
Shared Security Podcast
559 episodes — Page 8 of 12

You’ve Been Hacked! Now What?
In episode 110: Tyler Hudak, Incident Response Practice Lead at TrustedSec, joins us to talk about what you should do (and more importantly what you shouldn’t do) if you find out you’ve been hacked!
** Show notes and links mentioned on the show **
Take our podcast listener survey and be entered to win a $25 Amazon gift card! https://sharedsecurity.net/survey
Connect with Tyler: https://twitter.com/secshoggoth https://www.linkedin.com/in/tylerhudak https://secshoggoth.blogspot.com/
Find out more about TrustedSec: https://www.trustedsec.com/
** Thank you to our sponsors! **
Silent Pocket: Visit https://silent-pocket.com to check out Silent Pocket’s amazing line of faraday bags and other products built to protect your privacy. As a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Edgewise Networks: Find out how Edgewise can stop lateral threat movement and prevent data breaches. Visit https://edgewise.net and request a demo!
** Help support the show **
Looking for an affordable, reliable, no logs VPN provider? Support the podcast by purchasing a Private Internet Access VPN subscription via our affiliate link: http://www.privateinternetaccess.com/pages/buy-vpn/sharedsecurity
** Subscribe and follow the show **
Sign up for our email newsletter to receive our free Facebook Privacy & Security Guide, full transcripts of each weekly episode, contest announcements, and special offers from our sponsors: http://eepurl.com/dwcc8D
Subscribe on your favorite podcast app: https://sharedsecurity.net/subscribe
Contact us: https://sharedsecurity.net/contact
Website: https://sharedsecurity.net
Twitter: https://twitter.com/sharedsec
Facebook: https://facebook.com/sharedsec
Instagram: https://instagram.com/sharedsecurity
YouTube: https://www.youtube.com/channel/UCg9CCDIYkDDqwEZ3UYaxjnA/
The post You’ve Been Hacked! Now What? appeared first on Shared Security Podcast.

Ring Mandates Two-Factor Authentication, License Plate Reader Data Sharing, RSA Conference Coronavirus Fears
In episode 109 for February 24th 2020: Kevin Johnson joins us to discuss how Ring made two-factor authentication mandatory following recent hacking incidents, how California police have been caught illegally sharing license plate reader data, and details on IBM and other companies pulling out of the RSA Conference due to coronavirus fears.
** Show notes and links mentioned on the show **
Take our podcast listener survey and be entered to win a $25 Amazon gift card! https://sharedsecurity.net/survey
Ring Makes 2-Factor Authentication Mandatory Following Recent Hacks: https://thehackernews.com/2020/02/ring-cameras-cybersecurity.html https://www.eff.org/deeplinks/2020/02/ring-updates-device-security-and-privacy-ignores-larger-concerns
California Police Have Been Illegally Sharing License Plate Reader Data: https://www.vice.com/en_us/article/y3mb8b/california-police-have-been-illegally-sharing-license-plate-reader-data
IBM pulls out of the RSA conference due to coronavirus fears: https://www.rsaconference.com/novel-coronavirus-update

Chinese Hackers, Coronavirus Phishing Attacks, How to Stay (Almost) Anonymous Online
In episode 97 of our monthly show we discuss how Chinese hackers caused the Equifax data breach, new coronavirus phishing attacks to be aware of, and how to stay (almost) anonymous online.
** Show notes and links mentioned on the show **
U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack: https://krebsonsecurity.com/2020/02/u-s-charges-4-chinese-military-officers-in-2017-equifax-hack/
Phishers impersonate WHO, exploit coronavirus-related anxiety: https://www.helpnetsecurity.com/2020/02/07/coronavirus-fake-emails/
8 steps to being (almost) completely anonymous online: https://www.csoonline.com/article/2975193/9-steps-completely-anonymous-online.html

Equifax Hacked by China, Israeli Voter Registry Exposed, How the CIA Owned Encryption
In episode 108 for February 17th 2020: The US charges four Chinese military hackers in the Equifax data breach, how Israel’s entire voter registry was exposed, and details on the encryption provider that was secretly owned by the CIA for the last fifty years.
** Show notes and links mentioned on the show **
U.S. charges four Chinese military hackers in 2017 Equifax breach: https://www.reuters.com/article/us-usa-justice-cyber-idUSKBN2041RT https://krebsonsecurity.com/2020/02/u-s-charges-4-chinese-military-officers-in-2017-equifax-hack/
Netanyahu’s party left Israel’s entire voter registry exposed: https://www.engadget.com/2020/02/09/likud-left-israel-voter-database-exposed/ https://www.nytimes.com/2020/02/10/world/middleeast/israeli-voters-leak.html
CIA Secretly Owned Global Encryption Provider, Built Backdoors, Spied On 100+ Foreign Governments: https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/

Preventing Tax Identity Theft, FTC and Robocallers, Google Photos Incident
In episode 107 for February 10th 2020: preventing tax identity theft and other tax scams, the FTC taking a stand against companies that support robocallers, and details on the incident where videos from Google Photos were being sent to strangers.
** Show notes and links mentioned on the show **
Preventing Tax Identity Theft and other Tax Scams: https://www.consumer.ftc.gov/features/tax-identity-theft-awareness
FTC warns VoIP providers that help robocallers: we can and will sue: https://nakedsecurity.sophos.com/2020/02/03/ftc-warns-voip-providers-that-help-robocallers-we-can-and-will-sue/
Google Photos accidentally sent people’s private videos to strangers: https://www.technologyreview.com/f/615140/google-accidentally-sent-peoples-private-videos-to-strangers/

Off-Facebook Activity Tool, Ring App Third-Party Trackers, Wawa Credit Card Breach
In episode 106 for February 3rd 2020: What you need to know about Facebook’s new Off-Facebook Activity tool, details about the Ring Android app sending user data to third-party trackers, and new developments in the Wawa credit card breach.
** Show notes and links mentioned on the show **
Off-Facebook Activity is a Welcome but Incomplete Move: https://www.eff.org/deeplinks/2020/01/facebook-history-welcome-incomplete-move
How to Change Your Off-Facebook Activity Settings: https://www.eff.org/deeplinks/2020/01/how-change-your-facebook-activity-settings
Link to Facebook to change your Off-Facebook Activity Settings: https://www.facebook.com/off_facebook_activity
Ring Android App Sent Sensitive User Data to 3rd Party Trackers: https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers
Wawa card breach may rank as one of the biggest of all times: https://www.zdnet.com/article/wawa-card-breach-may-rank-as-one-of-the-biggest-of-all-times/

Voting by Smartphone, Jeff Bezos Hacked, Microsoft Security Breach
In episode 96 of our monthly show we discuss the controversy of voting by smartphone in our elections, the Jeff Bezos hacking incident, and the recent Microsoft support security breach.
** Show notes and links mentioned on the show **
Seattle-Area Voters To Vote By Smartphone In 1st For U.S. Elections: https://www.npr.org/2020/01/22/798126153/exclusive-seattle-area-voters-to-vote-by-smartphone-in-1st-for-u-s-elections
Saudi Prince Allegedly Hacked World’s Richest Man Jeff Bezos Using WhatsApp: https://thehackernews.com/2020/01/saudi-prince-allegedly-hacked-worlds.html
Microsoft discloses security breach of customer support database: https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/

Dark Web Fraud and Cybercrime with Emily Wilson
In episode 105 for January 27th 2020: What are the new forms of fraud and cybercrime being found on the Dark Web? We discuss this fascinating topic with Emily Wilson, VP of Research at Terbium Labs.
** Show notes and links mentioned on the show **
Emily’s Dark Reading Article: Fraud in the New Decade: https://www.darkreading.com/application-security/fraud-in-the-new-decade/a/d-id/1336671
Terbium Labs: https://terbiumlabs.com/ https://twitter.com/TerbiumLabs
Connect with Emily: https://twitter.com/thirdemily https://www.linkedin.com/in/emily-e-wilson/

Critical Windows Vulnerability, Dating App Security Risk, Apple iOS Privacy Features
In episode 104 for January 20th 2020: Details on the new critical Microsoft Windows vulnerability, why dating apps could pose a national security risk, and how new Apple privacy features are changing the way your data is sold.
** Show notes and links mentioned on the show **
Major Windows flaw was discovered and reported by the NSA: https://www.cnet.com/news/major-windows-10-flaw-was-reportedly-discovered-by-the-nsa/ https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF https://www.us-cert.gov/ncas/alerts/aa20-014a https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Windows 7 end of life announcement: https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020
Apple’s new privacy features have further rattled the location-based ad market: https://digiday.com/marketing/apples-new-privacy-features-rattle-location-based-ad-market

Iranian Cyber-Attacks, Ring Class-Action Lawsuit, Preventing Calendar SPAM
In episode 103: The US Department of Homeland Security warns of Iranian cyber-attacks, Ring gets hit with a $5 million class action lawsuit, and some quick tips on how to prevent calendar SPAM.
** Show notes and links mentioned on the show **
Iran maintains a robust cyber program and can execute cyber-attacks against the US: https://www.us-cert.gov/ncas/alerts/aa20-006a https://sharedsecurity.net/2019/07/01/us-cyber-attack-on-iran-poor-government-cybersecurity-malvertising-campaigns/ https://www.dallasnews.com/news/politics/2020/01/07/texas-officials-fear-iranian-cyber-attack-attempts-may-be-increasing/ https://twitter.com/campuscodi/status/1213641008556265472
Ring faces a $5 million proposed class action lawsuit: https://abcnews.go.com/US/amazon-ring-face-million-proposed-class-action-lawsuit/story?id=67948687
Preventing Calendar SPAM: https://the-parallax.com/2019/08/29/how-to-stop-calendar-spam/

New California Data Privacy Law, Wyze Data Leak, ToTok Spy App
In episode 102: Details on the new California data privacy law, the Wyze data leak, and what is the ToTok app and could it be spying on you?
** Show notes and links mentioned on the show **
Enter our Silent Pocket New Year’s Giveaway – Deadline to enter: January 11th 2020: https://kingsumo.com/g/jsz2pk/silent-pocket-faraday-bag-new-years-giveaway
Details on the new California data privacy law: https://www.npr.org/2019/12/30/791190150/california-rings-in-the-new-year-with-a-new-data-privacy-law https://news.yahoo.com/california-apos-privacy-law-finally-110223203.html
Wyze leaked personal data of 2.4 million users: https://www.engadget.com/2019/12/30/wyze-leak-2-4-million-users/ https://www.bleepingcomputer.com/news/security/wyze-exposes-user-data-via-unsecured-elasticsearch-cluster/ https://ipvm.com/reports/wyze-employee https://forums.wyzecam.com/t/updated-12-27-19-data-leak-12-26-2019/79046
What is ToTok and is it a spy app? New York Times Article; Twitter response from ToTok about the Google and Apple app store ban

Top 10 Cybersecurity and Privacy Resolutions
In episode 101: Start the new year off right by following our top 10 cybersecurity and privacy resolutions!
** Show notes and links mentioned on the show **
Recommended Password Managers: KeePass (free and open source): https://keepass.info/ Dashlane: https://www.dashlane.com/ 1Password: https://1password.com/
See if your site or service offers two-factor or multi-factor authentication: https://twofactorauth.org/
Silent Pocket Faraday bag to protect your smartphone or laptop (use discount code “sharedsecurity” and get 15% off your order!): https://silent-pocket.com
The new Firefox web browser offers blocking of third-party trackers by default: https://www.mozilla.org/en-US/firefox/new/ https://blog.mozilla.org/press/2019/10/latest-firefox-brings-privacy-protections-front-and-center-letting-you-track-the-trackers/
Recommended Web Browser Ad Blockers and Privacy Plugins: https://github.com/gorhill/uBlock https://www.eff.org/privacybadger
Freeze your credit to prevent credit card fraud: https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

Rebecca Herold “The Privacy Professor”
In episode 95 of our monthly show we’re joined by special guest Rebecca Herold, the “Privacy Professor”. Rebecca is a well-known expert in the privacy and cybersecurity community and gives us an update on what she’s been working on, what her thoughts are on the current state of privacy regulations (CCPA, GLBA, etc.), and what we may see in 2020 from a privacy perspective. We also talk about Rebecca’s favorite books and her encounter with famed author Cliff Stoll, who wrote “The Cuckoo’s Egg”. Thanks to Rebecca for joining us again on the show!
** Show notes and links mentioned on the show **
Rebecca’s previous interview on episode 71 (January 2018)
Rebecca’s work on the NIST Privacy Framework
Rebecca’s podcast “Data Security & Privacy with the Privacy Professor”
You should read The Cuckoo’s Egg (this is a must read for anyone in privacy or cybersecurity!)
Find out more about Rebecca and her work at privacyprofessor.com
Follow Rebecca on Twitter and LinkedIn

The Year in Review and 2020 Predictions with Kevin Johnson
In episode 100: Kevin Johnson, CEO of SecureIdeas, joins us in this very special milestone episode to discuss the year that was 2019 and what Kevin’s “predictions” are for cybersecurity and privacy in 2020. Thank you to Kevin for being our special guest!
** Show notes and links mentioned on the show **
The Nerf Dart “head-shot” that will live in infamy (yes, Kevin, it’s in the show notes)
Professionally Evil CISSP Mentorship Class – Starting in January: https://training.secureideas.com/course/cissp-mentor/

The Password Reuse Problem, US Government IoT Recommendations, Smart Lock Security Disaster
In episode 99: Password reuse is still a very large problem, US government recommendations for securing Internet of Things devices, and yet another smart lock device security disaster.

