Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Sep 2, 2019 • 12min

Android “Ghost Click” Apps, New Apple Siri Privacy Protections, Credit Card Spying

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 84 for September 2nd 2019: “Ghost click” Android apps found on the Google Play Store, new privacy protections for Apple’s Siri voice assistant, and did you know that your credit card may be spying on you?

I have a question for you. How often do you carry your laptop with you? If you’re a frequent traveler, the answer may be all day and every day. So if you are carrying your laptop around, how are you doing it? If you’re like most of us, you use some cheap neoprene laptop sleeve or just throw it in a backpack. But what if I told you there is a better approach? Well Silent Pocket makes a fantastic solution called a faraday laptop and tablet sleeve. I have one and I love it. Their laptop sleeve comes in waterproof nylon or beautiful leather to provide protection for your laptop not only from the elements but also by blocking all wireless signals, making your laptop instantly secure. Check out Silent Pocket’s Faraday Laptop and Tablet Sleeve for yourself at silentpocket.com. And as a listener of this podcast be sure to use discount code “sharedsecurity” to receive 15% off your order.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy news topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Did you know that Android app developers have found creative ways to load ads or conduct “ghost clicks” within an app so that the ad is never shown to you and you never have to click an ad on the screen? Well last week researchers from Symantec discovered that two apps from an Android app developer called “Idea Master”, a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: Daily Workout, Best HIIT Coach”, which had been downloaded over 1.5 million times from the Google Play Store over close to a year, were using this very tactic. According to Symantec researchers, the code to do all of this was hidden due to the way that the apps were compiled. Typically, researchers can easily reverse engineer Android apps to view the source code, but in this case a “packer” was used to purposely obfuscate the code. These packers are typically used by app developers to protect the intellectual property in their code. How this attack works is that the developer first makes sure the ads show up just outside the viewable area of the screen and then programs the app to initiate an automated ad-clicking process that runs in the background. Not only does this drive up ad revenue for the app developer, but it has the side effect of slowing down your Android device and draining your battery. There is also the potential for these developers to use similar tactics to load malicious content or open up websites so that more dangerous things could be installed on your phone. So how can you prevent something like this from happening on your Android device? First, keep your mobile device up-to-date, only install apps from trusted sources, and pay close attention to the permissions that are requested when you install an app. And if you see your battery or data usage spike after installing an app, that should also be a clue that the app may be doing something malicious on your device.

Remember on a recent episode how I talked about Amazon, Apple, and Google having major privacy issues regarding what was being recorded from their voice assistants like Siri, Amazon Echo, and Google Home? In all of these assistants, recordings were found to have contained very private conversations that were being analyzed by contractors hired to improve the technology behind these digital assistants. Several weeks ago Apple suspended what they call their Siri “grading” program due to privacy concerns with the use of contractors and the very private conversations, which included everything from financial and medical data to other very personal details, captured when Siri was accidentally triggered. This past week Apple announced that they will be resuming this program in the Fall, but only after some privacy changes are made. First, Apple will no longer retain recordings of Siri interactions and instead will use computer generated transcripts to help Siri improve. Second, users will be able to opt in to have audio samples from Siri analyzed, with the option to opt out at any time. And third, for customers that do opt in, only Apple employees will be allowed to listen to audio samples, and they will delete any recording which happened to be an inadvertent trigger of Siri. Now, let’s see if Google and Amazon follow Apple’s lead to fix some of these recent privacy concerns with all of these voice assistants.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

Credit cards are a necessity these days for paying for things, either online or when you’re out and about, and we all know that credit cards just make paying for things much more convenient. One of the side effects though, as we often talk about on this show, is that your credit card data is a huge target, as evidenced by the countless data breaches we hear about almost every day. But have you ever thought that your credit card might be spying on you and that, in fact, your credit card transaction data goes to many different types of companies for lots of things you may not even know about? Well I read a fascinating story last week posted by Geoffrey Fowler, a technology columnist for the Washington Post, about how he purchased two bananas at Target. Yes, you heard that correctly, bananas. He purchased one banana on a Chase Amazon Prime Rewards Visa credit card, and the other on the new Apple Card, which is advertised as a credit card focused on your privacy. Here’s what he found out. First, card data is extremely valuable to all sorts of companies: your bank, the retailers, the credit card processors, and even the apps that you might use, like Mint, to organize your finances. All of your transactions are often aggregated, anonymized, hashed, or used in some way to eventually target you with marketing or other types of offers based on what you purchase. While we don’t typically think about how our spending habits could reveal information about us, it was pretty eye opening to me to see the path that your data takes as soon as you make a credit card purchase. First, your bank obviously knows you made a purchase, but what you might not know is that your bank will send your data to marketing partners and affiliates. You can opt out of this through those privacy notices that you receive in the mail once a year, but by default you opt in to data sharing just by signing up for a credit card. In fact the Chase credit card used in this experiment was found to share data for seven different reasons with companies not owned by Chase. This is where the Apple Card was different. Goldman Sachs says it does not collect or send any transaction or other data to any third-party companies. Oh and of course, with any co-branded credit card, like the Chase card that partners with Amazon, the partner gets a piece of your data too. What else? Well there are the card networks run by Mastercard and Visa, which also aggregate your data and then sell that data to various third parties. This is where the Apple Card starts to fail from a privacy perspective. Once data hits the card network, that data is no longer under the privacy restrictions put in place by Apple and Goldman Sachs. There is also the store itself as well as the point-of-sale systems. For example, both bananas were purchased at Target. Now Target of course knows what you purchased and can start to use your card number as a unique identifier showing what you’ve purchased and when. Target shares your data with other companies too. And if a particular store has a loyalty card, it gets even worse, as now more of your purchases and related history can be shared. Now where it gets really interesting is with the point-of-sale systems and the merchant banks that actually process your credit card transactions. They too can share your data. I’ve started to see payment terminals asking me if I want to print a receipt at the register, or have it emailed or texted to me. Guess what happens if I choose email or text? Yep, you guessed it. I just gave my phone number and email to the credit card processor. Creepier still, next time I use that credit card at that store the terminal will most likely remember that I chose email or text as my choice of receipt delivery. But wait, there’s more! Mobile wallets and financial apps also send your data to third parties, but I think you get the idea. We’ll have the full article linked in the show notes so that you can read the rest for yourself, but what are some things we can do about this? First, you could just start using cash everywhere, but if you use a loyalty card with a purchase you’ll still be giving away your data. The more sound, and unfortunately painful, approach is to opt out of as much of this as you can by researching how to opt out through your bank and credit card company; even some stores may allow you to opt out too. But as the article noted, “the devil is in the defaults.” Which means that only a small number of us are going to actually take the time to contact all of these companies to opt out of data sharing. My take is that the Apple Card is doing some good things here but just doesn’t go far enough. I think it’s going to take a combination of some type of new federal privacy law combined with businesses finally realizing that, quote, “data is the new corporate social responsibility.”

