

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Dec 2, 2019 • 10min
Phone and Voice Fraud, Twitter Account Purge, Adobe Magento Marketplace Data Breach
In episode 97 for December 2nd 2019: How to prevent phone and voice fraud, Twitter’s inactive account purge, and the Adobe Magento Marketplace data breach.
** Show notes and links mentioned on the show **
Don’t become a victim of phone and voicemail fraud
https://www.darkreading.com/7-ways-to-hang-up-on-voice-fraud—/d/d-id/1336427
Twitter’s inactive account purge
https://www.cnn.com/2019/11/27/tech/twitter-inactive-account-delete/index.html
https://twitter.com/TwitterSupport/status/1199777313300209664
Adobe Magento Marketplace data breach
https://nakedsecurity.sophos.com/2019/11/29/adobes-magento-marketplace-suffers-data-breach/
https://magento.com/blog/magento-news/magento-marketplace-security-update
https://nakedsecurity.sophos.com/2019/04/05/patch-now-magento-e-commerce-sites-targeted-by-sqli-attacks/
** Thank you to our sponsors! **
Silent Pocket
Visit https://silent-pocket.com to check out Silent Pocket’s amazing line of faraday bags and other products built to protect your privacy. As a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Edgewise Networks
Find out how Edgewise can stop lateral threat movement and prevent data breaches. Visit https://edgewise.net and request a demo!
** Subscribe and follow the show **
Sign-up for our email newsletter to receive our free Facebook Privacy & Security Guide, full transcripts of each weekly episode, contest announcements, and special offers from our sponsors: http://eepurl.com/dwcc8D
Subscribe on your favorite podcast app: https://sharedsecurity.net/subscribe
Contact us: https://sharedsecurity.net/contact
Website: https://sharedsecurity.net
Twitter: https://twitter.com/sharedsec
Facebook: https://facebook.com/sharedsec
Instagram: https://instagram.com/sharedsecurity
YouTube: https://www.youtube.com/channel/UCg9CCDIYkDDqwEZ3UYaxjnA/
The post Phone and Voice Fraud, Twitter Account Purge, Adobe Magento Marketplace Data Breach appeared first on Shared Security Podcast.

Nov 25, 2019 • 10min
Disney+ Hacked Accounts, Black Friday Scams, Android Camera Exploits
In episode 96: Thousands of Disney+ accounts have been hacked, Black Friday and Cyber Monday scams to watch out for, and the latest on new Android camera exploits affecting Google and Samsung smartphones.
** Show notes and links mentioned on the show **
Disney+ accounts hacked shortly after the service launched
https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums/
Find out which apps and sites offer two-factor authentication
https://twofactorauth.org/
KeePass – free password manager
https://keepass.info/
List of popular password managers
https://en.wikipedia.org/wiki/List_of_password_managers
Black Friday and Cyber Monday scams to watch out for
https://www.msn.com/en-us/money/personalfinance/black-friday-2019-how-scammers-use-gift-cards-hot-toy-deals-to-trick-you/ar-BBX2xEV?li=AA30Nm
How attackers could hijack your Android camera to spy on you
https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera
https://thehackernews.com/2019/11/android-camera-hacking.html
The post Disney+ Hacked Accounts, Black Friday Scams, Android Camera Exploits appeared first on Shared Security Podcast.

Nov 18, 2019 • 11min
Google’s Health Record Storage Controversy, US Border Search Ruling, Zelle Scams
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 95 for November 18th 2019: Google’s access to the medical records of millions of Americans, a new ruling on suspicionless searches at the US border, and details on a new scam using the popular money sharing app Zelle.
This week I read a news article about how more schools are either outright banning the use of smart phones or having kids put their phones in their lockers while in class. And while some kids may complain that they can’t use their device, teachers and school administrators are noticing that when there are no smart phones in school kids seem more engaged with their friends, less distracted, and even less stressed. I think this is a great idea and hope more schools start implementing similar policies, but did you know that as adults we have the power to do the same thing? When was the last time you “docked” your phone during the day so you could be more engaged and less distracted? Well, Silent Pocket has the perfect solution for this and it’s called a Faraday Bag. Simply place your smart phone in one of their stylish faraday bags and you have instant silence, privacy, and a quick way to be more engaged with the people around us. Pick up one today at silentpocket.com and use discount code “sharedsecurity” at checkout to receive 15% off your order.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
I realize that just a few weeks ago I talked about Facebook’s new preventive health tool that is apparently not collecting patient data, but this past week it was reported that Google actually does have access to detailed medical records on tens of millions of Americans. But don’t worry, Google says that it promises to not mix patient data with all of the other massive amounts of data that Google collects about its users. The Wall Street Journal reported that Google has partnered with a company called Ascension, which is the second largest healthcare system in the US, on a project to “collect and crunch the detailed personal-health information of millions of people across 21 states.” According to a statement from Ascension they say they are partnering with Google to improve the tools used by patients and caregivers as well as “explore artificial intelligence and machine learning applications that will have the potential to support improvements in clinical quality and effectiveness.”
So what kind of healthcare data are we talking about? Well, pretty much everything including names, birthdates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, and even some billing claims. Shockingly, it seems that this partnership does not violate HIPAA (the Health Insurance Portability and Accountability Act) as the law does allow hospitals to share data with business partners as long as the data is used to help carry out its health care functions. Personally, I think this is a fine line that Google and Ascension are walking here. I mean, does anyone else find it ironic that Google also just purchased FitBit for $2.1 billion dollars? Don’t you think that it’s going to be really tempting for Google to find ways to combine or analyze Fitbit data with the detailed health care data of tens of millions of Americans? It’s not too terribly shocking that Google is working with health care organizations, but with the risk of data breaches and the constant mishandling of privacy information by the large tech firms, are we willing to let Google handle our health care data too? Perhaps we have no choice in the matter but at least the government does. In breaking news last week the Department of Health and Human Services stated that they will be opening up an investigation with Google to ensure that HIPAA protections were fully implemented.
