Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

May 14, 2018 • 10min
The Shared Security Weekly Blaze – Recent Windows Vulnerabilities, Exposed Passwords, Credit Freeze Controversy
This is the Shared Security Weekly Blaze for May 14, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 14th 2018 with your host, Tom Eston. In this week’s episode: recent Windows vulnerabilities, exposed Twitter and GitHub passwords and the latest credit freeze controversy.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support!
Microsoft has recently released patches for two rather serious vulnerabilities that are currently being exploited in the wild. One vulnerability, dubbed “Double Kill”, affects the Windows VBScript engine through the Internet Explorer web browser, which impacts most modern Windows operating systems including Windows 10. The other vulnerability is described as an elevation of privilege vulnerability which only affects Windows 7 and Windows Server 2008. With the VBScript engine vulnerability, an attacker leverages a malicious Word document to exploit the flaw through the Internet Explorer web browser. The interesting aspect of this attack is that even if you don’t use Internet Explorer, and use another browser like Chrome or Firefox, you can still fall victim to this attack. This is because Internet Explorer is tightly integrated into the rest of the Windows operating system. Researchers have noted that this vulnerability in particular is looking to be one of the most exploited in the future because of the way it leverages Internet Explorer to conduct the attack. The other critical vulnerability announced is a little harder to exploit, as the attacker needs to log in to a Windows system as a regular user, then run an application to exploit the vulnerability, which would give the attacker full control of the victim’s system. Lastly to note, there were about 20 more critical updates that were part of this most recent patch release from Microsoft that are not yet known to be actively exploited.
The best way to protect yourself against these latest vulnerabilities and future ones is to ensure you’re running the most current version of Windows as well as checking that Windows Update is set to automatically download and install critical updates. See our show notes for details on where you can check to see how Windows Update on your system is configured.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Twitter and popular code repository site GitHub announced that user passwords were exposed to internal employees through an internal log due to a system-related bug. In the case of Twitter the issue is related to the hashing function that masks passwords before they are stored in their system, and in the case of GitHub they have only said that the passwords were discovered in a recent audit and no further details were given. Twitter proactively sent out a notice to all of its 330 million users to change their passwords, even though there was no evidence of misuse, as a precautionary measure. In the case of GitHub, no details were released on how many users had passwords exposed, but affected users were all contacted individually to initiate a password reset.
Kudos to both of these companies for disclosing this issue to their users. Like anything in the security world, it’s better for companies to be up front and honest than to hide or cover it up, especially when there is a chance that user security may be compromised. These two events are good reminders on why you should always use unique and complex passwords for each application and service, as well as enable two-factor authentication wherever possible. Twitter and GitHub both have two-factor authentication available and it’s really easy to set up. Two-factor authentication adds another layer that an attacker would have to get through in order to fully compromise your accounts. Check out our show notes for details on how to enable two-factor authentication on your Twitter and GitHub accounts, and if you’re on Twitter, use this opportunity to not only change your password but to change any bad password habits as well.
Brian Krebs from krebsonsecurity.com reported last week that there is yet another credit agency out there that consumers should be aware of. As we’ve mentioned on the podcast before, one of the most important things you can do to prevent identity theft is to freeze your credit by contacting the three major credit agencies Equifax, Experian and TransUnion and requesting a freeze on your credit. There are also two more bureaus you need to freeze your credit with as well. One is called Innovis, which is basically another credit bureau, and the other is called ChexSystems. ChexSystems is used by many banks to verify new customers creating checking and savings accounts. Now there is a sixth credit bureau that you need to freeze your credit with, called the National Consumer Telecommunications and Utilities Exchange or NCTUE. The NCTUE is being used by mobile phone companies, cable and other utilities instead of the traditional large credit bureaus. Hopefully you’re sitting down for this, but Brian Krebs also reported that Equifax just so happens to be the company that manages the NCTUE database. Now that news alone is very disturbing considering the recent horrible security track record that we all know about from the Equifax data breach.
Now from what has been reported it only seems that you can contact NCTUE via their automated phone system to freeze your credit file. The website system they have is really bad and seems to be the same one that Equifax uses when you attempt to freeze your credit. See our show notes for details on a walkthrough of this (unfortunately) painful process. Note that a fee may apply when freezing your credit at the different credit bureaus as this varies by the state you live in. What a mess this is, isn’t it?
Since we now have six bureaus to worry about, you may ask yourself if there is anything being done by the government to make this process easier for everyone and to hold these companies more accountable for protecting our private information. Unfortunately, not a lot of movement is going on in that area except for a few bills in Congress that don’t look very promising. However, you may want to call or write your congressperson voicing your concern about the risk we all face with identity theft because of the credit bureaus making it a painful process to protect our own private information.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Recent Windows Vulnerabilities, Exposed Passwords, Credit Freeze Controversy appeared first on Shared Security Podcast.

May 10, 2018 • 42min
The Shared Security Podcast Episode 76 – Special Guest Kevin Johnson (@secureideas), Router Hacking, GDPR, NSA Metadata
This is the 76th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guest Kevin Johnson recorded May 7, 2018. Listen to this episode direct via this link or through the media player embedded in this post!
Interview with special guest Kevin Johnson
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.
Kevin has performed a large number of trainings, briefings and presentations for both public events and internal trainings. He is the author of three SANS Institute classes: SEC542: Web Application Penetration Testing and Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. Kevin has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard and ISSA.
Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group).
In this episode we discuss a broad range of hot topics with Kevin including how big of a Star Wars fan he is, Russian router hacking, home router security, security awareness of the typical consumer, GDPR, NSA metadata, Facebook and much more! Kevin is always a fun, uncensored and very entertaining guest. We hope you enjoy this interview as much as we did!
