or your business uses one of these VPNs make sure you patch ASAP.

Just a Pair of These $11 Radio Gadgets Can Steal a Car

Stealing cars just got easier with a recently updated attack on certain keyless entry systems that cars use. Researchers have now demonstrated how easy it is to steal a car with just a pair of $11 radio gadgets. The best way to prevent this (until car manufacturers can patch/address the vulnerability) is to keep your car key in a “Faraday bag” or metal protective sleeve like those available for wallets to protect RFID-enabled credit cards.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Nov 7, 2017 (27 min)

The Shared Security Podcast Episode 68 – Special Guest Chris Hadnagy, Innocent Lives Foundation, Social Engineering

This is the 68th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Chris Hadnagy from the Innocent Lives Foundation and Social-Engineer.org, recorded September 27, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Interview with Chris Hadnagy from the Innocent Lives Foundation

Chris Hadnagy is a professional social engineer, founder of Social-Engineer.org, book author, host of the Social Engineer Podcast and founder of the Innocent Lives Foundation. Chris talks to us about his new organization and discusses the topic of social engineering. Please help support Chris’ organization which has a mission to unmask child predators in order to bring them to justice. You can find out more about volunteer opportunities as well as providing financial support at the Innocent Lives Foundation website. Chris also talks with us about the art of Social Engineering and what you can do to educate and protect yourself. Lastly, Chris provides a recap from the recent DEF CON Social Engineering CTF event. As mentioned on the show, be sure to check out this video from the Veracode blog about the winner from this year’s event. Thanks again to Chris for being our guest!

Oct 9, 2017 (32 min)

The Shared Security Podcast Episode 67 – SpamBot Exposed, Mobile App Tracking, Smart Lock Fail

This is the 67th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded September 6, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Over 711 Million Email Addresses Exposed From SpamBot Server

Apparently, one of the largest caches of email addresses and SMTP credentials has been discovered. This list was used to distribute SPAM and banking malware. Tom and Scott recommend that you sign up for breach notifications from Troy Hunt’s “Have I been Pwned” service so you can take action to change any account passwords if necessary.

465k patients told to visit doctor to patch critical pacemaker vulnerability

What happens when your wireless pacemaker requires a firmware update to patch a serious vulnerability? You’ll need to head into your doctor’s office for an update. That’s what happened to nearly 465,000 patients that have this particular brand of pacemaker.

A security researcher discovered AccuWeather app tracked, shared your location — even if you ‘opt out’

Mobile apps that share your location, even when you opt out, are very common. This app in particular still tracks your location via wifi and doesn’t need your GPS. This is yet another reminder to read the app’s privacy policy, but also to be aware that many apps don’t disclose who they share your location data with. In related news, the popular app “Sarahah” will quietly upload your address book. This is more of a problem with older Android devices since there is no prompt to “allow” sharing of your address book with older Android operating systems.

Update gone wrong leaves 500 smart locks inoperable

Smart lock manufacturer LockState pushed the wrong update to approximately 500 devices, which made them inoperable. This is a great lesson in how not to update IoT devices and the customer service nightmare that will happen when things like this go wrong. Just remember, you take a risk when using devices like these! Especially when they are used for physical security.

Scott’s Amazing Tip of the Month… (they don’t happen very often)

Here’s how to make yourself less annoying to your friends on Facebook by turning off “New Friend Reports”.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Sep 11, 2017 (35 min)

The Shared Security Podcast Episode 66 – Ring Doorbell Camera Review, Traffic Apps, Amazon Echo

This is the 66th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded July 24, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Tom’s review of the Ring doorbell camera

Tom discusses his recently purchased Ring doorbell camera, some of the features, challenges and tips for use. Disclaimer: This review was not sponsored by Ring…although we’re happy to test other Ring products if Ring would like to get in touch with us.

When traffic apps hit diminishing returns

Using an app like Waze has huge benefits when navigating traffic situations. However, many things can go wrong, especially if the app tells you to go a route that everyone else is taking to avoid a traffic situation, or when others purposely report an “accident” when there is no accident just to route traffic out of their neighborhoods. What a wonderful time to be alive!