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Aug 29, 2019 • 1h 5min

10 Year Anniversary Episode with Kevin Johnson and Jayson E. Street

In this very special Episode 91 of our monthly show, Tom and Scott are joined by special guests Kevin Johnson and Jayson E. Street, back to celebrate the 10 year anniversary of this podcast! We talk about the history of the show, what’s improved (or not improved) in the last 10 years from a cybersecurity and privacy perspective, Kevin’s Star Wars addiction, Jayson’s #HackerAdventures, and we have a very important debate about the future of security awareness and what can be done to provide better education on phishing, which continues to be one of the top attack vectors we’ve seen in the last 10 years. Be sure to stay tuned to the end of the episode for some fun outtakes from this episode and some highlights from our very first episode, which we recorded way back in August of 2009. You can also watch the full live stream of this episode on our YouTube channel. Thank you to all of our sponsors (Silent Pocket and Edgewise Networks), listeners, and previous guests for supporting the show over the last 10 years! We really appreciate it and we look forward to many more years of podcasting!

Your hosts, Tom Eston and Scott Wright
Aug 26, 2019 • 11min

New Facebook Privacy Controls, Apple iOS Patching Mistake, MoviePass Data Breach

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 83 for August 26th 2019: Facebook announces new off-Facebook activity privacy controls, how Apple made everyone’s iOS device vulnerable, and details on the massive MoviePass data breach.

This week I read yet another news article that talked about how thieves stole a Tesla in about 30 seconds using what is known as a relay or key fob attack. The attack works by using a device to amplify the signal so that the car thinks the key fob is nearby. Once the device relays the signal back to the car, the door is unlocked and the thief can steal the car. This is also an issue for other car manufacturers; it’s really any car that uses a technology called PKES, or Passive Keyless Entry and Start. Besides disabling this feature, the easiest way to prevent this attack is to put your key fob in a faraday bag, which is designed to block all wireless signals, making an attack like this completely preventable. And if you want the finest faraday bags available, you’ll want to use one from Silent Pocket. In fact, Silent Pocket offers a key fob guard which is made specifically to prevent a relay attack. Order one today by visiting silentpocket.com and receive 15% off your order using discount code “sharedsecurity” during checkout.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Ever wonder how certain products that you were thinking about buying mysteriously show up as ads on your Facebook newsfeed? Is there some black magic going on here? Well it’s not black magic and is actually one of the many ways that Facebook serves you more ads. Last week Facebook announced that they are finally implementing new privacy controls around what they are calling “Off-Facebook Activity”. Off-Facebook activity is data that is collected from websites and apps about your online searches. This can only happen when websites and apps use the Facebook login feature or have enabled Facebook’s business tools. These sites and services send certain details about that activity to Facebook so that Facebook can in turn show you ads about those specific products. This is why you see ads show up in Facebook for items or products that you’ve been searching for on the Internet. Now this is how off-Facebook activity works. Say you’re searching for a new backpack on a site that sells backpacks. That site can send information about your device, what was searched for, and other details so that Facebook can match up that device to your Facebook account. This in turn sends you an ad about that backpack or company. Facebook has always said that the companies utilizing this feature do not get your personal information like name or email address. All they know about you is a unique device identifier, which allows Facebook to match your device to your account. Now for the first time ever, Facebook is allowing more control over this data and is even allowing you to delete and disconnect this data from your Facebook account. Facebook will be slowly rolling this feature out to users over the coming months. These new privacy settings will give you the ability to see a summary of the information other apps and websites have sent Facebook, disconnect this information from your account, and choose to disconnect future off-Facebook activity, either entirely or just for specific apps and websites. So if you disconnect all this data from Facebook does that mean you’ll no longer see ads? Not really, you’ll still see ads, but they will be less personalized than before. Keep in mind, this applies to Instagram too, since Instagram is owned by Facebook and is tightly integrated into the Facebook Platform. So what do you think about this news? Is Facebook finally trying to focus on user privacy or is it too little, too late? This new privacy control is of course a response to the Cambridge Analytica scandal and the beating that Facebook has taken from privacy experts for months now. My take is that any control is only as good as the users that plan on using it, and unless Facebook makes this an “opt-out” setting where by default your off-Facebook activity is automatically disconnected, I don’t see many users going through their Facebook settings turning these connections off. We will, of course, be updating our free Facebook Privacy and Security Guide when these settings start rolling out. In the meantime, check out our show notes for the link to download the current version of our Facebook Privacy and Security Guide today.

Last week Apple made a huge error with their latest 12.4 iOS update. The problem? Well, it appears that they accidentally unpatched a serious vulnerability that was first patched in iOS 12.3. The vulnerability allows unsigned code to be run on an iOS device and allows the device to be “jailbroken”, which allows unauthorized apps and features to be installed. From a security perspective, this is the first time that I can remember that an Apple update actually made their entire platform vulnerable by unpatching a previous vulnerability. This means that the latest and greatest iOS update, 12.4, leaves almost every iOS device in Apple’s walled garden vulnerable to compromise. So what kind of attacks are we talking about? Well for one, malicious code that might be contained in apps that you download from the Apple App Store could be one risk, and the other is targeted attacks by nation states and others via a malicious text message or by leveraging a bug in another installed application. Of course, the biggest risk for most of us is malicious apps from the Apple App Store potentially being side-loaded with malware that would take advantage of this vulnerability. Devices affected include all Apple iOS devices not running Apple’s latest A12 processor. Unfortunately, the iPhone X is vulnerable, but not the newer iPhones like the XR, XS, or XS Max. As of this podcast recording, the fix for this issue in 12.4.1 has not been released, so for now all we can do is wait and continue to be vigilant with the apps we download and the text messages we receive. In other Apple news, if you have a certain older MacBook Pro from 2015-2017, the FAA has banned these laptops from all flights in the US because of the potential that the battery might explode, the reason for a recall made by Apple. It’s not clear how the FAA plans on enforcing this since most MacBook Pros look very similar, but if you do happen to have an older MacBook Pro you can visit Apple’s support website to find out if your MacBook Pro happens to be on the recall list. Check out our show notes for a link to this support page.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

