Shared Security Podcast

559 episodes — Page 9 of 12

Equifax Downgraded, Huawei Ban, Google is Tracking Your Purchases

This is your Shared Security Weekly Blaze for May 27th 2019 with your host, Tom Eston. In this week’s episode: Investment firm Moody’s downgrades Equifax, Huawei’s US technology ban, and how Google is tracking all your purchases.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Equifax was back in the news late last week with the announcement that Moody’s has cut its rating outlook for Equifax, from stable to negative, because of their massive data breach of 146 million users which took place in 2017. This is the first time that a company has had its investment rating downgraded because of a data breach. Moody’s noted that the downgrade was due to the large expense that Equifax has had to pay, such as $786.8 million in general costs, $82.8 million in data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges. If you’re not familiar with the details about the Equifax breach we’ll have a link in our show notes to one of our previous episodes on the topic, but for a short recap, Equifax was breached due to a well-known vulnerability in Apache Struts that remained unpatched on an Equifax server. The breach could have been preventable since the patch for the vulnerability was released two months prior to the breach. Unless you work for Equifax, this is actually really good news and honestly I’m not feeling that sorry for Equifax. I’ve always said that until companies are held financially accountable for poor security, we will continue to see more breaches and unfortunately, more massive ones like Equifax.

A few weeks ago the Trump administration banned US companies from doing business with the Chinese telecom giant, Huawei. This ban resulted in Google and many other tech firms halting business with them. While there has been no evidence produced or further details provided by the US government regarding the Huawei ban, Huawei in the past has been accused of intellectual property violations and theft of trade secrets not that long ago, not to mention some potential ties to the Chinese communist party. Now last week chip designer ARM has officially suspended all business with Huawei. This is a huge blow and will prevent Huawei from creating their own chips. What’s interesting is that ARM is based in the UK and owned by a Japanese company. However, ARM develops some processors in the US which they feel put them in hot water with the US government if ARM was to continue selling to Huawei. Look, from a cybersecurity perspective, my take is this has something to do with the potential and perhaps past evidence of Chinese spying on the US. The biggest issue is that Huawei is one of the main suppliers for the technology that cell towers use to communicate with our devices. Now with the talk of 5G networks and upgrades to support this new technology there may be the threat of Chinese surveillance or backdoors in the backbone of mobile communication in the US. Is there evidence to support this? Who knows at this point. The US government isn’t saying, but one thing is for sure, this won’t be the end of this story and neither will the impact of Huawei’s technology in the US.

And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility.

It should be no surprise that if you have a Google Gmail account you already know that while you’re signed into a Google account and browse the web, your search history is harvested for Google to serve you ads in your Gmail account. By the way, it’s a common misconception that Google scans your email to serve you ads through your Gmail account. Something that may be surprising though was the revela

May 27, 2019 (8 min)

Remotely Killing Car Engines, Password Expiration Policies, Facial Recognition at Airports, InfoSec vs. Cybersecurity

In episode 88 of our monthly show we streamed live on GetVokl! Subscribe to our channel and get notified when we’ll be live so you can chat and participate in our next show! Here are the topics we covered and links to articles we discussed:

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking: A hacker by the name of L&M broke into GPS systems from iTrack and ProTrack, which are apps used to manage and monitor fleets of trucks and vehicles. About 27,000 accounts. He could track and shut down the engines of any vehicle either parked or driving under 12 miles per hour. He found a flaw in their Android app which set the default password to 123456 for all new user accounts and brute forced the user names. He also wrote a script to log in to the accounts.

Microsoft says password expiration policies are stupid and will be removing them from their security baselines.

Skip the Surveillance By Opting Out of Face Recognition At Airports.

Debate: Is it InfoSec or Cybersecurity? What do you think? Does the term “cybersecurity” best describe this industry? Send us a message on Instagram, Twitter, Facebook or by email (feedback[aT]sharedsecurity.net) to let us know!

Check out Scott’s new company: ClickArmor. More news about Scott’s new venture coming soon on the show!

The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post Remotely Killing Car Engines, Password Expiration Policies, Facial Recognition at Airports, InfoSec vs. Cybersecurity appeared first on Shared Security Podcast.

May 24, 2019 (31 min)

Critical WhatsApp Vulnerability, Facial Recognition Ban, Wormable Flaw in Windows

This is your Shared Security Weekly Blaze for May 20th 2019 with your host, Tom Eston. In this week’s episode: A serious spyware vulnerability in WhatsApp, San Francisco bans facial recognition, and a wormable vulnerability in older Microsoft systems.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Facebook has revealed a major vulnerability in its popular WhatsApp messaging app which is used by 1.5 billion users. This vulnerability allows malicious spyware to be installed by initiating a call over WhatsApp’s voice calling feature. The vulnerability is so serious that the spyware would be installed even if the call wasn’t picked up. WhatsApp said that only a select number of users were victims and that the vulnerability affects all but the latest version available for Apple iOS and Android. Now it should be no surprise that this spyware was also linked back to the infamous Israeli NSO Group, which is known for selling highly advanced spyware to governments and nation states. We’ve mentioned the NSO Group many times on the podcast before when we talked about their Pegasus spyware, which can read messages, turn on the microphone and camera and completely take over the device. Of course, reports say that the NSO Group has denied any involvement in the WhatsApp vulnerability. WhatsApp has fixed the vulnerability and if you happen to use WhatsApp you need to update to the latest version immediately. What’s really disturbing about a vulnerability like this is that you as the victim can’t really do anything to protect yourself, except not have the app installed. We’re seeing more of these types of vulnerabilities and many of them are taking advantage of zero-day vulnerabilities where only the exploit developer has the exploit, and the device manufacturer like Apple is unaware. This is not going to be the last time we see something as dangerous as this, so our best advice is to keep your device and apps always updated. That’s about all you can do to protect yourself, or just not use a mobile phone.

The other controversy around the WhatsApp vulnerability I want to talk about was a related story that came out in a Bloomberg article which said that end-to-end encryption is nothing but a marketing gimmick. The article went so far as to say quote “End-to-end encryption is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.” end quote. First of all, this is wrong and extremely misleading. But don’t take my word for it; the cybersecurity community reaction on social media was swift to dismiss the FUD being thrown in this article. Look, zero-days and app vulnerabilities aside, end-to-end encryption is not a gimmick. It’s a real and very important technology to protect your information. End-to-end encryption has nothing to do with this particular vulnerability, as the exploit completely compromises the device, not the transit of messages themselves, which is what end-to-end encryption protects. Oy vey. Check out our show notes to read this terrible article for yourself. And let’s hope news organizations like Bloomberg will learn that click-bait articles like this one are dangerous and don’t help anyone stay more secure.

In breaking news last week, San Francisco became the first city in the US to ban the use of facial recognition by police and several other local government agencies. Facial recognition has been used by police and other law enforcement for over a decade now, but more recently this technology has come under great scrutiny because of privacy concerns as well as the risk of government abuse. Not only that, but there is concern about facial recognition technology not having a 100% success rate, meaning there is a risk of people being falsely identified if law enforcement was using this technology in, say, an investigation. As I’ve mentioned on previous episodes of this podcast, US Customs and Border Protection have been using facial recognition at airports and ports of entry for the last several weeks now. There is some good news, in that there seem to be ways to opt out of facial recognition if you don’t want your face scanned, but reports say that if you’re not a US citizen you can’t opt out. Now not being able to opt out is one thing, but what’s really fascinating

May 20, 2019 (10 min)

Israel Cyber-Attack Bombing, New Google Privacy Settings, Traditional Mail Blackmail Scam

This is your Shared Security Weekly Blaze for May 13th 2019 with your host, Tom Eston. In this week’s episode: Israel bombs a building in retaliation for a cyber-attack, Google adds more privacy settings, and a new blackmail scam that uses traditional mail.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

In breaking news last week it was reported that the Israel Defense Forces, also known as the IDF, launched an airstrike on the Palestinian Hamas military intelligence headquarters, which apparently was the source of an attempted cyber-attack directed towards Israeli targets. The IDF on Twitter said quote “We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed” end quote. No further information or statement from the IDF has since been released. All I can say is, that escalated quickly, and that this is the first time that I’ve heard of an actual real-time military strike in response to a cyber-attack. Now the US has done similar attacks in the past, using drones to target an ISIS hacker in 2015 and a British citizen who leaked information about US personnel online. However, those two attacks seemed to be planned out well in advance and were not an immediate response like the one just done by Israel. Now whether you agree with this response or not, it does set an interesting precedent that cyber-attacks could result in a military response, especially between two nation states. I don’t know if we’ll see anything like this happen between two major superpowers like the US and Russia, even though there is apparently a lot of evidence that Russia has conducted cyber-attacks on the US. This is, of course, according to the US intelligence community. Now just remember folks, attribution is hard.

In a surprise move last week, Google announced that it will be rolling out a feature that will allow users to delete some activity data like location history as well as web and app activity. Google users can also choose if they want this activity data saved for either 3 or 18 months, after which any old data will automatically be removed on a continual basis. Not going away is the current ability to manually delete your location history and app activity data. Now we all know that Google uses your data to recommend you various things like ads and other things based on your search queries and all the data you happen to give all the different Google products that you use. Given the recent privacy uprising over Facebook and even Google’s own grilling by Congress over their policy on user location tracking and data practices back in March, it should be no surprise that Google is now backtracking and finally allowing users more control over their data. I know it’s hard to remove yourself from Google services, especially ones like Gmail and Google search, which are in fact probably the best email and search engines out there. Sure, there are alternatives that we’ve talked about on the podcast, but with the increasing concern over how large tech giants like Google are using our data, while not giving us a lot of control over it, are you ready to kick Google to the curb? Or do you think Google is starting to change because of the new pressures governments and all of us users are putting on them?

And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility.

This past week I was made aware of a local news story about letters that were being sent to residents of a neighboring community which attempted to blackmail people for bitcoin. The letters, which c

May 13, 2019 (8 min)

The End of Password Expiration Policies, Seat-Back Cameras on Airplanes, Unknown Data Breach

This is your Shared Security Weekly Blaze for May 6th 2019 with your host, Tom Eston. In this week’s episode: Is this the end of password expiration policies, are there cameras recording you on an airplane, and the unknown data breach exposing 80 million records.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Last week Microsoft came out and admitted that password expiration policies are essentially useless and said that these requirements are “an ancient and obsolete mitigation of very low value”. In a blog post about updated security baseline settings for Windows 10 and Windows Server, Microsoft says that password expiration policies really don’t provide additional security. Microsoft says that “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem”. Now this doesn’t mean that password expirations are going away anytime soon, but in regards to the Microsoft security baseline, it means that if an organization uses this baseline, password expiration will be optional and not enforced. The current recommendation in the industry is to use blacklists of banned passwords, implementation of multi-factor authentication, and detection of password guessing attempts. I can say that for once I actually agree with Microsoft here. Password expiration is really an outdated practice, so it’s good to see Microsoft getting with the times. Be sure to check out our upcoming monthly show where Scott and I delve deeper into this topic. In the meantime, let’s see how many organizations follow this sound advice from Microsoft.

In related news, the UK’s National Cyber Security Centre released an analysis of the 100,000 most common passwords from recent data breaches and hacking campaigns. The most common passwords consist of ‘123456’ at 23.2 million, ‘123456789’ at 7.7 million, followed by ‘qwerty’, ‘password’, and ‘111111’. My non-scientific analysis tells me that people are just lazy, picking weak passwords like this! Let’s hope that more sites use password blacklists that help prevent users from selecting these really poor passwords.

If you fly United, Delta, or American Airlines, have you recently noticed that there is now a sticker over what looks to be a camera on the entertainment system that is found on the back of seats? If so, this is because of recent privacy complaints from passengers thinking that these cameras were recording them on the airplane. United told BuzzFeed News that the cameras were never activated and were installed by the manufacturer for possible future applications such as video conferencing. As an additional measure all three airlines decided to put stickers on these cameras to alleviate any customer privacy concerns. You may remember that back in February a photo of a camera on a Singapore Airlines entertainment system went viral on Twitter and caused quite the privacy controversy. On top of that there has been a more recent concern over the use of facial recognition technology by Delta, JetBlue and other airlines to replace boarding passes. These new systems are being tested out by US Customs and Border Protection right now at certain airports to further screen passengers by matching the picture taken of you to your passport photo. In most cases you can opt out of these scans, but for non-US citizens traveling to or from the US you may not be able to opt out.

And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility.

Security resear

May 6, 2019 (8 min)

All about VPNs with Gaya Polat from vpnMentor

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Tom Eston: Joining me on the podcast to discuss VPNs is Gaya Polat from vpnMentor. Welcome, Gaya.

Gaya Polat: Hello.

Tom Eston: Alright. So first question about VPNs is, maybe for our audience that may not be familiar with VPNs, what is a VPN and why should someone use one?

Gaya Polat: A VPN stands for virtual private network. It is a tool that routes your online information through a specialized service. What this means is that it routes your traffic and then encrypts your data. So by doing so, VPNs hide your online activity and protect you from the many dangers on the web, whether it’s hackers, data selling, identity theft, and more. So using a VPN keeps your online activity private and safe, therefore it minimizes the chance that you’ll be hacked. But there are other reasons people use VPNs. One of the more common reasons people have been using VPNs is to access geo-blocked content. And the way a lot of content online works, let’s say Netflix or Hulu, they have different catalogs for different countries and places. So if you’re an American, for example, who now is spending a semester in England or anywhere else, you’re gonna see that your Netflix catalog has changed. So a lot of people have been using VPNs to access content that is blocked.

Gaya Polat: Another very popular reason people have been using VPNs is, sports fans have found VPNs to be quite useful, because a lot of the times, like let’s say you want to watch a certain UFC fight on pay-per-view, it can cost around $80, but there’s a very likely chance that somewhere in a different country, let’s say the United Kingdom, France, or Canada even, you can watch the game on a regular cable channel. So by using a VPN, you can access that quite freely, and before every important boxing or UFC match, you can… We tell you the best way by using a VPN to watch the game or the fight. There’s also a different segment of people who use VPNs because they want to overcome their local censorship laws. Sadly, some countries don’t have free internet and free online access, and they simply need a VPN to use. For example, in Turkey, Wikipedia is blocked. So whenever someone from Turkey wants to access, say, Wikipedia, they need to use a VPN. In Russia, almost all online social media is blocked. So we see a lot of users from Russia. That is it. Yeah. Those are I think the main reasons people use VPNs.

Tom Eston: Yeah, that’s great. Lots of good things, especially if you’re in a country that may be censored, like you said, or access to different types of entertainment content that may not be available in your region or region of the world. And of course user privacy, which is definitely a big one. So having said that, with all the great use cases for a VPN, what are some of the disadvantages that come with using a VPN?

Gaya Polat: So first of all, as you said, there are a lot of advantages to using a VPN, but it’s not a magic potion that you can use and everything will be great. For example, it will not protect you from phishing scams or having your personal data leaked in certain cases. For example, if you entered your personal information into Facebook and that is hacked, even if you use the best VPN, that will not save your private information.

Gaya Polat: There is also an issue with speeds, because by default, what a VPN does, as I said, is that it routes your internet data through a different server. So that means that by using a different server, it can add a bit of lag time to your speed. So when you choose a VPN, you want to choose a VPN that has servers in a lot of countries and a lot of servers. The more servers it has, the more the usage of the different servers will be spread out, so there will be sort of less traffic. If you want, you can see on our website the different VPNs and the servers they have and the different speeds. But generally speaking, the top brands all have a lot of servers.

Gaya Polat: And another thing that can be a big disadvantage when using a VPN has to do… If you torrent copyrighted content, then you need to make sure that the VPN you use does not keep logs, because in some countries, like let’s say for the US, your ISP can be required to give your information if it is asked when torrenting. And if the VPN keeps logs, then it has to give your information to the ISP. So if you’re using torrent websites, then you need to make sure, absolutely make sure, that it could get you in a lot of hot water. [chuckle]

Gaya Polat: And the last thing to know about VPN usage is that some sites

Apr 29, 2019 (16 min)

The State of Cybersecurity Training and Certifications with Kevin Johnson

In episode 87 of our monthly show, frequent guest Kevin Johnson joins us to discuss the current state of cybersecurity training and certifications. If you’re currently in the industry or pursuing a career in cybersecurity this is one episode not to miss!

Tom and Kevin cover the following topics: What’s the state of training and certifications in our industry? Why is some training so expensive? How did we get here? What’s the biggest challenge we face? What should we look for in a training provider and are certifications really worth it? What certifications are valuable?

We also discuss the recent incident of Kevin’s training provider which was compromised a few weeks ago. Kevin talks about the way they handled the incident, how they disclosed to the public, and the right way to handle a data breach and incident. Full write-up of the incident that we mention on the show: https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html

This episode was also streamed live over Twitch and YouTube Live! Be sure to subscribe to us on Twitch and YouTube to catch the next live episode. Special thanks to Kevin Johnson for being our guest. It’s always a pleasure to have Kevin on the show!

The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post The State of Cybersecurity Training and Certifications with Kevin Johnson appeared first on Shared Security Podcast.

Apr 25, 2019 (46 min)

Microsoft Email Hacked, Instagram Nasty List Phishing Scam, Facebook Third-Party Data Deals

This is your Shared Security Weekly Blaze for April 22nd 2019 with your host, Tom Eston. In this week’s episode: Microsoft email services hacked, the Instagram “Nasty List” phishing scam, and Facebook’s attempted deals to sell your data.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Microsoft was in the hot seat this past week with the announcement that email services on Outlook.com, MSN, and Hotmail were breached from January to late March this year. This breach was due to the compromise of a support agent’s privileged credentials, most likely due to a targeted social engineering attack. The attackers apparently had access to email addresses, subject lines, names of people within conversations, and custom folder names. Accounts affected were only free consumer accounts and not accounts that businesses pay for. According to Motherboard, who broke the story, Microsoft has confirmed the breach and has sent breach notification emails to customers that have been affected, but didn’t say how many users were impacted by the breach. Other details show that the source, who was used for the Motherboard story, noted that the attacker appeared to have used this access for what are called “iCloud unlocks”. This is where attackers will compromise a victim’s email or iCloud account to remove Apple’s ‘Activation Lock’ from a stolen iPhone. This security feature was implemented to prevent thieves from resetting stolen iPhones and selling them. My take is that this is one of those attacks that, as users, is very hard, if not impossible, to prevent. Even if you secure your account with multi-factor authentication, you’re still at the mercy of Microsoft and the administrators that may have their credentials compromised. In these cases, it comes down to how quickly a company can respond to a breach to limit impact to its customers.

Have you been receiving strange messages on Instagram from your followers about you being on something called the “Nasty List”? If so, the message is actually a massive phishing campaign that is being spread through hacked Instagram accounts. The message will say something like quote “OMG your actually on here, @TheNastyList_(some number), your number is 15! Its really messed up” end quote. Grammar Nazis, your first clue that this is a scam is the spelling of “your” which should be “you’re”. Unless, of course, your friends naturally have bad grammar. Now if you visit the profile you will see an interesting URL in the profile link which will, you guessed it, take you to a fake Instagram login page. If you happen to enter in your Instagram credentials, you’ll be hacked yourself and your account will then become another zombie also sending out the same message to your followers. For more details on this scam check out the link in our show notes for a great article from Bleeping Computer. Hopefully, as a listener of this podcast, you didn’t fall for this scam, but if you did, change your password, re-edit your profile, and profusely apologize to your followers that you were hacked.

And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility.

I think I’m starting to sound like a broken record here, but surprise, surprise, Facebook was in the news once again this week when NBC News reported that Facebook CEO Mark Zuckerberg once considered making deals with third-party developers to find out how much users’ data might actually be worth. In the report over 4,000 leaked pages of internal Facebook documents show that there were potentially 100 deals with third-party app de

Apr 22, 20198 min

Amazon Echo Recording Controversy, New Mobile Phone Scam, Hotels Leaking Data

This is your Shared Security Weekly Blaze for April 15th 2019 with your host, Tom Eston. In this week’s episode: Amazon Echo’s recording controversy, a new mobile phone scam, and hotels leaking your private information. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. In late breaking news last week, it was reported by Bloomberg that Amazon employs thousands of workers to listen to what customers say to Amazon Echo devices. According to the report, workers can listen to as many as 1,000 audio clips in 9-hour work shifts. Apparently, workers listen to audio clips that are “mundane” and even sometimes “possibly criminal”. Amazon responded to the report by saying that it only annotates an “extremely small number of interactions from a random set of customers” and that it uses “requests to Alexa to train our speech recognition and natural language understanding systems”. While Amazon employees don’t have access to names or addresses of customers, they do have access to the Amazon account number and device serial number. Amazon further clarified that no audio is stored unless the wake word is used to activate the Alexa-enabled device. While you can go into the Alexa app to view the privacy configuration of your Echo device and individually delete audio clips, there currently is no way to completely opt out of recording altogether. The only option available is to disable the use of recordings for the development of new features. 
However, it’s reported that Amazon may still have recordings analyzed by hand through an occasional review process. A new scam, where someone asks for your mobile carrier’s verification code, has been making the rounds. The way it works is that you’ll receive an email which looks like it’s come from your mobile carrier, like Verizon, with a message saying that fraud has been found on your account and you need to call the number noted in the email immediately. If you call the number, the scammer will say they need the verification PIN that you set up with the carrier to verify your account. Once you do that, the scammer will reset your password and make themselves the “primary” account user. After that, the scammer will have full access to potentially buy devices at your carrier’s store as well as hijack your phone number to reset two-factor authentication on other critical accounts. In two recent cases that took place in Florida, scammers attempted to purchase several brand new phones from a Verizon store using this scam. Fortunately, police showed up at the store to arrest the perpetrators after being alerted by Verizon that something wasn’t quite right. So what can you do to prevent becoming a victim of a scam like this? First, even with the threat of phishing and social engineering, you should always have a PIN, also known as a “port validation” code, set up through your mobile carrier. See our show notes for a great guide on how to do this, as each company has a different procedure. Also note, you should ensure that this passcode or PIN is unique and different from any other passcode or PIN that may be in use with your mobile carrier. Lastly, if you receive an email or phone call from someone that says they are from your mobile carrier, hang up. You’re not going to be contacted over the phone like this, and if you are concerned about fraud or want to find out if a request is legitimate or not, it’s best to just give your mobile carrier a call yourself. 
And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. New research from Symantec shows that hotels are leaking detailed guest reservation da

Apr 15, 20198 min

Facebook’s Bad Week, Stalkerware, Tax Season Scams

This is your Shared Security Weekly Blaze for April 8th 2019 with your host, Tom Eston. In this week’s episode: Facebook’s very bad week, Stalkerware on the rise, and tax season scams. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I know you’ll be shocked to hear this but Facebook had yet another painful week of data breaches and controversy. First was the announcement that over 540 million Facebook user records and associated data were found unsecured on two Amazon AWS servers, discovered earlier in the year by cybersecurity firm UpGuard. The first server, belonging to a company called Cultura Colectiva, which is a Mexico based media platform, had the majority of the exposed data containing usernames, Facebook IDs, comments, likes, and other data that may have been used for social media analytics. The second server had data from a Facebook game called “At the Pool” which had details such as Facebook ID, friends list, likes, photos, groups, checkins, user interests, and of course 22,000 passwords. The passwords were apparently only for the game account and not the Facebook login, however, we all know that most people reuse passwords across the sites and services they use. Both servers are now locked down after quite the ordeal noted by UpGuard in their incident report which we’ll have linked in our show notes. 
This particular breach shows one of the many problems that Facebook has had with all the data that third-party app developers have been collecting over the years. Just like the Cambridge Analytica scandal, it’s nearly impossible for Facebook to oversee and regulate the security of user data that leaves the Facebook Platform. The second Facebook story that made the news last week was how Facebook is asking some new users to provide the password to their email account. Apparently, if you happen to use an email account from some email service providers like Yandex and GMX, you’ll be prompted to enter your email account password to confirm your email address. Once you do that, a pop-up appears stating that Facebook is importing your email contacts, without any authorization by the user to do so. According to the report from Business Insider, Facebook stated that this “feature” is being discontinued but in the meantime, it’s set off groups like the Electronic Frontier Foundation which said that this “feature” is indistinguishable from a phishing attack, which will also ask you to enter passwords to verify who you say you are. According to anti-virus company Kaspersky, over 58,000 Android users had “stalkerware” installed on their phones last year. 35,000 out of this number had no idea that they had stalkerware installed on their device until they installed Kaspersky’s mobile antivirus product. Stalkerware, also known as spouseware or legal spyware, is sold by various companies under the guise of an easy way to monitor your child’s activities or track employee device usage. In reality, most of these apps are being used maliciously, and having one of these apps installed usually means that someone has had physical access to your device, as the majority of these apps require someone to install the application manually, mostly because these apps require the device to be “jailbroken” or “rooted” so that the app can be installed. 
Last year, on episode 40 of the Weekly Blaze, we recorded an entire podcast about stalker apps and spyware which I encourage you to check out. This episode goes into more detail on how these apps work and what to look for if you suspect one of these apps is installed on your mobile device or laptop. In related news, Kaspersky has said that they will now start alerting Android users that have their antivirus product whenever a stalkerware app is installed on a user’s device. This push by Kaspersky was initiated by Eva Galperin, head of the Electronic Frontier Foundation’s Threat Lab, who is spearheading a push in the cybersecurity industry to finally take the threat of stalkerware seriously. In her list of demands she’s asking antivirus companies to start detecting and alerting on these types of apps, asking Apple to allow antivirus apps in their app store (Apple currently does not allow this), have Apple detect and alert when an Apple device is jailbroken or rooted, and to hav

Apr 8, 20199 min

Apple Card, ASUS Live Update Backdoor, Statistics on Malware Attacks

This is your Shared Security Weekly Blaze for April 1st 2019 with your host, Tom Eston. In this week’s episode: Apple’s new privacy focused credit card, the ASUS live update software backdoor, and recent statistics on Malware attacks. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Apple announced last week that it’s partnered with financial firm Goldman Sachs on a new type of credit card which is focused on privacy and security. The credit card, which is called “Apple Card”, is paired with Apple Pay so you can use it like you normally do with your iPhone, but it also includes a traditional physical card made out of titanium, laser-etched, with no visible card number, CVV code, expiration date, or signature on the card itself. Now that is a credit card that has Apple written all over it. In regards to the technology, the credit card number will be stored in the iPhone’s Secure Element chip and all purchases must be authenticated through Touch ID or Face ID. Apple also says that they will not track what you’ve purchased, where you’ve shopped, or how much you’ve paid for purchases and that Goldman Sachs will not share or sell your data to third-party marketing firms. Other perks include a cash back program on all purchases, no annual fees, and insight into spending habits right on your iPhone. If this all sounds amazing, you may be asking yourself “What’s the catch?”. 
Well, the Apple Card is still a credit card, so from what we know so far interest rates will vary between 13 and 24% and are based on your “creditworthiness”, and any late or missed payments will drive up your interest rate. My take is that I think it’s great to see Apple making more of their products and services with privacy and security in mind. I think we all give Apple some grief over their sometimes overly aggressive marketing campaigns, like they did at CES in Las Vegas this year when they proclaimed on a large billboard “What happens on your iPhone, stays on your iPhone”. But perhaps now we’re really starting to see Apple put their money where their mouth is. Computer hardware manufacturer ASUS confirmed that their “live update” tool, which provides firmware updates, drivers, and patches for all of their laptops and other consumer hardware, was compromised by an Advanced Persistent Threat group. This is a great example of what is called a supply chain attack, where a central update repository was compromised to spread malware. ASUS said in their press release that “a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group”. ASUS also stated that it had reached out to affected users and worked with them to ensure any security risks were removed. Kaspersky, which makes anti-virus software, says it has detected the ASUS supply-chain malware, conveniently named ShadowHammer, on 57,000 computers. Kaspersky says that there may be even more devices that have been affected. In related news, TechCrunch reports that a security researcher warned ASUS about two months ago that ASUS developers were exposing passwords in their GitHub code repositories which could be used to access the ASUS corporate network. 
These repositories were publicly available, and the researcher notes that one of the repositories was a daily release mailbox where automated build notifications were sent. These emails contained the full file paths of where drivers and other files were stored on the ASUS internal network. This information, combined with access to this mailbox, could easily have been used for phishing or targeting other developers via social engineering. While there have been no reports of compromised systems, it does show a lack of overall security awareness among ASUS’s developers. Now in regards to remediation, ASUS says the backdoor has been fixed and that ASUS users should update to the latest version of its “Live Update” software. Do you own an ASUS laptop or other device? If you do, be sure to check out our show notes for a link where you can download a tool from ASUS which will determine if your ASUS system was affected by the backdoor. And now a word from our sponsor, Edgewise Networks. Org
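The ASUS story above turns on credentials sitting in public repositories and in automated build mail. The following is an added example written for this page, not ASUS’s tooling or the researcher’s method: a small scanner that flags password assignments, credentials embedded in URLs, private key headers, and long high-entropy strings, while ignoring obvious placeholders. The file contents and the entropy threshold are assumptions constructed for the example.

```python
"""Added example (not ASUS's tooling or the researcher's method): a small
scanner for credentials that end up in repositories or in automated build
mail. All sample text below is constructed for this page."""
import math
import re
from collections import Counter

# Assignment-style secrets: smb_password = ..., api_key: ..., token="..."
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:pass(?:word|wd)?|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{6,})"
)
# Credentials embedded in URLs: scheme://user:PASSWORD@host
BASIC_AUTH_URL = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:(?P<value>[^@\s]+)@")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Long runs of key-like characters, judged by entropy rather than by a field name
HIGH_ENTROPY = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 3.5  # assumption: bits per character; random hex sits near 4.0
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}

# Constructed inputs: a build-notification mail and a config file of the kind
# that gets committed by mistake.
SAMPLE_BUILD_MAIL = r"""From: build-bot@example.invalid
Subject: nightly build 2019-02-11 OK
Artifacts copied to \\fileserver\release\drivers\nightly
smb_user = builder
smb_password = Tr0ub4dor&3x
"""
SAMPLE_CONFIG = """db_url = postgres://svc:s3cretP%40ss@db.internal:5432/updates
api_key = ${API_KEY}
password = changeme
signing = 0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """Templated or dummy values are noise, not live credentials."""
    return value.lower() in PLACEHOLDERS or value.startswith(("${", "<", "{{"))


def redact(value: str) -> str:
    """Keep a short hint for triage without copying the secret into the report."""
    return value[:3] + "*" * (len(value) - 3)


def scan_text(text: str) -> list:
    """Return one finding per (line, kind); matched values are redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("assignment", ASSIGNMENT), ("basic_auth_url", BASIC_AUTH_URL)):
            m = rx.search(line)
            if m and not is_placeholder(m.group("value")):
                findings.append({"line": lineno, "kind": kind, "match": redact(m.group("value"))})
        if PRIVATE_KEY.search(line):
            findings.append({"line": lineno, "kind": "private_key", "match": "(key material)"})
        for m in HIGH_ENTROPY.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high_entropy", "match": redact(m.group(0))})
    return findings


if __name__ == "__main__":
    for name, text in (("build mail", SAMPLE_BUILD_MAIL), ("config", SAMPLE_CONFIG)):
        for f in scan_text(text):
            print(f"{name}: line {f['line']}: {f['kind']}: {f['match']}")
```

Run it against the full history of a repository (every commit, not just the current tree) and against mailbox exports, since a secret removed in a later commit is still present in the earlier one; the entropy check catches keys that no keyword rule names, at the cost of some review of false positives.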

Apr 1, 20199 min

Facebook Passwords Exposed, Android Q Privacy, Microsoft Office Targeted

This is your Shared Security Weekly Blaze for March 25th 2019 with your host, Tom Eston. In this week’s episode: Facebook passwords exposed in plain text, Android Q’s new privacy features, and why Microsoft Office is the most popular target for cybercriminals. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I want to mention a correction from last week’s show when I talked about the service called CLEAR. CLEAR does not use facial recognition technology; they only use iris or fingerprint biometric scans. And now, on to this week’s news. In late breaking news last week, Facebook announced that hundreds of millions of its users had their account passwords stored in plain text going all the way back to 2012. Apparently, through an internal security review, Facebook had found these passwords exposed on internal servers. Apps affected include Facebook, Instagram and Facebook Lite, which is a version of Facebook made for underpowered phones and low speed connections. Famed reporter Brian Krebs from Krebsonsecurity.com said a source at Facebook told him that between 200 and 600 million Facebook users had their passwords stored in plain text and the data was searchable by over 20,000 Facebook employees. The source also said that about 2,000 internal developers made about 9 million queries for information that contained those plain text passwords. 
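To make concrete what “stored in plain text” means against the alternative, here is an added example written for this page (not Facebook’s code): a record that carries the password itself next to one that carries only a salted, iterated PBKDF2 hash, plus a scrubber for the kind of internal event that otherwise lands the plaintext on a log server. The iteration count, field names and sample users are assumptions.

```python
"""Added example (written for this page, not Facebook's code): the record
format that leaks a password versus one that does not, plus the log
scrubbing that keeps the plaintext out of internal systems. Users and
passwords below are constructed."""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms on your hardware


def store_plaintext(user: str, password: str) -> dict:
    """The failure mode in the episode: the secret is written as received,
    so anyone who can read the record (or a log that captured it) has it."""
    return {"user": user, "password": password}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The random salt makes identical
    passwords produce different records; the iterations slow brute force."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def store_hashed(user: str, password: str) -> dict:
    """What the record should look like: a verifier, never the secret."""
    return {"user": user, "password_hash": hash_password(password)}


def redact_for_log(event: dict) -> dict:
    """Scrub credential-bearing fields before an event reaches a log or
    analytics store; unscrubbed request logging is one way plaintext ends up
    'on internal servers'. Field-name matching is an assumption for the example."""
    return {
        k: ("[REDACTED]" if any(w in k.lower() for w in ("pass", "secret", "token")) else v)
        for k, v in event.items()
    }


if __name__ == "__main__":
    print(store_plaintext("alice", "correct horse battery"))  # secret visible
    rec = store_hashed("alice", "correct horse battery")
    print(rec)                                                # verifier only
    print(verify_password(rec["password_hash"], "correct horse battery"))
    print(redact_for_log({"user": "alice", "password": "correct horse battery", "ip": "203.0.113.9"}))
```

Even with hashing in place, the scrubber matters: the hash protects the database, but a request logger that captures the login form body still writes the password in the clear, and that is the copy 20,000 employees could search.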
Facebook stated that it appears no one outside of Facebook had compromised this data and that (for now) there is no evidence that anyone internally at Facebook accessed or abused anyone’s password. Now, are you shocked to hear this latest news? If you’re not, how much more can we all take before it’s time to finally delete Facebook from our lives? It seems this is just yet another security and privacy blunder that continues to plague the world’s largest social network on pretty much a weekly basis. Our advice is if you plan on sticking around Facebook, change your Facebook and Instagram password, and if you haven’t already, enable two-factor authentication. In fact, if you have two-factor authentication already enabled on your account, you’re already a step ahead protecting your Facebook password from potential compromise. Android users rejoice! Android Q, Google’s new version of Android set to be released this summer, is coming with several new and exciting privacy features. Here’s our take on the top three features. First up is that Android apps can no longer access clipboard data, unless the app is actively being used. This can help prevent malicious apps from gaining access to copied clipboard data like passwords from a password manager. Next, MAC address randomization will be enabled by default. A MAC address is the unique ID that your Wi-Fi and Bluetooth chips installed on your devices use when communicating on a network. This feature was available in Android 6.0 but now will be enabled by default. This feature will also help prevent some data harvesting and tracking used by some third-party app providers. And probably the biggest new privacy feature is having more control over your location data. Android Q will now have a permissions prompt whenever an app wants to use your location data. So now you can give the app access to location data all the time, only when the app is in use, or completely deny the app access to your location data. 
Check out our show notes for a link to all the new privacy features coming in the upcoming release of Android Q. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. A recent report by threat intelligence firm Recorded Future, shows that for the second year in a row, Microsoft was the

Mar 25, 20199 min

Verifications.io Data Breach, Capsizing a Ship with a Cyberattack, World’s Most Dangerous Malware

In episode 86 of our monthly show we discuss Tom’s new garbage service (yep, that’s right) and why taking credit cards by filling out a form and mailing it is never a good idea, the Verifications.io data breach, how a cyberattack could capsize a ship, and the world’s most dangerous malware. This was also the first show we streamed live over Twitch. Be sure to subscribe to us on Twitch to get notified when we’ll be live! Links to articles mentioned on the show: Verifications.io data breach How a cyberattack can capsize a ship Triton is the world’s most murderous malware, and it’s spreading   The Shared Security Podcast sponsored by Silent Pocket and Edgewise Networks. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post Verifications.io Data Breach, Capsizing a Ship with a Cyberattack, World’s Most Dangerous Malware appeared first on Shared Security Podcast.

Mar 25, 201933 min

Equifax and Marriott Data Breach Updates, Facial Recognition at the Airport, Citrix Password Spraying Attack

** Correction about CLEAR as noted in this episode of the podcast. CLEAR does not use Facial Recognition technology, only iris or fingerprint biometric scans ** This is your Shared Security Weekly Blaze for March 18th 2019 with your host, Tom Eston. In this week’s episode: Equifax and Marriott data breach updates, facial recognition coming to 20 US airports, and the Citrix password spraying attack. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. In data breach news, Equifax CEO Mark Begor and Marriott CEO Arne Sorenson appeared before a US Senate subcommittee to testify regarding the data breaches that both companies have suffered. While no new information was revealed about the Equifax breach (just the committee grilling Equifax’s CEO on the security controls and investments in security that they’ve put in place), several more technical details about the Marriott breach were revealed. In September of last year, Accenture, who managed the Starwood Guest Reservation Database, contacted Marriott’s IT team about a strange query from a legitimate administrator account. Marriott discovered that these credentials were stolen and began an investigation. Investigators first found a remote access trojan being used, as well as Mimikatz, a tool that extracts usernames and passwords from memory. Investigators finally found two encrypted files that had been deleted and then recovered them. 
These two files were removed from the Starwood network on November 13th of last year. Shortly after, investigators were able to decrypt these files to show what type of data was stolen. Even though 383 million guest records were accessed, the good news was that the 9.1 million credit card numbers in the stolen data were encrypted and there has been no evidence to indicate that the master encryption keys to decrypt the card data were accessed. Marriott also said that they have not received any claims of loss from fraud related to the incident. This is quite surprising, given that attackers had been in the Starwood network for at least 4 years, since 2014, well before Marriott acquired the hotel chain. In other Equifax news, famed reporter Brian Krebs reports that even if you already froze your credit files through Equifax after their data breach and were issued a PIN code, it still may be possible for an attacker to bypass your PIN and lift an existing credit freeze with just your name, social security number and birthday. Check out the link in our show notes to read the full article on this rather disturbing development. US Customs and Border Protection (or CBP) is beginning to implement facial-recognition technology at 20 airports across the US. These new systems will be used to verify the identities of passengers entering and exiting the country. The plan is to have this system in place across all US airports by 2020. The technology measures what are called facial landmarks, such as the distance between the eyes or from the forehead to the chin, and matches that data to passport photos stored in a database. You might be surprised to hear this, but similar commercial facial-recognition systems are already in use at many airports. For example, Delta has a “curb-to-gate” facial recognition system for international travelers at Atlanta International Airport, and other airlines like JetBlue, British Airways, and Lufthansa are running similar pilot programs of their own. 
You may have also seen a third-party service called “Clear”, which operates kiosks at over 27 US airports that use iris or fingerprint biometric scans. Clear allows you to basically jump to the front of the security screening line, and includes a bunch of other airline specific perks, which can significantly decrease the time it takes to get through airport security. The issue with Clear is that it comes at a cost of about $15 a month. Facial-recognition technology seems to be implemented faster than we can understand the privacy ramifications. In a lot of ways, we’re starting to see the beginnings of a government funded massive surveillance network, now tied into the passport system, which has the potential to expand even outside of the airport. It’s also important to note that there are no laws that govern the use of facial recognition. Yet, the government is happy to roll this technology out, all in the name of your security. Third-parties like Clear, now make millions of d

Mar 18, 20199 min

Google Chrome Zero-Day, Facebook Phone Number Privacy, NSA Phone Data Collection Program

This is your Shared Security Weekly Blaze for March 11th 2019 with your host, Tom Eston. In this week’s episode: a new Google Chrome Zero-Day, how Facebook uses your phone number, and the shutdown of the NSA’s phone data collection program. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Google announced last week that a patch released on March 1st for the Google Chrome web browser was actually to fix a zero-day vulnerability that had been under active attack. The vulnerability, which is known as a use-after-free bug, is a type of memory error which can allow malicious code to escape Chrome’s built-in security sandbox and allow commands to be run on the local operating system. This particular vulnerability was found in what’s known as the “FileReader API”, which allows web applications to read the contents of files on a user’s computer. Google updated their original post about the patch to indicate that “Access to bug details and links may be kept restricted until a majority of users are updated with a fix”. This is, of course, done to prevent malicious actors from accessing details on how the vulnerability works so that it cannot be replicated. As always, ensure you keep your web browser of choice updated. In fact, all modern browsers have a nifty auto-update feature. The Chrome browser will show you a “green, orange, red” three dot indicator at the top right of your browser. 
If it’s green, an update has been available for 2 days; if it’s orange, 4 days; and if it’s red, 7 days. Click on the three dots and simply click “Update Google Chrome”. If you don’t see this button or any color indicators, you’re at the most current version. Our advice is to take a minute now to ensure you’re using the latest version of Chrome. First up in Facebook news last week was the controversy over how Facebook uses your phone number. The Electronic Frontier Foundation said that phone numbers in Facebook, which happen to be used for two-factor authentication, have the privacy setting set to searchable by “Everyone” as the default. In fact, Facebook only gives you the choice of “Everyone”, “Friends of Friends” and “Friends”, which means there is no option to opt out. Facebook is essentially forcing us into a trade-off between the security of two-factor authentication and the privacy of our phone number. Keep in mind, back in April of last year, Facebook did remove the ability to search for a user by entering a phone number or email address in the Facebook search bar, but it did not disable the ability for someone to find you when they upload a list of their contacts which happens to have your phone number in it. In other Facebook news, a report from the Guardian shows that Facebook targeted politicians around the world, promising various forms of investments and incentives so that they would lobby on Facebook’s behalf against data privacy legislation. This was all made public via a brand new leak of internal Facebook documents. And if that wasn’t enough Facebook news, Facebook CEO Mark Zuckerberg released a manifesto of sorts which details his vision for building a privacy-focused messaging and social networking platform. 
Check out our show notes if you’re interested in reading Mark’s full post, but basically he wants to change Facebook so that it can have more private interactions, end-to-end encryption, reduced permanence, safety, interoperability, and secure data storage. So what do you think? With all the controversy and scandal going on with Facebook, do you think Mark’s intentions for a more secure and private Facebook are genuine? Or do you feel that ultimately we are the product and, at the end of the day, making money off of our private data is what Facebook is really about? Let us know your thoughts by sending us an email at feedback[aT]sharedsecurity.net or through any of our social media channels and let’s continue the conversation. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from

Mar 11, 20199 min

Multi-Factor Authentication, New Attacks on 4G and 5G Mobile Networks

This is your Shared Security Weekly Blaze for March 4th 2019 with your host, Tom Eston. In this week’s episode: Multi-factor authentication to protect your credentials, and new attacks on 4G and 5G mobile networks. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Almost every day we hear about a new data breach or leak of personal data. In a lot of these stories, compromised credentials are used in what is known as a ‘credential stuffing’ attack, in which stolen credentials from large databases of past data breaches are used to gain access to many different types of popular applications and services. Just last week, one of those services was Intuit’s TurboTax application which right now, because of tax season in the US, is extremely popular. Victims of this particular attack had information like social security numbers, address, date of birth, driver’s license number, previous tax returns and other personal data compromised. That’s enough data for someone’s identity to be stolen! But even if we take the right precautions to use unique and complex passwords, many of us can still fall victim to a phishing or other social engineering attack where we may be convinced to give away our user credentials. In fact, in last week’s show I discussed a very realistic Facebook social login phishing campaign which looks so real that even cybersecurity professionals could fall for it. So what can you do to help better protect your user credentials? The answer is multi-factor authentication, and you should always enable it if the apps and services you are using support it. 
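Credential stuffing has a distinctive shape in authentication logs: one source failing against many different accounts in a short window, rather than one user failing repeatedly. The following is an added example written for this page (not Intuit’s or any vendor’s detection) that runs that logic over a handful of constructed log lines and also flags any success from a source that was already flagged, which is the account-takeover moment a responder cares about. The log format, thresholds and addresses are assumptions.

```python
"""Added example (written for this page, not Intuit's or any vendor's
detection): flag credential stuffing in authentication logs by looking for
one source failing against many different accounts in a short window, then
flag any success from that source afterwards. The log lines and their format
are constructed for this page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG = [
    # one source tries ten different accounts in ten seconds (a stuffing run)
    f"2019-02-25T10:00:{i:02d}Z ip=203.0.113.5 user=u{i + 1:02d} result=FAIL" for i in range(10)
] + [
    "2019-02-25T10:00:12Z ip=203.0.113.5 user=u07 result=OK",       # a reused password worked
    "2019-02-25T10:01:00Z ip=198.51.100.7 user=alice result=FAIL",  # a real user mistyping
    "2019-02-25T10:01:10Z ip=198.51.100.7 user=alice result=FAIL",
    "2019-02-25T10:01:20Z ip=198.51.100.7 user=alice result=OK",
]


def parse(line: str):
    """Return the event as a dict with a datetime timestamp, or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(lines, window=timedelta(minutes=5), min_failures=8, min_users=5):
    """Sliding-window detector keyed by source address.

    A source is flagged the first time it has at least `min_failures` failed
    logins across at least `min_users` distinct accounts within `window`.
    Any later success from a flagged source is reported as a likely takeover."""
    recent = defaultdict(deque)  # ip -> deque of (ts, user) for failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            # Many failures on one account is a lockout story; many failures
            # across many accounts from one source is the stuffing signature.
            if ip not in flagged and len(q) >= min_failures and len(users) >= min_users:
                flagged.add(ip)
                alerts.append({"type": "credential_stuffing", "ip": ip, "at": ev["ts"].isoformat(),
                               "failures": len(q), "distinct_users": len(users)})
        elif ip in flagged:
            alerts.append({"type": "success_after_stuffing", "ip": ip, "user": ev["user"],
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

Keying on the source address is the simplest version; real stuffing tools rotate through proxies, so a production rule also keys on user agent, ASN or a device fingerprint, and the `success_after_stuffing` alert is what should trigger a forced password reset and an MFA challenge on the affected account.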
Here to discuss what multi-factor authentication is and how it’s different than other forms of authentication is Ian Paterson, CEO of identity assurance company, Plurilock. Ian Paterson: Historically, authentication is based around what you know, which would be something like a password or a PIN number for your debit card; what you have, so that would be something like the debit card itself or maybe an RSA token; and something that you are, and that would be something like your fingerprint for touch ID or maybe your face for using facial recognition. And multi-factor authentication is when you have two or more of those factors. So you’re mixing and matching something that you know, something that you have, and something that you are. Ian Paterson: Traditional authentication is generally something that you know, and that would be passwords. And what the world has learned over the last five to 10 years, is that passwords, something that you know, are really a terrible way of protecting stuff. I would say ironically, but not ironically, I got a note in my inbox earlier this week from Have I Been Pwned, saying, “Congratulations. You have been subject to a data breach.” And the reality is if you’ve been around online for any amount of time, probably you’ve had your credentials breached. And I usually talk about, there’s two people in the world, people who know that they’ve been part of a data breach and people who don’t know. And that’s basically it. So, coming back to your question. So MFA is designed to mitigate some of the problems around traditional authentication, i.e., passwords, and we’re starting to see more of… more consumer options, certainly, around being able to use MFA or two factors, so two-factor authentication and multi-factor authentication, we’re starting to see more of those options being available to consumers. 
Tom Eston: So, what are some of the issues that you’re seeing with the way that companies and applications and everyone is using multi-factor authentication right now? Ian Paterson: I think that there are some good ways of doing multi-factor authentication and there are some not good ways of doing multi-factor authentication. So some examples of maybe good attempts, but attempts that come up short, would be using two forms of something that you know. Ian Paterson: A lot of banks actually are still stuck with this. Where you’ll have a login and password and then if you get through the login and password, then they’ll ask you a security question. So it’s not actually multi-factor, they call it two-step verification in a lot of cases, which kinda sounds like two-factor authentication, but you’re still using two shared secrets, two something that you knows, in order to authenticate you as a person. And it’s a little bit better than just a password on its own, but not by much. And certainly it doesn’t meet a lot of the regulatory requirements around strong authenti

Mar 4, 2019 · 14 min

Google Nest’s Secret Microphone, Facebook Login Phishing, Password Manager Vulnerabilities

This is your Shared Security Weekly Blaze for February 25th 2019 with your host, Tom Eston. In this week’s episode: Google Nest’s secret microphone, a new Facebook login phishing campaign, and vulnerabilities in popular password managers. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Do you own, or are you thinking about owning, a Nest Secure security system? If so, did you know that Google secretly installed a microphone into the system as a previously undocumented opt-in feature? Well, just last week Google announced that an update for its Nest Secure system would allow users to enable the Google Assistant (that’s Google’s voice activated product) so that users could use voice commands to enable and disable the alarm system. In a report from Business Insider last week, a Google spokesperson said that the company had made an error and that “the on-device microphone was never intended to be a secret and should have been listed in the tech specs”. Google said that the microphone was originally included in the system for the future possibility of new features, like the ability to detect broken glass. Google also stated that the microphone was always disabled. 
This news comes at a very challenging time for the tech giant as many consumers are increasingly worried about their privacy and companies like Google that have continued to demonstrate a lack of commitment to protecting our private information. In fact, a privacy group called EPIC, which stands for the Electronic Privacy Information Center, is asking the Federal Trade Commission here in the United States to divest Nest from the rest of its parent company Google and disclose any data that these undocumented microphones may have been collecting. EPIC has, in the past, called for similar action against Google dating back to 2010 when Google was found to have been collecting Wi-Fi data from its Street View project which included Wi-Fi network names, MAC addresses, URLs, emails, and even passwords from unsecured Wi-Fi networks. So what do you think? Are you concerned about a microphone in your home security system? Or is the bigger issue that companies like Google are not being honest with consumers about the privacy impacting technology being used in their products? And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. 
Last week password management company Myki posted about a new Facebook login phishing campaign making the rounds that looks so realistic that even cybersecurity professionals would have a hard time recognizing it. The attack takes advantage of the popular “social login” feature that is used for most web and mobile applications these days. Social logins give you the option of logging in with your Facebook account instead of creating a new set of user credentials. This is oftentimes more convenient than always creating a new user name and password combination. However, in the case of this new attack, convenience may come at a price. The way this particular attack works is that the attacker creates a very realistic-looking social login pop-up where everything from the status and navigation bar, graphics and more all look just like the real social login page. The user can even interact with the login box, just like the real one, by moving it around the screen and closing it. Once you fill out the form with your Facebook login credentials, they are then sent to the attacker. Check out the link in our show notes for a video demonstration of what the attack looks like but the only advice given to protect yourself is to try and drag the prompt away from the box that it is

Feb 25, 2019 · 9 min

Preventing Illegal Robocalls, Webcam Spying, Dating App Account Hacking

This is your Shared Security Weekly Blaze for February 18th 2019 with your host, Tom Eston. In this week’s episode: Preventing illegal robocalls, should you be scared of your laptop’s webcam, and recent hacks of popular dating apps. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. I’ll bet you’re like me and whenever I see a phone call from a number I don’t recognize I refuse to answer it due to the amount of robocalls, scams and fraud attempts that I’m always receiving. In a previous podcast we referenced a report from a company called First Orion, that said nearly half of the mobile phone calls received in 2019 will be scams. Well, it’s 2019 and I’m starting to believe that it may even be higher than 50%! It really seems like the problem is getting worse. However, a new report released by the FCC on the frequency and prevention of illegal robocalls shows that there is some progress being made to prevent these calls and to hold scammers accountable for their actions. In regard to call-blocking services the FCC states that hundreds of these services are now available, many of them for free, and that there has been significant progress made towards caller ID authentication through a new standard being implemented by the major telecom companies called STIR/SHAKEN. Umm…interesting martini reference there guys. 
Apparently, this standard verifies that caller IDs are accurate and not spoofed or modified. Caller ID authentication is supposed to be implemented by all major telecom companies in the US by the end of this year. From an enforcement perspective, the FCC notes that they have proposed or imposed fines of around $245 million just in the last two years against people and companies that have been found guilty of illegal robocalling. While all of these efforts seem to be making some progress, will caller ID authentication really drop the number of these robocalls? Time will tell but in the meantime, it’s probably best to get yourself one of the many free robocall and scam call blocking apps that are available. Check out our show notes for a link to many different types of popular apps that are available right now for you to use. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. I was intrigued by a story last week posted on ZDNet titled “Should you be scared of your laptop’s webcam” which talks about a recent Wall Street Journal story about a columnist who hired an ethical hacker to see if he could hack into the webcams of her two laptops and a baby monitor. This story was to see if you really need to put tape or purchase a cover for your webcam. 
By using a carefully crafted phishing email, with a link to a malicious file, the hacker was able to gain access to all her webcams and home network. But was it as easy as sending a simple phishing email? No, it actually wasn’t. The story pointed out that it took the columnist “performing some intentionally careless things for him to succeed”. So what careless things are we talking about? Well, the malicious file that was sent to the columnist via the phishing email was flagged by her operating system, anti-virus and even Microsoft Office. She had intentionally dismissed all the various warnings that were alerting her and even purposely disabled the various built in security controls within her operating system. By doing all of this it finally allowed the malicious document to be edited and therefore allowed the malware to execute. Now that was just on Windows but on her MacBook Air it took even more steps to

Feb 18, 2019 · 9 min

Artificial Intelligence in Cybersecurity, Apple FaceTime Bug, Nest Camera Passwords

In episode 85 of our monthly show we discuss artificial intelligence in cybersecurity, the recent Apple FaceTime bug, and the controversy over compromised Nest cameras. This was also the first show we streamed live over YouTube! You can re-watch the live stream on our YouTube Channel. The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.

Feb 13, 2019 · 30 min

DNA Testing and the FBI, $198 Million Dollar Cryptocurrency Password, Password Checkup Chrome Extension

This is your Shared Security Weekly Blaze for February 11th 2019 with your host, Tom Eston. In this week’s episode: DNA testing and the FBI, the $198 million dollar cryptocurrency password, and a new Chrome extension to protect your accounts from data breaches. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Before we get in to the news this week I wanted to update you all on the Apple FaceTime bug that we talked about in last week’s episode. Well Apple has finally released a patch! Make sure you update your Apple iOS device to 12.1.4 and any Apple system running macOS to version 10.14.3 of Mojave. Check our show notes for a link to all the details and instructions on updating. Now for a story about how one of the largest DNA testing companies, Family Tree DNA, is working with the FBI to allow them to search their massive genealogy database to solve crimes that have been nearly impossible to solve in the past. This topic may sound very familiar, as last year there was a story about how the “Golden State Killer” (Joseph DeAngelo) was convicted due to DNA information that was from an open source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in the database which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. 
However, in this most recent story this is the first time that a private company has agreed to voluntarily allow database access to law enforcement. According to the article this new relationship with Family Tree allows the FBI to upload DNA samples and then have them matched to around a million DNA records contained in their database. It’s important to note that anyone can upload their own DNA profile to its service, not just paying customers. I think we’re starting to see a very dangerous precedent in regards to the privacy of our DNA and who can access these records without user consent. While all of us would agree that finding murderers and solving unsolved crimes is really important, at what cost are we willing to have our most sensitive information, like our DNA, involved in searches or matching of other people’s profiles? Now that DNA testing kits are given as gifts and as it seems like everyone is doing it, what are the privacy ramifications in the future? One important thing to note, if you’ve used one of these DNA testing services in the past, you can delete your DNA records (also known as your ‘kit’) either by contacting the company’s customer service or through your profile settings within the DNA service web application. This process will vary between DNA companies but be sure to read the terms of service and privacy policies of the DNA company that you have used to see how they handle and potentially share your DNA records with other third parties. What do you think? If you’ve used one of these DNA services in the past are you concerned about this recent news? Let us know by commenting on our website or social media so we can continue this very important conversation. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. 
Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. Canadian bitcoin exchange, QuadrigaCX, owes its customers about $198 million worth of cryptocurrency due to the sudden death of the company’s CEO, Gerry Cotten. The reason, you may ask? Well the only person with the password to the offline storage wallet that stored the private encryption keys to unlock the cryptocurrency was the CEO. No other members of the company, nor the CEO’s wife had the pass

Feb 11, 2019 · 9 min
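The QuadrigaCX story above is a custody failure: one person held the only copy of the passphrase protecting the cold wallet keys, so his death locked everyone out. The standard engineering answer is threshold custody, where the secret is split so that any k of n holders can reconstruct it but fewer than k learn nothing. The block below is an added example, not code from the podcast or from QuadrigaCX: Shamir secret sharing over a prime field, with a constructed passphrase standing in for a wallet secret. The prime, the share format and the 3-of-5 policy are assumptions for the demo; a real deployment would generate shares on an offline machine and hand them to separate officers, and a cryptocurrency exchange would more likely use a multi-signature wallet so that no single reconstructed key ever exists.

```python
import secrets
from typing import List, Tuple

# Field for the arithmetic: 2**521 - 1 is prime (a Mersenne prime), so any
# secret up to 64 bytes is a valid field element. Assumption for the demo.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64

Share = Tuple[int, int]  # (x, f(x)); x is the share index, never 0


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate c0 + c1*x + c2*x^2 + ... mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares, any k of which reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    k-1 points are consistent with every possible constant term, so fewer
    than k shares give no information about the secret.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret too large for the field")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(k - 1)]  # CSPRNG, not random
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Lagrange-interpolate f(0) from at least k shares; `length` restores leading zero bytes."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j); divide via Fermat inverse
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def custody_demo() -> bool:
    """3-of-5 custody of a constructed wallet passphrase: any three officers
    can recover it, so the organisation no longer depends on one person."""
    passphrase = b"constructed-cold-wallet-passphrase"  # constructed demo value
    shares = split_secret(passphrase, k=3, n=5)
    three_of_five = [shares[0], shares[2], shares[4]]
    return recover_secret(three_of_five, len(passphrase)) == passphrase


if __name__ == "__main__":
    print("3-of-5 recovery works:", custody_demo())
```

Reconstruction has to happen somewhere, which is why the shares should be combined only on an isolated machine and the reconstructed secret used once and wiped; if the asset supports it, a k-of-n multi-signature scheme removes even that step.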

Massive Apple FaceTime Privacy Bug, Selling Your Privacy for Money, Insecure Smart Light Bulbs

This is your Shared Security Weekly Blaze for February 4th 2019 with your host, Tom Eston. In this week’s episode: The massive Apple FaceTime privacy bug, selling your privacy for money, and insecure smart light bulbs. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In breaking news this past week, a very serious privacy bug in Apple FaceTime was found by a 14-year-old high school student who was trying to FaceTime his friends while playing Fortnite. The bug allows someone to force other Apple devices that have FaceTime installed (everything from iPhones, iPads and laptops or Macs running newer versions of macOS) to answer a FaceTime call, even if the other person doesn’t take any action. Essentially, this turns an iPhone into a surveillance device where the microphone stays active. If you’re interested in learning more about the fascinating story on how this bug was discovered and the painful path that this 14-year-old and his parents had to take to notify Apple of the issue, check out the link provided in our show notes for this episode. In response to this bug, Apple has disabled group FaceTime functionality but it’s still not a bad idea to turn off FaceTime in your Apple device settings until a patch is released. Apple states that an update will be issued in the coming weeks. 
In the meantime, be sure to follow the podcast on Twitter, Facebook and Instagram for the latest updates on when a patch will be released. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. Facebook was in the news once again this past week when it was revealed in a TechCrunch story that Facebook was secretly paying users, from 13 to 35 years old, up to $20 per month plus referral fees to install an app called “Facebook Research” or known internally at Facebook as “Project Atlas”. This app is essentially a VPN and allowed Facebook to capture almost all data being used on a personal Apple device including messages, photos, phone call data, and web browsing history. Facebook even went as far as to distribute this app outside of the Apple App Store through Apple’s Enterprise Developer Program, which Apple designed for companies to distribute apps within an organization. The TechCrunch story prompted Apple last week to revoke Facebook’s access to this program as a terms of service violation because Facebook was using the Enterprise Developer Program to distribute “internal only” apps to the public. 
Dan Goldstein, president and owner of Page 1 Solutions, a digital-marketing agency, says, “This shows, once again, that Facebook doesn’t value user privacy and goes to great lengths to collect private behavioral data to give it a competitive advantage. The FTC is already investigating Facebook’s privacy policies and practices. As Facebook’s efforts to collect and use private data continue to be exposed, it risks losing market share and may prompt additional governmental investigations and regulation”. In related news, Google has removed a similar app called “Screenwise Meter” from Apple’s Enterprise Developer Program for fear that Apple would also revoke their access to this program. Google was doing the exact same type of thing where they were using a program designed to be used internally by organizations to distribute an app to the public. Screenwise Meter is very similar to the Facebook Research app in that it collects similar data such as browsing history. It seems that we’re starting to see more instances of tech companies offering money or other incentives in return for your private data. What do you think? Is this cr

Feb 4, 2019 · 9 min

The Lack of US Privacy Regulations, Nest Cameras Hijacked

This is your Shared Security Weekly Blaze for January 28th 2019 with your host, Tom Eston. In this week’s episode: Where are the US federal privacy regulations and details on Nest cameras being hijacked in credential stuffing attacks. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. January 28th is international data privacy day and ironically, it seems that we still have a major problem with protecting the privacy of our data. Data breach after data leak after countless examples of mishandling of our data by companies large and small, have led many of us to ask the question “Why aren’t there more laws and regulations in the US that are focused on data privacy?” While Europe has the GDPR the United States seems drastically behind in a battle for the protection of our private data that seems to be getting worse every day. Eventually, something big with data privacy will have to happen to finally get the attention of Congress, right? How big of a data breach is big enough? Equifax, which impacted 143 million Americans, was one example of a huge breach of our private data, yet nothing has changed. Facebook’s Cambridge Analytica scandal sent Mark Zuckerberg to face questions by Congress, and again nothing changed. And now there are reports that major telecom companies are selling our location data to shady third-parties. 
So I ask you, will there finally be a bigger data breach that makes an even bigger impact this year which will drive a regulation from the federal level? Here’s Ameesh Divatia, CEO and co-founder of Baffle, a data encryption company, with his thoughts on the development of new data privacy laws and regulations in the United States this year. Ameesh: I think that would be very, very important because right now we have a mishmash where every state has a notification law, which means that you have to tell somebody and notify somebody about the fact that you’ve lost customers’ data. So a uniform notification approach would definitely help. I think the key issue is the whole issue of fines. I think GDPR took it to a whole new level as to how to fine entities that lose data. We need a more practical approach to that and I think that you’re going to see that. Where it hurts but doesn’t put you out of business, because you do want data collection. Like I said very early on, it’s very critical; there is no way you’re going to get a lot of services without data being collected. But processing that data responsibly is what it’s all about. I always say security has traditionally been sort of sold with fear in the background. And that’s not good for anybody. What we see is a transition where being more secure and being able to protect the customers’ data is going to become a differentiator, a competitive differentiator versus the necessary evil that always gets in the way of business. And if that really starts happening that’s a true win-win for the industry as well as for the data aggregators. Tom: So what do you see happening with privacy this year? Ameesh: So what we see for 2019 is obviously a continued focus on the fact that privacy has to be taken seriously. I think you’re going to see some big fines being levied. 
Whether it’s the European Union or even the US states that are starting to catch up, I think that’s going to be another game changing event for 2019 where one of the large data aggregators is going to be fined. And that’s going to get the focus more and more on the fact that collecting data is the first step but making sure you protect it is a necessary second step. Tom: That was Ameesh Divatia from Baffle. Now, ironically just this past week we saw news stories that two major tech companies, Google and Facebook, are being fined or in the process of being fined. According to a report by the Washington Post, the Federal Trade Commission is planning on issuing a fine to Facebook because of the violation of an agreement dating back to 2012 stating that Facebook would keep certain user information private. No details on when this fine may happen or how much the fine will be, have been released. However, it’s sure to be much larger than the recent fine of £500,000 issued by the United Kingdom to Facebook back in October of last year. Google, however, is right now being fined $57 million

Jan 28, 2019 · 10 min
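The episode above is titled for Nest cameras hijacked through credential stuffing, the same attack the March 4th episode describes against TurboTax: credentials from old breach dumps replayed across many accounts on a service that was never itself breached. Because each account sees only one or two attempts, per-account lockout rarely fires; the tell is one source trying many different accounts with a high failure rate. The block below is an added example, not code from the podcast or from Nest: a detector run over a constructed authentication log. The log format, the field names, the IPs and the thresholds are assumptions for the demo. It also lists the accounts that returned a success from a flagged source, since those are the ones to force a password reset and MFA enrolment on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of an application's authentication log (not real data).
# 203.0.113.5 walks through eight different accounts in twenty seconds with
# one success; 198.51.100.7 is a user who mistypes once; 192.0.2.9 hammers a
# single account, which is brute force, a different pattern.
SAMPLE_LOG = """\
2019-01-20T03:14:00Z ip=203.0.113.5 user=alice result=fail
2019-01-20T03:14:03Z ip=203.0.113.5 user=bob result=fail
2019-01-20T03:14:06Z ip=203.0.113.5 user=carol result=fail
2019-01-20T03:14:09Z ip=203.0.113.5 user=dana result=ok
2019-01-20T03:14:12Z ip=203.0.113.5 user=erin result=fail
2019-01-20T03:14:15Z ip=203.0.113.5 user=frank result=fail
2019-01-20T03:14:18Z ip=203.0.113.5 user=grace result=fail
2019-01-20T03:14:21Z ip=203.0.113.5 user=heidi result=fail
2019-01-20T03:20:00Z ip=198.51.100.7 user=alice result=fail
2019-01-20T03:20:20Z ip=198.51.100.7 user=alice result=ok
2019-01-20T03:25:00Z ip=192.0.2.9 user=bob result=fail
2019-01-20T03:25:05Z ip=192.0.2.9 user=bob result=fail
2019-01-20T03:25:10Z ip=192.0.2.9 user=bob result=fail
""".splitlines()

# Assumed log line format: "<ISO-8601 UTC> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines in an unexpected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.8) -> Dict[str, dict]:
    """Flag sources that, within `window`, try at least `min_distinct_users`
    different accounts with a failure ratio of at least `min_fail_ratio`.
    Many distinct accounts per source separates stuffing from a user's own
    typos and from brute force against one account."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        j = 0
        for i in range(len(evs)):  # sliding window over this source's events
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            span = evs[i:j]
            users = {e["user"] for e in span}
            fail_ratio = sum(not e["ok"] for e in span) / len(span)
            if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": round(fail_ratio, 2),
                        "window_start": span[0]["ts"].isoformat(),
                        # successes from a flagged source are the hijacked accounts
                        "compromised_users": sorted(e["user"] for e in span if e["ok"]),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Real stuffing tools rotate through proxy pools, so a single-IP view will miss the slow, distributed variant; the same window logic applied per ASN, per user-agent fingerprint, or across the whole service (distinct accounts failing per minute against the baseline) is the usual next step, and it does not change the detector above, only what it groups by.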

Ring Doorbell Privacy Concerns, Recent Password Breach News, Biometrics and Fifth Amendment Rights

This is your Shared Security Weekly Blaze for January 21st 2019 with your host, Tom Eston. In this week’s episode: Ring doorbell privacy concerns, news on a recent password breach, and a new ruling on biometrics and Fifth Amendment rights. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Amazon, which now owns popular smart doorbell maker Ring, is being accused of mishandling video footage from customers’ cameras. In a report from the Intercept, Ring is accused of mishandling videos that were taken from their line of smart home security cameras and allowing unrestricted access by internal employees to these videos. According to the article, in 2016 Ring moved its R&D operations to Ukraine in a cost saving measure and the team had quote “unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” end quote On top of that, there was a database that allowed internal users access to run a search on any videos linked to a particular user and Ring executives and engineers in the US were allowed quote “unfiltered, round-the-clock live feeds from some customer cameras.” end quote Apparently, Ring uses this team in Ukraine to manually tag videos so that one day Ring’s AI technology could be trained to leverage this type of metadata. 
Videos from Ring’s line of smart cameras can contain video from outside and inside someone’s house. Ring responded to the Intercept article with the following statement quote “We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.” end quote. There was more to their statement about their internal policies but I think you get the idea. The Intercept’s sources for this story, of course, dispute these claims from Ring’s management. While one can argue the trustworthiness of this article, it does have a great point to it. If you’re using a smart device like a Ring doorbell camera that saves its video or data to the cloud, you should probably assume that someone else will most likely be able to view your data. Regardless of what the company’s privacy policy or terms of use say, there will always be ways for internal employees to access this data. From customer support situations or using your data to improve their own technology, companies will find creative ways to leverage incredibly valuable private information, especially from video feeds. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. 
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. When you see articles with sensational titles like “Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach” you usually think that this is a pretty serious situation. However, in this day and age, don’t be so quick to jump to conclusions as in this case these 773 million records with 21 million unique passwords are actually a collection of past data from many different data breaches. This data dump called “Collection #1” is approximately 87GB in size and was first analyzed by Troy Hunt who manages the HaveIBeenPwned data breach notification service. Troy Hunt confirmed that this data was in fact made up of many different data breaches from many different sources. Brian Krebs from KrebsOnSecurity.Com went a st

Jan 21, 2019, 9 min

US Government Shutdown, Privacy at CES 2019, Mobile Location Data Controversy

This is your Shared Security Weekly Blaze for January 14th 2019 with your host, Tom Eston. In this week’s episode: The US government shutdown and cybersecurity, privacy takes center stage at CES 2019, and a mobile location data controversy. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. As of this podcast recording it’s been over 19 days since the US government shut down due to Congress not being able to agree on a bill for border security. This has meant that about a quarter of all federal departments (which is about 800,000 federal workers) are furloughed and the government is unable to pay people working for these departments. While we patiently wait for Congress to figure out how to end the shutdown, there is now cause for concern that because of this shutdown, US national security and cybersecurity may be affected, now and even into the future. Even in a government shutdown, cybersecurity threats to the nation are not going to stop and in fact, attackers love it when a company or government is in chaos, which means attacks will increase. Key departments like the new, two month old, Cybersecurity and Infrastructure Security Agency (part of the Department of Homeland Security) have had about 45% of their staff furloughed. 
In addition, the DHS Office of Intelligence and Analysis and the Office of Operations Coordination (which both provide security intelligence to the private sector and intelligence community) are also on furlough. It’s also important to note that other critical cybersecurity services like NIST (which stands for The National Institute of Standards and Technology) have 85% of their staff furloughed. NIST regulates federal agencies and provides security standards for the private sector which includes many new and updated risk management frameworks and guidelines on security controls. Besides cybersecurity, 90% of airport security TSA agents (who are actually quite underpaid) are working without pay and that has caused many agents to call off sick or quit their jobs. And that means longer lines for you at the airport. Let’s hope that Congress and the President can come up with some type of compromise soon, or we may see longer lasting impacts to US national cybersecurity. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. 
Privacy took center stage at the Consumer Electronics Show in Las Vegas last week when Apple placed a giant ad on a 13-story building, which happens to overlook the CES convention center with the message “What happens on your iPhone, stays on your iPhone.” This ad included a friendly link to apple.com/privacy, which talks about how your data is protected by using Apple products. This is obviously a direct stab at competitors like Amazon, Google, and Facebook which have been continuously in the news about privacy issues and breaches of user data. Many of these stories we cover on this podcast every week. But CES is also about new products and there have been a lot of privacy and security gadgets being shown off at this year’s show. All these new gadgets are connected to the Internet and almost all new products have some relation to privacy and security of user data. Smart speakers and their accessories in particular were a highlight of this year’s show. For example, a device called Mute+ from a startup called Smarte, creates a layer of protection to stop smart speakers from picking up sensitive conversations. And another product called Snips allows you to build voice activated products that run locally on the device and not in the cloud like Google and Amazon’s voice assistants. Because data is stored on the device, there is less of a data harvesting or privacy c

Jan 14, 2019, 10 min

Cybersecurity Careers, Recruiting, and Volunteering with Kathleen Smith

New year, new Cybersecurity job? If you’re looking for a new job or just starting out in Cybersecurity you’ll want to listen to this episode of our monthly show where we’re joined by special guest Kathleen Smith, CMO of ClearedJobs.net and CyberSecJobs.com. We discuss Kathleen’s recent survey on people who advance their career by volunteering in the Cybersecurity community, the Hire Ground career track at the BSides Las Vegas cybersecurity conference, how to work with recruiters and job boards, why you should plan (rather than react) when you look for a new job, and much more! Thanks again to Kathleen for being a guest on our show! Be sure to connect with Kathleen on Twitter. The post Cybersecurity Careers, Recruiting, and Volunteering with Kathleen Smith appeared first on Shared Security Podcast.

Jan 9, 2019, 24 min

Newspaper Ransomware Attack, How Facebook Tracks You on Android, USB-Type-C Authentication

This is the 50th episode of the Shared Security Weekly Blaze for January 7th 2019 with your host, Tom Eston. In this week’s episode: Newspaper Ransomware Attack, How Facebook Tracks You on Android, and USB-Type-C Authentication. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Several large newspapers in the US, owned by media giant Tribune Publishing, started off 2019 by having to respond to a massive ransomware attack that caused major printing and delivery problems. Newspapers affected included the Chicago Tribune, Baltimore Sun, the Los Angeles Times as well as several other Tribune Publishing affiliates. The attack, which started on December 29th, targeted critical news production systems and other infrastructure responsible for the newspaper printing process. According to the Los Angeles Times, the attack appears to be carried out by a foreign state or other such organization and some sources with knowledge of the attack have said that the malware appears to be a form of “Ryuk” Ransomware which is typically very targeted and has been around since last August, when one particular form of Ryuk was found to have collected about $640,000 worth of Bitcoin from victims. 
Of course, some are quick to blame the Russians due to the .ryk naming convention found on the encrypted files that the malware left behind and because most attacks these days seem easy to attribute back to Russia. However, past origins of Ryuk ransomware may actually be tied to North Korea, as was determined from a research report last year which revealed that some of the Ryuk source code was actually copied from the Hermes ransomware that was used by the Lazarus Group. The Lazarus Group just happens to be a nation state espionage team previously associated with North Korea. As we all know, attribution is hard. Source code of ransomware can be copied and easily reused by others. The best response for most organizations that are hit with ransomware, like in this most recent example, is to ensure you know how to respond to an attack like this, as being hacked will most likely happen to most organizations sometime in the future. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. A talk given by UK-based Privacy International at the 35th Chaos Communication Congress hacking conference last week shows that many popular Android applications are sending tracking information to Facebook without you even having a Facebook account. 
The research focused on 34 Android applications that have between 10 and 500 million users. By decrypting and analyzing all third-party trackers the apps were using, the researchers found that 23 of these apps were sending data to Facebook such as if the app was opened or closed, device information, language and time zone settings, and the user’s Google advertising ID which can allow companies like Facebook to conduct profile matching. The talk also pointed out that what Facebook is doing is also in common with what other companies like Google, Amazon and Twitter are doing, which offer analytics services for application developers. Other points from the talk include criticism of Facebook for only enforcing the collection of user information through contractual and legal means and that Facebook’s current opt-out cookie policy had no effect on the data the researchers have questioned. Facebook responded to the talk by noting that their upcoming “Clear History” feature, which was one of the developments from the Cambridge Analytica scandal, would be a way for users to remove this data sent by third-party apps. This is just the latest in a long string of seemingly endless data brea

Jan 7, 2019, 9 min

Phishing Attack Targeting Two-Factor Authentication, Amazon Echo Eavesdropping, Netflix Email Scam – WB49

This is your Shared Security Weekly Blaze for December 31st 2018 with your host, Tom Eston. In this week’s episode: a new phishing attack targeting two-factor authentication, Amazon Echo eavesdropping, and a new Netflix email scam. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. As this is the last episode in 2018, I wanted to thank all of you for listening and supporting the podcast this year! Happy New Year and we look forward to helping you stay more secure and private in 2019! A recent report from Amnesty International shows that there is a large phishing campaign taking place targeting hundreds of individuals in the Middle East and North Africa. The campaign seems to be targeting email accounts from Google, Yahoo as well as more secure email services from ProtonMail and Tutanota. In the case of attacks targeting ProtonMail and Tutanota, the attackers simply added the letter ‘e’ to the end of ‘proton’ in the domain name ‘protonmail.ch’ and with Tutanota they used the domain ‘tutanota.org’ when the real domain is ‘tutanota.com’. While these two techniques are very common with many similar phishing attacks, these are specifically designed to bypass common forms of two-factor authentication such as text message based methods. 
Essentially, the attackers set up a login page to an email service and in the background some fancy scripting acts as a proxy to the real email service while you enter your login credentials and then your two-factor authentication code sent to your phone. This attack could even work against app based two-factor authentication like Google Authenticator as well. Mitigations for this type of phishing attack are the typical ones we always recommend like carefully looking at the web address in the email or address bar of your web browser and using a newer but more secure form of two-factor authentication such as a hardware security key from companies like Yubikey and others. I found it interesting that the details in this report were specifically directed towards human rights defenders because they are almost always targeted by nation state governments through phishing attacks like these. But as we continue to see, what I would call the arms race, between us and attackers using more creative ways to conduct phishing campaigns, it’s more important than ever to take the stance of ‘think before you click’. In fact, phishing attacks, like the ones described in this report, are becoming so common that it’s advisable to never click on links in an email altogether. Instead, manually type in the web address of the site you’re being prompted to click on. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. 
Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. Did you receive an Amazon Echo device as a gift over the holidays? Well you may want to pay attention to this story as a man in Germany got much more than he asked for when requesting a copy of all the data Amazon had about him. Apparently, when Amazon sent him the download link to his data, he was accidentally given access to 1,700 private audio recordings from an Amazon Echo device that were generated by a completely different household. The man requesting his data from Amazon said he doesn’t even own or use an Amazon Echo device. A spokesman for Amazon told Reuters last week that, “This unfortunate case was the result of a human error and an isolated single case

Dec 31, 2018, 9 min

The Year in Review and 2019 Predictions with Special Guest Kevin Johnson

Watch this episode on our YouTube channel! In this year end episode of the podcast, we’re joined by frequent guest Kevin Johnson to recap the big cybersecurity and privacy news of this past year, talk about a little movie called Star Wars, and have some fun discussing our “predictions” for what’s to come in 2019. The Shared Security Podcast sponsored by Silent Pocket and Edgewise Networks. Thank you to our listeners and sponsors for an amazing year! We really appreciate your support of the show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post The Year in Review and 2019 Predictions with Special Guest Kevin Johnson appeared first on Shared Security Podcast.

Dec 26, 2018, 53 min

Healthcare Databases Exposed, Facebook’s Photo API Bug, Signal Speaks Out – WB48

Watch this episode on our YouTube channel! This is your Shared Security Weekly Blaze for December 24th 2018 with your host, Tom Eston. In this week’s episode: Healthcare databases exposed, Facebook’s Photo API bug, and Signal speaks out. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. A new report called the “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” from threat intelligence firm IntSights shows that about 30 percent of all healthcare databases end up unsecured and exposed to the Internet. Some key findings from their research: 90 hours of research found 15 exposed databases containing 1.5 million patient records. Based on their calculations this results in approximately 16,667 medical records discovered. Other interesting information from the report notes that the estimated price on the black market is $1 for a single medical record. Exposed databases were found using popular cloud data storage and sharing databases like Elasticsearch or MongoDB. Exposed and misconfigured Elasticsearch databases in particular have been a source of countless data breaches this year including one that we discussed on the podcast, the Exactis data leak, which exposed 340 million records back in July. 
Other interesting attack vectors found that led to healthcare databases being exposed include legacy and outdated file sharing protocols such as SMB and FTP as well as misconfigured APIs and of course our favorite, weak passwords. Recommendations from the report note the always standard security recommendations such as enabling two-factor authentication for web applications, limit third-party access to databases, closely monitor databases for unusual reads or requests, limit database access to specific IP ranges and conduct penetration testing to find exposed systems and vulnerabilities. One recommendation I would add is for healthcare organizations to evaluate what systems and databases may be exposed to the Internet and to have a process for discovering exposed systems on a continual basis. Certainly, penetration testing can be used for a point-in-time assessment but using vulnerability scanning and other discovery services on all company owned or third-party managed systems that are exposed to the Internet should be part of any good cybersecurity program. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. 
Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. Facebook recently announced yet another vulnerability that affected nearly 6.8 million of its users. Apparently, a bug in Facebook’s Photo API allowed third-party apps being used by Facebook developers to access not only the users’ private photos that they were authorized to access, but also photos that were shared on Facebook’s Marketplace, Facebook Stories, or photos that were uploaded but not posted by the user. For example, if someone uploads a photo but doesn’t finish posting it, those photos may have been exposed. Facebook says that this bug only impacted users for 12 days, from September 13th to September 25th of this year and that this issue has been corrected. If you were impacted by this vulnerability Facebook states that you will see an alert pop up when you login to Facebook. Facebook also recommends logging into any apps with which you may have shared Facebook photos to see which photos these apps may have access to. This most recent issue is a great reminder that you should frequ

Dec 24, 2018, 11 min

Equifax Data Breach Details Released, More Google+ API Bugs, Supermicro Strikes Back – WB47

Watch this episode on our YouTube channel! This is your Shared Security Weekly Blaze for December 17th 2018 with your host, Tom Eston. In this week’s episode: Equifax data breach details released, more Google+ API bugs and Supermicro strikes back. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. A report released last week from the U.S. House of Representatives Committee on Oversight and Government Reform about the Equifax data breach, known as the largest consumer data breach in US history, shows that the breach could have been entirely preventable. The 96-page report, which we’ve linked in the show notes for a very stimulating and exciting read, goes into great detail on how attackers were able to exploit an Apache Struts vulnerability on an application called the Automated Consumer Interview System (or known as ACIS). For 76 days Equifax failed to detect the breach even though massive amounts of data was being exfiltrated. The report said “Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times”. The breach went undetected because the device used to monitor ACIS network traffic was inactive for 19 months due to an expired SSL certificate on the data exfiltration monitoring system. 
Ironically, at the same time, Equifax had also allowed at least 324 other SSL certificates to expire and “including 79 certificates for monitoring business-critical domains”. Once the SSL certificate was renewed for the data exfiltration service, it was then immediately identified that a data breach was taking place. One of the interesting highlights I noticed in the report was about how the attackers were able to deploy 30 “web shells” (which are essentially backdoors) across the Equifax network due to the Apache Struts vulnerability. Because of these web shells, they were able to find a file containing unencrypted credentials which gave them access to 48 databases outside of the ACIS environment. After that, the rest is history. The other shocking, but not so shocking part of the report was the very passive and pretty much voluntary recommendations from the committee. Some of the recommendations include requiring credit agencies to offer a free summary of all data that they’ve collected about you, consider offering more than one year of pre-paid identity theft protection, and giving the Federal Trade Commission more power to monitor data security practices of credit agencies like Equifax. There was no mention of any federal law or government enforcement that would penalize credit agencies for maintaining poor cybersecurity. In my opinion, this is unacceptable. How many more data breaches will it take for the government to take the security and privacy of our personal data seriously? Only time will tell and we have a brand new year coming up to find out. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. 
Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. Google announced this week that they are expediting the shutdown of Google+ from August 2019 to April and that the Google+ API will be retired in 90 days. Why the sudden change? Well, back in November a software update caused a vulnerability in the Google+ API that may have impacted 52.5 million users. This vulnerability was found through internal testing procedures and it was fixed within a week of it being found. The vulnerability caused apps that were using the Goo

Dec 17, 2018, 10 min

The Quora Data Breach, Facebook’s Private Emails, Google Location Tracking – WB46

Watch this episode on our YouTube channel! This is your Shared Security Weekly Blaze for December 10th 2018 with your host, Tom Eston. In this week’s episode: the Quora data breach, Facebook’s private emails, and Google location tracking. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Be sure to enter our Silent Pocket Faraday Bag giveaway currently taking place until December 17th 2018. This prize package is valued at over $100! See our show notes for the link to enter and good luck! ENTER THE SILENT POCKET GIVEAWAY: https://kingsumo.com/g/ydnieb/silent-pocket-faraday-bag-prize-package Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Another week and yet another massive data breach. This time the company is Quora, the popular question-and-answer website. In an announcement last week Quora disclosed that 100 million users may have had their private information stolen when a malicious third-party gained access to one of Quora’s systems. Quora states that the issue was discovered on November 30th and that the investigation is ongoing. However, they did disclose that account information, which is name, email address, encrypted password hashes (apparently using bcrypt with a salt), data imported from linked networks, public content and actions as well as non-public content such as direct messages, has all been compromised. 
One interesting point they made was that anonymous questions and answers were not affected by this breach because Quora does not store details of anonymous users using their site. If you’re a Quora user, the typical data breach recommendations apply. Change your password and don’t use the same password for every site and service that you use. I did find it surprising that they did not mention enabling two-factor authentication. That’s because, unfortunately, two-factor authentication is not available for Quora’s users (at least as of this podcast recording). Just two weeks ago Marriott announced that 500 million customers had their personal information stolen as well. Just as an update to this news, recent reports from Reuters now indicate that Chinese nation-state hackers may have been to blame as private investigators looking into the breach have found hacking tools and techniques previously attributed to China. Having yet another announcement of a data breach that reaches into the hundreds of millions is becoming so common, I think many of us believe that this is just the new normal. While there isn’t much we can do about how third-party companies are protecting our information, what is under our control though is the very basics of good cybersecurity practices and that is, password management. Which means you should be using a password manager, create complex and unique passwords for every site that you use, and always enable two-factor authentication if available. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. 
Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. Facebook was in the news again this past week when private internal Facebook emails were disclosed in documents provided by the UK Parliament during a recent government panel that is investigating Facebook. The emails paint a very clear picture that back in 2012, many years before the Cambridge Analytica scandal, Facebook was looking for ways to monetize the private information it had about its users. One of the ideas discussed with Facebook CEO Mark Zuckerberg was about charging apps and developers for access to user data, at

Dec 10, 2018 (10 min)

Massive Marriott Data Breach, Secure Holiday Shopping Tips, Phishing Sites Using HTTPS – WB45

Watch this episode on our YouTube channel! This is your Shared Security Weekly Blaze for December 3rd 2018 with your host, Tom Eston. In this week’s episode: the massive Marriott data breach, secure holiday shopping tips, and phishing sites using HTTPS. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In late breaking news last Friday Marriott, the world’s largest hotel chain, disclosed a massive data breach that was identified on September 8th of this year affecting up to 500 million guests. That will make this data breach one of the largest in history. Apparently, the Starwood guest reservation database had been accessed by an “unauthorized party” since 2014; yes, that’s correct, someone had access to this database for 4 years. Private information stolen was categorized by Marriott in two groups of guests. First, approximately 327 million guests had some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences accessed. Some of these guests also had their credit card information accessed, even though Marriott states it was encrypted. However, Marriott disclosed that two components used to encrypt the cards (aka: the encryption keys) were potentially stolen as well. 
For the remaining 173 million guests only name and sometimes other data such as mailing address, email address, or other information was accessed. In our show notes we’ve linked to a web page that Marriott has set up where you can find additional details as well as to sign up for your “complimentary” monitoring service if you’re one of the victims. If you happen to be a victim, like with other data breaches you should change your password for any Starwood Hotels or Marriott rewards program. And while you’re at it, ensure you’re not saving your credit card details for future use. In general, it’s always advisable to never store your credit card with the sites and services you use. While an inconvenience, this matters because the majority of the time, even when credit card data is encrypted, it is still compromised in a data breach when the encryption keys are also found. Per the other usual advice we give, enable two-factor authentication and of course, closely monitor your credit card statements for unusual activity. As this story will likely evolve throughout the week, we’ll keep you updated on our Twitter and Facebook with information about this data breach as we receive it. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. 
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. The holiday shopping season is upon us which means we all need to be more aware of fraud and scams that may be targeting us while we shop online. According to an article from CBS News, Dave Kennedy from cybersecurity firm TrustedSec, says that they are seeing “a 317 percent increase in these attacks, compared to the average month”. Why might this be the case? Besides the fact that all of us are spending more money compared to other months, the holidays tend to add a lot of additional stress and pressure that can cause us to be more susceptible to scams and fraud. Scams to look out for this holiday season are ones that may lure you with online coupons, discounts, fake ads and threats like ones that state “you must act now because supplies are limited”. Th

Dec 3, 2018 (12 min)

Special Guest Tanya Janca, DevOps and AppSec, Women in Cybersecurity – #82

In this episode Tom and Scott are joined by special guest Tanya Janca who is a Senior Cloud Developer Advocate for Microsoft. We speak with Tanya about her journey into the world of AppSec, women and minorities in Cybersecurity, her advice for getting started in AppSec, her OWASP project (DevSlop), the current state of DevOps and privacy, and much more! Tanya is one of our most fun and engaging guests, it’s one not to miss! Below are show notes and links mentioned in the podcast: Tanya’s blog on Medium and her article on getting started in AppSec. Follow Tanya on Twitter. You can try connecting with her on LinkedIn but she’s maxed out her connections! (we didn’t even know this was possible) Tanya hosts a weekly live streaming OWASP DevSlop show every Sunday at 1pm Eastern. Check it out on Mixer, Twitch, or YouTube. You can also watch this episode with Tanya on YouTube! Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening! The post Special Guest Tanya Janca, DevOps and AppSec, Women in Cybersecurity – #82 appeared first on Shared Security Podcast.

Nov 30, 2018 (38 min)

Vehicle Infotainment Privacy, Instagram’s Accidental Password Exposure, Firefox Monitor – WB44

This is your Shared Security Weekly Blaze for November 26th 2018 with your host, Tom Eston. In this week’s episode: Vehicle infotainment privacy, Instagram’s accidental password exposure, and the Firefox Monitor data breach notification service. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. A new Bluetooth vulnerability and exploit that affects millions of vehicles worldwide, called CarsBlues, was announced by Privacy4Cars founder Andrea Amico. The exploit, which has been disclosed to auto manufacturers through the Automotive Information Sharing and Analysis Center (or Auto-ISAC as it’s also known), can be performed in a few minutes using inexpensive and readily available hardware and software and apparently does not require significant technical knowledge either. Information that could be accessed through the vulnerability includes stored contacts, call and text logs and text messages. While exact details on the vulnerability have not been released, Privacy4Cars has said that the people most vulnerable would be those that may have synced their phones to cars that are no longer under their control, like rental cars or leased vehicles. 
Privacy4Cars, which offers a free mobile app that shows you how to delete private data that you may have synced to a car, notes that “industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems”. This recent news is a great reminder that we all need to be cautious syncing our phones and devices to our car, especially when we’re syncing our phones to rental cars or we’re in situations where we may be dropping our cars off for repair. I know I’ve noticed that when simply plugging in my phone to the built-in USB charger in a rental car, the infotainment system will oftentimes automatically sync your contacts and text messages. If you’re not familiar with how to delete your synced information or if you need to find out how to reset the car’s infotainment system, check out the Privacy4Cars app which we have linked in the show notes for this episode. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. 
Instagram said last week that they have fixed a vulnerability in its new “download your data” feature that may have inadvertently exposed users’ passwords. The download your data feature is a recently added privacy enhancement that allows you to download all your photos, comments, posts and other information you may have shared with Instagram. The issue was caused by a feature for added security where Instagram asks you for your password before downloading your data. A vulnerability in this security feature allowed the plain text password to be included in the URL as well as stored on Facebook’s servers. Both of these issues were identified by internal Instagram staff. As you all should be aware, Instagram is part of Facebook and uses Facebook’s servers and infrastructure. The good news is that the issue has been corrected and the password data has been deleted. If you happened to be affected, Instagram will notify you to update your password as well as clear your browser cache. It’s worth noting that Instagram added the “download your data” feature to comply with the new European data privacy regulations we all know and love as GDPR. Back in October, Facebook fixed a more serious vuln

Nov 26, 2018 (9 min)

Harry Sverdlove, Edgewise Founder and CTO – Special Edition

In this special edition of the podcast we speak to Harry Sverdlove, who is the Founder and Chief Technology Officer of Edgewise. Harry talks with us about the concept of “zero trust” and their innovative technology that can help stop data breaches. Find out more at Edgewise.net, and schedule a demo by clicking on the “Request Demo” button on the main page. Thanks again to Harry for being our guest on the show and to Edgewise for sponsoring the podcast! The post Harry Sverdlove, Edgewise Founder and CTO – Special Edition appeared first on Shared Security Podcast.

Nov 23, 2018 (24 min)

USPS Informed Delivery Vulnerabilities, Holiday Credit Card Fraud, Huge SMS Database Leak – WB43

This is your Shared Security Weekly Blaze for November 19th 2018 with your host, Tom Eston. In this week’s episode: USPS Informed Delivery vulnerabilities, protecting yourself from credit card fraud and a huge SMS database leak. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Are you using or thinking about using the US Postal Service’s “Informed Delivery” feature? If so, you’ll want to pay close attention to the recent warning from the US Secret Service which was sent to law enforcement across the country earlier this month. This alert stated that fraudsters are leveraging this feature to surveil potential identity theft victims and references a recent case in Michigan where seven people were arrested for apparently stealing credit cards from mailboxes after registering as those victims for the Informed Delivery service. Brian Krebs from KrebsOnSecurity.com, who broke the news about the Secret Service alert, has noted that in the past the postal service has had no way to notify residents when someone signed up for the Informed Delivery service at their address. However, earlier this year the postal service corrected this issue by now mailing residents if someone has signed up for Informed Delivery at their address. Unfortunately, this doesn’t solve the problem if fraudsters simply order credit cards to the address before signing up for the service. 
Once the cards have been ordered the fraudster can then take advantage of the week or so that it takes to get a credit card in the mail to sign up the victim for Informed Delivery. The other issue with Informed Delivery is that to sign up for the service you’re asked four knowledge based authentication (also known as “KBA”) questions which typically have answers which can be Googled or found through other searching techniques on the Internet. It has been well known for quite some time that KBA is not a reliable form of authentication. So what can you do if you’re concerned about having your address hijacked by a fraudster using Informed Delivery? Unfortunately, not a lot at this point. Putting a freeze on your credit can help: if someone is trying to set up Informed Delivery in your name, then the KBA process can’t access your credit files. However, Brian Krebs reports that this may not be working for everyone with a credit freeze in place. You may also want to “plant your flag” so to speak by signing up for Informed Delivery before someone else does. When signing up myself I was asked to visit my local post office branch to physically verify me or have an “invitation code” sent to me through the mail. Other than that, you can try to email the postal service to attempt to ‘opt-out’ of Informed Delivery but according to reports, emails are going unanswered and those that have had responses are asked KBA questions that are to be responded to through plain text email. And we all know plain text email is not a secure means of communication. It’s safe to say that Informed Delivery is quite the mess right now. We’ll be sure to keep you updated on any changes or improvements to the security and privacy of Informed Delivery in future episodes. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. 
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. A report last week released by firm Gemini Advisory showed that credit card fraud is still increasing in the US despite the use of new EMV chip-enabled

Nov 19, 2018 (12 min)

Midterm Election Security, Gait Recognition Surveillance Technology, Caller ID Authentication – WB42

This is your Shared Security Weekly Blaze for November 12, 2018 with your host, Tom Eston. In this week’s episode: Midterm Election Security, Gait Recognition Surveillance Technology and Caller ID Authentication. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. The mid-term elections here in the United States took place last Tuesday and the Department of Homeland Security has said that there has been no evidence of any hacking that took place on the election infrastructure. As many of you may be aware, last Tuesday’s election was the first major election in the United States since Russia attempted to influence the 2016 presidential race. In fact, Department of Homeland Security Secretary Kirstjen Nielsen has said that last Tuesday’s election “is the most secure election in the modern era”. Surprisingly, many areas of the country are still using paper ballots. In fact, 21 states are using full paper ballots and others are using a hybrid approach of paper and voting machines. As you can imagine the security of voting machines has been a hotly debated topic ever since the DEF CON hacking conference that took place in August of this year. This conference had a voting machine hacking village in which several different types of real voting machines were found to be vulnerable to many different types of attacks. 
These attacks could manipulate election results as well as cause other havoc on the overall election system. The biggest concern found with vulnerable voting machines though is physical security, as the majority of these hacks require physical access to the voting machine. As long as polling places and local governments running and managing voting infrastructure take the physical security of these machines seriously, the risk of election result manipulation via the machine itself remains very low. If you’re interested in learning more about voting machine security, Scott and I dedicated an entire episode to this fascinating topic in episode 79 of our monthly show. The bigger issue this election season though has been malicious manipulation of voters through the influence of social media. Just last week it was reported that Facebook had blocked more than 100 accounts that had ties to a Russian “troll farm” designed to influence the midterm elections. Facebook also noted that it deleted dozens of accounts that were linked to Iran in late October. Our advice is to always be careful of what you see posted on social media, not just political posts, as a lot of this information may be coming from a non-trusted source designed to manipulate your views. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. 
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. A new form of surveillance technology called “gait recognition” software is now being used by Chinese police on the streets of Beijing and Shanghai as well as other areas of China. Gait recognition software can identify someone by their body shape as well as how someone walks. The technology, created by a company called Watrix, does not need special cameras and works even when faces are hidden or unable to be identified through traditional facial recognition technology. Gait recognition has a 94 percent accuracy rate which is good enough right now for commercial use. The software works by first uploading video footage then by extracting someone’s silhouette from a video wh

Nov 12, 2018 (10 min)

Microsoft and Apple Security Updates, Signal’s Sealed Sender, Girl Scouts Data Breach – WB41

This is your Shared Security Weekly Blaze for November 5th 2018 with your host, Tom Eston. In this week’s episode: Microsoft and Apple security updates, Signal’s sealed sender and the Girl Scouts data breach. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. This past week Microsoft announced that its built-in anti-virus application called Windows Defender now has the ability to run within a “sandbox” environment. Sandboxing allows an application to run in a separate environment away from the rest of the Windows operating system and other applications installed on a PC. Sandboxing in Windows Defender is a very important security update given that Windows Defender runs as a high-privileged service and is a large target for attackers to compromise. Windows Defender is also the only anti-virus solution on the market with this capability. In order to enable sandboxing in Windows Defender you need to make a quick environment variable change within Windows if you want to use this feature right away. However, Microsoft plans on deploying this update to all Windows Defender users in the near future. See our show notes for details on how to enable sandboxing if you’re interested in using this new feature. 
In other security update news, Apple has released several new security updates on the heels of the announcement of new Macs and iPads at Apple’s event last Thursday. Security updates for macOS Mojave, High Sierra, Sierra, iOS, watchOS, tvOS, Safari, iTunes, and iCloud for Windows were all released. One particularly serious vulnerability for macOS could potentially allow remote code execution or crash your device. During the Apple event on Thursday, Apple also announced that new MacBooks with the new T2 security chip will automatically disable the microphone when the lid of the MacBook is closed. This new privacy control will prevent any type of software, especially spyware or “stalkerware” with root or kernel privileges, from engaging the microphone when the lid is closed. This privacy feature is a large step forward to help combat malware that may be installed without the user’s knowledge for surveillance and stalking. Be sure to listen to episode 40 of this podcast for more details on stalkerware and how to know if one of these apps may be installed on your device. These two stories once again emphasize that it’s important to keep the operating systems and anti-virus software on your devices, and even hardware, up-to-date for the most current security and privacy protections. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. 
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. Signal, the highly recommended messaging app that provides end-to-end encryption, announced last week a new privacy feature called “Sealed Sender” that is now available in the public beta release of Signal. The ‘sealed sender’ functionality will now hide details on who is messaging whom on the Signal service. Signal, by design, does not store any information about your contacts, conversations, locations, and group information. However, one small piece of metadata within the Signal service was not able to be hidden, which is who is messaging whom. Sealed sender can be described like a traditional piece of physical mail where the outside of the envelope has the address of both the sender and recipient. You can’t initially see

Nov 5, 2018 (9 min)

Fortnite Scams, Google Search Privacy, Bloomberg SuperMicro Controversy – #81

This is the 81st episode of the Shared Security Podcast, sponsored by Silent Pocket and Edgewise Networks, hosted by Tom Eston and Scott Wright and recorded on October 29, 2018. Listen to this episode and previous ones direct via your web browser by clicking here. This episode is also available to watch on our YouTube Channel. In this episode Tom and Scott cover the recent rise in Fortnite scams, new privacy controls in Google search and the controversy over the Bloomberg article and SuperMicro. Below are show notes and links mentioned in the podcast: Fortnite scams are increasing due to the massive popularity of the game. Many teens and adults play this game so be on the lookout for scams over email, websites, and even YouTube videos. Google is putting more privacy controls directly in “Google Search”. This is a great idea but your privacy across all the many different Google services will continue to be a challenge. We also discuss the benefits of using search engines that have your privacy in mind like DuckDuckGo and StartPage. The Bloomberg story that came out several weeks ago about SuperMicro continues to cause controversy in the cybersecurity community. Scott gives his take on the situation! Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening! The post Fortnite Scams, Google Search Privacy, Bloomberg SuperMicro Controversy – #81 appeared first on Shared Security Podcast.

Oct 31, 2018 (38 min)

Spy Apps and Stalkerware with Special Guest Jeff Tang – WB40

This is your Shared Security Weekly Blaze for October 29th 2018 with your host, Tom Eston. In this week’s episode: Spy apps and Stalkerware with special guest Jeff Tang. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Spy apps, better known as “stalkerware”, are apps that can be used to track and spy on the activities that someone does on a mobile device. Activities can include everything from being able to read text messages, view photos, emails, see websites visited, track real-time GPS location, turn on the microphone or camera, view social media usage, and much more. These apps go by the names of mSpy, FlexiSPY, Retina-X, and many others that are widely available for purchase. While there may be legitimate purposes for installing an app like these, for example, parents that might want to track what their kids are doing on their mobile devices or employers monitoring company issued mobile phones, criminals as well as stalkers are also using these apps to conduct surveillance and monitoring of a victim’s device. These apps are very concerning for someone that might be in a domestic abuse situation or is being criminally stalked. In this episode we’re going to cover why these apps have become so popular, how they are installed and how you can detect if someone has installed one of these apps on your mobile device. Tom Eston: Joining me to talk about spy apps and stalkerware is Jeff Tang, who is the Senior Manager of Applied Research at Cylance. Welcome to the show, Jeff. Jeff Tang: Hey Tom, thanks for having me. 
Tom Eston: So what’s your take on these apps, and why do you think they’re becoming so popular? Jeff Tang: I think there’s a lot of interest in these apps because we’re in a new society where we’re actually recording everything, and everything is becoming digital. Our entire lives are captured onto our cell phones from photos, to text messages, to emails, to just GPS location. And we’re in this age where all this data is now available, and I think we’re seeing the commoditization of the spying applications that take advantage of the availability of this data. So I think a lot of the popularity is just like this wasn’t possible before smartphones existed, it was much more difficult to try to capture someone’s location, but now we all carry a GPS device in our pockets. Tom Eston: Yeah, I’m kind of reminded of… If you’re a fan of the Breaking Bad TV show where they put a GPS locator on somebody’s car and then they use an old style type of GPS tracker to follow the car around, right? Jeff Tang: Yeah, and those are actually still really common, right? You can go on Amazon and buy them for as cheap as 20 bucks. Tom Eston: So the technology has definitely evolved. So, is it just because we now have more power in our fingertips that it makes these apps a lot easier for people to use? Jeff Tang: Yeah, I think it’s… We’ve all had kind of an inclination to know what’s going on. And now in 30 seconds we can go and search for something like this. And there are other vendors out there that are willing to provide this as a service. Tom Eston: So how do these apps get installed? I would think that you either have to have physical access to the device, or are there other ways that somebody would install this on your device? Jeff Tang: So there are effectively two ways that these apps can work. The first way is if you are an iCloud customer where your phone is constantly being backed up to the Cloud. 
If your iCloud credentials get compromised, as we’ve seen in the past when celebrities were getting their phones hacked, these services can just go download the backup off the Cloud, extract all the information, and present it to you in their dashboard. The second way is having physical access to the device or having some way of installing this malicious application onto the device. So if, for instance, you lose sight of your phone for a few minutes and you don’t have a passcode on it, someone can easily just grab your phone, install the app, allow it the necessary permissions to access your microphone, your contacts, your GPS location and so on, and then it functions like a normal application. Tom Eston: So are there any dangers to having one of these apps installed on your phone? So I know a couple of these apps do things like they jailbreak or root your device. I would assume that that’s dangerous in terms of disabling certain things on your device in order for this app to run, correct? Jeff

Oct 29, 2018 – 11 min

Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39

This is your Shared Security Weekly Blaze for October 22nd 2018 with your host, Tom Eston. In this week’s episode: Hotel Room Security and Privacy with Special Guest Patrick McNeil. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hotel security has been a hot topic being debated in the cybersecurity and privacy communities ever since the annual DEF CON hacking conference which was recently held in Las Vegas. The conference hotel security staff at Caesars Palace conducted random hotel room searches unbeknownst to conference attendees. This caused a firestorm of criticism from conference goers but also brought attention to how we should all think about the security and privacy of the hotel rooms we stay in. In this episode I want to share with you some helpful tips and advice to increase your security and privacy while staying in a hotel room. Tom Eston: Joining me to discuss hotel room security and privacy is physical security expert, Patrick McNeil. Patrick has a background ranging from software development, networking, operations, and product security and currently works for an application security company. He has travelled extensively for work over the last nine years, staying in hotels ranging from five-star hotels to hotels with blood stains on the carpet. I think I want to hear more about that. And Patrick is also a lifelong martial arts practitioner, runs Oak City Locksport and does physical security consulting for Stern Security when time permits. Welcome to the show, Patrick. Patrick McNeil: Thank you very much, Tom, appreciate the opportunity to be on. 
Tom Eston: So tell me a little bit about these hotels you’re staying in. Blood stains on the carpet, what’s that all about? Patrick McNeil: Yeah, that was an unfortunate situation where I went to a conference and the conference coordinator had some hotels nearby that were recommended, and this was in downtown Chicago. And let’s just say, while she thought it was a safe neighborhood, it really wasn’t. And the hotel of course, is completely booked up. I check into my room and do my normal walk around and there’s literally blood stains on the carpet probably the size of a dinner plate and some blood spray on one of the [chuckle] walls. Tom Eston: Oh no. Patrick McNeil: It wasn’t a whole lot, but it was enough to freak me out, and I know I’m asking for a new room and it’s completely booked up. So I ended up staying there but it was like put the towel over it so I didn’t have to look at it. And just stay away from that area. It was obviously old. Tom Eston: Obviously [chuckle] old. Yeah, that’s scary, but… Hopefully you’re not staying in hotels like that anymore. Patrick McNeil: I try to avoid that. [chuckle] Tom Eston: But you wrote a really great blog post recently about safety in and around your hotel room. And I think you wrote this because of the controversy that happened at Caesars Palace back during DEF CON in August in Las Vegas, with the conference attendees. Could you give us just a brief overview of what happened at DEF CON for our listeners that may not be familiar with the controversy? Patrick McNeil: Sure. And you’re right, I did write the first post and it turned into a follow-on as well, but it all was because of the mass shooting that happened last year in October in Las Vegas. 
Basically the big casino hotels decided that they wanted to ensure the safety of their guests and the public at large by inspecting the rooms of guests when they hadn’t been seen for a while, they had refused service, or maybe they were seen with large Pelican cases or something when they were traveling in. You get an event like DEF CON, between the DEF CON shoot and all the electronics equipment that people bring in [chuckle], there’s gonna be a lot of Pelican cases. Those are all similar things that the shooter had actually done. Patrick McNeil: And unfortunately they had a policy that allowed people to opt out of room service as an environmental or green initiative. So they were setting themselves up for rooms that had refused room service. So when they decided to start investigating what was up in some of these rooms just doing what they were calling a wellness check, it would appear that their policy either was implemented inconsistently or maybe some employees weren’t trained appropriately because they ended up having issues with employees walking in on partially clothed guests after the pre-visitive knock or even pounding on their doors, demanding to be let in and n

Oct 22, 2018 – 15 min

Google+ Shutdown, Weapons Systems Vulnerabilities, Voice Phishing Scams – WB38

This is your Shared Security Weekly Blaze for October 15th 2018 with your host, Tom Eston. In this week’s episode: Google+ shutdown, weapons systems vulnerabilities, and new data on voice phishing scams. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Google announced this past week that it’s shutting down Google+, due to a bug in the “people” API that may have exposed private profile information for more than 500,000 Google+ users. The bug allowed third-party apps to have access to certain optional profile data such as name, email, address, occupation, gender, and age. This access was limited to only Google+ and not any other data you may have had with other Google services. While the bug was patched back in March, Google decided to start the process to shut down Google+ in the next 10 months, mostly because it was found that 90% of Google+ user sessions only last about 5 seconds. Google states that even though approximately 500,000 Google+ accounts were affected by the bug and that up to 438 applications may have used this API, they found “no evidence that any developer was aware of this bug, or abusing the API, and (we) found no evidence that any Profile data was misused”. Also included in the announcement about the Google+ bug were two other improvements targeting user privacy. 
First, Google is adding more fine-grained control over what account data you share with apps through the use of new individual dialog boxes. These dialog boxes will show each requested permission, one at a time, within its own dialog box. This will allow more detailed permissions to be selected instead of the traditional “all or nothing” permissions approach. Lastly, Google is limiting the ability of third-party apps to request call log and SMS data. Google will now only allow whichever default app you use for making phone calls or sending text messages to make these requests. In addition, the Android contacts permission is also changing. Going forward, apps will no longer be able to access basic interaction data like showing you your most recent contacts. In all, I don’t think Google+ will be missed by anyone but it’s good to see that Google is making these small but impactful privacy changes. A new report released from the Government Accountability Office (also known as the GAO) here in the United States shows that previous cybersecurity vulnerabilities identified in the Department of Defense’s newest weapons systems were never fixed. Testing was apparently conducted on weapons systems from 2012 to 2017 and shows that these problems seem to be widespread in nearly all weapons systems under development. Some of these vulnerabilities are extremely easy to exploit. For example, guessable and default passwords were easily exploitable and in some cases the report noted that some default passwords were easily identified through simple Internet searches. The report had also stated that during tests conducted on these weapons systems “using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected”. 
Given that the Department of Defense plans on spending $1.6 trillion to create more weapons systems, cybersecurity and the significant importance of related computer systems needs to be a top government priority. Many of the vulnerabilities in these systems are very common in Internet of Things devices so it’s not that far of a stretch to see weapons systems that may be using some of the same technology that is available in the consumer market. As we all know, Internet of Things devices often have vulnerabilities that are very easy to exploit, like default passwords. On top of that, there is a large issue right now with the cybersecurity workforce in the government not nearly getting the level of pay that they do out in the private sector. This means that many entry level cybersecurity analysts spend a short amount of time building their skills in a government job, then end up leaving to get paid much more in the private sector. It really goes back to the weapons systems manufacturers making sure they are building security into the products that they are developing. Of course, that’s easier said than

Oct 15, 2018 – 10 min

Chinese Spying, Facebook Shadow Contact Information, iPhone X FaceID Privacy – WB37

This is your Shared Security Weekly Blaze for October 8th 2018 with your host, Tom Eston. In this week’s episode: Chinese Spying, Facebook Shadow Contact Information and iPhone X FaceID Privacy. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. I have a small favor to ask you. We would really appreciate it if you could leave us a review on iTunes. To leave a review, simply click the iTunes link in our show notes for this episode. We’ll be sure to thank you for your review on a future episode of the podcast. Thanks for your support! In late breaking news on Thursday last week, a report from Bloomberg has detailed a large scale supply chain attack which is believed to be one of the largest spying programs ever conducted by a nation-state. According to the report, a very small microchip about the size of a pencil tip or grain of rice was installed and hidden in servers that were being used by approximately 30 American companies which include Apple and Amazon. These chips were apparently installed during the manufacturing process in server motherboards manufactured by a company called Super Micro, which happens to manufacture its products in China. 
Of course, as you might assume, these chips were allegedly installed by the Chinese government to spy on American companies giving China the competitive advantage in the highly competitive technology space. While Amazon, Apple, Supermicro and even China are denying the claims made in this report from Bloomberg, it’s not that far of a stretch when you consider that China has been known to install malicious software into the hardware supply chain in the past and that 75% of all mobile devices and 90% of all PCs in the world are manufactured in China. Whether this story is true or not, securing the hardware supply chain is a very difficult problem to solve, even when hardware is manufactured in a country like the United States. For example, back in 2016 one US based mobile phone company, that makes cheap Android based phones, found a software backdoor installed on their devices which would send information from the device, you guessed it, back to China. So while the hardware itself was not manufactured in China, the software on the Android device was. I remember when I was working as a security consultant several years ago we would strongly advise business clients that when traveling to China they should use a “disposable” laptop and mobile device with very little or no corporate data on them. When our clients returned from China we strongly told them to never ever plug their laptop back into their corporate network and to give it to us for forensic analysis. We gave this advice to our clients because we actually had one client in particular that had their laptops and phones hacked while they either went through Chinese customs or during their stay in China. This client in particular had their proprietary design information about a new product on said laptop. 
Time will tell how this Bloomberg story pans out, but in the meantime, especially if you’re in the business of having confidential or proprietary business information that might be valuable to a nation-state such as China, be sure to take extra caution with devices that store or handle sensitive or proprietary business information. Facebook was back in the news this past week with the revelation that the phone number that you may have provided Facebook for security purposes, like for two-factor authentication, is being shared with advertisers. To make matters worse, you don’t even have to willingly provide your phone number at all because of something called “shadow” contact information. Shadow contact information is any contact information, like your phone number, that is shared when your friends upload their contact information to Facebook. What this means is that even if you’ve never given your number to Facebook, your friends may have without you knowing. What’s also unfortunate about this news is that once again, we seem to be forced to make a privacy trade-off where we have the need to secure our accounts with two-factor authentication but must also allow our phone number to be harvested by advertisers so that we can be served more ads. This news should giv

Oct 8, 2018 – 12 min

Facebook’s Fake Account Crackdown, Privacy Upgrade to HTTPS, New Security Features in Apple iOS 12 – WB36

This is your Shared Security Weekly Blaze for October 1st 2018 with your host, Tom Eston. In this week’s episode: Facebook’s fake account crackdown, privacy upgrade to HTTPS, and new security features in Apple iOS 12. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Facebook has recently taken a tougher stand against fake profiles, specifically ones being used by law enforcement. In a letter that Facebook sent to the Memphis Police Department, Facebook states they have disabled fake accounts that were set up by the police department because they violate Facebook’s terms of service, which note that you must use your real name while using the social network. Privacy advocates like the EFF have been critical of this position in the past since in some cases, free speech may put certain users at risk if real identities are being used. However, regardless of how you feel about this policy, it’s good to see Facebook applying these rules to everyone, including law enforcement. In fact, as the EFF has pointed out, Facebook recently updated their help page titled “Information for Law Enforcement Authorities” and under their misrepresentation policy they state “People on Facebook are required to use the name they go by in everyday life and must not maintain multiple accounts. 
Operating fake accounts, pretending to be someone else, or otherwise misrepresenting your authentic identity is not allowed, and we will act on violating accounts”. Law enforcement aside, fake accounts on Facebook have always been a problem ever since Facebook started getting popular around 2008. In fact, I remember giving a talk at a hacker conference about social network bots and the underground criminal networks that had created automated tools and scripts to target unsuspecting social network users. Check out our show notes for a link to this talk and a nostalgic look into the younger version of yours truly. Oh, and in full disclosure, I may have pushed the limits of fake account creation back then as well. Now I gave that talk back in 2009 but bots and fake accounts are still running rampant on Facebook and other social networks. They are even using those same techniques I talked about back then to friend thousands of strangers in order to solicit spam or to get them to click on links which lead to malware and phishing scams. The best advice to avoid becoming a victim of a fake account or bot in your friends list is to only accept friend requests from people you actually know in real life. But even that can lead to problems, especially if someone is impersonating one of your friends. Our advice is to contact that friend out of band, for example, via a text message or phone call, to verify that they are who they say they are. In other late breaking Facebook news last Friday, a serious vulnerability in the “View As” profile feature was identified by Facebook’s own engineers that affects almost 50 million accounts. The vulnerability allowed attackers to steal the access tokens which could then be used to take over other people’s accounts. Facebook states that they’ve already fixed the vulnerability and have reset the passwords of around 90 million accounts that may be affected by the issue. 
Facebook states that they are also working with law enforcement and greatly apologize for any inconvenience this may cause Facebook users. How private do you think your web browsing history is? As we all know, HTTPS encryption helps protect the content of the information we share with websites we are accessing. There have also been new ways to encrypt DNS queries, like DNS over TLS and HTTPS. However, even with an HTTPS connection, your ISP can still see the sites that you’re going to because DNS queries are typically not encrypted. That’s why one company called Cloudflare introduced a new public DNS server called 1.1.1.1 which supports DNS over TLS and HTTPS that encrypts DNS queries as well. But did you know that there are other ways that ISPs can snoop in on the sites that you’re visiting? One large gaping hole that has been identified is something called the “Server Name Indication” extension or SNI. In simplistic terms, you can think of SNI as a way to route HTT

Oct 1, 2018 – 11 min

Mobile Phone Call Scams, Pegasus Mobile Spyware, Newegg Data Breach – WB35

This is the Shared Security Weekly Blaze for September 24, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. You can also watch each episode of the podcast on our YouTube Channel! Show Transcript This is your Shared Security Weekly Blaze for September 24th 2018 with your host, Tom Eston. In this week’s episode: Mobile phone call scams, Pegasus mobile spyware, and the Newegg data breach. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Raise your hand if you’re sick and tired of receiving scam and fraudulent phone calls on your mobile phone. I’ll assume that all of you are probably raising your hand right about now, myself included. Well not to be the bearer of bad news but according to a recent report, nearly half of the mobile phone calls received in the US next year will be scams. A report from First Orion, which makes phone call data transparency solutions, notes a dramatic increase in mobile scam calls “from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019”. 
Many of these calls are using a technique called “Neighborhood Spoofing” which happens when a scammer makes their number look like a real local number, tricking the victim into picking up the call. Since these numbers are typically spoofs of real numbers, sometimes if you call these numbers back, you’ll get a real innocent person; not the scammer who spoofed the number. While many of us are either manually blocking scam calls through the features on our phones or using a third-party app to screen and block calls, the best way to stop these calls from happening seems to be with the mobile carriers themselves. First Orion seems to be addressing this with an in-network technology called “CallPrinting” that is said to significantly reduce the volume of scam calls. First Orion’s press release states that this technology will be used by one Tier-One US carrier this fall. In regards to third-party apps, I’ve recently installed an app called “AT&T Call Protect” which seems to work fairly well to block scam calls. This is a free app for AT&T mobile customers. I’d say that it’s slightly reduced the number of scam and robocalls that I’ve received but I find it’s not perfect as blacklisting scam numbers seems to be an endless pursuit. So what are your thoughts? Have any of you used these third-party scam call blocking apps? If so, we would be interested in hearing what you think about how effective these apps are so we can discuss on the podcast. Send us a message on Twitter, Facebook or email and let us know if these apps are helping or hindering your fight against scam calls on your mobile phone. A fascinating report released by privacy and security research group Citizen Lab this week shows that a very sophisticated form of mobile spyware, called Pegasus, has been found on Android and Apple iOS phones in 45 countries including the US, UK and Canada. Some of these countries have been known for questionable human rights practices. 
Citizen Lab researchers point out that Pegasus is being installed on devices to conduct cross-border surveillance and may be breaking the law in the US as well as many other countries where Pegasus was found. Pegasus spyware is sold by an Israeli company called the NSO Group and has been used in the past by powerful nation states and governments to target human rights activists and other individuals under surveillance for one reason or another. In this recent research by Citizen Lab they estimate that Pegasus is being used by at least 33 different NSO Group customers. Back in 2016, one of these individuals targeted with Pegasus was UAE activist Ahmed Mansoor who was able to provide Citizen Lab researchers with his iPhone to analyze after he received a very odd and strange link sent to him via a text message. When clicking the link, this particular version of Pegasus launched three zero-day exploits for Ahmed’s particular version of Apple iOS and would have allowed full a

Sep 24, 2018 – 10 min

Malware-Less Email Attacks, Equifax Breach Updates, Vizio Class Action Lawsuit

This is the Shared Security Weekly Blaze for September 17, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. You can also watch each episode of the podcast on our YouTube Channel! Show Transcript This is your Shared Security Weekly Blaze for September 17th 2018 with your host, Tom Eston. In this week’s episode: Malware-less email attacks, Equifax breach updates and the Vizio class action lawsuit. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Security vendor FireEye released research this past week which shows that 90% of the half-a-billion emails blocked by their product in the first half of 2018 were found to be “malware-less”. Meaning there were no malicious attachments or other code within the email itself that would attempt to compromise victims. Phishing actually made up 81% of what are considered malware-less attacks. Malware-less attacks also use impersonation of a trusted sender or company and include intimidation, links to malicious sites and sometimes forged requests. 
Other interesting data points include: malware-based attacks were most common on Mondays and Wednesdays and that malware-less attacks were most likely to occur on Thursdays. Data from the report also notes that phishing attacks will continue to rise. Just for a minute, let’s forget about the day of the week that attacks like these are most likely to occur and focus on what you should do if you do receive a malware or malware-less email in your inbox. As we all know, social engineering techniques are often used to convince you to click a link or submit sensitive information to the attacker. In fact, we just released episode 80 of our monthly show with social engineering expert Chris Hadnagy, in which we talk to him about the different types of social engineering techniques used in phishing and many other types of attacks. It was great having Chris on the show so definitely give this episode a listen. Emails using social engineering techniques are one of the most popular ways to target victims because email is still one of the primary means of communication that we all use, especially in the business world. While many businesses typically have some type of security product to screen emails for potential attacks, it won’t help in situations with personal email or when these products don’t work as expected. Your first line of defense is to “think before you click”. This means for any suspicious email, take a step back for 30 seconds, read the email carefully and look for clues that indicate that the email might be a phishing attack. Check out our show notes for a great guide put together by Tripwire on the six most common phishing attacks and how to protect against them. The Equifax data breach last year, which exposed the personal information of almost half of the US population, has yielded very little change in regards to Equifax profits and any federal laws that could be implemented to prevent another breach as large as this one. 
The Chicago Tribune reported in an article last week that Equifax posted record revenue last quarter of $877 million and will most likely post a record profit next year. In fact, Equifax has recovered about 90 percent of the losses that resulted from last year’s data breach. I’m actually a little surprised that Equifax has been able to “skate” around any financial penalty or other serious impact to their business. It does make you wonder how they have been able to keep the public reaction of this data breach to a low roar. It seems that the only positive news coming out of this data breach is that there is more awareness from a consumer and legislative perspective as well as a pending class action lawsuit that is still in the early stages of development. One small but recent win for consumers is that President Trump signed a bill into law this past May which states that consumers can freeze their credit for free, beginning this week on September 21st. This new law will remove the $5-$10 fee that was imposed by the various credit agen

Sep 17, 2018 – 9 min

Episode 80 – Special Guest Chris Hadnagy and Social Engineering: The Science of Human Hacking

This is the 80th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright, recorded September 5, 2018. This podcast is also available to watch on our YouTube Channel. In this very special episode we’re joined by Chris Hadnagy (@humanhacker) who is the author of the new book “Social Engineering: The Science of Human Hacking”. We talk with Chris about his new book, how Social Engineering has changed over the years and what he’s been up to with his organization the Innocent Lives Foundation, Social-Engineer.com and the recent DEF CON SECTF (Social Engineering CTF). Here are the links that we mentioned on the show: our previous interview with Chris in Episode 68; Innocent Lives Foundation; Social-Engineer.org; order Chris’ new book on Amazon. Thanks to Chris for being a guest on our show!

Sep 13, 2018 · 27 min

Five Eyes Security Alliance, Google and Your Offline Purchases, Privacy by Default in Firefox

This is the Shared Security Weekly Blaze for September 10, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here. You can also watch the podcast by subscribing to our YouTube Channel! Show Transcript This is your Shared Security Weekly Blaze for September 10th 2018 with your host, Tom Eston. In this week’s episode: The five eyes security alliance, Google and your offline purchases, and privacy by default in Firefox. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. The “Five Eyes”, which is a long-running security alliance between the US, UK, Australia, New Zealand, and Canada, agreed in their annual meeting a few weeks ago that “privacy is not absolute” and “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”. In addition, it was also stated that technology companies should be urged to “voluntarily establish lawful access solutions to their products and services”. 
If that is not possible, due to push back from technology companies, intelligence agencies may take matters into their own hands. What this means is that if technology companies do not build or develop backdoors into their products, law enforcement may develop their own ways to hack into devices or could work to enact legislation to eventually force technology companies to create these backdoors. Encryption and government backdoor access, as you may remember, has been a very hotly debated topic, as the needs of law enforcement oftentimes conflict with the needs of encryption and privacy that we all are entitled to. We all realize that the same encryption that we use to safeguard our legitimate private and business data is the very same encryption that criminals use. However, allowing our governments backdoor access to bypass or circumvent encryption weakens security for all of us. You may recall the controversy over the FBI asking Apple to break into the seized iPhone from the San Bernardino shooting that took place in 2015. Apple rejected the FBI’s demand, so the FBI apparently found their own way to access the device from professional hackers that may have had a 0day vulnerability to allow access to the iPhone. I would suspect that because of this new rhetoric from government alliances such as the “Five Eyes”, the 0day market for exploits that give governments ways to bypass encryption solutions is going to become much more popular as the arms race around encryption and privacy continues. It seems that we can’t stop all the news about how Google uses your information to serve you more ads or to track your location, even if you disable the setting to not allow location tracking. If that wasn’t bad enough, it was reported last week that Google has a secret deal with Mastercard to track what users are purchasing offline. 
According to a report by Bloomberg, sources with knowledge of the deal say that Google and Mastercard have been negotiating for about four years to allow Mastercard transaction data in the US to be encrypted and sent to Google. This data would allow Google to match existing Google users to actual physical purchases. This means that when Google users click on ads, those clicks can be tracked to actual sales in physical stores. In response to this Bloomberg article, Mastercard has stated that they do not provide any transaction data to third parties and that Mastercard does not “know the individual items that consumers purchase in any shopping cart – physical or digital”. Google has also stated that it does not have access to any personal information from its partners’ credit and debit cards, and that Google does not share any personal information with its partners. So who are we to believe? First, we need to keep in mind that Google’s ad business had 95.4 billion dollars in sales just last year alone. You know as well as I do that Google is going to do

Sep 10, 2018 · 9 min

US Federal Privacy Law, WhatsApp Google Drive Warning, Improved Security for Instagram

This is the Shared Security Weekly Blaze for September 3, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Show Transcript This is your Shared Security Weekly Blaze for September 3rd 2018 with your host, Tom Eston. In this week’s episode: US Federal Privacy Law, WhatsApp’s Google Drive Warning and Improved Security for Instagram. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. The New York Times reports that the technology industry in the United States is beginning to lobby the Trump administration to create federal privacy legislation. Sources say that this proposed federal privacy law would first overrule the recent California privacy law and second, be much softer and less restrictive than the California law in regards to the way personal data is handled by technology companies. You may remember that back in July of this year the state of California passed their own privacy law, which is very similar to the European Union’s GDPR privacy legislation that went into effect this past May. 
It’s no surprise that technology companies like Google, Facebook, and others who have come under great scrutiny over the way that they protect and use our data are now “freaking out” over the possibility that if they don’t act soon to heavily influence the creation of a federal privacy law, their businesses and profitability will suffer greatly. The California Privacy Act and GDPR have been huge wins for data privacy around the world but have caused much pain for companies like Google and Facebook that rely on advertising revenue, which is built from the collection of your private data. Look, there will most likely be a federal privacy law enacted in the US at some point. What that eventually looks like is anyone’s guess. I will say that it’s going to get complicated very quickly when the technology lobbyists that have tons of money, from companies like Facebook and Google, push their own agendas. Moreover, add in the various trade groups such as the US Chamber of Commerce and others that are trying to enact voluntary standards that businesses can follow vs. the federal laws. Federal laws would most likely enact fines for breaking the law. It’s unfortunate that our digital privacy seems up for grabs by corporations and governments more than ever before. Are you an Android user that is storing your WhatsApp data backups in Google Drive? If so, you need to know that backups of your WhatsApp messages are not encrypted once they leave your device and are stored within Google Drive. Last week, WhatsApp reminded its users that backup services like Google Drive may not have the same protections, such as end-to-end encryption, that WhatsApp provides while using the app. This announcement came to the forefront due to recent news that Google has now stopped WhatsApp backups from counting towards Google Drive space limits. 
On the other hand, if you’re a WhatsApp user on Apple iOS, your backups are sent to iCloud, which does provide end-to-end encryption of WhatsApp backup data by ensuring anything that is stored at the server level is encrypted. This means that the WhatsApp backup data file itself is not encrypted but the location within Apple’s iCloud storage is. I think that you know why Google Drive is not encrypted, right? Google is using data from your documents, just like your email in Gmail, to serve you more ads. This news from WhatsApp should make you think about how any of your backups are stored and what would happen if backups for your computer, phone or an application that was storing sensitive data were lost or stolen. It’s an interesting question, as cloud based storage seems to be all over the place in regards to who encrypts data stored at the server level (also known as ‘at rest’) and who doesn’t. For example, I was surprised to learn that Microsoft OneDrive is only encrypted for Office 365 business users and not for personal accounts. So what are some quick solutions? With any backup that you make through a cloud based solution, take a

Sep 3, 2018 · 9 min

Election Hacking and Vulnerable Voting Machines

This is the 79th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright recorded August 23, 2018. Listen to this episode and previous ones direct via your web browser by clicking here! This episode is available on our YouTube Channel and is the very first episode that we recorded over video via Skype! We apologize for the poor video quality at times and will be testing additional video streaming via Facebook or YouTube live in the future. Please subscribe to our channel and let us know how you like this new format! In this episode Tom and Scott discuss election hacking, which has been top of mind for many of us and a hot topic in the news, especially with the midterm elections coming up in the United States. Tom talks about the DEF CON Voting Machine Hacking Village, what was discovered and how hacking voting machines will hopefully make elections more secure in the future. As mentioned on the show, we recommend checking out previous podcast guest Rachel Tobac’s short video on how easy it was to hack a voting machine used in 18 US states in under 2 minutes: At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl — Rachel Tobac (@RachelTobac) August 12, 2018 Scott also discusses the recent phishing “attack” on the Democratic National Committee (DNC) that actually was an authorized phishing test and some of the challenges with disclosing or not disclosing phishing tests to employees. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. 
You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

Aug 31, 2018 · 36 min