Verizon Data of at Least Six Million Users Leaked Online

Verizon was recently a victim of a data breach that affected six million customers. What makes this breach different is that it was caused by one of Verizon’s third-party partners accidentally misconfiguring an Amazon S3 cloud-based data repository, which was set to “public”. A great example of why third-party security is so important to businesses.

New iOS update fixes a very dangerous bug

If you have an Apple iOS device you should update to iOS 10.3.3 ASAP. You should also update your Android device if you happen to have one of the listed vulnerable Android devices (see this page for more info). This update fixes a very serious vulnerability in the Broadcom wifi chip on the device. The researchers that discovered this vulnerability discussed (at the BlackHat conference in Las Vegas last week) how they were able to take over a vulnerable device entirely through a wifi connection.

Surprise, Echo Owners, You’re Now Part of Amazon’s Random Social Network

Did you know that if you have an Amazon Echo device you can use it to make voice calls and send messages to other Echo owners? Sounds great, except that by default Amazon needs access to your entire contact list to see who else is an Amazon Echo owner, which allows everyone to be able to call each other. This is fine except, how many of your contacts do you “really” know? Many times we put in temporary contacts or have people in our contact list that we really don’t want to talk to again (old bosses?). Unfortunately, Amazon doesn’t allow you to choose who you want to connect with…it’s all or nothing.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Aug 1, 2017 (29 min)

The Shared Security Podcast Episode 65 – Smart TV Hacks, New Privacy Concerns, Phishing for Selfies

This is the 65th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded July 6, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Smart TV hack embeds attack code into broadcast signal—no access required

A new vulnerability has been discovered in the way Smart TVs use “Digital Video Broadcasting — Terrestrial” (or DVB-T) to receive TV signals. There is low risk on this one as the attack requires a specialized transmitter, but it’s interesting to see more research on other ways that new TV technology could be exploited.

Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data

Many sites are now taking advantage of a new technology that will send information that you’re filling out in a web form to a third party even before you hit the “submit” button. To make matters worse, many of these sites are not informing users through their privacy policy that this activity is taking place. Yet another reason “auto-complete” in your web browser might not be the best feature to keep enabled from a privacy perspective.

Facebook is testing a feature that stops profile photo theft

Profile photo theft is a real problem on Facebook and is being used for countless scams. It’s good to see Facebook trying to find new ways to prevent others from stealing your profile pictures. However, there are many ways around these controls and this will remain a very hard problem to solve.

What’s worse than getting phished? Getting phished *and* sending a selfie of your Photo ID and credit card

It’s hard to believe but this real phishing attack seems to be working. Bottom line: never, ever respond to a request for you to take a selfie with your credit card and/or driver’s license to prove your identity.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Jul 7, 2017 (25 min)

The Shared Security Podcast Episode 64 – Ultrasonic Ads, Home Security Vulnerabilities, Printer Tracking Dots

This is the 64th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded June 7, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

More Android phones than ever are covertly listening for inaudible sounds in ads

Marketers can now use apps to listen for “beacons” that indicate when a person is watching a specific TV commercial or other type of audio. If you have an Android phone there are many apps that are using these functions and violating privacy policies set by Google.

Attackers can use video subtitles to hijack your devices

Even the movies you watch on your computer or mobile device can be a target for malware distribution. A serious vulnerability was found in several popular media players (VLC, Kodi (XBMC), Popcorn-Time and strem.io) which allowed a malicious subtitle file to be downloaded to the victim’s device. The vulnerability would allow an attacker to take complete control of the device. Patch your media players!

Printer Tracking Dots Back in the News

Several years ago there was a lot of news about “printer tracking dots” and how your printer could be used to track who printed a specific document and where. Recently, this topic has come back in the news with the arrest of Reality Leigh Winner (yes, that’s her real name) who is accused of leaking a document from when she worked as a contractor for the NSA. Guess how she was found? Printer tracking dots!

Multiple Home Security Vulnerabilities

The security of your home is very important, so it’s good to talk about some recent vulnerabilities that were disclosed (now fixed) from several major home security systems including Comcast XFINITY, ADT, and AT&T Digital Life. While the severity of these issues was low, it’s always good to keep an eye on issues like these. Side note: Tom now has a Ring Doorbell Camera…he may have done some “testing”…stay tuned for the next episode to learn more.