Another week and yet another data breach. This time movie subscription service MoviePass has exposed tens of thousands of personal credit card numbers due to an unprotected, wide-open database. Security researchers from a Dubai-based cybersecurity firm called SpiderSilk discovered 58,000 credit card records, including MoviePass’s own customer card numbers, which are used just like a debit card. The data also contained personal information such as name, billing address, and more, which could be used to commit credit card fraud. The most surprising aspect was that none of this data was encrypted and that the data appears to have been exposed since May of this year. As in many of these types of breaches, MoviePass didn’t seem to take the issue seriously at first. MoviePass did not respond to emails from the security researcher (even when an email was sent to the CEO) and only took the database offline when TechCrunch contacted the company. A statement about the breach from MoviePass was apparently released, but if you go to the MoviePass website you get a notice that the entire MoviePass service is “not accepting new customers”. If you happen to be a MoviePass customer, I’d be very concerned about the security of my credit card details. And like we always say for any credit card breach, make sure you check your credit card statements on a regular basis and enable any kind of fraud alerting that your credit card company might offer.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Aug 19, 2019 • 9min

Biometric Security Data Breach, Critical Windows Vulnerabilities, FBI Data Harvesting

You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston. In episode 82 for August 19th 2019: The BioStar2 biometric security data breach, wormable vulnerabilities in Microsoft Windows, and the FBI trying to harvest your social media data.

Can you believe that this week we’re celebrating the 10 year anniversary of this podcast? For the last 10 years we’ve been talking about how your private information can be exposed through data breaches, vulnerabilities, exploits, and even through the wireless capabilities of our smartphones and laptops. It seems that in the last 10 years it’s only gotten worse. That’s why I recommend the use of a Silent Pocket faraday bag to protect my smartphone and laptop, so I can have true peace of mind that my devices are protected when I’m not using them. Visit silentpocket.com to check out Silent Pocket’s amazing line of faraday bags and other products built to protect your privacy. Don’t forget, as a listener of this podcast you receive 15% off your order at checkout using discount code “sharedsecurity”.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

On August 5th security researchers from vpnMentor disclosed a massive data breach in a biometrics security platform called BioStar2. vpnMentor has been doing a large web-mapping project across the internet, which identified this unsecured database. BioStar2 is a web based biometric security smart lock platform, built by a company called Suprema, and is used to administer physical access controls to facilities. The core technology of the product uses facial recognition and fingerprints to identify users. Suprema recently partnered with a firm to integrate the software into over 5,700 organizations in 83 countries. Most of these customers also happen to be in Europe. Shockingly, many European governments, banks, and even the UK Metropolitan Police use this system for the security of their facilities. The data that was leaked in the breach, which totaled over 27.8 million records, included personal information of employees, unencrypted usernames and passwords, and, to top it all off, over 1 million fingerprint records and facial recognition data. We’re talking about the actual fingerprints and images of users, which as you know can’t be changed like a password can. This alone is extremely concerning, as this data combined with other personal information from the data leak is perfect for identity theft or other fraud. The good news is that after vpnMentor attempted several times to contact the company about the breach, they finally took the database offline. Check out our show notes for links to further information as well as a listing of the companies and countries affected by this data breach.

Last week Microsoft announced four new critical vulnerabilities for Windows that are wormable, meaning they can be exploited by malware to install and propagate from one computer to another without any user interaction. The last time we had to deal with a wormable vulnerability like this was back in May of this year, when Microsoft patched another serious vulnerability called ‘BlueKeep’ which at the time had a close resemblance to the WannaCry malware. WannaCry caused major issues for companies and individuals across the world back in 2017. The vulnerabilities in all of these cases reside in Remote Desktop Services (abbreviated as ‘RDP’) and more specifically have to do with vulnerabilities in the protocol itself. RDP is the service that allows a user to remotely connect to another Windows computer to view the desktop in real time, and these vulnerabilities can allow malware to do this without authentication, making this vulnerability extremely dangerous. Microsoft stated that there was, quote, “no evidence that these vulnerabilities were known to any third party” and that, quote, “It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these.” Affected systems include all newer Microsoft operating systems starting with Windows 7 all the way to the current version of Windows 10 and related server versions. Like Microsoft said, you should update your version of Windows as soon as possible. To check to see if your version of Windows is updated, head to Settings -> Update & Security -> Windows Update and then look to see if KB4512501 from August 13th is installed. As a reminder, you should always enable automatic updates for your Windows system so you always get the latest security patches as they are released.

And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches.

The Federal Bureau of Investigation is making plans to find technology and third-party vendors that are able to harvest publicly available information in massive amounts from Facebook, Twitter, and other social media platforms. The Wall Street Journal reports that the FBI will be using the data collected to, quote, “proactively identify and reactively monitor threats to the United States and its interests.” In addition, President Trump has directed the US Department of Justice to work with third-party vendors, quote, “to develop tools that can detect mass shooters before they strike.” The request was apparently made just a few weeks before the recent mass shootings took place in El Paso, Texas and in Dayton, Ohio. Vendors have until August 27th to submit their proposals to the FBI. This news comes on the heels of Facebook’s recent $5 billion settlement with the US Federal Trade Commission and is very likely to create a lot of problems for Facebook when one side of the government wants to punish them for privacy violations and mishandling of data, while the other side wants to access all the data they have. Unfortunately, that means that anyone who uses Facebook or other social networks is the one stuck in the middle between government demands and how our private information might be shared.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Aug 12, 2019 • 13min