** Show notes and links mentioned on the show **
Password reuse continues to be a major problem
https://www.microsoft.com/securityinsights/Identity
https://resources.hypr.com/top-recommendations/password-usage-study
https://www.nbcnews.com/news/us-news/man-hacks-ring-camera-8-year-old-girl-s-bedroom-n1100586
US government recommendations for securing Internet of Things devices
https://www.bleepingcomputer.com/news/security/fbi-recommends-securing-your-smart-tvs-and-iot-devices/
https://www.bleepingcomputer.com/news/security/ftc-advises-checking-smart-toy-features-before-buying/
Another “smart” lock device security disaster
https://www.helpnetsecurity.com/2019/12/11/keywe-smart-lock/
https://sharedsecurity.net/2019/10/14/hong-kong-protests-instagrams-anti-phishing-tool-smart-device-fail/

The post The Password Reuse Problem, US Government IoT Recommendations, Smart Lock Security Disaster appeared first on Shared Security Podcast.

How You’re Tracked Online, New Mass Surveillance Concerns, Malicious Android App Hijack
In episode 98: A new report from the EFF details how we are tracked online by third-party corporations, more mass surveillance concerns in China and Australia, and a malicious app hijack attack on Android to be aware of.

** Show notes and links mentioned on the show **
How You’re Tracked Online – Must Read Research from the EFF
https://www.eff.org/press/releases/eff-report-exposes-explains-big-techs-personal-data-trackers-lurk-social-media
https://www.eff.org/wp/behind-the-one-way-mirror
EFF’s Privacy Badger
uBlock Origin
New Privacy Concerns in China and Australia
https://www.engadget.com/2019/12/01/china-requires-face-scans-for-mobile-service-users/
https://www.engadget.com/2019/12/01/australia-rolls-out-ai-cameras-to-spot-drivers-using-their-phone/
Malicious Android Apps in the Wild
https://www.zdnet.com/article/android-new-strandhogg-vulnerability-is-being-exploited-in-the-wild/

The post How You’re Tracked Online, New Mass Surveillance Concerns, Malicious Android App Hijack appeared first on Shared Security Podcast.

Top 25 Most Dangerous Vulnerabilities, Smart City Privacy, DuckDuckGo vs. Google
In episode 94 of our monthly show for November 2019: The 25 most dangerous vulnerabilities, the privacy of new “smart cities”, and which search engine keeps your searches more private? It’s DuckDuckGo vs. Google!

** Show notes and links mentioned on the show **
Snapshot: Top 25 Most Dangerous Software Errors
https://www.dhs.gov/science-and-technology/news/2019/11/26/snapshot-top-25-most-dangerous-software-errors
https://www.theregister.co.uk/2019/09/18/the_25_most_dangerous_software_weaknesses/
Google’s “smart city” in Toronto: what it wanted, what it will now get – and why it’s still problematic for privacy
Toyota, Lexus owners warned about thefts that use ‘relay attacks’
I ditched Google for DuckDuckGo. Here’s why you should too
Sign-up for Rebecca Herold’s privacy newsletter – It’s great!
Check out the interview with co-host Tom Eston who was interviewed on the Infosec Career Podcast

The post Top 25 Most Dangerous Vulnerabilities, Smart City Privacy, DuckDuckGo vs. Google appeared first on Shared Security Podcast.

Phone and Voice Fraud, Twitter Account Purge, Adobe Magento Marketplace Data Breach
In episode 97 for December 2nd 2019: How to prevent phone and voice fraud, Twitter’s inactive account purge, and the Adobe Magento Marketplace data breach.

** Show notes and links mentioned on the show **
Don’t become a victim of phone and voicemail fraud
https://www.darkreading.com/7-ways-to-hang-up-on-voice-fraud—/d/d-id/1336427
Twitter’s inactive account purge
https://www.cnn.com/2019/11/27/tech/twitter-inactive-account-delete/index.html
https://twitter.com/TwitterSupport/status/1199777313300209664
Adobe Magento Marketplace data breach
https://nakedsecurity.sophos.com/2019/11/29/adobes-magento-marketplace-suffers-data-breach/
https://magento.com/blog/magento-news/magento-marketplace-security-update
https://nakedsecurity.sophos.com/2019/04/05/patch-now-magento-e-commerce-sites-targeted-by-sqli-attacks/

The post Phone and Voice Fraud, Twitter Account Purge, Adobe Magento Marketplace Data Breach appeared first on Shared Security Podcast.

Disney+ Hacked Accounts, Black Friday Scams, Android Camera Exploits
In episode 96: Thousands of Disney+ accounts have been hacked, Black Friday and Cyber Monday scams to watch out for, and the latest on new Android camera exploits affecting Google and Samsung smartphones.

** Show notes and links mentioned on the show **
Disney+ accounts hacked shortly after the service launched
https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/
Find out which apps and sites offer two-factor authentication: https://twofactorauth.org/
KeePass – free password manager: https://keepass.info/
List of popular password managers: https://en.wikipedia.org/wiki/List_of_password_managers
Black Friday and Cyber Monday scams to watch out for
https://www.msn.com/en-us/money/personalfinance/black-friday-2019-how-scammers-use-gift-cards-hot-toy-deals-to-trick-you/ar-BBX2xEV?li=AA30Nm
How attackers could hijack your Android camera to spy on you
https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera
https://thehackernews.com/2019/11/android-camera-hacking.html

The post Disney+ Hacked Accounts, Black Friday Scams, Android Camera Exploits appeared first on Shared Security Podcast.

Google’s Health Record Storage Controversy, US Border Search Ruling, Zelle Scams
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 95 for November 18th 2019: Google’s access to the medical records of millions of Americans, a new ruling on suspicionless searches at the US border, and details on a new scam using the popular money sharing app Zelle.

This week I read a news article about how more schools are either outright banning the use of smart phones or having kids put their phones in their lockers while in class. And while some kids may complain that they can’t use their device, teachers and school administrators are noticing that when there are no smart phones in school kids seem more engaged with their friends, less distracted, and even less stressed. I think this is a great idea and hope more schools start implementing similar policies, but did you know that as adults we have the power to do the same thing? When was the last time you “docked” your phone during the day so you could be more engaged and less distracted? Well Silent Pocket has the perfect solution for this and it’s called a Faraday Bag. Simply place your smart phone in one of their stylish faraday bags and you have instant silence, privacy, and a quick way to be more engaged with the people around us. Pick up one today at silentpocket.com and use discount code “sharedsecurity” at checkout to receive 15% off your order.

Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

I realize that just a few weeks ago I talked about Facebook’s new preventive health tool that is apparently not collecting patient data, but this past week it was reported that Google actually does have access to detailed medical records on tens of millions of Americans. But don’t worry, Google says that it promises to not mix patient data with all of the other massive amounts of data that Google collects about its users. The Wall Street Journal reported that Google has partnered with a company called Ascension, which is the second largest healthcare system in the US, on a project to “collect and crunch the detailed personal-health information of millions of people across 21 states.” According to a statement from Ascension, they say they are partnering with Google to improve the tools used by patients and caregivers as well as “explore artificial intelligence and machine learning applications that will have the potential to support improvements in clinical quality and effectiveness.” So what kind of healthcare data are we talking about? Well, pretty much everything including names, birthdates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, and even some billing claims. Shockingly, it seems that this partnership does not violate HIPAA (the Health Insurance Portability and Accountability Act) as the law does allow hospitals to share data with business partners as long as the data is used to help carry out its health care functions. Personally, I think this is a fine line that Google and Ascension are walking here. I mean, does anyone else find it ironic that Google also just purchased Fitbit for $2.1 billion dollars? Don’t you think that it’s going to be really tempting for Google to find ways to combine or analyze Fitbit data with the detailed health care data of tens of millions of Americans? It’s not too terribly shocking that Google is working with health care organizations, but with the risk of data breaches and the constant mishandling of privacy information by the large tech firms, are we willing to let Google handle our health care data too? Perhaps we have no choice in the matter but at least the government does. In breaking news last week the Department of Health and Human Services stated that they will be opening up an investigation with Google to ensure that HIPAA protections were fully implemented.

In privacy news this week, a federal court in Boston ruled that suspicionless searches of travelers’ electronic devices by federal agents at airports and other US ports of entry are unconstitutional. The ruling stemmed from a lawsuit made by the ACLU and the EFF on behalf of 11 travelers who had their laptops and smart phones searched at US ports of entry without being suspected of any crime. This new ruling means that the Customs and Border Control and Immigration and Customs Enforcement agencies need to now demonstrate individualized suspicion of illegal digital contraband before they can search a traveler’s device. As we’ve reported on previous episodes of the podcast, these agencies have been searching the devices of international tra

Facebook Data Leaks, Smart Speaker Laser Attack, BlueKeep in the Wild
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 94 for November 11th 2019: Facebook’s Group API data leak and 7,000 pages of leaked Facebook documents, lasers that can control your smart speakers, and details about the BlueKeep vulnerability now being exploited in the wild.

Are you like most of us that have to be constantly checking our smart phones for the latest Tweet or Facebook update? How many of us are actually doing this while we’re driving? Distracted driving is one of the most common ways accidents and even deaths happen on the road these days, and a lot of states in the US have started enacting laws prohibiting the complete use of smart phones while driving. It’s just not worth putting ourselves and others at risk, so I’ve committed to not use my smart phone while driving, and so should you. One easy solution I recommend is to store your smart phone in a Silent Pocket Faraday Sleeve. It’s small enough to store in your glove compartment or arm rest and it’s quick and easy to use. Pick one up today by visiting silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”.

Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

It seems that we can’t go a single week without reporting news about yet another Facebook data leak or controversy. This week is no exception as Facebook disclosed details about a leak of private group information such as post details, number of group users, and, depending if group users opted in, names and profile pictures. This data may have been accessed by about 100 partners which had video streaming and social media management apps integrated into certain Facebook Groups. Apparently, the issue happened when Facebook was restricting access to the Groups API back in 2018. Facebook said that they believe 11 of these partners had accessed group information in the last 60 days and that they would kindly ask all 100 partners to delete any Facebook user data that they may have collected. Facebook also stated that there has been no evidence that Facebook user data was abused in any way but will be conducting audits to confirm that said partners have deleted user data as requested.

In other Facebook news, NBC News released close to 7,000 pages of leaked documents that showed how Facebook was using user data as a bargaining chip with third-party developers. The data, which included 4,000 internal Facebook emails, web chats, and documents, show that Facebook would give certain types of user data to certain high-value customers while also restricting certain types of user data to rival companies. For example, Amazon got special access to more user data because they were paying for ads on Facebook, and another company called MessageMe was completely cut off from user data because Facebook felt it was a competitor to its own Messenger product. Meanwhile, it was revealed that Facebook was using these moves to publicly show that they were protecting user privacy. This latest news is once again leaving Facebook in hot water with a continuing onslaught of lawsuits by former customers and government inquiries. Oh and on top of all this news, Facebook announced a new logo which I’m certain will make all of their privacy problems go away. The new logo, which is attempting to show that all of the Facebook “property” apps are similar, seems to be an attempt to make it harder for government regulators to break up Facebook if that day ever comes.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches. I

WhatsApp’s NSO Group Lawsuit, This Week in Data Breaches, Office 365 Voicemail Phishing
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 93 for November 4th 2019: The WhatsApp NSO group lawsuit plus details on Facebook’s preventive health tool, this week’s data breach news, and how attackers are using a voicemail to phish Microsoft Office 365 users.

Halloween may be over but this time of year doesn’t have to be scary when it comes to protecting your digital privacy. Silent Pocket makes it easy to protect your devices with their full line of faraday bags, wallets, and other accessories that will block all wireless signal. As a special treat for our podcast listeners you can receive 15% off your order right now at silentpocket.com using discount code “sharedsecurity” during checkout. No tricks involved in this exclusive offer.

Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Will Cathcart, the head of WhatsApp, which is a Facebook company, wrote an op-ed for the Washington Post stating that WhatsApp has filed a complaint in US federal court against the infamous Israeli company, the NSO Group. You may remember that several months ago a serious vulnerability was found in WhatsApp in which malicious code was delivered via a seemingly innocent video call compromising the app and device. Through WhatsApp’s own investigation, in partnership with activist group Citizen Lab, they detailed how NSO Group servers, Internet-hosted services and certain WhatsApp accounts were traced back to the NSO Group during their investigation of the attacks. In addition, it was discovered that at least 100 human-rights defenders and journalists were targeted using this NSO spyware, most likely a form of Pegasus, which is known as the spyware of choice for nation states to target specific individuals. Of course, the NSO Group, as expected, has denied any involvement in the attack. Check out our show notes for the link to the full federal complaint to read the details for yourself.

