

Firewalls Don't Stop Dragons Podcast
Carey Parker
A Podcast on Computer Security & Privacy for Non-Techies
Episodes

Apr 15, 2019 • 45min
Swiped: Identity Theft (pt 1)
Identity theft is arguably one of the worst cyber crimes in terms of deep and lasting impact to the victim. This runs the gamut from simple credit card fraud to committing crimes in someone else’s name. We’ll talk about the entire spectrum today in part one of my interview with Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.
Adam Levin is a consumer advocate with more than 40 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. You may have seen Adam on one of his several TV appearances, as well.
Further Info:
Adam Levin’s website: https://adamlevin.com/
Adam’s book, Swiped: https://adamlevin.com/swiped-book-adam-levin/
CyberScout: https://www.cyberscout.com/

Apr 8, 2019 • 39min
Spotting Scare Scams
Bad guys have been using scary emails and pop-up messages to bilk unsuspecting victims of millions of dollars for a long time now. But recent scams purporting to be from the CIA have taken things to a new level. In today’s show, I’ll walk you through one variant of this scam and teach you how to spot similar scare scams.
In other news, government spyware has made its way into everyday apps on the Google Play Store, WinRAR has a serious bug that you need to patch, hundreds of millions of Facebook records were found lying around unprotected in the cloud, ASUS computer users were targeted by ShadowHammer malware, and Cloudflare has a new mobile VPN app you should take a look at.
Further Info
Install and configure Cloudflare’s 1.1.1.1 DNS: https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
ASUS malware checker: https://shadowhammer.kaspersky.com/

Apr 1, 2019 • 49min
Fix It Already!
How often have you run across something so obviously bad or behind the times that you just want to scream: Hey, fix this already! Electronic Frontier Foundation to the rescue! Gennie Gebhart explains the EFF’s new #FixItAlready campaign – a “most wanted” list of no-brainer bugs and shortcomings in today’s most popular services and products that just should not be. Examples include no end-to-end encryption of Twitter DMs, using two-factor Facebook phone numbers for marketing, and not being able to set your own password on iCloud or Windows 10 hard drive encryption.
Gennie Gebhart is the Associate Director of Research at the Electronic Frontier Foundation, where she does research and advocacy on consumer privacy and security issues. She holds a Master of Library and Information Science from the University of Washington.
Further Info:
Fix It Already! https://fixitalready.eff.org/
Donate to EFF: https://supporters.eff.org/donate/join-eff-4

Mar 25, 2019 • 40min
Preparing for Your Digital Afterlife
What happens to your digital life when you die? The answer is only slightly less philosophical than what happens to your soul. The laws, at least in the US, haven’t kept up with the times and there aren’t clear rules for who has legal rights to your online accounts or the files you’ve stored in the cloud. In today’s episode, I’ll tell you how to prepare for your inevitable digital afterlife.
In other news, Facebook revealed that hundreds of millions of its users’ passwords were left open on internal servers, ransomware has hit one of the world’s largest producers of aluminum, the Pwn2Own bug hunt contest shows us how to do responsible disclosures, a critical flaw has been found in implanted defibrillators leaving them vulnerable to hacking, and DARPA is hoping to fix our broken voting systems.
Further Reading
My blog article on Digital Afterlife: https://firewallsdontstopdragons.com/preparing-for-your-digital-afterlife/
Facebook’s password screwup: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
Critical defibrillator bugs: https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients

Mar 18, 2019 • 48min
Enter the Panopticon (Part 2)
In the second half of my interview with EFF’s Bill Budington, Bill helps us understand how we can at least attempt to disguise ourselves on the web and basically try to blend in with the crowd. We’ll also see how tools like EFF’s Panopticlick can help us pinpoint the things that are making us stand out, which enables us to be tracked more easily. Finally, we’ll discuss several browsers and plugins that can help you preserve your privacy.
If you missed Part 1, you can listen to it here: http://podcast.firewallsdontstopdragons.com/2019/03/10/enter-the-panopticon-pt1/.
Guest Bio:
Bill is a Senior Staff Technologist at the Electronic Frontier Foundation (EFF). He works on privacy and security-enhancing projects, such as the HTTPS Everywhere browser add-on and Panopticlick, a tool that alerts users to how vulnerable they are to browser tracking. He has also contributed to projects such as Let’s Encrypt and SecureDrop.
Further Info:
Is your browser giving you away? EFF’s Panopticlick will tell you: https://panopticlick.eff.org
EFF’s Surveillance Self Defense guide – learn how to keep yourself safe online! https://ssd.eff.org/
Help EFF to help you: https://supporters.eff.org/

