Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Mar 18, 2016 • 41min

The Shared Security Podcast Episode 52 – Creepy New Social Network, Phishing Dangers, Ransomware

This is the 52nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright. This episode was recorded March 9, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Unexpected implications arising from the Internet of Things

This was an interesting article about some of the “unexpected” security and privacy things that people don’t really think about. For example, what are the ramifications of IoT technology that might be hacked to create fake sensor and video data for criminal activity? What happens to the security budgets of organizations that need to address these new risks? It’s an interesting time to be in this space. -Tom

Peer-Seeking Webcam Reveals the Security Dangers of Internet Things

This is just one example, but like other new IoT-related technology, data is being sent to multiple third parties and peer networks are being created, all without your knowledge. What makes this webcam interesting is that disabling the peer sharing capability doesn’t actually disable anything. How many other devices like this have the same issue? -Tom

Follower: the “creepiest social network” that follows you in real life

Just when you thought the traditional social networks we use were sometimes creepy, here comes “Follower”. Follower is a social network that allows you to have real people follow you around and take pictures of your activities, all without you knowing where your “follower” is. If you’re looking for a real-life stalker, this might be the social network you’re looking for. -Tom

Payroll data leaked for current, former Snapchat employees

Two recent breaches highlight the need for more education about targeted phishing attacks. Both Snapchat and Seagate fell victim to a very similar phishing attack targeting payroll information. The attack was very simple and also very easy to spot if you know the signs of an attack like this. -Tom

The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You

Ransomware has been around for a while, but now we’re starting to see the next evolution of this type of malware…where it talks back to you. Give this article a read if you want to know more about how this malware works and what to do if your computer is infected with it. -Tom

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 52 – Creepy New Social Network, Phishing Dangers, Ransomware appeared first on Shared Security Podcast.
Feb 19, 2016 • 45min

The Shared Security Podcast Episode 51 – Online Behavioral Advertising in Canada, Toy Security, Dangerous Apps for Teens

This is the 51st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special interview guest Andrew Patrick from the Office of the Privacy Commissioner (OPC) of Canada. This episode was recorded February 10, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Online Behavioral Advertising – An interview with Andrew Patrick from the Office of the Privacy Commissioner (OPC) of Canada

Today, Scott had a great discussion with Andrew Patrick regarding OBA, or what some listeners might know as “Tracking Ads”. We discussed why the OPC has an interest in OBA, and how it relates to Canadian privacy legislation. We also looked at one of the recent cases of OBA that the OPC was involved in, where a person complained that sensitive health information from searches and web surfing over time was being used to present ads for products to them across many different websites, many of which were not related in any way to the ads being served.

Here are some interesting and related articles from the OPC regarding OBA that are worth reading:

– A policy position on OBA and the situations when opt-out consent may be appropriate.
– A report of an investigation the OPC did into Google’s OBA practices related to a health-related device.
– A recent follow-up research report where the OPC surveyed OBA practices across a number of leading Canadian websites.

Thanks to Andrew Patrick and the Privacy Commissioner for making their time and resources available to us on the Shared Security Podcast. It is really encouraging to see the Canadian Government taking such an active role in helping citizens protect their privacy and personal information.

Security Issues with Connected Toys

New technology also comes with great responsibility…even more so if it concerns children. More “smart” toys are being found with security vulnerabilities that could lead to personal information about children being exposed. In this case the app used with the Fisher Price “Smart Bear” had security vulnerabilities that, if exploited, could steal a child’s name, birthdate and gender, along with other data. Fortunately, Fisher Price quickly fixed the issue. -Tom

15 Dangerous Apps Every Parent Should Know About

If you’re a parent with teens you should definitely check out this document of the 15 most “dangerous” mobile apps your teens may be using. I don’t think dangerous is the right word, as some of these apps have legitimate purposes. However, we all know kids will use apps like these for things like sexting and other activity that parents need to be monitoring for. Give this document a read…you might not be aware of some of these apps, and as a parent it’s good to be as educated as possible about these apps. Also, this document touched a little on this, but there are lots of apps that look legitimate but in fact will “hide” photos and videos inside of them. The most popular with teens seem to be “Calculator +” applications (like this one in the iTunes store). The lesson here is to check out all the apps your teen has on their mobile device and investigate their usage. -Tom