Thanks to Kevin for being a guest on our show!
The post The Shared Security Podcast Episode 76 – Special Guest Kevin Johnson (@secureideas), Router Hacking, GDPR, NSA Metadata appeared first on Shared Security Podcast.

May 7, 2018 • 12min
The Shared Security Weekly Blaze – DNA Privacy, This Week’s Social Media Privacy News Roundup, Remote Car Hacking
This is the Shared Security Weekly Blaze for May 7, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Leave us a review! If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 7th 2018 with your host, Tom Eston. In this week’s episode: DNA Privacy, This Week’s Social Media Privacy News Roundup and Remote Car Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Shout outs this week to @PrivacyAlive, @Yohun and @TASCET on Twitter as well as Michael and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Have you thought about the privacy and security of your DNA? Well, recently it was announced that the “Golden State Killer” suspect Joseph DeAngelo was arrested and is accused of 12 homicides, 45 rapes and more than 100 robberies that took place in California from 1976 through 1989. Investigators disclosed that the arrest was due to DNA information from an open source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in the database, which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. This raises the question of whether DNA test results that anyone has submitted to an open-source database like this could be used by others for more than just criminal investigations. I think it’s fascinating that even if you don’t submit your DNA to one of these services, people that have some distant DNA relationship to you may already be in a database like this used to locate criminals.
This case has set off numerous discussions and debates to review the privacy policies of popular DNA testing companies such as 23andMe, MyHeritage and Ancestry.com. It’s important to note that all these companies require a court order for law enforcement in order to access DNA records; however, it does not stop someone from taking their own DNA records and importing them into a larger open-source database like the one used to find the Golden State Killer. In my opinion, your DNA records are extremely personal and are much more valuable than any other piece of personally identifiable information that may be out there about you. And while many different companies have sprung up recently that are in the business of building out family trees, it begs the question regarding how these companies are protecting your DNA information. Could you imagine the fallout if one of these companies like 23andMe had a data breach? Our advice is for you to determine if it’s really worth submitting your DNA to one of these services, as most likely your genetic data, through some distant relative of yours, may get caught up in an investigation or used for another purpose that you may not even be directly involved with. What a time to be alive, isn’t it?
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook and social media privacy news last week it was discovered that Twitter also sold data to Aleksandr Kogan, the researcher who happened to sell the personal information of over 87 million Facebook users to Cambridge Analytica. In Twitter’s case they sold API access to Aleksandr Kogan’s firm called GSR, which allowed access to public tweets from December 2014-April 2015. One thing to note about this is that Twitter doesn’t have very much personal information about its users (unless of course you share that information in your bio or tweets). So this data access, in my opinion, is not very significant. Twitter does sell API access to large organizations quite frequently so there shouldn’t be any surprise that corporations can pay for this level of access.
In related news, on Wednesday of last week Cambridge Analytica shut its doors and officially went out of business. This is no surprise given the massive amounts of bad press, pending investigation from the UK Information Commissioner’s Office and other legal entanglements about to happen to the company. Just be aware that this business was a “cash cow” for Cambridge Analytica so be on the lookout for them to start a new company under a different name.
Facebook was also back in the news with the announcement that they will be starting a dating service to compete with other dating apps like Tinder and Match.com. Facebook also announced that a new tool is going to be developed, called ‘Clear History’, that will allow you to clear your Facebook history (basically the websites and apps that send Facebook information) and remove tracking that Facebook does on you across the web. Mark Zuckerberg made this announcement at the F8 developer conference last week noting “Once we roll out this update, you’ll be able to see information about the apps and websites you’ve interacted with, and you’ll be able to clear this information from your account. You’ll even be able to turn off having this information stored with your account”.
Lastly, it was announced that Instagram will be expanding its antibullying efforts by introducing an enhanced ‘bully filter’. This technology is powered by machine-learning called ‘DeepText’ which was built by Facebook. Since Instagram is owned by Facebook, they share many of the same technologies across the two platforms. Instagram also stated that the new filter will hide comments attacking a person’s appearance or character, and alert Instagram to repeat offenders. It’s good to see Instagram doing something about the issue of bullying as this has been a large problem, especially for teenagers that use Instagram within their social circles.
Dutch security researchers have discovered that certain Volkswagen and Audi cars are vulnerable to remote hacking via the onboard in-vehicle “infotainment” system (also called IVI) installed in newer Volkswagen Golf GTE and Audi A3 Sportback models. The researchers used the Internet-accessible wifi system via an exposed port to gain access to the IVI, which allowed them to listen in on conversations, view location data and track where the car is in real time. The researchers also discovered that the IVI system was indirectly connected to the acceleration and braking system in the cars, but they stopped their research as they felt that they might be violating intellectual property of Volkswagen (basically, they didn’t want to get sued).
The good news is that Volkswagen worked to fix the vulnerabilities after the issues were disclosed to them and that the researchers are not planning on releasing details on how to conduct the attack. However, the bad news is that the fix requires Volkswagen customers to come into the dealer for the update. Volkswagen does not have a remote way to push security fixes to affected cars. In addition, it’s been reported that customers that own these specific models of cars have not received notification from Volkswagen and they have not publicly discussed the vulnerabilities. You may remember back in 2015 when researchers Charlie Miller and Chris Valasek demonstrated to the media how easy it was to hack and take full control of a GM Jeep Cherokee remotely over the Internet. This was actually a vulnerability in the IVI of that car as well. It’s also not the first time that Volkswagen has kept critical vulnerabilities a secret. Back in 2015 it was discovered that over 100 models of cars were vulnerable to a key fob attack which would allow criminals to steal the car. I guess what’s old is now new again!