In privacy news this week, a federal court in Boston ruled that suspicionless searches of travelers’ electronic devices by federal agents at airports and other US ports of entry are unconstitutional. The ruling stemmed from a lawsuit made by the ACLU and the EFF on behalf of 11 travelers who had their laptops and smart phones searched at US ports of entry without being suspected of any crime. This new ruling means that the Customs and Border Control and Immigration and Customs Enforcement agencies need to now demonstrate individualized suspicion of illegal digital contraband before they can search a traveler’s device. As we’ve reported on previous episodes of the podcast, these agencies have been searching the devices of international travelers for quite some time now with really no rhyme or reason for doing so. And these searches have been done on US citizens as well, not just foreigners. Last year alone, the Customs and Border Control agency conducted more than 33,000 searches, which is almost four times the number of searches from just three years prior. This is a very positive development regarding the protections that the Fourth Amendment provides the countless numbers of travelers that come to the US each year. It’s also a win for everyone’s privacy as this ruling demonstrates that governments should not have the right to conduct suspicionless searches at border crossings.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
I’ve seen lots of news stories and even Facebook posts being shared by friends regarding a recent scam going around that uses the popular money sharing app, Zelle, to drain your bank account. This is the perfect time of year to talk about this because the holidays seem to increase the number and frequency of these scams. This one in particular is concerning because many people don’t realize that Zelle is probably already partnered with your current bank and automatically pre-built into your bank’s mobile app. In fact, every major US bank is partnered with Zelle so there is a very good chance that your bank is using it. Here’s how one version of the scam works. You’ll receive a call from what looks to come from your bank, even with the caller ID showing your bank name. If you answer the call you’ll be told that your bank has detected fraud on your account and they can take care of the problem right now on the phone with you. You’ll then be asked to tell them a code that they had just sent you over text message. Just like that, you’ll receive the text message with the code and when you repeat the code back to the caller, they will say all fraud charges have been reimbursed, and to have a nice day. Minutes later, the scammer uses the verification code that you sent them to create a Zelle account and within minutes, start to drain your bank account sending money to the attacker. In this case, the attacker has either already gained access to your online banking account or they are social engineering you over the phone so that they can gain access to your online banking account. Variations on this scam include asking you over the phone for personal details (like ones that would be in password reset questions), asking for your password, and other types of multi-factor authentication codes your bank may use.
There have also been reports of this scam starting with a phishing email which takes you to a site that looks like your bank in order to harvest your banking credentials with the attacker then calling you with the text message trick to enable your Zelle account.
I did my own research to find out if Zelle was installed on the mobile app for my bank and I was actually surprised that it was. Like everyone else, I never heard of Zelle before nor did I know my bank had built it into their mobile app. I also found out that there is no way to disable Zelle on my banking account! This is feedback that I’m definitely taking back to my bank, and so should you.
So what’s the best advice to avoid becoming a victim of this scam? First, your bank will never call you about fraud. Typically, if you have fraud alerts set up you’ll get a text message asking you to call them. Speaking of fraud alerts, always enable these as most banks these days have this option available. I also recommend never picking up a call that looks to come from your bank. Most likely this is always going to be a spoofed call. In fact, I actually recommend never answering your phone for any number you don’t recognize unless it’s a call that you’re expecting. Sad, I know, but this is unfortunately the world we live in. Lastly, never give out any personal information, passwords, two-factor authentication codes, credit card details, and other sensitive information over the phone if asked. Unless you 100% trust the person or company you’re talking to, you may be giving this information to a scammer.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Google’s Health Record Storage Controversy, US Border Search Ruling, Zelle Scams appeared first on Shared Security Podcast.

Nov 11, 2019 • 11min
Facebook Data Leaks, Smart Speaker Laser Attack, BlueKeep in the Wild
In episode 94 for November 11th 2019: Facebook’s Group API data leak and 7,000 pages of leaked Facebook documents, lasers that can control your smart speakers, and details about the BlueKeep vulnerability now being exploited in the wild.
Are you like most of us that have to be constantly checking our smart phones for the latest Tweet or Facebook update? How many of us are actually doing this while we’re driving? Distracted driving is one of the most common ways accidents and even deaths happen on the road these days and a lot of states in the US have started enacting laws prohibiting the complete use of smart phones while driving. It’s just not worth putting ourselves and others at risk so I’ve committed to not use my smart phone while driving, and so should you. One easy solution I recommend is to store your smart phone in a Silent Pocket Faraday Sleeve. It’s small enough to store in your glove compartment or arm rest and it’s quick and easy to use. Pick one up today by visiting silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”.
It seems that we can’t go a single week without reporting news about yet another Facebook data leak or controversy. This week is no exception as Facebook disclosed details about a leak of private group information such as post details, number of group users, and depending if group users opted-in: names and profile pictures. This data may have been accessed by about 100 partners which had video streaming and social media management apps integrated into certain Facebook Groups. Apparently, the issue happened when Facebook was restricting access to the Groups API back in 2018. Facebook said that they believe 11 of these partners had accessed group information in the last 60 days and that they would kindly ask all 100 partners to delete any Facebook user data that they may have collected. Facebook also stated that there has been no evidence that Facebook user data was abused in any way but will be conducting audits to confirm that said partners have deleted user data as requested.
In other Facebook news, NBC News released close to 7,000 pages of leaked documents that showed how Facebook was using user data as a bargaining chip with third-party developers. The data, which included 4000 internal Facebook emails, web chats, and documents show that Facebook would give certain types of user data to certain high-value customers while also restricting certain types of user data to rival companies. For example, Amazon got special access to more user data because they were paying for ads on Facebook and another company called MessageMe was completely cut off from user data because Facebook felt it was a competitor to its own Messenger product. Meanwhile, it was revealed that Facebook was using these moves to publicly show that they were protecting user privacy. This latest news is once again leaving Facebook in hot water with a continuing onslaught of lawsuits by former customers and government inquiries.
