Firewalls Don't Stop Dragons Podcast
Carey Parker
A Podcast on Computer Security & Privacy for Non-Techies
Episodes

Jun 7, 2017
How Dumb Are Your ‘Smart Devices’?
Do you have a “smart” TV? Or an Internet-connected baby monitor? Then you are a part of the Internet of Things (IoT)! Welcome to the world of everyday devices being connected to the network, allowing you to change the temperature of your home while traveling, check up on your dogs from work, and have a Bluetooth speaker that can also fetch tomorrow’s weather forecast. While there are lots of great uses for these devices, their security (or lack thereof) is making many of us vulnerable to attack.
Today I speak at length with John Graham-Cumming, CTO of Cloudflare, about the Internet of Things and how it’s already wreaking havoc on our world. We’ll tell you how to be smart about your smart devices!
We’ll also talk about the massive OneLogin password system breach and how hackers are increasingly turning to social media to target people for phishing attacks.
John Graham-Cumming is a computer programmer and author. He studied mathematics and computation at Oxford and stayed for a doctorate in computer security. As a programmer he has worked in Silicon Valley and New York, the UK, Germany and France, and currently works at Cloudflare. His open source POPFile program won a Jolt Productivity Award in 2004.
He is the author of a travel book for scientists published in 2009 called The Geek Atlas and has written articles for The Times, The Guardian, The Sunday Times, The San Francisco Chronicle, New Scientist and other publications. In 2009 he successfully petitioned the British Government to apologize for the mistreatment of British mathematician Alan Turing. He is a licensed radio amateur.
For Further Insight:
Website: http://jgc.org
Follow on Twitter: https://twitter.com/jgrahamc
Additional Resources:
Save 40% off next year’s domain registration (and get FREE privacy) https://hover.com/transfermydomain
Social media increasingly used by hackers: https://www.nytimes.com/2017/05/28/technology/hackers-hide-cyberattacks-in-social-media-posts.html
The Geek Atlas: https://www.amazon.com/Geek-Atlas-Places-Science-Technology/dp/0596523203
EFF’s page to help send comments to FCC on Net Neutrality: https://dearfcc.org/

May 31, 2017
🎧 Cyber Travel Tips: What To Know Before You Go
Summer is upon us and for many of us that means travel. Before you even pack your bags, you need to listen to this podcast! In my second interview with Michael Kaiser (the Executive Director of the National Cyber Security Alliance), we discuss the cyber security and privacy issues you need to consider before you go and while you're traveling. Going abroad this summer? There are even more things you need to consider well before you leave!
Also in this episode, I'll tell you why Twitter's new privacy policy changes are not in your favor, and how to fix it. Android's next major software release, due out later this year, should finally address some of the major problems with getting updates. And I answer two questions from listeners: how best to get off mailing lists, and how secure Apple's iMessage really is.
Michael Kaiser joined the National Cyber Security Alliance (NCSA) in 2008. As NCSA’s executive director, Mr. Kaiser engages diverse constituencies—business, government and other nonprofit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet.
Mr. Kaiser leads NCSA in several major awareness initiatives, including National Cyber Security Awareness Month (NCSAM) each October, Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT., the global online safety awareness and education campaign. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities. In 2009, Mr. Kaiser was named one of SC Magazine’s information security luminaries.
Mr. Kaiser has served on several nonprofit boards. He is currently the chair and a founding board member of SPINUSA, a national nonprofit based in Massachusetts, and has served on the Board of Trustees of the College of the Atlantic in Bar Harbor, Maine, and New Destiny Housing Corporation in New York City.
For Further Insight:
Web site: staysafeonline.org
Follow on Twitter: https://twitter.com/MKaiserNCSA
Facebook: https://www.facebook.com/staysafeonline/
LinkedIn: https://www.linkedin.com/in/michael-kaiser-3579752b
Additionally Important:
NCSA’s Cyber Trip Advisor: https://www.stopthinkconnect.org/resources/preview/tip-sheet-ncsas-cyber-trip-advisor
Undoing the new Twitter privacy settings: https://www.eff.org/deeplinks/2017/05/how-opt-out-twitters-new-privacy-settings
Secure messaging apps:
WhatsApp: https://www.whatsapp.com/
Signal: https://whispersystems.org/

May 24, 2017
Learn These WannaCry Lessons Before Round 2 Hits
The WannaCry ransomware worm hit over 200,000 computers in over 150 countries in a matter of days. While WannaCry spread quickly, it had some fatal flaws that prevented it from doing a lot more damage. Those flaws will not last: variants that fix them are already appearing, so Round 2 of this malware is upon us. I speak with Michael Kaiser from the National Cyber Security Alliance to find the lessons we need to learn and what we need to do to protect ourselves from the next generations of this nasty malware. We also take a good look at who might be to blame for all of this and some thorny issues exposed by this attack. In other news, I'll tell you how to find out if your HP laptop might be logging all of your keystrokes (a debugging feature left in its audio driver) and how to fix it.
Additionally Important:
10% off your first domain name order! https://www.hover.com/welcome/Firewalls
HP key logger: https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
Got ransomware? Go here before paying! https://www.nomoreransom.org/
Start With Security: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
Dept Homeland Security C-Cubed: https://www.dhs.gov/ccubedvp

May 17, 2017
🎧 Inoculating the World Against Malware
The WannaCry ransomware worm spread across the planet in a matter of hours, infecting over 200,000 computers. Its victims included hospitals in the UK, a phone company in Spain, and even a Russian ministry. The malware was stopped dead by one security researcher who basically got lucky: he registered a domain name that the worm checked before spreading, and that acted as a kill switch. In today's show, I will explain what WannaCry is and how to ensure that you are protected against this nasty bug and others just like it that will surely be coming. My guest today is security researcher Nick Weaver, who will help us understand what the real threats are for most people (it's not just hackers!). He explains why we're vulnerable and gives us a lot of great and timely tips on how to protect your computers and mobile devices (spoiler alert: you need to ditch Android and go with Apple).
Nicholas Weaver received a B.A. in Astrophysics and Computer Science in 1995, and his Ph.D. in Computer Science in 2003 from the University of California at Berkeley. Although his dissertation was on novel FPGA architectures, he also was highly interested in Computer Security, including postulating the possibility of very fast computer worms in 2001. In 2003, he joined the International Computer Science Institute (ICSI), first as a postdoc and then as a staff researcher. His primary research focus is on network security, notably worms, botnets, and other internet-scale attacks, and network measurement. Other areas have included both hardware acceleration and software parallelization of network intrusion detection, defenses for DNS resolvers, and tools for detecting ISP-introduced manipulations of a user's network connection.
For Further Insight:
Website: http://www1.icsi.berkeley.edu/~nweaver
Follow on Twitter: @ncweaver
Further Reading:
Article on WannaCry by our guest: https://lawfareblog.com/crying-about-wannacry-notable-features-newest-ransomeware-attack
Microsoft help on WannaCry malware: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
John Oliver on Net Neutrality: https://www.youtube.com/watch?v=92vuuZt7wak
Tell the FCC how you feel about Net Neutrality! http://gofccyourself.com/

May 10, 2017
🎧 Intel Closes a Nine-Year Backdoor
This week I'll tell you why you should not be using Microsoft's Edge browser, how to find out if you were bitten by a very clever Google Docs phishing scheme, and why you can't believe every voice you hear. Along the way, I'll give you my recommendations on the best web browser to use, as well as how to revoke permissions you may have granted to Twitter, Facebook and Google over the years that may be leaving you vulnerable. Finally, I'll tell you how Intel finally found and fixed a flaw in Active Management Technology (AMT), the remote-management firmware built into many business PCs that functions as a backdoor for administrators, how to see if your computer is affected, and why backdoors can let the bad guys in just as easily as the good guys.
For Further Insight:
Lyrebird: https://soundcloud.com/user-535691776
Google app permissions: https://myaccount.google.com/permissions
Twitter app permissions: http://lifehacker.com/5905299/clean-our-your-twitter-app-permissions-as-part-of-your-spring-cleaning-regimen
Facebook app permisssions: http://lifehacker.com/5904590/clean-out-your-facebook-app-permissions-as-part-of-your-spring-cleaning-regimen
Intel chip security bulletin: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
ShieldsUp! https://www.grc.com/x/ne.dll?bh0bkyd2

May 3, 2017
Your Email is as Vulnerable as Sending a Postcard
Would you write banking information, passwords, private conversations or any other sensitive data on the back of a postcard? It sounds like a silly question, but that is the equivalent of putting private information in your emails: a standard email is readable by every server that handles it along the way. Your emails are NOT secure. Today I'm going to help you understand the options available to you so you don't get caught with your drawbridge down!
I have an insightful discussion with Dr. Andy Yen, the CEO and Co-Founder of ProtonMail. We discuss why regular email is not very secure and how corporations like Yahoo, Google, and others have complete access to everything you send and receive. There are lots of better options out there, and we discuss how to evaluate and choose a better service.
We have lots of important news items this week including another Android hack that has infected at least 2 million phones, a raft of bugs in the latest Linksys home WiFi routers, a clever new ransomware attack that nests like Russian dolls, and finally a vigilante hacker that has written software that he dubs “Internet chemotherapy” that may completely take out your insecure devices.
Dr. Andy Yen, CEO and Co-Founder of ProtonMail, has over 8 years of experience in distributed computing for demanding particle physics applications. Andy was a researcher at CERN from 2009 to 2015, where ProtonMail's founding team met. He has a PhD in Physics from Harvard and a degree in Economics from Caltech.
For Further Insight:
Website: https://protonmail.com/
Follow on Twitter: https://twitter.com/ProtonMail
Linkedin: https://www.linkedin.com/in/andy-yen-03a9676
Further Reading:
http://blog.checkpoint.com/2017/04/24/falaseguide-misleads-users-googleplay/
http://www.linksys.com/us/support-article?articleNum=246427
https://thatoneprivacysite.net/email-section/
https://www.ted.com/talks/andy_yen_think_your_email_s_private_think_again
Top VPN Servers List by Country

Apr 19, 2017
🎧 When the Hackers Become the Hacked
The Shadow Brokers have dumped a treasure trove of NSA secret hacking tools, proving that even the best secret-keepers in the country can’t always prevent info from leaking. Is it better for intelligence agencies to hoard software vulnerabilities for use against others, or to report those vulnerabilities so they can be fixed? I delve into this topic in detail, exploring the pros and cons.
What if you could do one simple thing to protect your computer from most critical software bugs? It’s not only simple, it’s free and available to all users of modern Windows and Mac computers – and yet most people never use it! And as a bonus, I answer several of your questions from the mailbag about sharing WiFi passwords, choosing a cloud storage provider, protecting your kids while surfing the web, and things to consider when picking out a new computer!
For Further Insight:
https://www.eff.org/deeplinks/2017/04/border-search-bill-would-rein-cbp
https://support.microsoft.com/en-us/help/306525/how-to-configure-and-use-automatic-updates-in-windows
https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html

Apr 12, 2017
🎧 How to Pick The Only Password You’ll Ever Need
This week I talk with Chris Romeo on why humans are so horribly bad at picking good passwords and why this invariably makes you vulnerable to hacking. We discuss password managers and how to create the one and only password you should ever need. Along the way, we’ll explain things like two-factor authentication, how often you should be changing your passwords, and how to make sure your accounts can still be accessible if the worst happens.
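The arithmetic behind that advice, as an added example that is not from the episode or from Security Journey: a master passphrase made of words drawn uniformly at random from a wordlist gets its strength from the size of the list and the number of words, not from cleverness. The wordlist below is a constructed stand-in for a real 7,776-word diceware list (the pool size is passed as a parameter so the figures can be computed for the real list), and the "brute-force upper bound" function exists to show why a human-chosen password like "Summer2017!" looks stronger on paper than it is.

```python
import math
import secrets
import string

# Constructed sample wordlist for this example only. A real diceware-style
# list has 7,776 entries; the functions below take the pool size as an
# argument so the real figures can be computed without embedding that list.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
DICEWARE_POOL = 7776  # 6^5 words: five dice rolls select one entry


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def words_needed(target_bits: float, pool_size: int = DICEWARE_POOL) -> int:
    """Smallest number of uniformly random words from the pool that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(words=SAMPLE_WORDS, count: int = 6, rng=secrets) -> str:
    """Pick `count` words with a CSPRNG (the `secrets` module, never `random`).

    `rng` only needs a `.choice()` method; it is a parameter so callers can
    substitute another generator, e.g. for deterministic testing.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    return " ".join(rng.choice(words) for _ in range(count))


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_upper_bound_bits(password: str) -> float:
    """Entropy the password would have IF it were a uniformly random string
    over its character set. Human-chosen passwords sit far below this bound:
    an attacker tries dictionary words with years and a trailing symbol long
    before exhausting the raw space, so "Summer2017!" falls quickly even
    though this function reports about 72 bits for it."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return entropy_bits(size, len(password))


if __name__ == "__main__":
    print("6 diceware words:", round(entropy_bits(DICEWARE_POOL, 6), 1), "bits")
    print("words for 80 bits:", words_needed(80))
    print("upper bound for 'Summer2017!':",
          round(brute_force_upper_bound_bits("Summer2017!"), 1), "bits")
    print("sample passphrase:", generate_passphrase())
```

Six words from the real list give about 77.5 bits, enough that an attacker cannot brute-force it even with the hash algorithm's cost removed, and the passphrase is still something a person can memorise. The one password you remember should be generated this way; every other password belongs in the manager and should be long, random, and unique.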
In the news this week, I'll tell you about a nasty bug in the Broadcom WiFi chips found in just about every smartphone on the market, and why you will be vulnerable on public hotspots until you install the fix. Popular password manager LastPass also fixed a serious flaw in their browser extension, though in this case you're probably already protected by the auto-update feature in your browser. And finally, I'll answer a listener's question about defending against ransomware and whether having a firewall will help.
Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security belt programs to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP.
For Further Insight:
Website: www.securityjourney.com
Follow on Twitter: @SecurityJourney
Facebook: https://www.facebook.com/SecJourney/
Additional Resources:
https://thehackernews.com/2017/04/broadcom-wifi-hack.html
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

Apr 5, 2017
🎧 Congress Just Sold You Out (Again)
This week I discuss the stunning repeal of Internet privacy provisions with Ernesto Falcon from the Electronic Frontier Foundation. Congress narrowly passed a bill that not only tosses out the regulations that would have given consumers much-needed transparency and choice in how their web surfing data is collected and used, but also effectively prevents any further regulations from being created. Mr. Falcon explains how we got here, what this means for you (the consumer), and what we can do about it.
One potential solution to this invasion of your privacy is using a Virtual Private Network (VPN) service. I discuss how VPNs work and how you can find a service that works for you. VPNs are not only good for hiding your web surfing from your nosy Internet Service Provider (ISP) and wireless carrier, they can also protect your data from snooping when you're connected to public WiFi networks. Keep in mind that a VPN moves your trust rather than removing it: the VPN provider can now see everything your ISP used to see, so choose one carefully.
Prior to joining EFF, Ernesto worked as a legislative staffer for two Members of Congress (2004-2010). He then became Vice President of Government Affairs at Public Knowledge where he advocated on behalf of consumers on copyright issues and broadband competition. During his tenure, Public Knowledge was successful in achieving one of the largest consumer victories in telecom policy by defeating AT&T’s merger with T-Mobile. The following year, PK and EFF scored a major victory for consumers by rallying the Internet community to defeat the Stop Online Piracy Act (SOPA).
After eight years in Washington DC, he returned to his home state of California to go to law school at McGeorge School of Law in order to strengthen his digital rights advocacy. Now, as an attorney, he is excited to rejoin the fight for consumers and Internet freedom.
For Further Insight:
Website: https://eff.org/
Follow on Twitter: https://twitter.com/EFFFalcon
FaceBook: https://www.facebook.com/eff/
Additional Resources:
http://www.privacyabroad.com/
https://www.eff.org/deeplinks/2017/03/congress-sides-cable-and-telephone-industry
https://thatoneprivacysite.net/vpn-section/

Mar 29, 2017
Protecting Your Privacy at the US Border
What are your rights at the border? It depends on your immigration status, and even US citizens will not enjoy their usual Constitutional rights in this situation. This is an important topic that should not be overlooked. I have an insightful and revealing discussion with Adam Schwartz from the Electronic Frontier Foundation about the recent escalation in US border searches of electronic devices. We'll discuss what's happening, how you can prepare for potential searches at the border, and why this is important for every citizen whether you plan to leave the country or not.
Adam Schwartz is a Senior Staff Attorney at the Electronic Frontier Foundation. Adam works to ensure that new technologies expand instead of shrink our privacy, freedom of speech, and other civil liberties. Before joining EFF, Adam worked as a Senior Staff Attorney at the American Civil Liberties Union of Illinois. Adam graduated in 1995 from the Howard University School of Law.
Also in the news this week: 600M iCloud accounts are purported to have been hacked. Are you at risk? And the Senate has taken the first step towards allowing your internet service and cell phone providers to once again do whatever they please with your web surfing and app usage data. I'll tell you how much you need to worry about these and what you can do about them!
For Further Insight:
Website: https://eff.org/
Follow on Twitter: https://twitter.com/EFF
Facebook: https://www.facebook.com/eff/
Additional Sources For You:
https://www.eff.org/wp/digital-privacy-us-border-2017
https://medium.freecodecamp.com/ill-never-bring-my-phone-on-an-international-flight-again-neither-should-you-e9289cde0e5f
https://act.eff.org/action/don-t-let-congress-undermine-our-online-privacy