Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Dec 26, 2018 • 54min

The Year in Review and 2019 Predictions with Special Guest Kevin Johnson

Watch this episode on our YouTube channel! In this year-end episode of the podcast, we’re joined by frequent guest Kevin Johnson to recap the big cybersecurity and privacy news of this past year, talk about a little movie called Star Wars, and have some fun discussing our “predictions” for what’s to come in 2019. The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks. Thank you to our listeners and sponsors for an amazing year! We really appreciate your support of the show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post The Year in Review and 2019 Predictions with Special Guest Kevin Johnson appeared first on Shared Security Podcast.
Dec 24, 2018 • 11min

Healthcare Databases Exposed, Facebook’s Photo API Bug, Signal Speaks Out – WB48

This is your Shared Security Weekly Blaze for December 24th 2018 with your host, Tom Eston. In this week’s episode: Healthcare databases exposed, Facebook’s Photo API bug, and Signal speaks out.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

A new report called “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” from threat intelligence firm IntSights, shows that about 30 percent of all healthcare databases end up unsecured and exposed to the Internet. Key findings included 90 hours of research that found 15 exposed databases containing 1.5 million patient records. Based on their calculations this results in approximately 16,667 medical records discovered. Other interesting information from the report notes that the estimated price on the black market is $1 for a single medical record. Exposed databases were found using popular cloud data storage and sharing databases like Elasticsearch or MongoDB. Exposed and misconfigured Elasticsearch databases in particular have been a source of countless data breaches this year, including one that we discussed on the podcast, the Exactis data leak, which exposed 340 million records back in July.
Other interesting attack vectors found that led to healthcare databases being exposed include legacy and outdated file sharing protocols such as SMB and FTP, as well as misconfigured APIs and, of course, our favorite, weak passwords. Recommendations from the report include the always standard security recommendations, such as enabling two-factor authentication for web applications, limiting third-party access to databases, closely monitoring databases for unusual reads or requests, limiting database access to specific IP ranges and conducting penetration testing to find exposed systems and vulnerabilities. One recommendation I would add is for healthcare organizations to evaluate what systems and databases may be exposed to the Internet and to have a process for discovering exposed systems on a continual basis. Certainly, penetration testing can be used for a point-in-time assessment, but using vulnerability scanning and other discovery services on all company owned or third-party managed systems that are exposed to the Internet should be part of any good cybersecurity program.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication.
Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Facebook recently announced yet another vulnerability that affected nearly 6.8 million of its users. Apparently, a bug in Facebook’s Photo API allowed third-party apps being used by Facebook developers to access not only the users’ private photos that they were authorized to access, but also photos that were shared on Facebook’s Marketplace, Facebook Stories, or photos that were uploaded but not posted by the user. For example, if someone uploads a photo but doesn’t finish posting it, those photos may have been exposed. Facebook says that this bug only impacted users for 12 days, from September 13th to September 25th of this year, and that this issue has been corrected. If you were impacted by this vulnerability, Facebook states that you will see an alert pop up when you log in to Facebook. Facebook also recommends logging into any apps with which you may have shared Facebook photos to see which photos these apps may have access to. This most recent issue is a great reminder that you should frequently review the third-party apps that you may have given permission to view personal data from your Facebook account. If you’ve been a long time user of Facebook, it’s easy to forget about all the apps that you may have given various types of permission to your personal data. To see what third-party apps have access to your data, log in to Facebook and then visit your Settings, then click on “Apps and Websites”. On this page you can see all the apps that have access to data from your Facebook profile. You can either remove access or, in some cases, change the level of permissions for each third-party app. If you’ve never visited these settings before, you may be surprised how many different apps have access to your data.
One way that Facebook makes it easy for developers to access your data is through the Facebook login that you see embedded in many popular sites and services that you may use. Oftentimes, it’s easy to choose convenience over privacy because it’s so easy to just log in with Facebook rather than creating a whole new set of user credentials. The key here is for you to make the best decision for you and your level of risk. If you’re ok with a third-party company getting information from your Facebook profile, and in some cases, information you were going to give them anyway, it may not be that big of a deal. However, keep in mind, when Facebook has a vulnerability like the one they just announced, it’s not just the third-party that has your data but Facebook has it as well.