Mar 11, 2019 • 50min
Enter the Panopticon (Part 1)
In the first part of my discussion with Bill Budington from the EFF, we’re going to talk about some of the key ways in which we are tracked around the web as we surf from site to site. I’ll ask Bill who is tracking us, why they’re tracking us, and we’ll get into some of the clever and downright devious methods by which we are tracked and recognized on the web.
In part 2 (next week) Bill will help us understand why it’s so hard to disguise ourselves on the web and how tools like EFF’s Panopticlick can show us what’s going on under the covers. We’ll also offer up some solutions or at least mitigations for all this tracking.
Guest Bio:
Bill is a Senior Staff Technologist at the Electronic Frontier Foundation (EFF). He works on privacy and security-enhancing projects, such as the HTTPS Everywhere browser add-on and Panopticlick, a tool that alerts users to how vulnerable they are to browser tracking. He has also contributed to projects such as Let’s Encrypt and SecureDrop.
Further Info:
Is your browser giving you away? EFF’s Panopticlick will tell you: https://panopticlick.eff.org
EFF’s Surveillance Self Defense guide – learn how to keep yourself safe online! https://ssd.eff.org/
Help EFF to help you: https://supporters.eff.org/donate/join-4

Mar 4, 2019 • 37min
Account Defense in Depth
The Mayor of Tampa, Florida, had his Twitter account hacked due to “the usual weaknesses, including poor passwords.” The hackers used the account to tweet pornographic images and even an incoming ballistic missile alert. Comcast’s Xfinity Mobile service used a default account security PIN of “0000”, which allowed several customers to have their accounts taken over. You not only need strong passwords, you need strong second factor authentication. That’s defense in depth.
In other news, Microsoft’s Edge browser was found to have a whitelist for almost 60 websites that bypass the Flash Player click-to-run protections, a Canadian province is allowing the mass sale of anonymized medical records, and the fast Thunderbolt USB-C ports were found to be vulnerable to a memory access hack called Thunderclap.

Feb 25, 2019 • 1h 18min
Guiding the Development of AI

Feb 18, 2019 • 31min
Toying With Security
The European Union has recalled a GPS smart watch meant to be worn by children so that their parents can keep tabs on them. Unfortunately, due to horrible security, anyone can track these watches – and even send messages to the children. The Internet of Things (IoT) is well-known for having lax or non-existent security protections. Connecting our children’s toys to the internet in this manner is raising serious (and valid) privacy concerns.
In other news, there’s a devious new Facebook and Google phishing scam that would fool many pros, the Chrome browser will soon help you spot fake look-alike websites, Apple cracks down on apps that surreptitiously record their users’ interactions with their apps, and many modern Android phones are vulnerable to hacking simply by loading a malicious image.
Help Me to Help You!
Visit my page on Patreon for details: https://www.patreon.com/FirewallsDontStopDragons

Feb 11, 2019 • 56min
You Must Stop Reusing Passwords
Last week I told you about the literally billions of email addresses and passwords that were released by hackers as “Collections 1-5”. I also told you how you can check to see if your information was contained in these (or other dumped data) by checking haveibeenpwned.com. And today I’m interviewing the man behind this wonderful, free service: Troy Hunt! He tells us how he gets his hands on all of this data and what we should be doing to mitigate the damage from these inevitable breaches. The worst thing you can do? Reusing passwords on multiple sites!
In today’s episode, I also reveal the winners of my Pod-Centennial contest! Five lucky people will be getting signed copies of my book, signed copies of Bruce Schneier’s latest book (Click Here to Kill Everybody), and a selection of other cybersecurity books!
Troy Hunt is an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. You’ll regularly find Troy in the press talking about security and even testifying before US Congress on the impact of data breaches.
Further Info
HaveIBeenPwned.com
Ethics of running a data breach search service: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
Authentication evolved: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/