Facebook-prowling predator arrested after mother helps police

This is a good article about how a parent did some investigating of their child’s friends list on Facebook and found a convicted sex offender. There are also some rules for parents (and teens) in the article that are good to review. We talk about these same “social media” rules in many of our podcast episodes. -Tom

Connected devices quietly mine our data, privacy experts say (Scott was featured in this article)

The real message here is that you should realize that we are far from over-reacting to these kinds of risks, and in the big picture, we all need to watch the trends to understand the risks. -Scott

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
Jan 23, 2016 • 48min

The Shared Security Podcast Episode 50 – Facebook Quizzes, Pre-Crime, Wireless Home Security Systems

This is the 50th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Alex Hamerstone from TrustedSec, recorded January 21, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

2016 Reality: Lazy Authentication Still the Norm

This is a great story from Brian Krebs’ own personal experience regarding how his PayPal account was “hacked”. It was not “hacked” in the way you would normally think, via stolen credentials or password guessing. His credentials were reset over the phone via some easy social engineering techniques and information that was easily accessible through some Internet reconnaissance. Brian even had a PayPal two-factor authentication token for extra security. It goes to show you that organizations like PayPal need to look at all the different attack vectors that someone would use to gain access to accounts and protect their customers appropriately. -Tom

Stop doing quizzes on Facebook if you place any value on your privacy

It’s been a while since we’ve talked about those Facebook quizzes and surveys that you see many of your friends sharing with you on Facebook. While these may seem fun and harmless on the surface, often these “apps” will collect your email address, list of friends and other personal information from your Facebook account. All of this is done within their legal terms of service, of course! This is not a Facebook-specific issue either. The problem lies with the third-party developer who will receive your personal information and what they do with it. This article is a great reminder of what information can be harvested when you take quizzes and surveys like this on Facebook. -Tom

Pre-crime arrives in the UK: Better make sure your face stays off the crowdsourced watch list

I love the movie “Minority Report” because it’s a look into the (rather scary) future of facial recognition and this notion of “pre-crime” identification. In the present we’re already seeing some of the technology mentioned in the movie come to reality, and this article takes this concept a step further by delving into “pre-crime” and determining if someone is about to commit a crime if their face has been identified in several so-called “watch lists”. This is potentially dangerous to innocent people if you tend to look like someone else or if you find yourself in the “wrong time at the wrong place” kind of situation. It will be interesting to see how this technology and government policies around facial recognition evolve to prevent the innocent from being falsely accused of “crimes” they may never commit. -Tom

The super creepy side of the Internet of Things and smart homes

This is a revisit of some topics we’ve covered in previous episodes. I was fascinated with a statistic from the article that stated: “a Microsoft survey found that 99.6% of people would gladly accept cash in exchange for having their activities tracked, what happens to those who give it up unwillingly because of security vulnerabilities in their smart home appliances?” This is a great question and makes me wonder if many companies that are developing IoT devices (especially ones focused on the consumer ‘smart home’ market) will even start to take vulnerabilities in these devices seriously. -Tom

Xfinity’s Security System Flaws Open Homes to Thieves

Self-installed wireless home security systems like the Xfinity system are all the rage right now with consumers. These wireless alarm systems are now very affordable and reliable, and can help deter and prevent theft. However, how secure are these systems, given that this technology is rather new and is now part of the “Internet of Things”? If you own one of these alarm systems this is a great article to make yourself aware of some vulnerabilities these systems have. Sparing you the technical details, essentially this specific wireless security system can be jammed using a device purchased off of eBay or put together on your own for about $130 in easily obtained parts. The casual thief probably won’t go to this level to break into most homes; however, most people that buy these systems post signs outside of their homes advertising the exact security system they have, which also gives away its known vulnerabilities. This is a great example of vendors getting involved to either limit the jamming issue or mitigate the risk by implementing a better alerting system to identify when the alarm system is being jammed. -Tom

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
Dec 17, 2015 • 38min

The Shared Security Podcast Episode 49 – Google Search Privacy, Smart TV Attacks, Internet Router Risks