Signal, the popular end-to-end encrypted messaging app, said this past week that they would not give in to any requests made under a new law in Australia related to the “Assistance and Access” bill. This law requires that companies provide a way to access encrypted communications and can even impose massive fines on companies and individuals who do not comply. In a blog post from Signal, they are quick to note that by design Signal does not have a record of any conversations, contact lists or other profile information and that “the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom”. Signal even points out that the Prime Minister of Australia uses their application to prove the point that everyone benefits from the way that Signal was designed, even the people trying to enforce laws that make no sense in an ever-increasing digital and online world. This is not the first time that governments around the world have either tried to ban encryption or compel companies into creating backdoors into applications and products to circumvent encryption.
Here in the United States back in 2016, a federal judge asked Apple to help the FBI unlock an iPhone that belonged to the San Bernardino mass shooter. Ironically, even after the case went to court, the FBI never needed Apple to build an encryption backdoor since the FBI had paid a third-party firm called Cellebrite to unlock the phone for them. This latest example will not be the last case of a government that doesn’t have a good understanding of why banning encryption or creating backdoors within popular end-to-end encrypted communications software weakens protection for everyone.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Healthcare Databases Exposed, Facebook’s Photo API Bug, Signal Speaks Out – WB48 appeared first on Shared Security Podcast.
Dec 17, 2018 • 10min

Equifax Data Breach Details Released, More Google+ API Bugs, Supermicro Strikes Back – WB47

This is your Shared Security Weekly Blaze for December 17th 2018 with your host, Tom Eston. In this week’s episode: Equifax data breach details released, more Google+ API bugs and Supermicro strikes back.

A report released last week from the U.S. House of Representatives Committee on Oversight and Government Reform about the Equifax data breach, known as the largest consumer data breach in US history, shows that the breach could have been entirely preventable. The 96-page report, which we’ve linked in the show notes for a very stimulating and exciting read, goes into great detail on how attackers were able to exploit an Apache Struts vulnerability on an application called the Automated Consumer Interview System (also known as ACIS). For 76 days Equifax failed to detect the breach even though massive amounts of data were being exfiltrated. The report said, “Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times”. The breach went undetected because the device used to monitor ACIS network traffic was inactive for 19 months due to an expired SSL certificate on the data exfiltration monitoring system.
Ironically, at the same time, Equifax had also allowed at least 324 other SSL certificates to expire, “including 79 certificates for monitoring business-critical domains”. Once the SSL certificate was renewed for the data exfiltration service, it was then immediately identified that a data breach was taking place. One of the interesting highlights I noticed in the report was about how the attackers were able to deploy 30 “web shells” (which are essentially backdoors) across the Equifax network due to the Apache Struts vulnerability. Because of these web shells, they were able to find a file containing unencrypted credentials which gave them access to 48 databases outside of the ACIS environment. After that, the rest is history. The other shocking, but not so shocking, part of the report was the very passive and pretty much voluntary recommendations from the committee. Some of the recommendations include requiring credit agencies to offer a free summary of all data that they’ve collected about you, considering offering more than one year of pre-paid identity theft protection, and giving the Federal Trade Commission more power to monitor data security practices of credit agencies like Equifax. There was no mention of any federal law or government enforcement that would penalize credit agencies for maintaining poor cybersecurity. In my opinion, this is unacceptable. How many more data breaches will it take for the government to take the security and privacy of our personal data seriously? Only time will tell and we have a brand new year coming up to find out.

Google announced this week that they are expediting the shutdown of Google+ from August 2019 to April and that the Google+ API will be retired in 90 days. Why the sudden change? Well, back in November a software update caused a vulnerability in the Google+ API that may have impacted 52.5 million users. This vulnerability was found through internal testing procedures and it was fixed within a week of it being found. The vulnerability meant that apps using the Google+ API that requested permission to view certain profile information, like name, email address and more, were granted permission to view profile information about a user even when it was set to not-public. In addition, apps with access to a user’s Google+ profile also had access to profile data that had been shared with approved users but was not publicly shared. The good news is that Google says that there is no evidence that app developers had accessed or abused this information before Google fixed the issue. You may remember that back in October Google announced another similar vulnerability in the Google+ API that exposed the private information of 500,000 Google+ users. That initial vulnerability led Google to decide to retire the struggling Google+ social network altogether.
I don’t think many of us are going to miss Google+, I know I never used it and I’ll bet you never did either. Hopefully, because of this issue with Google+, Google is testing other similar APIs in their infrastructure for vulnerabilities to prevent this same issue from happening in the future.

Supermicro, the company at the heart of the controversial Bloomberg report from this past October, which said tiny chips were installed into their boards by the Chinese government, released a letter and YouTube video this past week to customers stating that their own internal audit found no evidence of any tampering with the company’s servers or supply chain. The letter states that a leading third-party investigations firm was hired for the audit and that motherboard models mentioned in the Bloomberg article were tested, including several recent products. This letter follows other major tech companies like Apple and Amazon (who happen to be Supermicro customers) as well as representatives of the Department of Homeland Security, the director of National Intelligence, and the director of the FBI, which have all denied and questioned the truth of claims made by the Bloomberg report. Bloomberg still sticks to its story even though details about their sources have been very sketchy. Even more so after a subsequent Bloomberg story said that the Chinese government had implanted spy chips in Supermicro hardware inside a major telecommunications provider. The source of this story came from a company called Sepio Systems but due to non-disclosure agreements with Bloomberg, the telecommunications company has remained unnamed. I think now, with this latest news, the Bloomberg story has even less credibility than when it was first announced. Sure, the Chinese may be capable of infiltrating a supply chain with tainted hardware. However, I think there is something fishy about this story and we should pay attention to the facts and not always trust media speculation without hard evidence.
The post Equifax Data Breach Details Released, More Google+ API Bugs, Supermicro Strikes Back – WB47 appeared first on Shared Security Podcast.
Dec 10, 2018 • 10min

