

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.

Oct 1, 2019 • 33min
Amazon Smart Glasses, Webkey Social Engineering, Erase Your Old Hard Drives!
In episode 92 of our monthly show, Tom and Scott talk about Amazon’s new smart glasses that work with Alexa, what webkeys are and how they could be used for social engineering, and why you should always erase old hard drives and other data storage before selling or giving away computers and other electronics.
Looking to up your privacy and security game while you travel? Then you need to check out Silent Pocket’s patented product line of faraday bags, wallets, backpacks, and other accessories at silentpocket.com. Be sure to use discount code “sharedsecurity” at checkout to receive 15% off your order.
Here are the show notes and links to articles discussed during the show:
Give a listen to our 10 year anniversary episode, and our interviews with Aaron Zar from Silent Pocket, and Max Krohn from Keybase.io.
A first look at Amazon’s new AirPods competitor, smart glasses and ring
“Another experimental product is Echo Frames, but I think these have legs. These aren’t augmented reality glasses like Microsoft’s Hololens or Google Glass — there’s no display on them, and no camera like Glass had. Instead, you talk to the glasses and Alexa talks back to you. They make more sense than the Echo Loop, since the speakers are right near your ears and you don’t need to raise a hand up to listen.”
Amazon has had lots of privacy issues around Alexa recordings including how contractors have been listening to these recordings and that you can only manually delete your recordings one at a time. Amazon’s privacy policies are starting to change! Check out our latest episode of the Weekly Blaze for more details.
What is a Webkey?
“USB webkeys (USB web keys) are a great way of getting people to remember your logo, yet it saves the trouble of remembering a lengthy URL. Plug the Webkey into a USB port and your pre-programmed website automatically launches — just like magic! If you’ve read Harry Potter, you’ll appreciate this Muggle equivalent of the Portkey. The USB Web key is a low cost alternative to USB flash memory devices, and an effective way of promoting your company, new product launch, training material, or recruitment campaign. It’s available in various shapes. The USB Web key is pre-programmed with the URL (may up to 110pcs characters) that you provide. Every device is guaranteed to be virus free.”
Here’s the Twitter thread that Scott mentioned on the show about the webkey given out at the information security conference:
A great physical/cyber #socialEngineering experiment. A honey webkey!
Wonder how many inserted this? Did the #InformationSecurity folks approve of this marketing tactic?
Hey, @agent0x0 @streetsec the next gen beyond #HoneySticks => #HoneyPhones for you. https://t.co/u9B1vR6Iaj
— Rebecca Herold (@PrivacyProf) August 22, 2019
Study: 3 in 5 secondhand hard drives still contain previous owner’s data
“59 percent of secondhand hard disks sold on marketplaces like eBay are not properly wiped and still contain data from their previous owners, according to a new study by the University of Hertfordshire and commissioned by Comparitech. We purchased 200 used hard drives from online marketplaces, secondhand shops, and conventional auctions: 100 in the USA and 100 in the UK. University researchers then performed forensic analysis to determine whether any attempt had been made at deleting the contents of the drive and whether those attempts were successful.
We uncovered a wide range of sensitive and private information left by previous owners. The remnant data included, among other things, employment and payroll records, family and holiday photos, business documents, visa applications, resumes and job applications, lists of passwords, passport and driver’s license scans, tax documents, bank statements, and lists of students attending senior high schools.”
Here’s a great guide we talked about on how to erase/wipe most electronic storage including SD cards.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.

Sep 30, 2019 • 9min
DoorDash Data Breach, Voice Assistant Privacy Changes, Limiting Ad Tracking
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 88 for September 30th 2019: DoorDash announces a data breach affecting 4.9 million people, recent voice assistant privacy changes, and ways that you can limit ad tracking on your mobile device.
Are you a frequent traveler that wants a high-quality, fashionable backpack that keeps your digital privacy in mind? Then you need to check out Silent Pocket’s new Faraday Bag Waterproof Backpack. Check it out at silentpocket.com as well as their other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Popular food delivery company DoorDash said in a blog post late last week that 4.9 million customers, delivery workers, and merchants had their information stolen through a third-party service provider who was not named. Data stolen included name, email and delivery address, order history, phone numbers, last four digits of their credit card or bank account, and hashed (and salted) passwords. Users who joined the service prior to April 5th 2018 were affected by this breach and to add insult to injury about 100,000 delivery workers also had their driver’s license information stolen as well. And if that wasn’t enough, this news ironically comes almost a year after many DoorDash users complained that their accounts were hacked. At the time, DoorDash denied that there was a breach and blamed it on credential stuffing attacks, where attackers use user names and passwords previously exposed through known data breaches, then use those credentials on other sites like DoorDash. This is basically a way to pass blame to the user for selecting poor passwords. I think DoorDash has a little bit of explaining to do as we now add this latest breach to the long list of breaches that we’ve had just this year alone. If you happen to be a DoorDash customer check out our show notes for a link to the official news release about the breach for more information.