In other Facebook news, Facebook announced that they are developing new partnerships and programs to support people that want to connect with resources to support their health. One of those resources is something called the “Preventive Health Tool” available in the US. This new tool will allow Facebook users to find doctors, set appointment reminders to schedule tests, note them as completed, and much more. Facebook says that their reason for doing this is to spread more awareness about preventive care for things like cancer screenings. Now I’m sure the first thing you’re thinking is, will Facebook now have access to my health care data? Well Facebook says, quote, “Preventive Health allows you to set reminders for your future checkups and mark them as done, but it doesn’t provide us, or the health organizations we’re working with, access to your actual test results. Personal information about your activity in Preventive Health is not shared with third parties, such as health organizations or insurance companies, so it can’t be used for purposes like insurance eligibility,” end quote. Now your next question is probably about how many more health care related ads will I start seeing on Facebook if I use this tool? Well Facebook has an answer to that and says, quote, “We don’t show ads based on the information you provide in Preventive Health — that includes things like setting a reminder for a test, marking it as done or searching for a healthcare location. As always, other actions that you take on Facebook could inform the ads you see, for example, liking the Facebook page of a health organization or visiting an external website linked to or from Preventive Health,” end quote. And that last sentence is key. Ultimately, the more time you spend on Facebook, the more opportunity you have to see ads in general, but by also liking a page of a health care organization or visiting an external website you are still giving Facebook little pieces of information that can be used to track you and eventually, serve you…guess what? More ads.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, w

Firewalla Review, 15 Most Dangerous Apps for Kids, Rise of the Deepfake
In episode 93 of our monthly show we review the Firewalla home network device, talk about the 15 most dangerous (or scary) apps for kids that parents need to be aware of, and the rise of the “deepfake”! Watch the recording of our live stream on YouTube (we’re not sure what happened with Scott’s out-of-sync and choppy video so we apologize for our technical difficulties).

Here are the show notes and links to articles discussed during the show:
Tom’s review of the Firewalla home network protection device
Description of the Firewalla Blue and Firewalla Red
Firewalla router compatibility list
Information about compatibility with mesh routers like Google WiFi
Charts and graphs regarding network usage in the mobile app
Information about activity and parental controls
Buy one on Amazon
15 Most Dangerous Apps for Kids
Article with the list of apps mentioned on the show
The Rise of the Deepfake
Deepfake video of Mark Zuckerberg
Guardian article about “The rise of the deepfake and the threat to democracy” which also has the clips of the Jimmy Fallon deepfake and Nancy Pelosi edited video (not a deepfake)

Please support our sponsors, Silent Pocket and Edgewise Networks: Looking to up your privacy and security game while you travel? Then you need to check out Silent Pocket’s patented product line of faraday bags, wallets, backpacks, and other accessories at silentpocket.com. Be sure to use discount code “sharedsecurity” at checkout to receive 15% off your order. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.

The post Firewalla Review, 15 Most Dangerous Apps for Kids, Rise of the Deepfake appeared first on Shared Security Podcast.

Nord VPN Security Incident, Smart Speaker Phishing, Apple iOS 13 Privacy Features
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 92 for October 28th 2019: Details on the Nord VPN security incident, using Amazon Echo and Google Home smart speakers for phishing attacks, and new privacy features in Apple iOS 13 you should know about. What does it mean to go off the grid? For most of us that are constantly relying on our phones, tablets, and laptops it means shutting them off and doing some other activity like enjoying nature or spending valuable time with friends and family. I don’t know about you but I struggle with turning off or putting down my phone because I’ve become so tied to it. I mean, have you ever forgotten your phone at home while you were driving to work or did you happen to find yourself in the wilderness or somewhere where you can’t get a cell phone signal? How did this make you feel? I know I have had that awkward feeling of “what if someone tried to message me?” or “how will anyone get ahold of me in an emergency”? In fact, how many of you would drive back home to retrieve your phone or walk around until you found a cell phone signal out in the middle of nowhere? Look it’s hard to go off the grid but the good news is that there are products that can help. That’s why I recommend using a Silent Pocket Faraday bag which can instantly block are wireless signals, quickly taking you off the grid. Check out their full product line at silentpocket.com. And because you listen to this podcast remember to use discount code “sharedsecurity” at checkout to receive 15% off your order. Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. 
Popular VPN service provider Nord VPN disclosed that they were the victim of a security incident which happened about 16 months ago, back in March 2018. The attack compromised a server in Finland in which attackers were able to access encryption keys which could have been used to potentially decrypt user traffic, launch man-in-the-middle attacks, and even impersonate the nordvpn.com website. Attackers were able to access the server by exploiting an unnamed remote management system that was being used by the data center that housed one of the Nord VPN servers. One of the certificates the attackers gained access to was one that provides HTTPS encryption for nordvpn.com. This certificate wasn’t set to expire until October 2018, seven months after the breach. This means that for months, attackers could have been luring unsuspecting victims to phishing sites thinking they were signing up or accessing nordvpn.com. And to make matters worse details about the incident have been apparently floating around underground forums on the Internet since May of 2018. Nord VPN posted a blog about the incident and stated that no user accounts or user data was affected or that anyone attempted to monitor user traffic in any way. They also stated that the only attack possible would have been a personalized and highly sophisticated man-in-the-middle attack to intercept a single connection. And also restating that they are a “no logs” VPN provider so there would be nothing for an attacker to see anyway. This is contrary to what others in the media and security research community are saying noting that man-in-the-middle attacks are not that hard to pull off and that these types of attacks are actually what VPNs are supposed to help protect users from. The Nord VPN blog post also seemed to pass complete blame of the incident on the third-party datacenter which housed the server that was accessed. 
Nord VPN also stated that they did not disclose the breach to their customers and to the public, quote, “until we could be sure that such an attack could not be replicated anywhere else on our infrastructure.” They also stated that they are preparing a bug bounty program and conducting internal and external audits of all systems. In related news, two other VPN providers, TorGuard and VikingVPN, also disclosed that they too had been hacked, with encryption keys stolen around the same time period. The lesson here is that, besides a VPN provider perhaps not disclosing a breach or incident in a timely manner, the bigger issue here is twofold. First, understand that a VPN is not an end-all, be-all solution to protect your privacy, contrary to what many of these VPN companies may say in their advertising. As seen with this incident, anyone can become a victim when there is a third party involved, like an insecure remote management application which is managed by someone else. One perspective is that this incident wasn’t Nord VPN’s fault, especially since they had no cont

Pitney Bowes Ransomware Attack, Samsung Galaxy S10 Fingerprint Bypass, Top Technology Fears
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 91 for October 21st 2019: Pitney Bowes becomes the latest ransomware victim, what are the top technology fears, and the latest on the vulnerability that allows a Samsung Galaxy S10 to be unlocked with anyone’s fingerprint. Smart phones and other mobile devices have truly become integrated with our daily lives. So much so, in fact, that these devices are causing a new type of stress injury called “text neck”. Text neck is a stress injury which causes pain in your neck from excessive use of, or texting on, a mobile device over a long period of time. This condition is increasingly concerning given that all of us seem to be looking down at our devices every minute of every day. Just take a look around you whenever you’re out in public. Our mobile devices have truly become a “pain in our neck”. So if you want an easy way to prevent this condition, try taking more breaks away from your device and simply put your device down so you are less tempted to use it. And if you want an easy way to get off the grid for a while, put it in a Silent Pocket faraday bag. The nice thing about this solution is that you don’t even have to power off your device! Check out Silent Pocket’s full line of faraday bags and wallets at silentpocket.com and receive 15% off your order during checkout using discount code “sharedsecurity”. Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Last week shipping and postage provider Pitney Bowes, which serves 90% of businesses in the Fortune 500, was the victim of a ransomware attack preventing customers from adding postage to packages, and it may have even impacted some mail delivery at the US Postal Service.
In a statement the company said, quote, “Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” End quote. Pitney Bowes is best known for its postage meters which automate the painful process of putting postage on envelopes and packages. Some customers took to Twitter during the outage showing postage meters and associated software with errors and confusing messages about “system faults”. Apparently the meters would still work up until you had to refill funds in order to print out more postage. Check out our show notes for a link to the latest updates from Pitney Bowes on the status of their systems. In related news, late last week business credit rating agency Moody’s issued a “credit negative” event note regarding the ransomware attack, meaning the credit agency is cautiously watching the incident but has yet to issue a ratings downgrade. Ratings agencies like Moody’s are commonly referenced by investors, and negative ratings can make it more difficult for a company to raise money and can drive the stock value down. This news is pretty significant in that ratings agencies are now monitoring companies for data breaches and other cybersecurity incidents and issuing ratings adjustments based on the impact of the incident. Just last May, Moody’s downgraded Equifax’s outlook to negative because of the massive data breach that we all know and love. And ironically, Equifax’s outlook remains negative for the foreseeable future. Ransomware attacks like these are continuing to rise, mostly because a lot of companies are paying the ransom because they feel they are left with no other option. The more companies pay, the more incentive there is for attackers to continue finding victims.
The advice from law enforcement and the cybersecurity community is to never pay the ransom, because there is no guarantee that you will get your data back. Rather, contact law enforcement or a third-party cybersecurity professional to help get your data back in other ways. For example, there is a site run by a security researcher called “ID Ransomware” which (as of this podcast recording) can decrypt 771 different types of ransomware once you upload the ransom note or a sample encrypted file. This is a free service, by the way, and you have a much better chance of getting your data back by using a free service like this than by ever paying the ransom. A recent survey of about 1,000 Americans from security solutions company Cove revealed people’s modern-day safety and cybersecurity fears by gender, generation, and political party. Some of the most interesting findings say that four in five parents said that they were worried about raising

Hong Kong Protests, Instagram’s Anti-Phishing Tool, Smart Device Fail
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 90 for October 14th 2019: How protesters in Hong Kong are avoiding facial recognition, Instagram’s new anti-phishing tool, and my recent epic smart device failure incident. Being a frequent traveler myself, I’m always surprised at how many people at airports are not very aware of their privacy. Just last week while I was waiting for my flight I listened as someone was giving their credit card number over the phone, and another person had their laptop open and I was able to see a presentation they were working on which looked to have very sensitive business information. The message here is that we always need to be aware of our surroundings and be careful what we say or expose when we’re in a public place like an airport. And if you’re a privacy-aware traveler like me I highly recommend using Silent Pocket’s product line of faraday bags, backpacks and wallets which are built with your digital privacy in mind. Check them out at silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”. Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Violent protests continued in Hong Kong last week with the local authorities implementing a new anti-mask law which targets protesters wearing masks to avoid being recognized by the police and surveillance cameras. Now, such bans are nothing new, as Sri Lanka, France, the Netherlands, and Canada have similar controversial bans as well. Some protesters have even been seen wearing face paint in the form of Pepe the Frog, which has recently been adopted as an international symbol of liberation for the Hong Kong protesters.
Some protesters are even using laser pointers as a way to disable facial recognition technology or make it harder for that technology to identify them. In related news, Apple has been criticized for removing an app from the Apple App Store because of pressure from the Chinese government. The app allowed protesters to crowdsource the locations of police. Apple is just the latest US-based company joining the ranks of the NBA and the video game company Blizzard, who have given in to Chinese pressure. This is very unfortunate, and while I don’t bring up politics too much on this show, freedom-loving people and companies should be supporting the protesters. And as a reminder, you as a consumer have a choice on what products and entertainment you spend your money on. Now, I bring up the Hong Kong protests because we all need to know that the technology that governments possess in order to identify protesters should be concerning to all of us. So when does the use of this technology truly become an invasion of our privacy, all in the name of more security? Perhaps we’re already there. The good news is that we are seeing more privacy laws that several states in the US are now implementing. Just last week the state of California signed a bill into law that prevents police from using facial recognition technology on video recordings gathered by police officers. The bill states that, quote, “The use of facial recognition and other biometric surveillance is the functional equivalent of requiring every person to show a personal photo identification card at all times in violation of recognized constitutional rights.” End quote. I think this is a positive sign that, at least in the US, facial recognition is beginning to become more regulated. Instagram has added a new security feature which will help you identify whether an email was sent by Instagram or may be a phishing email. Here’s how this feature works. Let’s say you receive an email claiming to be from Instagram.
You can now see if Instagram sent you that email by going into the “Emails from Instagram” option in your app’s settings. Within this setting you’ll be able to see every email that was sent to you by Instagram over the last 14 days. The new feature also separates emails into two categories: security emails and other. If you see an email that matches what’s in your inbox, then you can assume that this was a legitimate email. As you know, phishing emails are a constant threat, and some recent Instagram phishing attacks are looking so legitimate that it’s very difficult to identify a real email vs. a fake one. Be on the lookout for this new and welcome security feature to show up in your Instagram account over the next several weeks. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data

Microsoft OneDrive Personal Vault, Google’s New Privacy and Security Controls, REAL ID Deadline
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 89 for October 7th 2019: Microsoft’s new OneDrive Personal Vault, updated privacy and security controls announced by Google, and the TSA’s announcement about the REAL ID deadline next year. I have a question for you. What’s in your daily carry? Now, I’m not talking about your concealed weapon of choice (if you do legally choose to carry one) but I’m talking about your wallet, backpack, clutch, or other travel accessory. If you’re looking to upgrade to something that’s high quality, fashionable, and built with your digital privacy in mind you need to check out Silent Pocket. Visit their full line of products at silentpocket.com and use discount code “sharedsecurity” at checkout to take 15% off your order. Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Microsoft has increased the security and privacy of its OneDrive cloud storage service with a new feature called a “Personal Vault” which is now available worldwide for all OneDrive users except for those on business plans. Personal Vault is a protected area in OneDrive that requires additional authentication, like biometrics, a PIN code, or SMS-based two-factor authentication, in order to access and store files. Microsoft has stated that on Windows 10 devices files that are stored in Personal Vault are synced by default to BitLocker-encrypted locations, and that the vault will lock automatically after 20 minutes by default. I think the real security advantage here is on mobile devices, where the OneDrive app will let you scan files or take pictures and video and store them directly in your Personal Vault instead of your camera roll.
And because data that is stored in OneDrive is encrypted at rest and in transit, it seems to be a nice addition to increase the security and privacy of your most sensitive data, like a picture of your driver’s license, passport, birth certificate, or other electronic documents you should protect. One disappointment though: if you have a free OneDrive account or one that you recently upgraded to one of Microsoft’s standalone 100 GB plans, you can only store a maximum of three files in your Personal Vault. To store more, you’ll need to upgrade to an Office 365 Personal or Home subscription. I guess according to Microsoft, much-needed personal file security and privacy comes with an additional cost. There were lots of new privacy and security updates from Google last week, which include new features and improvements to give you more control over your data and to make privacy and security controls more seamless across all of Google’s products. First up is the new feature which allows you to auto-delete your YouTube browsing history after a set time period of 3 months or 18 months, or to just delete your history manually. Next, Google has integrated a password checkup tool into the Google Password Manager which will let you know if your passwords are weak, reused, or have been compromised in a previous data breach. This is similar functionality to what Firefox rolled out a few months ago by integrating with Troy Hunt’s ‘Have I Been Pwned’ service. In addition to these improvements you’ll be able to tell the Google Assistant to delete what you just said or delete a recording from a specific time period, like last week, and Google has added an incognito or private mode to Google Maps which removes any personalization and search history so that it won’t be linked back to your Google account. In other related Google news, Google has been lobbying Congress to let them start forcing Chrome users to automatically use DNS over HTTPS.
If you’re not familiar with what DNS over HTTPS is, well, it means that when you type a URL like google.com into your web browser, the DNS query for google.com gets encrypted, therefore not allowing your ISP (or someone else monitoring your Internet connection) to view the sites you’re going to on the Internet. Keep in mind that this is slightly different than full HTTPS encryption, where the contents of the data that you send to and receive from sites on the Internet are encrypted. Think of DNS over HTTPS as an add-on that will increase the overall security and privacy of the Internet. My take is that this and all the recent changes that Google is making are really needed. I don’t know about you but I feel lately that perhaps Amazon, Apple, and now Google are playing a game of “privacy catch up” given how data breaches and privacy concerns are all over the news as of late. Let’s hope this trend continues.

