

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Jun 17, 2019 • 9min
US Customs and Border Protection Data Breach, Sign in with Apple, Leaked Facebook Emails
This is your Shared Security Weekly Blaze for June 17th 2019 with your host, Tom Eston. In this week’s episode: the US Customs and Border Protection data breach, the new sign in with Apple button, and more leaked Facebook emails.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Apple made a few big privacy announcements at its Worldwide Developers Conference the other week including: updates to how Apple’s HomeKit securely transmits and stores video from home security systems, new permission settings in iOS 13 to further limit location sharing, health data that is used by Apple Watch is now being encrypted and stored on your watch or within iCloud, and that you can now lock your Mac remotely through Apple’s activation lock feature if your Mac happens to be lost or stolen. But the biggest privacy announcement was “Sign in with Apple” which is a new feature that looks to roll out later in the year with iOS 13. Sign in with Apple is a button that is very similar to Facebook or Google’s “one-click” sign-on buttons you might see on many apps and websites. These buttons leverage your Facebook or Google accounts to sign you in without creating a separate login ID. The problem with this is that sometimes your personal information, which Facebook and Google collect about you, gets shared with these sites and can be used to track you. Apple’s one-click sign-on solution authenticates using Face ID without sending any personal information to a third-party company. On top of that Apple’s solution will auto-generate a random “relay” email address that will hide your real email address. I like this a lot as email addresses are commonly used as a user name and are one of the ways you happen to be linked back to a data breach. In addition, Apple says you’ll be able to disable these randomly generated email addresses if you don’t want to use an app anymore.
Now the biggest challenge for Apple will be whether developers will start using this new feature when developing their applications. Many have already been using Facebook and Google for one-click sign-on buttons, so Apple may have to find ways to convince developers that there is a more secure and private approach to help protect their users’ personal information.
Remember just recently on episode 88 of our monthly show I talked about how US Customs and Border Protection (or CBP) was now using facial recognition at several US airports in order to board flights? Well, it seems that a CBP database, storing images of travelers and license plates, was hacked and compromised. Apparently it was a subcontractor who had the data that had gotten compromised. It’s not known who the subcontractor is nor did CBP provide any other details except that the agency became aware that on May 31st the subcontractor had transferred the photos to its network. CBP also stated that this was a violation of their policies and that several members of Congress have been alerted and that law enforcement is investigating the incident. However, the Washington Post now reports that fewer than 100,000 people were impacted and that initial reports show that the hacked data included photographs of people in vehicles entering and exiting the US over a “single land border crossing” which the CBP did not name. Hmmm, I wonder if that’s Canada or Mexico. What do you think?
This breach comes at a controversial time for the CBP as there have been many privacy concerns regarding the use of facial recognition at US airports and now the collection of social media names from foreigners visiting from other countries or applying for a visa. Now that we know that the data they have been collecting wasn’t properly protected, subcontractor or not, do you think this will halt CBP’s expansion to collect and use more of our private data? As past government responses to previous privacy concerns and data breaches show, probably not.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Facebook is, yet again, in hot water about more leaked emails that show Mark Zuckerberg wasn’t taking the 2012 settlement with the FTC very seriously and that he knew about controversial privacy practices when he should have been focused on user privacy. An anonymous source apparently provided these emails to the Wall Street Journal last week. The emails show that shortly after the FTC’s 2012 consent decree, Zuckerberg had asked employees about building an app tied to a database of Facebook user information and having that data shared with other developers, regardless of the privacy settings of those users. The email chain showed that this was a complex thing to do but was definitely in the realm of possibility. The app appears not to have been developed but these emails are pretty significant if the FTC is looking for more ammunition in their recent case against Facebook. Facebook is currently looking to settle the FTC’s latest investigation where it’s been reported that Facebook may have to pay around $5 billion as part of this most recent settlement.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post US Customs and Border Protection Data Breach, Sign in with Apple, Leaked Facebook Emails appeared first on Shared Security Podcast.

Jun 10, 2019 • 9min
Quest Diagnostics Data Breach, Google’s Network Outage, US Visa Applicants and Social Media Names
This is your Shared Security Weekly Blaze for June 10th 2019 with your host, Tom Eston. In this week’s episode: the Quest Diagnostics and LabCorp Data Breach, what happens to your smart devices when the Internet goes down, and US visa applicants now required to share their social media names.
Everyone ready for news about yet another massive data breach? Well, last Monday Quest Diagnostics (which is the world’s largest blood testing company) disclosed that a data breach affecting 11.9 million customers was due to a website breach of a third-party collections vendor called American Medical Collection Agency (or AMCA). This breach in particular was a little different because Quest uses a contractor (Optum360) which in turn uses another contractor, AMCA, for medical billing and collections. According to the SEC filing, the AMCA payment system was compromised on August 1st 2018 and was vulnerable until March 30th of this year. Information compromised included names, birth dates, address, phone number, dates of service, medical providers, and balance information. To make matters worse, LabCorp (who also used AMCA) disclosed later in the week that 7.7 million of their patients were also affected by this breach. LabCorp also indicated that about 200,000 people also had their credit cards and bank account information compromised as well. The only good news out of all this is that medical data and laboratory test results were not compromised.
What this latest breach shows us is that companies like Quest Diagnostics routinely outsource functions like billing and collections to third-party companies. In this case it was a contractor of a contractor but in many similar breaches, we never know how far or how deep the rabbit hole may go with all these third-party relationships. Third-party security is very challenging for organizations, especially when there are multiple parties involved processing and storing customer data. One thing is clear, I think we’ve all had enough of free credit monitoring for 24 months and statements like “we take the security and privacy of your data seriously” type responses we always hear after every data breach. I know personally, I’d like to hear more statements like: we are doing the following things to make sure a breach like this doesn’t happen again. Perhaps it’s just a pipe dream but for now, I guess we continue to let the data breaches flow.
Last week Google had a major outage that affected YouTube, Gmail, G Suite, and several other services like Nest which, by the way, is now a Google-owned company. While network outages are not that uncommon, in this case the outage caused Nest products to not function which left many customers without any way to control thermostats, security cameras, and other Nest products like their smart door locks. Now most of these devices have manual overrides in the case of an Internet outage, that is, until they lose power or battery; then you may be in trouble. It just depends on your device. For example, the Nest smart lock in particular has a way to use the key pad even if the battery is dead. This outage made me think that incidents like this may be a significant disadvantage of cloud controlled products like Nest. We often only think of the convenience of products like these but when the Internet or cloud infrastructure goes down, well they all go back to the “dumb” devices that they were. And why would we ever go back to using an old fashioned thermostat or door lock? This is crazy talk!
Potential privacy and security concerns with Internet of Things devices aside, think for a minute about all the smart devices in your home and what you would do if you lost Internet or there was a large network outage or even loss of power to your home. If you have smart devices being used for security, what will your plan be so that you can continue to use these devices?
If you’re from another country coming over to the US on a visa, surprise, surprise, but you’ll now need to share the social media names that you’ve used for the past five years in your visa application. Of course, you could choose not to share this information and just say that you don’t use social media, but according to the US State Department, it would be unwise to lie in your application as lying could present serious consequences. The purpose of this is to give the US government a way to identify potential terrorists, public safety threats, and other dangerous individuals and prevent them from gaining access to the US. The way the process works is that visa applicants will have background checks completed against watchlists that are maintained by the US government. Future “improvements” to the visa application process may also require applicants to provide more extensive information about their travel history. Reports say that much of this new policy stems from the 2015 mass shooting that took place in San Bernardino, California, where Syed Farook killed 14 people. Farook’s wife, Tashfeen Malik, was found to have terrorist sympathies in her social media communications before she was granted a US visa. So what do you think? Is this a worthwhile effort to stop real terrorists from coming to the US or will it end up causing more privacy problems and controversy for the US government?
The post Quest Diagnostics Data Breach, Google’s Network Outage, US Visa Applicants and Social Media Names appeared first on Shared Security Podcast.

Jun 3, 2019 • 10min
Ransomware Rampage, Mobile Phishing Attacks, iPhone App Ad Trackers
This is your Shared Security Weekly Blaze for June 3rd 2019 with your host, Tom Eston. In this week’s episode: US cities are being rampaged with ransomware, mobile phishing attacks on the rise, and do you know what your iPhone is doing while you sleep?
I was intrigued by an opinion piece posted to Dark Reading about the recent rise in ransomware attacks targeting cities and local governments. From Atlanta, Cleveland’s airport, and now the city of Baltimore, ransomware is grinding communication and critical processes to a halt in many cities across the country. Local governments are expected to provide certain critical services for citizens, such as obtaining permits, and closing home sales, so without computer systems working it’s like going back to the ice age with paper and a manual process. My hometown of Cleveland Ohio had a ransomware attack hit the airport but thankfully, only affected the flight and baggage information screens and not the security of flights or the airport itself. This latest string of ransomware attacks appears to be attributed to the previously leaked “EternalBlue” exploit back from 2017 which was created by the NSA. Anyone else find it ironic that our own cities are being used against us with the same tools and exploits designed to attack other nation states?
One thing is clear, cyber criminals see a massive target in cities and local government because they know (as well as many of us) that IT budgets are tight and more often than not systems are not being patched or maintained. The other ethical dilemma this brings up is if cities should pay the ransom. While we always say to never give in and pay a ransom, the recent ransomware incident in Atlanta cost the city an estimated $17 million in recovery costs when the ransom was only $50,000. Now just paying the ransom may not work out either as there have been cases of criminals asking for more money or just not giving the keys to unlock the data regardless of being paid. It’s a tough situation for sure and will continue to be hotly debated as attacks on cities increase.
From a prevention perspective, perhaps with limited IT and security budgets money may be best spent by focusing on security awareness training. Many of these ransomware attacks start through a phishing email or by clicking on a malicious link to a compromised website which then allows the malware to propagate through the network. If the first line of defense, the users, knows how to identify a malicious email or link, that alone may prevent the entire ransomware attack from happening. I started a Twitter post, which I’ve linked in the show notes, about this very topic so I’d love to hear your thoughts and ideas on how we can help the cities that we live in defend themselves from a ransomware attack.
Speaking of social engineering, PhishLabs released a report on mobile phishing attacks, which have not gotten the attention in the past that we see with email based attacks. With the rise in mobile phone usage there has been quite the increase in phishing attacks using SMS text messages and leveraging specially designed phishing exploit kits which mimic login screens of legitimate apps. According to the report, the financial industry appears to be the main target and attacks are looking to replicate your bank’s mobile login screen so that you’re tricked into entering credentials and even two-factor authentication codes.
SMS phishing in particular is getting more complicated to prevent. For example, phone numbers can be easily spoofed and filtering of SMS or text based spam is pretty much non-existent. In addition, mobile phishing attacks take advantage of small screen sizes and use techniques like URL padding which can hide the full URL, making the site seem legitimate. Also in the report PhishLabs noted that Android is currently the number one target for mobile malware and that banking trojans are the most popular malware that’s being used today. Ironically the BankBot Anubis malware uses a Twitter account for command and control of the malware to avoid detection. This is something that researchers Kevin Johnson and Robin Wood and I, who developed a proof of concept of this, first talked about in a DEF CON and subsequent ShmooCon talk way back in 2009. Crazy that this concept that I was a part of is actually being used in modern day malware.
In related phishing news, Brian Krebs from KrebsOnSecurity.com posted an article about people being fired for failing phishing tests put on by their companies. He goes on to interview several phishing industry experts to get their opinion, which of course, are not in agreement with firing employees over an awareness exercise. We’ll link the article in the show notes so you can read it for yourself, but what do you think? Is the hard-handed and fear-based approach the best way to increase awareness?
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Have you wondered what your iPhone is doing while you’re sleeping? Like most of us, our phones go into “do not disturb” mode and we gently drift off into our quiet slumber to be awakened by the horrible sound of the alarm we set for some ungodly hour so we can get up and go to work. But did you know, your phone is constantly communicating and your apps in particular are sending tons of information about you and your device to marketing companies, research firms and ad agencies? Well, a technology columnist from the Washington Post worked with a privacy firm to find out exactly what was going on here. Through their research they found that there were over 5,400 trackers in a single week, mostly from apps, which resulted in 1.5 gigabytes of data being used over the course of a month. Information sent from these apps included his phone number, email address, exact location and device fingerprints, while also helping trackers link back to his phone. And these trackers do activate at night or when the device is plugged in because of the background refresh setting that is on by default with an iPhone. And don’t think that just because you don’t own an iPhone you’re immune. Android users face the same issue with apps that use trackers like these as well.
Now none of this news should be at all surprising, except for the volume of data we’re talking about here. The most concerning part is that we really don’t know where apps are sending our data and we don’t know what these companies are doing with our data. There is no disclosure system by Apple or anyone that shows you what these ad trackers are doing unless you do what this columnist did and dig into the technical details of how these apps work. Privacy notices and policies don’t help much either because they don’t go into the gory details of what these trackers do and transmit. You can read the article for yourself in the show notes but I think the best quote from the story is about transparency and that quote is “If we don’t know where our data is going, how can we ever hope to keep it private?”.
The post Ransomware Rampage, Mobile Phishing Attacks, iPhone App Ad Trackers appeared first on Shared Security Podcast.
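The mobile phishing segment in the episode above mentions URL padding: a hostname that opens with a familiar brand name, followed by a long run of hyphens, so that the real registrable domain scrolls off the edge of a narrow mobile address bar. The following is an added example written for this page; it is not code from the podcast or from the PhishLabs report. The brand list, the hyphen-run and length thresholds, and the sample links are all constructed assumptions for illustration, and the registrable domain is approximated as the last two hostname labels (a public-suffix list would be needed for ccTLDs such as .co.uk).

```python
"""Heuristic detector for URL-padding lures in SMS phishing links (added example)."""
import re
from urllib.parse import urlsplit

# Brand names a lure is likely to borrow (constructed list, not a vendor feed).
KNOWN_BRANDS = ("paypal", "chase", "wellsfargo", "bankofamerica", "apple", "google")

# Tunable thresholds (assumptions for this example, not figures from the report).
MIN_HYPHEN_RUN = 5   # legitimate hostnames rarely contain long runs of hyphens
MAX_HOST_LEN = 60    # padded hosts are long so the real domain scrolls off-screen
SCREEN_CHARS = 28    # roughly what a narrow mobile address bar shows


def analyze_url(url: str) -> dict:
    """Return a verdict, with reasons, on whether a URL looks like a padding lure."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # Registrable domain approximated as the last two labels. Fine for .com/.net/.org;
    # ccTLDs such as .co.uk need a public-suffix list (assumption of this example).
    registrable = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])

    # Longest consecutive run of hyphens anywhere in the hostname.
    longest_run = max((len(m) for m in re.findall(r"-+", host)), default=0)
    # A brand that shows up only in the subdomain part is the classic lure.
    brand_lure = next(
        (b for b in KNOWN_BRANDS if b in subdomain and b not in registrable), None
    )

    reasons = []
    if longest_run >= MIN_HYPHEN_RUN:
        reasons.append(f"hyphen run of {longest_run} in hostname")
    if len(host) > MAX_HOST_LEN:
        reasons.append(f"hostname is {len(host)} characters long")
    if brand_lure:
        reasons.append(f"brand '{brand_lure}' appears only in the subdomain")

    return {
        "host": host,
        "registrable_domain": registrable,
        "visible_prefix": host[:SCREEN_CHARS],  # what the victim actually sees
        "longest_hyphen_run": longest_run,
        "brand_lure": brand_lure,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_urls(urls):
    """Analyze each URL and return only the results that tripped a heuristic."""
    return [r for r in map(analyze_url, urls) if r["suspicious"]]


# Constructed sample links, as they might arrive in SMS messages (not real sightings).
SAMPLE_URLS = [
    "https://m.chase.com----------------------------------------verify.example-login.net/login",
    "https://paypal.com.secure-update.example.org/",
    "https://secure.chase.com/web/auth/dashboard",
    "https://www.bankofamerica.com/",
]

if __name__ == "__main__":
    for r in scan_urls(SAMPLE_URLS):
        print(f"{r['visible_prefix']}...  real domain: {r['registrable_domain']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

The `visible_prefix` field is the point of the exercise: for the padded sample it is the first 28 characters, `m.chase.com-----------------`, which is all a victim sees before deciding to tap, while `registrable_domain` reports where the link really goes. The brand check catches the hyphen-free variant (`paypal.com.secure-update.example.org`) that padding-only rules miss.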

May 27, 2019 • 9min
Equifax Downgraded, Huawei Ban, Google is Tracking Your Purchases
This is your Shared Security Weekly Blaze for May 27th 2019 with your host, Tom Eston. In this week’s episode: Investment firm Moody’s downgrades Equifax, Huawei’s US technology ban, and how Google is tracking all your purchases.
Equifax was back in the news late last week with the announcement that Moody’s has cut its rating outlook for Equifax, from stable to negative, because of their massive data breach of 146 million users which took place in 2017. This is the first time that a company has had its investment rating downgraded because of a data breach. Moody’s noted that the downgrade was due to the large expenses that Equifax has had to pay such as $786.8 million in general costs, $82.8 million in data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges.
If you’re not familiar with the details about the Equifax breach we’ll have a link in our show notes to one of our previous episodes on the topic, but for a short recap, Equifax was breached due to a well-known vulnerability in Apache Struts that remained unpatched on an Equifax server. The breach could have been prevented since the patch for the vulnerability was released two months prior to the breach.
Unless you work for Equifax, this is actually really good news and honestly I’m not feeling that sorry for Equifax. I’ve always said that until companies are held financially accountable for poor security, we will continue to see more breaches and unfortunately, more massive ones like Equifax.
A few weeks ago the Trump administration banned US companies from doing business with the Chinese telecom giant, Huawei. This ban resulted in Google and many other tech firms halting business with them. While there has been no evidence produced or further details provided by the US government regarding the Huawei ban, Huawei in the past has been accused of intellectual property violations and theft of trade secrets not that long ago, not to mention some potential ties to the Chinese communist party.
Now last week chip designer ARM officially suspended all business with Huawei. This is a huge blow and will prevent Huawei from creating their own chips. What’s interesting is that ARM is based in the UK and owned by a Japanese company. However, ARM develops some processors in the US which they feel puts them in hot water with the US government if ARM were to continue selling to Huawei.
Look, from a cybersecurity perspective, my take is this has something to do with the potential and perhaps past evidence of Chinese spying on the US. The biggest issue is that Huawei is one of the main suppliers of the technology that cell towers use to communicate with our devices. Now with the talk of 5G networks and upgrades to support this new technology there may be the threat of Chinese surveillance or backdoors in the backbone of mobile communication in the US. Is there evidence to support this? Who knows at this point. The US government isn’t saying but one thing is for sure, this won’t be the end of this story and neither will the impact of Huawei’s technology in the US.
It should be no surprise that if you have a Google Gmail account you already know that while you’re signed into a Google account and browse the web, your search history is harvested for Google to serve you ads in your Gmail account. By the way, it’s a common misconception that Google scans your email to serve you ads through your Gmail account. Something that may be surprising though was the revelation from a CNBC report which revealed that Google has created a page called “Purchases” which shows you a list of all the purchases that you’ve made. This list is pulled from your emails which show receipts from previous purchases that were emailed to your Gmail account. This list of purchases goes way back, all the way to the day you created your Gmail account and for some of us that could be decades worth of purchase data.
Now this page is only accessible to you but what I find interesting is that it’s really difficult to delete this data if you happen to be creeped out about Google collecting all of your past purchase history. The only way you can delete your purchase data is to actually delete the email that contains the purchase receipt. From the “Purchases” page you can individually delete a receipt but that takes you back to your Gmail to delete the actual message. There appears to be no mass delete option or ability to prevent Google from collecting your purchase history. In fact, Google told CNBC that there was a way to turn off this ability in the search preferences, but the reporter found out that changing these settings didn’t work.
In other Google news, Google announced that they discovered that passwords for some G Suite business users were being stored in plain text. The data was apparently being stored on internal Google servers and the issue was quickly corrected. Affected G Suite business users have been notified by Google to change their passwords. This is very reminiscent of a similar situation back in March where Facebook discovered hundreds of millions of user passwords were also stored in plain text and were accessible by over 20,000 Facebook employees.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Equifax Downgraded, Huawei Ban, Google is Tracking Your Purchases appeared first on Shared Security Podcast.

May 24, 2019 • 32min
Remotely Killing Car Engines, Password Expiration Policies, Facial Recognition at Airports, InfoSec vs. Cybersecurity
In episode 88 of our monthly show we streamed live on GetVokl! Subscribe to our channel and get notified when we’ll be live so you can chat and participate in our next show! Here are the topics we covered and links to articles we discussed:
Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking
A hacker by the name of L&M broke into GPS tracking systems from iTrack and ProTrack, which are apps used to manage and monitor fleets of trucks and vehicles. About 27,000 accounts were affected.
He could track vehicles and shut down the engine of any vehicle that was either parked or driving under 12 miles per hour.
He found a flaw in their Android app which set the default password to 123456 for all new user accounts, and brute-forced the user names. He also wrote a script to log in to the accounts.
Microsoft says password expiration policies are stupid and will be removing them from their security baselines
Skip the Surveillance By Opting Out of Face Recognition At Airports
Debate: Is it InfoSec or Cybersecurity?
What do you think? Does the term “cybersecurity” best describe this industry? Send us a message on Instagram, Twitter, Facebook or by email (feedback[aT]sharedsecurity.net) to let us know!
Check out Scott’s new company: ClickArmor
More news about Scott’s new venture coming soon on the show!
The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.

May 20, 2019 • 10min
Critical WhatsApp Vulnerability, Facial Recognition Ban, Wormable Flaw in Windows
This is your Shared Security Weekly Blaze for May 20th 2019 with your host, Tom Eston. In this week’s episode: A serious spyware vulnerability in WhatsApp, San Francisco bans facial recognition, and a wormable vulnerability in older Microsoft systems.
Facebook has revealed a major vulnerability in its popular WhatsApp messaging app which is used by 1.5 billion users. This vulnerability allows malicious spyware to be installed by initiating a call over WhatsApp’s voice calling feature. The vulnerability is so serious that the spyware would be installed even if the call wasn’t picked up. WhatsApp said that only a select number of users were victims and that the vulnerability affects all but the latest version available for Apple iOS and Android. Now it should be no surprise that this spyware was also linked back to the infamous Israeli NSO Group which is known for selling highly advanced spyware to governments and nation states. We’ve mentioned the NSO Group many times on the podcast before when we had talked about their Pegasus spyware which can read messages, turn on the microphone and camera and completely take over the device. Of course reports say that the NSO Group has denied any involvement in the WhatsApp vulnerability. WhatsApp has fixed the vulnerability and if you happen to use WhatsApp you need to update to the latest version immediately.
What’s really disturbing about a vulnerability like this is that you as the victim can’t really do anything to protect yourself, except not have the app installed. We’re seeing more of these types of vulnerabilities, and many of them take advantage of zero-day vulnerabilities where only the exploit developer has the exploit and the device manufacturer, like Apple, is unaware. This is not going to be the last time we see something as dangerous as this, so our best advice is to always keep your device and apps updated. That’s about all you can do to protect yourself, or just not use a mobile phone.
The other controversy around the WhatsApp vulnerability I want to talk about was a related story in a Bloomberg article which said that end-to-end encryption is nothing but a marketing gimmick. The article went as far as to say, quote, “End-to-end encryption is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security,” end quote. First of all, this is wrong and extremely misleading. But don’t take my word for it; the cybersecurity community’s reaction on social media was swift to dismiss the FUD in this article. Look, zero-days and app vulnerabilities aside, end-to-end encryption is not a gimmick. It’s a real and very important technology to protect your information. End-to-end encryption has nothing to do with this particular vulnerability: the exploit completely compromises the device, not the messages in transit, which is what end-to-end encryption protects. Oy vey. Check out our show notes to read this terrible article for yourself. And let’s hope news organizations like Bloomberg learn that click-bait articles like this one are dangerous and don’t help anyone stay more secure.
In breaking news last week, San Francisco became the first city in the US to ban the use of facial recognition by police and several other local government agencies. Facial recognition has been used by police and other law enforcement for over a decade now but more recently this technology has come under great scrutiny because of privacy concerns as well as the risk of government abuse. Not only that, but there is concern about facial recognition technology not having a 100% success rate, meaning, there is a risk of people being falsely identified if law enforcement was using this technology, in say an investigation.
As I’ve mentioned on previous episodes of this podcast, US Customs and Border Protection has been using facial recognition at airports and ports of entry for the last several weeks. There is some good news: there seem to be ways to opt out of facial recognition if you don’t want your face scanned, but reports say that if you’re not a US citizen you can’t opt out. Now, not being able to opt out is one thing, but what’s really fascinating is that this technology has become so common that even our personal devices have it installed by default. For example, you can use Face ID to unlock your iPhone or log in to your Windows PC using Windows Hello. While there is less of a privacy concern there, since these are devices we own and control, the bigger concern is larger surveillance situations, like large public areas using facial recognition, where we all unwillingly become a subject and potential suspect and it becomes impossible to opt out. So have we gotten to the point where we have no choice but to trade our privacy for mass surveillance using a technology which isn’t 100% accurate? I think San Francisco is on to something; let’s see if other US cities follow suit.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Late last week Microsoft took the unusual step of releasing several critical security updates for out-of-support operating systems like Windows Server 2003 and Windows XP. Updates were also issued for Windows Server 2008 and Windows 7, which are still supported by Microsoft. The update fixes a critical remote code execution vulnerability in Remote Desktop Services, known back in the day as Terminal Services. This particular vulnerability requires no user interaction and is ‘wormable’, meaning that if malware were to exploit it, it could easily spread to other systems that are also vulnerable. You may remember that back in 2017 the WannaCry ransomware spread in a similar fashion using the “EternalBlue” exploit that was developed by the NSA. That exploit was leaked by the Shadow Brokers hacking group, which published several hacking tools and zero-day exploits taken from the NSA.
The bottom line here is that hopefully all of you listening to this podcast are no longer using ancient and outdated operating systems like Windows XP. However, the reality is that these systems are still in use. In 2017 when WannaCry was released it was estimated that over 200,000 Windows XP computers across 150 countries were infected. Just recently I saw people posting pictures on Twitter showing Windows XP being used in a dentist’s office, in hospitals, and on other systems like digital signs at airports. Now, older systems in the healthcare industry are actually pretty common. There is always the attitude of “if it’s not broke, why fix it”, and these systems may not be connected to a network or the Internet, as they may just run a unique type of software for a medical device. Still, businesses and consumers alike need to upgrade or decommission older systems like these, because history shows us that the longer they stay in use, the more vulnerable they become.

May 13, 2019 • 8min
Israel Cyber-Attack Bombing, New Google Privacy Settings, Traditional Mail Blackmail Scam
This is your Shared Security Weekly Blaze for May 13th 2019 with your host, Tom Eston. In this week’s episode: Israel bombs a building in retaliation for a cyber-attack, Google adds more privacy settings, and a new blackmail scam that uses traditional mail.
In breaking news last week it was reported that the Israeli Defense Force, also known as the IDF, launched an airstrike on the Palestinian Hamas military intelligence headquarters, which apparently was the source of an attempted cyber-attack directed at Israeli targets. The IDF on Twitter said, quote, “We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed,” end quote. No further information or statement from the IDF has since been released.
All I can say is, that escalated quickly, and this is the first time I’ve heard of an actual real-time military strike in response to a cyber-attack. Now the US has done similar attacks in the past, using drones to target an ISIS hacker in 2015 and a British citizen who leaked information about US personnel online. However, those two attacks seemed to be planned out well in advance and were not an immediate response like the one just carried out by Israel.
Now whether you agree with this response or not, it does set an interesting precedent that cyber-attacks could result in a military response especially between two nation states. I don’t know if we’ll see anything like this happen between two major superpowers like the US and Russia, even though there is apparently a lot of evidence that Russia has conducted cyber-attacks on the US. This is, of course, according to the US intelligence community. Now just remember folks, attribution is hard.
In a surprise move last week, Google announced that it will be rolling out a feature that will allow users to delete some activity data like location history as well as web and app activity. Google users can also choose if they want this activity data saved for either 3 or 18 months, after which any old data will automatically be removed on a continual basis. Not going away is the current ability to manually delete your location history and app activity data.
Now we all know that Google uses your data to recommend things like ads based on your search queries and all the data you give the different Google products you use. Given the recent privacy uprising over Facebook, and even Google’s own grilling by Congress over its user location tracking and data practices back in March, it should be no surprise that Google is now backtracking and finally allowing users more control over their data.
I know it’s hard to remove yourself from Google services, especially ones like Gmail and Google Search, which are in fact probably the best email and search engines out there. Sure, there are alternatives that we’ve talked about on the podcast, but with the increasing concern over how large tech giants like Google are using our data while not giving us a lot of control over it, are you ready to kick Google to the curb? Or do you think Google is starting to change because of the new pressure governments and all of us users are putting on them?
This past week I was made aware of a local news story about letters being sent to residents of a neighboring community which attempted to blackmail people for bitcoin. The letters, which came in stamped envelopes with no return address, carried the message that the sender had been working a job around your area and stumbled across your misadventures. The lengthy letter goes on to say that there are only two options: you can either choose to ignore the letter, in which case your wife and all of your friends and neighbors would become aware of your misdeeds, or you pay $20,600 in bitcoin as a “confidentiality fee”. Check out our show notes to read this very entertaining letter, but based on the details, it seems that these victims may have been specifically targeted based on their age and location. Now some of the details, like names and addresses in the letter, were removed, but even with some bad grammar in the letter it still leads me to believe that publicly available information gathered through Open Source Intelligence techniques was used to target these individuals. I would also suspect that this is a scammer from outside of the local area, possibly overseas and not in the US.
I typically talk about computer- or phone-based scams on the podcast, but this one uses the regular mail and reminds me of one several years ago where scammers were leaving blackmail letters like this one on people’s car windows. This is just another example showing that scams like these can show up in many different non-technology formats, not just email.

May 6, 2019 • 9min
The End of Password Expiration Policies, Seat-Back Cameras on Airplanes, Unknown Data Breach
This is your Shared Security Weekly Blaze for May 6th 2019 with your host, Tom Eston. In this week’s episode: Is this the end of password expiration policies, are there cameras recording you on an airplane, and the unknown data breach exposing 80 million records.
Last week Microsoft came out and admitted that password expiration policies are essentially useless, saying these requirements are “an ancient and obsolete mitigation of very low value”. In a blog post about updated security baseline settings for Windows 10 and Windows Server, Microsoft says that password expiration policies really don’t provide additional security. Microsoft says that “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem”. Now this doesn’t mean that password expirations are going away anytime soon, but with regard to the Microsoft security baseline it means that if an organization uses this baseline, password expiration will be optional and not enforced. The current recommendation in the industry is to use blacklists of banned passwords, implement multi-factor authentication, and detect password guessing attempts.
I can say that for once I actually agree with Microsoft here. Password expiration is really an outdated practice so it’s good to see Microsoft getting with the times. Be sure to check out our upcoming monthly show where Scott and I delve deeper into this topic. In the meantime, let’s see how many organizations follow this sound advice from Microsoft.
In related news, the UK’s National Cyber Security Centre released an analysis of the 100,000 most common passwords from recent data breaches and hacking campaigns. The most common passwords consist of ‘123456’ at 23.2 million, ‘123456789’ at 7.7 million, followed by ‘qwerty’, ‘password’, and ‘111111’. My non-scientific analysis tells me that people are just lazy, picking weak passwords like this! Let’s hope that more sites use password blacklists that help prevent users from selecting these really poor passwords.
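The two controls recommended above in place of scheduled expiration, a banned-password list and detection of password-guessing attempts, as an added Python example; this is not code from the podcast, Microsoft’s baseline, or the NCSC. The five-entry banned list is a constructed stand-in for the full NCSC set, the authentication log lines are constructed, and the five-minute window and threshold of five are assumptions. The “one source, many accounts” pattern it flags is what the default-password sweep in the GPS tracker story (episode 88 above) looks like from the defender’s side, while “one account, many failures” is classic brute forcing.

```python
"""Banned-password check plus password-guessing detection (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed stand-in for a real banned list (NCSC top 100k, HIBP, etc.).
BANNED_PASSWORDS = {"123456", "123456789", "qwerty", "password", "111111"}


def normalize(pw: str) -> str:
    """Canonicalise trivial variants so 'Qwerty2019!!' hits the 'qwerty' entry:
    lower-case and strip trailing digits/punctuation users bolt on."""
    return pw.lower().rstrip("0123456789!@#$%^&*.")


def check_password(candidate: str, banned=BANNED_PASSWORDS, min_len: int = 12) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if candidate in banned or normalize(candidate) in banned:
        reasons.append("appears on the banned-password list")
    return reasons


# Constructed auth log: one source sweeping five accounts, one account hammered
# from one source, and a user who mistypes once and then succeeds.
AUTH_LOG = """\
2019-05-06T09:00:01 login=alice src=203.0.113.5 result=failure
2019-05-06T09:00:03 login=bob src=203.0.113.5 result=failure
2019-05-06T09:00:05 login=carol src=203.0.113.5 result=failure
2019-05-06T09:00:07 login=dave src=203.0.113.5 result=failure
2019-05-06T09:00:09 login=erin src=203.0.113.5 result=failure
2019-05-06T09:01:00 login=admin src=198.51.100.7 result=failure
2019-05-06T09:01:10 login=admin src=198.51.100.7 result=failure
2019-05-06T09:01:20 login=admin src=198.51.100.7 result=failure
2019-05-06T09:01:30 login=admin src=198.51.100.7 result=failure
2019-05-06T09:01:40 login=admin src=198.51.100.7 result=failure
2019-05-06T09:01:50 login=admin src=198.51.100.7 result=failure
2019-05-06T09:02:00 login=frank src=192.0.2.10 result=failure
2019-05-06T09:02:05 login=frank src=192.0.2.10 result=success
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def max_in_window(events: List[Dict[str, object]], window: timedelta) -> int:
    """Largest number of events falling inside any sliding window of `window`."""
    times = sorted(e["ts"] for e in events)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:   # drop events older than the window
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_guessing(events, window=timedelta(minutes=5), threshold=5) -> List[Tuple[str, str]]:
    """Flag (kind, subject) pairs: 'spray' when one source fails against many
    distinct accounts, 'brute_force' when one account collects many failures."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        by_src[e["src"]].append(e)
        by_user[e["login"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        distinct_accounts = len({e["login"] for e in evs})
        if max_in_window(evs, window) >= threshold and distinct_accounts >= threshold:
            alerts.append(("spray", src))
    for user, evs in by_user.items():
        if max_in_window(evs, window) >= threshold:
            alerts.append(("brute_force", user))
    return alerts


if __name__ == "__main__":
    for pw in ("123456", "Qwerty2019!!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "accepted")
    print(detect_guessing(parse_log(AUTH_LOG)))
```

The normalisation step matters because a literal list lookup misses the ‘Password1!’-style variants users reach for once the bare word is rejected; the detection side keys on both source and account so that a sweep of default credentials across many user names is caught even though each individual account sees only one failure.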
If you fly United, Delta, or American Airlines, have you recently noticed that there is now a sticker over what looks to be a camera on the entertainment system on the back of seats? If so, this is because of recent privacy complaints from passengers thinking that these cameras were recording them on the airplane. United told BuzzFeed News that the cameras were never activated and were installed by the manufacturer for possible future applications such as video conferencing. As an additional measure all three airlines decided to put stickers on these cameras to alleviate any customer privacy concerns.
You may remember that back in February a photo of a camera on a Singapore Airlines entertainment system went viral on Twitter and caused quite the privacy controversy. On top of that there has been a more recent concern over the use of facial recognition technology being used by Delta, JetBlue and other airlines to replace boarding passes. These new systems are being tested out by US Customs and Border Protection right now at certain airports to further screen passengers by matching the picture taken of you to your passport photo. In most cases you can opt-out of these scans but for non-US citizens traveling to or from the US you may not be able to opt-out.
Security researchers from vpnMentor discovered an unprotected database that included identifying information on more than 80 million US households. Apparently, a 24 gigabyte database was found on a Microsoft cloud server that contained household records including full names, marital status, income bracket, age, address, date of birth and, most concerning, the latitude and longitude of their exact location. In a blog post last week vpnMentor asked for the public’s help to identify the company this database belonged to. To me this was a little confusing, since the IP address belonged to Microsoft’s cloud service and obviously Microsoft would know the person or company hosting this database. Microsoft did release a statement saying that “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured”. Still, no owner of the data itself has been identified or released. What’s also interesting about the data is that it only lists adults aged 40 or older. This means that if this data was already accessed by scammers, more older adults in the US may be targeted with ransomware and other phishing attacks. As I’ve mentioned on the show before, the elderly are frequent targets for these types of attacks. Oh, and I’m in my 40s but would not consider myself or others my age elderly! But I think you get my point.

Apr 29, 2019 • 16min
All about VPNs with Gaya Polat from vpnMentor
Tom Eston: Joining me on the podcast to discuss VPNs is Gaya Polat from vpnMentor. Welcome, Gaya.
Gaya Polat: Hello.
Tom Eston: Alright. So first question about VPNs is, maybe for our audience that may not be familiar with VPNs, what is a VPN and why should someone use one?
Gaya Polat: VPN stands for virtual private network. It is a tool that routes your online information through a specialized service. What this means is that it routes your traffic and then encrypts your data. So by doing so, VPNs hide your online activity and protect you from the many dangers on the web, whether it’s hackers, data selling, identity theft, and more. So using a VPN keeps your online activity private and safe, therefore it minimizes the chance that you’ll be hacked. But there are other reasons people use VPNs. One of the more common reasons people have been using VPNs is to access geo-blocked content. And the way a lot of content online works, let’s say Netflix or Hulu, they have different catalogs for different countries and places. So if you’re an American, for example, who now is spending a semester in England or anywhere else, you’re gonna see that your Netflix catalog has changed. So a lot of people have been using VPNs to access content that is blocked.
Gaya Polat: Another very popular reason people have been using VPNs is, sports fans have found VPNs to be quite useful, because a lot of the times, like let’s say you want to watch a certain UFC fight on pay-per-view, it can cost around $80, but there’s a very likely chance that somewhere in a different country, let’s say the United Kingdom, France, or Canada even, you can watch the game on a regular cable channel. So by using a VPN, you can access that quite freely, and before every important boxing or UFC match, you can… We tell you the best way by using a VPN to watch the game or the fight. There’s also a different segment of people who use VPNs because they want to overcome their local censorship laws. Sadly, some countries don’t have free internet and free online access, and they simply need a VPN to use. For example, in Turkey, Wikipedia is blocked. So whenever someone from Turkey wants to access, say, Wikipedia, they need to use a VPN. In Russia, almost all online social media is blocked. So we see a lot of users from Russia. That is it. Yeah. Those are I think the main reasons people use VPNs.
Tom Eston: Yeah, that’s great. Lots of good things, especially if you’re in a country that may be censored, like you said, or access to different types of entertainment content that may not be available in your region or region of the world. And of course user privacy which is definitely a big one. So having said that, with all the great use cases for a VPN, what are some of the disadvantages that come with using a VPN?
Gaya Polat: So first of all, as you said, there are a lot of advantages to using a VPN, but it’s not a magic potion that you can use and everything will be great. For example, it will not protect you from phishing scams or having your personal data leaked in certain cases. For example, if you entered your personal information to Facebook and that is hacked, even if you use the best VPN, that will not save your private information.
Gaya Polat: There is also an issue with speeds, because by default, what a VPN does, as I said, is that it routes your internet data through a different server. So that means that by using a different server, it can add a bit of lag time to your speed. So when you choose a VPN, you want to choose a VPN that has servers in a lot of countries and a lot of servers. The more servers it has, the more the usage of the different servers will be spread out, so there will be sort of less traffic. If you want, you can see on our website the different VPNs and the servers they have and the different speeds. But generally speaking, the top brands all have a lot of servers.
Gaya Polat: And another thing that can be a big disadvantage when using a VPN has to do… If you torrent copyrighted content, then you need to make sure that the VPN you use does not keep logs, because in some countries, like let’s say the US, your ISP can be required to give your information if it is asked when turned in. And if the VPN keeps logs, then it has to give your information to the ISP. So if you’re using torrent websites, then you need to make sure, absolutely make sure, as it could get you in a lot of hot water.
[chuckle]
Gaya Polat: And the last thing to know about VPN usage is that some sites block users using a VPN. So, this is especially true if you want to access your bank account. And then they can sometimes block it to prevent foreign people accessing your bank account. So, this can sometimes be a nuisance or something that is very annoying, to have to disconnect to connect to certain websites, but those are the big disadvantages.
Tom Eston: So, what should someone look for when choosing a really good VPN, especially when we’re talking about protecting activities or protecting their privacy?
Gaya Polat: So that’s a great question. The most important thing is to skip free VPNs, because as you can imagine, if a company spends money hosting a large and broad server system, it’s quite expensive. It will cost them a lot of money. So as we found out with Facebook and Google, when something is given to you for free, there’s a catch. And it’s also true in the VPN world. If they’re giving you great speeds, and servers everywhere and everything for free, then something is wrong there, that’s a red flag. And usually that red flag means that your data is being searched by third parties, which is what we saw, for example, recently with the Onavo project that Facebook used. It was basically a VPN program that Facebook used to get all the data about how people were using the Internet and use it as a research tool. So that is one thing.
Gaya Polat: Either it sells, sometimes, we have seen with some VPNs that were free, that were tools used by the Chinese government to track their own citizens and how they were using the internet, or that were being used for malware or other hacks. So generally speaking, you would want to stay away from free VPNs. And what else you would want is you want to make sure, as I said before, that it has a no-logs policy. So, a no-logs policy means that the VPN doesn’t log, doesn’t track, doesn’t keep any history of your information. So that’s basically why you want to use a VPN, as you said, for privacy. So you want to make sure that it’s actually private and nothing is kept. And the other thing you would want is basically, you would want to have a VPN that uses AES-256, that’s the current state-of-the-art encryption protocol. It’s considered military-grade encryption, so that is one you want to keep.
Gaya Polat: And another thing, a lot of people, like your money, you want your privacy and activities to be hidden somewhere remote, way outside the jurisdiction of countries like the US, where it can’t be touched. So it’s the same for VPNs. You want a VPN server based in privacy havens like the British Virgin Islands, or Panama. And this is because a lot of countries like US, Canada, Australia, they have a data sharing agreement, which means that they can share your data with other countries. So you want to make sure your VPN is located in one of those privacy or tax havens. And generally speaking, the top brands in the VPN world are based in the British Virgin Islands or Panama. Two top brands that are based in those countries are ExpressVPN and Nord, but on our website, we have the list about where is each VPN based and you can look.
Gaya Polat: Yeah. I think those are some of the… As I said before, you want to make sure that it has a big server network, especially if you want it for content, for example, then you have to make sure that you have servers in the country whose content you want to access. And so if you want to access the BBC from the United States, then obviously you need to make sure the VPN that you choose has servers in England, for example.
Tom Eston: So does vpnMentor provide a list of recommended VPNs based on your research?
Gaya Polat: Yes. So we do VPN studies and also a YouTube channel that we are dedicating to promoting online privacy and security. And we continuously check the top VPNs, make sure that what they say they do, they actually do. And just recently, we checked several popular VPNs for DNS leaks, which basically means that they do not leak your IP address. And quite surprisingly, we found that three of the top brands, the most popular brands, have been leaking the IP addresses of users. You can see the full report on their website. And so, yeah, we always check all these VPNs, make sure that they would give you top speeds, and we look at their privacy policy, their no-logs policy. You know, basically, we give you a recommendation: if you want to use a VPN for torrenting, those are the ones we tested that have a true no-logs policy; if you want to use it for Netflix, Hulu, whatever, those are the best VPNs.
Tom Eston: Yeah. And we’ll have links in the show notes for more information on vpnMentor and how to see those reviews of the top VPNs. I think that’s really important. And I like the phrase of, “Not all good things are free. You kind of get what you pay for.” [chuckle] I think that’s a…
Gaya Polat: Yeah, exactly. I think we’ve learned that everywhere you look. I think Milton Friedman was the first person to say, “There’s no such thing as a free lunch.”
Tom Eston: That’s right.
Gaya Polat: I think everywhere we look, every part, it’s always the same. If there’s something you get for free, then there’s some trade-off. Some free VPNs are okay to use. We have a list on the website, but then either they would limit your data, which means you would not be able to use it for streaming, for example, or you get to watch ads, but there’s no perfect VPN, as there is nothing for free. There’s like… Which is very sad for maybe our bank accounts. [chuckle]
Tom Eston: Yeah, that’s right. Well, thank you very much for coming on the show, Gaya.
Gaya Polat: Thank you. It was a pleasure coming. Thank you very much for having me.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post All about VPN’s with Gaya Polat from vpnMentor appeared first on Shared Security Podcast.

Apr 25, 2019 • 47min
The State of Cybersecurity Training and Certifications with Kevin Johnson
In episode 87 of our monthly show, frequent guest Kevin Johnson joins us to discuss the current state of cybersecurity training and certifications. If you’re currently in the industry or pursuing a career in cybersecurity this is one episode not to miss! Tom and Kevin cover the following topics:
What’s the state of training and certifications in our industry?
Why is some training so expensive?
How did we get here?
What’s the biggest challenge we face?
What should we look for in a training provider and are certifications really worth it?
What certifications are valuable?
We also discuss the recent incident in which Kevin’s training provider was compromised a few weeks ago. Kevin talks about the way they handled the incident, how they disclosed it to the public, and the right way to handle a data breach and incident. Full write-up of the incident that we mention on the show: https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html
This episode was also streamed live over Twitch and YouTube Live! Be sure to subscribe to us on Twitch and YouTube to catch the next live episode.
Special thanks to Kevin Johnson for being our guest. It’s always a pleasure to have Kevin on the show!
The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks.
The post The State of Cybersecurity Training and Certifications with Kevin Johnson appeared first on Shared Security Podcast.