As we’ve mentioned on the podcast before, car manufacturers need to be held more accountable for vulnerabilities like these and they need to develop a better process of working with security researchers when vulnerabilities are identified. Transparency also goes a long way with customers, especially with a critical issue like this one that could put customers’ lives in danger. I don’t know about you, but I would be pretty mad if I was a customer who owned one of these cars and found out through the media or another third party about a serious vulnerability in a product that I just spent a lot of money on. Let’s just hope that other car manufacturers are paying attention to this news so that they don’t make the same mistakes.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – DNA Privacy, This Week’s Social Media Privacy News Roundup, Remote Car Hacking appeared first on Shared Security Podcast.

Apr 30, 2018 • 12min
The Shared Security Weekly Blaze – Child Identity Fraud, Tech Support Scams, Amazon Key In-Car Delivery
This is the Shared Security Weekly Blaze for April 30, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 30th 2018 with your host, Tom Eston. In this week’s episode: Child Identity Fraud, Tech Support Scams and Amazon Key In-Car Delivery.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @jandrusk and @privacydivas on Twitter as well as itincloud and pacifictech808 on Instagram and Jason, Johann and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
A sobering report was released last Tuesday which showed that more than 1 million children in the United States were victims of identity theft last year. The study by Javelin Strategy & Research shows that in 2017 more than $2.6 billion in total losses and over $540 million in out-of-pocket costs to families are attributed to child identity fraud. What’s surprising about this study is that it showed more than half (which is 60%) of child identity fraud victims have a personal relationship with the person stealing their identity. This is in stark contrast to adults where only 7 percent of adult fraud victims know the fraudster. Also of note, there was a strong correlation between a child being bullied and identity fraud. Bullied children are more than nine times more likely to be victims of fraud than children who were not bullied.
One of the big problems this study highlights is the challenges we have with the security of credit reports. Given that there have been large breaches like Equifax which highlight how adults can have their identities stolen through the use of their credit reports, I find it disturbing that we don’t give the topic of child identity fraud more attention. Children don’t have credit reports until they are old enough to apply for credit on their own, so it’s often overlooked that if the personal information of a child is stolen, it’s much easier for a fraudster to use a fresh, unused credit history to their advantage. Also, given the fact that the fraudsters are people that know these children personally, it makes using their personal information (and credit) much easier than with adult victims.
Some signs or indicators specific to child identity fraud include the child being turned down for benefits, receiving notices from the IRS about unpaid taxes or debt collectors calling about products and other things you or your child has never purchased. If you’re a parent I would highly recommend the following advice from the FTC and others about how to secure your child’s identity, such as potentially freezing their credit, determining how they are sharing their personal information, monitoring existing accounts and keeping physical documents like birth certificates and social security cards secure and out of reach of household guests and visitors. Regarding freezing your child’s credit, this is something you should research on your own, as not all states allow this and some experts debate whether there may be more risk in opening up a credit file before your child is ready to start building their credit. Check out our show notes for links to more advice on this very important topic.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Microsoft recently released statistics on tech support scams, which have been on the rise in the last few years. Microsoft states that 153,000 reports were made from customers last year that fell victim to tech support scams, in which about 15% of those victims lost money. This is a 24% increase in tech support scam reports from the previous year. A tech support scam is typically a social engineering attack where an attacker will call a victim pretending to be Microsoft’s or another vendor’s tech support, asking them to install a remote administration tool so they can take control of the victim’s computer, show them fake threats or install malware, and then scare the victim into buying fake support packages. All of this is done in order for money to be sent to the attacker. Unfortunately, many elderly and non-tech-savvy people fall victim to these scams. This is why one of the number one ways to combat threats like these is education. While companies like Microsoft are doing all that they can to help prevent attacks like these by working with ISPs, law enforcement and telecom companies, make sure you take the time to educate yourself and others about these scams.
Here are three easy tips to remember. First, vendors like Microsoft will never solicit you via the phone for tech support on your computer. Second, be wary of random calls that seem to be coming from the same local area code that your phone number is in or from other numbers you may not recognize. In fact, our advice is to only pick up calls from people you know in your contact list. If you don’t recognize a number and it’s a call you’re expecting, they will most likely leave you a voice mail if the message is important. Also, be wary of voice mail scams in which attackers use threats to get you to call a number back or visit a website. Lastly, any threats of going to prison for non-payment (like ones we’ve seen with IRS tax scams) or other scare tactics should also indicate that you’re dealing with a scammer. Check out our show notes for a great overview of how these scams work as well as other tips to protect yourself.
How do you feel about giving Amazon access to unlock your car to deliver your order? Well, this past week Amazon announced a new service, called Amazon Key In-Car Delivery, to deliver packages directly to your car, allowing a package carrier to remotely open your trunk or car door to drop a package off. Right now Amazon Key In-Car delivery supports only General Motors brand vehicles such as Chevy, Buick and GMC, as well as Volvo, that have the OnStar or Volvo On Call service on 2015 model year or newer cars. Amazon Key delivery service is nothing new. You may remember that last year Amazon came out with a delivery service to place packages into your house by using a smart lock and camera, which would allow someone to remotely unlock your home to place a package inside. The only difference between Amazon Key In-Car and Amazon Key Home is that Amazon Key Home uses a camera and your home Wi-Fi to track the carrier dropping off your package, while the Amazon Key In-Car service does not have a camera involved and uses the car manufacturer’s network to unlock your car.