Amazon Smart Glasses, Webkey Social Engineering, Erase Your Old Hard Drives!
In episode 92 of our monthly show Tom and Scott talk about Amazon’s new smart glasses that work with Alexa, what webkeys are and how they could be used for social engineering, and why you should always erase old hard drives and other data storage before selling or giving away computers and other electronics. Looking to up your privacy and security game while you travel? Then you need to check out Silent Pocket’s patented product line of faraday bags, wallets, backpacks, and other accessories at silentpocket.com. Be sure to use discount code “sharedsecurity” at checkout to receive 15% off your order. Here are the show notes and links to articles discussed during the show: Give a listen to our 10 year anniversary episode, and our interviews with Aaron Zar from Silent Pocket, and Max Krohn from Keybase.io. A first look at Amazon’s new AirPods competitor, smart glasses and ring: “Another experimental product is Echo Frames, but I think these have legs. These aren’t augmented reality glasses like Microsoft’s Hololens or Google Glass — there’s no display on them, and no camera like Glass had. Instead, you talk to the glasses and Alexa talks back to you. They make more sense than the Echo Loop, since the speakers are right near your ears and you don’t need to raise a hand up to listen.” Amazon has had lots of privacy issues around Alexa recordings, including how contractors have been listening to these recordings and that you can only manually delete your recordings one at a time. Amazon’s privacy policies are starting to change! Check out our latest episode of the Weekly Blaze for more details. What is a Webkey? “USB webkeys (USB web keys) are a great way of getting people to remember your logo, yet it saves the trouble of remembering a lengthy URL. Plug the Webkey into a USB port and your pre-programmed website automatically launches — just like magic! If you’ve read Harry Potter, you’ll appreciate this Muggle equivalent of the Portkey.
The USB Web key is a low cost alternative to USB flash memory devices, and an effective way of promoting your company, new product launch, training material, or recruitment campaign. It’s available in various shapes. The USB Web key is pre-programmed with the URL (may up to 110pcs characters) that you provide. Every device is guaranteed to be virus free.” Here’s the Twitter thread that Scott mentioned on the show about the webkey given out at the information security conference: A great physical/cyber #socialEngineering experiment. A honey webkey! Wonder how many inserted this? Did the #InformationSecurity folks approve of this marketing tactic? Hey, @agent0x0 @streetsec the next gen beyond #HoneySticks => #HoneyPhones for you. https://t.co/u9B1vR6Iaj — Rebecca Herold (@PrivacyProf) August 22, 2019 Study: 3 in 5 secondhand hard drives still contain previous owner’s data “59 percent of secondhand hard disks sold on marketplaces like eBay are not properly wiped and still contain data from their previous owners, according to a new study by the University of Hertfordshire and commissioned by Comparitech. We purchased 200 used hard drives from online marketplaces, secondhand shops, and conventional auctions: 100 in the USA and 100 in the UK. University researchers then performed forensic analysis to determine whether any attempt had been made at deleting the contents of the drive and whether those attempts were successful. We uncovered a wide range of sensitive and private information left by previous owners. The remnant data included, among other things, employment and payroll records, family and holiday photos, business documents, visa applications, resumes and job applications, lists of passwords, passport and driver’s license scans, tax documents, bank statements, and lists of students attending senior high schools.” Here’s a great guide we talked about on how to erase/wipe most electronic storage including SD cards.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel. The post Amazon Smart Glasses, Webkey Social Engineering, Erase Your Old Hard Drives! appeared first on Shared Security Podcast.

DoorDash Data Breach, Voice Assistant Privacy Changes, Limiting Ad Tracking
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 88 for September 30th 2019: DoorDash announces a data breach affecting 4.9 million people, recent voice assistant privacy changes, and ways that you can limit ad tracking on your mobile device. Are you a frequent traveler that wants a high-quality, fashionable backpack that keeps your digital privacy in mind? Then you need to check out Silent Pocket’s new Faraday Bag Waterproof Backpack. Check it out at silentpocket.com as well as their other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”. Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Popular food delivery company DoorDash said in a blog post late last week that 4.9 million customers, delivery workers, and merchants had their information stolen through a third-party service provider who was not named. Data stolen included name, email and delivery address, order history, phone numbers, last four digits of their credit card or bank account, and hashed (and salted) passwords. Users who joined the service prior to April 5th 2018 were affected by this breach, and to add insult to injury about 100,000 delivery workers also had their driver’s license information stolen as well. And if that wasn’t enough, this news ironically comes almost a year after many DoorDash users complained that their accounts were hacked. At the time, DoorDash denied that there was a breach and blamed it on credential stuffing attacks, where attackers take user names and passwords previously exposed through known data breaches and then try those credentials on other sites like DoorDash.
This is basically a way to pass blame to the user for selecting poor passwords. I think DoorDash has a little bit of explaining to do as we now add this latest breach to the long list of breaches that we’ve had just this year alone. If you happen to be a DoorDash customer, check out our show notes for a link to the official news release about the breach for more information. Several weeks ago on the podcast I talked about how Apple was changing the way that contractors were analyzing recordings from Siri as part of their “grading” program due to privacy concerns around sensitive and private conversations that were recorded. You may recall that this was also a huge problem for Amazon’s and Google’s voice assistants as well. Well, this past week Google announced significant changes to how their product, the Google Assistant, handles voice recordings. First, Google says that your audio data is not stored by default and that if you do want it stored, so that it can be used to help improve the Google Assistant, then you can opt in to this feature. Second, Google has updated their audio settings to highlight that when you choose to opt in you can also choose to opt out, and existing users that have chosen this already get a chance to review and change the setting if they would prefer. Third, Google said that recordings are never linked to a particular user and that only 0.2% of all audio recordings are ever analyzed by someone. Lastly, the Google Assistant will automatically delete any audio data when it realizes that it was activated unintentionally. In addition, Google is making changes to their data retention policy so that audio data older than a few months is deleted. And in late-breaking news last week, Amazon released several new Echo-related products to the market and also announced several new privacy improvements as well.
First, Amazon has added two new commands to its Alexa voice assistant: you can now say “Alexa, tell me what you heard” and “Alexa, why did you do that?”. The “tell me what you heard” command lets you know exactly what Alexa is listening to, and “why did you do that” is meant to give you more information if Alexa does something random like play a song out of nowhere. In addition, Amazon will now allow people to delete Alexa voice recordings on a rolling 3-month or 18-month basis and is allowing users to opt out of human reviews of voice recordings. These changes now put Amazon along the same lines as Apple and now Google with the current privacy settings of these popular voice assistants. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s

Aaron Zar, Co-Founder and CEO of Silent Pocket
On this special edition of the podcast we speak with Aaron Zar, co-founder and CEO of Silent Pocket. Silent Pocket has been a long time sponsor of the show and it was great to catch up with Aaron to get his thoughts on the current state of digital privacy. On the show we also discuss: Why privacy isn’t dead and how Aaron responds to people that say “Who cares about privacy! I have nothing to hide!” How Silent Pocket products are helping people protect their digital privacy and stay more secure The history of Silent Pocket, their first products, and how Aaron started his career What products are recommended for the average person? What new and innovative products are in the pipeline? It was a pleasure having Aaron on the show and we hope you enjoy this episode as much as we did! Check out Silent Pocket’s great line of faraday bags, wallets, and other gear including their new Faraday Bag Waterproof Backpack which we discuss on the show. Don’t forget, because you listen to this podcast, you receive 15% off your order using discount code “sharedsecurity” during checkout at silentpocket.com. The post Aaron Zar, Co-Founder and CEO of Silent Pocket appeared first on Shared Security Podcast.

Apple iOS 13, Venmo Scams, Simjacking Attacks
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 87 for September 22nd 2019: Everything you need to know about Apple iOS 13, Venmo scams you need to be aware of, and new details about “Simjacking” attacks. This week I had the pleasure of interviewing Aaron Zar, co-founder and CEO of our sponsor Silent Pocket. Aaron’s a great guy and I think you’ll enjoy hearing how he started Silent Pocket and his take on why our digital privacy is more important than ever. We’ll be publishing this episode soon so be on the lookout for it. And if you haven’t taken a look at Silent Pocket’s great product line of stylish faraday bags and wallets I highly recommend you check them out at silentpocket.com. Don’t forget, because you listen to this podcast you can take 15% off your order using discount code “sharedsecurity”. Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Last week Apple released iOS 13 to the public, which also happened to include a passcode bypass vulnerability that allows you to view the contacts on a locked Apple device. In order to conduct the attack you would need access to someone’s device and go through a series of steps which, by the way, would not be that easy to pull off even by someone who had physical access to your device. Steps include replying to an incoming call with a custom message, enabling and disabling the VoiceOver feature, adding a new contact to a custom message, and then viewing the contact’s information. This of course is not the first time we’ve seen passcode bypass vulnerabilities in Apple iOS; there were two that were patched in iOS 12 as well.
Apple will most likely patch this vulnerability in the first update to iOS 13, which will probably happen in the next few weeks. Besides this particular issue, the iOS 13 update comes with several new privacy enhancements, including the much anticipated “Sign in with Apple” feature which can create an anonymous email address for you when signing up for new apps and services. Also, phone calls from apps like Facebook Messenger and WhatsApp will have more restrictions in the way that they run in the background, to prevent them from collecting user data without permission. Speaking of permissions, someone noticed while testing the new iOS update that an unexpected notification popped up on their device stating that Facebook would like to use your Bluetooth wireless. Why on Earth would Facebook need access to your Bluetooth? Well, apparently some apps are tracking your physical location and your proximity to other people’s smartphones. Potential uses of this data could include deeper analysis of the people around you and their relationships. Not only that, but it could also be used to serve you ads, and I could even see the potential use in Facebook’s new dating service, in which having location services turned on is a requirement. Now, this “feature” has been going on for quite some time and it’s not just Facebook. YouTube just so happens to be doing the same thing. Do you use the popular peer-to-peer payment app, Venmo? If you do, then you need to be aware of a new text message based phishing scam that directs you to a fake Venmo website. Here’s how it works. You’ll receive a text message saying that your Venmo account is about to be charged and if you want to cancel the withdrawal, you need to log in to your account and decline it. When you click the link, a site that looks just like Venmo will ask you for your phone number and password, then prompt you to enter your bank card and other personal and financial information.
In another, more advanced variation that is most likely tied to criminal money laundering, you may receive a legitimate text message from Venmo stating that you just received money from someone you don’t know. This is typically a large amount, like $1,000. If you accept the payment, later down the road the scammer will ask you for the money back due to an error on their part and even ask you to keep $50 or so for your “trouble”. When you return the money to the scammer, the scammer will contact Venmo to “correct” their mistake, in which case Venmo may also reverse the payment again or put you on the hook for accepting a fraudulent transaction. The best advice, of course, is to never accept money from people you don’t know and to never enter financial details through a link that comes through a text message. Scams like these that leverage text messages are only going to increase because payment services like Venmo are rapidly growing in popularity. Just in Q1 of thi

End-to-End Encryption with Max Krohn from Keybase.io
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 86 for September 16th 2019: All about end-to-end encryption with Max Krohn from Keybase.io. Are you looking for the very best products to protect your digital privacy? Well, Silent Pocket has everything you need to mind the grid with their patented product line of faraday bags and wallets. Visit silentpocket.com today and receive 15% off your order with discount code “sharedsecurity”. The Shared Security Podcast is also sponsored by Edgewise Networks. Visit edgewise.net to find out how Edgewise can help stop data breaches. In this special edition of the Weekly Blaze, Tom interviews Max Krohn, co-founder of Keybase.io, to discuss the current state of encryption and why end-to-end encryption is so important. Here are the topics that we covered with Max on the show: Who is Max Krohn and what is Keybase.io? What is end-to-end encryption and how is it different from other types of encryption? Recent news about governments asking tech companies to build “encryption backdoors” into services and products to prevent terrorism and mass shootings. Max’s take on the controversial talk given by Crown Sterling at the Black Hat USA security conference on the “discovery” of quasi-prime numbers. Is this snake oil or real research that will change encryption forever? Find out more about Keybase.io and follow Max on Twitter. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post End-to-End Encryption with Max Krohn from Keybase.io appeared first on Shared Security Podcast.