Oh, and on top of all this news, Facebook announced a new logo which I’m certain will make all of their privacy problems go away. The new logo, which is attempting to show that all of the Facebook “property” apps are similar, seems to be an attempt to make it harder for government regulators to break up Facebook if that day ever comes.
I’m not sure why, but whenever I hear about attacks using lasers I seem to think about Star Wars or that one scene from the movie Austin Powers, “Sharks with friggin’ laser beams attached to their heads”. In this case though, we’re talking about a team of security researchers who discovered a way to inject inaudible and invisible commands into smart speakers just by pointing a laser beam at the device. According to researchers from Japanese and Michigan universities, an attacker armed with a laser, only a few meters away from a smart speaker, can modulate the laser to create an acoustic pressure wave. This in turn tricks the microphone on a smart speaker into thinking that it’s receiving real audio. The vulnerability has been dubbed a “light-based signal injection” attack and every popular smart speaker is vulnerable including Amazon Echo, Siri, and Google Home. Not only that but researchers also tested the laser trick on popular smart phones that use voice assistants like an iPhone, Samsung Galaxy, and Google Pixel. These devices were vulnerable too but only at very short distances. On the flip side it seems that physical barriers like windows, distance, and of course your skill at aiming a laser all come into play when trying to exploit a vulnerability like this.
So should we all start to think about a laser defense system for our homes to combat this new risk? No, not really. First, I think research like this is often done to quickly grab media attention making it seem like the sky is falling. The term we use in the cybersecurity industry for this is called “stunt hacking” where some researchers come up with far-fetched hacks just to gain media attention or speaking slots at major cybersecurity and hacking conferences. Now, I’m not denying that this is a real vulnerability and it’s some pretty cool research, but once again, common sense applies. First, it may have never been a good idea to connect your smart speaker to your home alarm system, smart locks, and even your garage door without thinking someone else may be able to just speak to your voice assistant to bypass your security. Second, there is some equipment and technical knowledge that someone would have to research, configure, test and also have the perfect environmental and situational conditions to actually pull this off. Like we’ve mentioned before, if someone is going to break into your house, they are more than likely going to do this through breaking a window or opening an unlocked door instead of hacking your smart speaker with a laser.
The BlueKeep remote code execution vulnerability, which Microsoft patched for older unsupported systems like Windows XP back in May of this year, is now being found in the wild exploiting systems on the Internet through the Windows Remote Desktop Protocol (or abbreviated RDP). According to security researchers, vulnerable systems are being compromised so that cryptocurrency mining malware is installed. You may remember that earlier this year, warnings went out from Microsoft and even the National Security Agency about the seriousness of this vulnerability in that BlueKeep has the potential to be “wormable”. Wormable means the exploit could propagate from one system to another which would be similar to the infamous WannaCry worm in 2017. Security researchers Kevin Beaumont and Marcus Hutchins, who made the discovery that BlueKeep was in the wild, said that instead of this being a wormable threat it appears to only target exposed RDP servers on the Internet to only install cryptocurrency miner based malware. That is definitely good news as these recent attacks may be only limited to RDP servers that have exposed port 3389 to the Internet and have not patched for the BlueKeep vulnerability. However, 700,000 systems were found on the Internet that are not patched! Systems affected include unpatched versions of Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
So the lesson here, besides not having RDP port 3389 exposed to the Internet, is to always keep your systems patched and up-to-date. Also, pay close attention to end-of-life announcements when vendors like Microsoft say that a particular operating system like Windows XP is being unsupported because it’s so old and potentially vulnerable to attack.
The post Facebook Data Leaks, Smart Speaker Laser Attack, BlueKeep in the Wild appeared first on Shared Security Podcast.

Nov 4, 2019 • 11min
WhatsApp’s NSO Group Lawsuit, This Week in Data Breaches, Office 365 Voicemail Phishing
In episode 93 for November 4th 2019: The WhatsApp NSO group lawsuit plus details on Facebook’s preventive health tool, this week’s data breach news, and how attackers are using a voicemail to phish Microsoft Office 365 users.
Halloween may be over but this time of year doesn’t have to be scary when it comes to protecting your digital privacy. Silent Pocket makes it easy to protect your devices with their full line of faraday bags, wallets, and other accessories that will block all wireless signal. As a special treat for our podcast listeners you can receive 15% off your order right now at silentpocket.com using discount code “sharedsecurity” during checkout. No tricks involved in this exclusive offer.
Will Cathcart, the head of WhatsApp which is a Facebook company, wrote an op-ed for the Washington Post stating that WhatsApp has filed a complaint in US federal court against the infamous Israeli company, the NSO Group. You may remember that several months ago a serious vulnerability was found in WhatsApp in which malicious code was delivered via a seemingly innocent video call compromising the app and device. Through WhatsApp’s own investigation, in partnership with activist group Citizen Lab, they detailed how NSO Group servers, Internet-hosted services and certain WhatsApp accounts were traced back to the NSO Group during their investigation of the attacks. In addition, it was discovered that at least 100 human-rights defenders and journalists were targeted using this NSO spyware, most likely a form of Pegasus, which is known as the spyware of choice for nation states to target specific individuals. Of course, the NSO Group as expected, has denied any involvement in the attack. Check out our show notes for the link to the full federal complaint to read the details for yourself.