Several weeks ago on the podcast I talked about how Apple was changing the way that contractors were analyzing recordings from Siri as part of their “grading” program due to privacy concerns around sensitive and private conversations that were recorded. You may recall that this was also a huge problem for Amazon and Google’s voice assistants as well. Well this past week, Google announced significant changes to how their product, the Google Assistant, handles voice recordings. First, Google says that your audio data is not stored by default and that if you do want it stored, so that it can be used to help improve the Google Assistant, then you can opt in to this feature. Second, Google has updated their audio settings to highlight that when you choose to opt in you can choose to opt out and for existing users that have chosen this already, a chance to review and change the setting if you would prefer. Third, Google said that recordings are never linked to a particular user and that only .2% of all audio recordings are ever analyzed by someone. Lastly, the Google Assistant will automatically delete any audio data when it realizes that it was activated unintentionally. In addition, Google is making changes to their data retention policy so that audio data older than a few months is deleted.
And in late breaking news last week, Amazon released several new Echo related products to the market and also announced several new privacy improvements as well. First, Amazon has added two new commands to its Alexa voice assistant in which you can now say “Alexa, tell me what you heard” and, “Alexa, why did you do that?”. The tell me what you heard command lets you know what exactly Alexa is listening to and “why did you do that” is meant to give you more information if Alexa does something random like play a song out of nowhere. In addition, Amazon will now allow people to delete Alexa voice recordings on a rolling 3-month or 18-month basis and is allowing users to opt-out of human reviews of voice recordings. These changes now put Amazon along the same lines as Apple and now Google with current privacy settings of these popular voice assistants.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Did you know that there is a setting on our mobile devices which gives us more control over targeted advertising? I wanted to bring this up on the show because we typically only think about the privacy settings in the apps we use, like Facebook, but Android and Apple iOS also have a very important setting that you can enable at the device level to help limit the information advertisers can obtain about you and your device. How it works is that both Android and iOS have something called an “ad ID” which gets linked to data that advertisers collect from you from the apps that you’re using. This “ad ID” was created in an attempt to reduce the amount of information about your device, such as things that can’t be changed, like your unique device identifier and Wi-Fi MAC address. Advertisers leverage this ID instead so that they can have a unique identifier about you and your device without giving away all these other details. By default this “ad ID” is enabled on your device (which is a good thing) but by turning on a setting called “Opt out of Ads Personalization” on Android or “Limit Ad Tracking” in Apple iOS this ad ID is randomly changed or zeroed out. On Android, this setting only changes your ID but in iOS, the ad ID is set to all zeros. To make this change in Android go to Settings > Privacy > Advanced > Ads and turn on “Opt out of Ads Personalization.” On iOS, go to Settings > Privacy > Advertising and turn on “Limit Ad Tracking”.
What this setting means is that advertisers will have to either start a new profile about you or simply won’t be able to link very specific data back to you so that they can serve ads that are more personalized. Now by enabling this setting it doesn’t mean that you won’t receive any more ads, but it does mean that ads may not be as personalized to you. And since we’re all constantly bombarded by ads, anything we can do to throw a wrench into how advertisers track you, the better off we’ll all be from a privacy perspective.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Sep 27, 2019 • 32min
Aaron Zar, Co-Founder and CEO of Silent Pocket
On this special edition of the podcast we speak with Aaron Zar, co-founder and CEO of Silent Pocket. Silent Pocket has been a long time sponsor of the show and it was great to catch up with Aaron to get his thoughts on the current state of digital privacy. On the show we also discuss:
Why privacy isn’t dead and how Aaron responds to people that say “Who cares about privacy! I have nothing to hide!”
How Silent Pocket products are helping people protect their digital privacy and stay more secure
The history of Silent Pocket, their first products, and how Aaron started his career
What products are recommended for the average person?
What new and innovative products are in the pipeline?
It was a pleasure having Aaron on the show and we hope you enjoy this episode as much as we did! Check out Silent Pocket’s great line of faraday bags, wallets, and other gear including their new Faraday Bag Waterproof Backpack which we discuss on the show. Don’t forget, because you listen to this podcast, you receive 15% off your order using discount code “sharedsecurity” during checkout at silentpocket.com.

Sep 23, 2019 • 10min
Apple iOS 13, Venmo Scams, Simjacking Attacks
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 87 for September 22nd 2019: Everything you need to know about Apple iOS 13, Venmo scams you need to be aware of, and new details about “Simjacking” attacks.