BSides Las Vegas, iMessage Exploit, 5G and Stingray Surveillance

This is your Shared Security Weekly Blaze for August 12th 2019 with your host, Tom Eston. In this week’s episode: My summary of last week’s BSides Las Vegas security conference, how a single text message to your iPhone could get you hacked, and how Stingray surveillance devices can still be used on new 5G networks. Wireless technology such as Wi-Fi, Bluetooth, and RFID are integrated into every part of our daily lives. In fact, because everything these days is wireless we can often take the security risks for granted. So if you’re looking to have the ultimate peace of mind, you should use a faraday bag to protect your devices. A faraday bag blocks all wireless signals which makes any device that uses wireless technology completely undetectable. And using a faraday bag is so much faster than disabling the wireless on a laptop or smartphone. Just stick it in the bag! And if you want the best faraday bags on the market today, you’ll want to use one from Silent Pocket. Visit slientpocket.com and check out their great line of products and receive 15% off your order using discount code, “sharedsecurity”. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. The annual BSides Las Vegas security conference took place last week which also coincides with the Black Hat and infamous DEF CON hacking conference. This is the week that all of us in the cybersecurity industry lovingly call “security summer camp”. BSides would be considered the smaller conference of the three and in my opinion, provides a much more intimate experience to network with other cybersecurity and privacy professionals. 
As part of this year’s BSides conference, I participated in the “Proving Ground” speaking track where I was a mentor helping a fantastic new speaker work on the talk that he gave at the conference. It was a very rewarding experience that I highly recommend other speakers volunteer for if they have the time to do so. I also attended several talks and met several speakers who had some very interesting research to share. While many of the talks at BSides were about all the latest topics on how anything is hackable, there were two talks in particular that were on topics we don’t hear much about. These talks were “Satellite Vulnerabilities 101” by Elizabeth Wilson and “Human Honey Pots or How I learned to love the NFC implant” by Nick Koch. Satellites provide means for different forms of communication as well as GPS, military, and other critical systems. Elizabeth presented a really nice overview of the many different types of vulnerabilities that are present in satellites, including everything from timing of banking transactions, nation states using anti-satellite weapons, and even the threat of space junk. Here’s Elizabeth’s take on the threat of space junk and how this is a major problem. Elizabeth: The debris is growing and growing and the more you put up there the more potential damage you’re putting up as well. It’s like I said during my talk, the difference between a hundred .01 meter satellites and one single satellite that’s 1 meter is a 30 times increase in risk. And when you consider that, the more you have these small, hard to track things that sometimes don’t even have propulsion systems, yeah, it’s going to create a lot of issues. This is one of the most pressing areas that we need. We really need some way to manage this debris. We need some sort of clean up system in a way.
And there have been some ideas people have had on that, like sending capture satellites up there to capture the debris and things, but we don’t have anything yet that’s currently really viable. What I also found fascinating from her talk was that organizations that support satellites, like NASA, are getting hacked all the time. For example, in 2007 Chinese hackers actually gained access to NASA’s satellite control systems and came very close to issuing commands to these satellites. Thankfully, that did not happen. The other takeaway from this talk was how satellites are a lot like “Internet of Things” devices where security was never built in because the threat model at the time didn’t conceive of the types of attacks that we see today. By the way, the typical satellite has a lifespan of about 50 years! Is it even feasible to think that satellites can be patched and updated? Here’s Elizabeth speaking to me about this problem and what the solutions might be. Elizabeth: That is one of the big challenges right now because a lot of these systems, unless you’re going to completely replace it, you just can’t update it in some cases. And maybe the solution is we need to completely replace them, take them down and put something else up, but that’s extremely expensive, time consuming, and are they going to put the time and money into it? Probably not. They’re probably going to just deal with the vulnerabilities until the lifecycle ends. I feel like the real solution here is going to be making sure to proactively set these systems up to be more resilient and have the availability for, like, updating actively in the future. The other interesting talk I attended was by Nick Koch (here’s his blog) who discussed biohacking and NFC implants. NFC, which stands for Near Field Communication, is a short range wireless technology that is used for transferring or receiving information from an electronic tag or other supported device.
For example, modern phones like your iPhone or Android device all have NFC capabilities. Now many of us wouldn’t think about putting an NFC implant into our bodies, but the fact is, more and more people are starting to do this. Why on earth would someone implant a small wireless device into their body? Well, there are some conveniences like unlocking the door on your house with a wireless implant, or having some other type of information easily available like quickly paying for things such as subway fares. And on the flip side, there are some interesting attacks where an attacker could use an NFC implant to get your device to open up a web browser and send you to a malicious link, or conduct other types of attacks by leveraging an NFC implant. According to Nick, attackers with NFC implants could be a future form of attack vector, especially when combined with social engineering. Nick feels that his generation has become more aware of phishing and that most of his generation is pretty well trained to not click on suspicious links. This means that future attacks that direct people to malicious links could take a wireless form, where now the attacks happen by being physically close to someone with one of these implants. Now I think the risk for this type of attack right now is very low, but as NFC and other wireless technologies evolve, I think Nick is on to something here. It’s quite possible that in the future, malicious NFC or other new wireless implants may be a threat we have to be aware of. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches. Last week at the Black Hat security conference in Las Vegas, Google Project Zero researcher Natalie Silvanovich announced six “interaction-less” vulnerabilities in iMessage, which means that an attacker can exploit them and gain control of an iOS device by simply sending a text message with no interaction from the user. You don’t even have to open up the message. Just receiving the message alone is enough to exploit these vulnerabilities. It’s worth noting that these are the types of vulnerabilities that could be worth tens of millions of dollars because nation states and other threat actors would find exploits like these extremely attractive. The good news here is that the researcher has been working with Apple to patch these vulnerabilities; however, there are several more that do not have a patch yet. Keeping your devices fully patched and updated is one of the best ways to protect yourself from attacks like these. If you happen to be using an Apple iOS device or running macOS, you should immediately update to iOS version 12.4 and macOS 10.14.6.
One thing I noticed with this specific update is that Apple may not notify you automatically that a new update is ready to install. So make sure you go into your settings and manually check for an update to make sure you’re protected. 5G networks are finally starting to be rolled out in several large US cities, but it’s probably going to be a while before we have devices as well as the infrastructure across the world that supports this much faster data network. But while we wait, researchers at the Black Hat security conference last week presented their findings on flaws that they found in the new 5G standard that were meant to stop the use of surveillance devices called stingrays. Now we’ve talked about stingray devices on this show in the past, but as a reminder, these devices are used by nation states and governments to intercept phone calls and text messages and track the movements of a specific device. Stingrays create fake cell towers which trick your mobile phone into thinking it’s a legitimate cell tower. The research that they discussed was quite technical, but to break it down into layman’s terms, they were able to find that there were weaknesses in the way that mobile devices are identified as well as new ways to downgrade the device’s network connection to an older and more vulnerable 4G or 3G network. This particular issue is actually not a flaw in the 5G standard itself but is an issue with how 5G is implemented by the mobile carriers themselves. Oh, and this is not the first time that researchers have found flaws in the 5G standard; there were previous flaws that have since been fixed. The good news is that the researchers have started working with the 5G standards committee to hopefully fix these flaws as well. This will hopefully bring 5G closer to helping stop, or at least make mass surveillance of mobile networks much more difficult to perform. That’s a wrap for this week’s show.
Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post BSides Las Vegas, iMessage Exploit, 5G and Stingray Surveillance appeared first on Shared Security Podcast.
Aug 5, 2019 • 13min