Now one can debate the privacy and security aspects of such technology and whether you want someone remotely opening up your home or car to deliver a package. This is very much an “opt-in” service and Amazon is not forcing any of its customers to use this to receive deliveries. In fact, many Amazon customers may not realize this, but Amazon has been offering what are called “lockers” in many different locations that can be used to pick up packages that you order in cases where you may not want something delivered to your home or if you may be traveling and want to pick up your order while you’re away. Amazon Locker works by emailing you a 6-digit code, and you enter the code into a locker to take your package. Personally, I think Amazon Locker is a great idea, especially if you may not be home when an expensive item may be delivered and you need a more secure pickup location, and especially since theft of packages from people’s homes is a crime that has been happening much more frequently. However, many of us probably feel a little wary of letting someone we don’t know open our car or enter our home, given that new technology like this could be abused either by someone malicious or by the technology not working as designed. In fact, last year security researchers found a vulnerability in the Amazon Key Home system which would allow someone to knock the camera offline, which would then allow a malicious delivery driver to steal or rummage through someone’s home without the camera recording the entry. But like any new technology, vulnerabilities are always going to be discovered and eventually fixed, but the privacy concerns will always be an issue for many of us that may just want to resort to getting our packages the old fashioned way.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Apr 23, 2018 • 11min
The Shared Security Weekly Blaze – Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls, Russian Router Hacking
This is the Shared Security Weekly Blaze for April 23, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 23rd 2018 with your host, Tom Eston. In this week’s episode: Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls and Russian Router Hacking.
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated.
Shout outs this week to @securityvoid, @HammerITConsult, @davegeek_ and @Yohun on Twitter as well as Tim Maliyil on Instagram and Richard, Jason and Eddie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
There was an article this past week that totally got my attention and should get yours as well, which was titled quote “Is your Android phone a ‘toxic hellstew’ of vulnerabilities?” end quote. Toxic hellstew does sound rather terrible, so if you have an Android phone you may want to pay attention to this. A study was recently released that found that your Android phone may be lying to you about critical patches that should be installed by your device manufacturer. This issue, called the ‘hidden patch gap’, was discovered by German security firm Security Research Labs. The research shows that some popular Android devices from Google, Sony, Samsung and many other brands would show that they were fully patched when in fact they were missing security patches, and in some cases up to a dozen patches from a specific time period. This means that without current security patches, these Android devices were left vulnerable to various attacks. The researchers believe that manufacturers are setting these false patch levels in an attempt to deliberately deceive consumers that their devices are secure. Device manufacturers like Google have responded to the research stating that there are other layers of security in Android devices to protect them from attack and patching is just one of those layers. Of course they did not admit to providing consumers with a false sense of security.
While patching of Android devices has always been a challenge because of the known issue of device fragmentation, where older Android devices may never get updated, patching should be of utmost importance to device manufacturers because of the rise of mobile device attacks.
So what can you do to see the real patch level of your Android device? Well, the researchers behind the ‘toxic hellstew’ patch issue released an app called ‘SnoopSnitch’ that can run a test to see the real patch level of your device. If your device ends up being fully patched once you run the app, you should be up-to-date on recent patches. If not, you may want to consider being more careful about what you click on, what apps you install and how you use your Android device until your manufacturer ‘really’ updates your phone. If you really are concerned, you may want to consider getting a different Android device from another manufacturer in the future. Check out our show notes for details on downloading the SnoopSnitch app and for a link to a FAQ about the testing results and what they mean for your device.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook news this week, Facebook officially announced that they will be introducing new privacy controls and notifications for all of its users to meet the European Union’s General Data Protection Regulation, also known as GDPR, which goes into effect in May. What this means to you is that no matter where you reside in the world you will be asked to review your privacy settings and how you choose to allow your data to be used for advertising. In addition, you’ll be asked specifically if you want to have your political, religious and relationship information stated in your profile. As I’m sure you’re well aware, this was information that was harvested in the infamous Cambridge Analytica quiz debacle several weeks ago. Users in the EU will start to see permissions screens show up when they use Facebook this week, and users in other parts of the world, including the United States, will see these screens in the near future.
One point to make about this new effort from Facebook is that even if the Cambridge Analytica controversy hadn’t happened, Facebook was planning on rolling out these revamped privacy controls and notifications either way to comply with the new GDPR regulation. Violation of GDPR rules will subject companies, worldwide, to stiff penalties if they use personal information of EU citizens without official consent, so it was always in Facebook’s best interest to comply with GDPR. I think that GDPR, while a pain for many organizations to implement, is a positive development from a privacy perspective. Let’s hope that legislators in the US who may be considering new privacy rules to implement pay close attention to what the EU is doing with GDPR.
Apparently Russian hackers have been targeting millions of home routers, corporate firewalls, switches and other widely used networking equipment, according to a joint Technical Alert issued by the Department of Homeland Security here in the US. The Technical Alert states “The FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”
Now state-sponsored hacking activity from Russia is nothing new, but this alert seems to describe very specific attacks on very common networking devices. The attacks described are also not very complex, as they go after device misconfigurations, default passwords and poor security designs, which are fairly typical, especially with cheap consumer devices like wifi routers. As we’ve discussed on the podcast before, as a consumer you need to make sure that any home wifi router or other networking equipment that you use is fully updated with the latest security patches and that any default passwords are changed.
One way to ensure that you stay up-to-date with security patches for your wifi router is to register your purchase with the device manufacturer so you get email alerts when there are new updates. We also recommend you investigate the reviews and product descriptions of any IoT (or Internet of Things) devices that you may be purchasing to see how they are updated and secured. This can be challenging because many of these cheap devices have either very few security controls or none at all, which could leave your home network vulnerable. In addition, many of us use cable modems or wifi routers (often called ‘gateways’) provided by our Internet Service Providers (or ISPs). These devices typically cannot be updated by us and we have to rely on the ISP to ensure they are properly updated and secured. It’s scary to think that your ISP may have never updated the router that they are providing you. You could call your ISP and ask them how they are securing your router, but other than that, we unfortunately have to rely on device manufacturers to design more secure devices by default, and on ourselves as consumers to be more careful about the products we buy from device manufacturers that may not be serious about the security of their products.