This week I had the pleasure of interviewing Aaron Zar, co-founder and CEO of our sponsor Silent Pocket. Aaron’s a great guy and I think you’ll enjoy hearing how he started Silent Pocket and his take on why our digital privacy is more important than ever. We’ll be publishing this episode soon so be on the lookout for it. And if you haven’t taken a look at Silent Pocket’s great product line of stylish faraday bags and wallets I highly recommend you check them out at silentpocket.com. Don’t forget because you listen to this podcast you can take 15% off your order using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Last week Apple released iOS 13 to the public which also happened to include a passcode bypass vulnerability which allows you to view the contacts on a locked Apple device. In order to conduct the attack you would need access to someone’s device and go through a series of steps, which by the way, would not be that easy to pull off by someone who had physical access to your device. Steps include replying to an incoming call with a custom message, enabling and disabling the VoiceOver feature, adding a new contact to a custom message, and then viewing the contacts information. This of course is not the first time we’ve seen passcode bypass vulnerabilities in Apple iOS, there were two that were patched in iOS 12 as well. Apple will most likely patch this vulnerability in the first update to iOS 13 which will probably happen in the next few weeks.
Besides this particular issue, the iOS 13 update comes with several new privacy enhancements including the much anticipated “Sign in with Apple” feature which can create an anonymous email address for you when signing up for new apps and services. Also, phone calls from apps like Facebook Messenger and WhatsApp will have more restrictions in the way that they run in the background to prevent them from collecting user data without permission. Speaking of permissions, someone noticed while testing the new iOS update that an unexpected notification popped up on their device stating that Facebook would like to use your Bluetooth wireless. Why on Earth would Facebook need access to your Bluetooth? Well apparently, some apps are tracking your physical location and the proximity you are to other people’s smartphones. Potential uses of this data could include deeper analysis of the people around you and their relationships. Not only that but it could also be used to serve you ads and I could even see the potential use in Facebook’s new dating service in which having location services turned on is a requirement. Now this “feature” has been going on for quite some time and it’s not just Facebook. YouTube just so happens to be doing the same thing.
Do you use the popular peer-to-peer payment app, Venmo? If you are, then you need to be aware of a new text message based phishing scam that directs you to a fake Venmo website. Here’s how it works. You’ll receive a text message saying that your Venmo account is about to be charged and if you want to cancel the withdrawal, you need to login to your account and decline it. When clicking the link, a site that looks just like Venmo will ask you for your phone number and password, then prompt you to enter in your bank card and other personal and financial information.
In another, more advanced variation that is most likely tied to criminal money laundering, you may receive a legitimate text message from Venmo stating that you just received money from someone you don’t know. This is typically a large amount like $1,000. If you accept the payment, later down the road the scammer will ask you for the money back due to an error on their part and even ask you to keep $50 or so for your “trouble”. When you return the money back to the scammer, the scammer will contact Venmo to “correct” their mistake in which Venmo may also reverse the payment again or put you on the hook for accepting a fraudulent transaction.
The best advice, of course, is to never accept money from people you don’t know and to never enter in financial details through a link that comes through a text message. Scams like these that leverage text messages are only going to increase because payment services like Venmo are rapidly growing in popularity. Just in Q1 of this year the number of Venmo users has grown to 40 million people! And as we always say…scammers will always try to target apps that are extremely popular and apps that have the ability to transfer money.
If you’ve been listening to the podcast for a while you’ve probably heard me talk about “Simjacking” attacks. Simjacking is where someone will call your mobile carrier and attempt to transfer your number to a SIM card and other device under their control. This is how many celebrities and others are getting their social media and other accounts hacked, even with two-factor authentication enabled. Well just last week a new Simjacking attack was announced by researchers from AdaptiveMobile Security that would allow an attacker to “take over” a mobile phone, obtaining information like its location and potentially forcing it to make calls or send texts by simply sending an SMS text message to the device. What’s most concerning about the attack is that it’s device agnostic, meaning, Apple, Samsung and all brands of mobile phones are affected. And while the researchers did not say who was responsible for this exploit, stating only that it was a private company that happens to work with governments to monitor individuals, you can pretty much conclude that certain nation states are using this capability to monitor and track individuals of interest. US mobile carriers do not seem to be affected by this attack but that does leave potentially a billion smartphone users across 30 countries vulnerable to attack. The bad news here is only the mobile carriers can fix this vulnerability themselves. The good news? Industry groups such as the SIMalliance issued a new set of security guidelines for cellular carriers. The recommendations include implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and making changes to the security settings of SIM cards issued to mobile phone customers.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Sep 16, 2019 • 20min
End-to-End Encryption with Max Krohn from Keybase.io
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 86 for September 16th 2019: All about end-to-end encryption with Max Krohn from Keybase.io.
Are you looking for the very best products to protect your digital privacy? Well, Silent Pocket has everything you need to mind the grid with their patented product line of faraday bags and wallets. Visit silentpocket.com today and receive 15% off your order with discount code “sharedsecurity”.
The Shared Security Podcast is also sponsored by Edgewise Networks. Visit edgewise.net to find out about how Edgewise can help stop data breaches.
In this special edition of the Weekly Blaze, Tom interviews Max Krohn co-founder of Keybase.io to discuss the current state of encryption and why end-to-end encryption is so important. Here are the topics that we covered with Max on the show:
Who is Max Krohn and what is Keybase.io?