Capital One Data Breach, Equifax Settlement Payouts, Nextdoor App Scams

This is your Shared Security Weekly Blaze for August 5th 2019 with your host, Tom Eston. In this week’s episode: everything you need to know about the Capital One data breach, changes in the payouts from the Equifax settlement, and Nextdoor app scams. If you happen to be in the cybersecurity industry, this week is what we call “security summer camp” where thousands of cybersecurity professionals, enthusiasts, and even black hat hackers all meet in Las Vegas to attend BSides, Black Hat, and the infamous hacker conference, DEF CON. These conferences are probably the most dangerous place on the planet because your laptop or smart phone could easily be compromised since everyone is hacking everyone else, either intentionally or even unintentionally as part of quote unquote “research”. I know that I’ll be using a faraday bag for all my devices while I’m at the conferences this week. That way I know my devices are completely secure and off the grid. If you’re heading to Vegas this week make sure you protect your devices with Silent Pocket’s great product line of faraday bags. In fact, stop by the Silent Pocket booth at DEF CON this weekend and check out their products for yourself while you’re at the conference. Don’t forget you can also visit silentpocket.com and receive 15% off your order using discount code, “sharedsecurity”. Stay safe this week and be sure to mind the grid! Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. The big news last week was the massive Capital One data breach affecting more than 100 million customers in the US and 6 million in Canada. This is actually the third largest data breach in history, with Equifax being number one followed by the Heartland Payment Systems data breach which took place in 2009.
The 30 gigabytes of personal information exposed in this breach included names, addresses, phone numbers, email addresses, dates of birth, and self-reported income as well as 140,000 Social Security numbers and 80,000 bank account numbers. All of this data appears to be from credit card applications dating back to 2005. In the announcement posted by Capital One, the breach was discovered on July 19th and the person responsible, Paige Thompson, a former Amazon employee, was arrested by the FBI. Perhaps the most interesting aspect of the breach is how the perpetrator was caught. Paige had posted details about the data she had stolen on her GitHub page and boasted about it on her Twitter account. Someone saw this information posted in the GitHub account and sent an email to Capital One’s security vulnerability disclosure address alerting them of the issue. So how did this data get compromised in the first place? Well, she was able to download this data from an Amazon S3 bucket through a misconfigured web application firewall (also known as a WAF). Now this isn’t the typical Amazon S3 vulnerability we commonly hear about where data is left wide open for anyone to access, and there is much debate in the security community about how the breach actually occurred. It’s largely suspected that one of the user roles that was assigned to the WAF may have been exposed through a Server Side Request Forgery (or SSRF), which is a vulnerability that affects public cloud environments like Amazon. What’s even more fascinating is how she tried to steal this data without getting caught. The official complaint filed by the FBI states that she attempted to cover her tracks by using a VPN as well as Tor (which is also used to hide your IP address) when she was downloading Capital One data from the Amazon S3 server.
However, that didn’t matter much when she discussed how she could steal data from Amazon S3 buckets on Twitter and in a Slack chat room, as well as storing the data in a public GitHub repository with her real name tied to it. It’s almost like she wanted to get caught! Quite the lesson in how criminals make mistakes and how those mistakes could put someone in prison for a very long time. In this case, the accused could face up to five years in prison and a $250,000 fine. Now we don’t know if this data was accessed by anyone else, and Capital One has stated that they don’t think it has been either. But I think some positives here are that Capital One did have a way for people to report security vulnerabilities and that the incident response from Capital One seemed to have been handled very quickly. It’s also the first data breach I’ve heard of where an arrest was made within days of the breach being detected. The negatives? Well, for starters, be on the lookout for phishing emails capitalizing (no pun intended) on this data breach asking you to verify your personal data or pay for credit monitoring services, which attempt to steal more of your data and your credit card number. Also, be wary of spam from identity theft protection or monitoring services as well. Many of these services are a waste of money and you’re better off freezing your credit on your own and monitoring your credit card statements, bank accounts, and other financials on a monthly basis. Plus, it’s one less company that you have to give your private data to just so they can monitor your credit. We’ve talked about how to freeze your credit and do all of this on your own in episode 16 of this podcast and we’ve linked to a great guide put together by Brian Krebs. Check out our show notes for links to these resources. And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure. But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches. These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically. There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next. That’s where NETSCOUT comes in. Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud. 
With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, Cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.NETSCOUT.com. Speaking of data breaches, last week remember how I talked about how you should go and claim your $125 if you happen to have been a victim of the Equifax breach? Well, the FTC announced this past week that too many people have filed claims and that the actual payout will be significantly less than the stated $125. The FTC said in an updated FAQ posted on the official settlement website quote “The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week. Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.” end quote. The FTC goes on further to say that the free credit monitoring is a better value, which has a market value of hundreds of dollars per year. I think that statement about value is debatable, and what about the people who have already paid for credit monitoring? Why would they get another service on top of the one they already have? What this means is that most of us will get nothing out of this settlement unless you did happen to get your identity stolen and can prove it in your claim. In that case there is still money for real victims of the breach, up to $20,000 per claim. Oh, and don’t bother getting a credit monitoring service by giving Equifax even more of your data. You’re better off freezing your credit on your own.
Nextdoor, the popular app that your neighbors use to discuss everything from lost cats to loud cars going down your street and of course the one neighbor that hasn’t cut their lawn in two weeks, is also being used by criminals for identity theft and other scams. Buzzfeed News reported last week that more and more of these types of scams are happening because people have a higher level of trust since the app only lets your neighbors register. This has led to people blindly trusting recommendations by neighbors for contractors and other services which end up being scams. In fact, a 2018 study by the Better Business Bureau showed that people between the ages of 35 and 54 were more susceptible to home improvement scams. The sad part is that the elderly are also common targets because they often have a nest egg and also have excellent credit, according to the FBI. And just because Nextdoor tries on its own to verify your neighbors when they register (which, by the way, seems like a privacy nightmare waiting to happen), don’t think for a second that criminals won’t pretend to be one of your neighbors in order to post fake recommendations and other scams. Also, Nextdoor shares your full name and address with other neighbors by default, so this gives criminals even more information about you and your address unless you change the default settings. And this problem is not just limited to Nextdoor. The same thing can happen on those private Facebook groups for neighborhoods and cities that everyone is using. Now I’m not saying that you shouldn’t use apps like Nextdoor, but before you hire a contractor for anything you should be doing your own research outside of just a good recommendation from your neighbor. That means check the Better Business Bureau, Angie’s List, and simply Google the contractor to see what type of reviews have been left before you move forward with hiring someone.
A little extra due diligence and research can go a long way to help prevent becoming a victim of these increasingly popular scams. That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Capital One Data Breach, Equifax Settlement Payouts, Nextdoor App Scams appeared first on Shared Security Podcast.
Jul 30, 2019 • 19min