The Quora Data Breach, Facebook’s Private Emails, Google Location Tracking – WB46

This is your Shared Security Weekly Blaze for December 10th 2018 with your host, Tom Eston. In this week’s episode: the Quora data breach, Facebook’s private emails, and Google location tracking.

Be sure to enter our Silent Pocket Faraday Bag giveaway currently taking place until December 17th 2018. This prize package is valued at over $100! See our show notes for the link to enter and good luck! ENTER THE SILENT POCKET GIVEAWAY: https://kingsumo.com/g/ydnieb/silent-pocket-faraday-bag-prize-package

Another week and yet another massive data breach. This time the company is Quora, the popular question-and-answer website. In an announcement last week Quora disclosed that 100 million users may have had their private information stolen when a malicious third-party gained access to one of Quora’s systems. Quora states that the issue was discovered on November 30th and that the investigation is ongoing. However, they did disclose that account information, which is name, email address, encrypted password hashes (apparently using bcrypt with a salt), data imported from linked networks, public content and actions, as well as non-public content such as direct messages, have all been compromised.
One interesting point they made was that anonymous questions and answers were not affected by this breach because Quora does not store details of anonymous users using their site. If you’re a Quora user, the typical data breach recommendations apply. Change your password and don’t use the same password for every site and service that you use. I did find it surprising that they did not mention enabling two-factor authentication. That’s because, unfortunately, two-factor authentication is not available for Quora’s users (at least as of this podcast recording). Just two weeks ago Marriott announced that 500 million customers had their personal information stolen as well. Just as an update to this news, recent reports from Reuters now indicate that Chinese nation-state hackers may have been to blame, as private investigators looking into the breach have found hacking tools and techniques previously attributed to China. Having yet another announcement of a data breach that reaches into the hundreds of millions is becoming so common, I think many of us believe that this is just the new normal. While there isn’t much we can do about how third-party companies are protecting our information, what is under our control is the very basics of good cybersecurity practices, and that is password management. Which means you should be using a password manager, creating complex and unique passwords for every site that you use, and always enabling two-factor authentication if available.

Facebook was in the news again this past week when private internal Facebook emails were disclosed in documents provided by the UK Parliament during a recent government panel that is investigating Facebook. The emails paint a very clear picture that back in 2012, many years before the Cambridge Analytica scandal, Facebook was looking for ways to monetize the private information it had about its users. One of the ideas discussed with Facebook CEO Mark Zuckerberg was about charging apps and developers for access to user data, at about 10 cents per every data user request per year, but Zuckerberg rejected that approach and went with the one that is currently being used today, which is to get people to share more information on Facebook. Other interesting emails within the disclosure show that there were internal discussions on how to move Facebook to more mobile platforms instead of desktop and laptop computers, which was more of a threat to their revenue model. In one of these emails they go as far as discussing how Facebook could gain access to call logs on Android phones without the user being alerted. These emails indicate that Facebook would rather decide to risk it, try to hide it through an app upgrade and deal with the public relations fallout later if anyone ever found out.
Look, we should all know by now that you and your information are the product when we talk about Facebook’s business model. Even with all the scandals surrounding Facebook, their business model, to monetize your data, is not going to change. What can change is what you want to do about it. Will you continue to allow your private data to be used so that Facebook can make more money? Have you really thought about the risk vs. the rewards of using Facebook? These are all questions to ponder but no matter what Facebook does, ultimately, it becomes your risk decision to use Facebook or not because no one else can make that decision for you.

The BEUC, a large consumer organization in Europe that has members from 43 countries, said that 7 of those member countries will be filing complaints against Google for breaching the GDPR, which is the well-known General Data Protection Regulation in Europe. The complaint concerns the way that Google tracks and handles users’ location data, which was specifically called out in a report from the Norwegian Consumer Council. The report states that Google’s design around privacy controls such as ‘Web & App Activity’, which is turned on by default, and ‘Location History’, which stores details about you and your location down to nearby Wi-Fi hotspots and even the battery level on your phone, are deceptive in that users may not be aware that this information is being tracked, and also that the settings themselves to turn certain features on or off are confusing to users. This is also not the first time Google has been in hot water regarding how they handle location data of its users. Just this past October, a class action lawsuit here in the US was started, which is accusing Google as well as Facebook of tracking users’ locations even after users have turned off or opted out of location tracking.
If you would like to see all the personal data that Google has collected about you, visit myaccount.google.com and click on the “My Activity” link. The post The Quora Data Breach, Facebook’s Private Emails, Google Location Tracking – WB46 appeared first on Shared Security Podcast.
Dec 3, 2018 • 13min

Massive Marriott Data Breach, Secure Holiday Shopping Tips, Phishing Sites Using HTTPS – WB45

This is your Shared Security Weekly Blaze for December 3rd 2018 with your host, Tom Eston. In this week’s episode: the massive Marriott data breach, secure holiday shopping tips, and phishing sites using HTTPS.