Apr 19, 2018 • 32min
The Shared Security Podcast Episode 75 – Cybersecurity Education with Gotham Sharma (@g0thamsharma) and Dr. Brian Krupp (@briankrupp)
This is the 75th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guests Gotham Sharma and Dr. Brian Krupp recorded April 16, 2018.
The Cybersecurity Education Episode
In this episode we’re joined by two cybersecurity educators for their perspective on the current state of education in the cybersecurity industry. This is a really important topic given the current cybersecurity skills shortage, where it’s becoming more difficult to find qualified and skilled individuals to fill cybersecurity jobs.
Gotham Sharma serves as the Managing Director of the Exeltek Consulting Group, where he manages daily operations of the New York City based cybersecurity advisory firm. Previously a Wall Street consultant for Global Technology Operations at various Fortune 500 Organizations, Gotham left financial services to consult for the nonprofit world, where he focused on youth development and STEM education. In particular, his work centered around designing Career and Technical Education (CTE) Programs for traditionally disconnected young adults. You can contact Gotham via his LinkedIn page.
Dr. Brian Krupp is an Assistant Professor in the Computer Science department at Baldwin Wallace University. He is the faculty advisor of the Mobile Privacy and Security (MOPS) research group where their current research is investigating methods to increase consumer awareness of privacy issues in smartphone and tablet applications. He is also the faculty advisor of CS+ which provides computer science opportunities for elementary to high school students through Tech Camps, school visits, and partnerships in the NEO region. You can contact Dr. Krupp via his Twitter or find out more about the classes he teaches and his work with students via his Baldwin Wallace University home page.
On this podcast we discuss if there really is a shortage of cybersecurity talent and what programs are available for young kids as well as teenagers and college students that may be interested in a cybersecurity career. We also discuss the importance of mentorship, being a good mentor as well as the need for more women, minorities and diversity in the cybersecurity industry.
Thanks to Gotham and Dr. Krupp for being guests on our show!

Apr 16, 2018 • 12min
The Shared Security Weekly Blaze – Facebook goes to Congress, More Data Breach Announcements, New Hope for Replacing Passwords
This is the Shared Security Weekly Blaze for April 16, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 16th 2018 with your host, Tom Eston.
In this week’s episode: Facebook goes to Congress, More Data Breach Announcements and a New Hope for Replacing Passwords
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @ZodMagus, @Yohun, @BNI212, @StrongArmSecure, @Borderless_i and @drheleno_ca on Twitter as well as @itincloud, @dahveezy, @grassfedmama and @simpletechla on Instagram and Johann, Richard, Julie, Jason and Stephane on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
The Facebook news continues this week with the announcement of a new tool to see if you or your friends shared personal information with Cambridge Analytica. This tool won’t tell you which of your friends took the quiz called “This Is Your Digital Life” but will just say how many of your friends may have taken the quiz. If this tool tells you that some of your friends took the quiz which allowed your data to be harvested, be sure to scold them until you find out who did it. Just kidding, but you may want to make a post about it so that your friends are aware of what they did. Also within this tool Facebook gives you a link to review the information you share with other third-party apps. So check out our show notes for the link to this tool and for more information.
In other Facebook news, Facebook confirmed recently that it uses automated tools to scan private chats within their Facebook Messenger application for malware links, child porn and other violations of its terms of service. This news was surprising to many users of the Messenger app as most people thought that these conversations were not being monitored by Facebook. Just so you’re aware, the only conversations that are not able to be monitored by Facebook are “secret” conversations which only work on the Apple iOS and Android versions of Facebook Messenger. Facebook’s secret conversation feature is actually the same end-to-end encryption protocol used by Signal, which is one of the most popular secure messaging applications that you can use. To use secret conversations you have to enable this on a per conversation basis. For details on how to do this check out our show notes. One important thing to note about Facebook secret conversations is that if the other party you’re having a private conversation with reports your conversation for something inappropriate, these messages are decrypted and sent to Facebook’s support team. Just something to be aware of if you’re using the secret conversations feature.
Last but not least, Facebook CEO Mark Zuckerberg testified to Congress last week, which included legislators from both the Senate and House of Representatives. Legislators asked Mark Zuckerberg questions about how Facebook secures user data, what type of regulations the government should put in place for Facebook, and for Mark to explain the details around the Cambridge Analytica controversy. One thing that I noted during the testimony was that these legislators really have no idea how Facebook or any social network works. It was surprising to me that Mark Zuckerberg had to explain very basic functions and features that are part of using Facebook as well as how Facebook makes revenue. For example, many legislators seemed to be unaware that Facebook has very detailed privacy controls for everything that a user can share and were confused regarding how messaging apps like WhatsApp even work. I believe one Senator even noted that the messaging application WhatsApp can be used to send email. Now I realize this is a very similar situation for those fellow gen X’ers like myself who may have a non-technical parent that may not have a clue about social media or technology.
However, if a legislator is proposing to regulate a technology that they know nothing about…we’re in for a very long and scary ride. If the US government does pursue regulation, let’s hope that they embrace or replicate common-sense privacy laws like the European Union’s GDPR privacy law which goes into effect in May. Frankly, it’s probably best that we try to keep the government as far away as possible from regulation of social media technologies.