Medical Device Security with Special Guest John Nye

In episode 90 of our monthly show we discuss medical device security with John Nye, Senior Director of Cybersecurity Research and Communication at CynergisTek. Do you use an insulin pump, have a pacemaker, or have another medical device implant? Are you concerned about medical device security and what the future holds for technology like this? If so, this is one show not to miss! The Shared Security Podcast is proudly sponsored by Silent Pocket and Edgewise Networks. Here are show notes and topics we covered with John:
Should we be concerned about medical device security? Are the attacks we hear about in the news theoretical or is there really cause for concern?
Some recent medical device news stories that are concerning: Doctors concerned about medical device security, Insulin pump hacking
How medical devices get hacked and what the real threat is
What hospitals and other health care organizations should do to help better secure medical devices
What the FDA and other government regulators are doing
What the cybersecurity industry can do to better secure medical devices
Thanks again to John for being a guest on our show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel. The post Medical Device Security with Special Guest John Nye appeared first on Shared Security Podcast.
Jul 29, 2019 • 12min

Equifax Settlement, Android Video File Exploit, Encryption Backdoors

This is your Shared Security Weekly Blaze for July 29th 2019 with your host, Tom Eston. In this week’s episode: Details on the Equifax breach settlement, why your Android phone could be exploited by simply watching a video file, and encryption backdoors being requested by governments worldwide. Can you believe that it’s almost August and that summer is almost over? I was just in Target the other day and noticed that the school supplies are already out! Once you see that you know the Halloween supplies are also right around the corner. It’s totally crazy! I don’t know about you, but I want to plan at least a few more short trips with my friends and family, which is my own desperate way to hold on to the last few fleeting moments of summer. So don’t let protecting your digital privacy get in the way of your plans. You should be using a Silent Pocket faraday bag or phone case which will block all wireless signals, keeping your devices secure and completely off the grid so you can be focused on your time away. As a listener of this podcast you get 15% off your order by using discount code, “sharedsecurity” at checkout. See Silent Pocket’s full line of products at silentpocket.com today before summer gets away. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Everyone remember the Equifax breach that affected 147 million people? Do you think you may have been financially or otherwise impacted by this data breach? If so, you may be entitled to up to $20,000 for documented breach related expenses or 10 years of free credit monitoring services. You can also collect $125 if you already have a credit monitoring service (which, by the way, really doesn’t do much for you).
This news broke last Monday when the FTC announced a proposed settlement that will cost Equifax $700 million, which will be the largest settlement related to a data breach in history. Equifax would be required to pay at least $300 million and up to $425 million and provide free credit monitoring for all victims of the data breach. In addition, Equifax will offer free resources for victims recovering from identity theft and six free credit reports for all US consumers starting in 2020. If you think you want to collect on this settlement, you’ll need to file a claim on the official claim site. Check out our show notes for a link to the FTC website which has all the details on where to file a claim. Note that fake sites are bound to pop up, so be sure you only use the site linked from the FTC. If you think you may have a case to file a claim you’ll want to move quickly as you’ll only have 6 months to make your claim once the settlement is approved. So is this settlement too little, too late? Even with the FTC now requiring Equifax to overhaul their security procedures, does a fine like this even matter much? Like I talked about on last week’s show regarding the $5 billion fine about to be issued to Facebook for their handling of the Cambridge Analytica scandal, Facebook was able to make up most of this fine through the jump in their stock price. I think we will see the same with Equifax, but with the caveat that I’m sure security teams internally at Equifax will actually have money now to spend on security personnel and additional security controls including incident response. Are you going to at least make a claim for $125 of this settlement? I’d love to hear your thoughts on this topic for discussion on a future episode of the podcast. So visit our contact us page at sharedsecurity.net/contact and tell us what you think is needed to keep companies like Equifax more accountable for protecting our personal information. Do you happen to use an Android phone?
Not only do you need to worry about malware, fake apps, and phishing attacks, but now there is a new exploit making the rounds that’s delivered through simply playing a video on your Android device. According to The Hacker News, there is a remote code execution vulnerability that affects over 1 billion devices running Android versions 7 through 9. That would be Android Nougat, Oreo, and Pie. The vulnerability itself resides in the Android media framework, which if exploited could allow an attacker full control of an Android device. The attack works by tricking the user into playing a malicious video file within the native Android video player application. That is, the video player that’s installed by default on most Android devices. The good news is that Google already released a patch earlier in July for this specific vulnerability, but the bad news is that with the way Android patching works, this update may or may not be pushed to Android devices depending on your carrier and device manufacturer. This is one of the biggest problems with Android devices: device fragmentation and the way security updates are delivered to Android devices, if at all. Note that if you receive a video through an app like Facebook Messenger or WhatsApp, the video is always compressed and encoded, so this type of exploit won’t work. The best course of action is to never click on video links from untrusted sources and of course update your Android operating system as frequently as possible. And now a word from our sponsor, Edgewise Networks. The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center. But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.” Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch. At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications. Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached. Visit edgewise.net to find out more about how Edgewise can help stop data breaches. These days, it’s rarely a case of “if” you’ll be hacked and more a question of “when.” Once a hacker gets past your defenses, they cover their tracks and systematically infiltrate your network to steal information or shut your business down. And, more often than not, they do it quietly and methodically. There is one single source of truth that can expose the hacker — the packets on the network. They contain the information necessary to understand where a hacker may be, what they’re stealing, and where they’re going next. That’s where NETSCOUT comes in. Their Smart Data approach gives you high resolution, consistent, and continuous monitoring everywhere in the IT infrastructure and in any workload. NETSCOUT gives you Visibility Without Borders. Their solutions detect the most comprehensive array of threats and provide visibility any place a hacker travels, even in the public cloud. With NETSCOUT’s Visibility Without Borders you’ll get the visibility you need to see across any network, data center, Cloud, 5G and more. Rethink the way security is delivered for your digitally transformed business. Get a clearer view at www.NETSCOUT.com.
I read an interesting op-ed this past week (that we have linked in the show notes for you) about comments that current US Attorney General Bill Barr made to attendees at a cybersecurity conference last week regarding encryption. And that was that “warrant-proof encryption is already imposing huge costs on society,” and that he has had enough of “dogmatic pronouncements that lawful access simply cannot be done.” He went on further to say “It can be, and it must be.” Now this isn’t the first time that the US or other worldwide governments have made similar demands to the tech industry to create what would essentially be “backdoors” into apps and systems that use encryption, all in the name of “lawful access” to prevent terrorism and to enhance “public safety”. A great example is when the Australian government last year asked the maker of Signal, which is an end-to-end encrypted messaging app, to build in a backdoor for government use. Now the problem with backdoors is that they cause a weakness in not just the software, but the entire product or solution, giving real attackers an area to find and exploit weaknesses. I like the author’s analogy in which she says “Should a technology service provider bow to such demands and citizens are made aware of the existence of a deliberate backdoor, this is akin to asking them to have a front door installed in their home which is always left slightly ajar.” And it’s not just the encryption itself that governments are trying to backdoor. Just this past May, Apple, Google, Microsoft, and WhatsApp rejected the UK government’s request to add “ghost” users to private chats so that law enforcement could monitor conversations. Not too much different than a backdoor, but still a way to circumvent existing security controls and the trust of the users using the app. And guess what, when users find out that an app has been either backdoored or surveilled by a government entity, users will find some other app to use.
The good news here is that that all the major tech companies like Google, Apple, and Microsoft have not given in to these demands nor should they. I like the authors opinion that requests like these are nothing more than self-fulfilling prophecy when encryption was originally adopted to protect government communications from the enemy within a time of war. Ironic, that its now us who may be the new enemy in the continuing battle for encryption and our privacy. That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Equifax Settlement, Android Video File Exploit, Encryption Backdoors appeared first on Shared Security Podcast.
Jul 22, 2019 • 12min