This is the 49th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded December 16, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

People’s Deepest, Darkest Google Searches Are Being Used Against Them

You should really always be thinking about how your search queries could end up putting you on a “sucker list”. There seem to be two levels of exploiting your search queries:

– Direct categorization by the search engine, which leads to more targeted advertising – We may not think about how the entities that have access to our search queries might use them against us (or for us, in their interpretation – “all the better to serve you relevant content, my dear”). In fact, Mikko Hypponen says in his Ted Talk from October, 2013, “We are brutally honest with search engines. You show me your search engine history, and I will find something incriminating or embarrassing in 5 minutes.” So, I’d like you to ask yourself, “Do you really want to trust the guys – whose livelihood is derived from selling information about you – to know exactly what your most burning questions are?”

– Luring to pages that collect information – These pages try to get you to “self-screen”, using the byproducts of failed searches and application forms (called remnants), which have value to some bottom-feeders.

There’s a big profit in just trying to categorize people, especially if they can identify people who are better than average candidates for any type of businesses they can sell the lists to. There can also be a lot of bait and switch tactics to get around Google’s predator defences. This is one of the reasons that “data never dies”. As soon as it’s captured, the data is copied and correlated with other data that makes it more valuable. It will quickly end up in a place where you can’t delete it. – Scott

Man-in-the-middle attack on Vizio TVs coughs up owners’ viewing habits

Product vendors need to stop assuming that nobody cares about the data they collect and/or send over the Internet. It used to be that the Internet was mostly insecure because not much was encrypted. Now, with Google, Facebook, Twitter and many of the most popular sites using the TLS standard for encrypting all data to and from their sites (even if it’s not a form with sensitive data), there’s an expectation that if your product doesn’t secure its communications, it can be the weakest link for customer privacy. So, all data has to be encrypted properly, which means using standard protocols for authenticating end points and encrypting messages. Not using proper data security within new products is inexcusable. The reason I say “standard protocols” is that very often, vendors think they are being clever by inventing their own way of hiding or securing data. This rarely works, especially these days, when virtually every new product is being analyzed by researchers or bad guys to find vulnerabilities. There’s plenty of free software available that can do security properly (e.g. http://libsodium.org ), so why would you try to invent your own, which is going to cost a lot of money, and more than likely will be bypassed at some point? This is all aside from the fact that many product manufacturers seem intent on violating customers’ privacy to gain added “Lifetime Value” from them. – Scott

BadBIOS is back – this time on your TV

Just like in the days when laptops started to come with built-in webcams, and we recommended covering the camera with some tape, it sounds like it’s time to recommend explicitly disabling microphones on all devices. This is probably easier said than done, though… – Scott

Your Internet router is a security risk

It’s time to dust off that router that never gets touched (or updated). There are many different types of vulnerabilities in those home Internet wifi routers that go beyond not changing those default credentials. It’s worth two minutes to log in to your router and check for any updates that may have been released since you purchased it. – Tom

The Healthcare Internet of Things: Becoming a Reality

IoT goes beyond FitBits and health tracking apps. Soon we will start to see much more “invasive” use of this technology, including thermostats that automatically adjust based on your body temperature and lights that auto-adjust based on your mood and time of day. If anything, something to be aware of, especially when it comes to your personal information being used by these devices. – Tom

Facebook M — The Anti-Turing Test

While Facebook M is still in beta…it’s interesting to see where AI is going and how we may rely more on AI in the future. I like to mention Facebook M because it’s taking AI like Apple’s Siri to the next level and it shows some of the limitations of AI. Meaning, there may be a “human” assisted infrastructure to modern AI implementations. It will also be interesting to see how modern AI is secured and the privacy implications associated with this technology. – Tom

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
Nov 24, 2015 • 38min

The Shared Security Podcast Episode 48 – Password Manager Compromise, Fingerprint Insecurity, Quitting Social Media

This is the 48th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded November 23, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Hacking tool swipes encrypted credentials from password manager