In other Facebook news, Facebook announced that they are developing new partnerships and programs to support people that want to connect with resources to support their health. One of those resources is something called the “Preventive Health Tool” available in the US. This new tool will allow Facebook users to find doctors, set appointment reminders to schedule tests, note them as completed, and much more. Facebook says that their reason for doing this is to spread more awareness about preventive care for things like cancer screenings. Now I’m sure the first thing you’re thinking is, will Facebook now have access to my health care data? Well Facebook says quote “Preventive Health allows you to set reminders for your future checkups and mark them as done, but it doesn’t provide us, or the health organizations we’re working with, access to your actual test results. Personal information about your activity in Preventive Health is not shared with third parties, such as health organizations or insurance companies, so it can’t be used for purposes like insurance eligibility” end quote. Now your next question is probably about how many more health care related ads will I start seeing on Facebook if I use this tool? Well Facebook has an answer to that and says quote “We don’t show ads based on the information you provide in Preventive Health — that includes things like setting a reminder for a test, marking it as done or searching for a healthcare location. As always, other actions that you take on Facebook could inform the ads you see, for example, liking the Facebook page of a health organization or visiting an external website linked to or from Preventive Health.” end quote. And that last sentence is key.
Ultimately, the more time you spend on Facebook, the more opportunity you have to see ads in general, but by also liking a page of a health care organization or visiting an external website you are still giving Facebook little pieces of information that can be used to track you and eventually, serve you…guess what? More ads.
In data breach news the world’s very first domain registrar, Network Solutions, disclosed a data breach in which a third-party gained unauthorized access to a number of computer systems in which account information (such as name, email, address, phone number, and services assigned to a customer) may have been accessed. However, according to the breach notice, no customer credit card data was compromised and they have hired a third-party independent cybersecurity firm to investigate the incident. If you’re not familiar with a domain registrar, these are the companies that supply domains (like .com and .net), website hosting, and email to individuals and businesses. Network Solutions, which is now owned by Web.com, was the very first company to operate the domain name system (aka: DNS) as a subcontractor for the US Government way back in 1991. Besides posting a breach notice, that for some strange reason isn’t linked from their main website, Network Solutions is contacting those customers affected and will require all customers to reset their passwords as an additional precautionary measure.
In related news, an open Elasticsearch database exposed 7.5 million Adobe Creative Cloud user records. According to the researcher who reported the issue to Adobe on October 19th, no sensitive details like passwords or payment data were found, but the data did include email address, the date the account was created, products used, and payment status. This is typically enough information to be used for targeted phishing attacks. In a statement from Adobe regarding the breach they note quote “We are reviewing our development processes to help prevent a similar issue occurring in the future” end quote. As we’ve seen countless times this year, open or unsecured Elasticsearch databases or Amazon S3 buckets are prime targets for attackers looking to harvest mass amounts of user data and either sell it on the dark web or use it for phishing attacks.
Speaking of phishing attacks, they seem to be getting much more creative and devious. We just talked on the show last week about how researchers found ways to use our Amazon Echo and Google Home smart speakers in phishing attacks against us! And this week, researchers at McAfee Labs identified a new type of attack that uses a fake voicemail message to lure victims into submitting their Office 365 email credentials. Here’s how the attack works. You’ll receive an email that looks to come from Microsoft stating that a call was missed and that the caller left you a voicemail. Attached to the email is a file which will automatically play an audio recording that appears to be a very short voicemail saying “Hello” and nothing more. After the recording ends you’re told that in order to hear the rest of the voicemail you need to login with your Office 365 credentials. The login page looks just like the Office 365 login page but…you know better, right? And according to McAfee Labs, it’s not just one type of phishing kit that is using this voicemail trick; two others were found for sale on the dark web leveraging the same technique. Now regardless of new phishing techniques being used like this one, always look at the URL of any landing page to see if it’s actually legitimate before entering your credentials, and even better, don’t click on links in suspicious emails in the first place.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post WhatsApp’s NSO Group Lawsuit, This Week in Data Breaches, Office 365 Voicemail Phishing appeared first on Shared Security Podcast.

Nov 1, 2019 • 35min
Firewalla Review, 15 Most Dangerous Apps for Kids, Rise of the Deepfake
In episode 93 of our monthly show we review the Firewalla home network device, talk about the 15 most dangerous (or scary) apps for kids that parents need to be aware of, and the rise of the “deepfake”! Watch the recording of our live stream on YouTube (we’re not sure what happened with Scott’s out-of-sync and choppy video so we apologize for our technical difficulties):
Here are the show notes and links to articles discussed during the show:
Tom’s review of the Firewalla home network protection device
Description of the Firewalla Blue and Firewalla Red
Firewalla router compatibility list
Information about compatibility with mesh routers like Google WiFi
Charts and graphs regarding network usage in the mobile app
Information about activity and parental controls
Buy one on Amazon
15 Most Dangerous Apps for Kids
Article with the list of apps mentioned on the show
The Rise of the Deepfake
Deepfake video of Mark Zuckerberg
Guardian article about “The rise of the deepfake and the threat to democracy” which also has the clips of the Jimmy Fallon deepfake and Nancy Pelosi edited video (not a deepfake)
Please support our sponsors, Silent Pocket and Edgewise Networks:
Looking to up your privacy and security game while you travel? Then you need to check out Silent Pocket’s patented product line of faraday bags, wallets, backpacks, and other accessories at silentpocket.com. Be sure to use discount code “sharedsecurity” at checkout to receive 15% off your order.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.

Oct 28, 2019 • 13min
Nord VPN Security Incident, Smart Speaker Phishing, Apple iOS 13 Privacy Features
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 92 for October 28th 2019: Details on the Nord VPN security incident, using Amazon Echo and Google Home smart speakers for phishing attacks, and new privacy features in Apple iOS 13 you should know about.