FaceApp Privacy Panic, Facebook’s 5 Billion Dollar Fine, Amazon Brushing Scams

This is your Shared Security Weekly Blaze for July 22nd 2019 with your host, Tom Eston. In this week’s episode: The FaceApp privacy panic, Facebook’s 5 billion dollar fine from the FTC, and what you need to know about two new types of Amazon scams.

Traveling internationally this summer? If so, make sure you protect one of the most valuable documents that you’re going to carry, and that’s your passport. Not only do you have to worry about losing your passport but you also need to consider the privacy issues if your passport information is exposed. Passport information is often exposed through simple information disclosure where you can be identified by shoulder surfing and having your nationality and other personal information on your passport exposed. Not only that, you need to protect your passport from damage and physical theft. My recommendation is to check out Silent Pocket’s Passport Wallet which provides a stylish way to protect your passport while you travel with the added benefit of RFID blocking. Pick one up today at silentpocket.com and use discount code “sharedsecurity” to receive 15% off of your order during checkout.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

The Federal Trade Commission has approved a 5 billion dollar settlement with Facebook over its investigation into their handling of the Cambridge Analytica privacy scandal which exposed the private information of 87 million users. According to the Wall Street Journal, the settlement also allows the FTC to have more oversight and restrictions on Facebook’s privacy practices. While 5 billion dollars seems like a lot, it’s really just a drop in the bucket for a company like Facebook. In fact, when the news hit last week about the FTC settlement, Facebook’s stock shares went up 1.8%.

So let’s run the numbers: Facebook made $15.1 billion just in Q1 of this year, and $5 billion is only about 9% of their total revenue for 2018 which came in at $55.83 billion. Again, this is not that big of a deal for Facebook when we’re talking about billions and billions in revenue. Now we do have to keep in mind this is the largest fine ever issued by the FTC. The last fine, which wasn’t even close to this magnitude, was the $22.5 million issued to Google in 2012 for their mishandling of privacy issues. A drop in the bucket compared to 5 billion, but have the privacy issues and controversy stopped with Google? No, they haven’t, as we talk about privacy missteps from both Google and Facebook on this podcast almost every week. So are “massive” fines the solution for companies that mishandle our privacy? It certainly doesn’t seem like it. What do you think is needed besides fines? Perhaps jail time for CEOs? One thing is for sure, something else needs to be done besides fines.

Do you read the privacy policies and the terms of service of the apps that you use? If not, the recent drama over an app called FaceApp may make you want to start reading these policies before you start using an app. FaceApp is an app that will make a selfie look younger, older, or turn yourself into the opposite sex, all by using facial recognition and AI technology. The app went viral last week all over social media and has been downloaded over 95 million times across the world. So what’s the controversy? Well first, there were unfounded claims on social media that because the app is created by a Russian company, called Wireless Lab, somehow there are ties to the Russian government in some giant conspiracy to harvest all the pictures on the devices of millions of users. The truth is that FaceApp only uploads the pictures you want to manipulate, and those photos are actually sent to an Amazon AWS server which happens to be based in the US.
But the bigger problem is what is said and, in some cases, not said, in the FaceApp privacy policy and terms of service. First, you give FaceApp all rights to use the photos you upload for anything they want, including using your photos for commercial purposes. Going further, your name, likeness, and other data like your voice can also be used for commercial purposes, forever. Now, this type of policy is not that much different than Facebook or other social apps, but the recent drama of this particular app should be a good reminder for all of us to read these policies to make sure you know what data is collected about you and how it may be used. While I think the controversy over FaceApp is a little overblown, think about all the similar or other “fun” apps like these that you may be using and think twice before allowing your data to be used for something you don’t approve of.

Did you take advantage of Amazon Prime Day deals last week and you happen to live in Florida or Texas? If so, and according to cybersecurity firm MonsterCloud, you could have been targeted with spoofed Amazon ads, and fraudulent email marketing with fake deals and coupons that were actually malware and ransomware links. MonsterCloud CEO Zohar Pinhasi says “Florida in particular is off the charts – 200% higher rate of attack around Prime Day compared with the rest of the country.
That likely may be because criminals are trying to take advantage of an older demographic that may not be as familiar with online shopping and the Internet, let alone cybercrime.” It’s obvious that shopping days like Amazon Prime Day and Black Friday are huge targets for attackers to use and leverage for more success in delivering all types of attacks, including ransomware. What I find interesting about the MonsterCloud report is that it shows very specific states like Florida being targeted because of a large demographic of retired and elderly people. Like I’ve covered on the podcast before, the elderly are common targets of scams like these. One thing we can do is check in on our elderly friends and family members, especially around shopping events like these, to make sure they have some awareness of these types of scams.