In late breaking news last Friday, Marriott, the world’s largest hotel chain, disclosed a massive data breach that was identified on September 8th of this year affecting up to 500 million guests. That will make this data breach one of the largest in history. Apparently, the Starwood guest reservation database had been accessed by an “unauthorized party” since 2014; yes, that’s correct, someone had access to this database for 4 years. Private information stolen was categorized by Marriott in two groups of guests. First, approximately 327 million guests had some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences accessed. Some of these guests also had their credit card information accessed, even though Marriott states it was encrypted. However, Marriott disclosed that two components used to encrypt the cards (aka: the encryption keys) were potentially stolen as well.
For the remaining 173 million guests only name and sometimes other data such as mailing address, email address, or other information was accessed. In our show notes we’ve linked to a web page that Marriott has set up where you can find additional details as well as sign up for your “complimentary” monitoring service if you’re one of the victims. If you happen to be a victim, like with other data breaches you should change your password for any Starwood Hotels or Marriott rewards program. And while you’re at it, ensure you’re not saving your credit card details for future use. In general, it’s always advisable to never store your credit card with the sites and services you use. While it’s an inconvenience, the majority of the time credit card data, even when it is encrypted, is compromised in a data breach when the encryption keys are also found. Per the other usual advice we give, enable two-factor authentication and of course, closely monitor your credit card statements for unusual activity. As this story will likely evolve throughout the week, we’ll keep you updated on our Twitter and Facebook with information about this data breach as we receive it.

The holiday shopping season is upon us, which means we all need to be more aware of fraud and scams that may be targeting us while we shop online. According to an article from CBS News, Dave Kennedy from cybersecurity firm TrustedSec says that they are seeing “a 317 percent increase in these attacks, compared to the average month”. Why might this be the case? Besides the fact that all of us are spending more money compared to other months, the holidays tend to add a lot of additional stress and pressure that can cause us to be more susceptible to scams and fraud. Scams to look out for this holiday season are ones that may lure you with online coupons, discounts, fake ads and threats like ones that state “you must act now because supplies are limited”. The bottom line is to be more aware that scams around the holidays will attempt to get an emotional response from you that will result in some type of action that you might take, such as clicking on a malicious link or entering personal information and credit card details. Oftentimes, scams will be disguised as charity requests targeting the poor or even animal rescues. There is nothing worse than seeing some poor puppy or kitten in need, especially around the holidays. See what I did there? Some of these scams will even try to use passwords from previous data breaches targeting you in email phishing attempts. For example, there have been recent phishing scams that, within the email, will include a password that you may have used in the past and say that they know your password and will attempt to extort you for money.
These passwords are found in publicly available databases of past data breaches. Now, if you happened to use the same password for every site and service that you use this scam would probably cause you a rather urgent emotional response, which is exactly what the scammer is going for. So what are the top three tips to protect yourself from online scams and fraud this holiday season? First, be cautious of any email, web or social media advertisement attempting to generate an emotional response from you. Think before you click but if it looks to be a legitimate offer or you’re not sure, you’re better off visiting the site or service by manually typing in the web address in your browser. Second, do a little research on the company and the site that may be selling a product before you make a purchase. You can do this through some simple Google searches for the company or by checking reviews through Amazon and other marketplaces. A lot of times during the holidays, scam sites will show up that might look exactly like popular sites you may have done business with in the past, so be sure to carefully review the URL (aka: the domain information in the address bar of your browser) to make sure you’re not visiting a phishing site. You should also be careful with sellers on Amazon and similar large online retailers. There have been cases of legitimate merchants having their Amazon seller accounts hacked and some scammers can put up fake marketplaces which offer popular toys and other hot items at deep discounts which end up stealing your money or sending you a broken version of the item you were attempting to buy. Lastly, as we mentioned in episode 43 of the podcast when we discussed how to prevent credit card fraud, never use a debit card for your purchases. Instead, use a credit card. 
Even if your bank says that you have zero liability for debit card transactions, you still lose that money out of your checking account instantly and it can take weeks for your bank to reimburse you that money. And that’s definitely something you don’t want to happen right around the holidays. A recently released study by PhishLabs has shown that almost half of all phishing sites now use HTTPS encryption to trick you into thinking that a phishing site is legitimate. According to Brian Krebs from KrebsOnSecurity.com, the report found that “49 percent of phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.” This trend is concerning since in the past security professionals and awareness campaigns have said to “look for the lock” to ensure that a site is “secure” and safe to submit your sensitive data. The “look for the lock” education was never the best advice because the lock only means that the information you submit through a website is secured in transit through the use of HTTPS, also known as SSL encryption. It does not mean that the site is legitimate or free of other vulnerabilities which could lead to your data being compromised. So how can something good, like HTTPS encryption, also be leveraged by attackers? First, it’s easier than ever to obtain a legitimate and free SSL certificate through projects like Let’s Encrypt. This is actually a good thing as HTTPS encryption helps secure your information in transit which prevents surveillance by an attacker that might be trying to access your data while it’s being transmitted. With the push by tech companies and other privacy advocates, it’s more important than ever to ensure websites are all using HTTPS. However, on the other hand, the barrier for entry to obtain a legitimate SSL certificate is now very low. 
You don’t have to provide an ID or even other documentation that you own a site or are using the SSL certificate for a valid and legal purpose. I think it goes back to re-educating all of us on the real purpose of HTTPS encryption, which is that it can only provide protection for the information you send and receive from a site, and should not be used as a way to ensure a site is secure and safe to put your information in to. Of course, you should ensure that a site is using HTTPS encryption before putting in sensitive information but specifically, to detect phishing attacks, awareness starts with the email that you receive and the clues which indicate that the email may be a phishing attempt. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Massive Marriott Data Breach, Secure Holiday Shopping Tips, Phishing Sites Using HTTPS – WB45 appeared first on Shared Security Podcast.
Nov 30, 2018 • 38min

