

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Apr 22, 2019 • 8min
Microsoft Email Hacked, Instagram Nasty List Phishing Scam, Facebook Third-Party Data Deals
This is your Shared Security Weekly Blaze for April 22nd 2019 with your host, Tom Eston. In this week’s episode: Microsoft email services hacked, the Instagram “Nasty List” phishing scam, and Facebook’s attempted deals to sell your data.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Microsoft was in the hot seat this past week with the announcement that email services on Outlook.com, MSN, and Hotmail were breached from January to late March this year. This breach was due to the compromise of a support agent’s privileged credentials, most likely through a targeted social engineering attack. The attackers apparently had access to email addresses, subject lines, names of people within conversations, and custom folder names. Accounts affected were only free consumer accounts and not accounts that businesses pay for. According to Motherboard, who broke the story, Microsoft has confirmed the breach and has sent breach notification emails to customers that have been affected, but didn’t say how many users were impacted by the breach. Other details show that the source used for the Motherboard story noted that the attacker appeared to have used this access for what are called “iCloud unlocks”. This is where attackers compromise a victim’s email or iCloud account to remove Apple’s ‘Activation Lock’ from a stolen iPhone. This security feature was implemented to prevent thieves from resetting stolen iPhones and selling them.
My take is that this is one of those attacks that, as users, is very hard, if not impossible, to prevent. Even if you secure your account with multi-factor authentication, you’re still at the mercy of Microsoft and the administrators that may have their credentials compromised. In these cases, it comes down to how quickly a company can respond to a breach to limit impact to its customers.
Have you been receiving strange messages on Instagram from your followers about you being on something called the “Nasty List”? If so, the message is actually a massive phishing campaign that is being spread through hacked Instagram accounts. The message will say something like quote “OMG your actually on here, @TheNastyList_(some number), your number is 15! Its really messed up” end quote. Grammar Nazis, your first clue that this is a scam is the spelling of “your” which should be “you’re”. Unless, of course, your friends naturally have bad grammar. Now if you visit the profile you will see an interesting URL in the profile link which will, you guessed it, take you to a fake Instagram login page. If you happen to enter your Instagram credentials, you’ll be hacked yourself and your account will then become another zombie sending out the same message to your followers. For more details on this scam check out the link in our show notes for a great article from Bleeping Computer.
Hopefully, as a listener of this podcast, you didn’t fall for this scam, but if you did, change your password, re-edit your profile, and profusely apologize to your followers that you were hacked.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
I think I’m starting to sound like a broken record here but surprise, surprise, Facebook was in the news once again this week when NBC News reported that Facebook CEO Mark Zuckerberg once considered making deals with third-party developers to find out how much users’ data might actually be worth. In the report over 4,000 leaked pages of internal Facebook documents show that there were potentially 100 deals with third-party app developers for selling them access to Facebook user data. Zuckerberg reportedly even said that these deals would help decide the “real market value” of Facebook user data and help set a “public rate” for developers.
This recent reveal of information comes from a court case in California between Facebook and a company called Six4Three. This company created a creepy app called “Pikinis” which allowed users to find pictures of people in bikinis and swimsuits. This app was shut down in 2015 once Facebook changed its data sharing policies with developers, which is what spurred the lawsuit from Six4Three. Facebook, of course, says that this information only tells one side of the story and that it has never sold user data. Regardless, this is yet another example that shows Facebook has always looked for ways to monetize the massive amount of data that they hold on all of us.
Oh, and if that wasn’t enough, last Thursday Facebook confirmed that it “unintentionally” uploaded email contacts belonging to 1.5 million new users without their knowledge since May of 2016. All I’ll say is, it’s not a great time to be Facebook or a user of Facebook.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Apr 15, 2019 • 8min
Amazon Echo Recording Controversy, New Mobile Phone Scam, Hotels Leaking Data
This is your Shared Security Weekly Blaze for April 15th 2019 with your host, Tom Eston. In this week’s episode: Amazon Echo’s recording controversy, a new mobile phone scam, and hotels leaking your private information.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
In late breaking news last week, it was reported by Bloomberg that Amazon employs thousands of workers to listen to what customers say to Amazon Echo devices. According to the report, workers can listen to as many as 1,000 audio clips in 9-hour work shifts. Apparently, workers listen to audio clips that are “mundane” and even sometimes “possibly criminal”. Amazon responded to the report by saying that it only annotates an “extremely small number of interactions from a random set of customers” and that it uses “requests to Alexa to train our speech recognition and natural language understanding systems”. While Amazon employees don’t have access to names or addresses of customers, they do have access to the Amazon account number and device serial number. Amazon further clarified that no audio is stored unless the wake word is used to activate the Alexa-enabled device.
While you can go into the Alexa app to view the privacy configuration of your Echo device and individually delete audio clips, there currently is no way to completely opt out of recording altogether. The only option available is to disable the use of recordings for the development of new features. However, it’s reported that Amazon may still have recordings analyzed by hand through an occasional review process.
A new scam, where someone calls asking for your mobile carrier’s verification code, has been making the rounds. The way it works is that you’ll receive an email which looks like it’s come from your mobile carrier, like Verizon, with a message saying that fraud has been found on your account and you need to call the number noted in the email immediately. If you call the number, the scammer will say they need the verification PIN that you set up with the carrier to verify your account. Once you do that, the scammer will reset your password and make themselves the “primary” account user. After that, the scammer will have full access to potentially buy devices at your carrier’s store as well as hijack your phone number to reset two-factor authentication on other critical accounts. In two recent cases that took place in Florida, scammers attempted to purchase several brand new phones from a Verizon store using this scam. Fortunately, police showed up at the store to arrest the perpetrators after being alerted by Verizon that something wasn’t quite right.
So what can you do to prevent becoming a victim of a scam like this? First, even with the threat of phishing and social engineering, you should always have a PIN, also known as a “port validation” code, set up through your mobile carrier. See our show notes for a great guide on how to do this as each company has a different procedure. Also note, you should ensure that this passcode or PIN is unique and different from any other passcode or PIN that may be in use with your mobile carrier. Lastly, if you receive an email or phone call from someone that says they are from your mobile carrier, hang up. You’re not going to be contacted over the phone like this, and if you are concerned about fraud or want to find out whether a request is legitimate or not, it’s best to just give your mobile carrier a call yourself.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
New research from Symantec shows that hotels are leaking detailed guest reservation data to different types of third-party advertisers, websites and data aggregators. Registration information can include everything from name, address, and phone numbers to passport number and the last four digits of credit card numbers. Symantec’s research data comes from more than 1,500 hotels in 54 countries, of which 67% were leaking this data through the booking reservation code, which is typically distributed through a link that allows anyone to view reservation data without logging in to a hotel account. The other problem here is that these same emails contain additional content that loads ads within the booking email. This content was found to share the hotel booking code with more than 30 different third parties, and in many cases the code was transmitted over unencrypted HTTP.
While there may be no indication that personal data was compromised here, it does show that hotel chains need to review the security of how a hotel booking number is used within these emails. It also creates a very large problem for the hotel industry, specifically for hotels that may be operating in Europe or the State of California, due to GDPR and the California Consumer Privacy Act. Unfortunately, this is yet another example of third-party companies mishandling our private data.
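One way a hotel’s security team could audit its own confirmation emails for the leak Symantec describes above. This is an added example, not code from the podcast or from Symantec’s research; the email body, the booking reference “ABC123” and the hotel and ad-network domains are constructed for illustration.

```python
"""Audit a hotel confirmation email for booking references leaked to third parties.

Given the raw HTML of a confirmation email and the booking reference it contains,
list every link, image or script URL that carries that reference to a host other
than the hotel's own domain, and flag those that do so over plain HTTP.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample email: a "view reservation" link that needs no login,
# plus ad pixels and a tracking script that echo the booking code.
SAMPLE_EMAIL = """
<html><body>
<p>Thanks for booking! Reference: <b>ABC123</b></p>
<a href="https://www.example-hotel.test/reservation?ref=ABC123">View your reservation</a>
<img src="http://ads.example-adnet.test/pixel.gif?booking=ABC123&amp;u=42">
<img src="https://cdn.example-hotel.test/logo.png">
<script src="http://track.example-analytics.test/t.js?r=ABC123"></script>
<a href="https://www.example-partner.test/offers/ABC123">Special offers</a>
</body></html>
"""


class UrlCollector(HTMLParser):
    """Collect every href/src attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def _carries_reference(url, ref):
    """True if the booking reference appears in the URL path or in any query value."""
    parts = urlsplit(url)
    if ref in parts.path:
        return True
    return any(ref in values for values in parse_qs(parts.query).values())


def find_leaks(html, booking_ref, own_domain):
    """Return [(url, host, is_plain_http)] for every off-domain URL carrying the reference.

    Links to the hotel's own domain (and its subdomains) are expected to carry the
    code and are skipped; everything else that embeds it is reported as a leak.
    """
    collector = UrlCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host or host == own_domain or host.endswith("." + own_domain):
            continue
        if _carries_reference(url, booking_ref):
            leaks.append((url, host, parts.scheme == "http"))
    return leaks


if __name__ == "__main__":
    for url, host, plain in find_leaks(SAMPLE_EMAIL, "ABC123", "example-hotel.test"):
        print(("HTTP  " if plain else "HTTPS ") + host + "  " + url)
```

Running it against the sample reports the ad pixel, the tracking script and the partner link as leaks, the first two over plain HTTP.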
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Apr 8, 2019 • 10min
Facebook’s Bad Week, Stalkerware, Tax Season Scams
This is your Shared Security Weekly Blaze for April 8th 2019 with your host, Tom Eston. In this week’s episode: Facebook’s very bad week, Stalkerware on the rise, and tax season scams.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I know you’ll be shocked to hear this, but Facebook had yet another painful week of data breaches and controversy. First was the announcement that over 540 million Facebook user records and associated data were found unsecured on two Amazon AWS servers discovered earlier in the year by cybersecurity firm UpGuard. The first server, belonging to a company called Cultura Colectiva, which is a Mexico-based media platform, had the majority of the exposed data, containing usernames, Facebook IDs, comments, likes, and other data that may have been used for social media analytics. The second server had data from a Facebook game called “At the Pool” which had details such as Facebook ID, friends list, likes, photos, groups, check-ins, user interests, and of course 22,000 passwords. The passwords were apparently only for the game account and not the Facebook login; however, we all know that most people reuse passwords across the sites and services that they use. Both servers are now locked down after quite the ordeal noted by UpGuard in their incident report, which we’ll have linked in our show notes. This particular breach shows one of the many problems that Facebook has had with all the data that third-party app developers have been collecting over the years. Just like the Cambridge Analytica scandal, it’s nearly impossible for Facebook to oversee and regulate the security of user data that leaves the Facebook Platform.
The second Facebook story that made the news last week was how Facebook is asking some new users to provide the password to their email account. Apparently, if you happen to use an email account from some email service providers like Yandex and GMX, you’ll be prompted to enter your email account password to confirm your email address. Once you do that, a pop-up appears stating that Facebook is importing your email contacts, without any authorization by the user to do so. According to the report from Business Insider, Facebook stated that this “feature” is being discontinued, but in the meantime it’s set off groups like the Electronic Frontier Foundation, which said that this “feature” is indistinguishable from a phishing attack, which will also ask you to enter passwords to verify who you say you are.
According to anti-virus company Kaspersky over 58,000 Android users had “stalkerware” installed on their phones last year. 35,000 out of this number had no idea that they had stalkerware installed on their device until they installed Kaspersky’s mobile antivirus product.
Stalkerware, also known as spouseware or legal spyware, is sold by various companies under the guise of an easy way to monitor your child’s activities or track employee device usage. In reality, most of these apps are being used maliciously, and having these apps installed means that someone has had physical access to your device, as the majority of these apps require someone to install the application manually, mostly because these apps require the device to be “jailbroken” or “rooted” so that the app can be installed. Last year, on episode 40 of the Weekly Blaze, we recorded an entire podcast about stalker apps and spyware, which I encourage you to check out. This episode goes into more detail on how these apps work and what to look for if you suspect one of these apps is installed on your mobile device or laptop.
In related news, Kaspersky has said that they will now start alerting Android users who have their antivirus product whenever a stalkerware app is installed on the user’s device. This push by Kaspersky was initiated by Eva Galperin, head of the Electronic Frontier Foundation’s Threat Lab, who is spearheading a push in the cybersecurity industry to finally take the threat of stalkerware seriously. In her list of demands she’s asking antivirus companies to start detecting and alerting on these types of apps, asking Apple to allow antivirus apps in their app store (Apple currently does not allow this), to have Apple alert and detect when an Apple device is jailbroken or rooted, and to have more state and federal officials start filing charges against executives of stalkerware companies for hacking.
My take is that it’s great to see at least one antivirus company doing something about the threat of stalkerware and with the EFF and people like Eva Galperin, perhaps we’ll see positive changes in the months to come.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Guess what season it is? It may be Spring in the United States but it’s also tax season, which means it’s time to be aware of common phishing and scam tactics that may target you while you file your taxes. In fact, it’s so bad this year that the IRS recently released their “dirty dozen” in which they’ve detailed the top tax fraud scams of the year. Check our show notes for a link to the full list, but it should be no surprise that phishing scams come in at number one. Things to look out for include emails posing as the IRS promising a big refund, or threatening you with arrest if you don’t reply or submit personal or sensitive details about yourself or your finances. In one recent variation, a scammer has already stolen personal data and filed a tax return on the victim’s behalf. The scammer then uses the victim’s own bank account to direct deposit the tax refund and attempts to reclaim the funds by posing as the IRS or someone from a collection agency.
Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. Phone scams are number two in the IRS’s “dirty dozen” this year. These calls will typically ask for personal information, try to convince you to make a tax payment, or threaten you with arrest, just like similar IRS phishing emails. In some calls the scammer can change the caller ID to indicate the IRS is calling or to show a number with the same prefix as yours. Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant and be more aware of phishing and phone scams this tax season, and please let your elderly friends, parents or relatives know about these scams as well. Unfortunately, the elderly are common targets for these types of attacks.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Apr 1, 2019 • 9min
Apple Card, ASUS Live Update Backdoor, Statistics on Malware Attacks
This is your Shared Security Weekly Blaze for April 1st 2019 with your host, Tom Eston. In this week’s episode: Apple’s new privacy focused credit card, the ASUS live update software backdoor, and recent statistics on Malware attacks.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Apple announced last week that it’s partnered with financial firm Goldman Sachs on a new type of credit card which is focused on privacy and security. The credit card, which is called “Apple Card”, is paired with Apple Pay so you can use it like you normally do with your iPhone, but it also includes a traditional physical card made out of titanium, laser-etched, with no visible card number, CVV code, expiration date, or signature on the card itself. Now that credit card has Apple written all over it. In regards to the technology, the credit card number will be stored in the iPhone’s Secure Element chip and all purchases must be authenticated through Touch ID or Face ID. Apple also says that they will not track what you’ve purchased, where you’ve shopped, or how much you’ve paid for purchases, and that Goldman Sachs will not share or sell your data to third-party marketing firms. Other perks include a cash back program on all purchases, no annual fees, and insight into spending habits right on your iPhone. If this all sounds amazing, you may be asking yourself “What’s the catch?”. Well, the Apple Card is still a credit card, so from what we know so far, interest rates will vary between 13 and 24% based on your “creditworthiness”, and any late or missed payments will drive up your interest rate.
My take is that I think it’s great to see Apple making more of their products and services with privacy and security in mind. I think we all give Apple some grief over their sometimes overly aggressive marketing campaigns like they did at CES in Las Vegas this year when they proclaimed on a large billboard “What happens on your iPhone, stays on your iPhone”. But perhaps, now we’re really starting to see Apple put their money where their mouth is.
Computer hardware manufacturer ASUS confirmed that their “live update” tool, which provides firmware updates, drivers, and patches for all of their laptops and other consumer hardware, was compromised by an Advanced Persistent Threat group. This is a great example of what is called a supply chain attack, where a central update repository was compromised to spread malware. ASUS said in their press release that “a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group”. ASUS also stated that it had reached out to affected users and worked with them to ensure any security risks were removed. Kaspersky, which makes anti-virus software, claims it has detected the ASUS supply-chain malware, conveniently named ShadowHammer, on 57,000 computers. Kaspersky says that there may be even more devices that have been affected.
In related news, TechCrunch reports that a security researcher warned ASUS about two months ago that ASUS developers were disclosing passwords within their GitHub code repositories which could be used to access the ASUS corporate network. These repositories were publicly available, and the researcher notes that one of the repositories was a daily release mailbox where automated build notifications were sent. These emails contained the full file path of where drivers and other files were stored on the ASUS internal network. This information, combined with access to this mailbox, could easily have been used for phishing or targeting other developers via social engineering. While there have been no reports of compromised systems, it does show a lack of overall security awareness among ASUS’s developers.
Now in regards to remediation, ASUS says the backdoor has been fixed and that ASUS users should update to the latest version of its “Live Update” software. Do you own an ASUS laptop or other device? If you do, be sure to check out our show notes for a link where you can download a tool from ASUS which will determine if your ASUS system was affected by the backdoor.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
For the third year in a row, malware and in particular ransomware attacks have significantly increased, according to cybersecurity company SonicWall, which analyzed 10.52 million malware attacks in 2018 via the network of one million sensors used by SonicWall’s customers. Other interesting data from SonicWall’s report show that ransomware volume from a global perspective reached 206.4 million attacks in 2018, which is an 11 percent year-over-year increase. This increase has to do with ransomware authors mixing and matching different malware components to create new variants which become harder to block. Ironically, the US in particular had the largest increase in ransomware attacks from last year. From a phishing perspective, SonicWall recorded 26 million attacks and noted a 4.1 percent drop. The reason? Well, attackers seem to be changing their approach by moving towards hiding malware in PDFs as well as Microsoft Office documents and conducting more targeted attacks. You may remember on last week’s podcast I noted that Microsoft Office is the biggest target for cybercriminals, which is why we all need to be more aware of phishing attacks using attachments that may be hiding malware. Check out our show notes to download the full SonicWall report.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Mar 25, 2019 • 9min
Facebook Passwords Exposed, Android Q Privacy, Microsoft Office Targeted
This is your Shared Security Weekly Blaze for March 25th 2019 with your host, Tom Eston. In this week’s episode: Facebook passwords exposed in plain text, Android Q’s new privacy features, and why Microsoft Office is the most popular target for cybercriminals.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I want to mention a correction from last week’s show when I talked about the service called CLEAR. CLEAR does not use Facial Recognition technology, they only use iris or fingerprint biometric scans. And now, on to this week’s news.
In late breaking news last week, Facebook announced that hundreds of millions of its users had their account passwords stored in plain text going all the way back to 2012. Apparently, through an internal security review, Facebook had found these passwords exposed on internal servers. Apps affected include Facebook, Instagram and Facebook Lite, which is a version of Facebook made for underpowered phones and low speed connections.
Famed reporter Brian Krebs from Krebsonsecurity.com said a source at Facebook told him that between 200 and 600 million Facebook users had their passwords stored in plain text and the data was searchable by over 20,000 Facebook employees. The source also said that about 2,000 internal developers made about 9 million queries for information that contained those plain text passwords. Facebook stated that it appears no one outside of Facebook had compromised this data and that (for now) there is no evidence that anyone internally at Facebook accessed or abused anyone’s password.
Now, are you shocked to hear this latest news? If you’re not, how much more can we all take before it’s time to finally delete Facebook from our lives? It seems this is just yet another security and privacy blunder that continues to plague the world’s largest social network on pretty much a weekly basis. Our advice is if you plan on sticking around Facebook, change your Facebook and Instagram password, and if you haven’t already, enable two-factor authentication. In fact, if you have two-factor authentication already enabled on your account, you’re already a step ahead in protecting your Facebook password from potential compromise.
Android users rejoice! Android Q, Google’s new version of Android set to be released this summer, is coming with several new and exciting privacy features. Here’s our take on the top three features. First up is that Android apps can no longer access clipboard data, unless the app is actively being used. This can help prevent malicious apps from gaining access to copied clipboard data like passwords from a password manager. Next, MAC address randomization will be enabled by default. A MAC address is the unique ID that your Wi-Fi and Bluetooth chips installed on your devices use when communicating on a network. This feature was available in Android 6.0 but now will be enabled by default. This feature will also help prevent some data harvesting and tracking used by some third-party app providers. And probably the biggest new privacy feature is having more control over your location data. Android Q will now have a permissions prompt whenever an app wants to use your location data. So now you can give the app access to location data all the time, only when the app is in use, or completely deny the app access to your location data. Check out our show notes for a link to all the new privacy features coming in the upcoming release of Android Q.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
A recent report by threat intelligence firm Recorded Future shows that for the second year in a row, Microsoft was the biggest target for cybercriminals, with 8 of the top 10 vulnerabilities affecting their products. Surprisingly, half of those vulnerabilities were in Microsoft Office, followed by Internet Explorer. Oh, and if you’re still using Internet Explorer, please stop what you’re doing right now and switch to a modern browser like Chrome, Firefox, or even Microsoft Edge. What we’re trying to say is that while web browsers are getting more secure, there are still older browsers, like Internet Explorer, which remain major targets for attackers. Other details worth noting in the report show that the number of new exploit kits, which are typically offered for sale on dark web markets and are used to exploit the top 10 vulnerabilities noted in the report, continued to drop in 2018, falling 50 percent to only five new exploit kits, compared to ten the year before. Lastly, the report shows the progression in 2018 from what are called web exploit kits to more phishing attacks. While many older browsers are still major targets, it’s much easier to use exploits tied to a phishing email, using social engineering tactics to lure victims into clicking a link or running an executable. Microsoft Office is a very popular target, not just because it is the world’s most popular business software, but because people are more susceptible to opening a malicious Word or Excel document, mostly because it’s so common to send those types of attachments over email. Some may say that the best advice is to never click on links or attachments in an email, but that can be really hard to do, especially if you’re in a business environment. It really does come down to compromise and your own personal risk assessment.
We still need to use Microsoft Office and open email attachments so the best advice is to rely on your instinct and remember if an email seems phishy, it probably is.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Facebook Passwords Exposed, Android Q Privacy, Microsoft Office Targeted appeared first on Shared Security Podcast.

Mar 25, 2019 • 34min
Verifications.io Data Breach, Capsizing a Ship with a Cyberattack, World’s Most Dangerous Malware
In episode 86 of our monthly show we discuss Tom’s new garbage service (yep, that’s right) and why taking credit cards by filling out a form and mailing it is never a good idea, the Verifications.io data breach, how a cyberattack could capsize a ship, and the world’s most dangerous malware. This was also the first show we streamed live over Twitch. Be sure to subscribe to us on Twitch to get notified when we’ll be live!
Links to articles mentioned on the show:
Verifications.io data breach
How a cyberattack can capsize a ship
Triton is the world’s most murderous malware, and it’s spreading
The Shared Security Podcast sponsored by Silent Pocket and Edgewise Networks.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.
The post Verifications.io Data Breach, Capsizing a Ship with a Cyberattack, World’s Most Dangerous Malware appeared first on Shared Security Podcast.

Mar 18, 2019 • 10min
Equifax and Marriott Data Breach Updates, Facial Recognition at the Airport, Citrix Password Spraying Attack
** Correction about CLEAR as noted in this episode of the podcast. CLEAR does not use Facial Recognition technology, only iris or fingerprint biometric scans **
This is your Shared Security Weekly Blaze for March 18th 2019 with your host, Tom Eston. In this week’s episode: Equifax and Marriott data breach updates, facial recognition coming to 20 US airports, and the Citrix password spraying attack.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
In data breach news, Equifax CEO Mark Begor and Marriott CEO Arne Sorenson appeared before a US Senate subcommittee to testify regarding the data breaches that both companies have suffered. While no new information was revealed about the Equifax breach (just the committee grilling Equifax’s CEO on the security controls and investments in security that they’ve put in place), several more technical details about the Marriott breach were revealed. In September of last year, Accenture, who managed the Starwood Guest Reservation Database, contacted Marriott’s IT team about a strange query from a legitimate administrator account. Marriott discovered that these credentials were stolen and began an investigation. Investigators first found a remote access trojan being used as well as a tool to reveal usernames and passwords in memory called Mimikatz. Investigators finally found two encrypted files that were deleted and then recovered. These two files were removed from the Starwood network on November 13th of last year. Shortly after, investigators were able to decrypt these files to show what type of data was stolen. Even though 383 million guest records were accessed, the good news was that the 9.1 million credit card numbers in the stolen data were encrypted and there has been no evidence to indicate that the master encryption keys to decrypt the card data were accessed. Marriott also said that they have not received any claims of loss from fraud from the incident. This is quite surprising, given that attackers had been inside the Starwood network for at least 4 years, since 2014, well before Marriott acquired the hotel chain.
In other Equifax news, famed reporter Brian Krebs reports that even if you already froze your credit files through Equifax after their data breach and were issued a PIN code, it still may be possible for an attacker to bypass your PIN and lift an existing credit freeze with just your name, social security number and birthday. Check out the link in our show notes to read the full article on this rather disturbing development.
US Customs and Border Protection (or CBP) is beginning to implement facial-recognition technology at 20 airports across the US. These new systems will be used to verify the identities of passengers entering and exiting the country. The plan is to have this system in place across all US airports by 2020. The technology will measure what are called facial landmarks, such as the distance between the eyes or from the forehead to the chin, and match that data to passport photos stored in a database. You might be surprised to hear this, but similar commercial facial-recognition systems are already in use at many airports. For example, Delta has a “curb-to-gate” facial recognition system for international travelers at Atlanta International Airport, and other airlines like JetBlue, British Airways, and Lufthansa are running similar pilot programs of their own. You may have also seen a third-party service called “Clear” at over 27 US airports, which offers kiosks that use iris or fingerprint biometric scans. Clear allows you to basically jump to the front of the security screening line, and includes a bunch of other airline-specific perks, which can significantly decrease the time it takes to get through airport security. The issue with Clear is that it comes at a cost of about $15 a month.
Facial-recognition technology seems to be implemented faster than we can understand the privacy ramifications. In a lot of ways, we’re starting to see the beginnings of a government-funded massive surveillance network, now tied into the passport system, which has the potential to expand even outside of the airport. It’s also important to note that there are no laws that govern the use of facial recognition. Yet the government is happy to roll this technology out, all in the name of your security. Third parties like Clear now make millions of dollars in this new business model of paying money in order to trade our privacy for extra convenience, just so we don’t have to wait in line like everyone else. I hate to say this, but it’s not going to stop anytime soon. So what do you think? Are you OK with facial-recognition technology being used at airports? Does it really improve security? And are you willing to trade your privacy for convenience?
A recent attack on Citrix, a large virtualization and software provider used by 98% of the Fortune 500, shows that weak and guessable passwords are still a huge problem for organizations. On March 6th, Citrix posted a notice that their internal network had been hacked by international cyber criminals. In a blog post about the intrusion, Citrix said that the attackers may have accessed and downloaded business documents and that they are cooperating with the FBI in the ongoing investigation. Apparently, the attack vector used was a technique called “Password Spraying”, which is where an attacker puts together a list of usernames, usually collected by harvesting employee names from LinkedIn or other publicly available sources, and tries to log in to exposed applications using a single common weak password like “Winter2019” or “Password1”. Each login attempt uses a username from the list and that single password. This technique is related to another type of attack called a “brute force” attack, where many login attempts with many common passwords are made against the same account. Brute forcing is much noisier and easier to detect, which is why many attackers prefer password spraying: with only one attempt per account, it stays under typical account lockout thresholds. Once an attacker finds a valid set of credentials, it doesn’t take long for the attacker to gain a foothold in the company’s internal network. Typically, this is done through lateral movement, exploiting vulnerabilities reachable with the access of that one single account. This attack, of course, takes advantage of poor password policies as well as the lack of other controls like multi-factor authentication. Check out our show notes for our recent episode on multi-factor authentication to find out why just having a password alone is not enough to protect user accounts.
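The difference between spraying and brute forcing described above is exactly what a defender can key on in authentication logs: one source trying a few attempts across many accounts versus many attempts against one account. Here is an added example (not code from the podcast or from Citrix) that runs that logic over constructed log lines; the log format, thresholds and IP addresses are assumptions.

```python
"""Flag password spraying and brute forcing in authentication logs.

Added example for the Shared Security episode on the Citrix intrusion;
the "timestamp src_ip username RESULT" log format is a constructed,
hypothetical one, and the thresholds below are illustrative.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 8      # distinct accounts failing from one source
SPRAY_MAX_PER_USER = 2   # sprays stay under per-account lockout limits
BRUTE_MIN_FAILS = 6      # many failures against a single account

# Constructed sample: one source sprays ten accounts once each and then
# succeeds as "erin"; a second source hammers "admin"; a third is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
2019-03-06T02:00:01 203.0.113.7 alice FAIL
2019-03-06T02:00:03 203.0.113.7 bob FAIL
2019-03-06T02:00:05 203.0.113.7 carol FAIL
2019-03-06T02:00:07 203.0.113.7 dave FAIL
2019-03-06T02:00:09 203.0.113.7 frank FAIL
2019-03-06T02:00:11 203.0.113.7 grace FAIL
2019-03-06T02:00:13 203.0.113.7 heidi FAIL
2019-03-06T02:00:15 203.0.113.7 ivan FAIL
2019-03-06T02:00:17 203.0.113.7 judy FAIL
2019-03-06T02:00:19 203.0.113.7 mallory FAIL
2019-03-06T02:00:25 203.0.113.7 erin OK
2019-03-06T02:10:00 198.51.100.9 admin FAIL
2019-03-06T02:10:02 198.51.100.9 admin FAIL
2019-03-06T02:10:04 198.51.100.9 admin FAIL
2019-03-06T02:10:06 198.51.100.9 admin FAIL
2019-03-06T02:10:08 198.51.100.9 admin FAIL
2019-03-06T02:10:10 198.51.100.9 admin FAIL
2019-03-06T02:10:12 198.51.100.9 admin FAIL
2019-03-06T02:20:00 192.0.2.5 alice FAIL
2019-03-06T02:20:09 192.0.2.5 alice OK
"""


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, user, result == "OK"))
    return events


def analyse(events):
    """Return {src_ip: {"labels", "users_tried", "compromised"}} for noisy sources.

    For every failure from a source, look at the failures in the WINDOW that
    starts there. Many distinct users with at most a couple of failures each
    is a spray; many failures against one user is brute force. A successful
    login from a spraying source inside that window means the attacker
    found a working credential, so the account is reported as compromised.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    report = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        labels, users_tried, compromised = set(), set(), set()
        for i, first in enumerate(fails):
            end = first.ts + WINDOW
            per_user = Counter(e.user for e in fails[i:] if e.ts <= end)
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                labels.add("password-spray")
                users_tried |= set(per_user)
                compromised |= {e.user for e in evs if e.ok and first.ts <= e.ts <= end}
            if max(per_user.values()) >= BRUTE_MIN_FAILS:
                labels.add("brute-force")
        if labels:
            report[src] = {"labels": labels, "users_tried": len(users_tried),
                           "compromised": compromised}
    return report


if __name__ == "__main__":
    for src, finding in analyse(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(finding["labels"]), "accounts tried:", finding["users_tried"],
              "successful logins during spray:", sorted(finding["compromised"]))
```

The spraying source is only visible when failures are grouped by source rather than by account, which is why per-account lockout counters alone miss it.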
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Equifax and Marriott Data Breach Updates, Facial Recognition at the Airport, Citrix Password Spraying Attack appeared first on Shared Security Podcast.

Mar 11, 2019 • 9min
Google Chrome Zero-Day, Facebook Phone Number Privacy, NSA Phone Data Collection Program
This is your Shared Security Weekly Blaze for March 11th 2019 with your host, Tom Eston. In this week’s episode: a new Google Chrome Zero-Day, how Facebook uses your phone number, and the shutdown of the NSA’s phone data collection program.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Google announced last week that a patch released on March 1st for the Google Chrome web browser was actually to fix a zero-day vulnerability that has been under active attack. The vulnerability, which is known as a use-after-free bug, is a type of memory error which can allow malicious code to escape Chrome’s built-in security sandbox and allow commands to be run on the local operating system. This particular vulnerability was found in what’s known as the “FileReader API”, which allows web applications to read the contents of files on a user’s computer. Google updated their original post about the patch to indicate that “Access to bug details and links may be kept restricted until a majority of users are updated with a fix”. This is, of course, done to prevent malicious actors from accessing details on how the vulnerability works so that it cannot be replicated. As always, ensure you keep your web browser of choice updated. In fact, all modern browsers have a nifty auto-update feature. The Chrome browser will show you a “green, orange, red” three-dot indicator at the top right of your browser. If it’s green, an update has been available for 2 days; if it’s orange, 4 days; and if it’s red, 7 days. Click on the three dots and simply click “Update Google Chrome”. If you don’t see this button or any color indicators, you’re on the most current version. Our advice is to take a minute now to ensure you’re using the latest version of Chrome.
First up in Facebook news last week was the controversy with how Facebook uses your phone number. The Electronic Frontier Foundation said that phone numbers in Facebook, which happen to be used for two-factor authentication, have the privacy setting set to searchable by “Everyone” as the default. In fact, Facebook only gives you the choice of “Everyone”, “Friends of Friends” and “Friends” which means there is no option to opt-out. Facebook is essentially forcing us into a trade-off between the security of two-factor authentication and privacy of our phone number. Keep in mind, back in April of last year, Facebook did remove the ability to search for a user by entering a phone number or email address in the Facebook search bar but it did not disable the ability for someone to search for you when they upload a list of their contacts, which happens to have your phone number in it.
In other Facebook news, a report from the Guardian shows that Facebook targeted politicians around the world, promising various forms of investments and incentives so that they would lobby on Facebook’s behalf against data privacy legislation. This was all made public via a brand new leak of internal Facebook documents. And if that wasn’t enough Facebook news, Facebook CEO Mark Zuckerberg released a manifesto of sorts which details his vision for building a privacy-focused messaging and social networking platform. Check out our show notes if you’re interested in reading Mark’s full post, but basically he wants to change Facebook so that it can have more private interactions, end-to-end encryption, reduced permanence, safety, interoperability, and secure data storage. So what do you think? With all the controversy and scandal going on with Facebook, do you think Mark’s intentions for a more secure and private Facebook are true? Or do you feel that ultimately we are the product and, at the end of the day, making money off of our private data is what Facebook is really about? Let us know your thoughts by sending us an email at feedback@sharedsecurity.net or through any of our social media channels and let’s continue the conversation.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
The NSA has silently discontinued its very controversial program put in place after the 9/11 terrorist attacks which collected and analyzed millions of domestic phone calls and text messages. You may remember that this was the program exposed by whistleblower Edward Snowden. Because of the US Patriot Act in 2001, this program collected metadata of communications which included the phone numbers on the call, when the calls took place and how long they lasted. Apparently, the system hasn’t been used in months and the Trump administration may not renew or extend this program. The New York Times says sources indicate that there have been problems with the way the data has been collected, which may be the reason for the shutdown of the program.
In other NSA news, at the RSA security conference last week the NSA released a free software reverse engineering tool called “Ghidra” which is used internally by NSA employees. In fact, they even plan on releasing the source code for the tool on GitHub. In the meantime, that didn’t stop some researchers who downloaded the tool to discover that a network port was opened when running the application which would allow remote code execution. While the NSA states that they would never release a tool to the security community with a backdoor installed, it left many to speculate what the purpose of the port was. Upon letting the NSA know about this open port the NSA said that this is used for internal teams to collaborate and share information with each other. However, the port specified by the NSA was not the same one discovered by the researcher.
Now besides what port should be or shouldn’t be open, I find it fascinating that the NSA is trying to be more transparent about what they are working on, tools they develop and wanting more collaboration with the cybersecurity community. More transparency from the NSA is a good thing. So let’s hope for more of it in the future.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Google Chrome Zero-Day, Facebook Phone Number Privacy, NSA Phone Data Collection Program appeared first on Shared Security Podcast.

Mar 4, 2019 • 14min
Multi-Factor Authentication, New Attacks on 4G and 5G Mobile Networks
This is your Shared Security Weekly Blaze for March 4th 2019 with your host, Tom Eston. In this week’s episode: Multi-factor authentication to protect your credentials, and new attacks on 4G and 5G mobile networks.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Almost every day we hear about a new data breach or leak of personal data. In a lot of these stories, compromised credentials are used in what is known as a ‘credential stuffing’ attack in which stolen credentials, from large databases of past data breaches, are used to gain access to many different types of popular applications and services. Just last week, one of those services was Intuit’s TurboTax application which right now, because of tax season in the US, is extremely popular. Victims of this particular attack had their information like social security numbers, address, date of birth, driver’s license number, previous tax returns and other personal data compromised. That’s enough data for someone’s identity to be stolen!
But even if we take the right precautions to use unique and complex passwords, many of us can still fall victim to a phishing or other social engineering attack where we may be convinced to give away our user credentials. In fact, in last week’s show I discussed a very realistic Facebook social login phishing campaign which looks so real that even cybersecurity professionals could fall for it.
So what can you do to help better protect your user credentials? The answer is multi-factor authentication and you should always enable it if the apps and services you are using support it. Here to discuss what multi-factor authentication is and how it’s different than other forms of authentication is Ian Paterson, CEO of identity assurance company, Plurilock.
Ian Paterson: Historically, authentication is based around what you know, which would be something like a password or a PIN number for your debit card; what you have, so that would be something like the debit card itself or maybe an RSA token; and something that you are, and that would be something like your fingerprint for touch ID or maybe your face for using facial recognition. And multi-factor authentication is when you have two or more of those factors. So you’re mixing and matching something that you know, something that you have, and something that you are.
Ian Paterson: Traditional authentication is generally something that you know, and that would be passwords. And what the world has learned over the last five to 10 years, is that passwords, something that you know, are really a terrible way of protecting stuff. I would say ironically, but not ironically, I got a note in my inbox earlier this week from Have I Been Pwned, saying, “Congratulations. You have been subject to a data breach.” And the reality is if you’ve been around online for any amount of time, probably you’ve had your credentials breached. And I usually talk about, there’s two people in the world, people who know that they’ve been part of a data breach and people who don’t know. And that’s basically it. So, coming back to your question. So MFA is designed to mitigate some of the problems around traditional authentication, i.e., passwords and we’re starting to see more of… More consumer options, certainly, around being able to use MFA or two factors, so two-factor authentication and multi-factor authentication, we’re starting to see more of those options being available to consumers.
Tom Eston: So, what are some of the issues that you’re seeing with the way that companies and applications and everyone is using multi-factor authentication right now?
Ian Paterson: I think that there are some good ways of doing multi-factor authentication and there are some not good ways of doing multi-factor authentication. So some examples of maybe good attempts, but attempts that come up short, would be using two forms of something that you know.
Ian Paterson: A lot of banks actually are still stuck with this. Where you’ll have a login and password and then if you get through the login and password, then they’ll ask you a security question. So it’s not actually multi-factor, they call it two-step verification in a lot of cases, which kinda sounds like two-factor authentication, but you’re still using two shared secrets, two something that you knows, in order to authenticate you as a person. And it’s a little bit better than just a password on its own, but not by much. And certainly it doesn’t meet a lot of the regulatory requirements around strong authentication. So we’re seeing that organizations are recognizing that this is not an ideal way of doing it and they’re moving away from it. But certainly… I still have some personal accounts just with organizations that I use and I’m still asked for a login, password, and a security question and it drives me nuts.
Tom Eston: Why should apps and services move away from offering SMS text-based multi-factor authentication?
Ian Paterson: What we’ve seen over the last couple of years is that SMS as a form of MFA, multi-factor authentication, is really insecure. So the Reddit hack a year or two ago, was they were able to get in because SMS was used as a form of multi-factor authentication and the attackers were able to usurp that and get access. And so, there are better ways of doing MFA. There are not so good ways of doing MFA. The security questions, SMS are definitely in that not great camp. Hardware is a great option as long as users are willing to go through the hassle of using it.
Tom Eston: Here’s Ian’s take on what the future of multi-factor authentication might look like.
Ian Paterson: So, Plurilock is looking at human behavior and using that as a form of biometrics. So we look at how you type, how you move a mouse, on mobile phones, how you walk or how you sit, which is gait analysis, and we use that as a form of invisible second-factor authentication, on top of your standard login and password. So if you consider that there can be a spectrum of really, really secure and really inconvenient on one end and on the other end of the spectrum would be really, really convenient but unbelievably insecure. There’s different solutions that you can plot on that spectrum.
Ian Paterson: And hardware is usually really, really secure. As a general rule, if you’re using hardware tokens or if you have a YubiKey, for instance. Like those are great solutions. The challenge is you actually want to roll out multi-factor authentication to more places than you can realistically expect users to do MFA. And so what happens is, and we’ve seen this with some of our customers and other organizations that we work with, they’ll purchase an MFA solution, they’ll integrate it in one or two points and then the rest of the interaction with users is left unprotected because they can’t get over the pushback from their end users to say, “Look, you can’t really expect to slow me down for five seconds, eight times a day, just so that I can log in securely.”
Ian Paterson: And so what we do is we come in and say, “Look in some cases, use hardware.” If you’re wiring $10 million, I would suggest that you probably want hardware in there to make sure that it’s the right person. But if it’s a… If it’s a manager who’s approving a small change or if it’s a lower risk transaction, is there a way that we can balance that convenience and security aspect? And so what we do is we look at your login and password, which you’re already, for the most part, doing today, we look at how you type in your login and password as a form of behavioral biometrics, and then we also use things like your location.
Ian Paterson: So have we seen you log in from the same location in the past. Rather than geo-fencing, we’ll actually do things like the impossible travel problem. So we’ll look at your last known good login, we’ll compute the time that it would have taken you to travel from point A to point B, where you’re currently logging in from, and say that if it’s physically impossible for you to travel from point A to point B, probably there’s something suspicious, right? So it’s all about flexibility. We don’t pre-configure very much, but we’re really looking at risk factors to know whether we need to pause the authentication and ask you for the hardware that you already have or just let you through.
Tom Eston: What about privacy and mass surveillance concerns with biometric-based multi-factor authentication?
Ian Paterson: So, personal privacy and biometrics is a hot topic. I think where we’re seeing those is that there’s more consumer demand and acceptance for forms of biometrics. And I think you only need to look at what Samsung and Apple are doing, and actually Microsoft Surface is for that matter, as well, where they’re trying to balance the use of biometrics, like your thumb print or facial recognition, with the convenience that that offers.
Ian Paterson: Now, the other angle to this, is that biometrics are not foolproof, in the same way that passwords are not foolproof. There’s no silver bullet here anywhere. But biometrics can be a useful tool when you’re talking about defense in depth. And what we’re seeing is that consumers are interacting with those technologies more and so as a result have a greater acceptance for how they can be used and how they can benefit them.
Ian Paterson: The challenge really when you come down to consumer adoption is what’s in it for them. And if you just have a ubiquitous surveillance system for your business, there’s not really a benefit for consumers, they’re just being tracked and there’s no… There’s nothing in it for them. But if you were to say, look, rather than fumbling around for your keys, trying to find that frustrating token with that six-digit rotating password that is gonna change in 30 seconds and it actually shows you the bars count down, which just produces anxiety, you have to get it right and then you get it wrong and then you have to wait for the next one. The whole thing is just a terrible user experience. And then if you give them the choice to say, “Look, you can do that or you can swipe your thumb print,” suddenly it’s a different conversation. It’s not just about ubiquitous surveillance, it’s around, “Well, there’s a trade-off here being made and well, actually, I kinda benefit from this.” And when you have that conversation, it’s just much, much more geared towards informed consent and around the value that the users get.
Tom Eston: That was Ian Paterson from Plurilock.
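The impossible-travel check described in the interview, written out as an added example (this is not Plurilock’s code and says nothing about their implementation). It assumes two constructed inputs: the last known good login and the current attempt, each with a timestamp and a GeoIP-resolved latitude/longitude. The thresholds (1,000 km/h as the fastest plausible speed, 100 km as the radius inside which two GeoIP fixes count as the same place) are assumptions chosen for illustration; the verdict is either to let the login through or to pause and ask for the hardware factor the user already has.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed thresholds, not vendor values: an airliner cruises near 900 km/h, so a
# faster required speed cannot be one person; GeoIP is coarse, so short hops are ignored.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
SAME_PLACE_TOLERANCE_KM = 100.0


@dataclass(frozen=True)
class LoginEvent:
    """One login attempt with its resolved geolocation (hypothetical record shape)."""
    user: str
    when: datetime  # timezone-aware, UTC
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate_travel(last_good: LoginEvent, current: LoginEvent) -> dict:
    """Decide 'allow' or 'step_up' from the speed the user would have needed."""
    distance_km = haversine_km(last_good.lat, last_good.lon, current.lat, current.lon)
    elapsed_h = (current.when - last_good.when).total_seconds() / 3600.0
    if distance_km <= SAME_PLACE_TOLERANCE_KM:
        # Within GeoIP noise: treat as the same place, whatever the elapsed time.
        return {"verdict": "allow", "reason": "same_place",
                "distance_km": distance_km, "required_kmh": 0.0}
    if elapsed_h <= 0:
        # Zero or negative elapsed time means clock skew or out-of-order events;
        # with real distance in between, plausibility cannot be shown, so step up.
        return {"verdict": "step_up", "reason": "non_positive_elapsed",
                "distance_km": distance_km, "required_kmh": float("inf")}
    required_kmh = distance_km / elapsed_h
    if required_kmh > MAX_PLAUSIBLE_SPEED_KMH:
        return {"verdict": "step_up", "reason": "impossible_travel",
                "distance_km": distance_km, "required_kmh": required_kmh}
    return {"verdict": "allow", "reason": "plausible_travel",
            "distance_km": distance_km, "required_kmh": required_kmh}


# Constructed sample coordinates and times (not real user data).
T0 = datetime(2019, 2, 1, 9, 0, tzinfo=timezone.utc)
NEW_YORK = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
SAN_FRANCISCO = (37.7749, -122.4194)
OAKLAND = (37.8044, -122.2712)


def example_verdicts() -> dict:
    """Run the check over constructed login pairs covering each branch."""
    last = LoginEvent("alice", T0, *NEW_YORK)
    return {
        "london_one_hour_later": evaluate_travel(
            last, LoginEvent("alice", T0 + timedelta(hours=1), *LONDON)),
        "london_eight_hours_later": evaluate_travel(
            last, LoginEvent("alice", T0 + timedelta(hours=8), *LONDON)),
        "london_same_timestamp": evaluate_travel(
            last, LoginEvent("alice", T0, *LONDON)),
        "bay_area_minutes_later": evaluate_travel(
            LoginEvent("bob", T0, *SAN_FRANCISCO),
            LoginEvent("bob", T0 + timedelta(minutes=5), *OAKLAND)),
    }


if __name__ == "__main__":
    for name, v in example_verdicts().items():
        print(f"{name}: {v['verdict']} ({v['reason']}, "
              f"{v['distance_km']:.0f} km, needs {v['required_kmh']:.0f} km/h)")
```

The same-place tolerance matters more than it looks: city-level GeoIP can move a fixed user tens of kilometres between sessions, and without it two logins a minute apart from the same office would compute an enormous required speed. The non-positive elapsed time branch is the other edge case worth handling explicitly, since a naive division would either crash or silently produce a negative speed that passes the threshold.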
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
A group of researchers from Purdue University and the University of Iowa have released details on new security flaws in the 4G and 5G protocols used by mobile networks. The flaws bypass new security protections and would allow IMSI-catching devices, known as “Stingrays”, to intercept phone calls and conduct location tracking. Stingray devices are known to be used by nation states and law enforcement. Surprisingly, the soon-to-be-implemented 5G protocol has built-in protections to defend against Stingray devices, but the researchers found that these protections can be defeated. The research describes several different attacks: the first, called Torpedo, exploits a weakness in the paging protocol mobile carriers use to notify a device before a call or text comes through; Piercer allows an attacker to determine a user’s identity (or IMSI) on a 4G network; and an IMSI-cracking attack can brute force an IMSI number on 4G and 5G networks. This last attack in particular would allow Stingray devices to be used on the new 5G networks which are just starting to be deployed. The code and exploits will not be released by the researchers; instead the flaws will be reported to the mobile carriers so that they can be fixed. However, the researchers note that these attacks could be carried out with radio equipment costing only about $200. Let’s hope the mobile carriers fix these flaws soon, especially before 5G networks are fully deployed.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Multi-Factor Authentication, New Attacks on 4G and 5G Mobile Networks appeared first on Shared Security Podcast.

Feb 25, 2019 • 9min
Google Nest’s Secret Microphone, Facebook Login Phishing, Password Manager Vulnerabilities
This is your Shared Security Weekly Blaze for February 25th 2019 with your host, Tom Eston. In this week’s episode: Google Nest’s secret microphone, a new Facebook login phishing campaign, and vulnerabilities in popular password managers.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Do you own, or are you thinking about owning, a Nest Secure security system? If so, did you know that Google secretly installed a microphone into the system as a previously undocumented opt-in feature? Well, just last week Google announced that an update for its Nest Secure system would allow users to enable the Google Assistant (that’s Google’s voice-activated product) so that users could use voice commands to enable and disable the alarm system. In a report from Business Insider last week, a Google spokesperson said that the company had made an error and that “the on-device microphone was never intended to be a secret and should have been listed in the tech specs”. Google said that the microphone was originally included in the system for the future possibility of new features, like the ability to detect broken glass. Google also stated that the microphone was always disabled. This news comes at a very challenging time for the tech giant, as many consumers are increasingly worried about their privacy and about companies like Google who have continued to demonstrate a lack of commitment to protecting our private information.
In fact, a privacy group called EPIC, which stands for the Electronic Privacy Information Center, is asking the Federal Trade Commission here in the United States to divest Nest from the rest of its parent company Google and to disclose any data that these undocumented microphones may have been collecting. EPIC has, in the past, called for similar action against Google, dating back to 2010 when Google was found to have been collecting Wi-Fi data from its Street View project, which included Wi-Fi network names, MAC addresses, URLs, emails, and even passwords from unsecured Wi-Fi networks. So what do you think? Are you concerned about a microphone in your home security system? Or is the bigger issue that companies like Google are not being honest with consumers about the privacy-impacting technology being used in their products?
Last week password management company Myki posted about a new Facebook login phishing campaign making the rounds that looks so realistic that even cybersecurity professionals would have a hard time recognizing it. The attack takes advantage of the popular “social login” feature that is used by most web and mobile applications these days. Social logins give you the option of logging in with your Facebook account instead of creating a new set of user credentials. This is oftentimes more convenient than always creating a new user name and password combination. However, in the case of this new attack, convenience may come at a price. The way this particular attack works is that the attacker creates a very realistic-looking social login pop-up where everything, from the status and navigation bar to the graphics and more, looks just like the real social login page. The user can even interact with the login box, just like the real one, by moving it around the screen and closing it. Once you fill out the form with your Facebook login credentials, they are sent to the attacker. Check out the link in our show notes for a video demonstration of what the attack looks like, but the only advice given to protect yourself is to try to drag the prompt away from the box that it is currently displayed in. If dragging the popup beyond the edge of the browser fails, you have yourself a malicious pop-up box. Now, unfortunately, this method is not something I’ve seen that many users, or even cybersecurity professionals, would know about. One thing I thought of was that the Facebook social login process will automatically log you in if you happen to also be logged into your Facebook account. If you ever do get prompted to log in to Facebook through one of these social prompts, I would first check to see whether you’re already logged into Facebook. Other than that, stay vigilant, as it may be a good idea to try to stay away from using social logins altogether.
A recent audit of the popular password managers LastPass, KeePass, Dashlane, and 1Password for Windows shows that they all leave traces of sensitive data in memory which could potentially be compromised if an attacker has physical access to the victim’s computer or if malware is able to extract the contents of memory. Security consulting firm Independent Security Evaluators, who performed the audit, says that they found vulnerabilities in the way these applications store secrets like user names, passwords, and even the master password in memory while the application is in use or while it’s placed into a locked state. The good news? All of the password managers tested protect the master password and all passwords stored in their encrypted database while the apps are not running. However, while they are running or locked, each password manager tested varied greatly in how secrets are stored and managed in memory. Some, like the free and open source KeePass application, had the fewest vulnerabilities, and KeePass was the only password manager that completely scrubs the master password from memory while the app is running or in a locked state. 1Password version 7 was noted as the most vulnerable in how it stores all secrets in memory, including the master password.
Now, this research is by no means telling you to stop using password managers altogether or to dump the password managers noted in this audit. In fact, the opposite is true. Using any password manager is better than not using one at all. Having a password manager will always be a better strategy than using the same password for every site and service that you use.
The post Google Nest’s Secret Microphone, Facebook Login Phishing, Password Manager Vulnerabilities appeared first on Shared Security Podcast.