This article, and the associated incident, is an excellent reminder that there is no easy solution to securing EVERYTHING. Using an infected computer presents so many catastrophic scenarios, it’s not really wise to view this problem as a problem with password managers. If a computer is infected with malware, the attacker can capture passwords as you enter them into any site. You could add a 2-factor authentication mechanism (like Google Authenticator), or force a user to enter a master password to access anything in a password manager’s database, but you then still have the problem of malware capturing what you enter into a site’s password field (even without a password manager), and the 2-factor MAN-IN-THE-MIDDLE attack we talked about in the last episode of the Shared Security Podcast. This is one of many reasons I often emphasize the need to try to avoid malware risks by having good surfing habits, like:

– Not visiting questionable sites
– Not clicking on links or attachments in emails you weren’t expecting, or that look suspicious
– If you must do the above, do it on a different computer or a Virtual Machine environment, where an infection will probably not compromise your existing data

I still use a password manager, because it helps defend against many more risks than it is vulnerable to. – Scott

Your Unhashable Fingerprints Secure Nothing

Wow! I’ve actually had my concerns about any biometric authentication schemes (like fingerprints, iris scanners, facial recognition, etc.) since watching the movie MINORITY REPORT. Now, I’m CERTAIN they are not the way to go. This is an amazingly well-written story that explains in elegant detail why fingerprints (and, I suspect, most biometric authentication factors) are actually a dangerous way of authenticating people. If you’re not technically inclined, it could be a difficult article to read, but here are my important take-aways:

1) THEY AREN’T REALLY SECRET – Your fingerprints are probably not as secret as any of your well-chosen passwords, because they can be either photographed from a fair distance with a high resolution camera, or lifted using standard forensic techniques from almost anything you’ve touched (e.g. a mug, a door knob, a keyboard, a steering wheel, a water tap, a seat back, etc.);

2) THEY ARE EASY TO REPRODUCE AND USE TO IMPERSONATE YOU – Fingerprints, once known (by lifting or by high resolution photos), can be easily reproduced pretty quickly, and without much effort, on a LATEX SKIN, and used at will;

3) THEY CAN’T BE REVOKED OR CHANGED – If your fingerprint is lifted from something and used to compromise your identity, there is literally no way to revoke – or reset – your fingerprint authenticator. So, it should never be used again, just like when you are asked to change your password after a data breach;

4) THEY AREN’T USUALLY SECURED WELL (or HASHED) – For fingerprint authentication to work properly, an authentication system has to verify that an impression of your print at the time of an authentication request is a CLOSE MATCH to one you gave at the time you registered to the system. To do this, it has to be easy for the system to retrieve your exact original print(s), so they can be compared and scored for SIMILARITY. This requirement means that the database must be MUCH MORE VULNERABLE to brute force attack than a good password hash database. In a well-constructed password hashing scheme, if an attacker manages to guess a correct password (very unlikely), they must start over to get any others. For a fingerprint (or most biometric) databases, it’s likely that the entire database is encrypted in a way that makes it easy to retrieve ALL of the prints.

If these points don’t make sense to you, then I’m afraid you’re going to have to read the article – which you really should do anyway – before you use something like Touch-ID on an iPhone. – Scott

CCTV Botnet In Our Own Back Yard

With the convergence of physical security devices (like CCTV cameras) and networking technologies there was always a risk that something like this could happen. Again, this goes back to the device manufacturer and ensuring that IoT devices such as CCTV cameras are built with security in mind from the beginning. It also means that when people and organizations buy CCTV cameras they need to harden and secure them before deployment. Default credentials are the number one attack vector we see abused with most IoT devices. – Tom

NOTE: Scott recommended a novel called INVASION OF PRIVACY by Ian Sutherland during this discussion. It’s a murder mystery with some good illustrations of plausible social engineering attacks, scenarios of interesting webcam risks and hacking tools used in interesting contexts. Here’s a link to the author’s webpage: http://ianhsutherland.com/. There’s also a free prequel to the novel at: http://ianhsutherland.com/social-engineer-sign-up/.