What does it mean to go off the grid? For most of us who are constantly relying on our phones, tablets, and laptops it means shutting them off and doing some other activity like enjoying nature or spending valuable time with friends and family. I don’t know about you, but I struggle with turning off or putting down my phone because I’ve become so tied to it. I mean, have you ever forgotten your phone at home while you were driving to work, or did you happen to find yourself in the wilderness or somewhere where you can’t get a cell phone signal? How did this make you feel? I know I have had that awkward feeling of “what if someone tried to message me?” or “how will anyone get ahold of me in an emergency?” In fact, how many of you would drive back home to retrieve your phone or walk around until you found a cell phone signal out in the middle of nowhere? Look, it’s hard to go off the grid, but the good news is that there are products that can help. That’s why I recommend using a Silent Pocket Faraday bag which can instantly block all wireless signals, quickly taking you off the grid. Check out their full product line at silentpocket.com. And because you listen to this podcast, remember to use discount code “sharedsecurity” at checkout to receive 15% off your order.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Popular VPN service provider Nord VPN disclosed that they were the victim of a security incident which happened about 16 months ago, back in March 2018. The attack compromised a server in Finland in which attackers were able to access encryption keys which could have been used to potentially decrypt user traffic, launch man-in-the-middle attacks, and even impersonate the nordvpn.com website. Attackers were able to access the server by exploiting an unnamed remote management system that was being used by the data center that housed one of the Nord VPN servers. One of the certificates the attackers gained access to was one that provides HTTPS encryption for nordvpn.com. This certificate wasn’t set to expire until October 2018, seven months after the breach. This means that for months, attackers could have been luring unsuspecting victims to phishing sites thinking they were signing up for or accessing nordvpn.com. And to make matters worse, details about the incident have apparently been floating around underground forums on the Internet since May of 2018.
Nord VPN posted a blog about the incident and stated that no user accounts or user data were affected and that no one attempted to monitor user traffic in any way. They also stated that the only attack possible would have been a personalized and highly sophisticated man-in-the-middle attack to intercept a single connection. They also restated that they are a “no logs” VPN provider, so there would be nothing for an attacker to see anyway. This is contrary to what others in the media and security research community are saying, noting that man-in-the-middle attacks are not that hard to pull off and that these types of attacks are actually what VPNs are supposed to help protect users from. The Nord VPN blog post also seemed to pass complete blame for the incident to the third-party datacenter which housed the server that was accessed. Nord VPN also stated that they did not disclose the breach to their customers and to the public quote “until we could be sure that such an attack could not be replicated anywhere else on our infrastructure.” They also stated that they are preparing a bug bounty program and also conducting internal and external audits of all systems. In related news, two other VPN providers, TorGuard and VikingVPN, also disclosed that they too had been hacked and that encryption keys were also stolen around the same time period.
The lesson here is that, besides a VPN provider perhaps not disclosing a breach or incident in a timely manner, the bigger issue here is twofold. First, understand that a VPN is not an end-all, be-all solution to protect your privacy, contrary to what many of these VPN companies may say in their advertising. As seen with this incident, anyone can become a victim when there is a third party involved, like an insecure remote management application which is managed by someone else. One perspective is that this incident wasn’t Nord VPN’s fault, especially since they had no control over what the datacenter uses for remote management. However, it’s a lesson for all of us that we inherently trust many different types of third-party companies with access to our information, and unfortunately we have no control over how they secure these systems and ultimately how they protect our information.
We always seem to be talking about these smart speakers like Amazon Echo, Google Home, and Siri having lots of privacy issues. I mean, why not? We’ve all placed these devices all over our house because we see some value in what they do for us, right? But usefulness aside, do they have the potential to become “Smart Spies”? Well, last week German security researchers from a company called Security Research Labs just added phishing to the list of privacy concerns with these devices. The researchers created several “malicious” apps delivered through “Skills” for Amazon’s Echo devices and “Actions” for Google Home voice assistants. These apps were designed to maliciously phish for sensitive information like passwords and also eavesdrop on users after they believe the smart speaker has stopped listening. The apps that were built were a seemingly innocent horoscope app called “My Lucky Horoscope” and a random number generator app. Both types of apps even passed review by Amazon and Google. Here’s how the eavesdropping attack works. First, you need to install the skill that allows Alexa to generate a random number. Alexa then responds with a random number for you, but the skill does not end and Alexa continues to record. The researchers also showed how whatever is recorded is transcribed and sent directly to the app developer. Now adding phishing to this same attack is even easier. Let’s say you ask Alexa for your daily horoscope. Alexa responds with an error that this skill is not available in your country, a long pause ensues, then Alexa tells you an update is available for your device. Alexa prompts you to say “start update, followed by your Amazon password”. And there you have it, everything you say is recorded, transcribed, and sent to the attacker. The phishing possibilities are nearly endless.
Now obviously this was done to prove a point of what may be possible with these devices, and there is no indication that malicious apps like these exist, at least not right now. The good news is that the researchers did send their test results to Google and Amazon. Both companies responded stating that they are changing their approval process to prevent skills and actions from having similar capabilities in the future. So what do you think? Does this latest privacy concern outweigh the benefits of using these smart speakers? Or will we all continue to put these potential “smart spies” in our homes?
And now a word from our sponsor, Edgewise Networks.
Apple iOS 13 has been out for about a month now and I wanted to highlight a few really helpful privacy features that all Apple device owners should be taking advantage of. First are new pop-up notifications whenever an app is tracking your location. For example, apps like Facebook, Uber, or Google Maps have the ability to track your location, even if you don’t have the app open. Your device will now notify you if a particular app is tracking your location, tell you how long it’s been doing this, and show a map of the locations the app has tracked. You now have the option from this pop-up to select “Change to Only While Using” or “Always Allow”. Now this setting has been available manually in your settings for the last few years, but now with iOS 13, Apple made the change to more prominently show apps that track your location.
Similar to the location tracking pop-up, you may also see a pop-up for apps that want to use Bluetooth wireless. For example, you may see apps that ask to use your Bluetooth that, well, don’t have any use for Bluetooth at all. Why is that, you may ask? Well, many apps are using Bluetooth to track your location when visiting stores or other public venues, and these stores may be using wireless beacons to know that you visited a particular location. Yes, this is very creepy, and unless you have an app that requires Bluetooth (like a wireless speaker system) you should always deny the app access to your Bluetooth. Lastly, there is a new setting in iOS 13 called “Silence Unknown Callers” that can help fight spam calls and robocalls by sending them directly to voicemail. The nice thing about this feature is that calls that come in from an unknown number won’t ring and will go straight to your voicemail. However, keep in mind that if a caller’s number isn’t one you’ve called previously or one in your contact list, you may miss that call with this setting enabled. My advice is to always add the numbers of anyone that calls you to your contacts so that your phone always rings for calls you are expecting.
