Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Jul 16, 2018 • 10min

The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy

This is the Shared Security Weekly Blaze for July 16th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for July 16th 2018 with your host, Tom Eston. In this week’s episode: Polar fitness app location data exposed, blocking scam phone calls and the Samba TV privacy controversy.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

I wanted to clarify a few details about the new California Privacy Act that I discussed on the Weekly Blaze podcast last week. While this law applies only to California residents, it will most likely have broader implications for all major businesses in the US. Most major companies that deal in personal data have some California customers. That will leave those businesses with two options: either build systems and procedures to comply with California law, or treat Californians one way and every other customer another. It should be interesting to see how this plays out in the coming months before this law is made official in 2020.
Here we go again with more fitness apps exposing the location of spies and military personnel. You may remember back in February, on the second episode of the Weekly Blaze podcast, we discussed how the popular fitness app Strava inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. This information was all found through Strava’s publicly available “world-wide heatmap” of Strava users. This time around it’s fitness tracker Polar’s turn, which has an app called “Polar Flow” with a developer API that can be improperly queried. In addition to viewing the public Polar user map, the data exposed includes all user details, including GPS coordinates. Journalists from the Dutch news site De Correspondent were able to identify over 6,400 users across 69 different nationalities who have been using the Polar Flow app, and to see who they are and where they worked by using Google and LinkedIn to correlate the data. Many of these users were found to work for different government agencies, including the Dutch military. Dutch authorities have noted that this is a major problem, as there are rules that the Dutch military should not wear their uniforms in public or have other personal information exposed which could identify them, due to recent terrorist threats against military members and their families. Polar responded last week by taking its publicly available activity map offline and issuing a statement noting that all users have “opted-in” to have their private information shared, as by default all workouts are private. However, there is no word from Polar about that misconfigured developer API. The Dutch military, as well as other countries, have started banning the use of fitness trackers due to these security concerns.
Like we always mention on the show, even if you make sure your privacy settings in fitness apps like these are locked down, there may be ways, like insecure developer APIs, that could be used to pull your private data anyway. Let this issue with Polar be a reminder that you need to determine for yourself if you accept the risk of putting your personal workout data and location out there for anyone to potentially access.

Don’t you hate robocalls, telemarketers, and scammers calling our phones day in and day out? Well, Google announced last week that they are going to be adding a new feature to their phone app called “Call Screen” which will automatically screen calls from unknown and suspicious numbers. This new feature, which looks like it may launch on the Google Phone, will make suspicious callers answer one or more automated questions. The audio and a transcription of the answers are then relayed to the call recipient so they can decide if they want to answer the call or not. This feature comes on the heels of a new “warning filter” that was implemented for telemarketing calls and is now part of Google Phone. Nothing like this currently exists on Apple iOS, unless you install a third-party app such as RoboKiller, which looks for scam calls via a blacklist of known scam numbers. However, it’s good to see Google stepping up to tackle the huge problem we have with scams that are all coming through our phones. According to the most recent fraud report by the US Federal Trade Commission, 70% of all fraud that was reported to the FTC was through phone calls. This totaled around $290 million in losses for victims. Hopefully what we see Google doing to help address this huge problem will carry over to Apple and other device manufacturers as well.

Last week, two US Senators called for an investigation into the business practices of smart TV manufacturers because of recent privacy concerns about new technology that is being used to track consumers’ viewing habits.
Most recently a New York Times article called out Samba TV, which admitted that it collected viewing data from 13.5 million homes. The article questioned Samba TV’s relationship with major TV manufacturers like Sony, Sharp, and Philips. Samba TV is installed on many newer smart TVs and allows users to “Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.” What I just read to you is exactly what Samba TV users read before opting in to allow viewing habits to be tracked. What the senators have concerns with is that there is no language about how much data is collected, how the data is shared and how to opt out of being tracked. By opting into the Samba TV tracking you agree to your viewing habits being completely monitored, which can even include what video games you may play and the shows and movies you watch, and can allow tailored ads to be sent to phones and laptops that share the same internet connection as your TV. This is not the first time that a company has been in trouble for shady TV tracking practices. You may remember last year popular TV manufacturer Vizio settled with the Federal Trade Commission to the tune of $2.2 million for its collection and selling of viewing data of its users without their consent. Our advice is that if you use Samba TV or any other similar application on your TV, review your settings and opt out if tracking your viewing habits is a privacy concern to you. As the privacy debate grows stronger in the US and overseas, it’s going to get really interesting to see how manufacturers react to new government privacy regulations. As always, you have ultimate control of what data you share, including your TV viewing habits. That’s a wrap for this week’s show.
Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy appeared first on Shared Security Podcast.
Jul 9, 2018 • 9min

The Shared Security Weekly Blaze – Mobile App Data Leaks, The California Privacy Act, Third-party Gmail Access

This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for July 9th 2018 with your host, Tom Eston. In this week’s episode: Mobile app data leaks, the California privacy act, and third-party Gmail access.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Researchers from a mobile security company called Appthority have released concerning details about their research into Android and Apple iOS apps that use a cloud-based backend database called Firebase. Firebase was acquired by Google in 2014. Appthority reviewed more than 2.7 million mobile apps and discovered that around two thousand of these apps had unsecured Firebase databases. These databases were found to be wide open, allowing anyone to view around 2.6 million user names and plain text passwords, 25 million GPS location records, 50 thousand financial transactions and approximately 4.5 million user tokens for social media sites.
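The unsecured Firebase databases just described come down to a rules configuration that grants read or write access to everyone. As an added illustration (not code from Appthority, Google or the podcast), the following audits a Firebase Realtime Database rules document for paths whose ".read" or ".write" is unconditionally true, and contrasts a constructed wide-open rule set with one scoped to the authenticated user. The rule sets, the path names and the helper function names are all assumptions made for this example.

```python
"""
Audit Firebase Realtime Database security rules for world-open paths.

Added illustration, not code from Appthority, Google or the podcast. It assumes
the standard Realtime Database rules JSON shape ({"rules": {...}}) with ".read"
and ".write" keys; the sample rule sets below are constructed for this example.
"""
import json

# Constructed example: the kind of rule set that leaves a database wide open.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed example: per-user scoping; a client can only touch its own subtree,
# and only one deliberately public, read-only path is exposed.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {
            ".read": True,   # intentionally public; no ".write" at all
        }
    }
})


def _is_open(rule) -> bool:
    """A rule is open when it is literally true (boolean or the string 'true')."""
    if rule is True:
        return True
    return isinstance(rule, str) and rule.strip().lower() == "true"


def find_open_paths(rules_json: str):
    """Return (path, permission) pairs where reads or writes are unconditionally allowed."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for perm in (".read", ".write"):
            if perm in node and _is_open(node[perm]):
                findings.append((path or "/", perm))
        for key, child in node.items():
            if key.startswith("."):
                continue  # ".read", ".write", ".validate", ".indexOn" are not child paths
            walk(child, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def world_writable(rules_json: str) -> bool:
    """True when any path, including the root, accepts writes from anyone."""
    return any(perm == ".write" for _, perm in find_open_paths(rules_json))


if __name__ == "__main__":
    for name, rules in (("OPEN_RULES", OPEN_RULES), ("SCOPED_RULES", SCOPED_RULES)):
        print(name, find_open_paths(rules))
```

A finding at "/" is the worst case: Realtime Database rules cascade downward, so an open rule at the root (or any ancestor) grants access to every child path and cannot be revoked by a stricter rule deeper in the tree. The scoped rule set still reports its one public path, which is the point: every open rule should be a deliberate decision that someone can name, not a default left in place.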
In addition, over 4 million PHI (Protected Health Information) records were found containing prescription and private chat records. To add insult to injury, all that was needed to access these unsecured databases was to append a simple “/.json” to the end of a database host name. The good news is that Appthority reached out to Google to alert them of the issue, and Google was able to contact app developers to fix the issue. Ironically, in our last episode of the podcast, we discussed the Exactis data leak, which exposed 340 million records due to developers not properly securing ElasticSearch databases. Data leaks due to developers not properly securing and configuring databases seem to have reached epidemic proportions. The unfortunate side effect of data leaks like these is that if your data happened to be exposed, you may never know about it. Of course, unless your data happens to show up on a list of compromised databases like Troy Hunt’s “Have I Been Pwned” service, it’s very hard to know if criminals have accessed or used data from all these recent data leaks. Until developers and database software take a “security by default” approach and companies are held more accountable for securing our private information, data leaks like these are going to continue well into the future.

The new California Privacy Act of 2018, recently passed by the California legislature, will apply to more than 500,000 US businesses according to the International Association of Privacy Professionals (IAPP). This new law is similar to the GDPR privacy legislation that was recently enacted by the European Union. Beginning in January of 2020, all California residents will have rights to transparency about data collected, the right to be forgotten, a right to data portability and a right to opt out of having their data sold.
This law will apply to any business in California that collects personal information and to businesses that sell or disclose personal information for a specific business purpose. Ironically, some of the largest companies that use and sell personal data, such as Google and Facebook, are headquartered in California. These new rules will be enforced by the California attorney general, and businesses could face fines of up to $7,500 for each violation. This bill is currently the strongest privacy law in the United States, so it will be interesting to see if other states follow suit or if legislators start discussing a federal privacy law in line with what currently exists with the European GDPR privacy legislation.

Google confirmed last week that emails from Google’s free Gmail email service can be read by some third-party app developers. Specifically, third-party apps can request access to users’ Gmail accounts if there is particular functionality that requires email access. For example, some apps need to send and receive emails or integrate into a mail account to pull out specific data. Most of the time it’s an automated program that will access someone’s email account. While many people may not be surprised by this, especially if you’re agreeing to allow an app this type of access, what’s not clear is how developers may leverage this access to manually read people’s email. In an article from the BBC about this issue, one company noted that it will “review the emails of hundreds of users to build a new software feature”. All of this took place without asking for additional permission from the users of these email accounts or from Google. We’ve all heard the phrase “with great power comes great responsibility”, right? Well, what we seem to have here is an abuse of the power that a developer may have over great amounts of personal data.
It’s no different than the issues we see with Facebook app developers, who are already given rights, through the terms of service we all agree to, to access this data with no oversight or restrictions. We also can’t always assume that an automated program is the only thing looking at our personal data; humans will too, as it’s in our curious nature. The good news out of all this is that you can review the third-party apps that may have access to your Gmail account by visiting Google’s “Security Check-up” page. See our show notes for a link to this tool. Just a reminder that if you’re not comfortable with any of Google’s terms and conditions, regardless of third-party access, you may want to consider using a different email service that allows you more control of your privacy and is not focused on serving you ads like Google is. Keep in mind, most email services that are focused on your privacy are typically not free, since with free services, we all know that you are the product. That’s a wrap for this week’s show.

Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Mobile App Data Leaks, The California Privacy Act, Third-party Gmail Access appeared first on Shared Security Podcast.
Jul 2, 2018 • 9min

The Shared Security Weekly Blaze – New WPA3 Wireless Standard, Malicious Smartphone Batteries, Exactis Data Leak

This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for July 2nd 2018 with your host, Tom Eston. In this week’s episode: New WPA3 Wireless Standard, Malicious Smartphone Batteries and the Exactis Data Leak.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Did you know that you can now opt in to our brand new email list for the podcast? Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign up at sharedsecurity.net today.

The anxiously awaited new wireless standard, WPA3, was officially launched by the Wi-Fi Alliance last week. This new wireless standard will fix several known vulnerabilities with the previous WPA2 standard, such as the KRACK attack, which can allow an attacker to intercept and decrypt wireless network traffic.
Note that many Wi-Fi device manufacturers have already patched for the KRACK attack; however, the Wi-Fi Alliance made sure that WPA3, by default, included protection for this particular attack and other known issues with WPA2. WPA3 will have increased protection against brute-force attacks and support for something called SAE (Simultaneous Authentication of Equals), which will prevent attackers from decrypting previously captured network traffic even with a compromised Wi-Fi network password. Other new features include individualized data encryption to prevent local “Man-in-the-Middle” attacks and a feature called “Wi-Fi Easy Connect” which will allow simple and secure pairing of Internet of Things devices that don’t have a visual screen or display. This will replace “Wi-Fi Protected Setup”, also known as WPS, which has been proven to be insecure. According to the Wi-Fi Alliance, mass adoption by device manufacturers and consumers is predicted to start taking place towards the end of 2019.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox, which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Last week, security researchers showed that maliciously crafted smartphone batteries can allow an attacker to harvest sensitive information such as characters typed on the touch screen and browser history, and to detect incoming phone calls and when a photo has been taken. It’s also possible to exfiltrate that data, one bit at a time, through the web browser installed on the device. This exfiltration can take place through something called the Battery API that is available in the Google Chrome mobile browser. The Battery API was deemed a privacy issue by Apple and Mozilla, so it was removed from Safari and Firefox. While this particular attack seems pretty farfetched, this research shows the possibilities for attacks that may target mobile devices through the supply chain, especially in China where most mobile phones are manufactured. It’s not that far of a stretch when we already have malware that has been installed in hardware and other devices coming through similar supply chains for many years now. One of the researchers that discovered this issue says “The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods, nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes”. Check out our show notes if you’re interested in learning more about this attack and research.

Another large data leak was announced last week, this time exposing approximately 340 million individual records. This data leak was linked to a data aggregator and marketing firm called Exactis, which apparently was collecting names, email addresses, phone numbers, addresses and other demographic information including personal interests.
For comparison, the Equifax breach last year exposed 145 million records but also had much more sensitive data exposed, such as people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license and credit card numbers. In addition, there is proof that criminal hackers did access and steal the Equifax data. With this latest data leak it’s not known if anyone malicious actually accessed this data besides the security researcher who found the database sitting on a server accessible by anyone without restriction. The data was found by security researcher Vinny Troia, who was using the Shodan search tool to look for ElasticSearch databases that may be exposed to the Internet. ElasticSearch is a database that is frequently found by security researchers on servers that are misconfigured, allowing unrestricted access to data within the ElasticSearch database. Upon finding this data the researcher contacted the FBI as well as Exactis about his findings, and Exactis fixed the issue so that the data was no longer accessible. Huge data leaks like this one have become much more common in just the last year or so, and much of this data is found just sitting out on the Internet with the ability for anyone to access it. Many of these data leaks we’ve previously discussed on the podcast and in our social media feeds. Let’s see what the remainder of the year brings, but in the meantime, we need to continue to do all that we can to limit the amount of private information that firms like Exactis collect. That’s a wrap for this week’s show.

Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.
Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – New WPA3 Wireless Standard, Malicious Smartphone Batteries, Exactis Data Leak appeared first on Shared Security Podcast.
Jun 29, 2018 • 31min

The Shared Security Podcast Episode 77 – Personal Risk Assessments, Stingray Surveillance Devices

This is the 77th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright, recorded June 19, 2018. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

In this episode Tom and Scott discuss the concept of developing your own privacy threat model and personal risk assessment. We often discuss privacy threats and risk on the podcast, so we thought it would make sense to discuss how to put together your own threat model to determine what risk you actually face from potential threats. We define risk, in the context of the topics of this podcast, as how likely it is that a potential threat may compromise your privacy or your personal information. By threat, we mean something bad that can happen to you, like being the receiver of phishing emails, malware being installed on your computer, or even surveillance being conducted by a nation-state or ISP on your Internet activities. Here’s an example of putting risk and threat together. Let’s say you have a nice car and you park it in an area that is known for a high threat of crime and auto thefts; there is a greater risk that your car may be stolen than if it was parked in an area not known for crime and auto theft.

The first step in the personal risk assessment is to create a privacy threat model for yourself. We’re going to reference a really great framework for threat modeling put together by the EFF (The Electronic Frontier Foundation), borrowed from their helpful guides on Surveillance Self-Defense. The EFF threat model starts by having you answer the following five questions:

1. What do I want to protect?
2. Who do I want to protect it from?
3. How bad are the consequences if I fail?
4. How likely is it that I will need to protect it?
5. How much trouble am I willing to go through to try to prevent potential consequences?

The idea is to answer these questions as best as you can in preparation for an event or action that you may be taking related to your privacy. Based on your threat model you can then determine what tools and techniques are appropriate for your level of risk. This is always a personal decision! Some examples:

“I want to hide my browsing habits from third-party ad trackers or my ISP.” This scenario may be low risk to you, so you may be fine just using a VPN and privacy focused browser plugins like EFF’s Privacy Badger.

“I’m not comfortable giving Facebook my personal data.” This scenario may be more of a medium risk for you, so you may choose to delete your Facebook account or be more careful what you post.

“I’m a journalist in a foreign country reporting on human rights abuses.” This scenario is most likely high risk to you, so you should consider using a burner laptop, Tor and the Signal app for communication.

Listen to the full episode where Tom and Scott discuss other real world applications for privacy related threat modeling. We also discuss Stingray surveillance devices, which are commonly used by law enforcement and governments to intercept mobile phone communications.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 77 – Personal Risk Assessments, Stingray Surveillance Devices appeared first on Shared Security Podcast.
Jun 25, 2018 • 9min

The Shared Security Weekly Blaze – MyLobot Malware, Updates on Third-Party Location Data Sharing, Fortnite Scam Websites

This is the Shared Security Weekly Blaze for June 25, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for June 25th 2018 with your host, Tom Eston. In this week’s episode: MyLobot malware, updates on third-party location data sharing, Fortnite scam websites.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

A new serious form of malware called MyLobot (apparently named after the researcher’s pet dog) was discovered by security firm ‘Deep Instinct’. This new form of malware is quite dangerous, as it will make infected systems part of a large botnet and has the ability to install trojans and keyloggers, conduct DDoS attacks, ensure that it cannot be detected, and even run executable files from within system memory. Having executable files run from within memory is a newer technique only discovered by malware researchers in 2016, and it makes detecting this type of malware much more difficult.
Researchers have indicated that this particular form of malware is quite advanced and not the typical work of an amateur. In addition to all of this, there is an interesting delay feature which will not allow the malware to communicate with its command and control servers for approximately two weeks. This delay was put in to avoid detection by modern endpoint detection and other techniques which usually pick up malware infections like these. To top it all off, the malware will attempt to detect and disable other types of malware already installed, effectively eliminating the competition. Deep Instinct researchers indicate that this type of advanced malware is being sold on the ‘darkweb’ for purchase and that “Other than the malware itself, malware developers can purchase services that assist in the infection process. An attacker can purchase access to exploit kits, buy traffic of tens of thousands of users to a web page, or even buy a full ransomware-as-a-service for his own use”. As we’ve mentioned on the podcast before, one of the primary ways that malware can get installed on your computer is through phishing and social engineering. There are, of course, other ways, such as drive-by downloads from malicious ads and compromised web sites hosting malicious code. Besides being more aware of phishing and social engineering, you can help defend your computer by keeping your system patched and up-to-date, as well as by using ad blocking web browser plugins like uBlock Origin and web tracker prevention plugins like EFF’s Privacy Badger. Check out our show notes for details on where to download and how to install these plugins.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox, which is a software appliance built for NIST-compliant management of all types of information security incidents.
CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. This week I wanted to provide an update on the previous news we mentioned on the podcast a few weeks ago regarding how the major wireless carriers were selling your real-time location data to various third-party companies. Just this past week Verizon, AT&T and Sprint announced that they will no longer share customer location data with third-party data aggregators like one particular company we discussed on the podcast called ‘LocationSmart’. This change was most likely due to the investigation conducted by Senator Ron Wyden who sent a letter to Verizon questioning the reason behind allowing real-time location data to be sent to shady third-party companies. In addition, on Friday the EFF announced that in a new ruling the United States Supreme Court said that cell phone location data is protected by the Fourth Amendment. The Court also rejected the government’s argument that sensitive data held by third-parties is automatically devoid of constitutional protection. Ironically on Friday, I received a privacy notice update from my wireless carrier, AT&T, noting that because of the merger with WarnerMedia (previously known as Time Warner), data sharing was now taking place between both companies. In reading this revised privacy policy, I noted that you can now “opt-out” of location sharing either from each individual third-party or through the AT&T privacy settings on your account.
I’m not sure if this is a new feature due to recent controversy about third-party location data sharing, GDPR or perhaps it’s always been there. However, we highly recommend researching this setting on your own through your mobile carrier’s website and opting out if you don’t want to have your location data shared with third-parties. Do you or your kids play Fortnite? If so, you should be aware of scam websites that are capitalizing on the huge popularity of the game, targeting young players to steal money and login credentials. The creators of Fortnite, Epic Games, are warning that many scam websites are offering free or heavily discounted virtual currency called V-Bucks. V-Bucks is the virtual currency that’s used within the Fortnite game. In April alone it’s estimated that players have spent $296 million on this virtual currency. In response to this recent rise in scams, Epic Games sent an email to players stating quote “Beware of scam sites offering things like free or discounted V-Bucks. The only official websites for Fortnite are epicgames.com and fortnite.com” end quote. Epic Games also noted that players should double check to ensure they are using the real Epic Games website when purchasing V-Bucks and that they also enable two-factor authentication on their Fortnite accounts. As mentioned before on the podcast, it’s highly recommended to enable two-factor authentication wherever possible. Unfortunately, many companies have two-factor authentication as an optional feature that you have to specifically enable. Be sure to take the time to find out if the games and services you use have two-factor authentication and enable this service to add an additional layer of security to your accounts. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates.
If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – MyLobot Malware, Updates on Third-Party Location Data Sharing, Fortnite Scam Websites appeared first on Shared Security Podcast.
Jun 18, 2018 • 9min

The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested

This is the Shared Security Weekly Blaze for June 18, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 18, 2018 with your host, Tom Eston. In this week’s episode: Ultrasonic Hard Drive Attacks, Dangerous USB Devices and Email Fraudsters Arrested. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Researchers from Princeton and Purdue University have shown how sonic and ultrasonic signals, which are not able to be heard by a human, can be used to physically damage computer hard drives by using the computer’s own speaker or by using a speaker that is near the device. In their research they demonstrated how this vulnerability could be leveraged to attack hard drives in CCTV (Closed-Circuit Television) systems as well as desktop and laptop computers. In their experiments, they were able to cause errors in just 5-8 seconds on hard drives from Seagate, Toshiba and Western Digital. 
In one particular experiment on a Dell XPS laptop, they were able to cause the laptop to freeze and crash within seconds after a malicious file was played over the laptop’s built-in speaker. It’s crazy to think that an audio file can be a new attack vector that may start being leveraged by attackers. The good news is that the researchers indicated that these vulnerabilities could be remediated through firmware updates provided by the hard drive manufacturers, so not all is lost. I’m sure the threat of this happening to most people is very low, however, I suspect that a nation state or dedicated adversary could easily take this research and ‘weaponize’ it to target specific individuals in order to destroy incriminating information. Two groups most likely targeted could be journalists and human rights defenders. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. This week was a historic one for US President Donald Trump and North Korea’s leader Kim Jong-un as they met face to face in Singapore during their very first summit together. However, what happened behind the scenes may have been more interesting.
You see, journalists attending the summit were given very special commemorative gift bags which had a guidebook, water bottle, a trial to a newspaper and a fan that plugs into a USB port on your computer. Wait, did you say a USB fan that plugs into your computer? Now we all know that you shouldn’t plug random, untrusted USB devices into your computer, right? Not to mention that these USB devices are from a foreign country and we’re talking about the United States and North Korea leadership all in the same area together…what could possibly go wrong? In the show notes we’ve linked to a funny but not so funny article showing the tweets that many security researchers posted about this mysterious USB fan. Even if you have nothing to do with this summit, the advice from us and other professionals is to never put a USB device from a conference or other non-trusted source like this in your computer. There have been many reports of devices like these being infected with malware and given that this is a historic summit with probably spies all over the place, the risk of something nefarious being installed on these devices is definitely increased. Stay safe and be aware of what you’re plugging into your computer! I guess law enforcement finally got that Nigerian prince they were looking for because this past Monday the US Justice Department reported that 74 people (including 42 in the US and 29 in Nigeria, probably not princes) were arrested for participating in and organizing business email compromise schemes (also known as BEC schemes) which were used to steal money from thousands of individuals and businesses. In addition, authorities confiscated about $2.4 million and recovered about $14 million in fraudulent wire transfers. This was all part of something called “Operation Wire Wire” which was a six-month investigation that involved many different US government agencies including the US Department of Homeland Security.
In a BEC scheme a fraudster will target specific individuals in an organization, such as finance or accounting employees, because they usually have access to make wire transfers. The fraudsters social engineer victims into giving them sensitive information, or pretend to be a trusted co-worker or manager asking the victim to complete an urgent wire transfer. It’s reported that BEC scams cost victims more than $3.7 billion according to the Internet Crime Complaint Center. We definitely have to give some kudos to the US Justice Department here. This is a positive change from the typical government surveillance news that we discuss on this podcast, right? These scams are so prevalent that I’ll bet you or someone you know has either been a target of a scam like this or even a victim. As we always say on the podcast, stay vigilant for scams like these and never respond to emails from that elusive Nigerian prince. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested appeared first on Shared Security Podcast.
Jun 11, 2018 • 10min

The Shared Security Weekly Blaze – MyHeritage Data Breach, Facebook’s Data Sharing Partnership, Apple iOS 12 and macOS Updates

This is the Shared Security Weekly Blaze for June 11, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 11th 2018 with your host, Tom Eston. In this week’s episode: MyHeritage data breach, Facebook’s data sharing partnership and Apple iOS 12 and macOS updates. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. MyHeritage, the DNA and ancestry service, announced a large data breach this past week which exposed the email addresses and hashed passwords of approximately 92 million customers. Apparently, a file containing this data was found on a private server by a security researcher who reported it to the Information Security team at MyHeritage. Customers affected include anyone that signed up for an account previous to October 26, 2017. Regarding how user passwords are being stored, MyHeritage stated that “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. 
This means that anyone gaining access to the hashed passwords does not have the actual passwords”. No further details were provided on how the file was found or why it was on a private server to begin with. Other than the typical advice of “change your password” and the announcement that MyHeritage will be implementing two-factor authentication in the near future for added account protection, MyHeritage does not suspect that any IT systems were compromised in the breach. My take on this situation is that it sounds to me like a developer or other internal employee posted this file either in error or there may be the possibility that a disgruntled employee may have maliciously posted the file. We may never find out what really happened here but I do find it ironic that just a few short weeks ago we had discussed the impact of an ancestry company that holds the DNA records of millions of people having a data breach. I’m also surprised that MyHeritage is finally implementing two-factor authentication given that this type of account protection has been the standard for many years now. Like our other advice discussed on the podcast, we can’t rely on third-party companies to keep our personal data secure. You need to decide if you want to risk your data being exposed, either by accident or through a compromise, by choosing the companies you want to supply your personal information to. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. 
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. Facebook is in the news once again, this time for its data-partnership with 60 companies including Amazon, Apple, BlackBerry, Samsung and several Chinese companies such as Huawei. Huawei was identified as a threat to US national security by government officials which makes this partnership a little bit more interesting. Access to Facebook data was given to these companies as early as 2011 so they could tightly integrate Facebook into their devices. This was a feature implemented before the Facebook app became the most popular way to access Facebook on a mobile device. This type of data access allows devices to pull Facebook data so that they can provide a Facebook-like experience. For example, BlackBerry used Facebook data for an app called the “Hub” which lets BlackBerry users view messages and all social media accounts in one place. Last week, a New York Times investigation found that the data access given to device manufacturers included data about a user’s friends and even those who have “denied Facebook permission to share information with any third parties”. This data access also seems to bypass several access restrictions typically in place for developers and can even access data such as ‘friends of friends’ that Facebook has previously restricted. Device manufacturers that were involved with this partnership have stated that Facebook data retrieved was only stored on the user’s device and not on the servers of the device manufacturers. How does one know this for sure?
Well, we don’t, but I find it very hard to believe that some of these companies, especially ones with ties to the Chinese government, would not be abusing this feature. Unfortunately, Facebook has only recently been trying to hold developers and companies with access to Facebook data more accountable, mainly because of the Cambridge Analytica scandal. You may have also noticed that since the Cambridge Analytica scandal Facebook has tried to “rebrand” itself as a friend-focused app and not a fake news or data harvesting service through TV commercials and targeted friendly ads on Facebook. As you’re aware, you and your data will always be the product at Facebook no matter what Mark Zuckerberg or their new marketing campaign may tell you. It comes down to making money and that’s ultimately what Facebook will always use your data for. Apple has announced details about new privacy and security features coming out for iOS 12 and macOS Mojave at the Worldwide Developers Conference this past week. Some of these new features include improved tracking prevention capabilities for the Safari browser, end-to-end encryption for FaceTime group calls and a new password manager integrated into macOS and iOS. Specifically for macOS Mojave there are new data protections that will require apps to ask for user permission before accessing the camera or microphone or before accessing email or iMessage databases. In addition, there is a new USB Restricted Mode in iOS 12 which will prevent a locked iOS device from communicating with a USB port via the Lightning connector. Your passcode will still need to be entered at least once a week to allow USB connectivity. This measure was implemented to help prevent or make it more difficult for law enforcement and others from trying to break the passcode on an iOS device.
This is typically done using forensic tools like Grayshift and Cellebrite which are known to be used by law enforcement and nation states to gain access to confiscated iOS devices. Many of these new privacy and security features in macOS for Apple laptops and desktops are starting to mirror what has been available in iOS on mobile devices for quite a while now. This is a positive development as it seems Apple has really started to become the leader in user privacy controls out of the major tech companies like Google, Amazon and especially Facebook. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – MyHeritage Data Breach, Facebook’s Data Sharing Partnership, Apple iOS 12 and macOS Updates appeared first on Shared Security Podcast.
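The MyHeritage statement in the episode above describes per-user salted one-way password hashing ("the hash key differs for each customer"). The following is an added illustration of that technique, not code from the podcast or from MyHeritage, whose actual scheme is not described beyond that sentence. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt length and record format are assumptions chosen for the example.

```python
"""Per-user salted password hashing (added example, not MyHeritage's code).

Each user gets a random salt stored next to the hash, so two users who chose
the same password end up with different stored records. A leaked file of such
records cannot be attacked with one precomputed table for every user at once;
each record has to be attacked separately and slowly (PBKDF2 iterations).
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example only (not from the breach notice).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn per call (i.e. per user) unless one is
    supplied explicitly; the record format here is an assumption.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "%s$%d$%s$%s" % (ALGO, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time, so the check leaks no timing info."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """Demonstrate why the per-user salt matters: the same password hashed
    for two users yields two different records, yet both still verify."""
    record_user_a = hash_password(password)
    record_user_b = hash_password(password)
    return (
        record_user_a != record_user_b
        and verify_password(password, record_user_a)
        and verify_password(password, record_user_b)
    )


if __name__ == "__main__":
    # Constructed sample input; nothing here comes from the breach.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("wrong password", rec))
    print("salt differs per user:", same_password_different_records("hunter2"))
```

Because the salt is stored in the clear alongside the hash, leaking the file does reveal it; what the salt buys is that an attacker must run the slow PBKDF2 loop once per candidate password per user rather than once per candidate password for the whole file.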
Jun 4, 2018 • 10min

The Shared Security Weekly Blaze – Telegram Messenger in Russia, Amazon’s Facial Recognition Technology, Digital License Plates

This is the Shared Security Weekly Blaze for June 4, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 4th 2018 with your host, Tom Eston. In this week’s episode: Telegram Messenger in Russia, Amazon’s Facial Recognition Technology and Digital License Plates. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. The Russian communications agency has given Apple an ultimatum to remove Telegram, which is a secure messaging app, from the Apple App Store in Russia. Several months ago the Russian government banned the Telegram app because Telegram refused to give them the private encryption keys to access messages being sent through the app.
Russia claims that terrorists are using the Telegram app and is demanding what is essentially backdoor access to chats for government investigations and surveillance. Apple now has a month to comply with this request or face regulatory action from the Russian government. It’s also being reported that the same request also went out to Google to ban Telegram from the Google Play app store as well. Now despite this request Telegram is still being actively used by Russian citizens through the use of VPNs which allow circumvention of any blocking of Telegram servers that the Russian government is actively doing. This news reminds me of the controversy back in 2016 here in the US regarding the iPhone of the San Bernardino shooter in which the FBI asked Apple to unlock the shooter’s iPhone for their investigation. Like the Telegram situation, it’s a very dangerous proposal when governments begin asking companies to install backdoors or to do things that circumvent built-in security and privacy controls. This is a debate that will be continuing for sure; in the meantime it’s important that we all support the need to protect our own privacy by keeping encryption and other security technologies built into the devices and apps that we use. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization.
For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. Amazon is in the news recently about a cloud-based facial recognition technology they’ve developed called “Rekognition”. Rekognition can identify approximately 100 people in a single image leveraging databases containing the faces of millions of people. The controversy is that Amazon has been offering this service to law enforcement agencies and it’s already being used by the Orlando Police Department and a Sheriff’s office in Oregon, which adds to the growing list of surveillance technology now in the hands of local government. In the case of the Orlando Police Department, Amazon actually gave this technology to them for free as a proof-of-concept. In a blog post written by the American Civil Liberties Union, they express great concern since this is a case of the government partnering up with a large tech company to provide the latest surveillance technology. The ACLU states: “With Rekognition, a government can now build a system to automate the identification and tracking of anyone. If police body cameras, for example, were outfitted with facial recognition, devices intended for officer transparency and accountability would further transform into surveillance machines aimed at the public. With this technology, police would be able to determine who attends protests. ICE could seek to continuously monitor immigrants as they embark on new lives. Cities might routinely track their own residents, whether they have reason to suspect criminal activity or not.” We’re clearly on a slippery slope when it comes to using this type of advanced surveillance technology. While one can clearly see the good that can be done to track known terrorists or criminals about to commit a crime, we all know that technology like this will have problems and innocent people may get caught up in crimes that they didn’t commit.
There is also the large possibility of this technology being abused with little or no oversight and accountability. I’m sure this is not the last we’re going to hear about this story and it’s just the tip of the iceberg when it comes to ensuring a balance between providing law enforcement with what they need to stop criminals but also keeping our freedoms intact. How would you feel about installing an Internet-enabled digital license plate on your car that gave you the ability to electronically register your vehicle or display personal messages on your license plate? Have you thought about the side effect of allowing the government to not only track if your vehicle is stolen but to know where your vehicle is located at all times? Well even if you were interested, this technology is not cheap. The state of California is considering allowing these plates to be purchased by vehicle owners but you’re looking at around $699 not including installation fees to have this technology installed on your vehicle. Now these plates are only being tested in a limited capacity in Sacramento, California but if all goes well digital license plate technology will no doubt be adopted by other states as well. As we’ve discussed in previous episodes, we already have police using license plate recognition technology to scan cars in parking lots. This technology alone has caused many privacy concerns and further given the government more surveillance capability. However, now that Internet-enabled license plates have started to come out, what level of privacy should we expect and how will this technology be secured? If the current insecurity of IoT devices gives any indication of what the future looks like, the future doesn’t look so bright. Let’s hope that privacy advocacy groups push governments and the device manufacturers to consider our privacy and security first before they are installed and being used on all our vehicles. That’s a wrap for this week’s show.
Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Telegram Messenger in Russia, Amazon’s Facial Recognition Technology, Digital License Plates appeared first on Shared Security Podcast.
May 28, 2018 • 12min

The Shared Security Weekly Blaze – Real-time Location Tracking, VPNFilter Router Malware, Apple’s GDPR Updates

This is the Shared Security Weekly Blaze for May 28, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for May 28th 2018 with your host, Tom Eston. In this week’s episode: Real-time Location Tracking, VPNFilter Router Malware and Apple’s GDPR Updates. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. How valuable is your real-time location? For many of us, it’s a very scary thought to think that someone may have access to easily track your whereabouts in real-time with no permission from you or little or no recourse for their actions. 
Well for mobile phone carriers your location means more profit for them because they have been selling access to real-time location data to different third-party companies. In late breaking news the other week a company called LocationSmart, which is a real-time data aggregator of mobile phone location data, has been able to access the real-time location of every phone from every major US carrier (that includes AT&T, Sprint, T-Mobile and Verizon) without user consent. A researcher named Robert Xiao who is from Carnegie Mellon University was messing around with a web demo of the LocationSmart application and found that he could query the real-time location of some of his friends through a vulnerability in the API of the application. The LocationSmart demo app was not taken down until famed reporter Brian Krebs from KrebsSecurity.com got involved and reported on the issue. This is also not the first time that we’ve recently seen real-time location data from the mobile carriers being used suspiciously. Back in early May, a company called Securus was identified through a New York Times article that was about a former sheriff who was using location data through the Securus service to track people without a warrant or user consent. To add further insult to injury, a hacker broke into Securus systems and stole 2,800 usernames, emails and hashed passwords of Securus customers. Ironically, Securus gets its location data from, you guessed it, LocationSmart. You also shouldn’t be surprised that these are probably not the only two companies that have access to real-time location data. You can bet that many other organizations, including criminals and nation states, are also using services from similar companies. This entire situation brings into question what mobile phone carriers are doing with our location data.
Of course they need to monitor, track and record your location otherwise your phone wouldn’t work and it would defeat the purpose of having a mobile phone altogether. However, it comes as a surprise that the carriers are blatantly giving your location data to third-party aggregators which in turn is giving this to other companies who work for law enforcement and the government. Seems to me that this is a great way for mobile carriers to make money off of your location data and for law enforcement to “bypass” a warrant and other user privacy protections. It’s also sad that you as the consumer of these mobile services have no control on how your location data is shared with third-parties. Especially since we all advocate to change and lock down location sharing features on your devices and apps as a way to prevent third-parties from receiving this information. With the carriers selling off your location information it makes these settings pretty much useless. Your best course of action to prevent a third-party from tracking you is to use a Faraday Bag like ones from our sponsor, Silent Pocket, which prevent all wireless signals and makes your device completely secure while in the Faraday bag (well except for physical theft of course). The good news is that this situation has gotten the attention of Senator Ron Wyden who has urged all of the main wireless carriers in the US as well as the FCC to take action and do something about this. Given the current state of politics in the US though, it’s anyone’s guess if something will be done to hold wireless carriers more accountable. More to come on this topic for sure and we’ll be following this closely and providing updates in future episodes. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? 
If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. Last week research was released, from researchers at Cisco Talos, about a large botnet spreading malware  named “VPNFilter”. The VPNFilter malware has compromised over 500,000 home and small office wifi routers and NAS storage devices. This particular piece of malware is much different than other similar forms of router malware in that it can maintain persistence on the device once fully installed, even after a reboot. Like other similar types of malware, VPNFilter can spy on web traffic and has the ability to “brick” and completely disable the device from functioning. Cisco Talos researchers also indicate that the VPNFilter malware appears to be targeting routers in the Ukraine. Now one can only guess that a certain large nation state we all know and love is probably behind this recent attack.  Check out our show notes to see the full list of affected devices.  If you review this list you’ll note that several of these routers are very popular consumer devices manufactured by Netgear, Linksys and TP-Link. The way that these devices are being infected include using default login credentials and accessing the device via the remote management feature. 
As we’ve mentioned on the podcast just a few weeks ago when discussing the recent Department of Homeland Security alert about Russian router hacking; default credentials and the ability to access devices remotely over the Internet are the two biggest attack vectors being used. In regards to the VPNFilter malware, if you think you may be a victim of this attack, it’s best to reboot your router and then change the default administration password and disable any remote management ability over the Internet. Hopefully, you’ve already taken our advice from previous episodes and made these changes already. Also be sure to update your router to its latest firmware as your router may have critical security updates that need to be applied. Especially with older routers, these devices will most likely not update themselves with any auto update feature we see in newer home wifi routers. Be safe out there and be sure to take a few minutes to check the security of your wifi router using the guide posted in the episode show notes on sharedsecurity.net. Apple has taken recent steps to allow its European Union customers to download all of the personal data that Apple has been storing on them. This new feature was launched right before the GDPR European privacy law went into effect last Friday. GDPR is new privacy legislation that requires companies that do business with EU citizens to properly protect, store and allow users to manage or delete the personal data that a company may be storing about them. GDPR also has wide implications to even non-EU citizens as many companies have implemented GDPR privacy changes for all their users. Now that we’re past the GDPR deadline last Friday, I’m sure you’ve had a flurry of “privacy notice” emails so now is a great time to unsubscribe from any service or delete apps that you don’t use anymore. 
With this recent announcement, Apple customers in the European Union can now select the personal data that they would like to download and Apple will put it all together and have it delivered to the requester within 7 days.  This data can include information on support cases, app store activity as well as a lot of other data that Apple has records of. Check out our show notes for the full list of data that is available to download. Note that countries such as the United States and Canada should see this feature launched in coming weeks. In the meantime, Apple will allow non-EU citizens to request their personal data or delete it via Apple’s privacy site which has more of a manual process for privacy questions. Kudos to Apple for being one of the few tech giants that appear to be addressing GDPR so that it has a positive effect on all customers, not just those located in the EU. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Real-time Location Tracking, VPNFilter Router Malware, Apple’s GDPR Updates appeared first on Shared Security Podcast.
May 21, 2018 • 11min

The Shared Security Weekly Blaze – Efail Vulnerabilities and PGP Encryption, Facebook’s App Investigation, Nest Password Notifications

This is the Shared Security Weekly Blaze for May 21, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for May 21st 2018 with your host, Tom Eston. In this week’s episode: Efail vulnerabilities and PGP encryption, Facebook’s app investigation and Nest password notifications.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support!

Multiple vulnerabilities dubbed “Efail” were announced by European security researchers in several popular email clients that make it possible for attackers to view the plaintext of email messages encrypted with the PGP (also known as Pretty Good Privacy) and S/MIME encryption standards. Email, as you’re hopefully aware, is not encrypted by default. This is often referred to as “plaintext” email. PGP and S/MIME have been the standard for email encryption for many years now and are used by many people and businesses to secure email communication. The Efail vulnerabilities allow an attacker to embed previously obtained encrypted text into a new email and also include a web URL of the attacker’s server. When the email is sent to the victim, the email client decrypts the email like normal but inadvertently sends the plaintext of the previously encrypted email to the attacker’s server. The issue lies in the way vulnerable email clients decrypt encrypted email.

One very important point to make is that PGP and S/MIME encryption is not broken. While it may not be a modern encryption solution, it’s still a viable and secure method to safeguard sensitive emails and other information such as documents and files. This particular issue is about vulnerable email clients, not the encryption protocol itself. Organizations such as the EFF have advised disabling PGP and S/MIME within your email clients as a temporary solution until fixes for the email clients identified as vulnerable are released. You can still encrypt and decrypt emails outside of your email client if you’re already using PGP. However, the disabling of encryption software should be based on your own level of risk vs. just turning off encryption safeguards altogether. For example, if you are a human rights activist who knows your email communication is being monitored by, say, a nation-state, there may be much more risk to you of being a victim of this attack, because it’s more than likely that all of your encrypted email communications have already been collected. If you are at this level of risk, you absolutely should take heed and disable PGP in your email client and perform encryption and decryption through other means. You should also consider using other secure end-to-end encryption services like Signal to send sensitive messages. If you’re a low risk PGP or S/MIME user, you should determine if you have a vulnerable email client and ensure you update when patches are released. Check out our show notes for details on what email clients are vulnerable and for more details about the Efail vulnerabilities.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox, which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.

In Facebook news this week, an ongoing investigation by Facebook into apps that have had access to large amounts of personal information continues. Facebook provided an update stating that the investigation process is in two phases. The first phase is to review all apps that have had access to large amounts of data, and the second is to conduct interviews, ask more detailed questions and even perform on-site audits of companies if necessary. Currently, Facebook has reviewed thousands of apps and around 200 have been suspended. Once they complete an investigation, if any of these apps are banned, Facebook will notify affected users through the same process they used for the Cambridge Analytica situation, by showing users if they or their friends installed a banned app. Hopefully, you or your friends are not notified that you shared personal information with one of these newly banned apps.

In related Facebook news, the personal data of about 4 million users that took yet another personality quiz, this one called “myPersonality”, was found unsecured due to a developer posting a username and password on the popular code sharing site GitHub. These credentials allowed direct access to the data. The kicker is that this username and password was publicly available on GitHub for four years before it was recently identified. Fortunately, unlike the personality quiz data used by Cambridge Analytica, this data only included personal information of the people that took the quiz, not the data of their friends. I think that it’s a positive development that Facebook is finally taking a stronger stance on Facebook app developers and attempting to hold them more accountable. The bigger problem here is that no matter what Facebook does, it is near impossible to ensure that developers are properly securing the data that they are collecting. And that means not posting login credentials on publicly available sites that are a simple Google search away from this data falling into the wrong hands.

Nest (which is the Google-owned company of Internet-enabled thermostats) sent out an email notification to users that had their Nest account passwords found in leaked password databases. It’s not known what specific databases were used by Nest, but it may be from a service such as Troy Hunt’s “Have I Been Pwned” service, which will notify you if your user accounts and password show up in their database of over half a billion passwords that are collected from previous data breaches. Nest apparently took its list of hashed user account passwords and compared it to ones that have been previously disclosed. So, if you received this email it may not mean that someone has accessed your Nest account; rather, it means that you should change your Nest password immediately and also change it on any sites and services where you may have used that same password. Hopefully as a listener of this podcast you know better than to reuse the same password across multiple sites and services. Check out our previous episode on password managers if you would like more details.

I really commend Nest for being proactive by notifying affected users about the security of their accounts. Nest also went so far as to let users know how to enable two-factor authentication on their accounts as an additional layer of protection. We need to see more companies doing this, because ensuring users are following good password management not only protects their own users but it sets the precedent for other companies to do the same thing. I’d also argue that it’s good for business too. The password problem is not going away anytime soon, but the more education that can be done like this recent example from Nest, the better off we’ll all be.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Efail Vulnerabilities and PGP Encryption, Facebook’s App Investigation, Nest Password Notifications appeared first on Shared Security Podcast.
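The check the Nest segment describes, as an added example that is not the show's or Nest's code: a constructed breach corpus is indexed by SHA-1 hash prefix the way Have I Been Pwned's Pwned Passwords range API works (k-anonymity: the client only ever discloses the first five hex characters of the hash and matches the suffix locally), and a small policy function decides whether an account should be forced to reset. The passwords and counts in the corpus are constructed, not real breach data; `range_lookup` stands in for the remote service so the example runs offline.

```python
"""Breached-password check using the k-anonymity prefix scheme.

The client never sends the full hash: it sends a 5-hex-char SHA-1
prefix, receives every breached suffix in that range, and compares
locally. Constructed data throughout; not Nest's or HIBP's code.
"""
import hashlib

# Constructed breach corpus: commonly reused passwords with made-up
# counts standing in for how often each appeared in public dumps.
_CONSTRUCTED_BREACHED = {
    "password": 3_730_471,
    "123456": 23_547_453,
    "qwerty": 3_912_816,
    "letmein": 1_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index the corpus as the service would: prefix -> {suffix: count}."""
    index: dict = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


_RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Stand-in for the remote range endpoint (assumption: offline model).

    Given a 5-hex-char prefix, return 'SUFFIX:COUNT' lines for every
    breached hash in that range. The service learns only the prefix.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    rows = _RANGE_INDEX.get(prefix, {})
    return "\n".join(f"{sfx}:{cnt}" for sfx, cnt in sorted(rows.items()))


def pwned_count(password: str) -> int:
    """Client side: query by prefix, match the suffix locally.

    Returns the breach count, or 0 when the password is not in the corpus.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        sfx, _, cnt = line.partition(":")
        if sfx == suffix:
            return int(cnt)
    return 0


def should_force_reset(password: str, threshold: int = 1) -> bool:
    """Policy a service could apply: force a reset once the password shows
    up in breach data at least `threshold` times."""
    return pwned_count(password) >= threshold


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, pwned_count(pw), should_force_reset(pw))
```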