What is end-to-end encryption and how is it different than other types of encryption?
Recent news about governments asking tech companies to build in “encryption backdoors” into services and products to prevent terrorism and mass shootings.
Max’s take on the controversial talk given by Crown Sterling at the Black Hat USA security conference on the “discovery” of quasi-prime numbers. Is this snake oil or real research that will change encryption forever?
Find out more about Keybase.io and follow Max on Twitter
Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Sep 9, 2019 • 11min
New Firefox Privacy Protections, Apple iOS Zero-Days, Facebook User Phone Numbers Exposed
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 85 for September 9th 2019: Firefox will now block all third-party tracking cookies and more by default, serious vulnerabilities found in Apple iOS, and the latest on the huge database of Facebook users’ phone numbers found online.
Did you know that all electronic devices emit a form of electromagnetic radiation? Well recently we’re starting to see more scientific research come out about the potential health effects of using our mobile devices and other wireless electronics so close to our body. In fact, just recently a class action lawsuit was filed against Apple and Samsung for exceeding the radiation limit on the smartphones that they sell. And while this research is debatable in some circles, more and more experts are recommending keeping our smartphones away from our bodies. If this is something that concerns you one product that can help is a Silent Pocket faraday bag which can block all wireless signals emitting from a device. Visit silentpocket.com to check out their great line of faraday bags and other products to protect your digital privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
It should be no surprise that I’m a huge fan of Firefox. In my opinion it’s probably the best web browser out there that is truly focused on your privacy. And with the latest release of Firefox, version 69, Mozilla has made a change to its enhanced tracking protection feature by enabling this for all users by default. Enhanced Tracking Protection is a privacy control which blocks all third-party tracking cookies and more. Back in June Firefox enabled this feature only for new users but over the last few months of testing and improvements they are finally ready to enable this setting for everyone which is a huge benefit from a privacy perspective. Enhanced Tracking Protection works behind-the-scenes to keep websites from developing a profile of you based on how they are tracking your web browser behavior across different websites. These profiles are then collected and even sold to third-party marketing companies without your consent. In addition, Firefox is also now blocking cryptominers by default too. Cryptominers access your computer’s CPU slowing it down and draining your battery to generate cryptocurrency for someone else to profit from. Oh and if that wasn’t enough, fingerprinting scripts are being blocked too but not by default. These scripts attempt to harvest information about your computer’s configuration when you visit a website. If you want to take advantage of blocking these types of scripts you’ll need to enable “Strict Mode” within your Firefox privacy settings. Eventually, Firefox plans on turning this blocking on by default in the near future.
Now I’ve also been recommending the EFF’s Privacy Badger as a great add-on for Firefox too. So it will be interesting to see how Privacy Badger compares to Enhanced Tracking Protection built in now by default into Firefox. Perhaps, we’ll do a comparison for you in a future episode of the podcast but in the meantime, if you are using Firefox make sure you update to the latest version to take advantage of these great new privacy protections.
The big news being discussed in the cybersecurity community recently was the big reveal from Google’s Project Zero vulnerability research team which found that over a dozen Apple iOS vulnerabilities have been exploited by attackers for at least two years to steal everything on a vulnerable device including passwords, photos, text messages, and more. Most surprising though is the method used to infect iOS devices which was by simply visiting certain websites which would exploit the vulnerabilities without you even knowing it. The researchers did not disclose the websites that were used but said that these sites received thousands of visitors per week. Oh, and the exploit only persisted until you rebooted your iOS device but, like many of us, do you remember the last time you powered off or rebooted your device? What’s also interesting is that typically iOS zero-days like this would be used by nation states to target specific groups or individuals but in this case the attackers didn’t have a particular target in mind, rather it was a mass attack on any Apple device running iOS 10 through iOS 12. This also brings into question how secure Apple devices really are given that they have a reputation of iOS being one of the hardest operating systems to compromise. Typically vulnerabilities like these are worth tens of millions of dollars and are usually only funded by nation states with deep pockets and specific targets in mind. The question here is who was behind this massive undertaking and was any particular nation state involved? We may never know but the good news is that Apple did patch these particular vulnerabilities back in February of this year with iOS 12.1.4. This is yet another reason you should always keep your devices up to date and patched.
In Facebook news this week, and I know you’ll be so surprised to hear this, but an unprotected server was found exposing more than 419 million Facebook users’ phone numbers that also included a user’s Facebook ID which is a unique number associated with a Facebook user account. These user records break out to 133 million from the US, 18 million from the UK, and more than 50 million from Vietnam. What’s most interesting is that the data appears to be at least a year old, since Facebook removed public access to phone numbers in April of last year which was due to the Cambridge Analytica scandal. A security researcher named Sanyam Jain found the database and contacted media outlet TechCrunch after he was unable to find the owner of the database. A spokesperson from Facebook commented that the data set is old and that there are no indications that anyone’s Facebook account was compromised due to this specific database being exposed. TechCrunch also stated that the web hosting company pulled the data once they were notified.