If you want to manually see which apps on your Apple device are tracking you open Settings, choose Privacy, select Location Services, and change the location tracking setting for each app. To manage which apps have access to your Bluetooth, open Settings, open Privacy, and choose Bluetooth. To turn on “Silence Unknown Callers” open Settings, choose Phone, and toggle the “Silence Unknown Callers” button to on.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Oct 21, 2019 • 11min
Pitney Bowes Ransomware Attack, Samsung Galaxy S10 Fingerprint Bypass, Top Technology Fears
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 91 for October 21st 2019: Pitney Bowes becomes the latest ransomware victim, what are the top technology fears, and the latest on the vulnerability that allows a Samsung Galaxy S10 to be unlocked with anyone’s fingerprint.
Smart phones and other mobile devices have truly become integrated with our daily lives. So much so, in fact, that these devices are causing a new type of stress injury called “text neck”. Text neck is a stress injury that causes pain in your neck from excessive use of, or texting on, a mobile device over a long period of time. This condition is increasingly concerning given that all of us seem to be looking down at our devices every minute of every day. Just take a look around you whenever you’re out in public. Our mobile devices have truly become a “pain in our neck”. So if you want an easy way to prevent this condition, try taking more breaks away from your device and simply put your device down so you are less tempted to use it. And if you want an easy way to get off the grid for a while, put it in a Silent Pocket faraday bag. The nice thing about this solution is that you don’t even have to power off your device! Check out Silent Pocket’s full line of faraday bags and wallets at silentpocket.com and receive 15% off your order during checkout using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Last week shipping and postage provider Pitney Bowes, which serves 90% of businesses in the Fortune 500, was the victim of a ransomware attack preventing customers from adding postage to packages and may have even impacted some mail delivery at the US Postal Service. In a statement the company said quote “Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” end quote
Pitney Bowes is best known for its postage meters, which automate the painful process of putting postage on envelopes and packages. Some customers took to Twitter during the outage showing postage meters and associated software with errors and confusing messages about “system faults”. Apparently the meters would still work up until you had to refill funds in order to print out more postage. Check out our show notes for a link to the latest updates from Pitney Bowes on the status of their systems. In related news, late last week business credit rating agency Moody’s issued a “credit negative” event note regarding the ransomware attack, meaning the credit agency is cautiously watching the incident but has yet to issue a ratings downgrade. Ratings agencies like Moody’s are commonly referenced by investors, and negative ratings can make it more difficult for a company to raise money and can drive the stock value down. This news is pretty significant in that ratings agencies are now monitoring companies for data breaches and other cybersecurity incidents and issuing ratings adjustments based on the impact of the incident. Just last May, Moody’s downgraded Equifax’s outlook to negative because of the massive data breach that we all know and love. And ironically, Equifax’s outlook remains negative for the foreseeable future.
Ransomware attacks like these are continuing to rise, mostly because a lot of companies are paying the ransom because they feel they are left with no other option. The more companies pay, the more incentive there is for attackers to continue finding victims. The advice from law enforcement and the cybersecurity community is to never pay the ransom because there is no guarantee that you will get your data back. Rather, contact law enforcement or a third-party cybersecurity professional to help get your data back in other ways. For example, there is a site run by a security researcher called “ID Ransomware” which (as of this podcast recording) can decrypt 771 different types of ransomware by uploading the ransom note or sample encrypted file. This is a free service by the way and you have a much better chance of getting your data back by using a free service like this than ever paying the ransom.
A recent survey of about 1,000 Americans from security solutions company Cove revealed people’s modern day safety and cybersecurity fears by gender, generation, and political party. Among the most interesting findings, four in five parents said that they were worried about raising their kids in today’s world, which included things like talking to strangers online, cyberbullying, and sharing personal information online. These things even ranked higher than parents’ concerns about mass shootings. Surprisingly, social media was seen as the most harmful of modern technology when it comes to safety, while security cameras were considered the most helpful. Voice-enabled assistants like Amazon Echo, Google Home, and Siri ranked second in terms of being harmful for safety, followed by autonomous cars, facial recognition, wearable technology (like Fitbits and Apple Watches), and last was security cameras. Not surprising is that data breaches are the largest technology fear, followed by election hacking. From a privacy perspective, only 3% of those surveyed were worried about their personal information being sold to advertisers.
One of the most interesting results of the survey was that Generation Z, the demographic of individuals born in the mid-1990s to early 2000s and known as the most tech-savvy generation, didn’t really have safety concerns with technology; rather, almost half reported that their biggest fear was walking in public alone at night. It seems that some traditional fears are still very valid in a world filled with technology.
And now a word from our sponsor, Edgewise Networks.
In late breaking news last week, a British couple discovered a serious flaw in Samsung’s popular Galaxy S10 smart phone which could be unlocked by using anyone’s fingerprint. According to reports from several British news outlets, a cheap screen protector is all that’s needed to bypass Samsung’s most advanced authentication system, which back when the phone was launched in March was touted by Samsung as “revolutionary”. The technology uses ultrasound to detect the 3D ridges of fingerprints, and apparently some screen protectors leave a small air gap between the phone and the user’s finger. In a statement to BBC News, Samsung says that they are aware of the issue and will soon issue a software patch. In the meantime, South Korean bank Kakao Bank has told their customers to turn off fingerprint scanning completely until a patch is issued.