New Firefox Privacy Protections, Apple iOS Zero-Days, Facebook User Phone Numbers Exposed
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 85 for September 9th 2019: Firefox will now block all third-party tracking cookies and more by default, serious vulnerabilities found in Apple iOS, and the latest on the huge database of Facebook users’ phone numbers found online. Did you know that all electronic devices emit a form of electromagnetic radiation? Well, recently we’re starting to see more scientific research come out about the potential health effects of using our mobile devices and other wireless electronics so close to our bodies. In fact, just recently a class action lawsuit was filed against Apple and Samsung for exceeding the radiation limit on the smartphones that they sell. And while this research is debatable in some circles, more and more experts are recommending keeping our smartphones away from our bodies. If this is something that concerns you, one product that can help is a Silent Pocket faraday bag which can block all wireless signals emitted by a device. Visit silentpocket.com to check out their great line of faraday bags and other products to protect your digital privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. It should be no surprise that I’m a huge fan of Firefox. In my opinion it’s probably the best web browser out there that is truly focused on your privacy. And with the latest release of Firefox, version 69, Mozilla has made a change to its Enhanced Tracking Protection feature by enabling it for all users by default.
Enhanced Tracking Protection is a privacy control which blocks all third-party tracking cookies and more. Back in June Firefox enabled this feature only for new users, but over the last few months of testing and improvements they are finally ready to enable this setting for everyone, which is a huge benefit from a privacy perspective. Enhanced Tracking Protection works behind the scenes to keep websites from developing a profile of you based on how they track your web browser behavior across different websites. These profiles are then collected and even sold to third-party marketing companies without your consent. In addition, Firefox is also now blocking cryptominers by default too. Cryptominers access your computer’s CPU, slowing it down and draining your battery to generate cryptocurrency for someone else to profit from. Oh, and if that wasn’t enough, fingerprinting scripts are being blocked too, but not by default. These scripts attempt to harvest information about your computer’s configuration when you visit a website. If you want to take advantage of blocking these types of scripts you’ll need to enable “Strict Mode” within your Firefox privacy settings. Firefox plans on turning this blocking on by default in the near future. Now, I’ve also been recommending the EFF’s Privacy Badger as a great add-on for Firefox too. So it will be interesting to see how Privacy Badger compares to Enhanced Tracking Protection, now built into Firefox by default. Perhaps we’ll do a comparison for you in a future episode of the podcast, but in the meantime, if you are using Firefox make sure you update to the latest version to take advantage of these great new privacy protections.
The big news being discussed in the cybersecurity community recently was the big reveal from Google’s Project Zero vulnerability research team, which found that over a dozen Apple iOS vulnerabilities have been exploited by attackers for at least two years to steal everything on a vulnerable device including passwords, photos, text messages, and more. Most surprising though is the method used to infect iOS devices, which was by simply visiting certain websites which would exploit the vulnerabilities without you even knowing it. The researchers did not disclose the websites that were used but said that these sites received thousands of visitors per week. Oh, and the exploit only persisted until you rebooted your iOS device, but like many of us, do you remember the last time you powered off or rebooted your device? What’s also interesting is that typically iOS zero-days like this would be used by nation states to target specific groups or individuals, but in this case the attackers didn’t have a particular target in mind; rather, it was a mass attack on any Apple device running iOS 10 through iOS 12. This also brings into question how secure Apple devices really are given that they have a reputation of iOS being one of the hardest operating systems to com

Android “Ghost Click” Apps, New Apple Siri Privacy Protections, Credit Card Spying
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 84 for September 2nd 2019: “Ghost click” Android apps found on the Google Play Store, new privacy protections for Apple’s Siri voice assistant, and did you know that your credit card may be spying on you? I have a question for you. How often do you carry your laptop with you? If you’re a frequent traveler, the answer may be all day and every day. So if you are carrying your laptop around, how are you doing it? If you’re like most of us, you use some cheap neoprene laptop sleeve or just throw it in a backpack. But what if I told you there is a better approach? Well, Silent Pocket makes a fantastic solution called a faraday laptop and tablet sleeve. I have one and I love it. Their laptop sleeve comes in waterproof nylon or beautiful leather to provide protection for your laptop not only from the elements but also by blocking all wireless signals, making your laptop instantly secure. Check out Silent Pocket’s Faraday Laptop and Tablet Sleeve for yourself at silentpocket.com. And as a listener of this podcast be sure to use discount code “sharedsecurity” to receive 15% off your order. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy news topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Did you know that Android app developers have found creative ways to load ads or conduct “ghost clicks” within an app so that the ad is never shown to you and you never have to click an ad on the screen?
Well, last week researchers from Symantec discovered that two apps from an Android app developer called “Idea Master”, a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: Daily Workout, Best HIIT Coach”, which were downloaded over 1.5 million times from the Google Play Store over close to a year, were using this very tactic. According to Symantec researchers, the code to do all of this was hidden due to the way that the apps were compiled. Typically, researchers can easily reverse engineer Android apps to view the source code, but in this case a “packer” was used to purposely obfuscate the code. These packers are typically used by app developers to protect the intellectual property in their code. How this attack works is that the developer first makes sure the ads show up just outside the viewable area of the screen and then programs the app to initiate an automated ad-clicking process that runs in the background. Not only will this drive up ad revenue for the app developer, but it has the side effect of slowing down your Android device and draining your battery. There is also the potential for these developers to use similar tactics to load malicious content or open up websites so that more dangerous things could be installed on your phone. So how can you prevent something like this from happening on your Android device? First, keep your mobile device up to date, only install apps from trusted sources, and pay close attention to the permissions that are requested when you install an app. And if you see your battery or data usage spike after installing an app, that should also be a clue that the app may be doing something malicious on your device. Remember on a recent episode how I talked about Amazon, Apple, and Google having major privacy issues regarding what was being recorded by their voice assistants like Siri, Amazon Echo, and Google Home?
In all of these assistants, recordings were found to have contained very private conversations that were being analyzed by contractors hired to improve the technology behind these digital assistants. Several weeks ago Apple suspended what they call their Siri “grading” program due to privacy concerns with the use of contractors and the very private conversations, which included everything from financial data and medical information to other very personal details, captured when Siri was accidentally triggered. This past week Apple announced that they will be resuming this program in the Fall, but only after some privacy changes are made. These changes include that Apple will no longer retain recordings of Siri interactions and instead will use computer generated transcripts to help Siri improve. Second, users will be able to opt in to have audio samples from Siri analyzed, with the option to opt out at any time. And third, for customers that do opt in, only Apple employees will be allowed to listen to audio samples, and they will delete any recording which happened to be an inadvertent trigger of Siri. Now, let’s see if Google and Amazon follow Apple’s lead to fix some of these recent privacy co

10 Year Anniversary Episode with Kevin Johnson and Jayson E. Street
In episode 91, a very special episode of our monthly show, Tom and Scott are joined by special guests Kevin Johnson and Jayson E. Street to celebrate the 10 year anniversary of this podcast! We talk about the history of the show, what’s improved (or not improved) in the last 10 years from a cybersecurity and privacy perspective, Kevin’s Star Wars addiction, Jayson’s #HackerAdventures, and we have a very important debate about the future of security awareness and what can be done to provide better education on phishing, which continues to be one of the top attack vectors we’ve seen in the last 10 years. Be sure to stay tuned to the end of the episode for some fun outtakes from this episode and some highlights from our very first episode which we recorded way back in August of 2009. You can also watch the full live stream of this episode on our YouTube channel. Thank you to all of our sponsors (Silent Pocket and Edgewise Networks), listeners, and previous guests for supporting the show over the last 10 years! We really appreciate it and we look forward to many more years of podcasting! Your hosts, Tom Eston and Scott Wright

New Facebook Privacy Controls, Apple iOS Patching Mistake, MoviePass Data Breach
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 83 for August 26th 2019: Facebook announces new off-Facebook activity privacy controls, how Apple made everyone’s iOS device vulnerable, and details on the massive MoviePass data breach. This week I read yet another news article that talked about how thieves stole a Tesla in about 30 seconds using what is known as a relay or key fob attack. The attack works by using a device to amplify the signal from the key fob so that the car thinks the key fob is nearby. Once the device relays the signal back to the car, the door is unlocked and the thief can steal the car. This is also an issue for other car manufacturers; it’s really any car that uses a technology called PKES or Passive Keyless Entry and Start. Besides disabling this feature, the easiest way to prevent this attack is to put your key fob in a faraday bag, which is designed to block all wireless signals, making an attack like this completely preventable. And if you want the finest faraday bags available, you’ll want to use one from Silent Pocket. In fact, Silent Pocket offers a key fob guard which is made specifically to prevent a relay attack. Order one today by visiting silentpocket.com and receive 15% off your order using discount code “sharedsecurity” during checkout. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Ever wonder how certain products that you were thinking about buying mysteriously show up as ads on your Facebook newsfeed? Is there some black magic going on here? Well, it’s not black magic and is actually one of the many ways that Facebook serves you more ads.
Last week Facebook announced that they are finally implementing new privacy controls around what they are calling “Off-Facebook Activity”. Off-Facebook activity is data that is collected from websites and apps about your online searches. This can only happen when websites and apps use the Facebook login feature or have enabled Facebook’s business tools. These sites and services send certain details about that activity to Facebook so that Facebook can in turn show you ads about those specific products. This is why you see ads show up in Facebook for items or products that you’ve been searching for on the Internet. Now, this is how off-Facebook activity works. Say you’re searching for a new backpack on a site that sells backpacks. That site can send information about your device, what was searched for, and other details so that Facebook can match up that device to your Facebook account. This in turn sends you an ad about that backpack or company. Facebook has always said that the companies utilizing this feature do not get your personal information like name or email address. All they know about you is a unique device identifier which allows Facebook to match your device to your account. Now, for the first time ever, Facebook is allowing more control over this data and is even allowing you to delete and disconnect this data from your Facebook account. Facebook will be slowly rolling this feature out to users over the coming months. These new privacy settings will give you the ability to see a summary of information other apps and websites have sent Facebook, disconnect this information from your account, and choose to disconnect future off-Facebook activity, either entirely or just for specific apps and websites. So if you disconnect all this data from Facebook does that mean you’ll no longer see ads? Not really, you’ll still see ads but they will be less personalized than before.
Keep in mind, this applies to Instagram too since Instagram is owned by Facebook and is tightly integrated into the Facebook Platform. So what do you think about this news? Is Facebook finally trying to focus on user privacy or is it too little, too late? This new privacy control is of course a response to the Cambridge Analytica scandal and the beating that Facebook has taken from privacy experts for months now. My take is that any control is only as good as the users that plan on using it, and unless Facebook makes this an “opt-out” setting where by default your off-Facebook activity is automatically disconnected, I don’t see many users going through their Facebook settings turning these connections off. We will, of course, be updating our free Facebook Privacy and Security Guide when these settings start rolling out. In the meantime, check out our show notes for the link to download the current version of our Facebook Privacy and Security Guide today. Last week Apple made a huge error with their latest 12.4 iOS update. The problem? Well, it appears that they accidentally unpatched a ser

Biometric Security Data Breach, Critical Windows Vulnerabilities, FBI Data Harvesting
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 82 for August 19th 2019: The BioStar2 biometric security data breach, wormable vulnerabilities in Microsoft Windows, and the FBI trying to harvest your social media data. Can you believe that this week we’re celebrating the 10 year anniversary of this podcast? For the last 10 years we’ve been talking about how your private information can be exposed through data breaches, vulnerabilities, exploits, and even through the wireless capabilities of our smartphones and laptops. It seems that in the last 10 years it’s only gotten worse. That’s why I recommend the use of a Silent Pocket faraday bag to protect my smartphone and laptop so I can have true peace of mind that my devices are protected when I’m not using them. Visit silentpocket.com to check out Silent Pocket’s amazing line of faraday bags and other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. On August 5th security researchers from vpnMentor disclosed a massive data breach in a biometrics security platform called BioStar2. vpnMentor has been doing a large web-mapping project across the internet which identified this unsecured database. BioStar2 is a web based biometric security smart lock platform, built by a company called Suprema, and is used to administer physical access controls to facilities. The core technology of the product uses facial recognition and fingerprints to identify users. Suprema recently partnered with a firm to integrate the software into over 5,700 organizations in 83 countries.
Most of these customers also happen to be in Europe. Shockingly, many European governments, banks and even the UK Metropolitan Police use this system for the security of their facilities. The data that was leaked in the breach, which totaled over 27.8 million records, included personal information of employees, unencrypted usernames and passwords, and to top it all off over 1 million fingerprint records and facial recognition data. We’re talking about the actual fingerprints and images of users which, as you know, can’t be changed like a password can. This alone is extremely concerning as this data combined with other personal information from the data leak is perfect for identity theft or other fraud. The good news is that after vpnMentor attempted several times to contact the company about the breach, they finally took the database offline. Check out our show notes for links to further information as well as a listing of the companies and countries affected by this data breach. Last week Microsoft announced four new critical vulnerabilities for Windows that are wormable, meaning they can be exploited by malware to install and propagate from one computer to another without any user interaction. The last time we had to deal with a wormable vulnerability like this was back in May of this year when Microsoft patched another serious vulnerability called ‘BlueKeep’ which at the time had a close resemblance to the WannaCry malware. WannaCry caused major issues for companies and individuals across the world back in 2017. The vulnerabilities in all of these cases reside in Remote Desktop Services (abbreviated as ‘RDP’) and more specifically have to do with vulnerabilities in the protocol itself. RDP is the service that allows a user to remotely connect to another Windows computer to view the desktop in real time, and these vulnerabilities can allow malware to do this without authentication, making them extremely dangerous.
Microsoft stated that quote “no evidence that these vulnerabilities were known to any third party” and that quote “It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.” Affected systems include all newer Microsoft operating systems starting with Windows 7 all the way to the current version of Windows 10 and related server versions. Like Microsoft said, you should update your version of Windows as soon as possible. To check to see if your version of Windows is updated, head to Settings -> Update & Security -> Windows Update and then look to see if KB4512501 from August 13th is installed. As a reminder you should always enable automatic updates for your Windows system so you always get the latest security patches as they are released. And now a word from our sponsor, Edgewise Networks.