This most recent exposure is on top of the long list of previous data leaks that have been a huge problem for Facebook in recent months. Not only that, it’s another example of a database found completely unprotected and available for anyone to harvest for whatever purpose they wanted.
In other Facebook news, Facebook is migrating users that had a setting called “tag suggestions” to the current face recognition setting. Apparently, some new users and others still had this old setting and now will be fully moved over to the new setting. Back in December of 2017, Facebook introduced a setting specifically for face recognition. In addition to this, Facebook will also provide users with more information on how face recognition works and with the option to turn this feature on. Facebook also notes that if you do not currently have the face recognition setting and do nothing, Facebook will not use face recognition to recognize you or suggest tags unless you opt in. We’ll have a link to the full news release in our show notes if you want more information but we always recommend not enabling face recognition for the obvious privacy reasons. Oh, and if you haven’t downloaded our free Facebook Privacy and Security Guide I highly recommend you do so. Our guide will walk you through all of your Facebook privacy settings so that you can remain as private as possible while still being social. Visit sharedsecurity.net/Facebook to get your copy today!
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Sep 2, 2019 • 12min
Android “Ghost Click” Apps, New Apple Siri Privacy Protections, Credit Card Spying
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 84 for September 2nd 2019: “Ghost click” Android apps found on the Google Play Store, new privacy protections for Apple’s Siri voice assistant, and did you know that your credit card may be spying on you?
I have a question for you. How often do you carry your laptop with you? If you’re a frequent traveler, the answer may be all day and every day. So if you are carrying your laptop around, how are you doing it? If you’re like most of us we use some cheap neoprene laptop sleeve or just throw it in a backpack. But what if I told you there is a better approach? Well Silent Pocket makes a fantastic solution called a faraday laptop and tablet sleeve. I have one and I love it. Their laptop sleeve comes in waterproof nylon or beautiful leather to provide protection for your laptop from not only the elements but also by blocking all wireless signals making your laptop instantly secure. Check out Silent Pocket’s Faraday Laptop and Tablet Sleeve for yourself at silentpocket.com. And as a listener of this podcast be sure to use discount code “sharedsecurity” to receive 15% off your order.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy news topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Did you know that Android app developers have found creative ways to load ads or conduct “ghost clicks” within an app so that the ad is never shown to you and that you never have to click an ad on the screen? Well last week it was discovered by researchers from Symantec that an Android app developer called “Idea Master” had two apps, a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: Daily Workout, Best HIIT Coach”, that were downloaded over 1.5 million times in the Google Play Store and for close to a year were using this very tactic. According to Symantec researchers, the code to do all of this was hidden due to the way that the apps were compiled. Typically, researchers can easily reverse engineer Android apps to view the source code but in this case a “packer” was used to purposely obfuscate the code. These packers are typically used by app developers to protect intellectual property in their code.
How this attack works is that the developer first makes sure the ads show up just outside the viewable area of the screen and then they program the app to initiate an automated ad-clicking process that runs in the background. Not only will this drive up ad revenue for the app developer but it has the side-effect of slowing down your Android device and draining your battery. There is also the potential for these developers to use similar tactics to load malicious content or open up websites so that more dangerous things could be installed on your phone. So how can you prevent something like this from happening on your Android device? First, keep your mobile device up-to-date, only install apps from trusted sources, and pay close attention to the permissions that are requested when you install an app. And if you see your battery or data usage spike after installing an app, that should also be a clue that an app may be doing something malicious on your device.
Remember on a recent previous episode how I talked about Amazon, Apple, and Google having major privacy issues regarding what was being recorded from their voice assistants like Siri, Amazon Echo, and Google Home? In all of these assistants, recordings were found to have contained very private conversations that were being analyzed by contractors hired to improve the technology behind these digital assistants. Several weeks ago Apple suspended what they call their Siri “grading” program due to privacy concerns with the use of contractors and the very private conversations which included everything from financial data, medical, and other very personal details when Siri was accidentally triggered.
This past week Apple has now announced that they will be resuming this program in the Fall but only after some privacy changes are made. These changes include that Apple will no longer retain recordings of Siri interactions and instead will use computer generated transcripts to help Siri improve. Second, users will be able to opt in to have audio samples from Siri analyzed with the option to opt out at any time. And third, for customers that do opt-in, only Apple employees will be allowed to listen to audio samples and that they will delete any recording which happened to be an inadvertent trigger of Siri. Now, let’s see if Google and Amazon follow Apple’s lead to fix some of these recent privacy concerns with all of these voice assistants.