Predicting the future of technology

This is a good article for covering the range of technologies that could be affected by the next wave of SMART TECH. It also made me think of a book I recently read by Daniel Burris, called Flash Foresight. Burris is a great thinker and problem solver, who has a methodology for predicting technology evolution based on what he calls HARD TRENDS vs. SOFT TRENDS. If you’re interested in trying to predict or come up with the next successful technology in any of the areas mentioned in this article, or even if you just like to understand how technology is evolving, you should read Flash Foresight. It’s very interesting. – Scott

A Teen Instagram Star Is Quitting Social Media And Revealing The Truth Behind Her “Perfect Photos”

Can you really “quit” social media? This was an interesting article and sheds light on how people can be consumed with social media and the negative impact it can have on our lives. However, I find it ironic that she still uses social media (like Youtube and Vimeo videos) to start an entire new campaign against social media. Love it or hate it, social media is part of our lives whether you like it or not. It comes down to responsible use and knowing when it’s consumed your life and has become an addiction (just like anything else in our life). Too much of anything can be a bad thing. – Tom

What is Tor?

With all the talk about encryption and Edward Snowden in the news I thought it would be helpful to give our listeners a quick overview of what the Tor Proxy (aka: The Onion Router) is and how it’s used. Tor is used by people with good intentions to protect their privacy but is also used by criminals (such as the case of the infamous ‘Silk Road’). Tor should also not be relied upon to be 100% anonymous on the Internet, as it does have a few risks you should be aware of (especially if you’re running a Tor ‘exit node’). For further reading check out this great article on Lifehacker about Tor. If you’re feeling technically adventurous and want to play with Tor you can also build yourself a Tor-enabled wifi network, which I thought was a pretty cool project if you have a Raspberry Pi.

Free eBook: Securing Your Network and Application Infrastructure

Shared Security Podcast co-host Tom Eston was recently featured with several other security professionals in a free eBook titled “Securing Your Network and Application Infrastructure”. Check it out for lots of great advice and tips to secure your business.

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
Oct 30, 2015 • 39min

The Shared Security Podcast Episode 47 – Celebrity Impersonations, Social Media and Kids, EU Safe Harbor

This is the 47th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright, recorded October 28, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Do you know which of these stars have the most celebrity impersonations?

I did a quick check of which celebrity had the most impersonators on each social networking site:

Facebook – Bradley Cooper
Twitter – Angelina Jolie and Channing Tatum
Google Plus – Angelina Jolie and Jared Leto
Instagram – Jennifer Lawrence and Angelina Jolie
Youtube – Jennifer Lawrence
LinkedIn – Brad Pitt

I also noted that there were less than 30 impersonators in total, for all the celebrities in the picture, on LinkedIn. What does this mean? It might mean scammers are less excited about using LinkedIn, but it could also mean that businesses don’t use LinkedIn so much for communicating with their followers. I think there’s just as much scamming going on by attackers who impersonate businesses in the more popular social networking applications. What I also think is interesting is how ZeroFox uses advanced tools to categorize the potential attackers and prioritize the risk from each impersonator, which involves separating the parodies from the real scammers. – Scott

Our kids need to talk about it

This is really an important and eye-opening article. It digs a little deeper into the frequent negative impacts that social media have on children and families. It strikes me that both parents and teachers – those who see kids most often every day – really should receive some guidance for dealing with these issues, both in a preventative sense, and in a responsive attitude. You’re never going to be able to completely protect your kids from some of these effects. So, you will have to be able to recognize the signs, and try to act to limit the potential damage. Knowledge of child psychology might help. But it’s also just letting your kids know that you’re trying to understand the pressures they are feeling, so you can help them through. I think discussing stories of incidents that may have happened to others (either in the news, or in your community) makes it easier for them to relate, and discuss their views. As a parent of 3 kids, I think you also have to resist the urge to judge your child’s actions or feelings. They really can’t help the way they feel, and they are still immature, so they’re going to make mistakes. What you can do is help them have a healthy attitude and recognize the merits and impacts of the actions they might want to take. As the article hints at the end, you need to understand the environment your kids are in. So, as much as you may hate the idea of having a Facebook account, setting one up and using it (not to spy on your kids, but to experience what’s going on in today’s culture) can make it easier to see things from their point of view. It is a conflicting situation for parents, though, to rationalize whether you are really spying on your kids, simply intruding on their privacy, or looking out for their best interests. – Scott

