

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Aug 12, 2019 • 13min
BSides Las Vegas, iMessage Exploit, 5G and Stingray Surveillance
This is your Shared Security Weekly Blaze for August 12th 2019 with your host, Tom Eston. In this week’s episode: My summary of last week’s BSides Las Vegas security conference, how a single text message to your iPhone could get you hacked, and how Stingray surveillance devices can still be used on new 5G networks.
Wireless technologies such as Wi-Fi, Bluetooth, and RFID are integrated into every part of our daily lives. In fact, because everything these days is wireless, we often take the security risks for granted. So if you’re looking to have the ultimate peace of mind, you should use a faraday bag to protect your devices. A faraday bag blocks all wireless signals, which makes any device that uses wireless technology completely undetectable. And using a faraday bag is so much faster than disabling the wireless on a laptop or smartphone. Just stick it in the bag! And if you want the best faraday bags on the market today, you’ll want to use one from Silent Pocket. Visit silentpocket.com and check out their great line of products and receive 15% off your order using discount code, “sharedsecurity”.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
The annual BSides Las Vegas security conference took place last week, coinciding with Black Hat and the infamous DEF CON hacking conference. This is the week that all of us in the cybersecurity industry lovingly call “security summer camp”. BSides would be considered the smallest conference of the three and, in my opinion, provides a much more intimate experience to network with other cybersecurity and privacy professionals. As part of this year’s BSides conference, I participated in the “Proving Ground” speaking track, where I was a mentor helping a fantastic new speaker work on the talk that he gave at the conference. It was a very rewarding experience that I highly recommend other speakers volunteer for if they have the time to do so. I also attended several talks and met several speakers who had some very interesting research to share. While many of the talks at BSides were about the latest topics on how anything is hackable, there were two talks in particular on topics that we don’t hear much about. These talks were “Satellite Vulnerabilities 101” by Elizabeth Wilson and “Human Honey Pots or How I learned to love the NFC implant” by Nick Koch.
Satellites provide the means for different forms of communication as well as GPS, military, and other critical systems. Elizabeth presented a really nice overview of the many different types of vulnerabilities that are present in satellites, including everything from the timing of banking transactions to nation states using anti-satellite weapons and even the threat of space junk. Here’s Elizabeth’s take on the threat of space junk and how this is a major problem.
Elizabeth: The debris is growing and growing and the more you put up there the more potential damage you’re putting up as well. It’s like I said during my talk, the difference between a hundred .01 meter satellites and one single satellite that’s 1 meter is 30 times of an increase in risk. And when you consider that, the more you have these small hard to track things that sometimes don’t even have propulsion systems, yeah it’s going to create a lot of issues. This is one of the most pressing areas that we need. We really need some way to manage this debris. We need some sort of clean up system in a way. And there has been some ideas people have had on that like sending capture satellites up there to capture the debris and things but we don’t have anything yet that’s currently really viable.
What I also found fascinating from her talk was that organizations that support satellites, like NASA, are getting hacked all the time. For example, in 2007 Chinese hackers actually gained access to NASA’s satellite control systems and came very close to issuing commands to these satellites. Thankfully, that did not happen.
The other takeaway from this talk was how satellites are a lot like the “Internet of Things” devices where security was never built in because the threat model at the time didn’t conceive the types of attacks that we see today. By the way, the typical satellite has a lifespan of about 50 years! Is it even feasible to think that satellites can be patched and updated? Here’s Elizabeth speaking to me about this problem and what the solutions might be.
Elizabeth: That is one of the big challenges right now because a lot of these systems, unless you’re going to completely replace it, you just can’t update it in some cases. And maybe the solution is we need to completely replace them, take them down and put something else up but that’s extremely expensive, time consuming, and are they going to put the time and money into it? Probably not. They’re probably going to just deal with the vulnerabilities until the lifecycle ends. I feel like the real solution here is going to be making sure to proactively set these systems up to be more resilient and have the availability for like updating actively in the future.
The other interesting talk I attended was by Nick Koch (here’s his blog), who discussed biohacking and NFC implants. NFC, which stands for Near Field Communication, is a short-range wireless technology that is used for transferring or receiving information from an electronic tag or other supported device. For example, modern phones like your iPhone or Android device all have NFC capabilities. Now many of us wouldn’t think about putting an NFC implant into our bodies, but the fact is, more and more people are starting to do this. Why on earth would someone implant a small wireless device into their body? Well, there are some conveniences, like unlocking the door on your house with a wireless implant, or having some other type of information easily available, like quickly paying for things such as subway fares. And on the flip side, there are some interesting attacks where an attacker could use an NFC implant to get your device to open up a web browser and send you to a malicious link, or conduct other types of attacks by leveraging an NFC implant. According to Nick, attackers with NFC implants could be a future attack vector, especially when combined with social engineering. Nick feels that his generation has become more aware of phishing and that most of his generation is pretty well trained not to click on suspicious links. This means that future attacks that direct people to malicious links could take a wireless form, where the attacks happen by being physically close to someone with one of these implants. Now I think the risk for this type of attack right now is very low, but as NFC and other wireless technologies evolve, I think Nick is on to something here. It’s quite possible that in the future, malicious NFC or other new wireless implants may be a threat we have to be aware of.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Last week at the Black Hat security conference in Las Vegas, Google Project Zero researcher Natalie Silvanovich announced six “interaction-less” vulnerabilities in iMessage, which means that an attacker can exploit and gain control of an iOS device by simply sending a text message, with no interaction from the user. You don’t even have to open up the message. Just receiving the message alone is enough to exploit these vulnerabilities. It’s worth noting that these are the types of vulnerabilities that could be worth tens of millions of dollars, because nation states and other threat actors would find exploits like these extremely attractive. The good news here is that the researcher has been working with Apple to patch these vulnerabilities; however, there are several more that do not have a patch yet. Keeping your devices fully patched and updated is one of the best ways to protect yourself from attacks like these. If you happen to be using an Apple iOS device or running macOS, you should immediately update to iOS version 12.4 and macOS 10.14.6. One thing I noticed with this specific update is that Apple may not notify you automatically that a new update is ready to install. So make sure you go into your settings and manually check for an update to make sure you’re protected.
5G networks are finally starting to be rolled out in several large US cities, but it’s probably going to be a while before we have devices as well as the infrastructure across the world that supports this much faster data network. But while we wait, researchers at the Black Hat security conference last week presented their findings on flaws they found in the new 5G standard’s protections that were meant to stop the use of surveillance devices called stingrays. Now we’ve talked about stingray devices on this show in the past, but as a reminder, these devices are used by nation states and governments to intercept phone calls and text messages and track the movements of a specific device. Stingrays create fake cell towers, which trick your mobile phone into thinking it’s a legitimate cell tower. The research that they discussed was quite technical, but to break it down into layman’s terms, they found that there were weaknesses in the way that mobile devices are identified as well as new ways to downgrade the device’s network connection to an older and more vulnerable 4G or 3G network. This particular issue is actually not a flaw in the 5G standard itself but is an issue with how 5G is implemented by the mobile carriers themselves.
Oh, and this is not the first time that researchers have found flaws in the 5G standard; there were previous flaws that have since been fixed. The good news is that the researchers have started working with the 5G standards committee to hopefully fix these flaws as well. This will hopefully bring 5G closer to stopping, or at least making much more difficult, mass surveillance of mobile networks.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post BSides Las Vegas, iMessage Exploit, 5G and Stingray Surveillance appeared first on Shared Security Podcast.

Aug 5, 2019 • 13min
Capital One Data Breach, Equifax Settlement Payouts, Nextdoor App Scams
This is your Shared Security Weekly Blaze for August 5th 2019 with your host, Tom Eston. In this week’s episode: everything you need to know about the Capital One data breach, changes in the payouts from the Equifax settlement, and Nextdoor app scams.
If you happen to be in the cybersecurity industry, this week is what we call “security summer camp”, where thousands of cybersecurity professionals, enthusiasts, and even black hat hackers all meet in Las Vegas to attend BSides, Black Hat, and the infamous hacker conference, DEF CON. These conferences are probably the most dangerous place on the planet because your laptop or smart phone could easily be compromised, since everyone is hacking everyone else, either intentionally or even unintentionally as part of quote unquote “research”. I know that I’ll be using a faraday bag for all my devices while I’m at the conferences this week. That way I know my devices are completely secure and off the grid. If you’re heading to Vegas this week, make sure you protect your devices with Silent Pocket’s great product line of faraday bags. In fact, stop by the Silent Pocket booth at DEF CON this weekend and check out their products for yourself while you’re at the conference. Don’t forget you can also visit silentpocket.com and receive 15% off your order using discount code, “sharedsecurity”. Stay safe this week and be sure to mind the grid!
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
The big news last week was the massive Capital One data breach affecting more than 100 million customers in the US and 6 million in Canada. This is actually the third largest data breach in history, with Equifax being number one followed by the Heartland Payment Systems data breach, which took place in 2009. The 30 gigabytes of personal information exposed in this breach included names, addresses, phone numbers, email addresses, dates of birth, and self-reported income, as well as 140,000 Social Security numbers and 80,000 bank account numbers. All of this data appears to be from credit card applications dating back to 2005. In the announcement posted by Capital One, the breach was discovered on July 19th, and the person responsible, Paige Thompson, a former Amazon employee, was arrested by the FBI. Perhaps the most interesting aspect of the breach is how the perpetrator was caught. Paige had posted details about the data she had stolen on her GitHub page and boasted about it on her Twitter account. Someone saw this information posted in the GitHub account and sent an email to Capital One’s security vulnerability disclosure address alerting them of the issue. So how did this data get compromised in the first place? Well, she was able to download this data from an Amazon S3 bucket through a misconfigured web application firewall (also known as a WAF). Now this isn’t the typical Amazon S3 vulnerability we commonly hear about, where the data was left wide open for anyone to access, and there is much debate in the security community about how the breach actually occurred. It’s largely suspected that one of the user roles that was assigned to the WAF may have been exposed through a Server Side Request Forgery (or SSRF), which is a vulnerability that affects public cloud environments like Amazon.
What’s even more fascinating is how she tried to steal this data without getting caught. The official complaint filed by the FBI states that she attempted to cover her tracks by using a VPN as well as Tor (which is also used to hide your IP address) when she was downloading Capital One data from the Amazon S3 server. However, that didn’t matter much when she discussed how she could steal data from Amazon S3 buckets on Twitter and in a Slack chat room, as well as storing the data in a public GitHub repository with her real name tied to it. It’s almost like she wanted to get caught! Quite the lesson in how criminals make mistakes and how those mistakes could put someone in prison for a very long time. In this case, the accused could face up to five years in prison and a $250,000 fine.
Now we don’t know if this data was accessed by anyone else, and Capital One has stated that they don’t think it has been either. But I think some positives here are that Capital One did have a way for people to report security vulnerabilities and that the incident response from Capital One seems to have been handled very quickly. It’s also the first data breach I’ve heard of where an arrest was made within days of the breach being detected. The negatives? Well, for starters, be on the lookout for phishing emails capitalizing (no pun intended) on this data breach, asking you to verify your personal data or pay for credit monitoring services, which attempt to steal more of your data and your credit card number. Also, be wary of spam from identity theft protection or monitoring services as well. Many of these services are a waste of money, and you’re better off freezing your credit on your own and monitoring your credit card statements, bank accounts, and other financials on a monthly basis. Plus, it’s one less company that you have to give your private data to just so they can monitor your credit. We’ve talked about how to freeze your credit and do all of this on your own in episode 16 of this podcast, and we’ve linked to a great guide put together by Brian Krebs. Check out our show notes for links to these resources.
These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.
There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next.
That’s where NETSCOUT comes in.
Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.
With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, Cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.NETSCOUT.com.
Speaking of data breaches, remember how last week I talked about how you should go and claim your $125 if you happen to have been a victim of the Equifax breach? Well, the FTC announced this past week that too many people have filed claims and that the actual payout will be significantly less than the stated $125. The FTC said in an updated FAQ posted on the official settlement web site, quote, “The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week. Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.” end quote. The FTC goes on further to say that the free credit monitoring is a better value, which has a market value of hundreds of dollars per year. I think that statement about value is debatable, and what about the people who have already paid for credit monitoring? Why would they get another service on top of the one they already have? What this means is that most of us will get nothing out of this settlement unless you did happen to get your identity stolen and can prove it in your claim. In that case there is still money for real victims of the breach, up to $20,000 per claim. Oh, and don’t bother getting a credit monitoring service by giving Equifax even more of your data. You’re better off freezing your credit on your own.
Nextdoor, the popular app that your neighbors use to discuss everything from lost cats to loud cars going down your street and, of course, the one neighbor that hasn’t cut their lawn in two weeks, is also being used by criminals for identity theft and other scams. BuzzFeed News reported last week that more and more of these types of scams are happening because people have a higher level of trust, since the app only lets your neighbors register. This has led to people blindly trusting recommendations by neighbors for contractors and other services, which end up being scams. In fact, a recent 2018 study by the Better Business Bureau showed that people between the ages of 35 and 54 were more susceptible to home improvement scams. The sad part is that the elderly are also common targets because they often have a nest egg and also have excellent credit, according to the FBI. And just because Nextdoor tries on its own to verify your neighbors when they register (which, by the way, seems like a privacy nightmare waiting to happen), don’t think for a second that criminals won’t pretend to be one of your neighbors in order to post fake recommendations and other scams. Also, Nextdoor shares your full name and address with other neighbors by default, so this gives criminals even more information about you and your address unless you change the default settings. And this problem is not just limited to Nextdoor. The same thing can happen on those private Facebook groups for neighborhoods and cities that everyone is using.
Now I’m not saying that you shouldn’t use apps like Nextdoor, but before you hire a contractor for anything you should be doing your own research beyond just a good recommendation from your neighbor. That means check the Better Business Bureau and Angie’s List, and simply Google the contractor to see what type of reviews have been left before you move forward with hiring someone. A little extra due diligence and research can go a long way to help prevent becoming a victim of these increasingly popular scams.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Capital One Data Breach, Equifax Settlement Payouts, Nextdoor App Scams appeared first on Shared Security Podcast.
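The SSRF path the Capital One segment above alludes to, as an added example that is not code from the episode, Capital One or AWS: a server-side fetcher that trusts a caller-supplied URL, beside a hardened version that refuses anything resolving to a non-public address. The hostnames, addresses and DNS answers in it are constructed for the example, and it demonstrates the general bug class (a URL-fetching component reaching the instance metadata service and reading the instance role's credentials) rather than the specific chain in the breach, which the episode notes is still debated.

```python
"""SSRF guard for a server-side URL fetcher (added example).

Illustration code, not Capital One's, AWS's or the podcast's own. A component
that fetches a caller-supplied URL on the server's behalf can be pointed at the
EC2 instance metadata service (IMDS, 169.254.169.254) and made to return the
temporary credentials of whatever IAM role the instance holds. Hostnames,
addresses and resolver answers below are constructed for the example.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Link-local address of the instance metadata service on EC2 (and most clouds).
IMDS_V4 = ipaddress.ip_address("169.254.169.254")
# Path under which EC2 IMDS returns the instance role's temporary credentials.
IMDS_ROLE_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def vulnerable_target(url: str) -> str:
    """The 'before': the fetcher trusts the caller's URL outright, so the
    server connects to whatever was supplied, IMDS included."""
    return url


def system_resolver(host: str) -> List[str]:
    """Resolve with getaddrinfo, the same path the HTTP client takes, so odd
    spellings (decimal '2852039166', octal, trailing dot) are normalised."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(ip: IPAddress) -> bool:
    """True for anything that is not a public unicast address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:169.254.169.254] is still IMDS
    return (
        ip == IMDS_V4
        or ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def safe_target(url: str, resolver: Optional[Resolver] = None) -> Tuple[bool, str]:
    """The 'after': allow only http(s) to a host whose *every* resolved
    address is public. Returns (allowed, reason)."""
    resolver = resolver or system_resolver
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, "resolution failed for %s: %s" % (host, exc)
    if not addresses:
        return False, "no addresses for %s" % host
    for ip in addresses:
        if is_blocked_address(ip):
            return False, "%s resolves to blocked address %s" % (host, ip)
    return True, "ok"


# Constructed DNS answers standing in for the real resolver in this example.
FAKE_DNS = {
    "api.partner.example": ["1.2.3.4"],
    "rebind.attacker.example": ["1.2.3.4", "169.254.169.254"],  # mixed answers
    "2852039166": ["169.254.169.254"],  # decimal spelling of 169.254.169.254
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for system_resolver so the example runs offline."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for u in (IMDS_ROLE_CREDS,
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://2852039166/latest/meta-data/",
              "http://rebind.attacker.example/",
              "file:///etc/passwd",
              "https://api.partner.example/v1/report"):
        print("vulnerable fetches:", vulnerable_target(u))
        print("hardened says:     ", safe_target(u, fake_resolver))
```

The literal 169.254.169.254 is only the obvious spelling; the check also catches the IPv4-mapped IPv6 form, a decimal spelling that the resolver normalises, and a name whose answers mix a public and an internal address. Two things the check alone cannot give you: the fetcher must connect to the address it validated (or re-validate on every redirect and on every fresh DNS lookup, since an attacker-controlled name can change its answer between check and connect), and on the AWS side IMDSv2, which hands out credentials only after a PUT for a session token that a GET-only proxy cannot make, plus an instance role scoped to the buckets the instance actually needs, limits what a successful SSRF can reach.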

Jul 30, 2019 • 19min
Medical Device Security with Special Guest John Nye
In episode 90 of our monthly show we discuss medical device security with John Nye, Senior Director of Cybersecurity Research and Communication at CynergisTek. Do you use an insulin pump, have a pacemaker or other medical device implant? Are you concerned about medical device security and what the future holds for technology like this? If so, this is one show not to miss! The Shared Security Podcast is proudly sponsored by Silent Pocket and Edgewise Networks.
Here are show notes and topics we covered with John:
Should we be concerned about medical device security? Are the attacks we hear about in the news theoretical or is there really cause for concern?
Some recent medical device news stories that are concerning: Doctors concerned about medical device security, Insulin pump hacking
How medical devices get hacked and what the real threat is
What hospitals and other health care organizations should do to help better secure medical devices
What the FDA and other government regulators are doing
What can the cybersecurity industry do to better secure medical devices
Thanks again to John for being a guest on our show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.
The post Medical Device Security with Special Guest John Nye appeared first on Shared Security Podcast.

Jul 29, 2019 • 12min
Equifax Settlement, Android Video File Exploit, Encryption Backdoors
This is your Shared Security Weekly Blaze for July 29th 2019 with your host, Tom Eston. In this week’s episode: Details on the Equifax breach settlement, why your Android phone could be exploited by simply watching a video file, and encryption backdoors being requested by world-wide governments.
Can you believe that it’s almost August and that summer is almost over? I was just in Target the other day and noticed that the school supplies are already out! Once you see that, you know the Halloween supplies are also right around the corner. It’s totally crazy! I don’t know about you, but I want to plan at least a few more short trips with my friends and family, which is my own desperate way to hold on to the last few fleeting moments of summer. So don’t let protecting your digital privacy get in the way of your plans. You should be using a Silent Pocket faraday bag or phone case, which will block all wireless signals, keeping your devices secure and completely off the grid so you can be focused on your time away. As a listener of this podcast you get 15% off your order by using discount code, “sharedsecurity” at checkout. See Silent Pocket’s full line of products at silentpocket.com today before summer gets away.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Everyone remember the Equifax breach that affected 147 million people? Do you think you may have been financially or otherwise impacted by this data breach? If so, you may be entitled to up to $20,000 for documented breach-related expenses or 10 years of free credit monitoring services. You can also collect $125 if you already have a credit monitoring service (which, by the way, really doesn’t do much for you). This news broke last Monday when the FTC announced a proposed settlement that will cost Equifax $700 million, which will be the largest settlement related to a data breach in history. Equifax would be required to pay at least $300 million, and up to $425 million, and provide free credit monitoring for all victims of the data breach. In addition, Equifax will offer free resources for victims recovering from identity theft and six free credit reports for all US consumers starting in 2020. If you think you want to collect on this settlement, you’ll need to file a claim on the official claim site. Check out our show notes for a link to the FTC website, which has all the details on where to file a claim. Note that fake sites are bound to pop up, so be sure you only use the site linked from the FTC. If you think you may have a case to file a claim, you’ll want to move quickly, as you’ll only have 6 months to make your claim once the settlement is approved.
So is this settlement too little, too late? Even with the FTC now requiring Equifax to overhaul their security procedures, does a fine like this even matter much? As I talked about on last week’s show regarding the $5 billion fine about to be issued to Facebook for their handling of the Cambridge Analytica scandal, Facebook was able to make up most of that fine through the jump in their stock price. I think we will see the same with Equifax, but with the caveat that I’m sure security teams internally at Equifax will actually have money now to spend on security personnel and additional security controls, including incident response. Are you going to at least make a claim for $125 of this settlement? I’d love to hear your thoughts on this topic for discussion on a future episode of the podcast. So visit our contact us page at sharedsecurity.net/contact and tell us what you think is needed to keep companies like Equifax more accountable for protecting our personal information.
Do you happen to use an Android phone? Not only do you need to worry about malware, fake apps, and phishing attacks, but now there is a new exploit making the rounds that’s delivered by simply playing a video on your Android device. According to The Hacker News, there is a remote code execution vulnerability that affects over 1 billion devices running Android versions 7 through 9. That would be Android Nougat, Oreo, and Pie. The vulnerability itself resides in the Android media framework, which if exploited could allow an attacker full control of an Android device. The attack works by tricking the user into playing a malicious video file within the native Android video player application. That is, the video player that’s installed by default on most Android devices.
The good news is that Google already released a patch earlier in July for this specific vulnerability, but the bad news is that with the way Android patching works, this update may or may not be pushed to Android devices depending on your carrier and device manufacturer. This is one of the biggest problems with Android devices, and that is device fragmentation and the way security updates are delivered to Android devices, if at all. Note that if you receive a video through an app like Facebook Messenger or WhatsApp, the video is always compressed and encoded, so this type of exploit won’t work. The best course of action is to never click on video links from untrusted sources and, of course, update your Android operating system as frequently as possible.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically.
There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next.
That’s where NETSCOUT comes in.
Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud.
With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, Cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.NETSCOUT.com.
I read an interesting op-ed this past week (that we have linked in the show notes for you) about a comment that current US Attorney General Bill Barr made to attendees at a cybersecurity conference last week regarding encryption. And that was “warrant-proof encryption is already imposing huge costs on society,” and that he has had enough of “dogmatic pronouncements that lawful access simply cannot be done.” He went on further to say, “It can be, and it must be.” Now this isn’t the first time that the US or other worldwide governments have made similar demands to the tech industry to create what would essentially be “backdoors” into apps and systems that use encryption, all in the name of “lawful access” to prevent terrorism and to enhance “public safety”. A great example is when the Australian government last year asked the maker of Signal, which is an end-to-end encrypted messaging app, to build in a backdoor for government use. Now the problem with backdoors is that they create a weakness in not just the software, but the entire product or solution, giving real attackers an area to find and exploit. I like the author’s analogy in which she says “Should a technology service provider bow to such demands and citizens are made aware of the existence of a deliberate backdoor, this is akin to asking them to have a front door installed in their home which is always left slightly ajar.” And it’s not just the encryption itself that governments are trying to backdoor. Just this past May Apple, Google, Microsoft, and WhatsApp rejected the UK government’s request to add “ghost” users to private chats so that law enforcement could monitor conversations. Not too much different than a backdoor, but still a way to circumvent existing security controls and the trust of the users using the app. And guess what, when users find out that an app has been either backdoored or surveilled by a government entity, users will find some other app to use.
The good news here is that all the major tech companies like Google, Apple, and Microsoft have not given in to these demands, nor should they. I like the author’s opinion that requests like these are nothing more than a self-fulfilling prophecy, when encryption was originally adopted to protect government communications from the enemy in a time of war. Ironically, it’s now us who may be the new enemy in the continuing battle for encryption and our privacy.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Equifax Settlement, Android Video File Exploit, Encryption Backdoors appeared first on Shared Security Podcast.

Jul 22, 2019 • 12min
FaceApp Privacy Panic, Facebook’s 5 Billion Dollar Fine, Amazon Brushing Scams
This is your Shared Security Weekly Blaze for July 22nd 2019 with your host, Tom Eston. In this week’s episode: The FaceApp privacy panic, Facebook’s 5 billion dollar fine from the FTC, and what you need to know about two new types of Amazon scams.
Traveling internationally this summer? If so, make sure you protect one of the most valuable documents that you’re going to carry, and that’s your passport. Not only do you have to worry about losing your passport, but you also need to consider the privacy issues if your passport information is exposed. Passport information is often exposed through simple information disclosure, where you can be identified by shoulder surfing and have your nationality and other personal information on your passport exposed. Not only that, you need to protect your passport from damage and physical theft. My recommendation is to check out Silent Pocket’s Passport Wallet, which provides a stylish way to protect your passport while you travel with the added benefit of RFID blocking. Pick one up today at slientpocket.com and use discount code “sharedsecurity” to receive 15% off of your order during checkout.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The Federal Trade Commission has approved a 5 billion dollar settlement with Facebook over its investigation into their handling of the Cambridge Analytica privacy scandal, which exposed the private information of 87 million users. According to the Wall Street Journal, the settlement also allows the FTC to have more oversight and restrictions on Facebook’s privacy practices. While 5 billion dollars seems like a lot, it’s really just a drop in the bucket for a company like Facebook. In fact, when the news hit last week about the FTC settlement, Facebook’s stock shares went up 1.8%. So let’s run the numbers: Facebook made $15.1 billion just in Q1 of this year, and $5 billion is only about 9% of their total revenue for 2018, which came in at $55.83 billion. Again, this is not that big of a deal for Facebook when we’re talking about billions and billions in revenue.
Now we do have to keep in mind this is the largest fine ever issued by the FTC. The last fine, which wasn’t even close to this magnitude, was the $22.5 million issued to Google in 2012 for their mishandling of privacy issues. A drop in the bucket compared to 5 billion, but have the privacy issues and controversy stopped with Google? No, they haven’t, as we talk about privacy missteps from both Google and Facebook on this podcast almost every week.
So are “massive” fines the solution for companies that mishandle our privacy? It certainly doesn’t seem like it. What do you think is needed besides fines? Perhaps jail time for CEOs? One thing is for sure, something else needs to be done besides fines.
Do you read the privacy policies and the terms of service of the apps that you use? If not, the recent drama over an app called FaceApp may make you want to start reading these policies before you start using an app. FaceApp is an app that will make a selfie look younger, older, or turn yourself into the opposite sex, all by using facial recognition and AI technology. The app went viral last week all over social media and has been downloaded over 95 million times across the world. So what’s the controversy? Well first, there were unfounded claims on social media that because the app is created by a Russian company, called Wireless Lab, there are somehow ties to the Russian government in some giant conspiracy to harvest all the pictures on the devices of millions of users.
The truth is that FaceApp only uploads the pictures you want to manipulate, and those photos are actually sent to an Amazon AWS server which happens to be based in the US. But the bigger problem is what is said and, in some cases, not said in the FaceApp privacy policy and terms of service. First, you give FaceApp all rights to use the photos you upload for anything they want, including using your photos for commercial purposes. Going further, your name, likeness, and other data like your voice can also be used for commercial purposes, forever. Now, this type of policy is not that much different than Facebook or other social apps, but the recent drama of this particular app should be a good reminder for all of us to read these policies to make sure you know what data is collected about you and how it may be used. While I think the controversy over FaceApp is a little overblown, think about all the similar or other “fun” apps like these that you may be using and think twice before allowing your data to be used for something you don’t approve of.
Did you take advantage of Amazon Prime Day deals last week and you happen to live in Florida or Texas? If so, and according to cybersecurity firm MonsterCloud, you could have been targeted with spoofed Amazon ads, and fraudulent email marketing with fake deals and coupons that were actually malware and ransomware links. MonsterCloud CEO Zohar Pinhasi says “Florida in particular is off the charts – 200% higher rate of attack around Prime Day compared with the rest of the country. That likely may be because criminals are trying to take advantage of an older demographic that may not be as familiar with online shopping and the Internet, let alone cybercrime.”
It’s obvious that shopping days like Amazon Prime Day and Black Friday are huge targets for attackers to leverage for more success in delivering all types of attacks, including ransomware. What I find interesting about the MonsterCloud report is that it shows very specific states like Florida being targeted because of a large demographic of retired and elderly people. Like I’ve covered on the podcast before, the elderly are common targets of scams like these. One thing we can do is check in on our elderly friends and family members, especially around shopping events like these, to make sure they have some awareness of these types of scams.
Besides malware and ransomware scams, you should also be aware of an increasingly popular Amazon scam called “brushing”. A brushing scam is where a third-party seller on Amazon will somehow get the name and address of a consumer. The seller will purchase an item and then send it to that person, claiming it’s a gift. Amazon allows the person who purchases a gift to leave a review for that item, so the seller will leave a fake review after the item ships. This creates fake positive reviews which increase the reputation of the seller and push their products up higher in the Amazon search results. Products that show up at your house can be totally random, with no return address or other identifying information except that they’re in an Amazon shipping box. And while getting a ton of free stuff might be awesome, the bigger problem is that it’s obvious that some of your personal information like name, address and phone number has been compromised, either by some shady seller that you bought something from on Amazon, because you happen to be targeted, or because your data was found in a data breach. So what do you do if you happen to receive random packages you didn’t order from Amazon? First, contact Amazon immediately. Next, change your Amazon password just in case your account happens to be compromised (you did of course enable two-step verification, right?), and last, it’s always a good idea to research the product and vendor before you buy something on Amazon by doing a search on Google to see if there are reports of scams with that particular vendor. Also, check to see if you’re purchasing from Amazon directly or through a third party.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post FaceApp Privacy Panic, Facebook’s 5 Billion Dollar Fine, Amazon Brushing Scams appeared first on Shared Security Podcast.

Jul 15, 2019 • 11min
Zoom Zero-Day, GDPR Fines, Google Assistant Recordings
This is your Shared Security Weekly Blaze for July 15th 2019 with your host, Tom Eston. In this week’s episode: Zoom video conferencing zero-day, massive fines being issued for violating GDPR, and who might be listening when you talk to your Google Assistant.
Looking to protect your laptop, smartphone, and key fobs this summer? Well this week I’m excited to announce that you could win one of two Silent Pocket vacation prize packages which includes a passport wallet, medium faraday sleeve, and 5 liter drybag! Check out our post on Twitter @sharedsec or on Instagram @sharedsecurity for contest rules and how to enter. And don’t forget, listeners of this podcast receive 15% off at checkout using discount code “sharedsecurity”. Visit slientpocket.com to see the latest Silent Pocket products built to protect your digital privacy.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Do you or your organization use Zoom for video conferencing? If so, and you happen to be using it on a Mac, you’ll want to pay close attention to this story. The problem? Well, a security researcher last Monday disclosed that a vulnerable web server is automatically installed on Apple Mac computers during the installation of the Zoom client. What this means is that any website could be used to forcibly join a user to a Zoom call, with their video camera activated, and without the user’s permission. On top of that, the researcher also discovered that the vulnerability would allow any webpage to conduct a Denial of Service attack on a victim’s Mac by constantly joining the user to an invalid call. And if that wasn’t enough, when you uninstall the Zoom client the web server remains installed and active. The researcher disclosed the vulnerability to Zoom back in March, but after many meetings (and fixes that didn’t work) the researcher decided to disclose the vulnerability to the public. The next day Zoom issued a patch to remove the web server and to allow users to uninstall the Zoom client, which will now fully remove the web server. Zoom’s CEO posted a blog post apologizing to customers and noting that they will be improving their bug bounty program, as well as issuing another update, which took place over the weekend of July 13th, to further lock down the “video on” by default setting. Also, Apple made a surprising move on Wednesday by issuing a silent update to all Macs automatically uninstalling the Zoom web server. Many people don’t realize that Apple has the power to issue patches and updates to Macs connected to the Internet at any time, and while this seems creepy, it’s actually a good thing when Apple can take immediate and swift action to patch a critical vulnerability without user interaction. Check out our social media feeds for the latest updates on this developing story.
The General Data Protection Regulation, also known as GDPR, is now starting to penalize organizations which are found to have violated these now enforced consumer privacy protections in the European Union. Last week the Information Commissioner’s Office in the UK issued British Airways a staggering fine of 183.4 million pounds (which is about $230 million) because of the data breach affecting 500,000 customers last year. This $230 million fine is roughly 1.5% of British Airways’ revenue and is the largest fine issued to date for violating GDPR regulations. And that’s not all: the global hotel giant Marriott was also issued a fine of $125 million for their data breach which impacted 339 million customers across the world. Of course both companies can contest the fines to make their case, but this is the first time we’ve seen a large financial impact due to a GDPR violation.
But does issuing fines for violating regulations actually help prevent data breaches? If we use PCI DSS compliance fines as an example, not much will probably change. PCI DSS (which stands for the Payment Card Industry Data Security Standard) is what US merchants who process and store credit card data need to comply with. Fines from the card brands can vary between $5,000 and $100,000 per month depending on lots of things, like the size of your business and the type of non-compliance you happen to be violating. And in some extreme cases, violations can prevent a company from taking credit card payments. Now PCI has been around for a long time, and have we seen the amount of data breaches related to credit cards go down? Not really. In fact, as I talk about on this podcast all the time, data breaches seem to be increasing. So is that the game that’s being played? The more data breaches that happen, the more money the regulators make? Look, I’m sure fines are a pretty severe penalty for most businesses, but when it comes to giant companies like Marriott and British Airways, will this just be another accounting write-off, or will GDPR really set the stage to force more organizations to take data privacy seriously?
If you think Amazon is the only company that is taking heat about privacy issues with their popular voice assistants, think again: Google is also in the hot seat, as they admitted last week that Google contractors can access voice recordings from Google Assistant. This all started with a Belgian journalist who obtained audio files which contained voice recordings of about 1,000 users. The recordings were found to have had personal data like names and addresses disclosed, as well as conversations that would be deemed extremely private. Google hires contractors to assist with making translations as well as making the technology better by having humans review thousands of voice recordings. The Google Assistant works just like Amazon’s and Apple’s voice assistants: you say a wake word or key phrase like “OK, Google”. But like all of these voice assistants, they will sometimes record unintentionally if you happen to say a word similar to a key phrase, or when recordings for some reason continue after you’re finished asking a question. Google issued a statement noting that the contractor who disclosed these recordings violated their data security policies, and that they do hire language experts to do transcriptions on about 0.2 percent of all recordings, which are not associated with user accounts. So what do you think? If your personal information was disclosed in a Google Assistant or Amazon Alexa recording, would you be concerned? Or are you OK with giving up a little bit of your privacy for the convenience of using a voice assistant?
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Zoom Zero-Day, GDPR Fines, Google Assistant Recordings appeared first on Shared Security Podcast.

Jul 8, 2019 • 11min
Amazon Alexa Recordings, Facebook Malware Campaign, Top 3 Tips to Stay Private on Vacation
This is your Shared Security Weekly Blaze for July 8th 2019 with your host, Tom Eston. In this week’s episode: Amazon confirms that Alexa recordings are kept forever, details about one of the largest Facebook malware campaigns, and my top three tips for staying private on vacation.
Summer is upon us and that means it’s time for some much needed vacation time with friends and family. Summer also means that you need to be aware of data privacy and how to protect your laptops, smartphones and key fobs while traveling. Airports, concert venues, festivals, beaches, and other public areas can often be targeted by attackers looking to gain access to your devices through their wireless signals. Instead of worrying about disabling or turning off wireless functions on these devices, it’s so much easier to place them in a Faraday bag when they’re not being used. And if you want the best protection you can get, you want to be using Silent Pocket’s premium faraday bag product line that blocks all wireless signals, keeping your devices secure from attackers. This summer, get your devices the protection they require before you head out on your vacation. Use discount code “sharedsecurity” and receive 15% off your order during checkout right now at silentpocket.com.
In this week’s surprising but not so surprising news, Amazon has confirmed that Alexa voice recordings are kept by Amazon forever unless you manually delete each one. Apparently this revelation was noted in a letter from Amazon to US Senator Chris Coons, who had asked Amazon about their data handling and privacy practices around Alexa recordings. Amazon stated that they keep transcripts and voice recordings indefinitely, and only remove them if they’re manually deleted by users. The letter went on to say that even if people manually delete their recordings, some records and conversations may still remain on Amazon storage systems. Amazon is apparently conducting an ongoing effort to ensure deleted recordings are removed from various internal systems.
Amazon and other tech companies have been under increasing pressure to take the privacy of user data more seriously due to the EU’s enforcement of GDPR and the fact that all of this new technology seems to always increase the demand for more and more of our private data. So will this latest revelation make you think twice before talking to Alexa? I think manually deleting each individual recording is a very poor solution and hopefully they take the approach of changing the retention policy on this data or allowing users to delete everything with one single action. But until that day comes (if it ever does) Amazon is going to hold our data indefinitely.
Malware distribution has always been a problem on Facebook, and this goes way back to the beginnings of the social network. In this most recent example, a malware campaign called “Operation Tripoli” was found that targeted tens of thousands of users in Libya but also had the side effect of impacting users in North America. The most interesting aspect of this particular campaign was that it was started by someone creating a Facebook page impersonating Khalifa Haftar, who is the commander of the Libyan National Army. This Facebook page had over 11,000 followers and had links to various types of propaganda that, when clicked on, led to the download of various remote access trojans and other spyware. According to researchers from Check Point Software who discovered this campaign, this looks to be the largest seen by the researchers. In fact, this particular campaign may have started all the way back in 2014, and the individual behind this page was found to have 30 other Facebook pages using the same techniques. One of these other pages had close to 140,000 followers. While this particular malware campaign was specifically targeting Libyan citizens, you can bet that other pages targeting you and your country most certainly exist.
This is a great reminder for us all that impersonating other people on Facebook is almost too easy and we should be constantly aware of Facebook pages that may look legitimate but are really set up to impersonate a person or organization. Back in 2009 I jokingly talked about how easy it was to impersonate celebrities like Rick Astley on Facebook and Twitter by exploiting people’s trust and getting them to click on malicious links. This was demonstrated in some of the talks I gave at hacker conferences and was the start of my research on the privacy and security of social networks, and ironically the start of this podcast. By the way, at the end of August we’re celebrating the 10 year anniversary of this show! As part of that celebration we’ve recently released an updated version of our popular Facebook Privacy & Security Guide which walks you through the most appropriate privacy settings so that you can still be social. You can get your copy for free by visiting sharedsecurity.net or check out our show notes for a link you can click (don’t worry, this one is non-malicious) so you can download our updated guide.
Many of you listening to this episode are either on vacation right now or planning to be. You’ve probably seen and heard major news organizations like the NBC Nightly News talking about hackers trying to target you and your data while you travel. We’ve talked a lot about protecting yourself from those threats on this podcast, but what we don’t hear a lot about is what we should all be doing to protect our privacy from…each other. What I mean is that a lot of times in public spaces there are people always around us, and 99.9% of them have no malicious intent to target us specifically, yet, we sometimes unintentionally become victims because of the things we say or do in a public space. Having said that, I thought it would be good to share with you my top three tips for protecting your privacy while you’re on vacation this summer.
First, be aware of what you talk about over the phone or with others while in public spaces. I can’t tell you how many times I’ve overheard private conversations while waiting for a flight at the airport. In some of these conversations I was able to hear people’s full Social Security and credit card numbers. So that means you should probably not order something over the phone or discuss personal details about your medical history with your doctor while lots of people are around you. Go somewhere private to have conversations like these. Along with that, be cautious pulling out your wallet or purse where you may unintentionally show credit cards, cash and other personal items. Other people can learn a great deal about you by observation and you could potentially become a target for a thief or pickpocket.
My second tip is to use your laptop or smartphone in an area without a lot of people around or use a privacy screen, especially if you’re working on something private or sensitive. People on business are the worst offenders, especially on airplanes. But depending on what Netflix show or movie you might be watching, think about whether you want the entire airplane to also be watching that show or movie with you. Check out our show notes for links to a few recommended mobile and laptop privacy screens.
My last tip is that if you’re renting a car, don’t plug your smartphone into the USB port of the car! Most cars will auto-sync all the contacts, text messages, and other data on your device automatically, and if you forget to delete it, the rental car company, and potentially the next renter, will have access to private information you probably don’t want strangers to see.
As always, being aware of your surroundings and using common sense will help you stay more private in your travels this summer!
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Jul 1, 2019 • 11min
US Cyber-Attack on Iran, Poor Government Cybersecurity, Malvertising Campaigns
This is your Shared Security Weekly Blaze for July 1st 2019 with your host, Tom Eston. In this week’s episode: The US cyber-attack on Iran, the sad state of cybersecurity in the US government, and what you need to know about malvertising campaigns.
Don’t you hate air travel? I know I do! Rude people, crowds, the TSA searching you and your bags because of a toothbrush that for some reason looks like a weapon, and on top of that your flight has a very high chance of being delayed or cancelled! This is the unfortunate reality the minute you get to the airport. While you’re dealing with the stress related to all that, the last thing you need to worry about is your digital privacy while you’re at the airport. That’s why I recommend Silent Pocket’s product line of Faraday bags and wallets which block all wireless signals keeping your devices secure and completely off the grid. As a listener of this podcast you get 15% off your order by using discount code, “sharedsecurity” at checkout. Visit SilentPocket.com to check out their great line of products to make your air travel experience a little less stressful.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Last week the United States launched a cyberattack directed towards Iran which disabled Iranian computer systems that controlled its rocket and missile launchers. This was a response to an escalation by Iran when they shot down an unarmed US drone apparently conducting surveillance in international airspace. Iran denies those claims and states the drone was violating their airspace. The attack was carried out by US Cyber Command acting upon orders from US President Donald Trump. This was actually the second option to strike back at Iran, as the first one was to launch a missile strike against Iranian radar bases which would have resulted in human casualties. According to cybersecurity firms FireEye and CrowdStrike, there has been a recent rise in Iranian attacks on US companies and government agencies as well as critical infrastructure such as the power grid, which also prompted the US government response. This is not the first cyberattack on Iran either. You may remember back in the late 2000s it’s believed that the US and Israel targeted the Iranian nuclear program with the Stuxnet virus, which essentially disabled most of their nuclear program at the time.
I find this retaliation interesting as it seems that in more cases traditional warfare, like missile strikes, may start to be a thing of the past when cyberattacks may actually do more damage to critical infrastructure and send a more impactful message than just destroying buildings and killing a bunch of people. Of course, cyberattacks could potentially be used to kill people too, especially ones that may be targeted towards hospitals or nuclear facilities which could malfunction due to a cyberattack. On the flip side, you may remember back in May Israel bombed a Palestinian Hamas military intelligence headquarters in retaliation for an attempted cyber-attack directed towards Israeli targets. This was the first time a nation state conducted a military strike in response to a cyber-attack. I guess it could go both ways, and with the increase in cyber-attacks and capabilities that all nation states now have, it will be interesting to see how the future “cyber-war” may begin to play out.
In other US government news, a new report published by the US Senate last week showed that eight government agencies have failed to follow basic cybersecurity protocols and have exposed US citizens’ private data for over a decade. The investigation itself took about ten months and reviewed the past ten years of compliance reports regarding federal information security standards that these agencies were supposed to follow. One of the eight agencies even included, guess who, the Department of Homeland Security.
The biggest issue found was at the Department of Education where it was discovered that anyone could access and maintain a connection to the network for up to 90 seconds which is enough time to launch attacks against servers and systems. In addition to that, five of the eight agencies had not maintained current and complete IT asset inventories. This is a huge problem because if an agency doesn’t know what systems they have on their network, how can they patch, update and protect them? Because of poor asset inventory, six out of eight agencies were unable to deploy security patches or other critical updates.
So why is basic network security and asset management so difficult for the government? Well for starters, there is a lot of politics and bureaucracy that takes place in these agencies. First, the people in charge, like the CIOs, don’t have authority to make decisions in many cases, and many of the systems and applications being used are so outdated that they are no longer supported by the vendors. This means that even if they wanted to secure them, there are no patches, updates, or vendor guidance to do so. This of course is just the tip of the iceberg, so if you want to read all the gory details you can check out our show notes to read the full stimulating 99-page government report.
There has been a recent rise in a well-known technique called malvertising, which involves attackers leveraging legitimate domains and services to serve up drive-by downloads of ransomware and other types of malicious files. The way it works is that malicious code is embedded in advertisements which get shown to web site visitors. If a user clicks the ad, they get directed to a compromised site serving malware, which then gets downloaded and executed on the victim’s system. The big issue here is that most web site owners have no idea that the ad networks they may be using have been compromised and they have unwillingly become malware distributors. In the past, there have been several large successful malvertising campaigns that targeted legitimate sites such as the New York Times, the BBC, and MSN.
Just recently, researchers found a new form of exploit kit called GreenFlash Sundown that started in Asia but appears to be spreading across the world. This exploit kit was delivered via an ad that was spread through a site called onlinevideoconverter[.]com which is used by 200 million users a month to convert YouTube videos to different audio formats. The payload executed some JavaScript and then ran an Adobe Flash object. Once the exploit kit goes through a series of checks, it will install a form of ransomware called “Seon”. Seon works like most ransomware by encrypting all your files and then demanding you pay a ransom in bitcoin to get your data back. What makes this particular malware a little more devious is that on top of the ransom it also installed a cryptocurrency miner and what appears to be a type of remote access trojan called “Pony”.
So how do you protect yourself from malvertising? First, keep your web browser and plugins up to date and ensure that you enable “click-to-play” in your web browser settings. What this setting does is allow plugins like Flash to run only when you allow it to. Next, use a decent ad blocker like uBlock in your browser to help prevent ads from showing up in the first place. Lastly, the other common advice still applies. Keep your systems fully patched and updated, use and enable the built-in Windows Defender anti-virus if you’re on Windows, and always be security aware and vigilant while you use the web.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Jun 27, 2019 • 35min
The Home Security Episode – Locks, Doors, Cameras, and More!
In episode 89 of our monthly show Scott and Tom discuss everything you need to know about home security with physical security expert, Patrick McNeil. We delve deep into the world of locks, lock bumping, doors, windows, surveillance cameras, alarms, and much more. If you’ve always wanted to know how best to protect your home or residence this is one episode not to miss! Check out the YouTube edition of this episode for Patrick’s presentation on lock bumping and the contest we had during the live stream of this episode.
The Shared Security Podcast is proudly sponsored by Silent Pocket and Edgewise Networks.
Subscribe to our getVokl channel and get notified when we’ll be live so you can chat and participate in our next show! Here are the home security topics we covered:
What you need to know about locks, the quality of the lock you buy at “big box” hardware stores vs. what you get from a locksmith
What is lock bumping and how is it performed?
Windows and doors: how easy is it for a criminal to break in?
What is the proper installation of a dead latch?
Why you should hire a professional locksmith vs. trying to increase the security of your locks on your own
Crime prevention through environmental design (CPTED)
What should you look for in a surveillance camera and where should they be placed?
Why dogs (even small ones) are a great deterrent
Are alarms worth it and what about placing “fake” alarm company signs?
Vulnerabilities in certain popular alarm systems
What is the number one thing that’s most overlooked with home and neighborhood security?
The two talks that Patrick gave on “The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike” at CackalackyCon and Layer8
Thanks again to Patrick for being a guest on our show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.

Jun 24, 2019 • 10min
Facebook’s New Cryptocurrency, Firefox Zero Day, Smart TV Malware
This is your Shared Security Weekly Blaze for June 24th 2019 with your host, Tom Eston. In this week’s episode: Facebook announces a new cryptocurrency called Libra, two new zero-day vulnerabilities affecting Firefox, and should you be scanning your smart TV for malware?
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Facebook was in the news this past week with the announcement of its own cryptocurrency called “Libra”. This new cryptocurrency will be available starting in the first half of 2020 and is being promoted as a way to buy things and send money with nearly zero fees. Users of Libra will be able to buy or cash out the cryptocurrency at exchange points, like at your grocery store, and use it by utilizing a wallet application like Facebook’s new Calibra cryptocurrency wallet, which will be available in WhatsApp, Messenger and in a standalone app. What’s also interesting is that Facebook won’t totally control Libra but will get a share in governance and oversight with other large companies like Visa and Uber. You see, these companies all gave at least $10 million to finance the new Libra Association, which is responsible for promoting the Libra blockchain and working with developers that want to build functionality to support Libra payments. This association will also act as a financial reserve to prevent situations like the wild fluctuation we see in the current value of bitcoin. Calibra, which handles the wallet application, will also take care of user privacy and is said to never use or access your Facebook data with Libra payments, and your identity will never be tied to payments or transactions. As you know, privacy is not the first thing that comes to mind when we think of Facebook. And Facebook does make money by selling ads, so this seems (from what we know so far) to be quite the departure for Facebook. So how will Facebook make money off this new form of cryptocurrency? Well from what we know so far, Facebook is seeing this as more of an investment in how businesses will want to sell more ads because more people will be using Calibra to buy and sell things using Facebook.
I’m wondering if people will really start to use Libra to pay for things, becoming something like a new “PayPal”. As we’ve discussed on the show before, there are lots of security issues around cryptocurrency and the blockchain. Crypto exchanges are always being hacked, and the applications that are being developed, such as ones that power smart contracts and other apps that use the blockchain, have very unique vulnerabilities which are challenging to remediate. So with the money and influence of Facebook, do you think this is what will make cryptocurrency a mainstream and popular form of payment? If, of course, it makes it past world financial regulators. Or is it just another way for Facebook to eventually make more money by selling even more ads?
Using Firefox as your preferred web browser? Well Firefox released two critical updates last week to fix a “zero-day” security vulnerability that has been used in targeted attacks against (guess what) cryptocurrency exchanges like Coinbase. The exploit apparently chained together another similar vulnerability which was used in a phishing attack to drop and execute malicious payloads on machines of victims. This vulnerability, called a sandbox escape, was originally reported by Coinbase’s security team and would allow attackers to escape from the browser’s protective sandbox. But then later in the week it was discovered that chaining this vulnerability to the previous one would allow remote code execution. Even if you don’t happen to use Coinbase, attackers may leverage this vulnerability with other sites so you should update Firefox to version 67.0.4 as soon as possible. As a reminder to update Firefox, go to the Firefox menu, go to Help, then About Firefox. Firefox will then check for an update and install it.
If you happen to own a newer Samsung Smart QLED TV, did you know that you should be scanning your TV for malware? Well last week Twitter blew up when Samsung made a Tweet saying “Scanning your computer for malware viruses is important to keep it running smoothly. This is also true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how”. Now if many of you are asking yourself “how do I actually scan my TV?”, well, Samsung has a security solution built into their QLED TVs which will attempt to detect and block malicious applications and files attempting to access the device. The TV also includes a scanning tool which will find and locate whatever Samsung calls malware that might already be installed on the TV. Why scans are not set to automatically run, similar to how anti-virus works on a PC, is beyond me. But if you’re bored and want to see if your TV might be infected, you do have a manual way of doing this.
So what’s the risk of your TV being infected with malware? Right now, I’d say that the risk is pretty low. However, back in 2017 during one of the WikiLeaks dumps, malware called “Weeping Angel” (which was developed by the CIA and MI5) was found that could infect Samsung F800 TVs. As expected, this malware was capable of recording audio through the TV’s microphone, collecting browser history and much more. The odds that a nation state may target your TV, which really depends on your personal threat model, are probably not something most of us have to worry about. But the fact that we are scanning smart devices like our TV for malware seems to be a reality of the “insecure” Internet of Things world in which we live.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.