Special Guest Tanya Janca, DevOps and AppSec, Women in Cybersecurity – #82

In this episode Tom and Scott are joined by special guest Tanya Janca who is a Senior Cloud Developer Advocate for Microsoft. We speak with Tanya about her journey into the world of AppSec, women and minorities in Cybersecurity, her advice for getting started in AppSec, her OWASP project (DevSlop), the current state of DevOps and privacy, and much more! Tanya is one of our most fun and engaging guests, it’s one not to miss! Below are show notes and links mentioned in the podcast: Tanya’s blog on Medium and her article on getting started in AppSec. Follow Tanya on Twitter. You can try connecting with her on LinkedIn but she’s maxed out her connections! (we didn’t even know this was possible) Tanya hosts a weekly live streaming OWASP DevSlop show every Sunday at 1pm Eastern. Check it out on Mixer, Twitch, or YouTube. You can also watch this episode with Tanya on YouTube! Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel.  Thanks for listening! The post Special Guest Tanya Janca, DevOps and AppSec, Women in Cybersecurity – #82 appeared first on Shared Security Podcast.
Nov 26, 2018 • 10min

Vehicle Infotainment Privacy, Instagram’s Accidental Password Exposure, Firefox Monitor – WB44

This is your Shared Security Weekly Blaze for November 26th 2018 with your host, Tom Eston. In this week’s episode: Vehicle infotainment privacy, Instagram’s accidental password exposure, and the Firefox monitor data breach notification service. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. A new Bluetooth vulnerability and exploit that affects millions of vehicles worldwide, called CarsBlues, was announced by Privacy4Cars founder Andrea Amico. The exploit, which has been disclosed to auto manufacturers through the Automotive Information Sharing and Analysis Center (or Auto-ISAC as it’s also known), can be performed in a few minutes using inexpensive and readily available hardware and software and apparently does not require significant technical knowledge. Information that could be accessed through the vulnerability includes stored contacts, call and text logs and text messages. While exact details on the vulnerability have not been released, Privacy4Cars has said that people most vulnerable would be those that may have synced their phones to cars that are no longer under their control like rental cars or leased vehicles. 
Privacy4Cars, which offers a free mobile app that shows you how to delete your private data that you may have synced to a car, notes that “industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems”. This recent news is a great reminder that we all need to be cautious syncing our phones and devices to our car, especially when we’re syncing our phones to rental cars or we’re in situations where we may be dropping our cars off for repair. I know I’ve noticed that when simply plugging in my phone to the built in USB charger in a rental car, the infotainment system will often times automatically sync your contacts and text messages. If you’re not familiar with how to delete your synced information or if you need to find out how to reset the car’s infotainment system, check out the Privacy4Cars app which we have linked in the show notes for this episode. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. 
Instagram said last week that they have fixed a vulnerability in its new “download your data” feature that may have inadvertently exposed users’ passwords. The download your data feature is a recently added privacy enhancement that allows you to download all your photos, comments, posts and other information you may have shared with Instagram. The issue was caused by a feature for added security where Instagram asks you for your password before downloading your data. A vulnerability in this security feature allowed the plain text password to be included in the URL as well as stored on Facebook’s servers. Both of these issues were identified by internal Instagram staff. As you all should be aware, Instagram is part of Facebook and uses Facebook’s servers and infrastructure. The good news is that the issue has been corrected and the password data has been deleted. If you happened to be affected, Instagram will notify you to update your password as well as clear your browser cache. It’s worth noting that Instagram added the “download your data” feature to comply with the new European data privacy regulations we all know and love as GDPR. Back in October, Facebook fixed a more serious vulnerability in the “View As” feature which allowed unknown attackers to steal access tokens for approximately 30 million Facebook users. Any new feature, especially one that is used for better privacy or security, should be carefully reviewed for security vulnerabilities just like all other code within an application. Let’s hope that Facebook’s developers and security teams are taking the approach of ensuring future features are vulnerability free before putting them out to the public. Did you know that Mozilla, the maker of the Firefox web browser, has offered a free breach notification service called “Firefox Monitor” since September of this year? Mozilla is apparently partnering with Troy Hunt’s “Have I Been Pwned” database of compromised accounts from past data breaches. 
You can visit monitor.firefox.com to see if your email address was part of a past data breach.  You can also sign up for a more detailed report and to be alerted when new breaches happen that contain your email address. Just this past week, Mozilla announced that they will now deliver breach alerts from within the Firefox web browser while you surf the web. This will work starting with version 62 and later of Firefox. How this works is when you visit a website that previously had a data breach, you will be notified through an icon that will appear in the address bar. The alert will then give you the breach history of the website as well as a link back to Firefox Monitor to see if your information was part of the data breach.  You can, of course, turn off these alerts within the Firefox preferences if you feel you don’t want to be notified. I think this is a great step forward for data breach notification as often times, we may never know that a particular website we frequent has had our information compromised from a past data breach. I also think that this move by Mozilla may make customers think twice before signing up or purchasing products from a website that may have not had the best track record for security. As we always recommend, if your data was compromised in a data breach you should always change the password that you used for that site and enable whatever form of two-factor authentication that the website hopefully offers. As mentioned on last week’s show, always choose app based two-factor authentication over SMS or text message based solutions if available. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? 
Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Vehicle Infotainment Privacy, Instagram’s Accidental Password Exposure, Firefox Monitor – WB44 appeared first on Shared Security Podcast.
Nov 23, 2018 • 24min

Harry Sverdlove, Edgewise Founder and CTO – Special Edition

In this special edition of the podcast we speak to Harry Sverdlove, who is the Founder and Chief Technology Officer of Edgewise. Harry talks with us about the concept of “zero trust” and their innovative technology that can help stop data breaches. Find out more at Edgewise.net, where you can schedule a demo by clicking on the “Request Demo” button on the main page. Thanks again to Harry for being our guest on the show and to Edgewise for sponsoring the podcast! The post Harry Sverdlove, Edgewise Founder and CTO – Special Edition appeared first on Shared Security Podcast.
Nov 19, 2018 • 13min

USPS Informed Delivery Vulnerabilities, Holiday Credit Card Fraud, Huge SMS Database Leak – WB43