In news not related to Facebook, but as a follow-up to last week’s news about the Saks Fifth Avenue and Panera data breaches, Delta Airlines, Sears, Best Buy and Kmart all announced a data breach that happened through a third-party chat service provider called [24]7.ai. This chat service is similar to other help desk chat systems that many companies use for customer support and in some cases allow customers to order products or services. Apparently, [24]7.ai was the victim of a malware attack within its software from September 26th through October 12th of last year. During the attack time frame, if you happened to put your credit card information in one of the online chat sessions on one of the affected companies’ web sites, like delta.com, your name, address and credit card information would have been compromised. If you were affected by this breach, stand by for your email notification and complimentary “free credit monitoring” for the next year.
These types of breaches, which involve a third-party organization, are very challenging to prevent. You may remember the Target credit card breach back in 2013 that exposed credit card information for around 70 million Target customers. That breach in particular was also conducted through a third party, which led to Target’s own systems being compromised. This recent breach is yet another wake-up call for organizations to do better vetting of their vendors and of the security of third-party software that is often used on internally owned systems.
Check out our show notes for a really good overview of the breach that Delta Airlines put together for their customers if you’re interested in learning more or if you think you’ve been affected by this data breach.
In some positive news this past week it was announced that Google, Microsoft, Mozilla and Opera have all agreed to support a new standard for web authentication called “WebAuthn”. What this means is that web developers will soon be able to develop their applications to use a more user-friendly and secure method of authentication. As you’re probably aware, passwords have always been one of the largest risks for users and businesses, in that passwords are challenging to store or manage and are always targeted in phishing attacks and disclosed through data breaches. This new standard will allow your mobile phone, the fingerprint readers already built into many PCs, facial recognition and other hardware that you use to “unlock” your device to replace passwords for website authentication. This new method of authentication is much more secure as user credentials and biometric data never leave the user’s device and are never stored on servers. There hasn’t been a timeline given yet as to when we may be able to start using this form of authentication, but many popular sites like Dropbox, PayPal, Google, Bank of America and others already support WebAuthn through a specification called FIDO which is being used for two-factor authentication on these sites already.
This is definitely great news as we may finally see passwords slowly start to go away on the sites and services that we use. Just as Apple Pay and Samsung Pay make your credit card transactions much more secure, it will be good to use a device that we’re already familiar with to authenticate to web sites as well. We’ll be providing more updates as we get them about this new form of authentication and when it will be available for all of us to start using.

Apr 9, 2018 • 12min
The Shared Security Weekly Blaze – The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service, Saks Fifth Avenue and Panera Data Breaches
This is the Shared Security Weekly Blaze for April 9, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 9th 2018 with your host, Tom Eston.
In this week’s episode: The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service and the Saks Fifth Avenue and Panera Data Breaches
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. I also have several shout outs this week to @yohun and @nevon on Twitter as well as Richard, David and Johann on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Ever since the Facebook Cambridge Analytica controversy an online movement has started to form called #DeleteFacebook. The delete Facebook movement is in response to Facebook’s recent privacy firestorm regarding the way the social network collects your personal information. I’m sure many of you have had friends or family either say they are quitting Facebook or are planning on doing so because of everything that’s been going on in the news about Facebook recently. Having said that, I wanted to quickly talk about the #DeleteFacebook movement and how it applies to what we talk about on this podcast.
When Scott and I started this podcast back in 2009 it was called the “Social Media Security” podcast and for very good reason. Social networks like Facebook were just starting to get popular and it seemed like the wild west in regards to the lack of privacy controls as well as awareness of social network security issues. As the years went on we began speaking more about social network risks and privacy issues but also how to use them safely. We soon realized that all of us were going to use social media at some point so how can we use it with some sense of balance between our privacy and the need to share information with friends and family. Education became the theme rather than “delete your accounts and never use social networks”. In fact, Scott and I make it well known that we use social networks like Facebook all the time and even promote engaging us on various social media platforms so that we can have conversations about these important topics. We strongly believe that education, through the use of social media, can make the most impact to others about privacy and security issues.
One of the taglines that the podcast developed over the years is, “we bring you stories, advice and tips to make better risk decisions because no one else can make them for you.” This tagline is what this podcast is all about and tells us that it’s your decision to use Facebook or not. Like most everything in life, there is always a risk of something. If you accept that Facebook is going to harvest your personal information, as it was designed to do, then you accept that risk. If it seems too risky and you want to delete Facebook and all other social media, that’s fine as well. However, we believe that all of us can use social networks more safely and can limit the amount and type of personal information that we share. Remember that you ultimately have control of what you post and the information you share on social networks.
Internet performance and security company Cloudflare released a new privacy-focused DNS service this past week called 1.1.1.1, which aims to solve several of the privacy issues related to using the DNS service of your Internet Service Provider (or ISP). If you’re not familiar with what DNS is and why it’s important, here’s a quick overview. DNS stands for the Domain Name System. You can think of DNS as a big directory of the Internet. Whenever you type in a website like sharedsecurity.net into your web browser, the first thing that happens is that a DNS server needs to be queried to find the IP address of that name. If we didn’t have DNS we would all have to remember IP addresses such as 69.39.236.80 to get to a website like sharedsecurity.net. With Cloudflare’s DNS service, you can use their DNS server instead of the one your ISP provides (or the ISP of the wifi you use at, say, a coffee shop).
What Cloudflare has done is build a DNS service to address two specific privacy issues related to using your ISP’s DNS service. First, because of the recent ruling by the FCC on net neutrality, ISPs like Comcast, AT&T and others can potentially sell your browsing history. Without the DNS records associated with your browsing history, it is much more difficult for an ISP to track you. Second, ISPs (especially ones in certain foreign countries) have been known to censor access to social media and other sites to prevent communication by journalists and human rights activists. By using a third-party DNS service like Cloudflare you could get around restrictions like these. However, it’s important to note that even when using a third-party DNS provider, your ISP will still know who you are by your IP address and could eventually put together the sites and services that you’re using because you’re still using your ISP’s infrastructure. The only way to fully avoid being tracked by your ISP is to use a VPN service or Tor. VPNs and Tor have their own challenges, so be sure to check out the show notes for links to previous episodes of the podcast where we discuss VPNs and Tor in more detail.