Europe’s highest court strikes down Safe Harbor data sharing between EU, US

This is huge news, as this ruling will likely force Facebook, Twitter and Google to keep EU data in the EU. It is important that privacy laws be respected and enforced. And in this case, the CJEU seems to be doing a good job of overseeing the Safe Harbor agreement. This agreement basically says that, if the personal data of EU citizens is transferred to a country outside the EU, it must be protected to a certain standard. However, the case has brought to light that the standard for safe harbour does not really go as far as it needs to in order to properly protect the privacy rights of EU citizens. So, the conclusion is that companies like Facebook should not be allowed to move EU citizens’ data overseas, since privacy will not be upheld. One instance they give, as an example of how the agreement is too weak, is the potential access rights that the US government has to all data held within the USA. But this is an argument that can be extended to the UK itself, given what is now publicly known about the UK government’s surveillance activities. In this sense, the EU citizens’ data may be no better protected inside the EU than outside. So, it will take a long time to sort all the implications out. But, as the article states, it is likely that companies will start to segregate data geographically. I’m not sure how this will affect, for example, Facebook users, or even advertisers. So, as always, don’t post sensitive information on social media sites if you are concerned about this. But you might also have to start wondering about the safety of cloud-based services such as Microsoft Office 365. What protection does your business have if you are storing data in these kinds of cloud-based services? Is “Safe-Harbor” really feasible, even if the vendors promise it? – Scott

Consumers think IoT security is a piece of cake; IT pros have another name for it

“manufacturers don’t make consumers sufficiently aware of the types of information connected devices can collect.” Not only do they not make them aware of the facts, they don’t have much interest in helping consumers understand the risks. That’s why we see blatant statements like Spotify’s privacy policy, which is scary if you understand the risks of what they are doing, but they seem to be counting on people not really understanding or caring about the risks. – Scott

Hackers Can Silently Control Siri From 16 Feet Away

This is really not a threat at all right now. There are a lot of caveats to this attack and I would just note that these types of hacks are always evolving. – Tom

An elaborate combined phishing and phone social-engineering attack against 2-factor authenticated Gmail accounts

This kind of attack is not new, but with the increase in use of Gmail’s two-factor authentication, an attacker can gather the password and SMS second factor code in real time using a phishing scheme. It’s often primed by a social engineering phone call in which the attacker contacts the victim using an issue that the victim is likely to care about. The caller then says they will send a link with more information that can be found in a Google Drive shared document. When the user tries to access it, the fake site presents a real-looking login and two-factor form. Since it is all done in real time, the caller can access the victim’s real Gmail if they act before the two-factor code expires. The combination of phone and email gives people the impression that it’s not likely to be a scam. So, be careful about acting on hot button issues when you receive a call or email “out of the blue” that leads you to a Google Drive or other similar login page. – Scott

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
Oct 8, 2015 • 34min

The Shared Security Podcast Episode 46 – Peeple App, Medical Devices Exposed, Instagram for Doctors

This is the 46th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded October 7, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Scott gives an overview of the BSides Ottawa Security Conference

If you’re in the Information Security industry I highly recommend you attend a local BSides conference. Always great content and networking opportunities! -Tom

Everyone you know will be able to rate you on the terrifying ‘Yelp for people’ — whether you want them to or not

Yelp for people? What could possibly go wrong? What are the ramifications when we start “rating” everyone we know or encounter? In a recent twist everything available about the Peeple app has been removed (social media, website, etc.) by the founders, most likely because of the firestorm of news media and privacy concerns. While the Peeple app looks like it may not happen, I’m sure there are other similar apps that will pop up and try something similar in the near future. -Tom

The Power of Privacy Video Series by The Guardian

The first episode takes a very thought-provoking look at the digital shadows you leave and how someone can find personal and private information about you on the Internet…highly recommended! Episode 2 was recently released and talks about how easy it is to get hacked through phishing and common social engineering techniques. – Tom

Anatomy of an enterprise social cyber attack

This is some interesting ZeroFOX research on customer scams, specifically one called “hashtag hijacking”. I’ve heard of several cases in the news about this type of attack using social engineering and social media as attack vectors. Check out this great infographic to learn more. -Tom