This is your Shared Security Weekly Blaze for November 19th 2018 with your host, Tom Eston. In this week’s episode: USPS Informed delivery vulnerabilities, protecting yourself from credit card fraud and a huge SMS database leak. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Are you using or thinking about using the US Postal Service’s “Informed Delivery” feature?  If so, you’ll want to pay close attention to the recent warning from the US Secret Service which was sent to law enforcement across the country earlier this month. This alert stated that fraudsters are leveraging this feature to surveil potential identity theft victims and references a recent case in Michigan where seven people were arrested for apparently stealing credit cards from mailboxes after registering as those victims for the Informed Delivery service. Brian Krebs from KrebsOnSecurity.com, who broke the news about the Secret Service alert, has noted that in the past the postal service has had no way to notify residents when someone signed up for the Informed Delivery service at their address. However, earlier this year the postal service corrected this issue by now mailing residents if someone has signed up for Informed Delivery at their address. Unfortunately, this doesn’t solve this problem if fraudsters simply order credit cards to the address before signing up for the service. 
Once the cards have been ordered the fraudster can then take advantage of the week or so that it takes to get a credit card in the mail to sign up the victim for Informed Delivery. The other issue with Informed Delivery is that to sign up for the service you’re asked four knowledge based authentication (also known as “KBA”) questions which typically have answers which can be Googled or found through other searching techniques on the Internet. It has been well known for quite some time that KBA is not a reliable form of authentication. So what can you do if you’re concerned about having your address hijacked by a fraudster using Informed Delivery? Unfortunately, not a lot at this point. Putting a freeze on your credit can help because if someone is trying to set up Informed Delivery in your name, then the KBA process can’t access your credit files. However, Brian Krebs reports that this may not be working for everyone with a credit freeze in place. You may also want to “plant your flag” so to speak by signing up for Informed Delivery before someone else does. When signing up myself I was asked to visit my local post office branch to physically verify me or have an “invitation code” sent to me through the mail. Other than that, you can try to email the postal service to attempt to ‘opt-out’ of Informed Delivery but according to reports, emails are going unanswered and those that have had responses are asking KBA questions that are to be responded to through plain text email. And we all know plain text email is not a secure means of communication. It’s safe to say that Informed Delivery is quite the mess right now. We’ll be sure to keep you updated of any changes or improvements to the security and privacy of Informed Delivery in future episodes. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. 
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. A report last week released by firm Gemini Advisory showed that credit card fraud is still increasing in the US despite the use of new EMV chip-enabled cards. EMV which stands for Europay, Mastercard and Visa; or “chip cards” as they are better known, provide end-to-end encryption during card-present transactions.  The Gemini Advisory report stated that despite financial institutions issuing chip cards to their customers, out of the more than 60 million cards stolen over the last 12 months, 93% of them were chip enabled cards. Moreover, 45.8 million or 75% of card-present transactions were stolen at point-of-sale devices, while only 25% were compromised in online breaches. With all the chip cards out there, what seems to be the problem? The issue is that merchants in the US are still struggling with updating point of sale equipment (often seen abbreviated as POS) to support chip cards. Specifically, because of the high cost associated with purchasing and installing equipment to support EMV technology. I’m sure you’ve noticed that every merchant is different and many still utilize the old fashioned swipe terminals. 
