

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes
Mentioned books

Sep 10, 2018 • 10min
Five Eyes Security Alliance, Google and Your Offline Purchases, Privacy by Default in Firefox
This is the Shared Security Weekly Blaze for September 10, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here. You can also watch the podcast by subscribing to our YouTube Channel!
Show Transcript
This is your Shared Security Weekly Blaze for September 10th 2018 with your host, Tom Eston. In this week’s episode: The five eyes security alliance, Google and your offline purchases, and privacy by default in Firefox.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The “Five Eyes”, which is a long-running security alliance between the US, UK, Australia, New Zealand, and Canada, agreed in their annual meeting a few weeks ago that “privacy is not absolute” and “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”. In addition, it was also stated that technology companies should be urged to “voluntarily establish lawful access solutions to their products and services”. If that is not possible, due to push back from technology companies, intelligence agencies may take matters into their own hands. What this means is that if technology companies do not build or develop backdoors into their products, law enforcement may develop their own ways to hack into devices or could work to enact legislation to eventually force technology companies to create these backdoors.
Encryption and government backdoor access, as you may remember, has been a very hotly debated topic, as the needs of law enforcement often conflict with the needs of encryption and privacy that we are all entitled to. We all realize that the same encryption that we use to safeguard our legitimate private and business data is the very same encryption that criminals use. However, allowing our governments backdoor access to bypass or circumvent encryption weakens security for all of us. You may recall the controversy over the FBI asking Apple to break into the seized iPhone from the San Bernardino shooting that took place in 2015. Apple rejected the FBI’s demand, so the FBI apparently found their own way to access the device from professional hackers that may have had a 0day vulnerability to allow access to the iPhone. I would suspect that because of this new rhetoric from government alliances such as the “Five Eyes”, the 0day market for exploits allowing governments ways to bypass encryption solutions is going to become much more popular as the arms race around encryption and privacy continues.
It seems that we can’t stop all the news about how Google uses your information to serve you more ads or to track your location, even if you disable the setting to not allow location tracking. If that wasn’t bad enough, it was reported last week that Google has a secret deal with Mastercard to track what users are purchasing offline. According to a report by Bloomberg, sources with knowledge of the deal say that Google and Mastercard have been negotiating for about four years to allow Mastercard transaction data in the US to be encrypted and sent to Google. This data would allow Google to match existing Google users to actual physical purchases. This means that when Google users click on ads, those clicks can be tracked to actual sales in physical stores. In response to this Bloomberg article, Mastercard has stated that they do not provide any transaction data to third parties and that Mastercard does not “know the individual items that consumers purchase in any shopping cart – physical or digital”. Google has also stated that it does not have access to any personal information from its partners’ credit and debit cards, and that Google does not share any personal information with its partners. So who are we to believe?
First, we need to keep in mind that Google’s ad business had 95.4 billion dollars in sales just last year alone. You know as well as I do that Google is going to do everything that they can to keep these dollars coming in and to keep advertisers happy. If Google can change the advertising world by leveraging data that it collects about its users, financial data or not, they are going to do it. It also means that regardless of what Mastercard and Google tell you, there are large privacy concerns that need to be addressed, especially if we’re talking about physical transactions being made in a store that could be linked back to you. My take is that more than likely, in the terms and conditions that we agree to when signing up to use a credit card, we allow our personal data to be used for “marketing purposes”. Marketing purposes can have many different meanings, but it’s unfortunately not up to us to decide how our data will be used by the credit card companies. The simplest solution is to not use or sign up for a credit card, but that is very difficult for many of us to do. What we can do is be more aware of how our data is being used by reading the terms of service and privacy policies of the credit card services that we utilize. If you don’t agree to the terms, simply don’t use the product or service and find an alternative way of paying for products, like good old cash.
Mozilla, the maker of the Firefox web browser, announced last week that new versions of Firefox, by default, will block third parties from tracking browser behavior. While current versions of other browsers like Google Chrome have similar options, users must enable these features, as by default these settings are not enabled. This move by Mozilla puts the “always on by default” blocking of ads and trackers more in line with newer privacy-aware browsers like Brave. Mozilla seems to be moving more in the direction of building in ad-blocking and anti-fingerprinting technology instead of the traditional model of allowing users to install various third-party browser plugins, which can be installed in Firefox as an extension. My guess is that browsers like Brave are starting to become more competitive, especially now that the privacy of our data is top of mind for many of us, particularly because of high-profile coverage of things like the Facebook Cambridge Analytica controversy. My take is that I hope more companies use Mozilla as an example and implement similar “privacy by default” features. I would also take that a step further and encourage companies to implement something called “privacy by design” as well. In the cybersecurity world we often use the term “secure by design”, which means that when anything is developed, security is implemented from the beginning, in the design phase. This always works out better for the product, the consumers and our data than adding security features when a product or service is already out on the market. The same holds true for privacy. The more companies can build privacy controls into their products and ship them with those controls on by default, the more protected our data will be. And I am certain that the companies that do “privacy by design and default” will also be more successful and profitable as well.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Five Eyes Security Alliance, Google and Your Offline Purchases, Privacy by Default in Firefox appeared first on Shared Security Podcast.

Sep 3, 2018 • 9min
US Federal Privacy Law, WhatsApp Google Drive Warning, Improved Security for Instagram
This is the Shared Security Weekly Blaze for September 3, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for September 3rd 2018 with your host, Tom Eston. In this week’s episode: US Federal Privacy Law, WhatsApp’s Google Drive Warning and Improved Security for Instagram.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The New York Times reports that the technology industry in the United States is beginning to lobby the Trump administration to create federal privacy legislation. Sources say that this proposed federal privacy law would first overrule the recent California privacy law and second, be much softer and less restrictive than the California law in regards to the way personal data is handled by technology companies. You may remember that back in July of this year the state of California passed their own privacy law, which is very similar to the European Union’s GDPR privacy legislation that went into effect this past May. It’s no surprise that technology companies like Google, Facebook, and others who have come under great scrutiny over the way that they protect and use our data are now “freaking out” over the possibility that if they don’t act soon to heavily influence the creation of a federal privacy law, their businesses and profitability will suffer greatly. The California Privacy Act and GDPR have been huge wins for data privacy around the world but have caused much pain for companies like Google and Facebook that rely on advertising revenue, which is built from the collection of your private data.
Look, there will most likely be a federal privacy law enacted in the US at some point. What that eventually looks like is anyone’s guess. I will say that it’s going to get complicated very quickly when the technology lobbyists that have tons of money, from companies like Facebook and Google, push their own agendas. Moreover, add in the various trade groups such as the US Chamber of Commerce and others that are trying to enact voluntary standards that businesses can follow vs. the federal laws. Federal laws would most likely enact fines for breaking the law. It’s unfortunate that our digital privacy seems up for grabs by corporations and governments more than ever before.
Are you an Android user that is storing your WhatsApp data backups in Google Drive? If so, you need to know that backups of your WhatsApp messages are not encrypted once they leave your device and are stored within Google Drive. Last week, WhatsApp reminded its users that backup services like Google Drive may not have the same protections, such as end-to-end encryption, that WhatsApp provides while using the app. This announcement came to the forefront due to recent news that Google has now stopped WhatsApp backups from counting towards Google Drive space limits. On the other hand, if you’re a WhatsApp user on Apple iOS, your backups are sent to iCloud, which does provide end-to-end encryption of WhatsApp backup data by ensuring anything that is stored at the server level is encrypted. This means that the WhatsApp backup data file itself is not encrypted but the location within Apple’s iCloud storage is. I think that you know why Google Drive is not encrypted, right? Google is using data from your documents, just like your email in Gmail, to serve you more ads.
This news from WhatsApp should make you think about how any of your backups are stored and what would happen if backups for your computer, phone or an application that was storing sensitive data were lost or stolen. It’s an interesting question, as cloud-based storage seems to be all over the place in regards to who encrypts data stored at the server level (also known as ‘at rest’) and who doesn’t. For example, I was surprised to learn that Microsoft OneDrive is only encrypted for Office 365 business users and not for personal accounts. So what are some quick solutions? With any backup that you make through a cloud-based solution, take a few minutes to investigate through a simple web search whether they are using encryption to store your data. If they are not, consider using a tool to encrypt sensitive files before uploading them to a cloud backup solution. Check out our show notes for a good guide on several encryption tools that work well with many different types of cloud storage providers.
Instagram finally announced that they will begin rolling out the ability for users to enable app-based two-factor authentication as a more secure way to protect access to Instagram accounts. App-based two-factor authentication uses an app like Google Authenticator, Authy or Duo to provide a code or to allow a button push (in the case of Duo) instead of receiving a text message. As we reported on the podcast just last week, Instagram has had a major problem with many users reporting that their accounts have been compromised, even with SMS-based two-factor authentication enabled. Instagram, like many other apps, only allows SMS-based two-factor authentication. SMS-based two-factor authentication is no longer considered secure, and many apps and businesses are just starting to think about moving off of it. As we’ve mentioned several times on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port-out scams. Instagram users should start to see this new feature being rolled out to their accounts in the coming weeks, in addition to a few other updates including a new way for high-profile accounts to request verification.
One interesting bit of research this past week from reporter Brian Krebs showed that SMS two-factor authentication is still the only way to reset your password via the Instagram app. This is a fairly large hole given that app-based two-factor authentication is now available for the standard login process. Let’s hope that Instagram fixes this issue as well, because even with app-based two-factor authentication enabled, it won’t stop a dedicated attacker from SIM hijacking your phone number and then resetting your password. Check out our show notes for a link to a site called twofactorauth.org to see the types of two-factor authentication in use by many of the popular apps that you may be using. We always recommend using some form of two-factor authentication instead of just using a password alone.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post US Federal Privacy Law, WhatsApp Google Drive Warning, Improved Security for Instagram appeared first on Shared Security Podcast.

Aug 31, 2018 • 36min
Election Hacking and Vulnerable Voting Machines
This is the 79th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright and was recorded on August 23, 2018. Listen to this episode and previous ones direct via your web browser by clicking here!
This episode is available on our YouTube Channel and is the very first episode that we recorded over video via Skype! We apologize for the poor video quality at times and will be testing additional video streaming via Facebook or YouTube live in the future. Please subscribe to our channel and let us know how you like this new format!
In this episode Tom and Scott discuss election hacking, which has been top of mind for many of us and a hot topic in the news, especially with the midterm elections coming up in the United States. Tom talks about the DEF CON Voting Machine Hacking Village, what was discovered, and how hacking voting machines will hopefully make elections more secure in the future. As mentioned on the show, we recommend checking out previous podcast guest Rachel Tobac’s short video on how easy it was to hack a voting machine used in 18 US states in under 2 minutes:
At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl
— Rachel Tobac (@RachelTobac) August 12, 2018
Scott also discusses the recent phishing “attack” on the Democratic National Committee (DNC) that actually was an authorized phishing test, and some of the challenges with disclosing or not disclosing phishing tests to employees.
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The post Election Hacking and Vulnerable Voting Machines appeared first on Shared Security Podcast.

Aug 27, 2018 • 12min
New TSA Body Scanners, Back to School Cybersecurity, Instagram Hacking
This is the Shared Security Weekly Blaze for August 27, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 27th 2018 with your host, Tom Eston. In this week’s episode: New TSA Body Scanners, Back to School Cybersecurity, and Instagram Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable, and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The city of Los Angeles, California, in partnership with the US Transportation Security Administration, jointly announced that the city of Los Angeles is purchasing body scanners that will be used to screen metro riders. This new body scanning technology will be used to help detect weapon and explosive device security threats on one of the largest public transportation systems in the US. The Los Angeles metro system is also the first transportation agency in the nation to purchase such equipment. The technology is similar to what is used at airports, called millimeter wave technology, but does not emit radiation and no anatomical body images are displayed. What makes this type of scanner technology different is that these work off of your body heat and can detect objects that are hidden when heat waves are blocked. The other big difference is that metro passengers just need to walk by the scanners and not stop to line up like you normally would going through airport security. The other advantage is that the devices are portable, meaning they can be moved to a different area of a public transportation system if needed.
This news reminded me of a scene from the 1990 movie “Total Recall” with actor Arnold Schwarzenegger. There was a scene where passengers in the movie walked through a security system that was essentially an “x-ray” of their body. Skeletons of passenger bodies were displayed as security personnel observed passengers to detect weapons that might be coming into the transportation system. Back in 1990, most people watching that scene must have felt a little uneasy and concerned about the privacy ramifications of such invasive security technology. Funny that this was just a pipe dream back in 1990, but now, very much a reality 28 years later. Given the security climate since 9/11, this technology shouldn’t really surprise anyone. Coming full circle, privacy concerns are still very real today. In fact, there have been many cases of the TSA screening passengers inappropriately and abusing technology like this by violating passengers’ privacy all in the name of “keeping us all safer”. Let’s hope that when this new scanning technology rolls out across the US, and I would assume across most of the world, we continue to hold the people in charge of these systems accountable to ensure our privacy while balancing the needs of security.
It’s that time again as school is starting back up for most students and we begin the yearly tradition of getting kids ready and prepared for school. With the new school year being top of mind for many of us, it’s a great time to think about how our schools are protecting student data from attackers looking to compromise and steal confidential student information. As of this podcast recording, according to the K-12 Cybersecurity Resource Center, there have been 356 cybersecurity-related incidents targeting K-12 schools since January 2016. Many of these incidents were ransomware attacks. Surprisingly, in 2016 it was noted by the US Department of Education that 60 percent of K-12 schools that were victims of ransomware attacks actually paid their attackers to get stolen student data back. There have also been other disturbing stories, like one recent incident in the Tulsa, Oklahoma Public School district where confidential student records were found in a dumpster. But it’s not only the outside attackers and careless school personnel you have to worry about, it’s also the students themselves. There has been a sharp increase in recent years in students hacking into their school networks and applications in order to change grades and attendance records.
Based on these recent statistics and news stories, you may be curious to know what the schools your kids go to, or the ones in your area, are doing to protect student data. Well, depending on the school system and the school itself, there may not be much being done. I highly recommend watching this interesting YouTube interview from the Archer News Network about what teachers, students and cybersecurity professionals are saying about this topic. This interview, available in our show notes, shows that most school districts do not have the funding or expertise to properly protect school networks and systems from a cyberattack. But it gets even more basic than that. There is an overall lack of security awareness among teachers, students and school administrators, which has led to a huge problem given that there are so many different types of cybersecurity threats to schools. It’s really a human problem, more so than it is a technology problem. I recall many years ago when my daughter was given her first user name and password to access one of the systems that she required for gaining access to class material and homework assignments. The password given to her was “password123” and there was no option to allow my daughter to change it. There was also no education given to her about basic password security. Thankfully, I’m her father, so we had a learning opportunity, which was a good thing to happen! Now this was about five years ago or so, but do you think anything has changed? I’d be willing to bet that many of the hacks that we see schools falling victim to are because of things like easy-to-guess passwords and the lack of very basic security awareness.
So what can we do about improving the cybersecurity of our schools? First, we need to ask our schools what they are doing about this problem and what controls and practices they have in place to help prevent a cyberattack from occurring. For example, you can ask questions to see if they are monitoring for attacks, whether they are following any government cybersecurity standards, how they are educating teachers and students on cybersecurity basics, and whether they have an incident response plan. So if there ever was a ransomware infection, data breach or student hacking incident, how is the school going to react and respond, and of course notify parents and authorities? There is no simple answer to solve any of these problems in our schools, but what we can do is ask questions and begin to drive these important conversations that need to start happening with school boards and administrators.
Over the last week there has been a rise in Instagram accounts that are being hacked, despite users using complex, non-guessable passwords and even two-factor authentication on their accounts. Apparently this started happening at the beginning of August, and it’s unknown how attackers have been compromising accounts, with no acknowledgement from Facebook, which happens to own Instagram. News site Mashable posted an article last week stating that about 275 people have contacted them about their accounts being hacked and noted that several users said their accounts were locked out with no warning, even with two-factor authentication enabled. Many of the Instagram accounts being compromised are ones that are considered “high value”. High-value Instagram accounts are ones with thousands of followers, are used by celebrities, or are accounts that have three-letter or shorter account names. Many have speculated that the cause may be SIM hijacking, which is one of the most popular ways to compromise Instagram accounts right now. However, others have speculated that the cause could be traditional phishing attacks for Instagram credentials, an undisclosed vulnerability in the Instagram app or backend services, or even exploitation of the ancient SS7 network protocol that’s still being used by telecommunications companies around the world to send text messages. SS7 (which stands for Signaling System Number 7) has several known vulnerabilities and can allow an attacker to hijack communications and track the real-time location of someone, and it has been used in the past to redirect SMS-based two-factor authentication for banking logins.
Unfortunately for users of Instagram, Instagram has yet to deploy an alternative to SMS-based two-factor authentication, which we all know by now is considered insecure. However, sources say that a more secure way of two-factor authentication is currently being developed by Instagram and is in the process of being tested. To top this all off, Instagram support hasn’t been very helpful either for users that have had their accounts compromised. This of course is unfortunate given that many people make their living off of Instagram or rely on it for their business. My take is that a lot of times, you could do everything right from a security perspective and still have your account compromised. Just like we see with all the massive data breaches that happen on a weekly basis, we often have no control over our information because we trust that someone else is properly securing it for us. One suggestion I have is to be more aware of who we give our data to and perhaps not sign up for a particular service if we’re really concerned that someone else may not protect our private data the way we expect. As we like to say on the podcast, we all need to make better risk decisions because nobody else can make them for you.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post New TSA Body Scanners, Back to School Cybersecurity, Instagram Hacking appeared first on Shared Security Podcast.

Aug 20, 2018 • 11min
The Shared Security Weekly Blaze – ATM Cashout Attacks, Mobile Phone Voicemail Security, Google Location Tracking
This is the Shared Security Weekly Blaze for August 20, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 20th 2018 with your host, Tom Eston. In this week’s episode: ATM cashout attacks, mobile phone voicemail security and Google location tracking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
This is the 30th episode of the Weekly Blaze Podcast! I wanted to give a quick shout out and thank you to our listeners and sponsors for supporting the show! Thank you for all the feedback that you provide and we look forward to bringing you more great content in the coming weeks and months. Thanks for listening!
The Federal Bureau of Investigation is warning banks that criminals are looking to carry out a highly organized global “ATM cash out” in which criminals take previously cloned credit cards and use them at ATMs around the world to withdraw millions of dollars of cash all within a few hours. In the past, this attack has been done around a holiday when banks and financial institutions are closed. This is because the limited staff at banks during a holiday make it difficult for a bank to quickly respond to an attack like this. Similar attacks in the past have targeted small to medium sized banks, which may not have the robust security and fraud teams that a larger bank may have. Brian Krebs from Krebsonsecurity.com reports that this most recent FBI alert was related to a card breach of a bank in India called Cosmos. In this incident attackers drained $13.5 million from accounts using cloned cards at 25 different ATMs located in India, Hong Kong and Canada. Malware was also installed on the bank network which was used to help process the fraudulent ATM transactions. In the alert to banks the FBI noted several common tips to help prevent banks from becoming a victim, but the truth of the matter is that many small and medium sized banks do not have the resources or staff to properly defend their systems from a dedicated attacker on their network. The best course of action for the rest of us is to stay vigilant about checking our credit and debit card statements and ensure you set up some type of fraud alerts for any transactions that may happen on your card. As a reminder, using a debit card instead of a credit card can be more risky due to the fact that money is instantly removed from your checking account and it can take weeks for the bank to reimburse you. Check out our show notes for a link to our episode on credit card fraud in which we discuss tips on how to prevent becoming a victim of this type of crime.
When was the last time you thought about the security of the voicemail on your mobile phone? If you’re like most of us, probably not at all. But as one security researcher named Martin Vigo demonstrated at the DEF CON hacking conference in Las Vegas this past week, it’s all too easy to hack into someone’s voicemail. Why would someone want to hack into your voicemail you may ask? Well there are many popular online apps and services that use a phone call to deliver a code that you can use to verify your identity through things like a password reset process. You may be surprised to know that this is a popular option for authentication alongside SMS text messaging, which hopefully all of you know is considered insecure. If you can hack someone’s voicemail, you now have the potential to compromise someone’s email, social networks, banking apps, conversations and much more. Martin’s research showed that sites like PayPal, WhatsApp, Instagram and LinkedIn all have a feature to call you to reset your password.
So how does one go about hacking into someone’s voicemail? The first step is to find the backdoor number for the victim’s mobile carrier which allows you to log in to the voicemail system to hear messages. Voice mailboxes are protected with a PIN code and many of these mailboxes are configured with default or easy-to-guess PIN codes, many of which are only 4 or 6 digits in length. In fact, Martin wrote a tool that can brute force common PIN codes and can also try random combinations of numbers until one of them works. Once this access is gained there are several techniques that Martin describes are available to flood the victim’s number or to determine if the phone is powered on or not so that when the password reset process calls the victim’s number, the call goes straight to voicemail. In a blog post written by the researcher, he describes multiple attack scenarios using several workarounds for bypassing different types of voicemail systems. Check out our show notes for a link to this really impressive research. While Martin did contact the major mobile carriers about the issues he found, the response from these companies was, not surprisingly, less than impressive. There are, however, some things that you can do to protect your voicemail. First, use a strong PIN on your voicemail account. That means something greater than the default given to you and make sure it’s long and unique. You may have to look up your own mobile carrier’s process for changing your PIN but in the show notes we’ve provided links to AT&T’s and Verizon’s process. Next, don’t provide your phone number to online services unless it’s required or it’s the only way available for two-factor authentication. As mentioned on the podcast previously, we recommend using a virtual phone number like Google Voice to prevent SIM hijacking attacks that are very popular right now. Lastly, use app based two-factor authentication like Authy or Duo if it’s available from the online service you’re using.
Hopefully through awareness and research done from security researchers like Martin Vigo, the mobile carriers look at further ways to increase the security of voice mail systems.
Google was in the news this past week regarding an Associated Press investigation that found many Google services store your location data despite disabling Google’s own privacy controls that allow you to prevent your location from being shared. In most cases while using apps like Google Maps, it’s a given that your location is going to be used. However, if you disable a setting called “location history” Google will still collect your location data. Regardless of this setting, just by opening up the Google Maps app your location is shared, the built-in weather app if you have an Android phone shares your location, and many other different situations like making certain web searches may trigger Google to also record your location.
Google argues that the location history setting is doing what it was designed to do but critics, like Jonathan Mayer, the Princeton researcher that worked with the Associated Press on this, quickly point out that quote “If you’re going to allow users to turn off something called ‘location history’, then all the places where you maintain location history should be turned off,” Mayer said. “That seems like a pretty straightforward position to have.” end quote
Totally turning off location sharing on all Google apps and services is quite the daunting task and it’s not clear if in certain cases your location data is being tracked or not. Not only do you have to disable location history but you need to disable something called “web and app activity” which stores all types of information about your activities on Google’s various apps and services. Changing this setting only prevents Google from adding your location to something called their “timeline” but it does not fully prevent Google from tracking you through other means. You’ll have to delete each location record individually or delete all of your stored activity which is essentially what we call hitting the “big red button”. It should be no surprise to anyone that Google insists on tracking your location, and making it difficult to turn off, because it’s another way for Google to boost advertising revenue. If you’re interested in seeing all the data that Google is collecting about you, you can visit myactivity.google.com while logged into your Google account. If you use many different Google services you may be very surprised to see the amount of detail that Google collects about your activities. With the news of this recent location tracking issue it may be yet another reason to move off of Google’s services completely, especially if you’re really concerned about your location privacy.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Aug 13, 2018 • 9min
The Shared Security Weekly Blaze – Facebook and your Financial Transactions, Smart Home Security, Critical HP Printer Vulnerabilities
This is the Shared Security Weekly Blaze for August 13, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 13th 2018 with your host, Tom Eston. In this week’s episode: Facebook and your financial transactions, Smart Home security and critical HP printer vulnerabilities.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The Wall Street Journal reports that Facebook is asking large banks to share customer information and financial records so that they can potentially offer financial services via Facebook Messenger. The proposal from Facebook includes getting access to bank customers’ card transactions, account balances as well as information on where customers are spending their money. In return for customer information, Facebook will provide banks with access to Facebook user information, which may be lucrative to a large bank looking to sell and target their services to existing and new customers. Facebook has said that they would not use any information provided by banks for targeted ads and would not share this data with third-parties. This news comes as Facebook is still conducting damage control on their public relations after the infamous Cambridge Analytica scandal where the personal data of approximately 87 million Facebook users was harvested without user consent.
My take on this story is that Facebook needs to find new and innovative ways to collect user data which in turn allows companies to use the Facebook Platform to give you, guess what, more ads. We all know how Facebook makes money and that’s through your data being used to sell you more stuff. It should be no surprise then that Facebook is looking to get into the social financial business recently made popular by PayPal’s Venmo app. Haven’t heard of Venmo? Venmo is an application which allows social sharing of financial transactions. Venmo itself has also been in the news recently for the ease with which anyone can publicly view the financial transactions of anyone using the app. This is because all Venmo transactions are made public by default. This past July a savvy developer created a Twitter bot called “@VenmoDrugs” to showcase any financial transactions related to drug deals, sex or alcohol. The developer eventually removed the Twitter account after being the center of some controversy and news reports, but it does demonstrate that there is money to be made with an app that allows transactions to be public by default. Venmo won’t be the last app that will monetize the social sharing of financial transactions and it seems Facebook doesn’t want to be the last.
Have you recently sold your home or moved into a home that has smart devices like thermostats, lights, cameras, alarm systems and other “Internet of Things” devices installed? Have you thought about resetting or changing the passwords that would allow access to those devices? Smart-device security, especially in a home that is being sold or if someone is moving out because of a domestic abuse situation, is being reported as a large problem that many people are now dealing with. For example, it can be very common for an ex-husband to leave a home due to a pending divorce but still have access to all the smart-devices like lights, cameras and even thermostats. This can lead to abuse of this technology and cause real privacy concerns, especially with victims of domestic abuse. In regard to new homes, we all know that whenever you purchase a home that had a previous owner, you should always change the locks, garage and alarm codes and anything else that the previous owner had knowledge of. But if you happen to inherit smart devices as part of the purchase, you need to make sure you reset these devices back to default to ensure any previous access is removed. For other domestic situations, it’s advisable to reset any Internet of Things devices as well as ensure you have administrative access to these accounts, or disable or change passwords as necessary. With the increase of smart-devices in our homes we need to ensure we add smart devices to the list of things to secure whenever our living situations change.
Do you own an HP Inkjet printer? If so, you may have to patch your printer due to recent critical vulnerabilities that were identified by security researchers in approximately 166 different models of HP Inkjet printers. These models include popular OfficeJet, DeskJet, Envy, as well as DesignJet and PageWide Pro printers. HP states that these two vulnerabilities would allow an attacker to create a file that can be sent to the printer to cause a stack or stack buffer overflow allowing remote code execution. Check out our show notes for details from HP to see if your specific printer is vulnerable and to learn how to update your printer if affected.
So, you may be asking yourself…why should I care about printer security anyway? Well, printer security is something that is often overlooked since it’s a device that does a very simple task which is printing a document for us. However, most printers these days are multifunction, meaning, you can scan, print, fax and connect to various cloud based services to retrieve and save documents. Most modern printers also allow you to print to your home printer from any Internet connection and sometimes allow this access by default when you first set up a new printer. If your printer happens to be accessible to the entire Internet and you allow files to be uploaded, an attacker could compromise your printer which would allow a foothold into your home network. This type of attack vector is much more serious for businesses that may be using their printers in this way, especially if your business requires printing and storing of sensitive or confidential information. Check out our show notes for this episode for links to articles on printer security best practices.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Aug 6, 2018 • 10min
The Shared Security Weekly Blaze – Quiet Skies TSA Surveillance Program, SIM Hijacking and the Reddit Data Breach, Sextortion Scams
This is the Shared Security Weekly Blaze for August 6, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 6, 2018 with your host, Tom Eston. In this week’s episode: The Quiet Skies TSA surveillance program, SIM hijacking and the Reddit data breach and Sextortion scams.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
If you like our weekly podcast we would really appreciate you leaving a five star review in iTunes. We’ll be sure to thank you on the show! Click the iTunes link in our show notes for this episode to leave us a review and thank you for your support!
Ever feel like you’re being followed when you’re at the airport or while on a flight recently? Well you may actually have been followed, as the Boston Globe reported last week that federal air marshals are following US citizens that are not suspected of a crime at airports and on airplanes. The previously unknown program called “Quiet Skies” has caused controversy within the Transportation Security Administration (aka: the TSA) as thousands of US citizens that are not on any watch list are being surveilled and observed to see if they violate 15 rules which are part of a checklist that air marshals need to follow. Characteristics that air marshals look for include things like: excessive fidgeting, wide-open staring eyes and even if the subject slept on the flight or went to the bathroom. According to the report, about 35 passengers are targeted every day and there are 2,000 to 3,000 federal air marshals that conduct this and other air marshal duties across airports in the United States.
What I find interesting is that federal air marshals themselves are questioning the need for the Quiet Skies program. One air marshal said to the Boston Globe “What we are doing [in Quiet Skies] is troubling and raising some serious questions as to the validity and legality of what we are doing and how we are doing it”. Groups such as the ACLU are now involved questioning if passengers’ constitutional rights are being violated by this program given that people’s race, religion or mental health may put someone under surveillance. Of course, the TSA declined to discuss the Quiet Skies program but noted that “federal air marshals leverage multiple internal and external intelligence sources in its deployment strategy”.
As many of you are hopefully aware, the TSA in the United States has come under much scrutiny over the last several years due to treatment of passengers during screening as well as the federal air marshal program itself. It should be interesting to see how this recent revelation about the previously secret “Quiet Skies” program puts more pressure on Congress to further scrutinize the activities of the TSA and the Department of Homeland Security.
Last Thursday, the popular news and social media site Reddit announced that they had a data breach. The data breach apparently happened in June and exposed some user data including current email addresses and a backup database which had usernames and hashed passwords from 2007. The attackers apparently targeted several Reddit employee accounts that were being used with Reddit’s cloud and source code providers. Reddit noted that while they did secure these employee accounts with SMS based two-factor authentication, the attackers were still able to compromise these accounts even with two-factor authentication enabled. It’s important to note that the attackers did not compromise further Reddit systems or user accounts.
This most recent data breach example further demonstrates that sites and services need to move away from using SMS based two-factor authentication and start using authenticator apps like Google Authenticator or provide methods to use a hardware token or solution such as a YubiKey. As we’ve mentioned before on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port-out scams.
SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number. In some cases the attacker may also attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they now have access to reset credentials or request SMS two-factor authentication codes for any sites that use a mobile phone number for access.
The way to help prevent this attack is to create a validation code with your mobile carrier. Depending on the mobile carrier you use this may be described as a “port validation” code but some carriers may call this a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide this to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack from happening to you. You may have to research this process on your mobile carrier’s website as each company has a different procedure for enabling this feature. Also note, you should ensure that this passcode or PIN is unique and different than any other passcode or PIN that may be in use with your mobile carrier such as the password for accessing your account for online access. Lastly, the other option if you find a site that does not allow any other form of two-factor authentication besides SMS, is to set up a free virtual phone number through a service like Google Voice and use that number to receive SMS based text messages. Check out our show notes for a link to further reading about preventing SIM hijacking attacks.
The EFF released a really good guide last week regarding what to do if you’re the victim of a sextortion scam. A sextortion scam is when a scammer will send thousands of emails to victims noting that they have your password that can be used to blackmail you. The scammer will say they have a video of you watching adult videos and will send it to your email contacts if you don’t pay a ransom in Bitcoin. The scam works because the password noted in the email may actually be a password that you’ve used or are currently using. The scammer does not get this password by hacking you or your accounts but rather through a previously disclosed data breach where your email address and password have been publicly disclosed. The scam email uses typical phishing tactics of a threat as well as the typical bad grammar which should indicate to you that this is a scam. Check out our show notes for the guide from the EFF about this scam as well as to view several email variations that might end up in your inbox. As always, be sure to use complex and unique passwords, utilize a password manager and always enable two-factor authentication on any online accounts that you use to prevent becoming a victim of a real attack.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Jul 30, 2018 • 9min
The Shared Security Weekly Blaze – Bluetooth Vulnerabilities, Malicious Apps Removed from Twitter, Gmail Confidential Mode
This is the Shared Security Weekly Blaze for July 30th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Click here to leave your review in iTunes!
Show Transcript
This is your Shared Security Weekly Blaze for July 30th 2018 with your host, Tom Eston. In this week’s episode: Bluetooth vulnerabilities, malicious apps removed from Twitter and Gmail confidential mode.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Researchers from the Israel Institute of Technology announced a critical vulnerability in Bluetooth technology which could allow an attacker, within physical proximity of the Bluetooth device, to intercept, monitor, or change the data being used by the Bluetooth device. Several vendors of Bluetooth implementations including Apple, Broadcom, Intel and Qualcomm have firmware and some software drivers that are vulnerable to this attack. The vulnerability is caused because the current Bluetooth specification recommends, but does not require, that a device supporting two specific features (called Secure Simple Pairing and LE Secure Connections) validate the public key received over the air when pairing a Bluetooth device. It’s important to note that there is no evidence that this vulnerability is being exploited in the wild and that vendors are working on patches if their implementations of Bluetooth are affected.
So what does this Bluetooth vulnerability mean for you? First, always stay up-to-date on patches for any Bluetooth device that you may be using. For this vulnerability in particular the good news is that Apple, Intel and Broadcom have already released patches. What may be more problematic is more obscure “Internet of Things” devices, which happen to use Bluetooth, that may never receive updates because they were either manufactured cheaply or were not designed with security updates in mind. This, of course, is a much larger problem that does not have an immediate solution. However, the risk here seems very low for most of us because an attacker needs to be in very close proximity of the victim.
Last week Twitter announced that it removed more than 143,000 malicious apps from their service. Twitter said that the applications were removed between April and June of this year but did not specify which apps were deleted, saying only that they removed these apps because developers have violated Twitter’s policies. Twitter stated in a blog post that “We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter”. In addition, Twitter announced a new app registration process for developers which has applicants go through a more rigorous approval process including having developers include all details on how their apps will be used and limiting the number of default apps that developers can create to 10.
This news from Twitter comes at a time where other large social networking companies like Facebook are cracking down on malicious and spammy apps. In Facebook’s case, the infamous Cambridge Analytica controversy made Facebook audit all apps that had requested user data in the past. Facebook has removed around 200 or so apps since they began this audit earlier this year. Facebook has also significantly changed its developer policies to align with better privacy data practices since the Cambridge Analytica controversy as well.
In related Facebook news, it’s worth noting that Facebook suffered its largest drop in market value to the tune of $119 billion when they announced their Q2 quarterly earnings on a call with investors last Wednesday. Facebook stated that they will be taking a “privacy first” approach with their product development which will likely have impact on future revenue growth. This news caused the biggest ever one-day loss in market value for a U.S.-listed company in the history of the US stock market. This is an interesting development as the demand for greater privacy and transparency from Facebook users doesn’t really matter when it comes to how Facebook makes money. This is a huge conflict for Facebook to deal with and it will be really interesting to see how this plays out in the coming weeks.
Google’s Gmail has been rolling out its new redesign over the last several months which includes a new feature called “confidential” mode. Confidential mode allows you to restrict how sent emails can be viewed and forwarded. Recipients of confidential mail will not be able to forward or print email designated as confidential and you even have the ability to set an expiration date so that the email can be deleted in the recipient’s mailbox. You can also require a code via a text message which can be added for additional security of the email.
While all this sounds well and good, the Electronic Frontier Foundation notes that “confidential” mode does not mean that messages are end-to-end encrypted. Google can still see the contents of your emails because, as we all know, Google makes money off using your data for targeted advertising. The EFF also noted concerns about how expiring messages could be captured by a screenshot or picture of the screen and that any expiring message sent is actually kept in your sent items folder, which is really not an expiring message at all. Our advice is that you should use a more vetted and end-to-end encrypted messaging service like Signal or ProtonMail and only use Gmail’s confidential mode for non-confidential messaging.
In other Google news, if you happen to use Google Chrome as your web browser you will now start to notice that web sites you visit, that are not using HTTPS encryption, will be noted as “Not Secure” in the URL bar of the browser. This is not a total surprise to most of us as Google announced this change was coming earlier this year. There will also be more changes coming starting with Chrome version 70 (to be released in October) in which the “Not Secure” indicator will be red and not grey like it is now.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Bluetooth Vulnerabilities, Malicious Apps Removed from Twitter, Gmail Confidential Mode appeared first on Shared Security Podcast.

Jul 26, 2018 • 40min
The Shared Security Podcast Episode 78 – Summer Camp Facial Recognition, Dark Web Dangers
This is the 78th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright recorded July 18, 2018. Listen to this episode and previous ones direct via your web browser by clicking here!
Subscribe to our new email list! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up via this link today!
In this episode Tom and Scott discuss the recent trend of using facial recognition technology at kids’ summer camps. While there are many advantages for parents looking for easier ways to see what their kids are doing at camp, the use of facial recognition technology also opens up many questions and concerns about the privacy and security of this technology, especially when it comes to our children. We also discuss the risks of using the “dark web”: what the dark web is, how you access it, what the associated risks are, and why you may not want to browse and use dark web (.onion) sites if you don’t know what you’re doing.
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voicemail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter and Instagram, and like us on Facebook. Thanks for listening!

Jul 23, 2018 • 9min
The Shared Security Weekly Blaze – Lost and Stolen Devices, Instagram and SIM Hijacking, LabCorp Security Breach
This is the Shared Security Weekly Blaze for July 23rd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for July 23rd 2018 with your host, Tom Eston. In this week’s episode: Lost and stolen devices, Instagram and SIM hijacking and the LabCorp security breach.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.
Did you know that over 26,000 electronic devices (including mobile phones, laptops and eReaders) were lost in the London transport system last year? A report released by the research firm Parliament Street showed that the majority of lost devices, to the tune of 23,000, were mobile devices, followed by laptops with approximately 1,000 devices lost. This announcement has been a wakeup call of sorts for UK businesses to ensure that there are protections in place for the data stored on lost or stolen devices. Not only does this present a business risk, but a personal privacy risk as well. I’m sure many of these devices were not protected by even very basic device security controls such as passcodes for mobile devices and full disk encryption for laptops. While 26,000 devices does seem like a lot, imagine how many devices go missing in an even larger transportation system like the one in New York City.
Physical device security is one of the most important, and easiest, security controls you can implement on your devices to avoid having your data accessed if your mobile phone or laptop is ever lost or stolen. Some of the basics for a mobile phone are to set a long, complex passcode or passphrase, ensure that the device is erased after 10 failed login attempts, and enable any GPS or location tracking so that you have a way to find your device if it’s ever lost. You’d be surprised how many people are able to find their lost device by using a feature like this. Also, for laptops, always enable full disk encryption that takes effect from the moment you power on your laptop. For Windows laptops, depending on whether you have Windows 10 Professional or not, you can enable BitLocker for full disk encryption. If you have Windows 10 Home Edition, you can use a free and open-source full disk encryption solution called VeraCrypt. macOS users should enable FileVault, which is included with all modern versions of macOS. See our show notes for links to these different full disk encryption solutions to ensure your devices are protected if they are ever lost or stolen.
Instagram is reported to be developing a more secure form of two-factor authentication by moving away from text messages to app-based solutions like Google Authenticator or Duo. As we’ve previously reported on the Weekly Blaze, SIM card “port out” scams, also known as SIM hijacking attacks, have been on the rise in just the last year or so. A SIM hijacking scam is where an attacker calls your mobile carrier and uses social engineering techniques to transfer your mobile number to another carrier, thus giving the attacker the ability to receive your SMS text messages. This access is then used to reset passwords on many popular apps like Instagram, as well as on your email service, which can in turn be used to reset still more passwords. Many celebrities and others with very valuable Instagram user names have been targets of this attack, but it can really happen to anyone, especially if you’re known to be trading bitcoin or other cryptocurrency. With the recent popularity of cryptocurrency, this attack is now financially motivated.
So what can you do to prevent becoming a victim of a SIM port out scam? First, contact your mobile carrier to ensure you have set up a PIN or passphrase on your account that is required for any request to customer support to port your number over to a new carrier. See our show notes for a great guide on how to do this. Second, consider using a virtual phone number like Google Voice for two-factor authentication on sensitive accounts like your bank or social media. We’ve also provided a link to several virtual phone number services in our show notes for you to reference. We also suggest removing your phone number, or using a virtual one, for whatever email provider you’re using. For example, Google’s Gmail gives you many different options besides a phone number for other forms of authentication. Be safe out there, and let’s all stop thinking that our phone numbers are a secure method to verify our identity or a secure means of authentication.
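To make concrete why the app-based second factor Instagram is moving toward is not affected by a SIM port out, here is an added example (not code from the podcast, Instagram, Google Authenticator or Duo) of how such codes are produced and checked. It implements HOTP (RFC 4226) and TOTP (RFC 6238): the code is an HMAC over a shared secret and the current 30-second time window, computed independently on the phone and the server, so nothing ever travels over the carrier network. The secret used below is the RFC reference secret, chosen only because its published test vectors let the output be checked; the function and parameter names, the one-window drift tolerance and the `otpauth://` label values are assumptions of this example.

```python
"""
Added example: a minimal HOTP/TOTP generator and verifier (RFC 4226 / RFC 6238),
the mechanism behind authenticator-app second factors. Unlike an SMS code, the
shared secret never leaves the phone and the server, so an attacker who ports
the victim's number receives nothing usable.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226/6238 reference secret (the ASCII bytes "12345678901234567890"),
# used so the published test vectors can verify this code. A real enrolment
# generates a random secret, e.g. secrets.token_bytes(20).
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1,
                digits: int = 6, step: int = TIME_STEP) -> bool:
    """Accept a submitted code if it matches the current window or one
    adjacent window (clock drift), comparing in constant time. The
    one-window tolerance is this example's assumption, not a standard."""
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the form authenticator apps import from a QR code.
    The secret is Base32-encoded without padding, as those apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period={TIME_STEP}")


if __name__ == "__main__":
    now = int(time.time())
    print("code for the current 30-second window:", totp(RFC_TEST_SECRET, now))
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleApp"))
```

The server-side check in `verify_totp` is where the defensive details live: the submitted value is rejected unless it is exactly six ASCII digits, the comparison uses `hmac.compare_digest` so timing does not leak how many leading digits matched, and only the immediately adjacent windows are tolerated, which bounds how long a captured code stays valid.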
Last week it was announced that LabCorp, one of the largest medical laboratories in the United States, had its network breached through what looks to be a ransomware attack. The attack prompted LabCorp to shut down its entire network while they investigated the incident. LabCorp said in a filing with the Securities and Exchange Commission that it detected suspicious activity on its network the weekend of July 14th and “immediately took certain systems offline as part of its comprehensive response to contain the activity”. The suspicious activity was apparently only detected on LabCorp Diagnostics systems. No other information has been released, but LabCorp noted that there has been no evidence of any medical data being compromised thus far in their investigation. It’s important to note that LabCorp is required to notify patients of a data breach within 60 days after an incident, so it will be interesting to see whether this does take place and what data was actually accessed, if any at all.
LabCorp provides services for over 115 million patients and processes tests for more than 2.5 million specimens per week. If patient data was compromised during this ransomware attack, it could be one of the largest healthcare breaches in history. The largest healthcare data breach to date was the Anthem Blue Cross data breach in 2015 that affected 78.8 million individuals. We’ll be keeping a close eye on this story so stay tuned for updates in future episodes of the podcast.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.


