Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Oct 21, 2019 • 11min

Pitney Bowes Ransomware Attack, Samsung Galaxy S10 Fingerprint Bypass, Top Technology Fears

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 91 for October 21st 2019: Pitney Bowes becomes the latest ransomware victim, what are the top technology fears, and the latest on the vulnerability that allows a Samsung Galaxy S10 to be unlocked with anyone’s fingerprint.

Smartphones and other mobile devices have truly become integrated with our daily lives. So much so, in fact, that these devices are causing a new type of stress injury called “text neck”. Text neck is a stress injury that causes pain in your neck from excessive use of, or texting on, a mobile device over a long period of time. This condition is increasingly concerning given that all of us seem to be looking down at our devices every minute of every day. Just take a look around you whenever you’re out in public. Our mobile devices have truly become a “pain in our neck”. So if you want an easy way to prevent this condition, try taking more breaks away from your device and simply put your device down so you are less tempted to use it. And if you want an easy way to get off the grid for a while, put it in a Silent Pocket faraday bag. The nice thing about this solution is that you don’t even have to power off your device! Check out Silent Pocket’s full line of faraday bags and wallets at silentpocket.com and receive 15% off your order during checkout using discount code “sharedsecurity”.

Welcome to the Shared Security Weekly Blaze Podcast, where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Last week shipping and postage provider Pitney Bowes, which serves 90% of businesses in the Fortune 500, was the victim of a ransomware attack that prevented customers from adding postage to packages and may have even impacted some mail delivery at the US Postal Service.
In a statement the company said, quote, “Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” End quote. Pitney Bowes is best known for its postage meters, which automate the painful process of putting postage on envelopes and packages. Some customers took to Twitter during the outage showing postage meters and associated software with errors and confusing messages about “system faults”. Apparently the meters would still work up until you had to refill funds in order to print out more postage. Check out our show notes for a link to the latest updates from Pitney Bowes on the status of their systems.

In related news, late last week business credit rating agency Moody’s issued a “credit negative” event note regarding the ransomware attack, meaning the credit agency is cautiously watching the incident but has yet to issue a ratings downgrade. Ratings agencies like Moody’s are commonly referenced by investors, and negative ratings can make it more difficult for a company to raise money and can drive the stock value down. This news is pretty significant in that ratings agencies are now monitoring companies for data breaches and other cybersecurity incidents and issuing ratings adjustments based on the impact of the incident. Just last May, Moody’s downgraded Equifax’s outlook to negative because of the massive data breach that we all know and love. And ironically, Equifax’s outlook remains negative for the foreseeable future.

Ransomware attacks like these are continuing to rise, mostly because a lot of companies are paying the ransom because they feel they are left with no other option. The more companies pay, the more incentive there is for attackers to continue finding victims.
The advice from law enforcement and the cybersecurity community is to never pay the ransom, because there is no guarantee that you will get your data back. Rather, contact law enforcement or a third-party cybersecurity professional to help get your data back in other ways. For example, there is a site run by a security researcher called “ID Ransomware” which (as of this podcast recording) can decrypt 771 different types of ransomware by uploading the ransom note or a sample encrypted file. This is a free service, by the way, and you have a much better chance of getting your data back by using a free service like this than by ever paying the ransom.

A recent survey of about 1,000 Americans from security solutions company Cove revealed people’s modern-day safety and cybersecurity fears by gender, generation, and political party. Some of the most interesting findings: four in five parents said that they were worried about raising their kids in today’s world, which included things like talking to strangers online, cyberbullying, and sharing personal information online. These things even ranked higher than parents’ concerns about mass shootings. Surprisingly, social media was seen as the most harmful modern technology when it comes to safety, while security cameras were considered the most helpful. Voice-enabled assistants like Amazon Echo, Google Home, and Siri ranked second in terms of being harmful for safety, followed by autonomous cars, facial recognition, wearable technology (like Fitbits and Apple Watches), and last was security cameras. Not surprising is that data breaches are the largest technology fear, followed by election hacking. From a privacy perspective, only 3% of those surveyed were worried about their personal information being sold to advertisers.
One of the most interesting results of the survey was that Generation Z, the demographic of individuals born in the mid-1990s to early 2000s and known as the most tech-savvy generation, didn’t really have safety concerns with technology; rather, almost half reported that their biggest fear was walking in public alone at night. It seems that some traditional fears are still very valid in a world filled with technology.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

In late-breaking news last week, a British couple discovered a serious flaw in Samsung’s popular Galaxy S10 smartphone, which could be unlocked by using anyone’s fingerprint.
According to reports from several British news outlets, a cheap screen protector is all that’s needed to bypass Samsung’s most advanced authentication system, which, back when the phone was launched in March, was touted by Samsung as “revolutionary”. The technology sends ultrasound to detect the 3D ridges of fingerprints, and apparently some screen protectors leave a small air gap between the phone and the user’s finger. In a statement to BBC News, Samsung says that they are aware of the issue and will soon issue a software patch. In the meantime, South Korean bank Kakao Bank has told their customers to turn off fingerprint scanning completely until a patch is issued.

This is the first major authentication-related issue that I’ve heard of for Samsung in recent years. Typically, we’ve seen many passcode bypasses and other fun tricks with Apple iOS devices. In fact, we just talked about one back in September on the podcast which would allow you to bypass the passcode to view the contacts on someone’s device. This recent news, though, goes to show that these types of vulnerabilities happen to other manufacturers besides Apple. So now it’s time for Samsung to share the love of fixing a very significant security and privacy vulnerability.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First-time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post Pitney Bowes Ransomware Attack, Samsung Galaxy S10 Fingerprint Bypass, Top Technology Fears appeared first on Shared Security Podcast.
Oct 14, 2019 • 12min

Hong Kong Protests, Instagram’s Anti-Phishing Tool, Smart Device Fail

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 90 for October 14th 2019: how protesters in Hong Kong are avoiding facial recognition, Instagram’s new anti-phishing tool, and my recent epic smart device failure incident.

Being a frequent traveler myself, I’m always surprised at how many people at airports are not very aware of their privacy. Just last week, while I was waiting for my flight, I listened as someone gave their credit card number over the phone, and another person had their laptop open and I was able to see a presentation they were working on which looked to have very sensitive business information. The message here is that we always need to be aware of our surroundings and be careful what we say or expose when we’re in a public place like an airport. And if you’re a privacy-aware traveler like me, I highly recommend Silent Pocket’s product line of faraday bags, backpacks, and wallets, which are built with your digital privacy in mind. Check them out at silentpocket.com and receive 15% off your order at checkout using discount code “sharedsecurity”.

Welcome to the Shared Security Weekly Blaze Podcast, where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Violent protests continued in Hong Kong last week, with the local authorities implementing a new anti-mask law which targets protesters wearing masks to avoid being recognized by the police and surveillance cameras. Such bans are nothing new, as Sri Lanka, France, the Netherlands, and Canada have similar controversial bans as well. Some protesters have even been seen wearing face paint in the form of Pepe the Frog, which has recently been adopted as an international symbol of liberation for the Hong Kong protesters.
Some protesters are even using laser pointers as a way to disable facial recognition technology or make it harder for it to identify them. In related news, Apple has been criticized for removing an app from the Apple App Store because of pressure from the Chinese government. The app allowed protesters to crowdsource the locations of police. Apple is just the latest US-based company to join the ranks of the NBA and the video game company Blizzard, who have given in to Chinese pressure. This is very unfortunate, and while I don’t bring up politics too much on this show, freedom-loving people and companies should be supporting the protesters. And as a reminder, you as a consumer have a choice on what products and entertainment you spend your money on.

Now, I bring up the Hong Kong protests because the technology that governments possess in order to identify protesters should be concerning to all of us. So when does the use of this technology truly become an invasion of our privacy, all in the name of more security? Perhaps we’re already there. The good news is that several states in the US are now implementing more privacy laws. Just last week the state of California signed a bill into law that prevents police from using facial recognition technology on video recordings gathered by police officers. The bill states, quote, “The use of facial recognition and other biometric surveillance is the functional equivalent of requiring every person to show a personal photo identification card at all times in violation of recognized constitutional rights.” End quote. I think this is a positive sign that, at least in the US, facial recognition is beginning to become more regulated.

Instagram has added a new security feature which will help you identify whether an email was sent by Instagram or may be a phishing email. Here’s how this feature works. Let’s say you receive an email claiming to be from Instagram.
You can now see if Instagram sent you that email by going into the “Emails from Instagram” option in your app’s settings. Within this setting you’ll be able to see every email that was sent to you by Instagram over the last 14 days. The new feature also separates emails into two categories: security emails and other. If you see an email that matches what’s in your inbox, then you can assume that this was a legitimate email. As you know, phishing emails are a constant threat, and some recent Instagram phishing attacks look so legitimate that it’s very difficult to tell a real email from a fake one. Be on the lookout for this new and welcome security feature to show up in your Instagram account over the next several weeks.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Researchers last week disclosed a severe remote code execution vulnerability in a range of popular consumer-grade D-Link WiFi routers. Affected models include the DIR-655, 866L, 652, and 1565, which all came out 7-10 years ago. The vulnerability was found in the authentication process of the router’s login page and can allow an attacker to access the admin credentials or install a backdoor. D-Link responded to the researchers’ report noting that because these routers are at “End of Life” support, no patch will be released for these devices. And this is part of the problem with the “Internet of Things”: what happens to our devices which are later found to be vulnerable to attack after the manufacturer stops supporting them? And how are customers notified that their devices are end of life and that they should stop using them due to serious security issues? Oh, and don’t think this is a problem specific to D-Link. This can happen to any smart device, including web cams, printers, and really any device that is part of the Internet of Things.

Speaking of Internet of Things devices, I wanted to share with you a story that happened to me just last week when I was traveling. So I stayed in a newer hotel that has those “smart locks” on your room door where you can unlock the door with your phone. Now, in full transparency, I haven’t yet used my phone to unlock my room door when I travel since I’d just rather stick to the key card that they give you when you check in. I’m really not that paranoid. Well, after hanging out with my co-workers, watching the Cleveland Browns lose yet another football game, I headed back to the hotel, went up to my room and found out that my key card wasn’t working when trying to open the door. So I went back down to the reception desk, they issued me a new key card, and I proceeded to try again. Guess what, no luck.
So I used the lobby phone by the elevators to call down to the registration desk, letting the attendant know that my card was still not working. The attendant proceeded to tell me that the battery for the card reader on the door was probably dead and that she would be right up to check it out. As she walked to my room I noticed that she had what looked like a battery pack with a small USB mini connector. She proceeded to try and plug this battery pack into the bottom of the card reader in an attempt to “charge” the battery so that the reader could quickly be powered just enough to read the card. Well, that didn’t work either, so she had to call maintenance to find out how to get the door open. She also proceeded to tell me that they would most likely have to drill a hole through the connecting door, which is the door that most hotel rooms have to create one large room, and displace me as well as the occupants in the room next to me so that I could get my stuff out. So, it was midnight, I was tired and just wanted to go to bed. I was told the maintenance guy was about 30 minutes out, so I sat in the lobby and waited. The maintenance guy got there and I saw him with a drill and a very large drill bit as he headed up to my room with the hotel attendant. I was thinking the worst at this point, and about 10 minutes later the other desk attendant told me that the maintenance guy had just called down to say that they were able to successfully open the door. Awesome! So I headed up to my room and the maintenance guy told me that he was able to get the backup battery connected by using pliers to pull out the connector so that he could connect the battery pack. Apparently, the connector was broken.

Now I had several questions at this point. First, why was there not a failsafe for these door locks when the battery fails? He said that they would have to drill through one of the doors; that’s the only option. There was no key backup or any other way to get in the door.
Now my next question was: let’s say someone was having a medical emergency, called 911, and couldn’t get to the door to let paramedics or the police into the room? If the battery to the door is dead, the only option is to break the door down! I was a bit surprised by this, thinking of the potential liability that this may leave the hotel, but the more I thought about it…this is the reality that we live in. While these smart locks should probably have a third failsafe, like a key, situations like these should make you think about what happens when the technology we rely on fails and what manufacturers should think about when developing smart devices like these locks. And if you’re wondering, I did finally have a good night’s sleep.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First-time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post Hong Kong Protests, Instagram’s Anti-Phishing Tool, Smart Device Fail appeared first on Shared Security Podcast.
Oct 7, 2019 • 9min

Microsoft OneDrive Personal Vault, Google’s New Privacy and Security Controls, REAL ID Deadline

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 89 for October 7th 2019: Microsoft’s new OneDrive Personal Vault, updated privacy and security controls announced by Google, and the TSA’s announcement about the REAL ID deadline next year.

I have a question for you. What’s in your daily carry? Now, I’m not talking about your concealed weapon of choice (if you legally choose to carry one) but about your wallet, backpack, clutch, or other travel accessory. If you’re looking to upgrade to something that’s high quality, fashionable, and built with your digital privacy in mind, you need to check out Silent Pocket. Visit their full line of products at silentpocket.com and use discount code “sharedsecurity” at checkout to take 15% off your order.

Welcome to the Shared Security Weekly Blaze Podcast, where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Microsoft has increased the security and privacy of its OneDrive cloud storage service with a new feature called “Personal Vault”, which is now available worldwide for all OneDrive users except those on business plans. Personal Vault is a protected area in OneDrive that requires additional authentication, like biometrics, a PIN code, or SMS-based two-factor authentication, in order to access and store files. Microsoft has stated that on Windows 10 devices, files that are stored in Personal Vault are synced by default to BitLocker-encrypted locations, and that the vault will lock automatically after 20 minutes by default. I think the real security advantage here is on mobile devices, where the OneDrive app will let you scan files or take pictures and video and store them directly in your Personal Vault instead of your camera roll.
And because data stored in OneDrive is encrypted at rest and in transit, it seems to be a nice addition to increase the security and privacy of your most sensitive data, like a picture of your driver’s license, passport, birth certificate, or other electronic documents you should protect. One disappointment, though: if you have a free OneDrive account or one that you recently upgraded to one of Microsoft’s standalone 100 GB plans, you can only store a maximum of three files in your Personal Vault. To store more, you’ll need to upgrade to an Office 365 Personal or Home subscription. I guess, according to Microsoft, much-needed personal file security and privacy comes with an additional cost.

There were lots of new privacy and security updates from Google last week, which include new features and improvements to give you more control over your data and to make privacy and security controls more seamless across all of Google’s products. First up is the new feature which allows you to auto-delete your YouTube browsing history at a set time period of 3 months or 18 months, or the ability to just delete your history manually. Next, Google has integrated a password checkup tool into the Google Password Manager which will let you know if your passwords are weak, reused, or have been compromised in a previous data breach. This is similar functionality to what Firefox rolled out a few months ago by integrating with Troy Hunt’s ‘Have I Been Pwned’ service. In addition to these improvements, you’ll be able to tell the Google Assistant to delete what you just said or delete recordings from a specific time period, like last week, and Google has added an incognito or private mode to Google Maps which removes any personalization and search history, so that your activity won’t be linked back to your Google account.

In other related Google news, Google has been lobbying Congress to let them start forcing Chrome users to automatically use DNS over HTTPS.
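To make the DNS over HTTPS discussion concrete, here is an added example (not code from the podcast) that builds the same google.com lookup as a plain DNS message, shows that the queried name is readable in those bytes, and then wraps the identical message the way an RFC 8484 GET request does; the resolver name dns.example and the reply address 192.0.2.1 are placeholders, and nothing is sent over the network.

```python
"""Added example (not from the podcast): the same DNS lookup as a classic
UDP/53 message and as a DNS over HTTPS (RFC 8484) request. Everything is built
offline; the resolver name dns.example and the answer 192.0.2.1 are placeholders."""
import base64
import struct


def build_dns_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Build an RFC 1035 query message (qtype 1 = A record). RFC 8484
    recommends ID 0 so that identical DoH requests are cacheable."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                      # root label ends the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def name_visible_in_clear(packet: bytes, name: str) -> bool:
    """True if every label of the queried name is readable in the raw bytes.
    For classic DNS this is exactly what an ISP or on-path observer sees."""
    return all(label.encode("ascii") in packet for label in name.split("."))


def doh_get_url(resolver: str, packet: bytes) -> str:
    """RFC 8484 GET form: the DNS message is base64url-encoded without padding
    and placed in the `dns` query parameter. The URL travels inside TLS, so an
    observer only sees a connection to the resolver, not the queried name."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of doh_get_url's encoding: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def constructed_doh_response(query: bytes, ip: str) -> bytes:
    """A constructed application/dns-message reply for the query above (not
    captured from a real resolver): same ID, response flags, and one A record
    whose name is a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_a_answers(response: bytes) -> list:
    """Minimal parser returning the IPv4 addresses in a DNS response's answer
    section. Handles both literal names and compression pointers."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        while response[offset] != 0:
            offset += 1 + response[offset]
        offset += 1 + 4                      # root label + QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        if response[offset] & 0xC0 == 0xC0:  # two-byte compression pointer
            offset += 2
        else:
            while response[offset] != 0:
                offset += 1 + response[offset]
            offset += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


if __name__ == "__main__":
    query = build_dns_query("google.com")
    print("classic DNS shows the name in clear:", name_visible_in_clear(query, "google.com"))
    print("DoH request line (only visible inside TLS):", doh_get_url("dns.example", query))
    reply = constructed_doh_response(query, "192.0.2.1")
    print("addresses in reply:", parse_a_answers(reply))
```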
If you’re not familiar with what DNS over HTTPS is, it means that when you type a URL like google.com into your web browser, the DNS query for google.com gets encrypted, therefore not allowing your ISP (or someone else monitoring your Internet connection) to view the sites you’re going to on the Internet. Keep in mind that this is slightly different than full HTTPS encryption, where the contents of the data that you send to and receive from sites on the Internet are encrypted. Think of DNS over HTTPS as an add-on that will increase the overall security and privacy of the Internet. My take is that this and all the recent changes that Google is making are really needed. I don’t know about you, but I feel lately that perhaps Amazon, Apple, and now Google are playing a game of “privacy catch-up” given how data breaches and privacy concerns are all over the news as of late. Let’s hope this trend continues.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

My last story this week is a friendly public service announcement from the Department of Homeland Security. They want to remind you that if you intend to travel by air in the US a year from now, you’ll need to upgrade to a “REAL ID”-compliant driver’s license by next October 1st 2020. Standard state-issued driver’s licenses will not be accepted when going through TSA security screening, so you will have to use a REAL ID-compliant license or a current US passport, Global Entry card, or military ID to board a flight in the US. The TSA has been hitting the media to let everyone know about this now to avoid a chaotic situation at the airport, with TSA lines, aggravation, and the financial impact when people with non-refundable airline tickets are turned away next October. The REAL ID Act was passed after 9/11 as a way to make driver’s licenses harder for terrorists to obtain. You can tell a REAL ID from a regular driver’s license by the “star” located in the top right corner. But the biggest difference from a traditional driver’s license is that you need to submit four forms of identification, including two with your address. Valid forms of ID can include a valid driver’s license, passport, Social Security card, birth certificate, utility bill, payroll stub, rent or mortgage payment, or a military ID. If you happen to live in Oregon, Oklahoma, or New Jersey you will have less than a year to get a REAL ID, since these states are behind and have not yet implemented REAL ID. Check out our show notes for a link from the TSA to find out more information about REAL ID and the October 1st 2020 deadline.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First-time listener to the podcast?
Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post Microsoft OneDrive Personal Vault, Google’s New Privacy and Security Controls, REAL ID Deadline appeared first on Shared Security Podcast.
Oct 1, 2019 • 33min

Amazon Smart Glasses, Webkey Social Engineering, Erase Your Old Hard Drives!

In episode 92 of our monthly show, Tom and Scott talk about Amazon’s new smart glasses that work with Alexa, what webkeys are and how they could be used for social engineering, and why you should always erase old hard drives and other data storage before selling or giving away computers and other electronics.

Looking to up your privacy and security game while you travel? Then you need to check out Silent Pocket’s patented product line of faraday bags, wallets, backpacks, and other accessories at silentpocket.com. Be sure to use discount code “sharedsecurity” at checkout to receive 15% off your order.

Here are the show notes and links to articles discussed during the show:

Give a listen to our 10 year anniversary episode, and our interviews with Aaron Zar from Silent Pocket, and Max Krohn from Keybase.io.

A first look at Amazon’s new AirPods competitor, smart glasses and ring: “Another experimental product is Echo Frames, but I think these have legs. These aren’t augmented reality glasses like Microsoft’s Hololens or Google Glass — there’s no display on them, and no camera like Glass had. Instead, you talk to the glasses and Alexa talks back to you. They make more sense than the Echo Loop, since the speakers are right near your ears and you don’t need to raise a hand up to listen.”

Amazon has had lots of privacy issues around Alexa recordings, including how contractors have been listening to these recordings and that you can only manually delete your recordings one at a time. Amazon’s privacy policies are starting to change! Check out our latest episode of the Weekly Blaze for more details.

What is a Webkey? “USB webkeys (USB web keys) are a great way of getting people to remember your logo, yet it saves the trouble of remembering a lengthy URL. Plug the Webkey into a USB port and your pre-programmed website automatically launches — just like magic! If you’ve read Harry Potter, you’ll appreciate this Muggle equivalent of the Portkey.
The USB Web key is a low cost alternative to USB flash memory devices, and an effective way of promoting your company, new product launch, training material, or recruitment campaign. It’s available in various shapes. The USB Web key is pre-programmed with the URL (may be up to 110 characters) that you provide. Every device is guaranteed to be virus free.”

Here’s the Twitter thread that Scott mentioned on the show about the webkey given out at the information security conference:

A great physical/cyber #socialEngineering experiment. A honey webkey! Wonder how many inserted this? Did the #InformationSecurity folks approve of this marketing tactic? Hey, @agent0x0 @streetsec the next gen beyond #HoneySticks => #HoneyPhones for you. https://t.co/u9B1vR6Iaj — Rebecca Herold (@PrivacyProf) August 22, 2019

Study: 3 in 5 secondhand hard drives still contain previous owner’s data: “59 percent of secondhand hard disks sold on marketplaces like eBay are not properly wiped and still contain data from their previous owners, according to a new study by the University of Hertfordshire and commissioned by Comparitech. We purchased 200 used hard drives from online marketplaces, secondhand shops, and conventional auctions: 100 in the USA and 100 in the UK. University researchers then performed forensic analysis to determine whether any attempt had been made at deleting the contents of the drive and whether those attempts were successful. We uncovered a wide range of sensitive and private information left by previous owners. The remnant data included, among other things, employment and payroll records, family and holiday photos, business documents, visa applications, resumes and job applications, lists of passwords, passport and driver’s license scans, tax documents, bank statements, and lists of students attending senior high schools.”

Here’s a great guide we talked about on how to erase/wipe most electronic storage, including SD cards.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel. The post Amazon Smart Glasses, Webkey Social Engineering, Erase Your Old Hard Drives! appeared first on Shared Security Podcast.
Sep 30, 2019 • 9min

DoorDash Data Breach, Voice Assistant Privacy Changes, Limiting Ad Tracking

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 88 for September 30th 2019: DoorDash announces a data breach affecting 4.9 million people, recent voice assistant privacy changes, and ways that you can limit ad tracking on your mobile device.

Are you a frequent traveler that wants a high-quality, fashionable backpack that keeps your digital privacy in mind? Then you need to check out Silent Pocket’s new Faraday Bag Waterproof Backpack. Check it out at silentpocket.com as well as their other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.

Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Popular food delivery company DoorDash said in a blog post late last week that 4.9 million customers, delivery workers, and merchants had their information stolen through a third-party service provider who was not named. Data stolen included name, email and delivery address, order history, phone numbers, last four digits of their credit card or bank account, and hashed (and salted) passwords. Users who joined the service prior to April 5th 2018 were affected by this breach and, to add insult to injury, about 100,000 delivery workers also had their driver’s license information stolen. And if that wasn’t enough, this news ironically comes almost a year after many DoorDash users complained that their accounts were hacked. At the time, DoorDash denied that there was a breach and blamed it on credential stuffing attacks, where attackers take user names and passwords previously exposed through known data breaches, then use those credentials on other sites like DoorDash.
This is basically a way to pass blame to the user for selecting poor passwords. I think DoorDash has a little bit of explaining to do as we now add this latest breach to the long list of breaches that we’ve had just this year alone. If you happen to be a DoorDash customer, check out our show notes for a link to the official news release about the breach for more information.

Several weeks ago on the podcast I talked about how Apple was changing the way that contractors were analyzing recordings from Siri as part of their “grading” program, due to privacy concerns around sensitive and private conversations that were recorded. You may recall that this was also a huge problem for Amazon and Google’s voice assistants as well. Well, this past week Google announced significant changes to how their product, the Google Assistant, handles voice recordings. First, Google says that your audio data is not stored by default, and that if you do want it stored, so that it can be used to help improve the Google Assistant, then you can opt in to this feature. Second, Google has updated their audio settings to make clear that if you opt in you can opt out again, and existing users who have already opted in will get a chance to review and change the setting if they prefer. Third, Google said that recordings are never linked to a particular user and that only 0.2% of all audio recordings are ever analyzed by someone. Lastly, the Google Assistant will automatically delete any audio data when it realizes that it was activated unintentionally. In addition, Google is making changes to their data retention policy so that audio data older than a few months is deleted.

And in late breaking news last week, Amazon released several new Echo related products to the market and also announced several new privacy improvements as well.
First, Amazon has added two new commands to its Alexa voice assistant, in which you can now say “Alexa, tell me what you heard” and “Alexa, why did you do that?”. The “tell me what you heard” command lets you know exactly what Alexa is listening to, and “why did you do that” is meant to give you more information if Alexa does something random like play a song out of nowhere. In addition, Amazon will now allow people to delete Alexa voice recordings on a rolling 3-month or 18-month basis and is allowing users to opt out of human reviews of voice recordings. These changes put Amazon in line with Apple and now Google regarding the current privacy settings of these popular voice assistants.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

Did you know that there is a setting on our mobile devices which gives us more control over targeted advertising?
I wanted to bring this up on the show because we typically only think about the privacy settings in the apps we use, like Facebook, but Android and Apple iOS also have a very important setting that you can enable at the device level to help limit the information advertisers can obtain about you and your device. How it works is that both Android and iOS have something called an “ad ID” which gets linked to the data that advertisers collect about you from the apps that you’re using. This “ad ID” was created in an attempt to reduce the amount of information about your device that advertisers receive, in particular things that can’t be changed, like your unique device identifier and Wi-Fi MAC address. Advertisers use this ID instead so that they can have a unique identifier for you and your device without being given all these other details. By default this “ad ID” is enabled on your device (which is a good thing), but by turning on a setting called “Opt out of Ads Personalization” on Android or “Limit Ad Tracking” in Apple iOS, this ad ID is randomly changed or zeroed out. On Android, this setting only changes your ID, but in iOS the ad ID is set to all zeros. To make this change in Android go to Settings > Privacy > Advanced > Ads and turn on “Opt out of Ads Personalization.” On iOS, go to Settings > Privacy > Advertising and turn on “Limit Ad Tracking”. What this setting means is that advertisers will have to either start a new profile about you or simply won’t be able to link very specific data back to you in order to serve ads that are more personalized. Now, enabling this setting doesn’t mean that you won’t receive any more ads, but it does mean that ads may not be as personalized to you. And since we’re all constantly bombarded by ads, anything we can do to throw a wrench into how advertisers track you, the better off we’ll all be from a privacy perspective.

That’s a wrap for this week’s show.
Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Sep 27, 2019 • 32min

Aaron Zar, Co-Founder and CEO of Silent Pocket

On this special edition of the podcast we speak with Aaron Zar, co-founder and CEO of Silent Pocket. Silent Pocket has been a long time sponsor of the show and it was great to catch up with Aaron to get his thoughts on the current state of digital privacy.

On the show we also discuss:

- Why privacy isn’t dead and how Aaron responds to people that say “Who cares about privacy! I have nothing to hide!”
- How Silent Pocket products are helping people protect their digital privacy and stay more secure
- The history of Silent Pocket, their first products, and how Aaron started his career
- What products are recommended for the average person?
- What new and innovative products are in the pipeline?

It was a pleasure having Aaron on the show and we hope you enjoy this episode as much as we did! Check out Silent Pocket’s great line of faraday bags, wallets, and other gear including their new Faraday Bag Waterproof Backpack which we discuss on the show. Don’t forget, because you listen to this podcast, you receive 15% off your order using discount code “sharedsecurity” during checkout at silentpocket.com.
Sep 23, 2019 • 10min

Apple iOS 13, Venmo Scams, Simjacking Attacks

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 87 for September 22nd 2019: Everything you need to know about Apple iOS 13, Venmo scams you need to be aware of, and new details about “Simjacking” attacks.

This week I had the pleasure of interviewing Aaron Zar, co-founder and CEO of our sponsor Silent Pocket. Aaron’s a great guy and I think you’ll enjoy hearing how he started Silent Pocket and his take on why our digital privacy is more important than ever. We’ll be publishing this episode soon so be on the lookout for it. And if you haven’t taken a look at Silent Pocket’s great product line of stylish faraday bags and wallets I highly recommend you check them out at silentpocket.com. Don’t forget, because you listen to this podcast you can take 15% off your order using discount code “sharedsecurity”.

Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Last week Apple released iOS 13 to the public, which also happened to include a passcode bypass vulnerability that allows you to view the contacts on a locked Apple device. In order to conduct the attack you would need access to someone’s device and go through a series of steps which, by the way, would not be that easy to pull off, even by someone who had physical access to your device. Steps include replying to an incoming call with a custom message, enabling and disabling the VoiceOver feature, adding a new contact to a custom message, and then viewing the contact’s information. This of course is not the first time we’ve seen passcode bypass vulnerabilities in Apple iOS; there were two that were patched in iOS 12 as well.
Apple will most likely patch this vulnerability in the first update to iOS 13, which will probably happen in the next few weeks. Besides this particular issue, the iOS 13 update comes with several new privacy enhancements, including the much anticipated “Sign in with Apple” feature, which can create an anonymous email address for you when signing up for new apps and services. Also, phone calls from apps like Facebook Messenger and WhatsApp will have more restrictions in the way that they run in the background, to prevent them from collecting user data without permission.

Speaking of permissions, someone noticed while testing the new iOS update that an unexpected notification popped up on their device stating that Facebook would like to use Bluetooth. Why on Earth would Facebook need access to your Bluetooth? Well, apparently some apps are tracking your physical location and your proximity to other people’s smartphones. Potential uses of this data could include deeper analysis of the people around you and their relationships. Not only that, but it could also be used to serve you ads, and I could even see the potential use in Facebook’s new dating service, in which having location services turned on is a requirement. Now, this “feature” has been going on for quite some time and it’s not just Facebook. YouTube just so happens to be doing the same thing.

Do you use the popular peer-to-peer payment app, Venmo? If you do, then you need to be aware of a new text message based phishing scam that directs you to a fake Venmo website. Here’s how it works. You’ll receive a text message saying that your Venmo account is about to be charged and that if you want to cancel the withdrawal, you need to log in to your account and decline it. When you click the link, a site that looks just like Venmo will ask you for your phone number and password, then prompt you to enter your bank card and other personal and financial information.
In another, more advanced variation that is most likely tied to criminal money laundering, you may receive a legitimate text message from Venmo stating that you just received money from someone you don’t know. This is typically a large amount like $1,000. If you accept the payment, later down the road the scammer will ask you for the money back due to an error on their part and even ask you to keep $50 or so for your “trouble”. When you return the money to the scammer, the scammer will contact Venmo to “correct” their mistake, in which case Venmo may reverse the original payment as well or put you on the hook for accepting a fraudulent transaction. The best advice, of course, is to never accept money from people you don’t know and to never enter financial details through a link that comes through a text message. Scams like these that leverage text messages are only going to increase because payment services like Venmo are rapidly growing in popularity. Just in Q1 of this year the number of Venmo users has grown to 40 million people! And as we always say…scammers will always try to target apps that are extremely popular and apps that have the ability to transfer money.

If you’ve been listening to the podcast for a while you’ve probably heard me talk about “Simjacking” attacks. Simjacking is where someone calls your mobile carrier and attempts to transfer your number to a SIM card in a device under their control. This is how many celebrities and others are getting their social media and other accounts hacked, even with two-factor authentication enabled. Well, just last week a new Simjacking attack was announced by researchers from AdaptiveMobile Security that would allow an attacker to “take over” a mobile phone, obtaining information like its location and potentially forcing it to make calls or send texts, simply by sending an SMS text message to the device. What’s most concerning about the attack is that it’s device agnostic, meaning Apple, Samsung and all brands of mobile phones are affected. And while the researchers did not say who was responsible for this exploit, stating only that it was a private company that happens to work with governments to monitor individuals, you can pretty much conclude that certain nation states are using this capability to monitor and track individuals of interest. US mobile carriers do not seem to be affected by this attack, but that still leaves potentially a billion smartphone users across 30 countries vulnerable. The bad news here is that only the mobile carriers can fix this vulnerability themselves. The good news? Industry groups such as the SIMalliance issued a new set of security guidelines for cellular carriers.
The recommendations include implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and making changes to the security settings of SIM cards issued to mobile phone customers.

That’s a wrap for this week’s show.
Sep 16, 2019 • 20min

End-to-End Encryption with Max Krohn from Keybase.io

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 86 for September 16th 2019: All about end-to-end encryption with Max Krohn from Keybase.io.

Are you looking for the very best products to protect your digital privacy? Well, Silent Pocket has everything you need to mind the grid with their patented product line of faraday bags and wallets. Visit silentpocket.com today and receive 15% off your order with discount code “sharedsecurity”. The Shared Security Podcast is also sponsored by Edgewise Networks. Visit edgewise.net to find out about how Edgewise can help stop data breaches.

In this special edition of the Weekly Blaze, Tom interviews Max Krohn, co-founder of Keybase.io, to discuss the current state of encryption and why end-to-end encryption is so important. Here are the topics that we covered with Max on the show:

- Who is Max Krohn and what is Keybase.io?
- What is end-to-end encryption and how is it different than other types of encryption?
- Recent news about governments asking tech companies to build “encryption backdoors” into services and products to prevent terrorism and mass shootings.
- Max’s take on the controversial talk given by Crown Sterling at the Black Hat USA security conference on the “discovery” of quasi-prime numbers. Is this snake oil or real research that will change encryption forever?

Find out more about Keybase.io and follow Max on Twitter.
Sep 9, 2019 • 11min

New Firefox Privacy Protections, Apple iOS Zero-Days, Facebook User Phone Numbers Exposed

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 85 for September 9th 2019: Firefox will now block all third-party tracking cookies and more by default, serious vulnerabilities found in Apple iOS, and the latest on the huge database of Facebook users’ phone numbers found online.

Did you know that all electronic devices emit a form of electromagnetic radiation? Well, recently we’re starting to see more scientific research come out about the potential health effects of using our mobile devices and other wireless electronics so close to our bodies. In fact, just recently a class action lawsuit was filed against Apple and Samsung for exceeding the radiation limit on the smartphones that they sell. And while this research is debatable in some circles, more and more experts are recommending keeping our smartphones away from our bodies. If this is something that concerns you, one product that can help is a Silent Pocket faraday bag, which can block all wireless signals emitting from a device. Visit silentpocket.com to check out their great line of faraday bags and other products to protect your digital privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

It should be no surprise that I’m a huge fan of Firefox. In my opinion it’s probably the best web browser out there that is truly focused on your privacy. And with the latest release of Firefox, version 69, Mozilla has made a change to its Enhanced Tracking Protection feature by enabling it for all users by default.
Enhanced Tracking Protection is a privacy control which blocks all third-party tracking cookies and more. Back in June Firefox enabled this feature only for new users, but over the last few months of testing and improvements they are finally ready to enable this setting for everyone, which is a huge benefit from a privacy perspective. Enhanced Tracking Protection works behind the scenes to keep websites from developing a profile of you based on how they track your web browsing behavior across different websites. These profiles are then collected and even sold to third-party marketing companies without your consent. In addition, Firefox is also now blocking cryptominers by default. Cryptominers access your computer’s CPU, slowing it down and draining your battery, to generate cryptocurrency for someone else to profit from. Oh, and if that wasn’t enough, fingerprinting scripts are being blocked too, but not by default. These scripts attempt to harvest information about your computer’s configuration when you visit a website. If you want to take advantage of blocking these types of scripts you’ll need to enable “Strict Mode” within your Firefox privacy settings. Firefox plans on turning this blocking on by default in the near future.

Now, I’ve also been recommending the EFF’s Privacy Badger as a great add-on for Firefox too. So it will be interesting to see how Privacy Badger compares to Enhanced Tracking Protection now built into Firefox by default. Perhaps we’ll do a comparison for you in a future episode of the podcast, but in the meantime, if you are using Firefox make sure you update to the latest version to take advantage of these great new privacy protections.
The big news being discussed in the cybersecurity community recently was the big reveal from Google’s Project Zero vulnerability research team, which found that over a dozen Apple iOS vulnerabilities have been exploited by attackers for at least two years to steal everything on a vulnerable device including passwords, photos, text messages, and more. Most surprising though is the method used to infect iOS devices, which was by simply visiting certain websites that would exploit the vulnerabilities without you even knowing it. The researchers did not disclose the websites that were used but said that these sites received thousands of visitors per week. Oh, and the exploit only persisted until you rebooted your iOS device, but like many of us, do you remember the last time you powered off or rebooted your device? What’s also interesting is that typically iOS zero-days like this would be used by nation states to target specific groups or individuals, but in this case the attackers didn’t have a particular target in mind; rather, it was a mass attack on any Apple device running iOS 10 through iOS 12. This also brings into question how secure Apple devices really are, given that iOS has a reputation of being one of the hardest operating systems to compromise. Typically vulnerabilities like these are worth tens of millions of dollars and are usually only funded by nation states with deep pockets and specific targets in mind. The question here is who was behind this massive undertaking and was any particular nation state involved? We may never know, but the good news is that Apple did patch these particular vulnerabilities back in February of this year with iOS 12.1.4. This is yet another reason you should always keep your devices up to date and patched.

In Facebook news this week, and I know you’ll be so surprised to hear this, an unprotected server was found exposing more than 419 million Facebook users’ phone numbers, along with each user’s Facebook ID, which is a unique number associated with a Facebook user account. These user records break out to 133 million from the US, 18 million from the UK, and more than 50 million from Vietnam. What’s most interesting is that the data appears to be at least a year old, since Facebook removed public access to phone numbers in April of last year due to the Cambridge Analytica scandal. A security researcher named Sanyam Jain found the database and contacted media outlet TechCrunch after he was unable to find the owner of the database. A spokesperson from Facebook commented that the data set is old and that there are no indications that anyone’s Facebook account was compromised due to this specific database being exposed. TechCrunch also stated that the web hosting company pulled the data once they were notified.
This most recent exposure is on top of the long list of previous data leaks that have been a huge problem for Facebook in recent months. Not only that, it’s another example of a database found completely unprotected and available for anyone to harvest for whatever purpose they wanted.

In other Facebook news, Facebook is migrating users that had a setting called “tag suggestions” to the current face recognition setting. Apparently, some new users and others still had this old setting and will now be fully moved over to the new setting. Back in December of 2017, Facebook introduced a setting specifically for face recognition. In addition to this, Facebook will also provide users with more information on how face recognition works and with the option to turn this feature on. Facebook also notes that if you do not currently have the face recognition setting and do nothing, Facebook will not use face recognition to recognize you or suggest tags unless you opt in. We’ll have a link to the full news release in our show notes if you want more information, but we always recommend not enabling face recognition for the obvious privacy reasons.

Oh, and if you haven’t downloaded our free Facebook Privacy and Security Guide, I highly recommend you do so. Our guide will walk you through all of your Facebook privacy settings so that you can remain as private as possible while still being social. Visit sharedsecurity.net/Facebook to get your copy today!

That’s a wrap for this week’s show.
Sep 2, 2019 • 12min

Android “Ghost Click” Apps, New Apple Siri Privacy Protections, Credit Card Spying

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 84 for September 2nd 2019: “Ghost click” Android apps found on the Google Play Store, new privacy protections for Apple’s Siri voice assistant, and did you know that your credit card may be spying on you?

I have a question for you. How often do you carry your laptop with you? If you’re a frequent traveler, the answer may be all day and every day. So if you are carrying your laptop around, how are you doing it? If you’re like most of us you use some cheap neoprene laptop sleeve or just throw it in a backpack. But what if I told you there is a better approach? Well, Silent Pocket makes a fantastic solution called a faraday laptop and tablet sleeve. I have one and I love it. Their laptop sleeve comes in waterproof nylon or beautiful leather to provide protection for your laptop from not only the elements but also by blocking all wireless signals, making your laptop instantly secure. Check out Silent Pocket’s Faraday Laptop and Tablet Sleeve for yourself at silentpocket.com. And as a listener of this podcast be sure to use discount code “sharedsecurity” to receive 15% off your order.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy news topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Did you know that Android app developers have found creative ways to load ads or conduct “ghost clicks” within an app, so that the ad is never shown to you and you never have to click an ad on the screen?
Well, last week it was discovered by researchers from Symantec that an Android app developer called “Idea Master” had two apps, a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: Daily Workout, Best HIIT Coach”, which were downloaded over 1.5 million times from the Google Play Store over close to a year and were using this very tactic. According to Symantec researchers, the code to do all of this was hidden due to the way that the apps were compiled. Typically, researchers can easily reverse engineer Android apps to view the source code, but in this case a “packer” was used to purposely obfuscate the code. These packers are typically used by app developers to protect intellectual property in their code. How this attack works is that the developer first makes sure the ads show up just outside the viewable area of the screen and then they program the app to initiate an automated ad-clicking process that runs in the background. Not only will this drive up ad revenue for the app developer, but it has the side effect of slowing down your Android device and draining your battery. There is also the potential for these developers to use similar tactics to load malicious content or open up websites so that more dangerous things could be installed on your phone. So how can you prevent something like this from happening on your Android device? First, keep your mobile device up to date, only install apps from trusted sources, and pay close attention to the permissions that are requested when you install an app. And if you see your battery or data usage spike after installing an app, that should also be a clue that an app may be doing something malicious on your device. Remember on a recent episode how I talked about Amazon, Apple, and Google having major privacy issues regarding what was being recorded from their voice assistants like Siri, Amazon Echo, and Google Home?
In all of these assistants, recordings were found to have contained very private conversations that were being analyzed by contractors hired to improve the technology behind these digital assistants. Several weeks ago Apple suspended what they call their Siri “grading” program due to privacy concerns with the use of contractors and the very private conversations, which included everything from financial data, medical, and other very personal details when Siri was accidentally triggered. This past week Apple has now announced that they will be resuming this program in the fall, but only after some privacy changes are made. These changes include that Apple will no longer retain recordings of Siri interactions and instead will use computer generated transcripts to help Siri improve. Second, users will be able to opt in to have audio samples from Siri analyzed, with the option to opt out at any time. And third, for customers that do opt in, only Apple employees will be allowed to listen to audio samples, and they will delete any recording which happened to be an inadvertent trigger of Siri. Now, let’s see if Google and Amazon follow Apple’s lead to fix some of these recent privacy concerns with all of these voice assistants. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services, so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches. Credit cards are a necessity these days for paying for things either online or when you’re out and about, and we all know that credit cards just make paying for things much more convenient. One of the side effects though, as we often talk about on this show, is that your credit card data is a huge target, as evidenced by the countless data breaches we hear about almost every day. But have you ever thought that your credit card might be spying on you and that, in fact, your credit card transaction data goes to many different types of companies for lots of things you may not even know about? Well, I read a fascinating story last week posted by Geoffrey Fowler, a technology columnist for the Washington Post, about how he purchased two bananas at Target. Yes, you heard that correctly, bananas. He purchased one banana on a Chase Amazon Prime Rewards Visa credit card, and the other on the new Apple Card, which is advertised as a credit card focused on your privacy. Here’s what he found out. First, card data is extremely valuable to all sorts of companies: your bank, the retailers, the credit card processors, and even the apps that you might use, like Mint, to organize your finances. All of your transactions are often aggregated, anonymized, hashed, or used in some way to eventually target you with marketing or other types of offers based on what you purchase.
While we don’t typically think about how our spending habits could reveal information about us, it was pretty eye opening to me to see the path that your data takes as soon as you make a credit card purchase. First, your bank obviously knows you made a purchase, but what you might not know is that your bank will send your data to marketing partners and affiliates. You can opt out of this through those yearly privacy notices that you receive in the mail, but by default you opt in to data sharing just by signing up for a credit card. In fact, the Chase credit card used in this experiment was found to share data for seven different reasons with companies not owned by Chase. This is where the Apple Card was different. Goldman Sachs says it does not collect or send any transaction or other data to any third-party companies. Oh, and of course, any co-branded credit card, like the Chase card that partners with Amazon, gets a piece of your data too. What else? Well, there are the card networks run by Mastercard and Visa, which also aggregate your data and then sell that data to various third parties. This is where the Apple Card starts to fail from a privacy perspective. Once data hits the card network, that data is no longer under the privacy restrictions put in place by Apple and Goldman Sachs. There is also the store itself as well as the point-of-sale systems. For example, both bananas were purchased at Target. Now Target of course knows what you purchased and can start to use your card number as a unique identifier showing what you’ve purchased and when. Target shares your data with other companies too. And if a particular store has a loyalty card, it gets even worse, as now more of your purchases and related history can be shared. Now where it gets really interesting is with the point-of-sale systems and the merchant banks that actually process your credit card transactions. They too can share your data.
I’ve started to see payment terminals asking me if I want to print a receipt at the register, or have it emailed or texted to me. Guess what happens if I choose email or text? Yep, you guessed it. I just gave my phone number and email to the credit card processor. Creepier still, next time I use that credit card at that store the terminal will most likely remember that I chose email or text as my choice of receipt delivery. But wait, there’s more! Mobile wallets and financial apps also send your data to third parties, but I think you get the idea. We’ll have the full article linked in the show notes so that you can read the rest for yourself, but what are some things we can do about this? First, you could just start using cash everywhere, but if you use a loyalty card with a purchase you’ll still be giving away your data. The more sound, and unfortunately painful, approach is to opt out of as much of this as you can by researching how to opt out through your bank and credit card company, and even some stores may allow you to opt out too. But as the article noted, “the devil is in the defaults.” Which means that only a small number of us are going to actually take the time to contact all of these companies to opt out of data sharing. My take is that the Apple Card is doing some good things here but just doesn’t go far enough. I think it’s going to take a combination of some type of new federal privacy law combined with businesses finally realizing that, quote, “data is the new corporate social responsibility.” That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Android “Ghost Click” Apps, New Apple Siri Privacy Protections, Credit Card Spying appeared first on Shared Security Podcast.