All credit cards with a chip also have the old magnetic stripe on the back for situations where a chip reader is broken or for merchants that have not upgraded their equipment yet. Gas stations in the US are the biggest culprits since they are not held liable or at fault for credit card fraud until October 2020. This is why in the US you still have to use the old fashioned swipe terminals at the gas station. So how does a chip card get compromised? The main ways are through malware installed on the point-of-sale system, skimming (where a device reads the magnetic stripe off of the card while you conduct a payment transaction) and “shimming” where a device sits between the chip on your card and the chip reader. Shimming devices can be used to create counterfeit magnetic stripe cards, but not if the bank is validating something called a CVV code which is part of the EMV standard. Some banks and merchants have not fully implemented EMV, which makes point-of-sale malware and credit card cloning the most popular types of credit card fraud. Until the merchants decide to upgrade their equipment, we’re going to see card-present fraud continue to be an issue. In related news, a report from ACI Worldwide shows that there will be a 14% increase in fraud attempts this holiday season, with the highest this week and next due to Black Friday and Cyber Monday. Having said that, here are some tips to help prevent becoming a victim of credit card fraud this holiday season: First, use a more secure payment method like ApplePay, Samsung Pay or Google Pay with your mobile phone if the merchant supports it. If these methods are not available, you can always fall back to cash. If shopping online check to see if the merchant supports these more secure payment methods as well. Second, if you’re at the gas pump or using an ATM always check to see if a skimmer is installed. 
This can be as simple as wiggling the credit card reader or by looking for anything that seems out of place with the reader itself or the outside of the machine. Third, set up and configure fraud or text alerts every time a transaction on your credit card occurs. That way, you know right away if your card has been compromised. Also make sure you check your credit card statements often to look for suspicious transactions. Lastly, never use a debit card for making purchases. If your debit card is compromised you lose the cash from your bank immediately and it can take weeks and lots of paperwork to get your money refunded. You’re safer with a credit card and the majority of credit cards these days have zero liability for fraudulent charges. A massive database of over 26 million text messages, belonging to California based communications company Voxox, was discovered by security researcher Sebastien Kaul using the Shodan search engine. This database contained text messages that had password reset links, two-factor authentication codes, shipping notifications, names, cellphone numbers and more. The database server was found completely open to the Internet with no password and provided a web front-end, making the data extremely easy to search through. While access to this particular database has been taken offline, it shows once again, how SMS text messaging should not be used for secure communication or for two-factor authentication. Moreover, this is also another example of how a company that processes millions of sensitive records leaves a massive database like this exposed for anyone to view and access. Many of us don’t think about the third-party companies like Voxox that work on the backend of your mobile carrier to process text messages, two-factor authentication codes and other communications that end up being pushed to your cell phone. SIM Hijacking and other SMS text message attacks, as discussed in previous episodes of the podcast, are continuing to increase. 
This is one reason we recommend companies and services to move away from SMS based two-factor authentication and use more secure methods like app based solutions such as Google Authenticator, Authy, Duo and other services which do not rely on SMS text messaging. Make sure you look for app based two-factor authentication when signing up for a new online service. Note that popular sites like Facebook, Instagram and Twitter have already provided app based two-factor authentication solutions that you can begin using right now. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback@sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post USPS Informed Delivery Vulnerabilities, Holiday Credit Card Fraud, Huge SMS Database Leak – WB43 appeared first on Shared Security Podcast.
Nov 12, 2018 • 10min