Credit cards are a necessity these days for paying for things either online or when you’re out and about and we all know that credit cards just make paying for things much more convenient. One of the side effects though, as we often talk about on this show, is that your credit card data is a huge target as evidenced by the countless data breaches we hear about almost every day. But have you ever thought that your credit card might be spying on you and that, in fact, your credit card transaction data goes to many different types of companies for lots of things you may not even know about? Well I read a fascinating story last week posted by Geoffrey Fowler, a technology columnist for the Washington Post, about how he purchased two bananas at Target. Yes, you heard that correctly, bananas. He purchased one banana on a Chase Amazon Prime Rewards Visa credit card, and the other on the new Apple Card which is advertised as a credit card focused on your privacy.
Here’s what he found out. First, card data is extremely valuable to all sorts of companies. From your bank, the retailers, the credit card processors, and even the apps that you might use, like Mint, to organize your finances. All of your transactions are often aggregated, anonymized, hashed, or used in some way to eventually target you with marketing or other types of offers based on what you purchase. While we don’t typically think about how our spending habits could reveal information about us, it was pretty eye opening to me to see the path that your data takes as soon as you make a credit card purchase.
First, your bank obviously knows you made a purchase but what you might not know is that your bank will send your data to marketing partners and affiliates. You can opt out of this through those yearly privacy notices that you receive in the mail once a year, but by default you opt-in to data sharing just by signing up for a credit card. In fact the Chase credit card used in this experiment was found to share data for seven different reasons to companies not owned by Chase. This is where the Apple Card was different. Goldman Sachs says it does not collect or send any transaction or other data to any third-party companies. Oh and of course, any co-branded credit card like the Chase card that partners with Amazon, gets a piece of your data too.
What else? Well there are the card networks run by Mastercard and Visa which also aggregate your data and then sell that data to various third-parties. This is where the Apple Card starts to fail from a privacy perspective. Once data hits the card network, that data is no longer under the privacy restrictions put in place by Apple and Goldman Sachs. There is also the store itself as well as the point-of-sale-systems. For example, both bananas were purchased at Target. Now Target of course knows what you purchased and can start to use your card number as a unique identifier showing what you’ve purchased and when. Target shares your data as well with other companies too. And if a particular store has a loyalty card, it gets even worse as now more of your purchases and related history can be shared.
Now where it gets really interesting is with the point-of-sale systems and the merchant banks that actually process your credit card transactions. They too can share your data. I’ve started to see payment terminals asking me if I want to print a receipt at the register, or have it emailed or texted to me. Guess what happens if I choose email or text? Yep, you guessed it. I just gave my phone number and email to the credit card processor. Creepier still, next time I use that credit card at that store the terminal will most likely remember that I chose email or text as my choice of receipt delivery.
But wait, there’s more! Mobile wallets and financial apps also send your data to third parties too but I think you get the idea. We’ll have the full article linked in the show notes so that you can read the rest for yourself, but, what are some things we can do about this? First, you could just start using cash everywhere but if you use a loyalty card with a purchase you’ll still be giving away your data. The more sound, and unfortunately painful approach, is to opt-out of as much of this as you can by researching how to opt-out through your bank, credit card company and even some stores may allow you to opt-out too. But as the article noted, “the devil is in the defaults.” Which means that only a small number of us are going to actually take the time to contact all of these companies to opt-out of data sharing. My take is that the Apple Card is doing some good things here but just doesn’t go far enough. I think it’s going to take a combination of some type of new federal privacy law combined with businesses finally realizing that quote “data is the new corporate social responsibility.”
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Aug 29, 2019 • 1h 5min
10 Year Anniversary Episode with Kevin Johnson and Jayson E. Street
In episode 91, a very special episode of our monthly show, Tom and Scott are joined by special guests Kevin Johnson and Jayson E. Street, who are back to celebrate the 10 year anniversary of this podcast! We talk about the history of the show, what’s improved (or not improved) in the last 10 years from a cybersecurity and privacy perspective, Kevin’s Star Wars addiction, Jayson’s #HackerAdventures, and we have a very important debate about the future of security awareness and what can be done to provide better education on phishing which continues to be one of the top attack vectors we’ve seen in the last 10 years.
Be sure to stay tuned to the end of the episode for some fun outtakes from this episode and some highlights from our very first episode which we recorded way back in August of 2009. You can also watch the full live stream of this episode on our YouTube channel.
Thank you to all of our sponsors (Silent Pocket and Edgewise Networks), listeners, and previous guests for supporting the show over the last 10 years! We really appreciate it and we look forward to many more years of podcasting!
Your hosts, Tom Eston and Scott Wright

Aug 26, 2019 • 11min
New Facebook Privacy Controls, Apple iOS Patching Mistake, MoviePass Data Breach
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 83 for August 26th 2019: Facebook announces new off-Facebook activity privacy controls, how Apple made everyone’s iOS device vulnerable, and details on the massive MoviePass data breach.