Besides malware and ransomware scams you should also be aware of an increasingly popular Amazon scam called “brushing”. A brushing scam is where a third-party seller on Amazon will somehow get the name and address of a consumer. The seller will purchase an item and then send it to that person, claiming it’s a gift. Amazon allows the person who purchases a gift to leave a review for that item, so the seller will leave a fake review after the item ships. This creates fake positive reviews which increase the reputation of the seller and push their products up higher in the Amazon search results. Products that show up to your house can be totally random with no return address or other identifying information except that it’s in an Amazon shipping box. And while getting a ton of free stuff might be awesome, the bigger problem is that it’s obvious that some of your personal information like name, address and phone number has been compromised, either from some shady seller that you bought something from on Amazon, you happen to be targeted, or your data was found in a data breach.

So what do you do if you happen to receive random packages you didn’t order from Amazon? First, contact Amazon immediately. Next, change your Amazon password just in case your account happens to be compromised (you did of course enable two-step verification, right?) and last, it’s always a good idea to research the product and vendor before you buy something on Amazon by doing a search on Google to see if there are reports of scams with that particular vendor. Also, check to see if you’re purchasing from Amazon directly or through a third party.

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post FaceApp Privacy Panic, Facebook’s 5 Billion Dollar Fine, Amazon Brushing Scams appeared first on Shared Security Podcast.
Jul 15, 2019 • 11min

Zoom Zero-Day, GDPR Fines, Google Assistant Recordings

This is your Shared Security Weekly Blaze for July 15th 2019 with your host, Tom Eston. In this week’s episode: Zoom video conferencing zero-day, massive fines being issued for violating GDPR, and who might be listening when you talk to your Google Assistant.

Looking to protect your laptop, smartphone, and key fobs this summer? Well this week I’m excited to announce that you could win one of two Silent Pocket vacation prize packages which includes a passport wallet, medium faraday sleeve, and 5 liter drybag! Check out our post on Twitter @sharedsec or on Instagram @sharedsecurity for contest rules and how to enter. And don’t forget, listeners of this podcast receive 15% off at checkout using discount code “sharedsecurity”. Visit silentpocket.com to see the latest Silent Pocket products built to protect your digital privacy.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Do you or your organization use Zoom for video conferencing? If so, and you happen to be using it on a Mac, you’ll want to pay close attention to this story. The problem? Well, a security researcher last Monday disclosed that a vulnerable web server is automatically installed on Apple Mac computers during the installation of the Zoom client. What this means is that any website could be used to forcibly join a user to a Zoom call, with their video camera activated, and without the user’s permission. On top of that, the researcher also discovered that the vulnerability would allow any webpage to conduct a Denial of Service attack on a victim’s Mac by constantly joining a user to an invalid call. And if that wasn’t enough, when you uninstall the Zoom client, the web server continues to be installed and active.

The researcher disclosed the vulnerability to Zoom back in March, but after many meetings (and fixes that didn’t work) the researcher decided to disclose the vulnerability to the public. The next day Zoom issued a patch to remove the web server and to allow users to uninstall the Zoom client, which will now fully remove the web server. Zoom’s CEO posted a blog post apologizing to customers and noting that they will be improving their bug bounty program, as well as issuing another update that took place over the weekend of July 13th to further lock down the “video on” by default setting. Also, Apple made a surprising move on Wednesday by issuing a silent update to all Macs automatically uninstalling the Zoom web server. Many people don’t realize that Apple has the power to issue patches and updates to Macs connected to the Internet at any time, and while this seems creepy, it’s actually a good thing when Apple can take immediate and swift action to patch a critical vulnerability without user interaction. Check out our social media feeds for the latest updates on this developing story.

The General Data Protection Regulation, also known as GDPR, is now starting to penalize organizations which are found to have violated these now enforced consumer privacy protections in the European Union. Last week the Information Commissioner’s Office in the UK issued British Airways a staggering fine of 183.4 million pounds (which is about $230 million dollars) because of the data breach affecting 500,000 customers last year. This $230 million dollar fine is roughly 1.5% of British Airways’ revenue and is the largest fine issued to date for violating GDPR regulations. And that’s not all, the global hotel giant Marriott was also issued a fine of $125 million for their data breach which impacted 339 million customers across the world.
Of course both companies can contest the fines to make their case, but this is the first time we’ve seen a large financial impact due to a GDPR violation. But does issuing fines for violating regulations actually help prevent data breaches? If we use PCI DSS compliance fines as an example, not much will probably change. PCI DSS (which stands for the Payment Card Industry Data Security Standard) is what US merchants who process and store credit card data need to comply with. Fines from the card brands can vary between $5,000 – $100,000 per month depending on lots of things like the size of your business and the type of non-compliance you happen to be violating. And in some extreme cases, violations can prevent a company from taking credit card payments. Now PCI has been around for a long time, and have we seen the amount of data breaches related to credit cards go down? Not really. In fact, as I talk about on this podcast all the time, data breaches seem to be increasing. So is that the game that’s being played? The more data breaches that happen, the more money the regulators make? Look, I’m sure fines are a pretty severe penalty for most businesses, but when it comes to giant companies like Marriott and British Airways, will this just be another accounting write-off, or will GDPR really set the stage to force more organizations to take data privacy seriously?
If you think Amazon is the only company that is taking heat about privacy issues with their popular voice assistants, think again, as Google is also in the hot seat after they admitted last week that Google contractors can access voice recordings from Google Assistant. This all started with a Belgian journalist who obtained audio files which contained voice recordings of about 1,000 users. The recordings were found to have had personal data like names and addresses disclosed, as well as conversations that would be deemed extremely private. Google hires contractors to assist with making translations as well as making the technology better by having humans review thousands of voice recordings. The Google Assistant works just like Amazon’s and Apple’s voice assistants by saying a wake word or key phrase like “OK, Google”. But like all of these voice assistants, they will sometimes record unintentionally if you happen to say a word similar to a key phrase, or when recordings for some reason continue after you’re finished asking a question. Google issued a statement noting that the contractor who disclosed these recordings violated their data security policies and that they do hire language experts to do transcriptions on about 0.2 percent of all recordings, which are not associated with user accounts.

So what do you think? If your personal information was disclosed in a Google Assistant or Amazon Alexa recording, would you be concerned? Or are you OK with giving up a little bit of your privacy for the convenience of using a voice assistant?

That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts and if you like this episode please share it with friends and colleagues.
Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Zoom Zero-Day, GDPR Fines, Google Assistant Recordings appeared first on Shared Security Podcast.