Summary of the ‘WannaCry’ ransomware attack

I’m sure by now you’ve heard about the massive ransomware attack from a few weeks back (thanks to the NSA’s recently released tools). Scott and Tom provide a short summary to explain what happened and what you should do. It’s been in the news so much lately…we just wanna cry about it!

Lastly, co-host Tom Eston was featured in a blog on Becoming the best Infosec Leader, Even Under Difficult Circumstances. Check it out!

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Jun 9, 2017 · 33 min

The Shared Security Podcast Episode 63 – Special Guest Jayson E. Street, Misconceptions About VPNs

This is the 63rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Jayson E. Street and recorded April 12, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Interview with Special Guest Jayson E. Street
In this episode we were joined by “notorious” hacker Jayson E. Street, who is the InfoSec Ranger at Pwnie Express, Senior Partner at Krypton Security, CEO of Stratagem 1 Solutions and author of several books. Here is a short snippet of his bio:

“Jayson battled a dragon during the Fire Run in Barcelona Spain. He ‘accidentally’ broke into a shark tank in the Dominican Republic and climbed the pyramid of Giza (until the guards carrying AK-47s expressed their displeasure). He consulted with the Secret Service in 2007 on the WIFI security of the White House, and has had tea with a Lebanese General in Beirut. Jayson never finished High School but does have his GED. His first book is used as course material at four colleges in three countries (that he knows of), and he has spoken at numerous universities in the US and gave an eight-hour lecture at the Beijing Institute of Technology in 2014. Outside of standardized education, Jayson has spoken seven times at DEF CON, at the first five DerbyCons and at many other Cons (Hack in Paris, Nuit Du Hack, IT-Defense, SYSCAN360, PH-Neutral, etc…) around the world. Jayson is only one degree away from Kevin Bacon after awkwardly hugging Oliver Stone and Jimmy Fallon. He started in security and law enforcement over 30 years ago and has always striven to make things more secure. Jayson has been in the Information Security industry for over 17 years, and once broke into a high scale hotel in the South of France – barefoot – wearing Teenage Mutant Ninja Turtles pajamas. He was also noted as the best janitor of all McDonald’s in the South East Texas region for 2 consecutive years.”

Jayson gives us his perspective on the current state of privacy and security in the world and his thoughts on VPNs, and we hear stories about his most interesting adventures, including breaking into banks and other organizations (with permission, of course). We also find out how he became Time Magazine’s “Person of the Year” in 2006 (true story!). Jayson is probably the most interesting hacker and security professional you will ever meet!

Jayson is going to be on the National Geographic series “Breakthrough” in an episode called “Cyber Terror”, which airs Tuesday, May 9th at 10pm Eastern on the National Geographic Channel. You can see a preview of Jayson and this really cool series at the National Geographic website.

Misconceptions about VPNs
There is lots of talk about using VPNs given the recent news that ISPs in the US can now sell your data. However, there are many misconceptions going around about VPNs and how they should be used from a privacy perspective. Jayson, Tom and Scott share their thoughts on this topic and what VPNs should be used for.

Someone hacked every tornado siren in Dallas
While it may not have been “hacking” (more like “phreaking”), it goes to show what can happen when critical infrastructure is compromised or simply malfunctions.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

May 2, 2017 · 49 min

The Shared Security Podcast Episode 62 – CloudBleed, Wifi Risks, ATM Skimmers

This is the 62nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded March 1, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

“CloudBleed”: what is it and are you affected?
Internet company Cloudflare recently discovered that they were vulnerable to a rather significant memory leak in which “1 in every 3,300,000 HTTP requests through Cloudflare” was potentially exposed. What this means is that if you were using one of the 3,400 applications that were exposed through the Cloudflare vulnerability, some sensitive information (such as passwords) could have been leaked. On the podcast we discuss that the impact to you is most likely extremely low; however, it’s a good reminder to periodically change your passwords, especially for sites you consider high risk. You can use the search function on this site to see if any applications you use were exposed. This is also a great technical write-up if you’re interested in more details on what happened.

Hackers can access your phone via Wi-Fi – even when it’s not connected
Notorious hacker (and good guy) Jayson E. Street did a good story for a local news station in Boston about how someone could try to get your phone or other device to connect to their malicious wifi access point while you travel through airports and other public places. This is something to be aware of while you travel, and it’s probably a good idea to just leave your wifi and bluetooth disabled while you’re not using them. Side note: we need to get Jayson on the podcast!