This is the first major authentication related issue that I’ve heard of for Samsung in recent years. Typically, we’ve seen many passcode bypasses and other fun tricks with Apple iOS devices. In fact, we just talked about one back in September on the podcast which would allow you to bypass the passcode to view the contacts on someone’s device. This recent news though goes to show you that these types of vulnerabilities happen to other manufacturers besides Apple. So now it’s time for Samsung to share the love of fixing a very significant security and privacy vulnerability.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Oct 14, 2019 • 12min
Hong Kong Protests, Instagram’s Anti-Phishing Tool, Smart Device Fail
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 90 for October 14th 2019: How protesters in Hong Kong are avoiding facial recognition, Instagram’s new anti-phishing tool, and my recent epic smart device failure incident.
Being a frequent traveler myself, I’m always surprised at how many people at airports are not very aware of their privacy. Just last week while I was waiting for my flight I listened as someone gave their credit card number over the phone, and another person had their laptop open and I was able to see a presentation they were working on which looked to have very sensitive business information. The message here is that we always need to be aware of our surroundings and be careful what we say or expose when we’re in a public place like an airport. And if you’re a privacy aware traveler like me, I highly recommend using Silent Pocket’s product line of faraday bags, backpacks and wallets which are built with your digital privacy in mind. Check them out at silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Violent protests continued in Hong Kong last week with the local authorities implementing a new anti-mask law which targets protesters wearing masks to avoid being recognized by the police and surveillance cameras. Now such bans are nothing new, as Sri Lanka, France, the Netherlands, and Canada have similar controversial bans as well. Some protesters have even been seen wearing face paint in the form of Pepe the Frog, which has recently been adopted as an international symbol of liberation for the Hong Kong protesters. Some protesters are even using laser pointers as a way to disable facial recognition technology or make it harder for that technology to identify them.
In related news, Apple has been criticized for removing an app from the Apple App Store because of pressure from the Chinese government. The app allowed protesters to crowdsource the locations of police. Apple is just the latest US based company joining the ranks of the NBA and the video game company Blizzard, which have given in to Chinese pressure. This is very unfortunate, and while I don’t bring up politics too much on this show, freedom loving people and companies should be supporting the protesters. And as a reminder, you as a consumer have a choice on what products and entertainment you spend your money on.
Now I bring up the Hong Kong protests because we all need to know that the technology governments possess in order to identify protesters should be concerning to all of us. So when does the use of this technology truly become an invasion of our privacy, all in the name of more security? Perhaps we’re already there. The good news is that we are seeing more privacy laws that several states in the US are now implementing. Just last week the state of California signed a bill into law that prevents police from using facial recognition technology on video recordings gathered by police officers. The bill states that quote “The use of facial recognition and other biometric surveillance is the functional equivalent of requiring every person to show a personal photo identification card at all times in violation of recognized constitutional rights.” end quote. I think this is a positive sign that, at least in the US, facial recognition is beginning to become more regulated.
Instagram has added a new security feature which will help you identify if an email was sent by Instagram or may be a phishing email. Here’s how this feature works. Let’s say you receive an email claiming to be from Instagram. You can now see if Instagram sent you that email by going into the “Emails from Instagram” option in your app’s settings. Within this setting you’ll be able to see every email that was sent to you by Instagram over the last 14 days. The new feature also separates emails into two categories: security emails and other. If you see an email that matches what’s in your inbox, then you can assume that this was a legitimate email. As you know, phishing emails are a constant threat, and some recent Instagram phishing attacks are looking so legitimate that it’s very difficult to identify a real email vs. a fake one. Be on the lookout for this new and welcome security feature to show up in your Instagram account over the next several weeks.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Researchers last week disclosed a severe remote code execution vulnerability in a range of popular consumer grade D-Link WiFi routers. Routers affected include model numbers DIR-655, 866L, 652, and 1565, which all came out 7-10 years ago. The vulnerability was found in the authentication process of the login page of the router and can allow an attacker to access the admin credentials or install a backdoor. D-Link responded to the researchers’ report noting that because these routers are at “End of Life” support, no patch will be released for these devices. And this is part of the problem with the “Internet of Things” which is, what happens to our devices which are later found to be vulnerable to attack and the manufacturer stops supporting them? And how are customers notified that their devices are end of life and that they should stop using them due to serious security issues? Oh, and don’t think this is a problem specific to D-Link. This can happen to any smart device like this, including web cams, printers, and really any device that is part of the Internet of Things.
Speaking of Internet of Things devices, I wanted to share with you a story that happened to me just last week when I was traveling. So I stayed in a newer hotel that has those “smart locks” on your room door where you can unlock the door with your phone. Now in full transparency, I haven’t yet used my phone to unlock my room door when I travel since I’d just rather stick to the key card that they give you when you check in. I’m really not that paranoid. Well, after hanging out with my co-workers, watching the Cleveland Browns lose yet another football game, I headed back to the hotel, went up to my room and found out that my key card wasn’t working when trying to open up the door. So I went back down to the reception desk, they issued me a new key card, and I proceeded to try again. Guess what, no luck. So I used the lobby phone by the elevators to call down to the registration desk, letting the attendant know that my card was still not working. The attendant proceeded to tell me that the battery for the card reader on the door was probably dead and that she would be right up to check it out. As she walked to my room I noticed that she had what looked like a battery pack with a small USB mini connector. She proceeded to try to plug this battery pack into the bottom of the card reader in an attempt to “charge” the battery so that the reader could quickly be powered just enough to read the card. Well, that didn’t work either, so she had to call maintenance to find out how to get the door open. She also proceeded to tell me that they would most likely have to drill a hole through the connecting door, which is the door that most hotel rooms have to create one large room, and displace myself as well as the occupants in the room next to me so that I could get my stuff out.