This week I read yet another news article that talked about how thieves stole a Tesla in about 30-seconds using what is known as a relay or key fob attack. The attack works by using a device to amplify the signal from the car, tricking it into thinking that the key fob is nearby. Once the device relays the signal back to the car, the door is unlocked and the thief can steal the car. This is also an issue for other car manufacturers; it’s really any car that uses a technology called PKES or Passive Keyless Entry and Start. Besides disabling this feature, the easiest way to prevent this attack is to put your key fob in a faraday bag which is designed to block all wireless signals making an attack like this completely preventable. And if you want the finest faraday bags available, you’ll want to use one from Silent Pocket. In fact, Silent Pocket offers a key fob guard which is made specifically to prevent a relay attack. Order one today by visiting silentpocket.com and receive 15% off your order using discount code “sharedsecurity” during checkout.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Ever wonder how certain products that you were thinking about buying mysteriously show up as ads on your Facebook newsfeed? Is there some black magic going on here? Well it’s not black magic and is actually one of the many ways that Facebook serves you more ads. Last week Facebook announced that they are finally implementing new privacy controls around what they are calling “Off-Facebook Activity”. Off-Facebook activity is data that is collected from websites and apps about your online searches. This can only happen when websites and apps use the Facebook login feature or have enabled Facebook’s business tools. These sites and services send certain details about that activity to Facebook so that they can in turn show you ads about those specific products. This is why you see ads show up in Facebook for items or products that you’ve been searching for on the Internet. Now this is how off-Facebook activity works. Say you’re searching for a new backpack on a site that sells backpacks. That site can send information about your device, what was searched for and other details so that Facebook can match up that device to your Facebook account. This in turn sends you an ad about that backpack or company. Facebook has always said that the companies utilizing this feature do not get your personal information like name or email address. All they know about you is a unique device identifier which allows Facebook to match your device to your account.
Now for the first time ever, Facebook is allowing more control over this data and is even allowing you to delete and disconnect this data from your Facebook account. Facebook will be slowly rolling this feature out to users over the coming months. These new privacy settings will give you the ability to see a summary of information other apps and websites have sent Facebook, disconnect this information from your account, and choose to disconnect future off-Facebook activity, or just for specific apps and websites. So if you disconnect all this data from Facebook does that mean you’ll no longer see ads? Not really, you’ll still see ads but they will be less personalized than before. Keep in mind, this applies to Instagram too since Instagram is owned by Facebook and is tightly integrated into the Facebook Platform. So what do you think about this news? Is Facebook finally trying to focus on user privacy or is it too little, too late? This new privacy control is of course a response to the Cambridge Analytica scandal and the beating that Facebook has taken from privacy experts for months now. My take is that any control is only as good as the users that plan on using it and unless Facebook makes this an “opt-out” setting where by default your off-Facebook activity is automatically disconnected, I don’t see many users going through their Facebook settings turning these connections off. We will, of course, be updating our free Facebook Privacy and Security Guide when these settings start rolling out. In the meantime, check out our show notes for the link to download the current version of our Facebook Privacy and Security Guide today.
Last week Apple made a huge error with their latest 12.4 iOS update. The problem? Well, it appears that they accidentally unpatched a serious vulnerability that was first patched in iOS 12.3. The vulnerability allows unsigned code to be run on an iOS device and allows the device to be “jailbroken” which allows unauthorized apps and features to be installed. From a security perspective, this is the first time that I can remember that an Apple update actually made their entire platform vulnerable by unpatching a previous vulnerability. This means that the latest and greatest iOS update, 12.4, leaves almost every iOS device in Apple’s walled garden vulnerable to compromise. So what kind of attacks are we talking about? Well for one, malicious code that might be contained in apps that you might download from the Apple App Store could be one risk and the other being targeted attacks by nation states and others via a malicious text message or by leveraging a bug in another installed application. Of course, the biggest risk for most of us are malicious apps potentially being side-loaded with malware that would take advantage of this vulnerability from the Apple App Store. Devices affected include all Apple iOS devices not running Apple’s latest A12 processor. Unfortunately, the iPhone 10 is vulnerable but not the newer iPhones like the XR, XS, or XS Max. As of this podcast recording, the fix for this issue in 12.4.1 has not been released so for now all we can do is wait and continue to be vigilant with the apps we download and the text messages we receive.
In other Apple news, if you have a certain older MacBook Pro from 2015-2017 the FAA has banned these laptops from all flights in the US because of the potential that the battery might explode due to a recall made by Apple. It’s not clear how the FAA plans on enforcing this since most MacBook Pros look very similar but if you do happen to have an older MacBook Pro you can visit Apple’s support website to find out if your MacBook Pro happens to be on the recall list. Check out our show notes for a link to this support page.
