

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Feb 18, 2019 • 10min
Preventing Illegal Robocalls, Webcam Spying, Dating App Account Hacking
This is your Shared Security Weekly Blaze for February 18th 2019 with your host, Tom Eston. In this week’s episode: Preventing illegal robocalls, should you be scared of your laptop’s webcam, and recent hacks of popular dating apps.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I’ll bet you’re like me: whenever I see a call from a number I don’t recognize, I refuse to answer it because of the sheer volume of robocalls, scams and fraud attempts I receive. In a previous podcast we referenced a report from a company called First Orion which said that nearly half of the mobile phone calls received in 2019 would be scams. Well, it’s 2019 and I’m starting to believe it may even be higher than 50%! It really seems like the problem is getting worse. However, a new report released by the FCC on the frequency and prevention of illegal robocalls shows that some progress is being made to prevent these calls and to hold scammers accountable for their actions. In regard to call-blocking services, the FCC states that hundreds of these services are now available, many of them for free, and that there has been significant progress toward caller ID authentication through a new standard being implemented by the major telecom companies called STIR/SHAKEN. Umm…interesting martini reference there, guys. This standard verifies that caller IDs are accurate and have not been spoofed or modified. Caller ID authentication is supposed to be implemented by all major telecom companies in the US by the end of this year. From an enforcement perspective, the FCC notes that it has proposed or imposed fines of around $245 million in just the last two years against people and companies found guilty of illegal robocalling. While all of these efforts seem to be making some progress, will caller ID authentication really reduce the number of robocalls? Time will tell, but in the meantime it’s probably best to get yourself one of the many free robocall and scam-call blocking apps that are available. Check out our show notes for a link to many popular apps that you can use right now.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
I was intrigued by a story last week posted on ZDNet titled “Should you be scared of your laptop’s webcam”, which discusses a recent Wall Street Journal story about a columnist who hired an ethical hacker to see if he could break into the webcams of her two laptops and a baby monitor. The point of the story was to find out whether you really need to put tape over, or buy a cover for, your webcam. Using a carefully crafted phishing email with a link to a malicious file, the hacker was able to gain access to all her webcams and her home network. But was it as easy as sending a simple phishing email? No, it actually wasn’t. The story pointed out that it took the columnist “performing some intentionally careless things for him to succeed”. So what careless things are we talking about? Well, the malicious file that was sent to the columnist via the phishing email was flagged by her operating system, her anti-virus and even Microsoft Office. She intentionally dismissed all of the warnings and even purposely disabled the built-in security controls within her operating system. Only after all of that could the malicious document be edited, which allowed the malware to execute. And that was just on Windows; on her MacBook Air it took even more steps to gain access to the camera and required more things to be “disabled” to get the exploit to work. This raises the question: if it was so difficult for this ethical hacker to break through all these layers of security, even with the assistance of the “victim” (yes, that’s victim in quotes), do we need to worry about our webcams getting hijacked?
The answer is…well, it depends on things like your personal threat model and how diligent you are about security awareness. It’s true that updated, fully patched and protected modern operating systems like Windows and Apple macOS are much more difficult to break into these days. And that’s the key: keep all of your systems fully patched and updated and never disable the built-in security controls in your operating system. Also, don’t forget to change the default passwords of those cheap Internet of Things devices as well. So the point is, it’s typically the actions of the victim, like disabling anti-virus or other security controls and not keeping systems updated, that leave us at the greatest risk.
Last week was Valentine’s Day, and unfortunately for some users of the dating sites OkCupid and ‘Coffee Meets Bagel’ it wasn’t all love and romance. TechCrunch reported that multiple OkCupid users had their accounts hacked and their passwords changed without their knowledge. And the popular dating app ‘Coffee Meets Bagel’ had 6.1 million usernames, email addresses and other personal details exposed in a recent massive pool of compromised data that was found for sale on the Dark Web. Other data in this dump included user data from other well-known data breaches such as MyHeritage and MyFitnessPal. Representatives from OkCupid have denied that there was a data breach but essentially blamed their own users for choosing poor passwords that may have been exposed in previous data breaches. According to the TechCrunch article, a spokesperson for OkCupid said, “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”
Account takeovers relate to the more recent attack trend called “credential stuffing”, where attackers take the credentials found in large databases of past data breaches and use tools and scripts to test whether those username and password combinations work on other websites. Ironically, OkCupid and many other dating apps don’t offer two-factor authentication, so if you happen to be using the same password across all of the apps you use, you can more easily become a victim of a credential stuffing attack. If you’re one of the millions of people who use these and other dating apps, take a minute to review how you’re choosing your passwords and be sure to enable two-factor authentication if it’s available. If you happen to be looking for love on one of these sites, the last thing you need is to find out the “heartbreaking” news that your account and personal data were compromised.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Feb 13, 2019 • 30min
Artificial Intelligence in Cybersecurity, Apple FaceTime Bug, Nest Camera Passwords
In episode 85 of our monthly show we discuss artificial intelligence in cybersecurity, the recent Apple FaceTime bug, and the controversy over compromised Nest cameras. This was also the first show we streamed live on YouTube! You can re-watch the live stream on our YouTube channel.
The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.

Feb 11, 2019 • 10min
DNA Testing and the FBI, $198 Million Dollar Cryptocurrency Password, Password Checkup Chrome Extension
This is your Shared Security Weekly Blaze for February 11th 2019 with your host, Tom Eston. In this week’s episode: DNA testing and the FBI, the $198 million dollar cryptocurrency password, and a new Chrome extension to protect your accounts from data breaches.
Before we get into the news this week, I wanted to update you all on the Apple FaceTime bug that we talked about in last week’s episode. Well, Apple has finally released a patch! Make sure you update your Apple iOS device to 12.1.4 and any Apple system running macOS Mojave to version 10.14.3. Check our show notes for a link to all the details and instructions on updating.
Now to a story about how one of the largest DNA testing companies, Family Tree DNA, is working with the FBI to let it search the company’s massive genealogy database to solve crimes that have been nearly impossible to solve in the past. This topic may sound familiar, because last year there was a story about how the “Golden State Killer” (Joseph DeAngelo) was convicted due to DNA information from an open-source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in that database, which allowed law enforcement to pinpoint the killer through clues such as location, ethnicity and other characteristics. However, this most recent story is the first time a private company has voluntarily agreed to give law enforcement access to its database. According to the article, this new relationship with Family Tree allows the FBI to upload DNA samples and have them matched against the roughly one million DNA records in the company’s database. It’s important to note that anyone can upload their own DNA profile to the service, not just paying customers.
I think we’re starting to see a very dangerous precedent with regard to the privacy of our DNA and who can access these records without user consent. While all of us would agree that finding murderers and solving unsolved crimes is really important, at what cost are we willing to have our most sensitive information, like our DNA, involved in searches or matching of other people’s profiles? Now that DNA testing kits are given as gifts and it seems like everyone is doing it, what are the privacy ramifications for the future? One important thing to note: if you’ve used one of these DNA testing services in the past, you can delete your DNA records (also known as your ‘kit’) either by contacting the company’s customer service or through your profile settings in the DNA service’s web application. This process will vary between DNA companies, so be sure to read the terms of service and privacy policy of the DNA company you used to see how it handles and potentially shares your DNA records with third parties. What do you think? If you’ve used one of these DNA services in the past, are you concerned about this recent news? Let us know by commenting on our website or social media so we can continue this very important conversation.
Canadian bitcoin exchange QuadrigaCX owes its customers about $198 million worth of cryptocurrency following the sudden death of the company’s CEO, Gerry Cotten. The reason, you may ask? Well, the only person with the password to the offline storage wallet that stored the private encryption keys needed to unlock the cryptocurrency was the CEO. No other member of the company, nor the CEO’s wife, had the password to the offline storage wallet. In a report from The Hacker News, some have even questioned whether the CEO faked his death, or whether this was what is known as an ‘exit scam’, where the CEO and his wife wanted to quickly get out of the cryptocurrency business and never be seen again. While these two claims may be unfounded, this is a fairly common problem in the cryptocurrency market, where the exchanges actually store the cryptocurrency rather than just facilitating transactions like traditional stock exchanges.
The lesson from this story, for all of us, is to consider who you have designated as a backup for your passwords and other private information if you were to suddenly die. It’s an uncomfortable reality to think about, but how would your immediate family handle your accounts, money and other important things if you were no longer here? This is definitely a concern if you are (hopefully) using a password vault or manager as we always advocate. Our advice is to come up with a plan with your immediate family or someone you trust to determine how they would access any passwords or other things that would be needed if you were no longer around. One suggestion is to store your password vault passphrase in a safe deposit box or in another password vault that your trusted designee has access to. It’s a lot to consider, and it may require some real thinking as every individual situation is different, but it’s very important that we all have a plan in place.
Data leaks and breaches are inevitable, which means that the usernames and passwords we choose always seem vulnerable to compromise no matter how many precautions we take to protect them. Oftentimes, it’s the data from past data breaches that comes back to haunt us. To help combat this problem, Google has released a new extension for the Chrome web browser called “Password Checkup”. The extension triggers a warning if the username and password combination you use when signing into a site is one of the over 4 billion credentials that Google knows to have been compromised. The extension was developed jointly with cryptography experts from Stanford University to ensure that Google never sees any of the credentials being entered or checked, and that the extension itself cannot be compromised by attackers. In addition, all statistics the extension reports back to Google are anonymous. Google released a blog post showing how the extension works as well as the technical details behind the design. One thing I like about this extension is that it will only alert you if the same username and password combination happened to be part of a past data breach. It won’t alert you about outdated passwords or weak passwords like “12345”. Check out our show notes for a link to download this great extension if you use the Chrome web browser. The more awareness we can spread about the use of compromised credentials, the better for everyone.
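To make the privacy property described above concrete, here is an added Python example. It is not code from the podcast, from Google or from the Password Checkup extension, and it is not the extension’s real protocol (Google’s design adds a blinding step and a memory-hard hash that this page does not detail). It shows a simplified prefix-bucket lookup: the client hashes the username and password together, sends only a short hash prefix to the lookup service, and finishes the comparison locally, so the service never receives the credential itself. The class name CompromisedCredentialServer, the function check_credential, the 2-byte prefix length and the compromised pairs are all constructed for this example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample of username/password pairs treated as "known compromised".
# These are made up for the example and are not real breach data.
COMPROMISED_PAIRS = [
    ("alice@example.com", "Summer2018!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "12345"),
]

# Number of leading hash bytes the client reveals to the lookup service.
# 2 bytes = 65,536 buckets; a shorter prefix leaks less but returns bigger buckets.
PREFIX_BYTES = 2


def credential_hash(username: str, password: str) -> bytes:
    """Hash the username and password together as one unit.

    The pair is hashed, not the password alone, so a weak password that is not
    paired with this username in the list does not produce a match.
    SHA-256 is used only to keep the example self-contained; a deployed design
    would use a memory-hard hash plus a blinding step, which is assumed here
    rather than implemented.
    """
    canonical = username.strip().lower() + ":" + password
    return hashlib.sha256(canonical.encode("utf-8")).digest()


class CompromisedCredentialServer:
    """Hypothetical lookup service holding only hashes, bucketed by prefix."""

    def __init__(self, pairs):
        self._buckets: Dict[bytes, List[bytes]] = {}
        for user, pw in pairs:
            digest = credential_hash(user, pw)
            self._buckets.setdefault(digest[:PREFIX_BYTES], []).append(digest)

    def lookup_bucket(self, prefix: bytes) -> List[bytes]:
        """Return every stored hash sharing the prefix; the server never
        learns which one (if any) the client was interested in."""
        return list(self._buckets.get(prefix, []))


def check_credential(server: CompromisedCredentialServer,
                     username: str, password: str) -> Tuple[bool, int]:
    """Client side: hash locally, send only the prefix, match locally.

    Returns (is_compromised, bucket_size). bucket_size shows how many
    candidates the client had to compare, i.e. how much cover the prefix gave.
    """
    digest = credential_hash(username, password)
    bucket = server.lookup_bucket(digest[:PREFIX_BYTES])
    return digest in bucket, len(bucket)


# Module-level instance so the flow can be exercised directly.
SERVER = CompromisedCredentialServer(COMPROMISED_PAIRS)

if __name__ == "__main__":
    for user, pw in [("alice@example.com", "Summer2018!"),
                     ("dave@example.com", "12345"),
                     ("ALICE@example.com", "Summer2018!")]:
        hit, size = check_credential(SERVER, user, pw)
        print(f"{user}: compromised={hit} (bucket size {size})")
```

Because the hash covers the pair, “dave@example.com” with the weak password “12345” is not flagged even though “12345” appears in the list under another account, which matches the alerting behaviour described above. The trade-off is that the service still learns the first 16 bits of the hash on every query, which is why real designs layer blinding on top of the prefix scheme.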

Feb 4, 2019 • 10min
Massive Apple FaceTime Privacy Bug, Selling Your Privacy for Money, Insecure Smart Light Bulbs
This is your Shared Security Weekly Blaze for February 4th 2019 with your host, Tom Eston. In this week’s episode: The massive Apple FaceTime privacy bug, selling your privacy for money, and insecure smart light bulbs.
In breaking news this past week, a very serious privacy bug in Apple FaceTime was found by a 14-year-old high school student who was trying to FaceTime his friends while playing Fortnite. The bug allows someone to force other Apple devices that have FaceTime installed (everything from iPhones and iPads to laptops and Macs running newer versions of macOS) to answer a FaceTime call, even if the other person doesn’t take any action. Essentially, this turns an iPhone into a surveillance device where the microphone stays active. If you’re interested in learning more about the fascinating story of how this bug was discovered and the painful path this 14-year-old and his parents had to take to notify Apple of the issue, check out the link provided in our show notes for this episode. In response to this bug, Apple has disabled group FaceTime functionality, but it’s still not a bad idea to turn off FaceTime in your Apple device settings until a patch is released. Apple states that an update will be issued in the coming weeks. In the meantime, be sure to follow the podcast on Twitter, Facebook and Instagram for the latest updates on when a patch will be released.
Facebook was in the news once again this past week when a TechCrunch story revealed that Facebook had been secretly paying users aged 13 to 35 up to $20 per month plus referral fees to install an app called “Facebook Research”, known internally at Facebook as “Project Atlas”. This app is essentially a VPN and allowed Facebook to capture almost all data used on a personal Apple device, including messages, photos, phone call data and web browsing history. Facebook even went as far as to distribute this app outside of the Apple App Store through Apple’s Enterprise Developer Program, which Apple designed for companies to distribute apps within their own organization. The TechCrunch story prompted Apple last week to revoke Facebook’s access to this program as a terms of service violation, because Facebook was using the Enterprise Developer Program to distribute “internal only” apps to the public.
Dan Goldstein, president and owner of Page 1 Solutions, a digital-marketing agency says “This shows, once again, that Facebook doesn’t value user privacy and goes to great lengths to collect private behavioral data to give it a competitive advantage. The FTC is already investigating Facebook’s privacy policies and practices. As Facebook’s efforts to collect and use private data continue to be exposed, it risks losing market share and may prompt additional governmental investigations and regulation”. In related news, Google has removed a similar app called “Screenwise Meter” from Apple’s Enterprise Developer Program in fear that Apple would also revoke their access to this program. Google was doing the exact same type of thing where they were using a program designed to be used internally by organizations to distribute an app to the public. Screenwise Meter is very similar to the Facebook Research app in that it collects similar data such as browsing history.
It seems that we’re starting to see more instances of tech companies offering money or other incentives in return for your private data. What do you think? Is this creepy or just the new world we live in? Would you participate in one of these programs where you allow access to your private photos, web browsing history and phone calls in return for money and gift cards? Let us know by commenting on our social media feeds and the show notes for this episode.
Don’t just throw away that cheap smart lightbulb that just went bad. Instead, you may want to smash it with a hammer before throwing it out, as many of these lightbulbs appear to store sensitive information like your Wi-Fi password and other secrets. But is this news really that concerning? Well, in a series of blog posts by “Limited Results”, a blogger shows how easy it is to access the firmware of several different low-cost smart lightbulbs. These are products that you would typically find for sale on Amazon. Once the firmware was dumped to a computer, simple searches revealed network login information such as Wi-Fi network SSIDs and passwords, as well as other information like root certificates and private keys. The problem? Many cheap products like these take a lot of shortcuts by storing private information insecurely on the device.
Now, I wouldn’t be surprised if we see similar issues with most devices that fall into the “Internet of Things” category. From smart thermostats to sprinkler systems, power outlets and more, we should assume these devices are prone to similar flaws, and the root cause is the same: security is not built in from the beginning when these products are designed. Unfortunately, much of the advice I see for better securing these devices is to install them only on a separate, segmented wireless network that is different from the one you use for Internet access. While that seems reasonable, how many of us are actually doing this in practice? I’ll bet that the average home user of these products wouldn’t even think about this or know how to set up a separate network in the first place. In fact, most people don’t even know how to change the default network name or set a secure password to begin with. But ultimately, the risk of these devices falling into the wrong hands, and the work it takes to extract sensitive information from them, is probably not worth the time of most criminals. I think there is a greater risk of your home being broken into by a thief through a window than of your Wi-Fi password being extracted from one of these devices.

Jan 28, 2019 • 11min
The Lack of US Privacy Regulations, Nest Cameras Hijacked
This is your Shared Security Weekly Blaze for January 28th 2019 with your host, Tom Eston. In this week’s episode: Where are the US federal privacy regulations, and details on Nest cameras being hijacked in credential stuffing attacks.
January 28th is International Data Privacy Day, and ironically it seems that we still have a major problem with protecting the privacy of our data. Data breach after data leak, and countless examples of mishandling of our data by companies large and small, have led many of us to ask the question, “Why aren’t there more laws and regulations in the US focused on data privacy?” While Europe has the GDPR, the United States seems drastically behind in a battle for the protection of our private data that seems to be getting worse every day. Eventually, something big with data privacy will have to happen to finally get the attention of Congress, right? How big of a data breach is big enough? Equifax, which impacted 143 million Americans, was one example of a huge breach of our private data, yet nothing has changed. Facebook’s Cambridge Analytica scandal sent Mark Zuckerberg to face questions from Congress, and again nothing changed. And now there are reports that major telecom companies are selling our location data to shady third parties. So I ask you, will there finally be an even bigger data breach this year, one that makes a big enough impact to drive regulation at the federal level?
Here’s Ameesh Divatia, CEO and co-founder of Baffle, a data encryption company, with his thoughts on the development of new data privacy laws and regulations in the United States this year.
Ameesh: I think that would be very, very important because right now we have a mishmash where every state has a notification law, which means that you have to tell somebody and notify somebody about the fact that you’ve lost customers’ data. So a uniform notification approach would definitely help. I think the key issue is the whole issue of fines. I think GDPR took it to a whole new level as to how to fine entities that lose data. We need a more practical approach to that, and I think that you’re going to see that: where it hurts but doesn’t put you out of business, because you do want data collection. Like I said very early on, it is very critical; there is no way you’re going to get a lot of services without data being collected. But processing that data responsibly is what it’s all about. I always say security has traditionally been sort of sold with fear in the background. And that’s not good for anybody. What we see is a transition where being more secure and being able to protect the customers’ data is going to become a differentiator, a competitive differentiator, versus the necessary evil that always gets in the way of business. And if that really starts happening, that’s a true win-win for the industry as well as for the data aggregators.
Tom: So what do you see happening with privacy this year?
Ameesh: So what we see for 2019 is obviously a continued focus on the fact that privacy has to be taken seriously. I think you’re going to see some big fines being levied. Whether it’s the European Union or even the US states that are starting to catch up, I think that’s going to be another game changing event for 2019 where one of the large data aggregators is going to be fined. And that’s going to get the focus more and more on the fact that collecting data is the first step but making sure you protect it is a necessary second step.
Tom: That was Ameesh Divatia from Baffle.
Now, ironically, just this past week we saw news stories that two major tech companies, Google and Facebook, are being fined or are in the process of being fined. According to a report by the Washington Post, the Federal Trade Commission is planning to fine Facebook for violating an agreement dating back to 2012 in which Facebook committed to keeping certain user information private. No details on when this fine may happen or how much it will be have been released. However, it’s sure to be much larger than the £500,000 fine issued to Facebook by the United Kingdom back in October of last year. Google, meanwhile, is right now being fined $57 million, which happens to be the largest GDPR-related fine ever issued, because Google failed to go far enough in obtaining user consent to collect data for targeted advertising. So the question is, when will we see more enforcement in the US like we see in Europe? With the current government shutdown, we’re not going to see anything happen soon, and regardless of countless data breaches, it’s anyone’s guess whether this will be the year for a federal data privacy law.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
You may have seen reports on all the major national news channels here in the US about Nest cameras being hacked, which allowed an attacker to talk through the camera saying scary phrases like “I’m going to kidnap your baby, I’m in your baby’s room.” Most of these stories carry a lot of sensational headlines but without much context. So how are attackers gaining access to so many Nest cameras all of a sudden? The answer is actually pretty trivial, and it has to do with an attack called credential stuffing. Credential stuffing is where an attacker uses usernames and passwords obtained from previous data breaches to compromise user accounts on many different types of sites and services. Databases of usernames and passwords from previous data breaches are easily available, either for sale on the Dark Web or through some creative Google searching on the Internet. Once these credentials are obtained, the attacker uses a script or program to try logging into hundreds of websites until successful logins are found. Once the attacker has a successful login, other sites and services are then tried to see if the same password was used. And that is the key to this attack: if you use the same password for every site and service, you can easily become a victim of an attack like this. This is exactly what happened in the case of all these Nest cameras being hacked. So how do you prevent yourself from becoming a victim and having your Nest or other camera hijacked?
Well, it all goes back to basic password security. First, make sure you’re using a password manager, and always ensure you’re using a random, complex password for each site and service that you use. Second, always enable two-factor authentication whenever it’s available. In the case of Nest, they do have an option to enable two-factor authentication, but it’s not enabled by default. Check your Nest account settings and enable this feature. Other smart cameras, specifically Ring cameras, don’t have any option for two-factor authentication, so your best defense in those cases is a strong password. Your mileage may vary, as account security for all smart cameras and other Internet of Things devices is typically not very good at all and is always subject to change.
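The credential stuffing attack described above has a recognizable shape in a site’s own login logs, and this is an added example (not code from the podcast or from Nest) of how a defender can spot it: the log format, the sample lines and the thresholds are all constructed for the illustration.

```python
"""Spotting credential stuffing in authentication logs (added example).

Credential stuffing tries one breached password against many accounts, so its
signature is not "many passwords, one account" but "many accounts, one source,
mostly failures". This check groups login events by source address, slides a
time window over them and flags a source that hits many distinct usernames
with a low success rate; accounts that did succeed from such a source are
reported for a forced password reset. Log format and lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: one stuffing source (203.0.113.7) sweeping ten accounts
# with one hit, one ordinary user who mistyped a password twice, and one
# single-account brute force (192.0.2.9) that must NOT count as stuffing.
SAMPLE_LOG = """\
2019-02-11T09:30:00Z ip=198.51.100.23 user=alice@example.com result=FAIL
2019-02-11T09:30:20Z ip=198.51.100.23 user=alice@example.com result=FAIL
2019-02-11T09:30:45Z ip=198.51.100.23 user=alice@example.com result=OK
2019-02-11T10:00:01Z ip=203.0.113.7 user=user01@example.com result=FAIL
2019-02-11T10:00:02Z ip=203.0.113.7 user=user02@example.com result=FAIL
2019-02-11T10:00:03Z ip=203.0.113.7 user=user03@example.com result=FAIL
2019-02-11T10:00:04Z ip=203.0.113.7 user=user04@example.com result=FAIL
2019-02-11T10:00:05Z ip=203.0.113.7 user=user05@example.com result=FAIL
2019-02-11T10:00:06Z ip=203.0.113.7 user=user06@example.com result=FAIL
2019-02-11T10:00:07Z ip=203.0.113.7 user=user07@example.com result=OK
2019-02-11T10:00:08Z ip=203.0.113.7 user=user08@example.com result=FAIL
2019-02-11T10:00:09Z ip=203.0.113.7 user=user09@example.com result=FAIL
2019-02-11T10:00:10Z ip=203.0.113.7 user=user10@example.com result=FAIL
2019-02-11T11:00:00Z ip=192.0.2.9 user=admin@example.com result=FAIL
2019-02-11T11:00:10Z ip=192.0.2.9 user=admin@example.com result=FAIL
2019-02-11T11:00:20Z ip=192.0.2.9 user=admin@example.com result=FAIL
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "result": result}


def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=8, max_success_ratio=0.2):
    """Return {ip: summary} for sources whose busiest window looks like stuffing.

    A window is suspicious when it holds at least `min_users` distinct
    usernames and at most `max_success_ratio` of its attempts succeeded.
    Thresholds are illustrative; tune them to the site's normal traffic.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # username -> attempts currently in the window
        start, best = 0, None
        for end, event in enumerate(events):
            in_window[event["user"]] += 1
            # Slide the window forward: drop events older than `window`.
            while event["ts"] - events[start]["ts"] > window:
                old = events[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            if distinct < min_users:
                continue
            span = events[start:end + 1]
            hits = [e["user"] for e in span if e["result"] == "OK"]
            if len(hits) / len(span) > max_success_ratio:
                continue
            if best is None or distinct > best["distinct_users"]:
                best = {"distinct_users": distinct, "attempts": len(span),
                        "successes": len(hits),
                        "accounts_to_reset": sorted(set(hits)),
                        "window_start": span[0]["ts"],
                        "window_end": span[-1]["ts"]}
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, s in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['distinct_users']} accounts tried, {s['successes']} "
              f"succeeded -> force reset on {s['accounts_to_reset']}")
```

The single-account brute force and the user who mistyped a password are deliberately left unflagged, since the distinguishing signal is the number of distinct accounts per source, not the number of failures.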
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Jan 21, 2019 • 10min
Ring Doorbell Privacy Concerns, Recent Password Breach News, Biometrics and Fifth Amendment Rights
This is your Shared Security Weekly Blaze for January 21st 2019 with your host, Tom Eston. In this week’s episode: Ring doorbell privacy concerns, news on a recent password breach, and a new ruling on biometrics and Fifth Amendment rights.
Amazon, which now owns popular smart doorbell maker Ring, is being accused of mishandling video footage from customers’ cameras. In a report from The Intercept, Ring is accused of mishandling videos taken by its line of smart home security cameras and allowing internal employees unrestricted access to these videos. According to the article, in 2016 Ring moved its R&D operations to Ukraine as a cost-saving measure, and the team had “unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” On top of that, there was a database that allowed internal users to search for any videos linked to a particular user, and Ring executives and engineers in the US were allowed “unfiltered, round-the-clock live feeds from some customer cameras.”
Apparently, Ring uses this team in Ukraine to manually tag videos so that one day Ring’s AI technology could be trained to leverage this type of metadata. Videos from Ring’s line of smart cameras can include footage from both outside and inside someone’s house. Ring responded to The Intercept article with the following statement:
“We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.” There was more to their statement about their internal policies, but I think you get the idea. The Intercept’s sources for this story, of course, dispute these claims from Ring’s management.
While one can argue about the trustworthiness of this article, it does make a great point. If you’re using a smart device like a Ring doorbell camera that saves its video or data to the cloud, you should probably assume that someone else will most likely be able to view your data. Regardless of what the company’s privacy policy or terms of use say, there will always be ways for internal employees to access this data. Whether for customer support situations or for using your data to improve their own technology, companies will find creative ways to leverage incredibly valuable private information, especially from video feeds.
When you see articles with sensational titles like “Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach” you usually think that this is a pretty serious situation. However, in this day and age, don’t be so quick to jump to conclusions: in this case, these 773 million records with 21 million unique passwords are actually a collection of past data from many different data breaches. This data dump, called “Collection #1”, is approximately 87GB in size and was first analyzed by Troy Hunt, who manages the HaveIBeenPwned data breach notification service. Troy Hunt confirmed that this data was in fact made up of many different data breaches from many different sources. Brian Krebs from KrebsOnSecurity.Com went a step further and contacted the seller of this data to find out more details. In those discussions, the seller actually steered Brian away from “Collection #1”, saying that this data was at least 2-3 years old. The seller then tried to sell him more recent data which was less than 4GB in size and less than a year old.
So besides trying not to fall for “clickbait” articles like the one created by Wired, the moral of this story is that collections of data from previous data breaches are big business. Data like this can easily be repackaged and resold as a “recent” data breach with very few ramifications. The takeaway is that if your information was ever part of one of these data breaches, it can easily be recycled over and over to the highest bidder. As we always say, you should periodically think about your password management strategy. This should include using a password manager, choosing unique passwords for each and every site and service that you use, and using two-factor authentication (preferably app based) wherever possible or available.
Last week a US judge ruled that law enforcement cannot force individuals to unlock their mobile device through biometrics like a finger or face, whether or not a warrant has been issued. The judge, who was presiding over a case in the US District Court for the Northern District of California, says that forcing someone to unlock their device through biometrics violates the person’s Fifth Amendment rights against self-incrimination. This development is a long time coming, as previously it was viewed that law enforcement had the right to force people to unlock a device with their face or finger. Before this new ruling, law enforcement treated biometrics just like passwords, as suspects could be forced to unlock their device upon request. The judge has said, “There are other ways that the government might access the content that do not trample on the Fifth Amendment.”
You may remember that I mentioned this exact topic back in October of last year, when for the first time ever there was a documented case of law enforcement forcing an Apple iPhone X owner to unlock their device with their face. Now with this recent development, it’s great to see that technology like biometrics is being treated the same way as passcodes from a Fifth Amendment perspective. I’ll bet that future cases will challenge this ruling, but in the meantime, let’s call this latest ruling a victory for our privacy.

Jan 14, 2019 • 11min
US Government Shutdown, Privacy at CES 2019, Mobile Location Data Controversy
This is your Shared Security Weekly Blaze for January 14th 2019 with your host, Tom Eston. In this week’s episode: The US government shutdown and cybersecurity, privacy takes center stage at CES 2019, and a mobile location data controversy.
As of this podcast recording it’s been over 19 days since the US government shut down because Congress was unable to agree on a bill for border security. This has meant that about a quarter of all federal departments (about 800,000 federal workers) are furloughed and the government is unable to pay people working for these departments. While we patiently wait for Congress to figure out how to end the shutdown, there is now cause for concern that because of this shutdown, US national security and cybersecurity may be affected, now and even into the future.
Even in a government shutdown, cybersecurity threats to the nation are not going to stop; in fact, attackers love it when a company or government is in chaos, which means attacks will increase. Key departments like the new, two-month-old Cybersecurity and Infrastructure Security Agency (part of the Department of Homeland Security) have had about 45% of their staff furloughed. In addition, the DHS Office of Intelligence and Analysis and the Office of Operations Coordination (which both provide security intelligence to the private sector and the intelligence community) are also on furlough. It’s also important to note that other critical cybersecurity services like NIST (the National Institute of Standards and Technology) have 85% of their staff furloughed. NIST regulates federal agencies and provides security standards for the private sector, which include many new and updated risk management frameworks and guidelines on security controls. Besides cybersecurity, 90% of airport security TSA agents (who are actually quite underpaid) are working without pay, and that has caused many agents to call in sick or quit their jobs. And that means longer lines for you at the airport.
Let’s hope that Congress and the President can come to some type of compromise soon, or we may see longer-lasting impacts on US national cybersecurity.
Privacy took center stage at the Consumer Electronics Show in Las Vegas last week when Apple placed a giant ad on a 13-story building, which happens to overlook the CES convention center with the message “What happens on your iPhone, stays on your iPhone.” This ad included a friendly link to apple.com/privacy, which talks about how your data is protected by using Apple products. This is obviously a direct stab at competitors like Amazon, Google, and Facebook which have been continuously in the news about privacy issues and breaches of user data. Many of these stories we cover on this podcast every week.
But CES is also about new products and there have been a lot of privacy and security gadgets being shown off at this year’s show. All these new gadgets are connected to the Internet and almost all new products have some relation to privacy and security of user data. Smart speakers and their accessories in particular were a highlight of this year’s show. For example, a device called Mute+ from a startup called Smarte, creates a layer of protection to stop smart speakers from picking up sensitive conversations. And another product called Snips allows you to build voice activated products that run locally on the device and not in the cloud like Google and Amazon’s voice assistants. Because data is stored on the device, there is less of a data harvesting or privacy concern. According to research firm eMarketer, it’s now estimated that 74 million Americans will use smart speakers in 2019, an increase of over 15% from last year. It should be no surprise that Google Home and Amazon Echo devices control the majority of this market.
I’ve also been reading stories and talking with people about how more consumers are concerned that these smart speakers are always listening and recording every conversation like a very invasive spy device. Well, yes, these devices are always listening for key words to activate them (I could say one right now to activate your Amazon Echo…I’ll be nice), but both Google and Amazon are only recording and saving what you’re saying to the device. This data is then sent to their cloud services for processing and you hopefully get the information you were looking for. While you can go into the apps for these devices to see your previous recordings, and of course delete them, the bigger issue I think is what happens when these devices malfunction? I mean, how many times have you seen your Amazon Echo device just light up for no reason or start saying something when you didn’t even ask it anything? I find these devices are very prone to error and the technology still has a lot of growing pains. These ‘malfunctions’ prove many of the privacy concerns consumers rightfully have. So any improvements or new products that help increase the privacy of using devices like these will be more than welcome this year.
In surprising but not so surprising news, an investigation by Motherboard last week showed how a reporter, who gave a bounty hunter $300, was able to get the real-time location of a mobile phone through data that was sold by the major telecommunications companies to private third parties. In what I would call a fairly complex ecosystem, T-Mobile, AT&T, Verizon, and others routinely sell your real-time location data to what are called data aggregators, which then sell that data to other companies, which then sell the data to people like landlords, car salesmen, people conducting credit checks and of course shady data dealers like bounty hunters. In the Motherboard story, data aggregator firm Zumigo had sold data to a credit reporting company called MicroBilt, which sold the real-time location of the mobile phone for only $12.95. Of course, as you might expect, the major telecoms like T-Mobile all stated that “protecting our customers’ privacy and security is a top priority, and we are transparent about that in our Privacy Policy…”. T-Mobile and others have since removed data access for this one particular data aggregator, but it begs the question: how many more of these relationships do the major telecoms have?
If this story seems strangely familiar, well, it is. Back in May of last year on the show I discussed another very similar situation where a company called Securus was providing real-time mobile phone location data to law enforcement without a warrant. This was in addition to news of another situation where a data aggregator called LocationSmart had a vulnerability in its website which allowed anyone to query the exact location of any phone on any major US carrier. It seems that we will see more of these situations this year, which begs the question: why is there no accountability, and what will the US government do about it?

Jan 9, 2019 • 25min
Cybersecurity Careers, Recruiting, and Volunteering with Kathleen Smith
New year, new Cybersecurity job? If you’re looking for a new job or just starting out in Cybersecurity you’ll want to listen to this episode of our monthly show where we’re joined by special guest Kathleen Smith, CMO of ClearedJobs.net and CyberSecJobs.com. We discuss Kathleen’s recent survey on people who advance their career by volunteering in the Cybersecurity community, the Hire Ground career track at the BSides Las Vegas cybersecurity conference, how to work with recruiters and job boards, why you should plan (rather than react) when you look for a new job, and much more!
Thanks again to Kathleen for being a guest on our show! Be sure to connect with Kathleen on Twitter.

Jan 7, 2019 • 9min
Newspaper Ransomware Attack, How Facebook Tracks You on Android, USB-Type-C Authentication
This is the 50th episode of the Shared Security Weekly Blaze for January 7th 2019 with your host, Tom Eston. In this week’s episode: Newspaper Ransomware Attack, How Facebook Tracks You on Android, and USB-Type-C Authentication
Several large newspapers in the US, owned by media giant Tribune Publishing, started off 2019 by having to respond to a massive ransomware attack that caused major printing and delivery problems. Newspapers affected included the Chicago Tribune, the Baltimore Sun, the Los Angeles Times, as well as several other Tribune Publishing affiliates. The attack, which started on December 29th, targeted critical news production systems and other infrastructure responsible for the newspaper printing process. According to the Los Angeles Times, the attack appears to have been carried out by a foreign state or other such organization, and some sources with knowledge of the attack have said that the malware appears to be a form of “Ryuk” ransomware, which is typically very targeted and has been around since last August; one particular form of Ryuk was found to have collected about $640,000 worth of Bitcoin from victims.
Of course, some are quick to blame the Russians due to the .ryk naming convention found on the encrypted files that the malware left behind, and because most attacks these days seem easy to attribute back to Russia. However, the origins of Ryuk ransomware may actually be tied to North Korea, as a research report last year revealed that some of the Ryuk source code was actually copied from the Hermes ransomware that was used by the Lazarus Group. The Lazarus Group just happens to be a nation-state espionage team previously associated with North Korea. As we all know, attribution is hard. Ransomware source code can be copied and easily reused by others. The best response for most organizations that are hit with ransomware, as in this most recent example, is to ensure you know how to respond to an attack like this, since for most organizations being hacked will most likely happen sometime in the future.
A talk given by UK-based Privacy International at the 35th Chaos Communication Congress hacking conference last week showed that many popular Android applications send tracking information to Facebook even if you don’t have a Facebook account. The research focused on 34 Android applications that have between 10 and 500 million users. By decrypting and analyzing all the third-party trackers the apps were using, the researchers found that 23 of these apps were sending data to Facebook such as whether the app was opened or closed, device information, language and time zone settings, and the user’s Google advertising ID, which can allow companies like Facebook to conduct profile matching. The talk also pointed out that what Facebook is doing is in line with what other companies like Google, Amazon and Twitter do, which is to offer analytics services for application developers. Other points from the talk included criticism of Facebook for controlling the collection of user information only through contractual and legal means, and that Facebook’s current opt-out cookie policy had no effect on the data the researchers examined. Facebook responded to the talk by noting that its upcoming “Clear History” feature, which was one of the developments to come out of the Cambridge Analytica scandal, would be a way for users to remove this data sent by third-party apps.
This is just the latest in a long string of seemingly endless data breaches and mishandlings of personal data by Facebook. Now that it’s 2019, will we see more data mishandling issues and breaches from Facebook? Or have they made a New Year’s resolution to finally make changes to help protect our private information?
The non-profit USB Implementers Forum, also known as USB-IF, has announced a new program to support a new optional security specification called USB Type-C Authentication. This new specification defines cryptographic-based authentication for USB Type-C chargers and devices. This will allow systems to confirm the authenticity of a USB device or charger and will even allow devices to work only with manufacturer-certified chargers. What this means for you is that this improvement to USB Type-C can reduce the risk of malicious charging stations, make it harder for law enforcement or others to copy data off of a mobile device, or prevent embedded malware installed on USB hardware from exploiting your device. No dates or other details were given in the announcement, but it’s good to see some progress being made on the security of USB, which is now the most common way we interface other hardware with our PCs, mobile phones and other devices. Perhaps now it’s starting to make more sense why more and more manufacturers, like Apple, are ditching the old style USB 2 and 3 and moving towards USB Type-C.

Dec 31, 2018 • 9min
Phishing Attack Targeting Two-Factor Authentication, Amazon Echo Eavesdropping, Netflix Email Scam – WB49
This is your Shared Security Weekly Blaze for December 31st 2018 with your host, Tom Eston. In this week’s episode: a new phishing attack targeting two-factor authentication, Amazon Echo eavesdropping, and a new Netflix email scam.
As this is the last episode in 2018, I wanted to thank all of you for listening and supporting the podcast this year! Happy New Year and we look forward to helping you stay more secure and private in 2019!
A recent report from Amnesty International shows that there is a large phishing campaign taking place targeting hundreds of individuals in the Middle East and North Africa. The campaign seems to be targeting email accounts from Google and Yahoo as well as the more secure email services ProtonMail and Tutanota. In the case of attacks targeting ProtonMail and Tutanota, the attackers simply added the letter ‘e’ to the end of ‘proton’ in the domain name ‘protonmail.ch’, and with Tutanota they used the domain ‘tutanota.org’, whereas the real domain is ‘tutanota.com’. While these two techniques are very common in many similar phishing attacks, these are specifically designed to bypass common forms of two-factor authentication such as text message based methods. Essentially, the attackers set up a login page for an email service, and in the background some fancy scripting acts as a proxy to the real email service while you enter your login credentials and then the two-factor authentication code sent to your phone. This attack could even work against app based two-factor authentication like Google Authenticator as well. Mitigations for this type of phishing attack are the typical ones we always recommend, like carefully looking at the web address in the email or the address bar of your web browser, and using a newer but more secure form of two-factor authentication such as a hardware security key from companies like Yubikey and others.
I found it interesting that the details in this report were specifically directed towards human rights defenders, because they are almost always targeted by nation-state governments through phishing attacks like these. But as we continue to see what I would call an arms race between us and attackers using more creative ways to conduct phishing campaigns, it’s more important than ever to take the stance of ‘think before you click’. In fact, phishing attacks like the ones described in this report are becoming so common that it’s advisable to never click on links in an email altogether. Instead, manually type in the web address of the site you’re being prompted to click on.
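The two domain tricks above, an inserted letter (‘protonemail.ch’) and a swapped top-level domain (‘tutanota.org’), can be caught by a mechanical check before anyone clicks, and this is an added example (not code from Amnesty International or from the podcast) of such a check run against an allow-list of the services a user actually uses. It goes one step beyond the report by also catching a real brand name buried inside a longer host; the allow-list and the URLs are constructed, and the registrable domain is approximated as the last two labels.

```python
"""Flagging lookalike login domains in phishing links (added example).

Compares the registrable domain of a link against an allow-list of known
services and names the trick it finds: a swapped top-level domain
(tutanota.org for tutanota.com), a one-character typosquat (protonemail.ch
for protonmail.ch), or a real brand buried inside a longer host
(protonmail.ch.example.net). The allow-list and URLs are constructed.
Caveat: the registrable domain is taken as the last two labels, which is
wrong for suffixes like 'co.uk'; a real deployment would use the public
suffix list instead.
"""
from urllib.parse import urlsplit

# Constructed allow-list: every domain the user legitimately logs in to.
# Any real domain missing here (e.g. protonmail.com) would be misreported,
# so the list must be complete for the services in use.
KNOWN_DOMAINS = {"protonmail.ch", "tutanota.com", "google.com", "yahoo.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Approximate registrable domain: the last two DNS labels (see caveat)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, known=KNOWN_DOMAINS):
    """Return (verdict, detail) for a link.

    verdict is one of: legitimate, tld-swap, lookalike, embedded-brand,
    unknown. Only 'legitimate' is safe to click; for anything else, type the
    service's address by hand instead.
    """
    host = urlsplit(url).hostname
    if not host:
        return "unknown", "no host in URL"
    domain = registrable_domain(host)
    if domain in known:
        return "legitimate", domain
    label, _, tld = domain.rpartition(".")
    # Same name, different top-level domain: tutanota.org vs tutanota.com.
    for good in known:
        good_label, _, good_tld = good.rpartition(".")
        if label == good_label and tld != good_tld:
            return "tld-swap", f"{domain} imitates {good}"
    # One insertion, deletion or substitution away: protonemail vs protonmail.
    for good in known:
        if edit_distance(label, good.rpartition(".")[0]) == 1:
            return "lookalike", f"{domain} is one edit away from {good}"
    # A known domain used as a leading subdomain of an unrelated host.
    for good in known:
        if f".{good}." in f".{host.lower()}.":
            return "embedded-brand", f"{good} appears inside {host}"
    return "unknown", domain


if __name__ == "__main__":
    for link in ("https://protonemail.ch/login", "https://tutanota.org/",
                 "https://mail.protonmail.ch/inbox",
                 "https://protonmail.ch.example.net/", "https://example.org/"):
        print(link, "->", classify_link(link))
```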
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
Visibility into workload communication pathways;
Security policies built on the cryptographic fingerprint of the software;
The ability to apply policies and segment your networks in one click; and
A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Did you receive an Amazon Echo device as a gift over the holidays? Well you may want to pay attention to this story as a man in Germany got much more than he asked for when requesting a copy of all the data Amazon had about him. Apparently, when Amazon sent him the download link to his data, he was accidentally given access to 1,700 private audio recordings from an Amazon Echo device that were generated by a completely different household. The man requesting his data from Amazon said he doesn’t even own or use an Amazon Echo device. A spokesman for Amazon told Reuters last week that, “This unfortunate case was the result of a human error and an isolated single case”. You may recall that this incident follows other similar Amazon Echo issues this past year of Echo devices sending conversations to others that were not the intended recipient.
Does it seem surprising that “human error” is the cause of this most recent issue? Keep in mind that a data request system, which you would think would be fully automated, is in practice a very complex set of internal systems handling potentially thousands of requests, so we should not be surprised to hear of issues like this. The GDPR, the EU data privacy law, gives people in the EU the right to request a copy of the data that companies like Amazon hold about them. This is a huge win for individual privacy, but it also means companies need to make sure the internal systems that fulfil these requests are properly designed and maintained, so that human error and other mistakes don’t end up creating new privacy problems.
In other phishing related news, ’tis the season for a new phishing scam targeting Netflix customers. Last week the Federal Trade Commission in the US published an alert to consumers about a phishing email stating that the victim’s Netflix account is ‘on hold’ because the company is having trouble with their current billing information. The email urges the user to click a link to update their payment details, and we all know what happens after that. In the case of this phish there are several clues that it is a scam: an international support phone number, the British spelling of “centre”, and a greeting of “Hi Dear” instead of the victim’s name.
Ironically, in our previous story we talked about how phishing attacks are getting more sophisticated, yet very simple phishing scams like this one, bad grammar and all (unless you’re British), continue to be highly effective. Be safe out there, and don’t forget to tell your friends and family to be on the lookout for an increase in phishing scams, which always seem to spike right after the holidays.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Phishing Attack Targeting Two-Factor Authentication, Amazon Echo Eavesdropping, Netflix Email Scam – WB49 appeared first on Shared Security Podcast.