Other advantages of using Cloudflare’s DNS service include the commitment to delete all logs within 24 hours and implementing better security of the DNS protocol itself by adding the protection of encryption to all queries. In regards to the deletion of logs Cloudflare is hiring KPMG, a large consulting firm, to audit them annually to ensure they are deleting logs like they say they are. Last but not least, Cloudflare promises to speed up your browsing as they have been rated the fastest DNS service even above Google and other third-party DNS services. More speed and more security are always a good thing when using the Internet.
So how do you use Cloudflare’s new DNS service? It’s fairly simple to set up and configure on your devices and even your home wifi router so all the devices on your home network will use the Cloudflare DNS service. Check out our show notes for the walk-through Cloudflare provides for full details.
In this week’s data breach news, 5 million credit cards have been compromised from Canadian retail brands company HBC (or known as Hudson’s Bay Company). The company owns popular clothing brands Saks Fifth Avenue, Saks Off 5th and Lord & Taylor. According to a report from security firm Gemini Advisory, only a portion of the compromised cards are being offered for sale on the dark web but expects this to increase over the next several months. From a breach impact perspective it seems that all of Saks Fifth Avenue and Lord & Taylor locations had malware installed on the point of sale systems at each store which allowed the compromise of credit cards from May 2017 to now. If you used your credit card at any Saks Fifth Avenue or Lord & Taylor locations be extra vigilant about checking your credit card statements and it’s highly recommended to call your credit card issuer to obtain a new card.
In other related news, Panera Bread finally shut down a data leak of potentially millions of customer records through its website. The vulnerability was actually reported to Panera about eight months ago but wasn’t fixed until the researcher contacted famed reporter Brian Krebs from Krebsonsecurity.com, who wrote an article about the breach. Information that was easily accessed included names, emails, addresses, birthdays and the last four digits of credit card numbers from customers who have ordered food through Panera’s online ordering system. Check out the show notes if you’re interested in the gory details about the researcher and his attempts to contact Panera about the vulnerability, but this is a great example of how a company should not handle a major security vulnerability that was identified by a researcher in good faith.
Compared to the good response we saw from Under Armour with the MyFitnessPal data breach the other week, this response was extremely poor. This recent data leak from Panera shows that companies need to be more accountable for poor security and incident response practices. How can we hold companies like Panera more responsible, you may ask? Well, as a consumer you have a choice to take your business elsewhere, and you should decide if you want to buy products and services from organizations that have poor track records for security and the protection of your personal information. Until we all can agree to hit these companies where it hurts, their bottom line, we will most likely continue to see incidents like these.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service, Saks Fifth Avenue and Panera Data Breaches appeared first on Shared Security Podcast.

Apr 2, 2018 • 12min
The Shared Security Weekly Blaze – Facebook’s Privacy Firestorm, MyFitnessPal Data Breach, Ramifications of CLOUD and FOSTA
This is the Shared Security Weekly Blaze for April 2, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 2nd 2018 with your host, Tom Eston.
In this week’s episode: Facebook’s Privacy Firestorm, the MyFitnessPal Data Breach and Ramifications of the CLOUD and FOSTA Bills
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Shout outs this week to @Yohun, @zroone, @StrongArmSecure, and @CamilleEsq on Twitter as well as @vanishedvpn and @newcybersource on Instagram and Lou, Shawn, Jun, and Andrew on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Since the news broke about Facebook and the Cambridge Analytica controversy the other week, there has been a firestorm of information coming out about Facebook’s data harvesting practices, as well as new tools and information about Facebook’s privacy settings which are in response to Facebook’s recent privacy challenges. For example, Mozilla, the creator of the Firefox web browser, released a new browser extension called “Facebook Container” which lets you isolate your Facebook activity to just Facebook.com, which will limit the amount of tracking that Facebook can do while you browse the web. Keep in mind, when using a browser extension like this, any sites that you sign in to using Facebook will no longer work.
In other Facebook news, details also came out about Facebook collecting phone call metadata from Android phones that have the Facebook mobile app installed. This data included names, phone numbers and the length of each call made or received on the device. This access is given during the installation of the Facebook app, which asks for permission to read contacts from the device. The reason Facebook does this is so your contact data can be used to find and match more Facebook friends for you. Apparently older versions of Android allowed access to call and message logs in addition to contacts on your device. The issue has been fixed in newer versions of Android, but if you had the Facebook app installed before these updates were made, the Facebook app would still be able to access this data. It’s important to note that Apple iOS has never allowed apps to access call logs and other call data. So if you have an Apple iOS device, you’re safe…for now. Check out our show notes for instructions on how to remove these permissions if you have the Facebook app installed on your Android device.
Given all the news about Facebook recently, and where your data may have been collected, you may be thinking it’s time to re-evaluate your use of Facebook and to ponder the reasons why you may or may not want to continue using the social network. One tip we have to share is that you do have the ability to download all the data that Facebook has about you, so you can see for yourself what information has been collected. See our show notes for details on how you can do this, but you may be surprised to see all the data that Facebook has collected about you, especially if you’ve been a long-time user of Facebook.