BSides Las Vegas, iMessage Exploit, 5G and Stingray Surveillance
This is your Shared Security Weekly Blaze for August 12th 2019 with your host, Tom Eston. In this week’s episode: My summary of last week’s BSides Las Vegas security conference, how a single text message to your iPhone could get you hacked, and how Stingray surveillance devices can still be used on new 5G networks. Wireless technologies such as Wi-Fi, Bluetooth, and RFID are integrated into every part of our daily lives. In fact, because everything these days is wireless we can often take the security risks for granted. So if you’re looking to have the ultimate peace of mind, you should use a faraday bag to protect your devices. A faraday bag blocks all wireless signals, which makes any device that uses wireless technology completely undetectable. And using a faraday bag is so much faster than disabling the wireless on a laptop or smartphone. Just stick it in the bag! And if you want the best faraday bags on the market today, you’ll want to use one from Silent Pocket. Visit silentpocket.com and check out their great line of products and receive 15% off your order using discount code “sharedsecurity”. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. The annual BSides Las Vegas security conference took place last week, which also coincides with the Black Hat and infamous DEF CON hacking conferences. This is the week that all of us in the cybersecurity industry lovingly call “security summer camp”. BSides would be considered the smaller conference of the three and, in my opinion, provides a much more intimate experience to network with other cybersecurity and privacy professionals.
As part of this year’s BSides conference, I participated in the “Proving Ground” speaking track where I was a mentor helping a fantastic new speaker work on the talk that he gave at the conference. It was a very rewarding experience that I highly recommend other speakers volunteer for if they have the time to do so. I also attended several talks and met several speakers that had some very interesting research to share. While many of the talks at BSides were about all the latest topics on how anything is hackable, there were two talks in particular that were on topics that we don’t hear much about. These talks were “Satellite Vulnerabilities 101” by Elizabeth Wilson and “Human Honey Pots or How I learned to love the NFC implant” by Nick Koch. Satellites provide means for different forms of communication as well as GPS, military, and other critical systems. Elizabeth presented a really nice overview of the many different types of vulnerabilities that are present in satellites, including everything from timing of banking transactions, nation states using anti-satellite weapons, and even the threat of space junk. Here’s Elizabeth’s take on the threat of space junk and how this is a major problem. Elizabeth: The debris is growing and growing and the more you put up there the more potential damage you’re putting up as well. It’s like I said during my talk, the difference between a hundred .01 meter satellites and one single satellite that’s 1 meter is 30 times of an increase in risk. And when you consider that, the more you have these small hard to track things that sometimes don’t even have propulsion systems, yeah it’s going to create a lot of issues. This is one of the most pressing areas that we need. We really need some way to manage this debris. We need some sort of clean up system in a way.
And there have been some ideas people have had on that like sending capture satellites up there to capture the debris and things but we don’t have anything yet that’s currently really viable. What I also found fascinating from her talk was that organizations that support satellites, like NASA, are getting hacked all the time. For example, in 2007 Chinese hackers actually gained access to NASA’s satellite control systems and came very close to issuing commands to these satellites. Thankfully, that did not happen. The other takeaway from this talk was how satellites are a lot like “Internet of Things” devices where security was never built in because the threat model at the time didn’t conceive of the types of attacks that we see today. By the way, the typical satellite has a lifespan of about 50 years! Is it even feasible to think that satellites can be patched and updated? Here’s Elizabeth speaking to me about this problem and what the solutions might be. Elizabeth: That is one of the big challenges right now because a lot of these systems, unless you’re going to completely replace it, you just can’t update it in some cases. And maybe the solution is we

Capital One Data Breach, Equifax Settlement Payouts, Nextdoor App Scams
This is your Shared Security Weekly Blaze for August 5th 2019 with your host, Tom Eston. In this week’s episode: everything you need to know about the Capital One data breach, changes in the payouts from the Equifax settlement, and Nextdoor app scams. If you happen to be in the cybersecurity industry, this week is what we call “security summer camp” where thousands of cybersecurity professionals, enthusiasts, and even black hat hackers all meet in Las Vegas to attend BSides, Black Hat, and the infamous hacker conference, DEF CON. These conferences are probably the most dangerous place on the planet because your laptop or smartphone could easily be compromised since everyone is hacking everyone else, either intentionally or even unintentionally as part of quote unquote “research”. I know that I’ll be using a faraday bag for all my devices while I’m at the conferences this week. That way I know my devices are completely secure and off the grid. If you’re heading to Vegas this week make sure you protect your devices with Silent Pocket’s great product line of faraday bags. In fact, stop by the Silent Pocket booth at DEF CON this weekend and check out their products for yourself while you’re at the conference. Don’t forget you can also visit silentpocket.com and receive 15% off your order using discount code “sharedsecurity”. Stay safe this week and be sure to mind the grid! Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. The big news last week was the massive Capital One data breach affecting more than 100 million customers in the US and 6 million in Canada. This is actually the third largest data breach in history, with Equifax being number one followed by the Heartland Payment Systems data breach which took place in 2009.
The 30 gigabytes of personal information exposed in this breach included names, addresses, phone numbers, email addresses, dates of birth, and self-reported income, as well as 140,000 Social Security numbers and 80,000 bank account numbers. All of this data appears to be from credit card applications dating back to 2005. In the announcement posted by Capital One, the breach was discovered on July 19th and the person responsible, Paige Thompson, a former Amazon employee, was arrested by the FBI. Perhaps the most interesting aspect of the breach is how the perpetrator was caught. Paige had posted details about the data she had stolen on her GitHub page and boasted about it on her Twitter account. Someone had seen this information posted in the GitHub account and sent an email to Capital One’s security vulnerability disclosure address alerting them of the issue. So how did this data get compromised in the first place? Well, she was able to download this data from an Amazon S3 bucket through a misconfigured web application firewall (also known as a WAF). Now, this isn’t the typical Amazon S3 vulnerability we commonly hear about where the data was left wide open for anyone to access, and there is much debate in the security community about how the breach actually occurred. It’s largely suspected that one of the user roles that was assigned to the WAF may have been exposed through a Server Side Request Forgery (or SSRF), which is a vulnerability that affects public cloud environments like Amazon. What’s even more fascinating is how she tried to steal this data without getting caught. The official complaint filed by the FBI states that she attempted to cover her tracks by using a VPN as well as Tor (which is also used to hide your IP address) when she was downloading Capital One data from the Amazon S3 server.
However, that didn’t matter much when she discussed how she could steal data from Amazon S3 buckets on Twitter and in a Slack chat room, as well as storing the data in a public GitHub repository with her real name tied to it. It’s almost like she wanted to get caught! Quite a lesson in how criminals make mistakes and how those mistakes could put someone in prison for a very long time. In this case, the accused could face up to five years in prison and a $250,000 fine. Now, we don’t know if this data was accessed by anyone else, and Capital One has stated that they don’t think it has been either. But I think some positives here are that Capital One did have a way for people to report security vulnerabilities and that the incident response from Capital One seems to have been handled very quickly. It’s also the first data breach I’ve heard of where an arrest was made within days of the breach being detected. The negatives? Well, for starters be on the lookout for phishing emails capitalizing (no pun intended) on this data breach asking you to verify your

Medical Device Security with Special Guest John Nye
In episode 90 of our monthly show we discuss medical device security with John Nye, Senior Director of Cybersecurity Research and Communication at CynergisTek. Do you use an insulin pump, have a pacemaker or other medical device implant? Are you concerned about medical device security and what the future holds for technology like this? If so, this is one show not to miss! The Shared Security Podcast is proudly sponsored by Silent Pocket and Edgewise Networks. Here are show notes and topics we covered with John: Should we be concerned about medical device security? Are the attacks we hear about in the news theoretical or is there really cause for concern? Some recent medical device news stories that are concerning: doctors concerned about medical device security, and insulin pump hacking. How medical devices get hacked and what the real threat is. What hospitals and other health care organizations should do to help better secure medical devices. What the FDA and other government regulators are doing. What the cybersecurity industry can do to better secure medical devices. Thanks again to John for being a guest on our show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.

Equifax Settlement, Android Video File Exploit, Encryption Backdoors
This is your Shared Security Weekly Blaze for July 29th 2019 with your host, Tom Eston. In this week’s episode: Details on the Equifax breach settlement, why your Android phone could be exploited by simply watching a video file, and encryption backdoors being requested by governments worldwide. Can you believe that it’s almost August and that summer is almost over? I was just in Target the other day and noticed that the school supplies are already out! Once you see that, you know the Halloween supplies are also right around the corner. It’s totally crazy! I don’t know about you, but I want to plan at least a few more short trips with my friends and family, which is my own desperate way to hold on to the last few fleeting moments of summer. So don’t let protecting your digital privacy get in the way of your plans. You should be using a Silent Pocket faraday bag or phone case, which will block all wireless signals, keeping your devices secure and completely off the grid so you can be focused on your time away. As a listener of this podcast you get 15% off your order by using discount code “sharedsecurity” at checkout. See Silent Pocket’s full line of products at silentpocket.com today before summer gets away. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Everyone remember the Equifax breach that affected 147 million people? Do you think you may have been financially or otherwise impacted by this data breach? If so, you may be entitled to up to $20,000 for documented breach related expenses or 10 years of free credit monitoring services. You can also collect $125 if you already have a credit monitoring service (which, by the way, really doesn’t do much for you). 
This news broke last Monday when the FTC announced a proposed settlement that will cost Equifax $700 million, which will be the largest settlement related to a data breach in history. Equifax would be required to pay at least $300 million but up to $425 million and provide free credit monitoring for all victims of the data breach. In addition, Equifax will offer free resources for victims recovering from identity theft and six free credit reports for all US consumers starting in 2020. If you think you want to collect on this settlement, you’ll need to file a claim on the official claim site. Check out our show notes for a link to the FTC website which has all the details on where to file a claim. Note that fake sites are bound to pop up, so be sure you only use the site linked from the FTC. If you think you may have a case to file a claim you’ll want to move quickly, as you’ll only have 6 months to make your claim once the settlement is approved. So is this settlement too little, too late? Even with the FTC now requiring Equifax to overhaul their security procedures, does a fine like this even matter much? As I talked about on last week’s show regarding the 5 billion dollar fine about to be issued to Facebook for their handling of the Cambridge Analytica scandal, Facebook was able to make up most of this fine through the jump in their stock price. I think we will see the same with Equifax, but with the caveat that I’m sure security teams internally at Equifax will actually have money now to spend on security personnel and additional security controls including incident response. Are you going to at least make a claim for $125 of this settlement? I’d love to hear your thoughts on this topic for discussion on a future episode of the podcast. So visit our contact us page at sharedsecurity.net/contact and tell us what you think is needed to keep companies like Equifax more accountable for protecting our personal information. Do you happen to use an Android phone? 
Not only do you need to worry about malware, fake apps, and phishing attacks, but now there is a new exploit making the rounds that’s delivered by simply playing a video on your Android device. According to the Hacker News, there is a remote code execution vulnerability that affects over 1 billion devices running Android versions 7 through 9. That would be Android Nougat, Oreo, and Pie. The vulnerability itself resides in the Android media framework, which if exploited could allow an attacker full control of an Android device. The attack works by tricking the user into playing a malicious video file within the native Android video player application. That is, the video player that’s installed by default on most Android devices. The good news is that Google already released a patch earlier in July for this specific vulnerability, but the bad news is that with the way Android patching works this update may or may not be pushed to Android devices depending on your carrier and device manufacturer. This is one of the bi