Midterm Election Security, Gait Recognition Surveillance Technology, Caller ID Authentication – WB42

This is your Shared Security Weekly Blaze for November 12, 2018 with your host, Tom Eston. In this week’s episode: Midterm Election Security, Gait Recognition Surveillance Technology and Caller ID Authentication. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. The mid-term elections here in the United States took place last Tuesday and the Department of Homeland Security has said that there has been no evidence of any hacking that took place on the election infrastructure. As many of you may be aware, last Tuesday’s election was the first major election in the United States since Russia attempted to influence the 2016 presidential race. In fact, Department of Homeland Security Secretary Kirstjen Nielsen has said that last Tuesday’s election “is the most secure election in the modern era”. Surprisingly, many areas of the country are still using paper ballots. In fact, 21 states are using full paper ballots and others are using a hybrid approach of paper and voting machines. As you can imagine the security of voting machines has been a hotly debated topic ever since the DEF CON hacking conference that took place in August of this year. This conference had a voting machine hacking village in which several different types of real voting machines were found to be vulnerable to many different types of attacks. 
These attacks could manipulate election results as well as cause other havoc on the overall election system. The biggest concern found with vulnerable voting machines though is physical security as the majority of these hacks require physical access to the voting machine. As long as polling places and local governments running and managing voting infrastructure take the physical security of these machines seriously, the risk of election result manipulation via the machine itself remains very low. If you’re interested in learning more about voting machine security, Scott and I dedicated an entire episode to this fascinating topic in episode 79 of our monthly show. The bigger issue this election season though has been malicious manipulation of voters through the influence of social media. Just last week it was reported that Facebook had blocked more than 100 accounts that had ties to a Russian “troll farm” designed to influence the midterm elections. Facebook also noted that it deleted dozens of accounts that were linked to Iran in late October. Our advice is to always be careful of what you see posted on social media, not just political posts, as a lot of this information may be coming from a non-trusted source designed to manipulate your views. Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. 
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications. A new form of surveillance technology called “gait recognition” software is now being used by Chinese police on the streets of Beijing and Shanghai as well as other areas of China. Gait recognition software can identify someone by their body shape as well as how someone walks. The technology, created by a company called Watrix, does not need special cameras and works even when faces are hidden or unable to be identified through traditional facial recognition technology. Gait recognition has a 94 percent accuracy rate which is good enough right now for commercial use. The software works by first uploading video footage, then extracting someone’s silhouette from the video and analyzing movement to create a virtual model of how a person walks. This means that even if a person was purposely trying to evade a system like this, by limping or hunching over, the software is still capable of determining someone’s identity. However, identifying people in real-time video footage is not yet available as it currently takes a lot of computing power to analyze someone’s gait because you need a sequence of images rather than a single image as current facial recognition technology uses. In China and other nation states, mass surveillance is big business. In fact, I recently visited London, England, which is known as one of the most surveilled cities in the world. There are CCTV cameras everywhere! One recent report noted that there are approximately 5.9 million closed-circuit TV cameras in the UK which works out to be one camera for every 11 people. 
That, of course, is nothing compared to China where it’s estimated that 176 million surveillance cameras are keeping tabs on China’s 1.3 billion citizens. Keep in mind, surveillance cameras are not always government owned and operated. Many are purchased by homeowners and businesses to help deter theft and other crimes. What I find interesting is that by combining gait recognition with current facial recognition technology, it could mean much more surveillance technology being used in a city near you once this software becomes more mature and cheaper to purchase. The chairman of the FCC, Ajit Pai, stated last week that he is demanding the adoption of an authentication system to prevent caller ID spoofing, which is the primary technique used by robo and spam callers. Ajit Pai sent letters to the CEOs of 14 telecom companies stating that if they did not establish plans to implement call authentication by 2019, the FCC would take action. Neither Ajit Pai nor the FCC specified what action they would take for telecoms that did not comply with the order. Caller ID spoofing is when a scammer uses techniques to hide the real phone number they are calling from to make it look like a call coming from a number you are more likely to answer, like one that has the same area code and prefix as your phone number. Earlier this year the FCC dished out its biggest fine ever, to the tune of $120 million dollars, to a person in Miami, Florida that was responsible for 96 million robocalls. Now if we could just get the FCC to reverse course on net neutrality, that would be even better. If you’re interested in learning more about the technology that telecom companies are looking to implement, one in particular called “CallPrinting”, be sure to listen to episode 35 of the Weekly Blaze linked in the show notes of this episode. That’s a wrap for this week’s show.
Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Midterm Election Security, Gait Recognition Surveillance Technology, Caller ID Authentication – WB42 appeared first on Shared Security Podcast.
