

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Mar 26, 2018 • 11min
The Shared Security Weekly Blaze – Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs, Siri Lock Screen Privacy
This is the Shared Security Weekly Blaze for March 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for March 26th 2018…with your host, Tom Eston.
In this week’s episode: Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs and Siri Lock Screen Privacy
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Shout outs this week to @StrongArmSecure, @BrotherBlarneyS and @AANaseer on Twitter as well as @newcybersource and @thebluehawaiipodcast on Instagram and David, Julie, Gary and Jason on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Several privacy-focused vulnerabilities were identified in three popular VPNs. According to research done by VPN Mentor, PureVPN, Zenmate and Hotspot Shield were all found to leak your real IP address. This vulnerability could allow an attacker to know your real location while you use the Internet, which is not the purpose of a VPN at all. Hotspot Shield and PureVPN appear to have remediated this issue but as of this podcast recording, Zenmate VPN has not fixed these vulnerabilities.
In addition, functionality was disabled in the Firefox web browser that could invade your privacy. Mozilla has disabled functionality, called the proximity API, which allows websites you visit to know how far your phone is away from your face as well as the ability to detect the ambient light levels of the room you’re in. The reason that Firefox is disabling these features is that they can be used to fingerprint or identify you to target more ads to you. In regard to the ambient light sensor, some techniques can be used to leak your browsing history in something called a browser history attack. Mozilla is disabling these features in Firefox version 62.
As we’ve mentioned on the show many times before, make sure you’re staying up to date with software updates for the apps you use, especially VPNs and your web browser. Ensuring you are applying frequent updates is one of the most important things you can do from a cybersecurity perspective.
Do you have an iPhone with Siri enabled from your lock screen? If you do, you should know that there is a new vulnerability that can allow Siri to read out messages from the lock screen even if those messages are hidden. This vulnerability allows someone to access hidden messages from many different types of third-party applications including popular secure messaging apps like Facebook Messenger, Signal and WhatsApp. The good news is that the vulnerability doesn’t apply to Apple iMessage or standard text messages. The vulnerability currently affects version 11.2.6 of iOS and Apple is aware and working on a fix.
If you are concerned that someone would be able to gain access to sensitive information in your messages you’ll need to do the following two things. First, turn off screen notifications in your settings for any sensitive applications you may be using and second, disable the feature to allow Siri to be used when your device is locked. Check out our show notes for details on where these settings are on your iOS device.
Last weekend Facebook confirmed that back in 2013 an academic researcher named Dr. Aleksandr Kogan created a Facebook app called “This is Your Digital Life” which was a personality quiz distributed through Facebook. When Facebook users took the quiz it harvested profile data from their Facebook account. About 300,000 Facebook users took the quiz, but the data of about 50 million users ended up being harvested because the app also accessed profile data of those users’ friends. In 2014, this was Facebook’s feature called “friends of friends” where apps could access your friends’ data under certain conditions. This data was then given by Kogan to a political consulting and data analytics firm called “Cambridge Analytica” which apparently has ties to US president Trump and his political campaign. According to sources, Cambridge Analytica used this data to profile 50 million people so that they could target them with political propaganda prior to the US election.
Many news articles and other sources have been stating that this was a “data breach” and that this data was effectively “stolen” from Facebook users. These statements are absolutely false because that’s not how Facebook applications work at all. Each user that took this quiz willingly installed the app and accepted that their personal data was going to be accessed. Facebook always shows you the permissions that the app is requesting and you as the user need to accept this or the app won’t be installed.
Here’s what happened with the Cambridge Analytica situation. In 2014 Facebook made changes to application privacy settings and the type of data that apps like these can harvest. Today, Facebook apps can access your friends’ data only if they too have authorized the app. Facebook also stated that the researcher did violate Facebook’s terms of service and that any data collected was not to be shared with any other third-party. In 2015, Facebook also had the app removed and required that the developer and Cambridge Analytica certify that the data was deleted. Cambridge Analytica claims that the data was never used but questions still remain if the data was actually deleted or not. This past week Facebook has said that they’ve hired a forensics firm to find this out. Some of the other fallout from this controversy is that US senators are asking for Facebook CEO Mark Zuckerberg to testify before Congress and to explain how Facebook will protect its users’ data. Last week in a Facebook post Zuckerberg said quote “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” as well as “it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Look, this is definitely a concerning issue, not because of how the data was collected, but how the data was used and the associated cover-up. However, you need to understand that collecting your personal data is what Facebook was designed to do. This is how they make money. If you don’t accept this or the other terms of their service then you simply shouldn’t use Facebook.
You should also be aware that this won’t be the first and certainly not the last Facebook application that is designed to harvest your personal information for malicious purposes. Ironically, as part of a talk that Kevin Johnson and I did at the DEF CON hacking conference in 2009, we conducted an experiment by posting a quiz on Facebook which asked for “25 Random Things About You”. These “random things” questions may seem innocent but were actually password reset questions that we pulled off of Yahoo Mail that are asked for when resetting the password for your email account. While this was just an experiment on a much smaller scale than the application used by Cambridge Analytica, it was shocking to see how many people just willingly gave personal information because it seemed like an innocent way to get to know your friends better.
For most of us, deleting our Facebook account isn’t an option. Seriously, it’s hard to do because we use Facebook for so many legitimate purposes like keeping in touch with our friends and family. So what can you do to better protect your information on Facebook?
First, stop taking all those stupid quizzes and installing or taking survey apps that you see people posting and sharing on the Facebook news feed. All of these apps and quizzes have some type of alternative motive and are sharing your data with many different third-party advertising companies like Cambridge Analytica.
Second, limit the amount of information about you that apps your friends are using can access. See the show notes for where this setting is at but note it’s pretty buried within your Facebook app settings.
Third, check to see what apps you have installed in your Facebook account and what permissions they have. You might be surprised to see how many apps can access your data, especially if you’ve been using Facebook for a long time. You’ll also want to dig down to see which apps or sites you’ve logged in to with your Facebook login and disable these sites and apps as necessary.
Lastly, you can disable your access to what Facebook calls the “Platform” which will turn off all app integrations as well as any access to sites or apps that you’ve chosen to use your Facebook login instead of their own. Be cautious if you turn off the Platform. This is like hitting the “big red button” which will make Facebook almost unusable so you may just be better off deleting your Facebook account altogether.
If you do continue to use Facebook make sure you’re staying up-to-date on your privacy settings and stay tuned for more information and news about Facebook privacy in future episodes of the podcast.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Mar 19, 2018 • 8min
The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware
This is the Shared Security Weekly Blaze for March 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for March 19th 2018 with your host, Tom Eston.
In this week’s episode: The Insecure Internet of Things, Spectre Patch Updates and Android Malware.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Shout outs this week to @Yohun, @ClarkWillClark, @drheleno_ca and @eg0sum on Twitter as well as @heath_robinson on Instagram and Tom, Shawn and Jamie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support!
A new paper called the “Secure by Design Report” from the UK government’s Department for Culture Media and Sport describes 13 new security guidelines for manufacturers of Internet of Things devices (also abbreviated as IoT). If you’ve been listening to past episodes of the podcast or have been paying attention to the news, we’ve seen a huge increase in devices such as smart watches, Internet enabled cameras and hundreds of other connected devices like coffee machines and even toasters. Yes, you can actually buy a connected toaster that you can control from your mobile phone just in case you want to really fine-tune your toasting process.
Over the last several years Internet of Things devices have been found to have many different kinds of security vulnerabilities such as being configured with default passwords, having no mechanism to be updated and the lack of features to delete private data. In fact, insecure devices like these have been hacked to steal information and can be hijacked to be used in botnets, like the Mirai botnet in 2016, that infected over 300,000 IoT devices with malware. These new guidelines aim to educate manufacturers so they can build and eventually sell secure products.
I think these guidelines are a great start to advocate good security practices for IoT device manufacturers, however, guidelines are just guidelines. Will manufacturers listen to this advice or will they continue to sell devices that are easily hackable? Unfortunately, it’s very difficult to determine if the IoT device that you’re purchasing is secure or not. From what we’ve seen in the past, many of these new IoT products are cheaply made with the purpose of getting cool technology out to the market to make a quick sale. In fact, it’s really easy to do a quick search on Amazon for pretty much any “connected” device these days to find manufacturers or sellers that no one has ever heard of.
One tip I’ve found helpful is to check reviews and comments left by owners of products that you may be interested in purchasing to find out if any security or privacy configurations are being discussed or if there are known security issues that the manufacturer is aware of and is addressing. Like these guidelines state, it’s up to the device manufacturers to bear the burden of securing their products. For us consumers we either need to accept the risk that these products may compromise our security and privacy or just not purchase these devices altogether. I mean, it’s still possible to make toast with a regular toaster and not a connected one.
Intel is almost ready to release more updated patches for the critical Spectre vulnerability that affects almost all computer processors manufactured within the last 20 years. If you have a Dell, Lenovo or HP PC you should start seeing these updates showing up through your update software within the next few weeks. Spectre and its close cousin, Meltdown, are critical hardware vulnerabilities which allow attackers to steal data that is being processed within your computer. This data could include sensitive information such as passwords, emails, photos and documents. You may remember that back in late January after releasing the original updates, Intel told PC manufacturers to stop the deployment due to random reboots and the “blue screen of death” happening after the patch was installed. These patches need to update the firmware of your PC so make sure you have your software update feature enabled and working.
Many times after we buy our PCs we automatically assume that software update applications that are installed by default are “bloatware” and we either remove or disable this software. We highly recommend you check to see if this software is running, as well as your Windows security updates, to ensure you’re receiving timely security patches for your operating system. If you would like more information on the Spectre and Meltdown vulnerabilities, check out episode 72 of the podcast where Scott and I discuss these vulnerabilities in much more detail.
Researchers from the Check Point Mobile Security Team released a report this past week about a new form of malware that was found to be installed on over 5 million Android phones called “RottenSys”. Apparently, the malware was found on several different brands of Android phones including some Samsung devices through the phone manufacturing supply chain, which is a frequent security problem for Android device manufacturers to control. The malware is disguised as a system wi-fi service app which communicates to a server that downloads the malware to the phone. Once the malicious code is installed it pushes adware to an infected device in order to generate revenue for the malware authors. If that wasn’t bad enough, the malware also has the capability to download other malicious components for accessing things like your microphone or camera and even allow the infected device to join a botnet of other infected Android phones.
As mentioned on the show previously, Android has very specific security challenges like supply chain attacks as well as a problem called “device fragmentation” where security updates for Android devices may be hit or miss depending on your device manufacturer and wireless carrier. Check out our recent Weekly Blaze podcast where we discussed Android device fragmentation in more detail. For this specific malware, be sure to check out this week’s show notes to see the list of devices affected and how to remove this malware if your device has the malware installed.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Mar 12, 2018 • 10min
The Shared Security Weekly Blaze – Malicious Healthcare Workers, New Attacks on Mobile Networks, Facebook Messenger for Kids
This is the Shared Security Weekly Blaze for March 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for March 12th 2018…with your host…Tom Eston.
In this week’s episode: Malicious Healthcare Workers, New Attacks on Mobile Networks, and Facebook Messenger for Kids
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media @karinavold, @Yohun and @securid on Twitter as well as @Itincloud and @wearethelightpodcast on Instagram and Tom, Shawn, Malcom and William on Facebook. Thanks to all of you for your support of the show!
If you go to your doctor or to the hospital, have you ever wondered if your private healthcare information is being properly protected? Well this past week there were two reports released showing that its own workforce is the biggest cybersecurity problem for the healthcare industry. According to the 2018 Protected Health Information Data Breach Report released by Verizon, 58% of data breach incidents involved insiders. Most of the breaches noted by Verizon were because of corrupt healthcare workers stealing data to commit tax fraud, opening lines of credit from patient data or by looking up personal records of celebrities and family members. Another report, based on a survey of healthcare employees from consulting firm Accenture, showed that 18% of respondents were willing to sell confidential patient data for as little as $500 or $1,000. This data could include selling your login credentials, putting your data on portable drives to be sold and installing malware on internal systems to capture confidential patient data.
I don’t know about you but reports and surveys like these are very concerning considering the fragile state of healthcare, especially here in the US. Whether it’s failed security policy oversight or lack of security controls, healthcare remains one of the number one sources for criminals to gain access to your private information for medical identity theft. This is despite having healthcare laws such as HIPAA which are supposed to enforce good security practices within the industry. Like other types of fraud we’ve talked about on the show, you need to take steps to defend against someone using your information to commit fraud or identity theft. Unfortunately, we can’t rely on others like the healthcare industry or the government to properly protect our information.
Much of the same advice we’ve given to protect against fraud, like putting a freeze on your credit and creating strong and unique passwords, also applies to the issues we’re seeing with healthcare data breaches. Some other tips specific to medical identity theft are to keep accurate records of your medical history, always review your medical statements to ensure they are accurate, be aware of fake or real calls from medical debt collectors and physically shred any healthcare related documentation containing personal information. Check out our show notes for a great guide from the Federal Trade Commission about detecting and preventing medical identity theft.
Security researchers announced several new security vulnerabilities in 4G LTE mobile networks this past week. The researchers, who are from Purdue University and the University of Iowa, said quote “Among the 10 newly detected attacks, we have verified eight of them in a real test bed with SIM cards from four major US carriers”. End quote. The researchers also noted that using publicly available software-defined radio devices as well as open source software, anyone with enough knowledge could build a tool for around $1,300 – $4,000. A fairly cheap solution for most attackers.
The vulnerabilities that were identified could be used by criminals to create spoofed locations, impersonate an existing mobile number and allow someone to create mass hysteria over a fake emergency alert sent to thousands of mobile devices all at once. You may remember a few months ago when the Hawaii Emergency Management Agency accidentally sent out an emergency alert to all mobile devices in Hawaii about an impending missile attack. Could you imagine the fallout from something like this happening on a much broader scale?
The good news is that it appears that the US carriers that were identified in the research are working to fix these vulnerabilities and the exploit code was not publicly released. There isn’t much we can do at this point but wait for the mobile carriers to fix these vulnerabilities and update their infrastructure to 5G technology which has more robust security features.
I should also note that attacks on 4G LTE are not new. Law enforcement and governments have been using devices called IMSI catchers or what are also known as stingray devices for many years now. These devices force your mobile phone to either downgrade to a less secure communication protocol or force your phone to connect to a fake cell tower where communication through voice and text messaging on your device can be intercepted and monitored. If you are concerned about sending and receiving text messages and phone calls securely you should use an application like Signal which would protect you from interception attacks like these. Check out episode 60 of the podcast for more information on Signal and other secure messaging apps.
Late last year Facebook released a new app called “Facebook Messenger Kids” which is designed for kids age 6 to 13 as a safer way for them to message friends and parents. The app includes kid friendly stickers, masks and frames which encourage using the app. Some of the safety features in the app ensure that parents have to approve who their kids are communicating with and that there is no advertising within the app itself. This past week CNBC reported that during Facebook’s testing of the Messenger Kids app last year that quote “It was hard for kids to initiate the communication” and that quote “we wanted to give them nudges to start the conversation” end quote. This news has led many critics and child-advocacy groups to say that social media use by young people may be detrimental to their mental health and that kids that young may not be ready or have the mental capacity to use social media.
It’s also important to note that last year Facebook said that they had worked with different privacy and child advocacy groups before launching the app in December. What they didn’t tell you was that many of these groups received funding from Facebook. For example, the National PTA, who coordinated roundtable discussions about the app, and New Mexico State, which conducted some of the research, all received various financial funding from Facebook. These are definitely things that make you go…hmmmm.
I’m sure you’re asking yourself why in the world would young kids need the ability to use a Facebook social messaging app? Well according to Facebook, kids are already on social media and they need to learn how to use it safely. However, many others feel that Facebook is using the Messenger Kids app to “groom” impressionable young people into getting “hooked” to Facebook so when they become older they continue to use the “adult” version of Facebook. This seems a lot like the path to an addiction, doesn’t it?
I always go back to education being the best approach when parents need to make decisions about allowing their kids to use apps like Messenger Kids. Educate yourself on the risks as well as the motives that a company may have with the apps kids are using. That means reading the terms of service and privacy policy for apps like these. If you’re a parent check out our show notes for a link to the Messenger Kids privacy policy. It’s ultimately up to you to decide, not Facebook, on what’s best for your kids.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Mar 5, 2018 • 10min
The Shared Security Weekly Blaze – Facebook Face Recognition, Private Web Browsing, Credit Card Fraud
This is the Shared Security Weekly Blaze for March 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for March 5th 2018…with your host…Tom Eston.
In this week’s episode: Facebook Face Recognition, Private Web Browsing and Credit Card Fraud
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media @securid, @WiFI_NY and @drheleno_ca on Twitter as well as Itincloud and thelaurajeans on Instagram and Tom, Lauretta, Jason, Shawn and William on Facebook. A special shout out this week also goes out to sweepa36 who left us a five star review on iTunes. Thanks to all of you for supporting the show!
If you’ve been on Facebook recently you may have seen a message in your news feed about a new feature called “Face Recognition”. This feature will analyze faces to automatically tag you in photos and videos that are posted to Facebook. Facebook says that this “feature” will find photos that you’re in but haven’t been tagged, help protect you from others using your photo and to help people with visual impairments who may be in your photo or video. You can opt out of this feature by turning it off in your Facebook privacy settings. Note, some people have reported that this feature was already set to “on” so it’s a good idea to check out your privacy settings to see if this feature is enabled or not. Check out our show notes for information on where to find this setting.
Not to be overly suspicious but you know as well as I do that this feature will eventually be used to target more ads to you or to allow Facebook more ways to gather data about your activities and monetize your personal information. What I also find ironic is that just this past week a federal judge in Illinois made a ruling about an ongoing class-action case that Facebook “must face claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent”. This decision means that Facebook could be liable for fines under Illinois law from $1,000 to $5,000 dollars each time a person’s image is used without permission. Of course Facebook is fighting this ruling but I’m sure this is not the end of more legal troubles for Facebook since the social network continues to push technology like Facial Recognition to its user base.
Did you know that when you use “private browsing” or “incognito mode” in your web browser, your browsing activities may not be so private after all? Hopefully, you’re aware that the sites you visit can be monitored and logged through your ISP, VPN provider or employer. It’s also important to know that data from a private browsing session can also be retrieved through common computer forensic techniques once someone has physical access to your computer.
Recently a group of MIT and Harvard researchers developed a solution called Veil which allows web developers to implement technology to protect data while it’s stored and processed within a private browsing session. To do this Veil uses “blinding servers” which are located in the cloud to encrypt and protect data on a website. That data then gets retrieved by your private browsing session. Essentially, this would make any data stored within your browsing session (or within computer memory) useless from a forensic perspective.
What I like about this technology is that it can add an additional layer of privacy for people, like journalists or human rights defenders, that might have their browsing history or computers targeted by say a state-sponsored government or dedicated adversary. Veil might also be the kick start of other technologies that further support protecting our private information while we browse the web. We’ll be closely following this project for sure to see how it evolves in the future.
Visa released new statistics that show there has been a 70% drop in counterfeit credit card fraud during the period from December 2015 to September 2017. Other data of note is that over 2.7 million merchant locations are now accepting chip cards which equates to 96% of all credit card transactions in the US. You may remember that chip cards started being implemented back in 2015 to replace the ancient “magnetic stripe” technology that has been used for credit cards since the 1970s. The move to chip cards was magnified because of the massive Target data breach which happened in 2013.
While a 70% drop in counterfeit credit card fraud is impressive, there is still a huge problem with what is called “card-not-present” fraud. Card not present fraud happens when your credit card information is compromised, typically through phishing, corrupt employees that work at an establishment where your card was used, online data breaches or through a phone call or other manual transaction that involved speaking or writing down your credit card number. Any time you enter your credit card number without using a physical chip reader, it’s called a “card not present” transaction.
One topic about credit cards that is always confusing is the difference between “chip and PIN” and “chip and signature” credit card transactions. Let’s break this down so you understand what this means to you. First, you need to understand the difference between a “credit” card transaction and a “debit” card transaction. A credit card transaction is charged against your credit card account (aka a line of credit) while a debit card transaction draws money from your banking account. Using a chip and PIN card you have to enter a PIN code to authorize a purchase. With a chip and signature card you simply sign for the purchase. This is the most common type of transaction that we see in the United States.
Now here is where the confusion lies. In the US most credit cards are “chip and signature” and most debit cards are “chip and PIN”. Debit cards can also be used “as a credit card” skipping the PIN entry altogether. What type of debit transaction is used at the merchants you shop at depends on the merchant because of the fees associated with using a credit or debit card. This is why one store you may shop at requires a signature for using your debit card and others require a PIN.
To make matters more confusing Apple, Samsung, and Google have added contactless payment options through your mobile phone in recent years. These types of transactions are much more secure as they use something called tokenization to protect your entire transaction which significantly reduces credit card fraud.
So as a good consumer, what can you do to prevent your credit card from being compromised? First, use a credit card wherever possible because you have no liability for fraudulent transactions on your card. If you use a debit card and it’s compromised you lose that money from your bank account and it could take weeks to get that money back. Secondly, check your credit and debit card statements on a regular basis, and set up text alerts whenever a transaction happens on your card. While banks and credit card companies say they have great fraud detection, unfortunately, it doesn’t always work. Finally, use more secure methods of payment like Apple or Samsung Pay on your mobile device, especially for online transactions if the merchant supports it. Otherwise, your best secure payment option is using the old standby…cash.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe to the podcast on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Facebook Face Recognition, Private Web Browsing, Credit Card Fraud appeared first on Shared Security Podcast.

Feb 26, 2018 • 8min
The Shared Security Weekly Blaze – AI Enabled Privacy Policies, New Android Updates, Hotel Room Inspections
This is the Shared Security Weekly Blaze for February 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for February 26th 2018…with your host…Tom Eston
In this week’s episode: AI Enabled Privacy Policies, New Android Updates and Hotel Room Inspections
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Before we jump into the news I wanted to give some shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media @Yohun, @borderless_i, @securid and @b0dach on Twitter as well as @cyberspacearmor and @silentpocket on Instagram and Andrew, Shawn and Jason on Facebook. Thank you for your support of the show!
Do you ever read the privacy notices that are found linked in super tiny text at the bottom of a web page or the “privacy notice” emails you receive for the many different services and websites that you use? If you answered no, well you’re not alone. According to studies noted by security firm Sophos, 98% of us don’t read privacy notices. According to another study, it would take a person 30 full working days to read all the privacy notices for services the average person uses. While no one has time for that, let’s not forget that most privacy notices are filled with legal language and typically very difficult to understand. We really need a better way to understand how websites and services are using our personal information.
Enter AI to the rescue! A new AI based technology called (POL-IS-IS) “Polisis” aims to visualize privacy notices through machine learning. This tool can create visual flow charts based on what is written in the notice giving users a visual idea of what type of information is being collected and what options are available to users of these services.
What I really like about Polisis is that they have thousands of privacy notices on their site that have already been analyzed. For example, you can type in Facebook.com to get analysis of their privacy notice as well as many other sites that you may frequently use. You can even submit links to other policies on the web to have them analyzed as well. Check out the show notes for the link to Polisis and if you’re interested in learning more about privacy notices be sure to check out the interview we did with Rebecca Herold, also known as the Privacy Professor, in Episode 71 of the podcast.
Have an Android phone? If you do you’ll want to upgrade to the soon to be released Android 9.0 operating system (or currently known as “Android P”) for two new privacy features that are being added. According to several news sources, the new Android operating system will prevent an app from using the camera or microphone when the app is idling in the background. Once the app becomes active, the camera and microphone are available to the app again. This feature fixes a large privacy concern about the ability of malicious apps being able to monitor you via the camera or microphone on your device.
Regarding how Android updates are handled, updates are rolled out by the manufacturer of your phone and sometimes in conjunction with your network provider so the updates can be customized to work with any features that your network provider has added. If you happen to own a newer Google device like the Pixel, you’ll get the update immediately, which is similar to how Apple releases updates to its iOS operating system.
It’s important to note that almost all Android devices have an issue with what is called “device fragmentation”. This means that if your device manufacturer and/or network provider decides to stop updating and supporting your device, you’ll never get future updates and most of these updates have patches to fix serious security vulnerabilities. Our advice is that with all the different versions of Android out there it’s important that you update your hardware, as well as your Android operating system, to keep up with security and privacy updates. Sounds like a good excuse to buy that brand new Google Pixel 2 you’ve always wanted.
How would you feel if hotel security inspected your hotel room every 24 hours, regardless of whether you have a “do not disturb” sign on your doorknob? Well Caesars Entertainment told the Associated Press last week that this new policy will be implemented soon in all of their properties to address guest security concerns due to the mass shooting at the Mandalay Bay in Las Vegas which killed 58 people last October, as well as other incidents at properties in Atlantic City where a sexual assault occurred as well as a fire at the Tropicana that was started when a guest set up an illegal meth lab in their room.
We should note that this is not a new policy for some other hotel chains. Disney, Hilton, and others have policies to check all rooms periodically for guest safety. However, it’s unclear if it’s hotel security or the room cleaning service, as part of their normal duties, doing these checks. In regards to the new policy at Caesars Entertainment properties, hotel security guards will be doing the checks.
One can debate the legal aspects of implementing a hotel policy like this and what your rights are to privacy if you’re staying in a hotel room. I’m not a lawyer nor do I play one on the podcast, but logically I go back to defining how real the threat is and what the rate of occurrence of events like mass shootings at hotels and rooms being used as illegal meth labs really are. I don’t know, perhaps meth labs are a real problem for some hotel chains. But much like airport security measures here in the US, we continue to see privacy-invading policies being implemented because it seems like the right thing to do to prevent a bad incident from happening again. Time will tell if this new policy is effective but let’s all give some thought to the necessity of these policies and the privacy we may not want to give up for the sake of security.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn and now on Spotify. If you like our podcast we would really appreciate you leaving a review in iTunes or whatever app that you use to listen to the podcast with. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – AI Enabled Privacy Policies, New Android Updates, Hotel Room Inspections appeared first on Shared Security Podcast.

Feb 19, 2018 • 8min
The Shared Security Weekly Blaze – Instagram Social Stalking, Cryptojacking, Equifax Breach Updates
This is the Shared Security Weekly Blaze for February 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for February 19th 2018…with your host…Tom Eston
In this week’s episode: Instagram Social Stalking, Cryptojacking, Equifax Breach Updates
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Ever get the feeling that a “social creeper” might be taking screen captures of your Instagram stories without your knowledge? Well this past week Instagram began testing a new feature in which a pop-up message will appear stating that “Next time you take a screenshot or screen recording, the person who posted the story will be able to see it.” This message will automatically appear when someone takes a screen capture of a story you posted. People taking screen captures of your stories will also be identified in the “seen by” list which is shown to you when you view one of your stories. Interestingly enough, the direct messages feature within Instagram as well as Snapchat have had a similar feature for quite some time. It’s important to note that in regards to Instagram direct messages, users are only notified when a screen capture is taken of a picture or video that you sent them via a direct message.
There was no timeline given on when this notification feature will be added but I think this type of notification is a good thing from a privacy and awareness perspective. But, no matter what controls are put in place to bring awareness to “social creepers”, just be aware that any notification or other control won’t be able to prevent someone from using another camera to take a picture of their device with your photos or stories on the screen. Always be mindful of what you post on any social media app and know that everything, even what you send privately, may not be so private after all.
Over the last few weeks we’ve seen an increase in what are called “cryptojacking” attacks. A cryptojacking attack is where code within a website is used to hijack your web browser and the computing power of your device to silently mine cryptocurrency while you browse and use a website. With the recent rise in popularity of Bitcoin and other types of cryptocurrencies, this attack is becoming much more popular.
In fact, just this past week, we saw thousands of websites across the world, including many government websites, being used to mine cryptocurrency. In this case, a third-party plugin called BrowseAloud (which helps blind and disabled people use websites) was compromised which allowed malicious code to be embedded in every website that had the BrowseAloud plug-in installed. This is similar to the attacks we see with ad networks being compromised and pushing malware to unsuspecting users of common web sites. However, some companies are taking a new approach of disclosing to website visitors that by accessing their site you are in fact mining cryptocurrency for them. The news site Salon is one such organization that announced last week that they’ve introduced a feature called “suppress ads” which allows users to quote “block ads by allowing Salon to use your unused computing power” end quote. This is a very ingenious way for companies to help pay for their services while reducing the barrage of ads that we all see when using the Internet because…everyone hates ads, right?
It’s interesting to note that this is not the first time an organization has tried to harvest users computing power. Last year, the infamous website “The Pirate Bay” used code within their website to hijack users computing power to mine cryptocurrency back in September. The Pirate Bay called this a “test” in that using this code in the future would be a great way to replace ads completely.
I think for most people, if a website discloses to you that it is going to harvest your computing power to eliminate ads, it’s really no big deal. However, if you’re concerned about having your web browser and computer power hijacked to mine cryptocurrency you can use a browser add-on like NoScript or ensure your ad blocker within your browser is blocking known sites used to mine cryptocurrency such as Coinhive. From a privacy perspective, we always recommend the use of a browser add-on such as an ad blocker as well as the Privacy Badger add-on, which will block third-party advertising trackers. Check out the show notes for this episode on sharedsecurity.net for links to the browser add-ons that we recommend installing.
Our final news item from the week is regarding new details that were released about the Equifax data breach and that it was far worse than we first thought. You may remember that back in September of last year the personal information of 145 million people had been exposed through one of the largest data breaches in history. It’s more than likely, if you’ve ever had a credit check done in the United States, that you’re a victim of this breach. Last year Equifax stated that information compromised included names, Social Security numbers, birth dates, credit cards as well as driver’s license numbers. Now, new information was disclosed stating that during the initial investigation tax ID numbers, email addresses, phone numbers as well as expiration dates for credit cards and additional driver’s license data (apparently the state where a driver’s license was issued) were found to have been compromised as well.
This breach and the poor communication and response from Equifax, highlights that we as consumers need to be proactive about protecting our personal information as best we can. This can be very difficult because we inherently trust third-party companies like Equifax to protect our private information. However, time and time again we see breaches like this and more of our information continues to be exposed making identity theft a real threat to all of us. So what can you do? Most importantly, put a security freeze on your credit file. Unfortunately, this is a painful process to do but is worthwhile in the long run. Be sure to check our show notes from this episode for a great article by Brian Krebs from Krebsonsecurity.com on how to go about putting a freeze on your credit.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback[aT]sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Instagram Social Stalking, Cryptojacking, Equifax Breach Updates appeared first on Shared Security Podcast.
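The BrowseAloud incident in the cryptojacking segment above is a third-party script compromise: one vendor file changed at its origin, and every site that embedded it ran the miner. The example below is added here and is not code from the podcast or from any project the episode mentions. It audits a page's script tags for two things a site owner can actually check: third-party scripts loaded without Subresource Integrity (SRI), and scripts served from hosts on a miner blocklist. The sample HTML, the vendor and CDN host names, and every blocklist entry other than coinhive.com (the miner service named in the episode) are constructed for illustration.

```python
"""Audit <script src> tags for cryptojacking exposure.

Added example for the cryptojacking segment, not code from the podcast.
The sample page and the non-coinhive blocklist entries are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist. coinhive.com is the miner named in the episode;
# the second entry is a placeholder for whatever your ad blocker lists.
MINER_HOSTS = {"coinhive.com", "miner.example-cryptojack.test"}


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def is_third_party(src, site_host):
    """A script is third-party when it is fetched from a different host.
    Relative URLs have no host and are treated as same-origin."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def audit_scripts(html, site_host):
    """Return one finding dict per risky script tag, in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = (urlparse(src).hostname or "").lower()
        if host and any(host == m or host.endswith("." + m) for m in MINER_HOSTS):
            findings.append({"src": src, "issue": "known-miner-host"})
        elif is_third_party(src, site_host) and not integrity:
            findings.append({"src": src, "issue": "third-party-without-sri"})
    return findings


def sri_hash(script_bytes):
    """SRI value (sha384, base64) for a vendor script you have reviewed.
    With this in the integrity attribute the browser refuses to execute
    the file if the bytes served later differ, which is exactly the
    BrowseAloud failure mode: a swapped script on the vendor's host."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page: a same-origin script, an accessibility plugin
# loaded without SRI, a CDN library pinned with SRI, and an injected loader
# pointing at the miner host.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://plugin.example-vendor.test/accessibility.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "www.example-site.test"):
        print(f["issue"], f["src"])
    print(sri_hash(b"console.log('reviewed vendor build');"))
```

Run against the constructed page it reports the unpinned plugin and the miner loader and stays quiet about the same-origin and SRI-pinned scripts. The trade-off worth knowing before pinning: SRI fixes the exact bytes, so a legitimate vendor update also fails to load until you refresh the hash, which is the price of not executing whatever the vendor's host serves next. A Content-Security-Policy `script-src` allowlist is the complementary server-side control, and the NoScript and ad-blocker advice in the segment above covers the same exposure from the visitor's side.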

Feb 16, 2018 • 45min
The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart Glasses
This is the 73rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded February 14, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:
The Shared Security Amazing Thing of the Month
This month we discuss why it’s important to use a password manager as well as our personal recommendations on which one to use. Tom prefers KeePass, while Scott prefers LastPass. Regardless of our preference…any password manager you choose is better than none!
Product Review: Silent Pocket Faraday Laptop Sleeve
We were recently contacted by Silent Pocket to review one of their new products, the Faraday Laptop Sleeve and they were kind enough to send Tom one. This is a great privacy and security product which will block all wireless signals from a device including cellular, WiFi, GPS, Bluetooth, RFID and NFC in all frequencies. As mentioned on the show, you don’t need to be a person that is “ultra paranoid” about their privacy to use one of these devices. In fact, in recent months there have been more attacks targeting wireless devices (many of which we’ve mentioned on the show) so products like these add a simple extra layer of protection for your devices. Specifically, if you’re someone that would be considered “high risk” for having your wireless devices targeted (i.e. government, military, journalist or human rights defender) this product is an absolute must have. Here are my observations of the Laptop Sleeve:
The sleeve is very durable and made of excellent quality material. I like how the sleeve “snaps” together and seals itself. In fact, it holds a bit of air that you have to “push” out when you seal it which demonstrates how solid the seal is.
I tested the sleeve with a mobile phone and a 15″ MacBook Pro and I was unable to connect to my phone via Bluetooth, WiFi and cellular. My cellphone quickly reconnected once I removed it from the sleeve. As Scott mentioned on the podcast, we wondered if the battery on a mobile phone would drain more quickly looking for a mobile signal while protected in the sleeve. However, according to Silent Pocket’s FAQ, this isn’t an issue.
You can use it for practically any wireless device like your car key fob or RFID enabled credit cards and passports. You could easily fit your laptop and a few other devices in the sleeve (it will be crowded and a bit tight, but it can work).
On my next business trip I’m curious to see how it goes through the airport security x-ray process.
If you’re interested in learning more about the laptop sleeve and other products you can visit silent-pocket.com for more information.
Note to other privacy product vendors: We’re happy to review your products as well! Fill out our “Contact Us” form on sharedsecurity.net or send us an email at feedback[aT]sharedsecurity.net for more information.
Intel Vaunt Smart Glasses
Oh no! Is it Google Glass all over again? Tom and Scott don’t think so and in fact, this may turn out be the next useful device.
Germany Picks on Facebook Regarding the use of Real Identities
We’ve mentioned this before on the podcast that Facebook doesn’t play nice with its users that don’t want to use their real names. Germany has something to say about that with this new court ruling. Will we finally see Facebook change this policy?
Google Chrome will show your website as “Not Secure” if you don’t move to HTTPS
Google recently announced that they will start showing non-HTTPS websites as “Not Secure” starting in July. If you have a business or own a website, best get started on purchasing an SSL certificate or get one for free through the Let’s Encrypt project. Besides, Google automatically lowers the search results for non-SSL sites and they’ve been doing this for quite some time already.
Fun Tweet from Kevin Mitnick (famous hacker)…
So I went to the Apple Genius Bar to pick up a repaired iPhone. At the same time, the guy next to me is verbally giving his username and password to the Genius helping him. After he says his credentials he goes on to say he hopes he doesn’t get hacked. Only if he knew
— Kevin Mitnick (@kevinmitnick) February 5, 2018
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The post The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart Glasses appeared first on Shared Security Podcast.

Feb 12, 2018 • 9min
The Shared Security Weekly Blaze – Tax Season Scams, SIM Hijacking, Smart TV Privacy
This is the Shared Security Weekly Blaze for February 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for February 12th 2018…with your host…Tom Eston
In this week’s episode: Tax Season Scams, SIM Hijacking and Smart TV Privacy
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
It’s tax season here in the United States and as you may already know there are three things that are certain in life: death, taxes and criminals trying to scam you out of your hard earned money. Which means it’s time to be aware of common phishing and scam tactics that may target you during this tax season.
In fact, this year (due to news of changes to the US tax code) there are now more opportunities for scammers to leverage this news to their advantage. Like any significant event that happens in the world (like natural disasters and terrorist attacks) , attackers will leverage these news events in an attempt to elicit an emotional response from you so that you either click a malicious link or submit your private and sensitive information to the scammer.
According to the SANS Internet Storm Center, recent tax related phishing emails that have been identified are asking for personal information in order to receive your tax refund. Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. These calls will typically ask for personal information or try to convince you to make a payment under the threat of being arrested. Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant this tax season and please let your elderly friends, parents or relatives know about these tax scams. Unfortunately, the elderly are common targets for these types of attacks.
Last week telecom giant T-Mobile sent out a mass text message to its entire customer base alerting them to add an additional security measure to their account. The problem? There has been a major increase in an attack called SIM hijacking or also known as a phone number port out scam.
SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number or in some cases the attacker will attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they now have access to reset credentials for banking or potentially access to any other accounts that use a mobile phone number for access.
SIM hijacking and fraudulent phone porting have become popular attacks for identity thieves as well as other criminals. This is because your mobile number is increasingly becoming the center of your digital identity in that your phone number is a unique identifier for you and is used for things like authentication to reset passwords and for two-factor access to many different types of accounts and systems.
The way to help prevent this attack is to create a validation code with your mobile carrier. T-Mobile calls this a “port validation” code but other carriers may call this a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide this to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack happening to you. You may have to research this on your mobile carrier’s website as each company has a different procedure for enabling this feature. Also note, you should ensure that this passcode or PIN is unique and different than any other passcode or PIN that may be in use with your mobile carrier such as the password for accessing your account for online access.
Our number one story is about research Consumer Reports released this past week which found that millions of smart TVs are vulnerable to hackers and that all smart TVs are collecting private data about your viewing habits. Consumer Reports conducted their own testing as part of a security and privacy evaluation of smart TVs from popular brands such as LG, Sony and Vizio. Specifically, vulnerabilities were identified in Samsung TVs along with models made by TCL and other brands that use the Roku smart TV platform. These vulnerabilities would allow an attacker to cause havoc on the victim’s TV like randomly changing the channel, muting the TV speakers or pumping up the volume unbeknownst to the user. The attacks require a victim to either download a malicious app or malicious code through a phishing or other type of social engineering attack in order to access the smart TV through the victim’s home WiFi network. To prevent this attack on TVs that are using the Roku platform you have to turn off an “external control” feature in the Roku platform settings. Roku noted in a blog post that “We want to assure our customers that there is no security risk” and disputes the Consumer Reports findings. However, it’s concerning to me that this “external control” feature is enabled by default. The other concern from the Consumer Reports research is that all smart TVs (at some level) are collecting information about users’ viewing habits.
Now these concerns are nothing new. There have been many reports over the last several years of multiple brands of smart TVs using this technology, which is called Automatic Content Recognition (or ACR), since at least 2010. With ACR technology enabled on your TV it means that your viewing habits including everything you watch and stream are being sent to and collected by a third-party. This information is valuable to the TV manufacturers and their partners so they can tailor ads and other content to your viewing habits in order to (you guessed it) make more money. In fact, last year Vizio settled with the US Federal Trade Commission for $1.5 million for collecting this kind of data without consumers’ knowledge. Since then, Vizio and other TV manufacturers have enabled privacy settings on smart TVs to disable or limit ACR technology. The bigger problem now is that ACR is being implemented in ways designed to force you to accept the ACR privacy policy or you will be unable to use any Internet enabled features like the ability to stream Netflix, Amazon and other popular streaming services. Unfortunately, as a consumer, we’re given very little choice unless we want to revert back to just having a “dumb TV”.
So how do you change the ACR and other privacy settings on your smart TV? It’s not easy, as the TV manufacturers have made this difficult to change. First, make sure your smart TV has the latest update (this is also known as a firmware update). You can usually find this in the system information menu of most TVs. Some TVs will actually update on their own so be sure to check to see if you have the latest version. Next, reset your TV back to its factory default so you can review the privacy policy as well as any prompts to change ACR settings. You can also dig down within the menu system on the TV to find this yourself as they are buried, by design.
Well that’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback@sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Tax Season Scams, SIM Hijacking, Smart TV Privacy appeared first on Shared Security Podcast.

Feb 5, 2018 • 9min
The Shared Security Weekly Blaze – License Plate Tracking, Jackpotting ATMs, Strava Global Heatmap Controversy
This is the Shared Security Weekly Blaze for February 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for February 5th 2018…with your host…Tom Eston
In this week’s episode: ICE license plate tracking database, the first Jackpotting attacks on US ATMs and the Strava global heatmap controversy.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Our number three story of the week is about ICE, the Immigration and Customs Enforcement Agency, and how they now have the ability to track billions of license plate records across the US using ALPR (Automated License Plate Recognition) technology. A company called Vigilant Systems has been putting together a database of license plate records submitted by repo agencies, local law enforcement and traffic cameras, as well as data from roving ALPR vehicles (similar to the Google Street View cars you may have seen roaming around your neighborhood). Vigilant Systems is partnering with ICE so that they can use this data in deportation and immigration control cases. Several civil liberty groups, such as the ACLU, have stated concerns that this database could be used to locate and track anyone in real time for more than just immigration issues. Even if you’re not connected to a criminal investigation, your license plate record and driving habits could be in this database. The other controversy is that Vigilant Systems entered into a private contract with ICE, which is a government agency; therefore, there was no congressional oversight and no accountability for a massive surveillance system like this in government hands.
What can you do if you’re concerned about ALPR technology and being tracked? From a legal perspective, several weeks ago the state of California introduced bill S.B. 712, which would allow drivers to cover their license plate while legally parked in order to avoid roving ALPR scans, but the bill was rejected by the California Senate just this week. No other states, to my knowledge, are proposing similar legislation. From a product perspective, there are ALPR “blockers” in the form of IR filters and special reflective coatings that can be applied to license plates in an attempt to block ALPR scans. There are many different types of products out there that are just a Google search away. Friendly disclaimer: you should research the legality of using such ALPR anti-tracking devices in your state and/or country before purchasing or using any of these products.
Our number two story this week is about the “jackpotting” attacks that are targeting ATMs in the United States. Jackpotting allows malware installed on ATM machines to shoot out money just like a Las Vegas slot machine. For some strange reason I’m reminded of the movie “Vegas Vacation”, in the scene where Clark Griswold jackpots his family bank account at the ATM. This attack, on the other hand, is no laughing matter.
In order to perform the attack, someone needs to physically access the ATM machine and install the malware via a USB port or through another interface, such as the cash dispensing or front loading slot, and eventually get the malware to infect the underlying operating system of the ATM. Brian Krebs from krebsonsecurity.com noted that most attackers, quote, “typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer,” end quote. Now, these attacks seem to require a risky amount of time to physically access the ATM, and in some cases attackers have used social engineering techniques such as dressing like an ATM technician to con their way to the ATM. It’s important to note that these attacks have focused on smaller ATMs typically located in pharmacies, gas stations and other small locations, not your local large bank ATMs. The Secret Service as well as ATM manufacturers have sent out alerts notifying owners of these attacks and how to harden and secure their ATMs from physical attack. In the meantime, if you happen to see an ATM jackpotting with money flying out…be sure to alert authorities.
The number one story this week is the controversy over the Strava worldwide heatmap release that inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. Because of this, the US military is now reviewing its policies and guidelines on fitness trackers and other wireless devices being used by military personnel. This heatmap, which shows jogging and running routes, has been available since last November, but last week on Twitter people started to dig into the details of the map and started to see some interesting patterns. If you’re not familiar with Strava, Strava is an app that allows you to sync your runs and workouts, with included GPS (geolocation) information, from popular fitness trackers like Fitbits, Apple Watches, Garmin and many others. Runners and other sports enthusiasts frequently opt in to share their running routes with people as a way to stay motivated and to build a community around their workout habits. While the intention of sharing your workout information among friends is good, and users of these apps do have some control around the privacy of the information being shared, the bigger problem is that privacy controls within apps like Strava get complicated really quickly. For example, while one privacy setting may prevent a certain group of people from seeing your information, other settings, like sharing data to a leaderboard for top times on a frequent running route, may inadvertently give someone enough information to figure out who you are. Case in point, the Washington Post recently reported on the Strava heatmap and said, quote:
“On one of the Strava sites, it is possible to click on a frequently used jogging route and see who runs the route and at what times. One Strava user demonstrated how to use the map and Google to identify by name a U.S. Army major and his running route at a base in Afghanistan.”
To Strava’s credit, they do have extensive privacy settings which can be enabled so you can limit the amount of private information others can see about you and your activities. You can even turn off sharing of any data altogether. However, you need to opt out of the default settings. The default Strava privacy settings share all your location and other personal data with other users of Strava. To make matters more confusing, to opt out of the “heatmap” of all Strava users you need to change this privacy setting on the Strava website; there is no ability to do this within the mobile app. This highlights a major problem in that privacy settings, and how you control your data on third-party apps like Strava, are confusing to the users of these apps. In fact, I would go as far as to say that it’s “confusing by design” in order for you to share as much information about yourself as possible. Keep in mind that companies like Strava and other “social sharing” apps make money off of the information you share. It’s only to their benefit that you share as much information as possible so they can make a profit. Something to think about next time you allow apps like these to use your location and other personal data.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback@sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – License Plate Tracking, Jackpotting ATMs, Strava Global Heatmap Controversy appeared first on Shared Security Podcast.

Jan 31, 2018 • 31min
The Shared Security Podcast Episode 72 – Mobile Phone Emergency SOS, Overview of Meltdown and Spectre
This is the 72nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded January 22, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:
The Shared Security Amazing Thing of the Month
(we’re not sure what to name this new segment so we’re rolling with this for now…)
Tom and Scott discuss the emergency SOS feature on your mobile device. There was a recent story in the news about a college student who was able to text message and send her location when she was being kidnapped. Even though the college student was able to find a way to text and send out her location, there are some easier and more discreet ways that you can make an emergency phone call as well as alert authorities to your location. Here are the instructions we mentioned on the show if you have an Apple iOS 11 device or on your Apple Watch. Android is not left out of the emergency notification party either! Here are details if you have an Android phone to enable or install this feature with an app.
Overview of the Meltdown and Spectre Critical Vulnerabilities
CPU hardware implementations (manufactured in the last 20 years) are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Modern processors perform speculative execution: to maximize performance, processors try to execute instructions even before it is certain that those instructions need to be executed.
The best description of these vulnerabilities is from the original website announcing these issues:
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
Spectre in particular is quite interesting from an attacker’s perspective. For example, malicious JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Software patches are starting to come out for both of these vulnerabilities, but there are reports of additional problems that the patches are causing, including impacting system performance in some cases.
Announcing the Shared Security Weekly Blaze Podcast
We’re starting a new weekly podcast which will bring you the hot security and privacy news of the week. The first episode has been released and you can still listen to the new podcast just like you do now. The idea is to give you fast and consumable security and privacy “news that you can use” in 15 minutes or less. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail. We hope you enjoy the new format!
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
The post The Shared Security Podcast Episode 72 – Mobile Phone Emergency SOS, Overview of Meltdown and Spectre appeared first on Shared Security Podcast.