FaceApp Privacy Panic, Facebook’s 5 Billion Dollar Fine, Amazon Brushing Scams
This is your Shared Security Weekly Blaze for July 22nd 2019 with your host, Tom Eston. In this week’s episode: The FaceApp privacy panic, Facebook’s 5 billion dollar fine from the FTC, and what you need to know about two new types of Amazon scams. Traveling internationally this summer? If so, make sure you protect one of the most valuable documents that you’re going to carry, and that’s your passport. Not only do you have to worry about losing your passport, but you also need to consider the privacy issues if your passport information is exposed. Passport information is often exposed through simple information disclosure, such as shoulder surfing, which can reveal your identity, nationality, and the other personal information printed on your passport. Not only that, you need to protect your passport from damage and physical theft. My recommendation is to check out Silent Pocket’s Passport Wallet, which provides a stylish way to protect your passport while you travel with the added benefit of RFID blocking. Pick one up today at silentpocket.com and use discount code “sharedsecurity” to receive 15% off of your order during checkout. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. The Federal Trade Commission has approved a 5 billion dollar settlement with Facebook over its investigation into their handling of the Cambridge Analytica privacy scandal, which exposed the private information of 87 million users. According to the Wall Street Journal, the settlement also allows the FTC to have more oversight and restrictions on Facebook’s privacy practices. While 5 billion dollars seems like a lot, it’s really just a drop in the bucket for a company like Facebook. In fact, when the news hit last week about the FTC settlement, Facebook’s stock shares went up 1.8%. 
So let’s run the numbers: Facebook made $15.1 billion just in Q1 of this year, and $5 billion is only about 9% of their total revenue for 2018, which came in at $55.83 billion. Again, this is not that big of a deal for Facebook when we’re talking about billions and billions in revenue. Now we do have to keep in mind this is the largest fine ever issued by the FTC. The last fine, which wasn’t even close to this magnitude, was the $22.5 million issued to Google in 2012 for their mishandling of privacy issues. A drop in the bucket compared to 5 billion, but have the privacy issues and controversy stopped with Google? No, they haven’t, as we talk about privacy missteps from both Google and Facebook on this podcast almost every week. So are “massive” fines the solution for companies that mishandle our privacy? It certainly doesn’t seem like it. What do you think is needed besides fines? Perhaps jail time for CEOs? One thing is for sure, something else needs to be done besides fines. Do you read the privacy policies and the terms of service of the apps that you use? If not, the recent drama over an app called FaceApp may make you want to start reading these policies before you start using an app. FaceApp is an app that will make a selfie look younger, older, or turn yourself into the opposite sex, all by using facial recognition and AI technology. The app went viral last week all over social media and has been downloaded over 95 million times across the world. So what’s the controversy? Well first, there were unfounded claims on social media that because the app is created by a Russian company, called Wireless Lab, there are somehow ties to the Russian government in some giant conspiracy to harvest all the pictures on the devices of millions of users. The truth is that FaceApp only uploads the pictures you want to manipulate, and those photos are actually sent to an Amazon AWS server which happens to be based in the US. 
But the bigger problem is what is said, and in some cases not said, in the FaceApp privacy policy and terms of service. First, you give FaceApp all rights to use the photos you upload for anything they want, including using your photos for commercial purposes. Going further, your name, likeness, and other data like your voice can also be used for commercial purposes, forever. Now, this type of policy is not that much different from that of Facebook or other social apps, but the recent drama over this particular app should be a good reminder for all of us to read these policies to make sure you know what data is collected about you and how it may be used. While I think the controversy over FaceApp is a little overblown, think about all the similar or other “fun” apps like these that you may be using and think twice before allowing your data to be used for something you don’t approve of. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remain

Zoom Zero-Day, GDPR Fines, Google Assistant Recordings
This is your Shared Security Weekly Blaze for July 15th 2019 with your host, Tom Eston. In this week’s episode: Zoom video conferencing zero-day, massive fines being issued for violating GDPR, and who might be listening when you talk to your Google Assistant. Looking to protect your laptop, smartphone, and key fobs this summer? Well this week I’m excited to announce that you could win one of two Silent Pocket vacation prize packages, which includes a passport wallet, medium faraday sleeve, and 5 liter drybag! Check out our post on Twitter @sharedsec or on Instagram @sharedsecurity for contest rules and how to enter. And don’t forget, listeners of this podcast receive 15% off at checkout using discount code “sharedsecurity”. Visit silentpocket.com to see the latest Silent Pocket products built to protect your digital privacy. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Do you or your organization use Zoom for video conferencing? If so, and you happen to be using it on a Mac, you’ll want to pay close attention to this story. The problem? Well, a security researcher last Monday disclosed that a vulnerable web server is automatically installed on Apple Mac computers during the installation of the Zoom client. What this means is that any website could be used to forcibly join a user to a Zoom call, with their video camera activated, and without the user’s permission. On top of that, the researcher also discovered that the vulnerability would allow any webpage to conduct a Denial of Service attack on a victim’s Mac by constantly joining the user to an invalid call. And if that wasn’t enough, when you uninstall the Zoom client the web server remains installed and active. 
The researcher disclosed the vulnerability to Zoom back in March, but after many meetings (and fixes that didn’t work) the researcher decided to disclose the vulnerability to the public. The next day Zoom issued a patch to remove the web server and to allow users to uninstall the Zoom client, which will now fully remove the web server. Zoom’s CEO posted a blog post apologizing to customers and noting that they will be improving their bug bounty program, as well as issuing another update that took place over the weekend of July 13th to further lock down the “video on” by default setting. Also, Apple made a surprising move on Wednesday by issuing a silent update to all Macs automatically uninstalling the Zoom web server. Many people don’t realize that Apple has the power to issue patches and updates to Macs connected to the Internet at any time, and while this seems creepy, it’s actually a good thing when Apple can take immediate and swift action to patch a critical vulnerability without user interaction. Check out our social media feeds for the latest updates on this developing story. The General Data Protection Regulation, also known as GDPR, is now starting to penalize organizations which are found to have violated these now enforced consumer privacy protections in the European Union. Last week the Information Commissioner’s Office in the UK issued British Airways a staggering fine of 183.4 million pounds (which is about $230 million) because of the data breach affecting 500,000 customers last year. This $230 million fine is roughly 1.5% of British Airways revenue and is the largest fine issued to date for violating GDPR regulations. And that’s not all: the global hotel giant Marriott was also issued a fine of $125 million for their data breach which impacted 339 million customers across the world. 
Of course both companies can contest the fines to make their case, but this is the first time we’ve seen a large financial impact due to a GDPR violation. But does issuing fines for violating regulations actually help prevent data breaches? If we use PCI DSS compliance fines as an example, not much will probably change. PCI DSS (which stands for the Payment Card Industry Data Security Standard) is what US merchants who process and store credit card data need to comply with. Fines from the card brands can vary between $5,000 and $100,000 per month depending on lots of things, like the size of your business and the type of non-compliance you happen to be in violation of. And in some extreme cases, violations can prevent a company from taking credit card payments. Now PCI has been around for a long time, and have we seen the number of data breaches related to credit cards go down? Not really. In fact, as I talk about on this podcast all the time, data breaches seem to be increasing. So is that the game that’s being played? The more data breaches that happen, the more money the regulators make? Look, I’m sure fin

Amazon Alexa Recordings, Facebook Malware Campaign, Top 3 Tips to Stay Private on Vacation
This is your Shared Security Weekly Blaze for July 8th 2019 with your host, Tom Eston. In this week’s episode: Amazon confirms that Alexa recordings are kept forever, details about one of the largest Facebook malware campaigns, and my top three tips for staying private on vacation. Summer is upon us, and that means it’s time for some much needed vacation time with friends and family. Summer also means that you need to be aware of data privacy and how to protect your laptops, smartphones and key fobs while traveling. Airports, concert venues, festivals, beaches, and other public areas can often be targeted by attackers looking to gain access to your devices through their wireless signals. Instead of worrying about disabling or turning off wireless functions on these devices, it’s so much easier to place them in a Faraday bag when they’re not being used. And if you want the best protection you can get, you want to be using Silent Pocket’s premium faraday bag product line that blocks all wireless signals, keeping your devices secure from attackers. This summer, get your devices the protection they require before you head out on your vacation. Use discount code “sharedsecurity” and receive 15% off your order during checkout right now at silentpocket.com. In this week’s surprising but not so surprising news, Amazon has confirmed that Alexa voice recordings are kept by Amazon forever unless you manually delete each one. Apparently this revelation was noted in a letter from Amazon to US Senator Chris Coons, who had asked Amazon about their data handling and privacy practices around Alexa recordings. Amazon stated that they keep transcripts and voice recordings indefinitely, and only remove them if they’re manually deleted by users. The letter went on to say that even if people manually delete their recordings, some records and conversations may still remain on Amazon storage systems. 
Amazon is apparently conducting an ongoing effort to ensure deleted recordings are removed from various internal systems. Amazon and other tech companies have been under increasing pressure to take the privacy of user data more seriously due to the EU’s enforcement of GDPR and the fact that all of this new technology seems to always increase the demand for more and more of our private data. So will this latest revelation make you think twice before talking to Alexa? I think manually deleting each individual recording is a very poor solution, and hopefully they take the approach of changing the retention policy on this data or allowing users to delete everything with one single action. But until that day comes (if it ever does) Amazon is going to hold our data indefinitely. Malware distribution has always been a problem on Facebook, and this goes way back to the beginnings of the social network. In this most recent example, a malware campaign called “Operation Tripoli” was found that targeted tens of thousands of users in Libya but also had the side effect of impacting users in North America. The most interesting aspect of this particular campaign was that it was started by someone creating a Facebook page impersonating Khalifa Haftar, who is the commander of the Libyan National Army. This Facebook page had over 11,000 followers and had links to various types of propaganda that, when clicked on, led to the download of various remote access trojans and other spyware. According to researchers from Check Point Software who discovered this campaign, this looks to be the largest campaign they have seen. In fact, this particular campaign may have started all the way back in 2014, and the individual behind this page was found to have 30 other Facebook pages using the same techniques. One of these other pages had close to 140,000 followers. 
While this particular malware campaign was specifically targeting Libyan citizens, you can bet that other pages targeting you and your country most certainly exist. This is a great reminder for us all that impersonating other people on Facebook is almost too easy and we should be constantly aware of Facebook pages that may look legitimate but are really set up to impersonate a person or organization. Back in 2009 I jokingly talked about how easy it was to impersonate celebrities like Rick Astley on Facebook and Twitter by exploiting people’s trust and getting them to click on malicious links. This was demonstrated in some of the talks I gave at hacker conferences and was the start of my research on the privacy and security of social networks, and ironically the start of this podcast. By the way, at the end of August we’re celebrating the 10 year anniversary of this show! As part of that celebration we’ve recently released an updated version of our popular Facebook Privacy & Security Guide which walks you through the most appropriate privacy settings so that you can still be social. You can get your copy for free by visiting

US Cyber-Attack on Iran, Poor Government Cybersecurity, Malvertising Campaigns
This is your Shared Security Weekly Blaze for July 1st 2019 with your host, Tom Eston. In this week’s episode: The US cyber-attack on Iran, the sad state of cybersecurity in the US government, and what you need to know about malvertising campaigns. Don’t you hate air travel? I know I do! Rude people, crowds, the TSA searching you and your bags because of a toothbrush that for some reason looks like a weapon, and on top of that your flight has a very high chance of being delayed or cancelled! This is the unfortunate reality the minute you get to the airport. While you’re dealing with the stress related to all that, the last thing you need to worry about is your digital privacy while you’re at the airport. That’s why I recommend Silent Pocket’s product line of Faraday bags and wallets, which block all wireless signals, keeping your devices secure and completely off the grid. As a listener of this podcast you get 15% off your order by using discount code “sharedsecurity” at checkout. Visit SilentPocket.com to check out their great line of products to make your air travel experience a little less stressful. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Last week the United States launched a cyberattack directed towards Iran which disabled Iranian computer systems that controlled its rocket and missile launchers. This was a response to an escalation by Iran when they shot down an unarmed US drone apparently conducting surveillance in international airspace. Iran denies those claims and states the drone was violating their airspace. The attack was carried out by the US Cyber Command acting upon orders from US President Donald Trump. 
This was actually the second option to strike back at Iran, as the first one was to launch a missile strike against Iranian radar bases, which would have resulted in human casualties. According to cybersecurity firms FireEye and Crowdstrike, there has been a recent rise in Iranian attacks on US companies and government agencies as well as critical infrastructure such as the power grid, which also prompted the US government response. This is not the first cyberattack on Iran either. You may remember that back in the late 2000s the US and Israel are believed to have targeted the Iranian nuclear program with the Stuxnet virus, which essentially disabled most of their nuclear program at the time. I find this retaliation interesting, as it seems that in more cases traditional warfare, like missile strikes, may start to be a thing of the past when cyberattacks may actually do more damage to critical infrastructure and send a more impactful message than just destroying buildings and killing a bunch of people. Of course, cyberattacks could potentially be used to kill people too. Especially ones that may be targeted towards hospitals or nuclear facilities, which could malfunction due to a cyberattack. On the flip side, you may remember back in May Israel bombed a Palestinian Hamas military intelligence headquarters in retaliation for an attempted cyber-attack directed towards Israeli targets. This was the first time a nation state conducted a military strike in response to a cyber-attack. I guess it could go both ways, and with the increase in cyber-attacks and capabilities that all nation states now have, it will be interesting to see how the future “cyber-war” may begin to play out. In other US government news, a new report published by the US Senate last week showed that eight government agencies have failed to follow basic cybersecurity protocols and have exposed US citizens’ private data for over a decade. 
The investigation itself took about ten months and reviewed the past ten years of compliance reports regarding federal information security standards that these agencies were supposed to follow. One of the eight agencies even included, guess who, the Department of Homeland Security. The biggest issue found was at the Department of Education, where it was discovered that anyone could access and maintain a connection to the network for up to 90 seconds, which is enough time to launch attacks against servers and systems. In addition to that, five of the eight agencies had not maintained current and complete IT asset inventories. This is a huge problem, because if an agency doesn’t know what systems they have on their network, how can they patch, update and protect them? Because of poor asset inventory, six out of eight agencies were unable to deploy security patches or other critical updates. So why is basic network security and asset management so difficult for the government? Well for starters, there is a lot of politics and bureaucracy that takes place in these agencies. First, the people in charge, like the CIOs, don’t have auth

The Home Security Episode – Locks, Doors, Cameras, and More!
In episode 89 of our monthly show Scott and Tom discuss everything you need to know about home security with physical security expert, Patrick McNeil. We delve deep into the world of locks, lock bumping, doors, windows, surveillance cameras, alarms, and much more. If you’ve always wanted to know how best to protect your home or residence, this is one episode not to miss! Check out the YouTube edition of this episode for Patrick’s presentation on lock bumping and the contest we had during the live stream of this episode. The Shared Security Podcast is proudly sponsored by Silent Pocket and Edgewise Networks. Subscribe to our getVokl channel and get notified when we’ll be live so you can chat and participate in our next show! Here are the home security topics we covered:
- What you need to know about locks, the quality of the lock you buy at “big box” hardware stores vs. what you get from a locksmith
- What is lock bumping and how is it performed?
- Windows and doors: how easy is it for a criminal to break in?
- What is the proper installation of a dead latch?
- Why you should hire a professional locksmith vs. trying to increase the security of your locks on your own
- Crime prevention through environmental design (CPTED)
- What should you look for in a surveillance camera and where should they be placed?
- Why dogs (even small ones) are a great deterrent
- Are alarms worth it and what about placing “fake” alarm company signs?
- Vulnerabilities in certain popular alarm systems
- What is the number one thing that’s most overlooked with home and neighborhood security?
- The two talks that Patrick gave on “The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike” at CackalackyCon and Layer8.
Thanks again to Patrick for being a guest on our show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. 
First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel. The post The Home Security Episode – Locks, Doors, Cameras, and More! appeared first on Shared Security Podcast.