Another week and yet another data breach. This time movie subscription service MoviePass has exposed tens of thousands of personal credit card numbers due to an unprotected, wide-open database. Security researchers from a Dubai-based cybersecurity firm called SpiderSilk discovered 58,000 credit card records including MoviePass’s own customer card numbers which are used just like a debit card. The data also contained personal information such as name, billing address, and more which could be used to commit credit card fraud. The most surprising aspect was that none of this data was encrypted and that the data appears to have been exposed since May of this year. As in many of these types of breaches, MoviePass didn’t seem to take the issue seriously at first. MoviePass did not respond to emails from the security researcher (even when an email was sent to the CEO) and only took the database offline when TechCrunch contacted the company. A statement about the breach from MoviePass was apparently released but if you go to the MoviePass website you get a notice that the entire MoviePass service is “not accepting new customers”. If you happen to be a MoviePass customer, I’d be very concerned about the security of my credit card details. And like we always say for any credit card breach, make sure you check your credit card statements on a regular basis and enable any kind of fraud alerting that your credit card company might offer.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Aug 19, 2019 • 9min
Biometric Security Data Breach, Critical Windows Vulnerabilities, FBI Data Harvesting
You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 82 for August 19th 2019: The BioStar2 biometric security data breach, wormable vulnerabilities in Microsoft Windows, and the FBI trying to harvest your social media data.
Can you believe that this week we’re celebrating the 10 year anniversary of this podcast? For the last 10 years we’ve been talking about how your private information can be exposed through data breaches, vulnerabilities, exploits, and even through the wireless capabilities of our smartphones and laptops. It seems that in the last 10 years it’s only gotten worse. That’s why I recommend the use of a Silent Pocket faraday bag to protect my smartphone and laptop so I can have true peace of mind that my devices are protected when I’m not using them. Visit silentpocket.com to check out Silent Pocket’s amazing line of faraday bags and other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
On August 5th security researchers from vpnMentor disclosed a massive data breach in a biometrics security platform called BioStar2. vpnMentor has been doing a large web-mapping project across the internet which had identified this unsecured database. BioStar2 is a web based biometric security smart lock platform, built by a company called Suprema, and is used to administer physical access controls to facilities. The core technology of the product uses facial recognition and fingerprints to identify users. Suprema recently partnered with a firm to integrate the software into over 5,700 organizations in 83 countries. Most of these customers also happen to be in Europe. Shockingly, many European governments, banks and even the UK Metropolitan Police use this system for the security of their facilities. The data that was leaked in the breach, which totaled over 27.8 million records, included personal information of employees, unencrypted usernames and passwords, and to top it all off over 1 million fingerprint records and facial recognition data. We’re talking about the actual fingerprints and images of users which as you know can’t be changed like a password can. This alone is extremely concerning as this data combined with other personal information from the data leak are perfect for identity theft or other fraud. The good news is that after vpnMentor attempted several times to contact the company about the breach they finally took the database offline. Check out our show notes for links to further information as well as a listing of the companies and countries affected by this data breach.
Last week Microsoft announced four new critical vulnerabilities for Windows that are wormable, meaning, they can be exploited by malware to install and propagate from one computer to another without any user interaction. The last time we had to deal with a wormable vulnerability like this was back in May of this year when Microsoft patched another serious vulnerability called ‘Bluekeep’ which at the time had a close resemblance to the WannaCry malware. WannaCry caused major issues for companies and individuals across the world back in 2017. The vulnerabilities in all of these cases reside in Remote Desktop Services (abbreviated as ‘RDP’) and more specifically have to do with vulnerabilities in the protocol itself. RDP is the service that allows a user to remotely connect to another Windows computer to view the desktop in real-time and these vulnerabilities can allow malware to do this without authentication making this vulnerability extremely dangerous. Microsoft stated that there is quote “no evidence that these vulnerabilities were known to any third party” and that quote “It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.” Affected systems include all newer Microsoft operating systems starting with Windows 7 all the way to the current version of Windows 10 and related server versions. Like Microsoft said, you should update your version of Windows as soon as possible. To check to see if your version of Windows is updated, head to Settings -> Update & Security -> Windows Update and then look to see if KB4512501 from August 13th is installed. As a reminder you should always enable automatic updates for your Windows system so you always get the latest security patches as they are released.
The Federal Bureau of Investigation is making plans to find technology and third-party vendors that are able to harvest publicly available information in massive amounts from Facebook, Twitter, and other social media platforms. The Wall Street Journal reports that the FBI will be using the data collected to quote “proactively identify and reactively monitor threats to the United States and its interests.” In addition, President Trump has directed the US Department of Justice to work with third-party vendors quote “to develop tools that can detect mass shooters before they strike.” The request was apparently made just a few weeks before the recent mass shootings took place in El Paso, Texas and in Dayton, Ohio. Vendors have until August 27th to submit their proposals to the FBI.
This news comes on the heels of Facebook’s recent $5 billion settlement with the US Federal Trade Commission and is very likely to create a lot of problems for Facebook when one side of the government wants to punish them for privacy violations and mishandling of data, while the other side wants to access all the data they have. Unfortunately, that means that those who use Facebook or other social networks are the ones stuck in the middle between government demands and how our private information might be shared.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.