Thousands of ‘directly hackable’ hospital devices exposed online

This research was released at the DerbyCon security conference last month. I found it fascinating that now MRI and other critical medical equipment can be found using the search tool Shodan outside of the firewall of some major healthcare providers. Most likely this happens because of poor network segmentation as well as separate Internet connections outside of the healthcare provider. To top that off, many of these devices are configured with default credentials and/or weak passwords (some running vulnerable Windows XP and older systems too). The researchers built a honeypot defibrillator machine to prove their points, which “attracted a whopping 55,416 successful SSH and web logins and some 299 malware payloads”. Medical devices (pretty much in the same category as IoT) which lack any security are very scary, especially the potential impact to human life if these devices are compromised! -Tom

The Social Network Where Doctors Swap Gross Pics of Patients

HIPAA nightmare? Apparently doctors, nurses and other healthcare staff have been uploading patient pictures to an app/social network called “Figure 1” (aka Instagram for doctors). While the founders’ intentions seem good (as in a good way for doctors to get second opinions or to treat patients better) there is definitely a cause for privacy concern. The founders apparently have monitoring and oversight and remove any metadata from each picture, but as this app’s user base grows it will be harder to oversee this type of information, even with automation built in. In addition, the app founders said that they don’t have a plan yet to make money, so time will tell if this even sticks around. -Tom

Netflix shows you how to make your own “IoT switch”. Turn on Netflix. Dim the Lights. Kick Back and Relax.

Netflix continues to innovate with unique ways to watch their programming…even getting you to build your own IoT device (I’m sure it will soon be available for purchase). -Tom

Our friendly PSA: Please stop posting those Facebook privacy notices

Posting those Facebook “privacy notices” on your status does nothing, as you’ve agreed to hand over everything you post to Facebook according to their terms of service. You agreed to this when you created your Facebook account. Don’t like it? Stop using Facebook and delete your account. See Snopes for more information about this hoax. -Tom

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 46 – Peeple App, Medical Devices Exposed, Instagram for Doctors appeared first on Shared Security Podcast.
Sep 25, 2015 • 31min

The Shared Security Podcast Episode 45 – Implantable Wearables, Spotify Privacy, Hacking Self-Driving Cars

This is the 45th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright and recorded September 24, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

How The Internet of Things Could Revolutionize Our Lives, Work

The above article does a good job of painting a Utopian future, with your office doors opening and computers logging you in with appropriate privileges “without having to manually tap into 10 different interfaces every day.” You may also enjoy dreaming of entering a restaurant where the menu is customized to your social preference, saving you the hassle of actually having to turn multiple pages. This may be a good thing, or it may just be a sign that we are getting lazy. Did you ever see the Disney movie “Wall-E”, where all the humans looked like the Michelin man, and floated around on hovering chairs? Isn’t it just a little bit sad that we are getting so excited about not having to move any muscles to get our jobs done? Not only does this image of the future seem a little unhealthy, but I just can’t help but think about all the potential vulnerabilities in all the interfaces between these devices and systems that have to work with each other to accomplish these feats. I think this is especially true, in light of the point raised in the article about the lack of standardization between devices that I think will almost always exist. – Scott

A Smartwatch Could Reveal What You’re Typing by How Your Hand Moves

This is one of those articles that pops up every year or so that describes how somebody has demonstrated a way to capture keystrokes or other personal movements of individuals through vibrations, light rays, electromagnetic variations, etc. It’s just a reminder that when we adopt a new form factor or a whole new device, somebody is going to try to find a way to spy on your actions when using it. In most cases, these demonstrations are done in very controlled environments, and can be very hard to reproduce. In other, more successful cases, the researchers probably end up getting bought out or employed by large and powerful organizations, never to be heard from again… ;o) – Scott

Top 10 Implantable Wearables Soon To Be In Your Body

Is there such a thing as being too close to technology? It will be interesting to see how far people are willing to go to be connected. This article discusses a number of ways in which scientists (or franken-scientists) are experimenting with implanting everything from phones to speakers to video displays in people’s bodies. I think it’s more likely that many of us will accept some of the new medical applications of implantable technologies. Sensors for real-time monitoring of sugar levels, cholesterol and other undesirables could be really valuable. Of course, the swallowable pill for colonoscopies is the one many of my friends are waiting for… There may even be devices you can take as pills that will monitor and dispense therapeutic chemicals that make you feel full, or even contraceptives. It’s also possible that with the right materials and smart functionality, entire organs could be replaced. Maybe this is how we evolve into Cyborgs… My security and privacy concerns around these devices are along the lines of them being hijacked by attackers, which could literally be fatal in some cases. But you also have to worry a little about how those devices could be detected and matched to your identity for tracking purposes. – Scott