So, it was midnight, I was tired and just wanted to go to bed. I was told the maintenance guy was about 30 minutes out, so I sat in the lobby and waited. The maintenance guy gets there and I see him with a drill and a very large drill bit as he headed up to my room with the hotel attendant. I’m thinking the worst at this point, and about 10 minutes later the other desk attendant tells me that the maintenance guy just called down to say that they were able to successfully open the door. Awesome! So I head up to my room and the maintenance guy tells me that he was able to get the backup battery connected by using pliers to pull out the connector so that he could connect the battery pack. Apparently, the connector was broken. Now I had several questions at this point. First, why was there not a failsafe for these door locks when the battery fails? He said that they would have to drill through one of the doors, that’s the only option. There was no key backup or any other way to get in the door. Now my next question was, so let’s say someone was having a medical emergency, called 911, and couldn’t get to the door to let paramedics or the police into the room? If the battery to the door is dead, the only option is to break the door down! I was a bit surprised by this, thinking of the potential liability that this may leave the hotel, but the more I thought about it…this is the reality that we live in. While these smart locks should probably have a third failsafe, like a key, situations like these should make you think about what happens when the technology we rely on fails and what manufacturers should think about when developing smart devices like these locks. And if you’re wondering, I did finally have a good night’s sleep.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Hong Kong Protests, Instagram’s Anti-Phishing Tool, Smart Device Fail appeared first on Shared Security Podcast.

Oct 7, 2019 • 9min
Microsoft OneDrive Personal Vault, Google’s New Privacy and Security Controls, REAL ID Deadline
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 89 for October 7th 2019: Microsoft’s new OneDrive personal vault, updated privacy and security controls announced by Google, and the TSA’s announcement about the REAL ID deadline next year.
I have a question for you. What’s in your daily carry? Now I’m not talking about your concealed weapon of choice (if you do legally choose to do so) but I’m talking about your wallet, backpack, clutch, or other travel accessory. If you’re looking to upgrade to something that’s high quality, fashionable, and built with your digital privacy in mind you need to check out Silent Pocket. Visit their full line of products at silentpocket.com and use discount code “sharedsecurity” at checkout to take 15% off your order.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Microsoft has increased the security and privacy of its OneDrive cloud storage service with a new feature called a “Personal Vault” which is now available worldwide for all OneDrive users except for those on business plans. Personal Vault is a protected area in OneDrive that requires additional authentication, like biometrics, a PIN code, or SMS-based two-factor authentication, in order to access and store files. Microsoft has stated that on Windows 10 devices files that are stored in Personal Vault are synced by default to BitLocker-encrypted locations, and that the vault will lock automatically after 20 minutes by default. I think the real security advantage here is on mobile devices where the OneDrive app will let you scan files or take pictures and video and store them directly into your Personal Vault instead of your camera roll. And because data that is stored in OneDrive is encrypted at rest and in transit, it seems to be a nice addition to increase the security and privacy of your most sensitive data, like storing a picture of your driver’s license, passport, birth certificate, or other electronic documents you should protect. One disappointment though: if you have a free OneDrive account or one that you recently upgraded to one of Microsoft’s standalone 100 GB plans, you can only store a maximum of three files in your Personal Vault. To store more, you’ll need to upgrade to an Office 365 Personal or Home subscription. I guess according to Microsoft, much needed personal file security and privacy comes with an additional cost.
There were lots of new privacy and security updates from Google last week which include new features and improvements to give you more control over your data and to make privacy and security controls more seamless across all of Google’s products. First up is the new feature which allows you to auto-delete your YouTube browsing history at a set time period of 3 months or 18 months, or the ability to just delete your history manually. Next, Google has integrated a password checkup tool into the Google Password Manager which will let you know if your passwords are weak, reused, or have been compromised in a previous data breach. This is similar functionality to what Firefox rolled out a few months ago by integrating with Troy Hunt’s ‘Have I Been Pwned’ service. In addition to these improvements you’ll be able to tell the Google Assistant to delete what you just said or delete a recording from a specific time period, like last week, and Google has added incognito or private mode to Google Maps, which removes any personalization and search history, which won’t be linked back to your Google account.
In other related Google news, Google has been lobbying Congress to let them start forcing Chrome users to automatically use DNS over HTTPS. If you’re not familiar with what DNS over HTTPS is, well, it means that when you type a URL like google.com into your web browser, the query for google.com gets encrypted, therefore not allowing your ISP (or someone else monitoring your Internet connection) to view the sites you’re going to on the Internet. Keep in mind that this is slightly different than full HTTPS encryption, where the contents of data that you send and receive from sites on the Internet is encrypted. Think of DNS over HTTPS as an add-on that will increase the overall security and privacy of the Internet. My take is that I think this and all the recent changes that Google is making are really needed. I don’t know about you, but I feel lately that perhaps Amazon, Apple, and now Google are playing a game of “privacy catch up” given how data breaches and privacy concerns are all over the news as of late. Let’s hope this trend continues.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
My last story this week is a friendly public service announcement from the Department of Homeland Security. They want to remind you that if you intend to travel by air in the US a year from now you’ll need to upgrade to a “REAL ID” compliant driver’s license by next October 1st 2020. Standard state issued driver’s licenses will not be accepted when going through TSA security screening, so you will have to use a REAL ID compliant license or use a current US passport, Global Entry card, or military ID to board a flight in the US.
The TSA has been hitting the media to let everyone know about this now to avoid a chaotic situation at the airport with TSA lines, aggravation and the financial impact when people with non-refundable airline tickets are turned away next October.
The REAL ID Act was passed after 9/11 as a way to make driver’s licenses harder to obtain by terrorists. You can tell a REAL ID from a regular driver’s license by the “star” located in the top right corner. But the biggest difference from a traditional driver’s license is that you need to submit four forms of identification, including two with your address. Valid forms of ID can include a valid driver’s license, passport, Social Security card, birth certificate, utility bill, payroll stub, rent or mortgage payment, or a military ID. If you happen to live in Oregon, Oklahoma, or New Jersey you will have less than a year to get a REAL ID since these states are behind and have not yet implemented REAL ID. Check out our show notes for a link from the TSA to find out more information about REAL ID and the October 1st 2020 deadline.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Microsoft OneDrive Personal Vault, Google’s New Privacy and Security Controls, REAL ID Deadline appeared first on Shared Security Podcast.