In other breaking news this past week, Under Armour announced that their app MyFitnessPal was breached sometime in February of this year. This breach affects 150 million user accounts, making it the second largest data breach of consumer data in U.S. history, right behind the infamous Yahoo data breach which happened in 2016. The information compromised included usernames, email addresses and hashed passwords. While details about how the breach happened have not been released, there are a few good things to mention. First, in the breach disclosure Under Armour mentioned that bcrypt was used as the hashing function for storing passwords. Bcrypt is a much more secure method of storing passwords, so depending on how bcrypt was implemented it will be very difficult for an attacker to find out users’ passwords. Second, Under Armour announced the breach very quickly, which is far different than other similar breaches we’ve seen like the Equifax breach last year.
So what should you do if you’re a user of the MyFitnessPal app? First, change your password by going to the MyFitnessPal website. Hopefully, you’ve taken our advice from previous podcast episodes and are not using that same password on other sites and apps. If you are, you’ll need to change those passwords as well. Second, be on the lookout for phishing emails related to the breach. Whenever there are emails, names and other personal details exposed in a data breach like this one, there is always an increase in phishing emails. Be aware and always think before you click, or don’t click on anything in an email at all.
Two significant privacy-related bills, the CLOUD Act, which was snuck in and attached to the recent $1.3 trillion government spending bill, and the combined SESTA and FOSTA bill (which is now called FOSTA), were both recently passed by Congress here in the United States. Because the CLOUD Act was attached to the spending bill, it was signed into law by President Trump. The FOSTA bill is also expected to be signed.
The CLOUD Act, which stands for Clarifying Overseas Use of Data, allows foreign police to collect and wiretap people’s communications from US companies without obtaining a warrant. The Act also allows foreign nations to demand personal data stored in the U.S. without review by a judge, and allows U.S. police to grab any data, regardless of whether it’s a U.S. person’s or not and no matter where this data is stored. The bill would also allow the President to enter into what are called “executive agreements” with other governments to allow each government to access data stored in the other country without the need to follow each country’s privacy laws. The Electronic Frontier Foundation (EFF) says “This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.”
What does the CLOUD Act mean to you?
As you’re aware, we have laws in this country that protect us from warrantless searches of our property, and similar laws should apply to our digital lives as well. Many of us will use the argument that “I have nothing to hide,” so who cares if law enforcement gets my personal data. But like many investigations by law enforcement, sometimes innocent people get caught up in the trove of data that is obtained and analyzed. This data could include your data as well. Privacy is also a fundamental human right. It’s the reason we have windows and curtains on our house and private stalls in public bathrooms (well, most bathrooms anyway). There needs to be proper checks and balances within our government to conduct lawful investigations, but also to uphold this fundamental right.
FOSTA, which was also passed, attempts to stop online sex trafficking. SESTA stands for the Stop Enabling Sex Traffickers Act and FOSTA stands for the Fight Online Sex Trafficking Act. This combined bill will hold Internet Service Providers (or ISPs) liable if they intentionally facilitate sex trafficking. FOSTA will also have ramifications for sites like Backpage and Craigslist that have personals sections, which are well known for soliciting sex trafficking. In fact, Craigslist has already shut down its popular personals section, noting: “Any tool or service can be misused. We can’t take such risk without jeopardizing all our other services, so we are regretfully taking craigslist personals offline. Hopefully we can bring them back some day.” The EFF and other privacy advocates argue that ISPs are protected by Section 230 of the Communications Decency Act, which is one of the most important laws that protect free speech on the Internet. Section 230 states that ISPs and other “intermediaries” are not liable for any third-party content posted on services that they control. Without Section 230 the Internet would be a very different place, and it’s argued that companies like YouTube, Facebook and Twitter would not even exist without this provision.
I think we can all applaud the US government for trying to address the serious situation we have with sex trafficking in the US and across the world. However, the question to ask is whether laws like these will cause more harm than good. Will free speech and your privacy be stifled because of laws like FOSTA? Will more online businesses be forced to shut down because they are now held liable for content posted that they may not even know about? Only time will tell, but our advice is to support groups like the Electronic Frontier Foundation and other privacy groups that advocate and lobby for our rights to privacy. There are also more privacy tools available than ever before that you can use to help protect your communications. We’ve mentioned several of these tools on the podcast before, such as products to protect your devices like those from Silent Pocket, apps like Signal, web browsers like Tor and of course VPNs (with some caveats about logging). These are all good ways to protect your privacy in a world where it seems our fundamental rights are slowly eroding away.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Facebook’s Privacy Firestorm, MyFitnessPal Data Breach, Ramifications of CLOUD and FOSTA appeared first on Shared Security Podcast.

Mar 29, 2018 • 28min
The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac)
This is the 74th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rachel Tobac recorded March 25, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:
Interview with special guest Rachel Tobac
Rachel is the CEO & Co-founder of SocialProof Security, where she helps people and companies keep their data safe by training them on social engineering risks. Rachel also placed second two years in a row in the DEF CON hacking conference’s Social Engineering Capture the Flag contest (SECTF). In her remaining spare time, Rachel works as the Chair of the Board for the nonprofit Women in Security and Privacy (WISP), where she empowers women to lead the converging fields.
In this episode, Tom and Scott speak to Rachel about her adventures participating in the Social Engineering Capture the Flag contest at DEF CON. Rachel also discusses her thoughts on how to avoid being a victim of a social engineering attack and how more young women can get into cybersecurity and technology careers. Of course, no interview with Rachel would be complete without discussing her favorite (and least favorite) David Lynch movies as well as her book recommendations. Rachel was super fun to chat with!
On the show Tom and Rachel mentioned the call that Chris Kirsch, the winner of last year’s DEF CON SECTF, performed. Here’s the re-enactment you should definitely check out! Thanks again to Rachel for being a guest on our show!
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The post The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac) appeared first on Shared Security Podcast.