You Can’t Do Squat About Spotify’s Eerie New Privacy Policy

It’s not just Google, LinkedIn and Facebook who want to know everything about you. Spotify is seriously trying to get in on the act. Did you know that Spotify’s privacy policy is hoping you might break the law, while their fine print is saying you agree to do the due diligence? Spotify’s privacy policy apparently wants you to implicitly accept how they use information about your phone’s contacts, even when they know it may not be legal for you to share it with Spotify without their permission. They literally expect you to seek every contact’s permission to let Spotify use their contact information for its vague purposes, before you use Spotify on your phone. Unfortunately, as the article points out, it is becoming the norm for businesses to try to monetize the personal information they have about you. – Scott

Self-driving cars can be hacked using a laser pointer

Before you get in that self-driving car… The next wave in vehicle technology, if you haven’t been paying attention to it, is the self-driving vehicle. Google has been test-driving self-driving vehicles for a number of years now, with some success. I think there are some great benefits to be had from automating vehicles, especially in environmental and safety areas. Think of the gas that can be saved if the optimal acceleration and routing is used every day by all (or most) vehicles on the road. And automated safeguards are very likely to save a lot of lives where human error is often the cause. However, we have to keep in mind all the bad things that can happen when a computer can completely control a car. In this article, a simple laser pointer can be used to cause the laser-based ranging and imaging systems on self-driving cars to believe there are objects where there aren’t. This kind of attack has to be considered, and in general, any malicious action from an outsider has to be considered by the cars’ control systems. They have to do more complex checks for “reasonability” of their sensor inputs. So, I’m glad we have hackers actively researching the latest vehicle automation technologies. This way, we have a chance of having vehicles come off the production lines with security built in. I’m not so naïve as to think they will be totally safe. There are some real risks that need to be thought out, and some won’t be resolved before we’re driving them (I mean, they’re driving us). Things like legal liability when a vehicle makes a decision that directly ends up injuring or killing people. – Scott

Check out our friends over at ZeroFOX

ZeroFOX provides detection and defense for social media security threats. We hope to have the team at ZeroFOX share more of their research and technology with us in future episodes. – Tom

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 45 – Implantable Wearables, Spotify Privacy, Hacking Self-Driving Cars appeared first on Shared Security Podcast.
Sep 3, 2015 • 32min

The Shared Security Podcast Episode 44 – Facebook Data, Apple Watch, Android, Amazon Dash Buttons

This is the 44th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright and recorded September 2, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Facebook urged to tighten privacy settings after harvest of user data

Make an Apple Watch Door Unlocker

Severe weaknesses in Android handsets could leak user fingerprints

Big Android makers will now push monthly security updates

How I Hacked the Amazon WiFi Button to track Baby Data

Oracle security chief to customers: Stop checking our code for vulnerabilities

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 44 – Facebook Data, Apple Watch, Android, Amazon Dash Buttons appeared first on Shared Security Podcast.
Aug 14, 2015 • 28min

The Shared Security Podcast Episode 43 – Car Hacking, IoT Risks, Facebook Scams, SmartTV Privacy

This is the 43rd episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright and recorded August 6, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Car hack reveals peril on the road to Internet of Things (IoT)

Smart watches and activity monitors usually connect to the cloud, sometimes without good security

Really great article from VentureBeat about IoT risks

Good research and whitepaper from Veracode about several popular IoT devices being sold and the security risks

Scott talks about a recent Facebook scam that he received, which was really hard to tell if it was legit or not

Tom talks about Vizio SmartTVs and how they know everything that you watch. Make sure you read those privacy policies!

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 43 – Car Hacking, IoT Risks, Facebook Scams, SmartTV Privacy appeared first on Shared Security Podcast.
