Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Nov 5, 2018 • 10min

Microsoft and Apple Security Updates, Signal’s Sealed Sender, Girl Scouts Data Breach – WB41

This is your Shared Security Weekly Blaze for November 5th 2018 with your host, Tom Eston. In this week’s episode: Microsoft and Apple security updates, Signal’s Sealed Sender and the Girl Scouts data breach.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, this is Tom Eston, co-host of the Shared Security Podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

This past week Microsoft announced that its built-in anti-virus application, Windows Defender, can now run within a “sandbox” environment. Sandboxing allows an application to run in a separate environment, isolated from the rest of the Windows operating system and the other applications installed on a PC. Sandboxing in Windows Defender is a very important security update, given that Windows Defender runs as a high-privileged service and is therefore a large target for attackers to compromise. Windows Defender is also the only anti-virus solution on the market with this capability. To enable sandboxing in Windows Defender right away you need to make a quick environment variable change within Windows; Microsoft plans to deploy this update to all Windows Defender users in the near future. See our show notes for details on how to enable sandboxing if you’re interested in using this new feature.
In other security update news, Apple has released several new security updates on the heels of the announcement of new Macs and iPads at Apple’s event last Thursday. Security updates for macOS Mojave, High Sierra, Sierra, iOS, watchOS, tvOS, Safari, iTunes, and iCloud for Windows were all released. One particularly serious vulnerability in macOS could potentially allow remote code execution or crash your device.

During the Apple event on Thursday, Apple also announced that new MacBooks with the new T2 security chip will automatically disable the microphone when the lid of the MacBook is closed. This new privacy control prevents any type of software, especially spyware or “stalkerware”, even with root or kernel privileges, from engaging the microphone while the lid is closed. This privacy feature is a large step forward in helping to combat malware that may be installed without the user’s knowledge for surveillance and stalking. Be sure to listen to episode 40 of this podcast for more details on stalkerware and how to know if one of these apps may be installed on your device.

These two stories once again emphasize that it’s important to keep the operating systems and anti-virus software on your devices, and even the hardware, up to date for the most current security and privacy protections.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro-segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: visibility into workload communication pathways; security policies built on the cryptographic fingerprint of the software; the ability to apply policies and segment your networks in one click; and a way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movement by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Signal, the highly recommended messaging app that provides end-to-end encryption, announced last week a new privacy feature called “Sealed Sender” that is now available in the public beta release of Signal. The sealed sender functionality hides details on who is messaging whom on the Signal service. Signal, by design, does not store any information about your contacts, conversations, locations, or group information. However, one small piece of metadata within the Signal service could not previously be hidden: who is messaging whom. Sealed sender can be explained using a traditional piece of physical mail, where the outside of the envelope carries the address of both the sender and the recipient. You can’t initially see what’s inside the envelope, but you can see who it’s from and who it is being sent to. What Sealed Sender does is remove the information on who sent the message while still including the destination to which the message should be delivered. Hiding who is sending messages within Signal is a fairly complicated technical process, but it’s all done through cryptographically secure sender certificates, delivery tokens and additional layers of encryption. Signal notes in their blog post announcing sealed sender that “as clients upgrade, messages will automatically be delivered using sealed sender whenever possible”. In the meantime, interested Signal users can participate in the latest public beta to try out this new privacy feature. Find out more information about Signal’s beta program in our show notes.
And in case you didn’t know, Signal is a great app that we highly recommend for secure and private end-to-end encrypted messaging and phone calls.

The Girl Scouts of America, who are responsible for selling those delicious cookies each year, were the recent victim of a data breach which compromised the personal information of around 2,800 girls and their families. Personal information compromised included names, birth dates, home addresses, insurance policy numbers, driver’s license numbers, and health history. The data breach apparently happened when an email account used by the Orange County, California branch of the Girl Scouts to make travel arrangements was illegally accessed by an unknown third party. The compromised email account was only accessed from September 30th to October 1st, and all parties who had their data compromised have been notified. The Girl Scouts say that they have changed the password for the compromised account and that they will be implementing a secure online system for travel forms containing personal information to replace the email system previously used. Ironically, last year the Girl Scouts created a “cybersecurity” badge that girls can earn which teaches them how to be safe online, how to protect their personal and financial information, and how to avoid hoaxes or scams. Now that the Girl Scouts themselves are educated, perhaps Girl Scout administrators and staff can earn this badge too, so that they can avoid another data breach in the future.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel.
Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Oct 31, 2018 • 39min

Fortnite Scams, Google Search Privacy, Bloomberg SuperMicro Controversy – #81

This is the 81st episode of the Shared Security Podcast, sponsored by Silent Pocket and Edgewise Networks, hosted by Tom Eston and Scott Wright and recorded on October 29, 2018. Listen to this episode and previous ones direct via your web browser by clicking here. This episode is also available to watch on our YouTube Channel. In this episode Tom and Scott cover the recent rise in Fortnite scams, new privacy controls in Google Search and the controversy over the Bloomberg article and SuperMicro.

Below are show notes and links mentioned in the podcast:

Fortnite scams are increasing due to the massive popularity of the game. Many teens and adults play this game, so be on the lookout for scams over email, websites, and even YouTube videos.

Google is putting more privacy controls directly in Google Search. This is a great idea, but managing your privacy across the many different Google services will continue to be a challenge. We also discuss the benefits of using search engines that have your privacy in mind, like DuckDuckGo and StartPage.

The Bloomberg story that came out several weeks ago about SuperMicro continues to cause controversy in the cybersecurity community. Scott gives his take on the situation!

Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening!
Oct 29, 2018 • 11min

Spy Apps and Stalkerware with Special Guest Jeff Tang – WB40

This is your Shared Security Weekly Blaze for October 29th 2018 with your host, Tom Eston. In this week’s episode: Spy apps and stalkerware with special guest Jeff Tang.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Spy apps, better known as “stalkerware”, are apps that can be used to track and spy on the activities that someone does on a mobile device. Activities can include everything from reading text messages, viewing photos and emails, seeing websites visited, tracking real-time GPS location, turning on the microphone or camera, viewing social media usage, and much more. These apps go by the names of mSpy, FlexiSPY, Retina-X, and many others that are widely available for purchase. While there may be legitimate purposes for installing an app like these, for example parents that might want to track what their kids are doing on their mobile devices or employers monitoring company-issued mobile phones, criminals as well as stalkers are also using these apps to conduct surveillance and monitoring of a victim’s device. These apps are very concerning for someone that might be in a domestic abuse situation or is being criminally stalked. In this episode we’re going to cover why these apps have become so popular, how they are installed, and how you can detect if someone has installed one of these apps on your mobile device.

Tom Eston: Joining me to talk about spy apps and stalkerware is Jeff Tang, who is the Senior Manager of Applied Research at Cylance. Welcome to the show, Jeff.

Jeff Tang: Hey Tom, thanks for having me.
Tom Eston: So what’s your take on these apps, and why do you think they’re becoming so popular?

Jeff Tang: I think there’s a lot of interest in these apps because we’re in a new society where we’re actually recording everything, and everything is becoming digital. Our entire lives are captured onto our cell phones, from photos, to text messages, to emails, to just GPS location. And we’re in this age where all this data is now available, and I think we’re seeing the commoditization of the spying applications that take advantage of the availability of this data. So I think a lot of the popularity is just like, this wasn’t possible before smartphones existed, it was much more difficult to try to capture someone’s location, but now we all carry a GPS device in our pockets.

Tom Eston: Yeah, I’m kind of reminded of… If you’re a fan of the Breaking Bad TV show, where they put a GPS locator on somebody’s car and then they use an old style type of GPS tracker to follow the car around, right?

Jeff Tang: Yeah, and those are actually still really common, right? You can go on Amazon and buy them for as cheap as 20 bucks.

Tom Eston: So the technology has definitely evolved. So, is it just because we now have more power at our fingertips that it makes these apps a lot easier for people to use?

Jeff Tang: Yeah, I think it’s… We’ve all had kind of an inclination to know what’s going on. And now in 30 seconds we can go and search for something like this. And there are other vendors out there that are willing to provide this as a service.

Tom Eston: So how do these apps get installed? I would think that you either have to have physical access to the device, or are there other ways that somebody would install this on your device?

Jeff Tang: So there are effectively two ways that these apps can work. The first way is if you are an iCloud customer where your phone is constantly being backed up to the cloud.
If your iCloud credentials get compromised, as we’ve seen in the past when celebrities were getting their phones hacked, these services can just go download the backup from the cloud, extract all the information, and present it to you in their dashboard. The second way is having physical access to the device, or having some way of installing this malicious application onto the device. So for instance, if you lose sight of your phone for a few minutes and you don’t have a passcode on it, someone can easily just grab your phone, install the app, allow it the necessary permissions to access your microphone, your contacts, your GPS location and so on, and then it functions like a normal application.

Tom Eston: So are there any dangers to having one of these apps installed on your phone? So I know a couple of these apps do things like jailbreak or root your device. I would assume that that’s dangerous in terms of disabling certain things on your device in order for this app to run, correct?

Jeff Tang: They can run in different modes. For the most part, mobile devices have good sandboxes, which constrain the application to only operating within its sandbox. Some of them do support jailbreaking, which compromises the security integrity of the device, allowing it to access other information outside of its sandbox. So you can actually become more vulnerable, say, to another malicious application that was on your device, maybe something that pretended to be something that it wasn’t… It really wasn’t. Like pretending to be some sort of text messaging service, when in reality it’s some piece of malware. And then we also see things like if a phone is vulnerable to… And it hasn’t been updated and is vulnerable to some browser-based exploits, that’s one less thing that a malicious attacker has to do in order to gain access to your phone.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro-segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: visibility into workload communication pathways; security policies built on the cryptographic fingerprint of the software; the ability to apply policies and segment your networks in one click; and a way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movement by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Tom Eston: So it sounds like a lot of these apps, in the way that they function, are very similar to techniques that a government or, say, a very large nation state would use to target, maybe, an individual. You’ve probably seen the news about the Pegasus malware created by that group… The NSO Group over in Israel, and that they’re selling that software to governments. But for somebody that, say, is in a domestic abuse situation or might fear that they are being stalked, how could these people defend themselves from having these applications installed on their devices?

Jeff Tang: The first step is to maintain physical security over your device, which isn’t always possible, right? So the second part is making sure that you have a strong passcode on the device that no one else knows.
And it’s pretty common to have simple four-digit PINs on phones, or in the case of Android, the little connect-the-dots pattern; we should really start moving towards something much stronger, having longer passcodes, full alphanumeric and so on. And the second part of that is, if you’re using some sort of cloud backup service that your phone constantly sends data to, ensuring that the credentials for that service are also strong. Making sure that we’re not reusing the same passwords for our phone and that backup service. And then following that, if there’s a suspicion that the device is compromised, it might be best to pick up a new device and start using that, so that we know that that one isn’t compromised at the time.

Tom Eston: Are there any best practices? Should someone use an Apple iOS device versus an Android, or are they both about the same?

Jeff Tang: They’re both reasonably the same. The same best practices have been around for almost two decades now. It’s using strong credentials, and keeping the device up to date. And then we can also go and routinely eye what applications are installed on the phone. And then it also might be just a good time to start cleaning out the phone for applications that you don’t use. Some of these tend to masquerade as a patsy application, right? They’re not all gonna claim that they’re a spying device… That they’re spyware applications.

Tom Eston: They would have to be installed as some type of app, correct? Probably hidden?

Jeff Tang: Yeah, for the most part they are installed as a normal application. I’d imagine some of the fancier ones, especially when you start going towards something like Pegasus, are being hidden from your display. But when we’re looking at the run-of-the-mill spyware, stalkerware apps, they’re typically not going that far.

Tom Eston: Well, great advice, Jeff. I really appreciate your time, and thanks for coming on the show.

Jeff Tang: Alright. Thanks Tom.

That’s a wrap for this week’s show.
Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Oct 22, 2018 • 16min

Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39

This is your Shared Security Weekly Blaze for October 22nd 2018 with your host, Tom Eston. In this week’s episode: Hotel Room Security and Privacy with Special Guest Patrick McNeil.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hotel security has been a hot topic debated in the cybersecurity and privacy communities ever since the annual DEF CON hacking conference, which was recently held in Las Vegas. The conference hotel security staff at Caesars Palace conducted random hotel room searches unbeknownst to conference attendees. This caused a firestorm of criticism from conference goers, but also brought attention to how we should all think about the security and privacy of the hotel rooms we stay in. In this episode I want to share with you some helpful tips and advice to increase your security and privacy while staying in a hotel room.

Tom Eston: Joining me to discuss hotel room security and privacy is physical security expert Patrick McNeil. Patrick has a background ranging from software development, networking, operations, and product security, and currently works for an application security company. He has travelled extensively for work over the last nine years, staying in hotels ranging from five star hotels to hotels with blood stains on the carpet. I think I want to hear more about that. Patrick is also a lifelong martial arts practitioner, runs Oak City Locksport and does physical security consulting for Stern Security when time permits. Welcome to the show, Patrick.

Patrick McNeil: Thank you very much, Tom, appreciate the opportunity to be on.
Tom Eston: So tell me a little bit about these hotels you’re staying in. Blood stains on the carpet, what’s that all about?

Patrick McNeil: Yeah, that was an unfortunate situation where I went to a conference and the conference coordinator had some hotels nearby that were recommended, and this was in downtown Chicago. And let’s just say, while she thought it was a safe neighborhood, it really wasn’t. And the hotel of course is completely booked up. I check into my room and do my normal walk around and there’s literally blood stains on the carpet, probably the size of a dinner plate, and some blood spray on one of the [chuckle] walls.

Tom Eston: Oh no.

Patrick McNeil: It wasn’t a whole lot, but it was enough to freak me out, and I know I’m asking for a new room and it’s completely booked up. So I ended up staying there, but it was like, put the towel over it so I didn’t have to look at it, and just stay away from that area. It was obviously old.

Tom Eston: Obviously [chuckle] old. Yeah, that’s scary, but… Hopefully you’re not staying in hotels like that anymore.

Patrick McNeil: I try to avoid that. [chuckle]

Tom Eston: But you wrote a really great blog post recently about safety in and around your hotel room. And I think you wrote this because of the controversy that happened at Caesars Palace back during DEF CON in August in Las Vegas, with the attendees of the conference. Could you give us just a brief overview of what happened at DEF CON for our listeners that may not be familiar with the controversy?

Patrick McNeil: Sure. And you’re right, I did write the first post and it turned into a follow-on as well, but it all was because of the mass shooting that happened last year in October in Las Vegas.
Basically the big casino hotels decided that they wanted to ensure the safety of their guests and the public at large by inspecting the rooms of guests when they hadn’t been seen for a while, they had refused service, or maybe they were seen with large Pelican cases or something when they were traveling in. You get an event like DEF CON, between the DEF CON shoot and all the electronics equipment that people bring in [chuckle], there’s gonna be a lot of Pelican cases. Those are all similar things that the shooter had actually done.

Patrick McNeil: And unfortunately they had a policy that allowed people to opt out of room service as an environmental or green initiative. So they were setting themselves up for rooms that had refused room service. So when they decided to start investigating what was up in some of these rooms, just doing what they were calling a wellness check, it would appear that their policy either was implemented inconsistently or maybe some employees weren’t trained appropriately, because they ended up having issues with employees walking in on partially clothed guests after the pre-visitive knock, or even pounding on their doors, demanding to be let in and not necessarily even providing appropriate identification or allowing the guests to check with the front desk or someone to see if they were legitimate.

Tom Eston: Would you consider that a common practice in most hotels?

Patrick McNeil: I would say no. I think this is a little bit of an over-correction. And maybe it’s necessary, based on their threat model, but it’s definitely not something that I would consider normal, no.

Tom Eston: I think a lot of us think about when we go to a hotel, we are paying for our privacy. There is this expectation of privacy because we are paying money to stay in a room that is supposed to be ours. And we don’t expect anyone to barge in and look through our stuff. So is there any truth to this statement that hotels are really private?
Patrick McNeil: There’s only a little bit of truth in that. Hotels do have the right to enter your room at any time if they believe there’s a safety issue, if you’re involved in something illegal, to keep you from destroying property, or even to perform maintenance. And of course, the regular cleaning that they do. Where you do pay for privacy is as part of that contract with the hotel. They have to respect your Fourth Amendment rights against illegal search and seizure. If a law enforcement agency wants to enter your room, they do need a warrant. But that protection expires as soon as you hit checkout time, whether you’ve actually gone to the front desk or not. But really the hotel employees don’t necessarily have to respect your privacy if there’s any reason they can manufacture.

Tom Eston: Is there anywhere that people can view hotels’ policies?

Patrick McNeil: Yeah, I know that some hotels do actually have that in their agreement that you sign when you make the reservation, or that you pretty much ignore when you make the reservation [chuckle]. But I have not done the research to see whether each individual brand posts their policy or anything, no.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro-segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: visibility into workload communication pathways; security policies built on the cryptographic fingerprint of the software; the ability to apply policies and segment your networks in one click; and a way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movement by requiring authentication and authorization with every workload communication.
Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Tom Eston: What are your top three or four things that you recommend everyone always do when staying at a hotel?

Patrick McNeil: The things that I think are really common, the top basics: I always inspect a room with my bag just right inside the door, and don’t unpack or anything before I get comfortable. I’m walking around like anybody would to see, is the place clean? But I’m looking at the physical security items first. Maybe even before I get to the room, on my way there, I’m just checking out to see where my room is in relation to any exit stairs or elevators, in case of a fire or other emergency situation. And then once I get into the room, the first thing I check, of course, is the locks on any doors, windows, sliding glass doors, anything adjoining, and that any additional security devices, like the little flipper that you can use to reinforce your door or the dead bolt, actually align correctly and that they actually work. And then I’ll go and check my phone, which seems a little crazy given that most of us are gonna travel with mobile phones, but I do that just because it’s got that direct line right to the hotel front desk or security, to make sure that you have it in an emergency, or if somebody does wanna inspect the room, you can just hit one button and then you’re on the phone with somebody. And then the last thing I’ll typically do is [chuckle], and it sounds silly, I’ll pop some toilet paper in the peephole and put a hand towel right behind the handle. So nobody’s peeping in and you can’t use an under-door tool to open that door.

Tom Eston: So what are a few things that listeners can do from a counter-surveillance perspective?

Patrick McNeil: In my opinion, the easiest thing to do is just be tidy. I know you’re gonna relax when you’re in a hotel and things may get spread out.
But if you’re really concerned about snooping, just clean things up and organize your stuff. Put stuff back into your suitcase, put things on shelves, put things in drawers, basically keep everything away from where one could reasonably expect the cleaning staff to be. They’re not gonna be rearranging things that you’ve left all over the desk or dresser, what have you. You’re not giving them an excuse, essentially. Then you can lay a suitcase strap a certain way, or put a certain fold in your clothes, or a hair or thread in a zipper that will fall out or get destroyed when the zip is opened. Then that way you can take a photo of how you left things and compare versus later. While it’s not absolute, because they could bump into something, or what have you, it at least gives you an indication. And if you’re super paranoid, you could do stuff like the UV detective dust that you can put on things. Just do a light dusting in one place and shine with a UV light, and then if that dust is spread all over the room, you know that they went in that one spot where you put the UV dust.

As far as the recording… Yeah, this is definitely what I would consider more of an extreme measure. And I’d reserve it for situations where you’re reasonably sure that your stuff is being gone through, or there’s a significant chance of it.

Patrick McNeil: You’ve got something expensive that maybe you can’t secure. [chuckle] I’ll do the standard, I’m not a lawyer. This is not legal advice [chuckle], but you have to be careful with where you’re recording. Certainly pretty much every state has a law that says people have a reasonable expectation of privacy. So you should never ever record in the bathroom in particular, because the cleaning staff could use the bathroom. There’s nothing wrong with that. We get into the whole gray area of whether this is legally your home or somebody else’s place.
So while it is legal to record inside your home, with hidden cameras, without notice, trespassers do waive the rights to be recorded. You do have to be careful and know local laws ’cause they may apply. So watch the state that you’re traveling to, to determine whether they’re what’s called a one-party state versus a two-party state. And what that means is, if you’re in a one-party state, only one party has to consent to the recording, i.e., you, the person making the recording. And in two-party states, both have to consent. So that would rule out some of your recording.

Patrick McNeil: And that may also be different for audio versus video. So it may be a one- or two-party state for audio, but video may be completely different and covered under separate laws. And of course, you’re gonna run into the county and state laws. So [chuckle] basically use this with caution, understand where you’re recording. If you do get a recording and it shows evidence of a crime, the first thing you do is not march down to the front desk and show it to them. The first step is to consult with an attorney before deciding how to use it, and definitely, like a lot of things, it comes down to how you decide to actually use the recording. If you get a recording and you see that something’s going on, maybe you can take other steps to secure your stuff that don’t involve showing somebody the recording. Like a lot of things, once you start using that and publicizing it, that’s when you can get into hot water.

Tom Eston: So, any last advice you’d like to give our listeners?

Patrick McNeil: I think really from a travel perspective, it’s all about awareness. We tend to get wrapped up in finding the restaurant or the workout facility, or looking at our phone or what have you, and we just really don’t notice what’s going on in the parking lot on the way to our room. And just having that situational awareness, ’cause you are a little bit more susceptible when you’re traveling alone.
Tom Eston: Well, great advice, Patrick. Thanks for coming on the show.

Patrick McNeil: Thank you, Tom.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39 appeared first on Shared Security Podcast.
Oct 15, 2018 • 11min

Google+ Shutdown, Weapons Systems Vulnerabilities, Voice Phishing Scams – WB38

This is your Shared Security Weekly Blaze for October 15th 2018 with your host, Tom Eston. In this week’s episode: Google+ shutdown, weapons systems vulnerabilities, and new data on voice phishing scams.

Google announced this past week that it’s shutting down Google+ due to a bug in the “people” API that may have exposed private profile information for more than 500,000 Google+ users. The bug allowed third-party apps to have access to certain optional profile data such as name, email, address, occupation, gender, and age. This access was limited to only Google+ and not any other data you may have had with other Google services. While the bug was patched back in March, Google decided to start the process to shut down Google+ in the next 10 months, mostly because it was found that 90% of Google+ user sessions only last about 5 seconds. Google states that even though approximately 500,000 Google+ accounts were affected by the bug and up to 438 applications may have used this API, they found “no evidence that any developer was aware of this bug, or abusing the API, and (we) found no evidence that any Profile data was misused”. Also included in the announcement about the Google+ bug were two other improvements targeting user privacy.
First, Google is adding more fine-grained control over what account data you share with apps through the use of new individual dialog boxes. These dialog boxes will show each requested permission, one at a time, within its own dialog box. This will allow more detailed permissions to be selected instead of the traditional “all or nothing” permissions approach. Lastly, Google is limiting the ability of third-party apps to request call log and SMS data. Google will now only allow whichever default app you use for making phone calls or sending text messages to make these requests. In addition, the Android contacts permission is also changing. Going forward, apps will no longer be able to access basic interaction data like showing you your most recent contacts. In all, I don’t think Google+ will be missed by anyone, but it’s good to see that Google is making these small but impactful privacy changes.

A new report released from the Government Accountability Office (also known as the GAO) here in the United States shows that previous cybersecurity vulnerabilities identified in the Department of Defense’s newest weapons systems were never fixed. Testing was apparently conducted on weapons systems from 2012 to 2017 and shows that these problems seem to be widespread in nearly all weapons systems under development. Some of these vulnerabilities are extremely easy to exploit. For example, guessable and default passwords were easily exploitable, and in some cases the report noted that some default passwords were easily identified through simple Internet searches. The report also stated that during tests conducted on these weapons systems, “using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected”.
Given that the Department of Defense plans on spending $1.6 trillion to create more weapons systems, cybersecurity and the significant importance of related computer systems need to be a top government priority. Many of the vulnerabilities in these systems are very common in Internet of Things devices, so it’s not that far of a stretch to see weapons systems that may be using some of the same technology that is available in the consumer market. As we all know, Internet of Things devices often have very easy vulnerabilities to exploit, like default passwords. On top of that, there is a large issue right now with the cybersecurity workforce in the government not nearly getting the level of pay that they do out in the private sector. This means that many entry-level cybersecurity analysts spend a short amount of time building their skills in a government job, then end up leaving to get paid much more in the private sector. It really goes back to the weapons systems manufacturers making sure they are building security into the products that they are developing. Of course, that’s easier said than done.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Microsegmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: visibility into workload communication pathways; security policies built on the cryptographic fingerprint of the software; the ability to apply policies and segment your networks in one click; and a way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication.
Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

According to research released at the recent DerbyCon security and hacking conference by previous podcast guest Chris Hadnagy, CEO of Social-Engineer.org, and his co-worker Cat Murdock, you’re more likely to receive voice phishing scams on Fridays, and they are most successful in the afternoon vs. the morning. According to an interview conducted by Dark Reading, Chris and his team started recording and collecting data on vishing calls that were conducted by his company over a three-year period, which ended up totaling more than 20,000 calls. Out of these calls, 5,690 were completed, meaning that the social engineer talked with someone on the other line. Of those completed calls, 3,017 were compromises, which ended up being a success ratio of 53%. These compromises gathered 8,685 pieces of information such as social security numbers, information about company internal projects and answers to security questions. Why is the end of the week and late afternoon, around 5pm, the best time for scammers to be successful? Chris notes that most office workers are less alert on a Friday compared to a Monday and that at the end of a work day, most people are ready to head out of the office and sometimes more willing to tell you anything you want to know so that they can go home. The other takeaway from Chris’ research is what the most common pretexts are that vishing victims seem to fall for. Calls with a pretext of someone calling from HR regarding an employee’s health care open enrollment had a compromise rate of 28%, and the other was IT-related pretexts, where a social engineer uses a pretext related to audits, security updates and employee badges.
This research seems like a great reminder for all of us to re-evaluate our awareness about voice phishing scams and to ensure we don’t let our guard down, especially towards the end of the week and towards the end of our working day. That’s a wrap for this week’s show. The post Google+ Shutdown, Weapons Systems Vulnerabilities, Voice Phishing Scams – WB38 appeared first on Shared Security Podcast.
Oct 8, 2018 • 13min

Chinese Spying, Facebook Shadow Contact Information, iPhone X FaceID Privacy – WB37

This is your Shared Security Weekly Blaze for October 8th 2018 with your host, Tom Eston. In this week’s episode: Chinese Spying, Facebook Shadow Contact Information and iPhone X FaceID Privacy. I have a small favor to ask you. We would really appreciate it if you could leave us a review on iTunes. To leave a review, simply click the iTunes link in our show notes for this episode. We’ll be sure to thank you for your review on a future episode of the podcast. Thanks for your support!

In late-breaking news on Thursday last week, a report from Bloomberg detailed a large-scale supply chain attack which is believed to be one of the largest spying programs ever conducted by a nation-state. According to the report, a very small microchip about the size of a pencil tip or grain of rice was installed and hidden in servers that were being used by approximately 30 American companies, including Apple and Amazon. These chips were apparently installed during the manufacturing process in server motherboards manufactured by a company called Super Micro, which happens to manufacture its products in China.
Of course, as you might assume, these chips were allegedly installed by the Chinese government to spy on American companies, giving China the competitive advantage in the highly competitive technology space. While Amazon, Apple, Supermicro and even China are denying the claims made in this report from Bloomberg, it’s not that far of a stretch when you consider that China has been known to install malicious software into the hardware supply chain in the past and that 75% of all mobile devices and 90% of all PCs in the world are manufactured in China. Whether this story is true or not, securing the hardware supply chain is a very difficult problem to solve, even when hardware is manufactured in a country like the United States. For example, back in 2016 one US-based mobile phone company, that makes cheap Android-based phones, found a software backdoor installed on their devices which would send information from the device, you guessed it, back to China. So while the hardware itself was not manufactured in China, the software on the Android device was. I remember when I was working as a security consultant several years ago we would strongly advise business clients that when traveling to China they should use a “disposable” laptop and mobile device with very little or no corporate data on them. When our clients returned from China we strongly told them to never ever plug their laptop back into their corporate network and to give it to us for forensic analysis. We gave this advice to our clients because we actually had one client in particular that had their laptops and phones hacked while they either went through Chinese customs or during their stay in China. This client in particular had their proprietary design information about a new product on said laptop.
Time will tell how this Bloomberg story pans out, but in the meantime, especially if you’re in the business of having confidential or proprietary business information that might be valuable to a nation-state such as China, be sure to take extra caution with devices that store or handle sensitive or proprietary business information.

Facebook was back in the news this past week with the revelation that the phone number that you may have provided Facebook for security purposes, like for two-factor authentication, is being shared with advertisers. To make matters worse, you don’t even have to willingly provide your phone number at all because of something called “shadow” contact information. Shadow contact information is any contact information, like your phone number, that is shared when your friends upload their contact information to Facebook. What this means is that even if you’ve never given your number to Facebook, your friends may have without you knowing. What’s also unfortunate about this news is that, once again, we seem to be forced to make a privacy trade-off where we have the need to secure our accounts with two-factor authentication but must also allow our phone number to be harvested by advertisers so that we can be served more ads. This news should give you pause, once again, that even if you’re someone that is careful with the personal information that you give Facebook, or any social network for that matter, you can’t really stop others like your friends that may inadvertently upload your contact information to a social network. Our advice is that if the constant news about Facebook using any and all of our data is concerning to you, perhaps it may be time for you to join the millions of others that are “deleting Facebook” (#DeleteFacebook).
However, like many of us, we still see the value of social networks like Facebook, so this news may not be that concerning considering that most of our information, like our phone number, is probably easy for advertisers to obtain, whether Facebook has your number or not. What do you think? Is this the final straw to get you to stop using Facebook, or is the privacy of your phone number not that concerning to you after all? Let us know by commenting on the video of this podcast on our YouTube channel or on the post of this episode on sharedsecurity.net.

Forbes reports that for the first time ever, there is now a documented case of law enforcement forcing an Apple iPhone X owner to unlock their device with their face. According to the report, FBI agents searched the house of a suspected child abuser and told the suspect to put his face in front of the phone so that the device would unlock.
This action, of course, allowed the FBI agents to search through the suspect’s phone for anything that might pertain to the investigation. However, very little could be extracted once the iPhone was unlocked. That’s because the passcode was still unknown to the FBI. Upon attempting to connect the iPhone to a computer to forensically extract all the data off of the device, it had been locked for more than an hour, which requires the passcode to be entered. You may remember that back in July of this year Apple released an update for iOS 11.4 which required the passcode to be entered every seven days to maintain a USB connection to a computer. Now with iOS 12, this requirement has been reduced to every hour, which is probably the restriction that the FBI ran into. Keep in mind that forensic software companies like Grayshift and Cellebrite make software and hardware devices that can extract all data from mobile devices by exploiting either known or unknown vulnerabilities in a particular mobile device. The techniques these companies utilize are not really known; however, it’s most likely that they have access to either 0-day vulnerabilities (that means vulnerabilities unknown to the device manufacturers) or have found techniques to brute force the passcode on a device. It’s important to note that both of these companies have very large contracts with several different government and various state and local law enforcement agencies. What I find fascinating about this story is I really think we’re entering uncharted territory when it comes to Fifth Amendment rights, which protect individuals from incriminating themselves. The law was already sketchy around TouchID and using a fingerprint to unlock a device for law enforcement, but now with FaceID, it’s unknown if it’s really a breach of Fifth Amendment rights. There have also been lots of other challenges for law enforcement, such as “dead” suspects.
For example, with TouchID, law enforcement could take a dead suspect’s finger and unlock the device successfully. However, with Apple’s FaceID technology, they can’t get a dead suspect to unlock an iPhone X, as the technology has a “liveness test” which can detect if the person is dead or alive. If this news is concerning to you from a privacy perspective, you can easily shut down TouchID and FaceID using something called “SOS” mode. On a new iPhone such as the iPhone 8 and X, hold down the side button and one of the volume buttons, and for older iPhone models press the power button 5 times. Also note if your device hasn’t been opened in 48 hours, a passcode is required to unlock the device. Lastly, don’t forget about creating a long and complex passcode, which means not using a four-digit PIN. That way if your device was confiscated or stolen, it would be much more difficult to brute force the passcode to access your device. That’s a wrap for this week’s show. The post Chinese Spying, Facebook Shadow Contact Information, iPhone X FaceID Privacy – WB37 appeared first on Shared Security Podcast.
Oct 1, 2018 • 12min

Facebook’s Fake Account Crackdown, Privacy Upgrade to HTTPS, New Security Features in Apple iOS 12 – WB36

This is your Shared Security Weekly Blaze for October 1st 2018 with your host, Tom Eston. In this week’s episode: Facebook’s fake account crackdown, privacy upgrade to HTTPS, and new security features in Apple iOS 12.

Facebook has recently taken a tougher stand against fake profiles, specifically ones being used by law enforcement. In a letter that Facebook sent to the Memphis Police Department, Facebook states they have disabled fake accounts that were set up by the police department because they violate Facebook’s terms of service, which note you must use your real name while using the social network. Privacy advocates like the EFF have been critical of this position in the past since in some cases free speech may put certain users at risk if real identities are being used. However, regardless of how you feel about this policy, it’s good to see Facebook applying these rules to everyone, including law enforcement. In fact, as the EFF has pointed out, Facebook recently updated their help page titled “Information for Law Enforcement Authorities” and under their misrepresentation policy they state “People on Facebook are required to use the name they go by in everyday life and must not maintain multiple accounts.
Operating fake accounts, pretending to be someone else, or otherwise misrepresenting your authentic identity is not allowed, and we will act on violating accounts”. Law enforcement aside, fake accounts on Facebook have always been a problem, ever since Facebook started getting popular around 2008. In fact, I remember giving a talk at a hacker conference about social network bots and the underground criminal networks that had created automated tools and scripts to target unsuspecting social network users. Check out our show notes for a link to this talk and a nostalgic look into the younger version of yours truly. Oh, and in full disclosure, I may have pushed the limits of fake account creation back then as well. Now I gave that talk back in 2009, but bots and fake accounts are still running rampant on Facebook and other social networks. They are even using those same techniques I talked about back then to friend thousands of strangers in order to solicit spam or to get them to click on links which lead to malware and phishing scams. The best advice to avoid becoming a victim of a fake account or bot in your friends list is to only accept friend requests from people you actually know in real life. But even that can lead to problems, especially if someone is impersonating one of your friends. Our advice is to contact that friend out of band, for example via a text message or phone call, to verify that they are who they say they are. In other late-breaking Facebook news last Friday, a serious vulnerability in the “View As” profile feature was identified by Facebook’s own engineers that affects almost 50 million accounts. The vulnerability allowed attackers to steal access tokens which could then be used to take over other people’s accounts. Facebook states that they’ve already fixed the vulnerability and have reset the passwords of around 90 million accounts that may be affected by the issue.
Facebook states that they are also working with law enforcement and greatly apologize for any inconvenience this may cause Facebook users.

How private do you think your web browsing history is? As we all know, HTTPS encryption helps protect the content of the information we share with websites we are accessing. There have also been new ways to encrypt DNS queries, like DNS over TLS and HTTPS. However, even with an HTTPS connection, your ISP can still see the sites that you’re going to because DNS queries are typically not encrypted. That’s why one company called Cloudflare introduced a new public DNS server called 1.1.1.1 which supports DNS over TLS and HTTPS that encrypts DNS queries as well. But did you know that there are other ways that ISPs can snoop in on the sites that you’re visiting? One large gaping hole that has been identified is something called the “Server Name Indication” extension, or SNI. In simplistic terms, you can think of SNI as a way to route HTTPS traffic to the correct website on a server that may host multiple domains. SNI was created as a way to route your web request to the correct site so that the correct SSL certificate can be used to secure your connection. If this sounds confusing, don’t worry. All you need to know is that your ISP and others that may be monitoring your connection can see the sites you visit if SNI is being used. The good news: Cloudflare has introduced encrypted SNI, or ESNI, which is now part of the Cloudflare network. In addition, Mozilla’s Firefox browser will be the first browser to support this new protocol, with other browser manufacturers to hopefully follow Mozilla’s lead. This is great news for privacy, as one of the long-standing privacy issues on the Internet is about to be a problem no longer. If you’re interested in learning more about Cloudflare’s 1.1.1.1 DNS service, check our show notes for our previous episode where we covered this service in more detail.
Apple has released iOS 12, and that means that it’s time to talk about the new security and privacy features that come with a new operating system. First, Apple now asks if you want to turn on automatic iOS updates. This feature will allow users to ensure that critical security updates are applied without having to manually install them. Second, if you happen to use a third-party password manager like LastPass or Dashlane, these apps can now take advantage of the autofill feature built into iOS 12 through a new API Apple has created for password managers. Some apps like LastPass have already updated their apps to support this new API, so be sure to check your password manager app to see if this feature is now supported. Note, this feature must be activated manually by navigating to Settings -> Passwords & Accounts and then activating the “Autofill Passwords” feature.
Third, the built-in password manager for iOS 12 now includes an audit feature which will identify when the same or similar passwords are being used across multiple sites. And last but not least, the updated Safari browser in iOS 12 now includes something called Internet Tracking Prevention, or ITP, which will prevent cross-site tracking from large companies like Facebook and Google. ITP basically separates cookies from each website, which in turn will prevent things like Facebook’s pixel tracking and like buttons from tracking you across different websites. As we’ve always reminded you on the podcast, updating to the latest version of your operating system almost always includes critical security updates. In the case of iOS 12, Apple noted a very large list of security vulnerabilities that were fixed. Check out our show notes to view this list, but in the meantime make sure you update to iOS 12 to ensure you’re running the very latest security updates to protect your device. That’s a wrap for this week’s show. The post Facebook’s Fake Account Crackdown, Privacy Upgrade to HTTPS, New Security Features in Apple iOS 12 – WB36 appeared first on Shared Security Podcast.
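The SNI segment of the WB36 episode above says an ISP can read the site name from an HTTPS connection but does not show where in the handshake it sits. The following is an added example, not code from the podcast or its show notes: it builds a minimal TLS 1.2 ClientHello (constructed bytes, not a real capture, with a placeholder hostname) and then parses it the way a passive on-path observer would, walking the record and handshake framing from RFC 5246 to the server_name extension defined in RFC 6066. The second case, a ClientHello with no plaintext server_name, is what that observer is left with once the name is no longer sent in the clear, which is the problem Encrypted SNI addresses.

```python
"""Extract the plaintext Server Name Indication (SNI) from a TLS ClientHello.

Added example (not from the podcast). An on-path observer such as an ISP sees
the TLS ClientHello unencrypted, and the server_name extension (RFC 6066)
inside it carries the hostname the client wants. This builds a minimal TLS 1.2
ClientHello from constructed bytes and parses it as that observer would.
"""
import struct

TLS_HANDSHAKE = 0x16       # TLSPlaintext content type for handshake messages
HS_CLIENT_HELLO = 0x01     # HandshakeType client_hello
EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name extension type
EXT_EXTENDED_MS = 0x0017   # RFC 7627 extended_master_secret (empty body)
NAME_TYPE_HOST = 0x00      # NameType host_name


def build_client_hello(hostname=None):
    """Build a syntactically valid ClientHello record (constructed, not captured).

    Random and cipher suites are fixed dummies; only the framing matters here.
    With hostname=None no server_name extension is emitted, so the parser sees
    what an observer sees when the name does not travel in the clear.
    """
    extensions = struct.pack("!HH", EXT_EXTENDED_MS, 0)   # an extension the parser must skip
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list

    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += b"\x11" * 32                    # random (dummy)
    body += b"\x00"                         # session_id: empty
    suites = b"\xc0\x2f\xc0\x30\x00\xff"    # two ECDHE suites + renegotiation SCSV
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in server_name, or None if the extension is absent.

    Raises ValueError if the bytes are not a complete, well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        return _sni_from_body(body)
    except (IndexError, struct.error) as exc:
        # Short reads on untrusted bytes surface here instead of as a crash.
        raise ValueError("truncated ClientHello") from exc


def _sni_from_body(body):
    pos = 2 + 32                                             # client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos == len(body):
        return None                                          # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        entries = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(entries):                         # entry: type(1) length(2) name
            name_type = entries[i]
            (name_len,) = struct.unpack("!H", entries[i + 1:i + 3])
            name = entries[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == NAME_TYPE_HOST:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("www.example.com", None):
        print(f"observer sees SNI = {extract_sni(build_client_hello(host))!r}")
```

Running the file prints the hostname for the first ClientHello and None for the second. The same walk works on a real ClientHello pulled from a packet capture, which is exactly why the plaintext extension is a privacy problem: nothing in the handshake before the server_name is encrypted, so no key material is needed to read it. The bounds checks and the ValueError translation matter in practice too, because a parser like this sits on an untrusted byte stream.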
Sep 24, 2018 • 10min

Mobile Phone Call Scams, Pegasus Mobile Spyware, Newegg Data Breach – WB35

This is the Shared Security Weekly Blaze for September 24, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for September 24th 2018 with your host, Tom Eston. In this week’s episode: Mobile phone call scams, Pegasus mobile spyware, and the Newegg data breach.

Raise your hand if you’re sick and tired of receiving scam and fraudulent phone calls on your mobile phone. I’ll assume that all of you are probably raising your hand right about now, myself included. Well, not to be the bearer of bad news, but according to a recent report, nearly half of the mobile phone calls received in the US next year will be scams. A report from First Orion, which makes phone call data transparency solutions, notes a dramatic increase in mobile scam calls “from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019”.
Many of these calls are using a technique called “Neighborhood Spoofing”, which happens when a scammer makes their number look like a real local number, tricking the victim into picking up the call. Since these numbers are typically spoofs of real numbers, sometimes if you call these numbers back, you’ll get a real innocent person, not the scammer who spoofed the number. While many of us are either manually blocking scam calls through the features on our phones or using a third-party app to screen and block calls, the best way to stop these calls from happening seems to be with the mobile carriers themselves. First Orion seems to be addressing this with an in-network technology called “CallPrinting” that is said to significantly reduce the volume of scam calls. First Orion’s press release states that this technology will be used by one Tier-One US carrier this fall. In regards to third-party apps, I’ve recently installed an app called “AT&T Call Protect” which seems to work fairly well to block scam calls. This is a free app for AT&T mobile customers. I’d say that it’s slightly reduced the number of scam and robocalls that I’ve received, but I find it’s not perfect, as blacklisting scam numbers seems to be an endless pursuit. So what are your thoughts? Have any of you used these third-party scam call blocking apps? If so, we would be interested in hearing what you think about how effective these apps are so we can discuss on the podcast. Send us a message on Twitter, Facebook or email and let us know if these apps are helping or hindering your fight against scam calls on your mobile phone.

A fascinating report released by privacy and security research group Citizen Lab this week shows that a very sophisticated form of mobile spyware, called Pegasus, has been found on Android and Apple iOS phones in 45 countries including the US, UK and Canada. Some of these countries have been known for questionable human rights practices.
Citizen Lab researchers point out that Pegasus is being installed on devices to conduct cross-border surveillance and may be breaking the law in the US as well as in many other countries where Pegasus was found. Pegasus spyware is sold by an Israeli company called the NSO Group and has been used in the past by powerful nation states and governments to target human rights activists and other individuals under surveillance for one reason or another. In this recent research by Citizen Lab they estimate that Pegasus is being used by at least 33 different NSO Group customers. Back in 2016, one of these individuals targeted with Pegasus was UAE activist Ahmed Mansoor, who was able to provide Citizen Lab researchers his iPhone to analyze when he received a very odd and strange link sent to him via a text message. When clicking the link, this particular version of Pegasus launched three zero-day exploits for Ahmed’s particular version of Apple iOS and would have allowed full access to Ahmed’s phone, including activating the camera and microphone and sending off all passwords, text messages, and much more. Ahmed is currently serving ten years in a UAE prison for his postings about human rights abuse in the UAE. Keep in mind that this was back in 2016, and it’s reported that Pegasus spyware is much more powerful now and most likely is capable of exploiting even the most current versions of Apple iOS and Android phones. Check out our show notes if you’re interested in learning more about the NSO Group and its origins. Of course, there may be lawful uses of Pegasus spyware to either prevent terrorism or as part of a criminal investigation for national security. However, when a company starts selling very powerful surveillance spyware to any government willing to pay a very high price (side note: Pegasus is reportedly 8 million dollars for 300 licenses), it can be very disturbing to think of the consequences for everyone’s privacy and security across the world.
Newegg, which is one of the largest online electronics retailers in the US, became the latest victim of yet another customer credit card data breach this past week. The attack on Newegg exposed the credit card information of anyone purchasing products over a period of more than a month, between August 14 and September 18 of this year. This latest breach has been linked to the recent series of data breaches tied to the Magecart criminal group, which is to blame for similar credit card breaches of British Airways and Ticketmaster. The Newegg attack was very similar to the British Airways breach in that simple JavaScript code was inserted into the checkout process which would send credit card data over to a Magecart-controlled server. Newegg customers would have no idea that their credit card information was being compromised, and their order with Newegg would process as normal. No statement has been released yet from Newegg regarding how many customers were affected or what specifically the attack vector was. However, the Magecart criminal group responsible for the attack seems to be targeting large businesses that are processing lots of orders. In the Ticketmaster attack earlier this year it was found that vulnerable third-party code from a chat system, called Inbenta, was to blame. This latest breach should give all of us cause for concern when putting our credit card into any third-party site. As we’ve discussed on the show before, card-not-present fraud, where you provide your credit card details to a merchant over the Internet, is the most popular way for attackers to gain access to millions of credit cards very quickly. Using new payment methods like Apple Pay, Samsung Pay or Google Pay is a much more secure way to pay for anything over the web instead of the traditional way of entering card information into a shopping-cart-style checkout process.
However, not many businesses support these new forms of payment technology and for businesses, there can be a very large cost to integrate new payment systems into legacy systems. Until businesses decide to make the investment, perhaps after they’ve fallen victim to yet another credit card breach, we all need to keep a close eye on our credit card statements and perhaps think of alternative ways to pay for products and services over the web. That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Mobile Phone Call Scams, Pegasus Mobile Spyware, Newegg Data Breach – WB35 appeared first on Shared Security Podcast.
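The Newegg and British Airways incidents described in the transcript above both came down to a script on the checkout page sending card data to a host the merchant never intended to talk to. A Content-Security-Policy is one control a site can use to cut off that exfiltration path at the browser, and the following is an added example (not code from the podcast, from Newegg, or from any Magecart analysis) that parses a CSP header and evaluates which outbound requests a checkout page would be allowed to make under a weak policy versus a hardened one. The hostnames (shop.example, js.pay.example, api.pay.example, cdn-assets.attacker.example) and the request list are constructed for the example. The matcher implements only a subset of CSP source matching (self, none, scheme sources, host sources with wildcard subdomains and ports; no nonces, hashes or path matching), which is enough to show the effect of connect-src, img-src and form-action.

```javascript
// Added example: evaluate a Content-Security-Policy against the outbound requests
// a checkout page makes, to show how connect-src / img-src / form-action would
// stop a Magecart-style skimmer from shipping card data to an attacker host.
// All hostnames and requests below are constructed for this example.

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression match the request URL? Handles 'self', 'none',
// scheme sources ("https:") and host sources ([scheme://][*.]host[:port]).
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr;
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false; // keyword we do not model (e.g. 'unsafe-inline'): no host match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const h = url.hostname;
  const hostOk = wildcard ? (h.endsWith('.' + host) && h !== host) : h === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const effective = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (effective !== port) return false;
  }
  return true;
}

// Is a request to `target` governed by `directive` allowed? Fetch directives
// fall back to default-src when absent; form-action does not fall back.
function isAllowed(policy, directive, target, pageOrigin) {
  let sources = policy[directive];
  if (sources === undefined && directive !== 'form-action') sources = policy['default-src'];
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const url = new URL(target);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Annotate each {directive, url} request with whether the policy allows it.
function evaluateRequests(policy, requests, pageOrigin) {
  return requests.map((r) => ({ ...r, allowed: isAllowed(policy, r.directive, r.url, pageOrigin) }));
}

// Constructed scenario: a checkout page whose only legitimate third party is a
// payment gateway; an injected skimmer tries three common exfiltration routes.
const PAGE_ORIGIN = 'https://shop.example';
const WEAK_CSP = "default-src 'self' https:"; // any HTTPS host may receive data
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://js.pay.example; " +
  "connect-src 'self' https://api.pay.example; form-action 'self'";
const CHECKOUT_REQUESTS = [
  { directive: 'script-src',  url: 'https://shop.example/static/checkout.js' },
  { directive: 'script-src',  url: 'https://js.pay.example/v1/gateway.js' },
  { directive: 'connect-src', url: 'https://api.pay.example/tokenize' },
  // skimmer exfiltration attempts (constructed attacker hostname)
  { directive: 'connect-src', url: 'https://cdn-assets.attacker.example/collect' },
  { directive: 'img-src',     url: 'https://cdn-assets.attacker.example/p.gif?card=...' },
  { directive: 'form-action', url: 'https://cdn-assets.attacker.example/submit' },
];

// Return the URLs from the scenario that a given policy would block.
function exfilBlockedBy(cspHeader) {
  const results = evaluateRequests(parseCsp(cspHeader), CHECKOUT_REQUESTS, PAGE_ORIGIN);
  return results.filter((r) => !r.allowed).map((r) => r.url);
}

for (const [label, csp] of [['weak', WEAK_CSP], ['hardened', HARDENED_CSP]]) {
  console.log(`${label} policy blocks:`, exfilBlockedBy(csp));
}
```

The weak policy blocks nothing, because `https:` in default-src lets the skimmer beacon to any TLS host and the missing form-action leaves form submission unrestricted. The hardened policy blocks all three exfiltration attempts while the legitimate first-party script and gateway calls still go through. A CSP does not stop the injection itself (that is a supply-chain and integrity problem), but it turns a silent exfiltration into a blocked request and, with `report-uri`/`report-to`, into a signal your monitoring can see.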
Sep 17, 2018 • 9min

Malware-Less Email Attacks, Equifax Breach Updates, Vizio Class Action Lawsuit

This is the Shared Security Weekly Blaze for September 17, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones directly via your web browser by clicking here. You can also watch each episode of the podcast on our YouTube Channel! Show Transcript This is your Shared Security Weekly Blaze for September 17th 2018 with your host, Tom Eston. In this week’s episode: Malware-less email attacks, Equifax breach updates and the Vizio class action lawsuit. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Security vendor FireEye released research this past week which shows that 90% of the half-a-billion emails blocked through their product in the first half of 2018 were found to be “malware-less”, meaning there were no malicious attachments or other code within the email itself that would attempt to compromise victims. Phishing actually made up 81% of what are considered malware-less attacks. Malware-less attacks also use impersonation of a trusted sender or company and include intimidation, links to malicious sites and sometimes forged requests.
Other interesting data points include: malware-based attacks were most common on Mondays and Wednesdays, and malware-less attacks were most likely to occur on Thursdays. Data from the report also notes that phishing attacks will continue to rise. Just for a minute, let’s forget about the day of the week that attacks like these are most likely to occur and focus on what you should do if you do receive a malware or malware-less email in your inbox. As we all know, social engineering techniques are often used to convince you to click a link or submit sensitive information to the attacker. In fact, we just released episode 80 of our monthly show with social engineering expert Chris Hadnagy, in which we talk to him about the different types of social engineering techniques used in phishing and many other types of attacks. It was great having Chris on the show, so definitely give this episode a listen. Emails using social engineering techniques are one of the most popular ways to target victims because email is still one of the primary means of communication that we all use, especially in the business world. While many businesses typically have some type of security product to screen emails for potential attacks, it won’t help in situations with personal email or when these products don’t work as expected. Your first line of defense is to “think before you click”. This means for any suspicious email, take a step back for 30 seconds, read the email carefully and look for clues that indicate that the email might be a phishing attack. Check out our show notes for a great guide put together by Tripwire on the six most common phishing attacks and how to protect against them. The Equifax data breach last year, which exposed the personal information of almost half of the US population, has yielded very little change in regards to Equifax profits and any federal laws that could be implemented to prevent another breach as large as this one.
The Chicago Tribune reported in an article last week that Equifax posted record revenue last quarter of $877 million and will most likely post a record profit next year. In fact, Equifax has recovered about 90 percent of the losses that resulted from last year’s data breach. I’m actually a little surprised that Equifax has been able to “skate” around any financial penalty or other serious impact to their business. It does make you wonder how they have been able to keep the public reaction to this data breach to a low roar. It seems that the only positive news coming out of this data breach is that there is more awareness from a consumer and legislative perspective, as well as a pending class action lawsuit that is still in the early stages of development. One small but recent win for consumers is that President Trump signed a bill into law this past May which states that consumers can freeze their credit for free, beginning this week on September 21st. This new law will remove the $5-$10 fee that was imposed by the various credit agencies when freezing your credit. Freezing your credit is highly recommended, so check our show notes for a link to our previous episode on how to go about freezing your credit. Vizio, which is one of the world’s largest manufacturers of smart TVs, is developing a notice about a class action lawsuit that will be pushed to and displayed on all Vizio smart TVs. This recent development is because of the class action lawsuit that was initiated after the US Federal Trade Commission made Vizio agree to a $2.2 million settlement. This settlement was agreed to because in 2015 Vizio was caught collecting and then selling user data to advertisers. This data included information like your IP address, TV viewing habits, TV shows being watched, and even DVDs being played on your TV. All of this data was being collected without user consent, which got Vizio into hot water.
Since then Vizio has implemented a user consent policy when first setting up and installing a new Vizio TV. However, as we’ve pointed out on the podcast previously, TV manufacturers often require users to consent to allowing viewing habits to be collected, or any “smart” TV features, like using Netflix and other streaming apps, are disabled. Essentially, by not allowing your data to be collected and sold, you have made your TV “dumb”, which was probably not the desired outcome when you purchased your shiny new smart TV. While Vizio has until October 3rd to provide this notice to TV owners, it should be interesting to see how a large class action lawsuit like this plays out. If you happen to be a Vizio TV owner, will you participate in the class action lawsuit? We would be interested in hearing from you so we can discuss your thoughts on a future episode of the podcast. Hopefully this recent controversy with Vizio sets a precedent for smart TV and Internet of Things manufacturers that the privacy of our information is not always for sale, and that a class action lawsuit may be looming for those manufacturers that don’t take the privacy of their customers seriously. That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Malware-Less Email Attacks, Equifax Breach Updates, Vizio Class Action Lawsuit appeared first on Shared Security Podcast.
Sep 13, 2018 • 27min

Episode 80 – Special Guest Chris Hadnagy and Social Engineering The Science of Human Hacking

This is the 80th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright recorded September 5, 2018. Listen to this episode and previous ones direct via your web browser by clicking here! This podcast is also available to watch on our YouTube Channel. In this very special episode we’re joined by Chris Hadnagy (@humanhacker) who is the author of the new book “Social Engineering: The Science of Human Hacking”. We talk with Chris about his new book, how Social Engineering has changed over the years and what he’s been up to with his organization the Innocent Lives Foundation, Social-Engineer.com and the recent DEF CON SECTF (Social Engineering CTF). Here are the links that we mentioned on the show: Our previous interview with Chris in Episode 68 Innocent Lives Foundation Social-Engineer.org Order Chris’ new book on Amazon Thanks to Chris for being a guest on our show! The post Episode 80 – Special Guest Chris Hadnagy and Social Engineering The Science of Human Hacking appeared first on Shared Security Podcast.