Facebook’s New Cryptocurrency, Firefox Zero Day, Smart TV Malware
This is your Shared Security Weekly Blaze for June 24th 2019 with your host, Tom Eston. In this week’s episode: Facebook announces a new cryptocurrency called Libra, two new zero-day vulnerabilities affecting Firefox, and should you be scanning your smart TV for malware? Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets, which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Facebook was in the news this past week with the announcement of its own cryptocurrency called “Libra”. This new cryptocurrency will be available starting in the first half of 2020 and is being promoted as a way to buy things and send money with nearly zero fees. Users of Libra will be able to buy or cash out the cryptocurrency at exchange points, like at your grocery store, and use it through a wallet application like Facebook’s new Calibra cryptocurrency wallet, which will be available in WhatsApp, Messenger and in a standalone app. What’s also interesting is that Facebook won’t totally control Libra but will share governance and oversight with other large companies like Visa and Uber. You see, these companies all gave at least $10 million to finance the new Libra Association, which is responsible for promoting the Libra blockchain and working with developers that want to build functionality to support Libra payments. This association will also act as a financial reserve to prevent situations like the wild fluctuation we see in the current value of bitcoin. 
Calibra, which handles the wallet application, will also take care of user privacy and is said to never use or access your Facebook data with Libra payments, and your identity will never be tied to payments or transactions. As you know, privacy is not the first thing that comes to mind when we think of Facebook. And Facebook does make money by selling ads, so this seems (from what we know so far) to be quite the departure for Facebook. So how will Facebook make money off this new form of cryptocurrency? Well from what we know so far, Facebook is seeing this as more of an investment, in that businesses will want to sell more ads because more people will be using Calibra to buy and sell things using Facebook. I’m wondering if people will really start to use Libra to pay for things, becoming something like a new “PayPal”. As we’ve discussed on the show before, there are lots of security issues around cryptocurrency and the blockchain. Crypto exchanges are always being hacked, and the applications that are being developed, such as ones that power smart contracts and other apps that use the blockchain, have very unique vulnerabilities which are challenging to remediate. So with the money and influence of Facebook, do you think this is what will make cryptocurrency a mainstream and popular form of payment? If, of course, it makes it past world financial regulators. Or is it just another way for Facebook to eventually make more money by selling even more ads? Using Firefox as your preferred web browser? Well Firefox released two critical updates last week to fix a “zero-day” security vulnerability that has been used in targeted attacks against (guess what) cryptocurrency exchanges like Coinbase. The exploit apparently chained together another similar vulnerability, which was used in a phishing attack to drop and execute malicious payloads on victims’ machines. 
This vulnerability, called a sandbox escape, was originally reported by Coinbase’s security team and would allow attackers to escape from the browser’s protective sandbox. But then later in the week it was discovered that chaining this vulnerability with the previous one would allow remote code execution. Even if you don’t happen to use Coinbase, attackers may leverage this vulnerability with other sites, so you should update Firefox to version 67.0.4 as soon as possible. As a reminder, to update Firefox, go to the Firefox menu, go to Help, then About Firefox. Firefox will then check for an update and install it. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Ed

US Customs and Border Protection Data Breach, Sign in with Apple, Leaked Facebook Emails
This is your Shared Security Weekly Blaze for June 17th 2019 with your host, Tom Eston. In this week’s episode: the US Customs and Border Protection data breach, the new Sign in with Apple button, and more leaked Facebook emails. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Apple made a few big privacy announcements at its Worldwide Developers Conference the other week, including: updates to how Apple’s HomeKit securely transmits and stores video from home security systems, new permission settings in iOS 13 to further limit location sharing, health data used by Apple Watch now being encrypted and stored on your watch or within iCloud, and the ability to lock your Mac remotely through Apple’s activation lock feature if your Mac happens to be lost or stolen. But the biggest privacy announcement was “Sign in with Apple”, a new feature that looks to roll out later in the year with iOS 13. Sign in with Apple is a button that is very similar to Facebook’s or Google’s “one-click” sign-on buttons you might see on many apps and websites. These buttons leverage your Facebook or Google account to sign you in without creating a separate login ID. The problem with this is that sometimes your personal information, which Facebook and Google collect about you, gets shared with these sites and can be used to track you.
Apple’s one-click sign-on solution authenticates using Face ID without sending any personal information to a third-party company. On top of that, Apple’s solution will auto-generate a random “relay” email address that hides your real email address. I like this a lot, as email addresses are commonly used as a user name and are one of the ways you happen to be linked back to a data breach. In addition, Apple says you’ll be able to disable these randomly generated email addresses if you don’t want to use an app anymore. Now the biggest challenge for Apple will be whether developers will start using this new feature when developing their applications. Many have already been using Facebook and Google for one-click sign-on buttons, so Apple may have to find ways to convince developers that there is a more secure and private approach to help protect their users’ personal information. Remember just recently on episode 88 of our monthly show I talked about how US Customs and Border Protection (or CBP) was now using facial recognition at several US airports in order to board flights? Well, it seems that a CBP database, storing images of travelers and license plates, was hacked and compromised. Apparently it was a subcontractor who had the data that had gotten compromised. It’s not known who the subcontractor is, nor did CBP provide any other details except that the agency became aware that on May 31st the subcontractor had transferred the photos to its network. CBP also stated that this was a violation of their policies, that several members of Congress have been alerted, and that law enforcement is investigating the incident. However, the Washington Post now reports that fewer than 100,000 people were impacted and that initial reports show that the hacked data included photographs of people in vehicles entering and exiting the US over a “single land border crossing” which the CBP did not name. Hmmm, I wonder if that’s Canada or Mexico. What do you think?
This breach comes at a controversial time for the CBP, as there have been many privacy concerns regarding the use of facial recognition at US airports and now the collection of social media names from foreigners visiting from other countries or applying for a visa. Now that we know that the data they have been collecting wasn’t properly protected, subcontractor or not, do you think this will halt CBP’s expansion of the collection and use of more of our private data? As past government responses to previous privacy concerns and data breaches show, probably not.

Quest Diagnostics Data Breach, Google’s Network Outage, US Visa Applicants and Social Media Names
This is your Shared Security Weekly Blaze for June 10th 2019 with your host, Tom Eston. In this week’s episode: the Quest Diagnostics and LabCorp data breach, what happens to your smart devices when the Internet goes down, and US visa applicants now required to share their social media names. Everyone ready for news about yet another massive data breach? Well, last Monday Quest Diagnostics (which is the world’s largest blood testing company) disclosed that a data breach affecting 11.9 million customers was due to a website breach of a third-party collections vendor called American Medical Collection Agency (or AMCA). This breach in particular was a little different because Quest uses a contractor (Optum360) which in turn uses another contractor, AMCA, for medical billing and collections. According to the SEC filing, the AMCA payment system was compromised on August 1st 2018 and was vulnerable until March 30th of this year. Information compromised included names, birth dates, addresses, phone numbers, dates of service, medical providers, and balance information. To make matters worse, LabCorp (who also used AMCA) disclosed later in the week that 7.7 million of their patients were also affected by this breach. LabCorp also indicated that about 200,000 people had their credit card and bank account information compromised as well.
The only good news out of all this is that medical data and laboratory test results were not compromised. What this latest breach shows us is that companies like Quest Diagnostics routinely outsource functions like billing and collections to third-party companies. In this case it was a contractor of a contractor, but in many similar breaches we never know how far or how deep the rabbit hole may go with all these third-party relationships. Third-party security is very challenging for organizations, especially when there are multiple parties involved in processing and storing customer data. One thing is clear: I think we’ve all had enough of free credit monitoring for 24 months and the “we take the security and privacy of your data seriously” type responses we always hear after every data breach. Personally, I’d like to hear more statements like: we are doing the following things to make sure a breach like this doesn’t happen again. Perhaps it’s just a pipe dream, but for now I guess we continue to let the data breaches flow. Last week Google had a major outage that affected YouTube, Gmail, G Suite, and several other services like Nest, which by the way is now a Google-owned company. While network outages are not that uncommon, in this case the outage caused Nest products to not function, which left many customers without any way to control thermostats, security cameras, and other Nest products like their smart door locks. Now most of these devices have manual overrides in the case of an Internet outage, that is, until they lose power or battery; then you may be in trouble. It just depends on your device. For example, the Nest smart lock in particular has a way to use the key pad even if the battery is dead. This outage made me think that incidents like this may be a significant disadvantage of cloud-controlled products like Nest.
We often only think of the convenience of products like these, but when the Internet or cloud infrastructure goes down, well, they all go back to the “dumb” devices that they were. And why would we ever go back to using an old-fashioned thermostat or door lock? This is crazy talk! Potential privacy and security concerns with Internet of Things devices aside, think for a minute about all the smart devices in your home and what you would do if you lost Internet or there was a large network outage or even loss of power to your home. If you have smart devices being used for security, what will your plan be so that you can continue to use these devices?

Ransomware Rampage, Mobile Phishing Attacks, iPhone App Ad Trackers
This is your Shared Security Weekly Blaze for June 3rd 2019 with your host, Tom Eston. In this week’s episode: US cities are being rampaged by ransomware, mobile phishing attacks are on the rise, and do you know what your iPhone is doing while you sleep? I was intrigued by an opinion piece posted to Dark Reading about the recent rise in ransomware attacks targeting cities and local governments. From Atlanta, to Cleveland’s airport, and now the city of Baltimore, ransomware is grinding communication and critical processes to a halt in many cities across the country. Local governments are expected to provide certain critical services for citizens, such as obtaining permits and closing home sales, so without computer systems working it’s like going back to the ice age with paper and a manual process. My hometown of Cleveland, Ohio had a ransomware attack hit the airport, but thankfully it only affected the flight and baggage information screens and not the security of flights or the airport itself. This latest string of ransomware attacks appears to be attributed to the previously leaked “EternalBlue” exploit back from 2017 which was created by the NSA. Anyone else find it ironic that our own cities are being attacked with the same tools and exploits designed to attack other nation states?
One thing is clear: cyber criminals see a massive target in cities and local government because they know (as well as many of us) that IT budgets are tight and more often than not systems are not being patched or maintained. The other ethical dilemma this brings up is whether cities should pay the ransom. While we always say to never give in and pay a ransom, the recent ransomware incident in Atlanta cost the city an estimated $17 million in recovery costs when the ransom was only $50,000. Now just paying the ransom may not work out either, as there have been cases of criminals asking for more money or just not giving up the keys to unlock the data regardless of being paid. It’s a tough situation for sure and will continue to be hotly debated as attacks on cities increase. From a prevention perspective, perhaps with limited IT and security budgets money may be best spent by focusing on security awareness training. Many of these ransomware attacks start through a phishing email or by clicking on a malicious link to a compromised website, which then allows the malware to propagate through the network. If the first line of defense, the users, know how to identify a malicious email or link, that alone may prevent the entire ransomware attack from happening. I started a Twitter post, which I’ve linked in the show notes, about this very topic, so I’d love to hear your thoughts and ideas on how we can help the cities that we live in defend themselves from a ransomware attack. Speaking of social engineering, PhishLabs released a report on mobile phishing attacks, which have not gotten the attention in the past that email-based attacks have. With the rise in mobile phone usage there has been quite the increase in phishing attacks using SMS text messages and leveraging specially designed phishing kits which mimic the login screens of legitimate apps.
According to the report, the financial industry appears to be the main target, and attacks are looking to replicate your bank’s mobile login screen so that you’re tricked into entering credentials and even two-factor authentication codes. SMS phishing in particular is getting more complicated to prevent. For example, phone numbers can be easily spoofed, and filtering of SMS or text-based spam is pretty much non-existent. In addition, mobile phishing attacks take advantage of small screen sizes and use techniques like URL padding, which can hide the full URL, making the site seem legitimate. Also in the report, PhishLabs noted that Android is currently the number one target for mobile malware and that banking trojans are the most popular malware being used today. Ironically, the BankBot Anubis malware uses a Twitter account for command and control to avoid detection. This is something that researchers Kevin Johnson and Robin Wood and I, who developed a proof of concept of this, first talked about in a DEF CON and subsequent ShmooCon talk way back in 2009. Crazy that this concept that I was a part of is actually