ATM Skimmers in the wild
ATM skimmers are getting more sophisticated and harder to detect. Our advice is to double check ATMs and other credit card machines for anything unusual before you use them.

Frank Abagnale, world-famous con man, explains why technology won’t stop breaches
Very good read from one of the most famous social engineers in modern history. Frank explains why technology won’t stop breaches and why it really comes down to people and education.

Children’s Voice Messages Leaked in CloudPets Database Breach
Scott discusses a data breach of the “CloudPets” database that someone was able to access. Unfortunately, these types of attacks are becoming more common and are very concerning considering children’s private information is involved.

We made a list!
Looks like the podcast made a list of popular information security podcasts. Pretty cool! Check out the list of other great podcasts.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Mar 9, 2017 · 31 min

The Shared Security Podcast Episode 61 – Home Device Hijacking, Used Device Security, Creepy Facebook Search Tool

This is the 61st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded February 15, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Here Is How to Fend Off a Hijacking of Home Devices
This article has some very good tips on how to secure your IoT devices and home network. Here are our suggestions as well:
1. Research the device you’re about to buy. Google search for the “device name” and “security vulnerabilities”. Read their privacy policy!
2. Create a second wireless network for your smart devices (utilize the “guest” network feature). Ensure a strong passcode using WPA2.
3. Change default passwords on all IoT devices (if you can!), especially your wifi router.
4. Register your product with the manufacturer to be updated on new firmware and security issues.

Used government computers bought at auction filled with personal information
It’s hard to believe that you can still buy previously owned computer equipment (in this case from the local government in Houston, Texas) and find a treasure trove of personal data! This news story is a great reminder to always erase and/or wipe the data from your personally owned devices (laptops, iPads, phones, etc.) before selling them to someone else!

Facebook’s Creepiest Search Tool Is Back Thanks to This Site
This “creepy” new search tool is called “Stalkscan” and it gives you a web front-end that builds creative “Facebook Graph” searches. The application shows a lot of information if you’re not careful with your FB privacy settings. You can also search for others and see what information they’ve posted publicly. Note that this site does not bypass any Facebook privacy settings; it just shows you what you and others have publicly available. Want to fix this? Adjust your Facebook privacy settings for specific posts or for all posts going forward.

Hotel ransomed by hackers as guests locked out of rooms
What could possibly go wrong when someone hacks a hotel, locks everyone out of their rooms and demands a ransom paid in Bitcoin? Attacks like these are setting an interesting precedent and a potential new form of “ransomware”.

The Confide app is being used by certain paranoid politicians
The Confide app tries to allow “secure” message sharing, but this is proving more difficult. See our last episode for our rundown of secure messaging apps.

Where has all the climate data gone? To Canada…
Canada is now becoming a safe haven for climate data from the US. Scott gives us his take on this interesting development.

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Feb 21, 2017 · 30 min

The Shared Security Podcast Episode 60 – The Secure Messaging Episode: Signal, WhatsApp, Facebook Messenger

This is the 60th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded February 1, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

In this episode we focus on secure messaging apps like Signal, Wire and WhatsApp, as well as other popular apps like Facebook Messenger. Tom and Scott delve into the reasons why people are starting to use these apps and into their security and privacy features. We also discuss whether using these apps for text messaging and phone calls is really more secure than traditional communication methods. What’s the biggest issue that we found with these apps? Lack of adoption from friends, family and the general public. Many people don’t know these apps exist or think they don’t have good reasons to use them. However, as the famous song by Bob Dylan once said, “The Times They Are a-Changin’”.

Tom and Scott’s Recommendations:
Our recommended secure messaging app: Signal
If you need a secure way to communicate that many of your friends may already be using: WhatsApp
Using Facebook Messenger? Enable the “Secret” conversation option when starting a new conversation
Honorable mention: Wire

Links and articles mentioned in the podcast:
Good article on the security and privacy features of Signal and WhatsApp
Facebook Messenger and end-to-end encryption
Top 10 best secure messaging apps of 2017

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

Feb 2, 2017 · 36 min