

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast, where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes
Mentioned books

Jul 8, 2019 • 11min
Amazon Alexa Recordings, Facebook Malware Campaign, Top 3 Tips to Stay Private on Vacation
This is your Shared Security Weekly Blaze for July 8th 2019 with your host, Tom Eston. In this week’s episode: Amazon confirms that Alexa recordings are kept forever, details about one of the largest Facebook malware campaigns, and my top three tips for staying private on vacation.
Summer is upon us and that means it’s time for some much needed vacation time with friends and family. Summer also means that you need to be aware of data privacy and how to protect your laptops, smartphones and key fobs while traveling. Airports, concert venues, festivals, beaches, and other public areas can often be targeted by attackers looking to gain access to your devices through their wireless signals. Instead of worrying about disabling or turning off wireless functions on these devices it’s so much easier to place them in a Faraday bag when they’re not being used. And if you want the best protection you can get; you want to be using Silent Pocket’s premium faraday bag product line that blocks all wireless signals keeping your devices secure from attackers. This summer, get your devices the protection they require before you head out on your vacation. Use discount code “sharedsecurity” and receive 15% off your order during checkout right now at silentpocket.com.
In this week’s surprising but not so surprising news, Amazon has confirmed that Alexa voice recordings are kept by Amazon forever unless you manually delete each one. This revelation came in a letter from Amazon to US Senator Chris Coons, who had asked Amazon about its data handling and privacy practices around Alexa recordings. Amazon stated that it keeps transcripts and voice recordings indefinitely and only removes them if they are manually deleted by users. The letter went on to say that even if people manually delete their recordings, some records and transcripts of those conversations may still remain on Amazon’s storage systems. Amazon says it is conducting an ongoing effort to ensure deleted recordings are removed from its various internal systems.
Amazon and other tech companies have been under increasing pressure to take the privacy of user data more seriously due to the EU’s enforcement of GDPR and the fact that all of this new technology seems to always increase the demand for more and more of our private data. So will this latest revelation make you think twice before talking to Alexa? I think manually deleting each individual recording is a very poor solution and hopefully they take the approach of changing the retention policy on this data or allowing users to delete everything with one single action. But until that day comes (if it ever does) Amazon is going to hold our data indefinitely.
Malware distribution has always been a problem on Facebook, going all the way back to the beginnings of the social network. In this most recent example, a malware campaign called “Operation Tripoli” was found that targeted tens of thousands of users in Libya but also impacted users in North America. The most interesting aspect of this campaign was that it was built around a Facebook page impersonating Khalifa Haftar, the commander of the Libyan National Army. This Facebook page had over 11,000 followers and posted links to various kinds of propaganda; clicking those links led to the download of remote access trojans and other spyware. According to the Check Point Software researchers who discovered the campaign, it is the largest of its kind they have seen. The campaign may have started as far back as 2014, and the individual behind this page was found to be operating 30 other Facebook pages using the same techniques, one of which had close to 140,000 followers. While this particular malware campaign was specifically targeting Libyan citizens, you can bet that other pages targeting you and your country most certainly exist.
This is a great reminder for us all that impersonating other people on Facebook is almost too easy and we should be constantly aware of Facebook pages that may look legitimate but are really set up to impersonate a person or organization. Back in 2009 I jokingly talked about how easy it was to impersonate celebrities like Rick Astley on Facebook and Twitter by exploiting people’s trust and getting them to click on malicious links. This was demonstrated in some of the talks I gave at hacker conferences and was the start of my research on the privacy and security of social networks, and ironically the start of this podcast. By the way, at the end of August we’re celebrating the 10 year anniversary of this show! As part of that celebration we’ve recently released an updated version of our popular Facebook Privacy & Security Guide which walks you through the most appropriate privacy settings so that you can still be social. You can get your copy for free by visiting sharedsecurity.net or check out our show notes for a link you can click (don’t worry, this one is non-malicious) so you can download our updated guide.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Many of you listening to this episode are either on vacation right now or planning to be. You’ve probably seen and heard major news organizations like the NBC Nightly News talking about hackers trying to target you and your data while you travel. We’ve talked a lot about protecting yourself from those threats on this podcast, but what we don’t hear a lot about is what we should all be doing to protect our privacy from…each other. What I mean is that a lot of times in public spaces there are people always around us, and 99.9% of them have no malicious intent to target us specifically, yet, we sometimes unintentionally become victims because of the things we say or do in a public space. Having said that, I thought it would be good to share with you my top three tips for protecting your privacy while you’re on vacation this summer.
First, be aware of what you talk about over the phone or with others while in public spaces. I can’t tell you how many times I’ve overheard private conversations while waiting for a flight at the airport. In some of these conversations I was able to hear people’s full Social Security and credit card numbers. So you should probably not order something over the phone, or discuss personal details about your medical history with your doctor, while lots of people are around you. Go somewhere private to have conversations like these. Along the same lines, be cautious pulling out your wallet or purse where you may unintentionally show credit cards, cash and other personal items. Other people can learn a great deal about you by observation, and you could potentially become a target for a thief or pickpocket.
My second tip is to use your laptop or smartphone in an area without a lot of people around, or use a privacy screen, especially if you are working on something private or sensitive. People traveling on business are the worst offenders, especially on airplanes. And depending on what Netflix show or movie you might be watching, think about whether you want the entire airplane to be watching that show or movie with you. Check out our show notes for links to a few recommended mobile and laptop privacy screens.
My last tip is that if you’re renting a car, don’t plug your smartphone into the USB port of the car! Most cars will automatically sync the contacts, text messages, and other data on your device, and if you forget to delete that data from the car’s infotainment system before you return it, the rental car company and potentially the next renter will have access to private information you probably don’t want strangers to see. If all you need is a charge, use your own adapter in the 12-volt outlet or a charge-only USB cable (a “data blocker”) instead of the car’s USB port.
As always, being aware of your surroundings and using common sense will help you stay more private in your travels this summer!
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Amazon Alexa Recordings, Facebook Malware Campaign, Top 3 Tips to Stay Private on Vacation appeared first on Shared Security Podcast.

Jul 1, 2019 • 11min
US Cyber-Attack on Iran, Poor Government Cybersecurity, Malvertising Campaigns
This is your Shared Security Weekly Blaze for July 1st 2019 with your host, Tom Eston. In this week’s episode: The US cyber-attack on Iran, the sad state of cybersecurity in the US government, and what you need to know about malvertising campaigns.
Don’t you hate air travel? I know I do! Rude people, crowds, the TSA searching you and your bags because of a toothbrush that for some reason looks like a weapon, and on top of that your flight has a very high chance of being delayed or cancelled! This is the unfortunate reality the minute you get to the airport. While you’re dealing with the stress related to all that, the last thing you need to worry about is your digital privacy while you’re at the airport. That’s why I recommend Silent Pocket’s product line of Faraday bags and wallets which block all wireless signals keeping your devices secure and completely off the grid. As a listener of this podcast you get 15% off your order by using discount code, “sharedsecurity” at checkout. Visit SilentPocket.com to check out their great line of products to make your air travel experience a little less stressful.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Last week the United States launched a cyberattack directed at Iran which disabled Iranian computer systems that controlled its rocket and missile launchers. This was a response to an escalation by Iran, which shot down an unarmed US drone that was apparently conducting surveillance in international airspace; Iran denies that and states the drone was violating its airspace. The attack was carried out by US Cyber Command acting on orders from US President Donald Trump. This was actually the second option for striking back at Iran; the first was a missile strike against Iranian radar bases, which would have resulted in human casualties. According to cybersecurity firms FireEye and CrowdStrike, there has been a recent rise in Iranian attacks on US companies and government agencies as well as critical infrastructure such as the power grid, which also prompted the US government response. This is not the first cyberattack on Iran either. You may remember that in the late 2000s the US and Israel are believed to have targeted the Iranian nuclear program with the Stuxnet worm, which destroyed a significant number of the centrifuges at Iran’s Natanz uranium enrichment facility.
I find this retaliation interesting as it seems that in more cases traditional warfare, like missile strikes, may start to be a thing of the past when cyberattacks may actually do more damage to critical infrastructure and send a more impactful message than just destroying buildings and killing a bunch of people. Of course, cyberattacks could potentially be used to kill people too, especially ones targeted at hospitals or nuclear facilities which could malfunction due to a cyberattack. On the flip side, you may remember back in May Israel bombed a Palestinian Hamas military intelligence headquarters in retaliation for an attempted cyber-attack directed towards Israeli targets. This was the first time a nation state conducted a military strike in response to a cyber-attack. I guess it could go both ways, and with the increase in cyber-attacks and capabilities that all nation states now have, it will be interesting to see how the future “cyber-war” may begin to play out.
In other US government news, a new report published by the US Senate last week showed that eight government agencies have failed to follow basic cybersecurity practices and have left US citizens’ private data exposed for over a decade. The investigation itself took about ten months and reviewed the past ten years of compliance reports on the federal information security standards these agencies were supposed to follow. One of the eight agencies even included, guess who, the Department of Homeland Security.
The biggest issue found was at the Department of Education, where it was discovered that unauthorized devices could connect to the network and keep that connection for up to 90 seconds, which is enough time to launch attacks against servers and systems. In addition, five of the eight agencies had not maintained current and complete IT asset inventories. This is a huge problem because if an agency doesn’t know what systems it has on its network, it can’t patch, update or protect them. Because of problems like poor asset inventory, six of the eight agencies failed to apply security patches and other critical updates in a timely way.
So why is basic network security and asset management so difficult for the government? For starters, there is a lot of politics and bureaucracy in these agencies. The people in charge, such as the CIOs, often don’t have the authority to make decisions, and many of the systems and applications in use are so outdated that they are no longer supported by their vendors. This means that even if an agency wanted to secure them, there are no patches, updates, or vendor guidance to do so. This of course is just the tip of the iceberg, so if you want all the gory details, check out our show notes to read the full, stimulating 99-page government report.
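The two findings above, no complete asset inventory and systems past vendor support, are the same problem seen from two sides: you cannot patch what you do not know you have, and you cannot patch what the vendor no longer patches. The script below is an added example (not code from the podcast or from the Senate report) of the reconciliation check an operations team would run: it compares what a network scan actually found against what the inventory claims, and flags hosts nobody owns, hosts that have gone quiet, operating-system drift, and anything past its end-of-support date. The inventory rows, scan rows and addresses are constructed for illustration; the end-of-support dates are the vendors’ published lifecycle dates as I recall them and are treated as assumptions here, so verify them against the vendor’s lifecycle page before relying on them.

```python
"""Reconcile a network scan against an IT asset inventory.

Added example for this page; not code from the podcast or the Senate report.
INVENTORY, SCAN and the addresses are constructed. END_OF_SUPPORT dates are
assumptions (quoted from memory of vendor lifecycle pages): verify before use.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    os: str
    owner: str


# Constructed inventory: what the organisation believes is on its network.
INVENTORY = [
    Asset("10.0.1.10", "web-01", "Windows Server 2012 R2", "web-team"),
    Asset("10.0.1.11", "db-01", "Windows Server 2019", "db-team"),
    Asset("10.0.1.12", "app-01", "Ubuntu 18.04", "app-team"),
]

# Constructed scan output: what actually answered, with the OS the scanner fingerprinted.
SCAN = [
    {"ip": "10.0.1.10", "os": "Windows Server 2012 R2"},
    {"ip": "10.0.1.11", "os": "Windows Server 2016"},   # inventory says 2019
    {"ip": "10.0.1.13", "os": "Windows Server 2003"},   # nobody owns this host
]

# Assumed end-of-support dates (see module docstring).
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Ubuntu 18.04": date(2023, 5, 31),
}


def reconcile(inventory, scan, end_of_support, today):
    """Compare inventory with scan results; return the gaps that block patching."""
    report = {
        "unknown": [],      # answered the scan but is not in the inventory
        "missing": [],      # in the inventory but did not answer the scan
        "drift": [],        # inventory OS differs from the fingerprinted OS
        "unsupported": [],  # vendor support has ended: no patches exist
        "unknown_os": [],   # no lifecycle data, so patchability is unknown
    }

    def check_support(ip, os_name):
        end = end_of_support.get(os_name)
        if end is None:
            report["unknown_os"].append((ip, os_name))
        elif end < today:
            report["unsupported"].append((ip, os_name, end.isoformat()))

    by_ip = {asset.ip: asset for asset in inventory}
    scanned = set()
    for row in scan:
        scanned.add(row["ip"])
        asset = by_ip.get(row["ip"])
        if asset is None:
            report["unknown"].append(row["ip"])
        elif asset.os != row["os"]:
            report["drift"].append((row["ip"], asset.os, row["os"]))
        # Judge support by what is actually running, not by what the inventory claims.
        check_support(row["ip"], row["os"])

    for asset in inventory:
        if asset.ip not in scanned:
            report["missing"].append(asset.ip)
            # The host did not answer, so the inventory record is the only evidence.
            check_support(asset.ip, asset.os)
    return report


if __name__ == "__main__":
    for key, items in reconcile(INVENTORY, SCAN, END_OF_SUPPORT, date(2019, 7, 1)).items():
        print(f"{key}: {items}")
```

Run against the constructed data with the episode date, the report shows one host nobody owns (and it is running an operating system whose support ended in 2015), one inventoried host that did not answer, and one whose recorded OS does not match what is actually running. Re-run the same data with a later date and the inventoried Windows Server 2012 R2 and Ubuntu 18.04 hosts drop into the unsupported list too, which is exactly the situation the Senate report describes: the inventory did not change, the world did.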
There has been a recent rise in a well-known technique called malvertising, in which attackers abuse legitimate domains and ad services to serve up drive-by downloads of ransomware and other malicious files. The way it works is that malicious code is embedded in advertisements that get shown to website visitors. In some campaigns the visitor has to click the ad; in others simply loading a page that displays the ad is enough, because the ad’s script runs in the visitor’s browser and redirects it to an exploit kit or a compromised site, which then downloads and runs malware on the victim’s system. The big issue here is that most website owners have no idea that the ad networks they use have been abused, and they unwittingly become malware distributors. In the past there have been several large, successful malvertising campaigns that went through legitimate sites such as the New York Times, the BBC, and MSN.
Just recently, researchers found that the GreenFlash Sundown exploit kit, which had previously been seen mostly in Asia, appears to be spreading across the world. This exploit kit was delivered via an ad displayed on onlinevideoconverter[.]com, a site used by 200 million users a month to convert YouTube videos to different audio formats. The ad ran some JavaScript and then loaded an Adobe Flash object. Once the exploit kit went through a series of checks on the victim’s system, it installed a form of ransomware called “Seon”. Seon works like most ransomware: it encrypts your files and then demands a ransom in bitcoin to get your data back. What makes this particular attack a little more devious is that on top of the ransomware it also installed a cryptocurrency miner and the credential-stealing trojan known as “Pony”.
So how do you protect yourself from malvertising? First, keep your web browser and any plugins up to date and enable “click-to-play” in your browser settings, which only allows plugins like Flash to run when you explicitly allow them (better still, uninstall Flash if you don’t need it; Adobe ended support for it at the end of 2020 and current browsers no longer run it at all). Next, use a decent ad blocker like uBlock Origin in your browser to help prevent ads from showing up in the first place. Lastly, the other common advice still applies: keep your systems fully patched and updated, use the built-in Windows Defender anti-virus if you’re on Windows, and always be security aware and vigilant while you use the web.
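The advice above is for the visitor. The site owner who “unwittingly becomes a malware distributor” has a check of their own: audit the creative the ad network hands back before it reaches a page. The script below is an added example (not code from the podcast, from Check Point, from Malwarebytes or from any ad network) that parses an ad creative and flags the ingredients of the chain described above: script loaded from a host outside the contracted ad network, obfuscated inline JavaScript, and a plugin object such as Flash. The sample creative is constructed, and the allow-list of ad hosts and the heuristics are assumptions for illustration; a real ad network’s policy would be richer.

```python
"""Audit a third-party ad creative for the building blocks of a malvertising chain.

Added example for this page; not code from the podcast or any vendor it names.
SAMPLE_CREATIVE is constructed; ALLOWED_AD_HOSTS and the heuristics are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: hosts the site operator has actually contracted with.
ALLOWED_AD_HOSTS = {"ads.example-network.test", "cdn.example-network.test"}

# Anything that would invoke a browser plugin such as Flash.
PLUGIN_MIME_TYPES = {"application/x-shockwave-flash"}
PLUGIN_EXTENSIONS = (".swf",)

# Inline-script fragments typical of packed or obfuscated loaders.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "\\x")

# Constructed sample creative: one legitimate tag, one off-network loader,
# an obfuscated inline script and a Flash object.
SAMPLE_CREATIVE = r"""
<div class="ad-slot">
  <script src="https://cdn.example-network.test/tag.js"></script>
  <script src="https://static.free-video-tools.test/loader.js"></script>
  <script>var p=['\x65\x76\x61\x6c'];window[p[0]](atob("YWxlcnQoMSk="));</script>
  <object type="application/x-shockwave-flash"
          data="https://static.free-video-tools.test/ad.swf"></object>
  <img src="https://cdn.example-network.test/banner.png" alt="">
</div>
"""


class AdCreativeAuditor(HTMLParser):
    """Collect (kind, detail) findings while parsing the creative."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []
        self._in_inline_script = False

    def _off_network(self, url):
        # Relative or empty URLs resolve against the publisher's page, which a
        # creative should never need; treat them as off-network too.
        return (urlparse(url).hostname or "") not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            if "src" not in a:
                self._in_inline_script = True   # body arrives via handle_data
            elif self._off_network(a["src"]):
                self.findings.append(("offnetwork-script", a["src"]))
        elif tag in ("object", "embed"):
            url = a.get("data") or a.get("src") or ""
            if a.get("type", "").lower() in PLUGIN_MIME_TYPES or url.lower().endswith(PLUGIN_EXTENSIONS):
                self.findings.append(("plugin-content", url))
        elif tag == "iframe" and self._off_network(a.get("src", "")):
            self.findings.append(("offnetwork-frame", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            hits = [m for m in OBFUSCATION_MARKERS if m in data]
            if hits:
                self.findings.append(("obfuscated-inline-script", ",".join(hits)))


def audit_creative(html, allowed_hosts=ALLOWED_AD_HOSTS):
    """Return the list of findings for one creative (empty means nothing flagged)."""
    auditor = AdCreativeAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def is_safe_to_serve(html, allowed_hosts=ALLOWED_AD_HOSTS):
    return not audit_creative(html, allowed_hosts)


if __name__ == "__main__":
    for kind, detail in audit_creative(SAMPLE_CREATIVE):
        print(f"{kind}: {detail}")
```

On the constructed creative this reports the off-network loader, the obfuscated inline script and the Flash object, while a creative that only pulls resources from the contracted hosts passes. Treat it as a gate, not a guarantee: malvertisers routinely serve a clean creative to scanners and the malicious one to real visitors, so the audit should run on what is actually delivered at serve time, and the ad slot should still be isolated in a sandboxed iframe, which disables plugin content in the frame regardless of what the creative asks for.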
The post US Cyber-Attack on Iran, Poor Government Cybersecurity, Malvertising Campaigns appeared first on Shared Security Podcast.

Jun 27, 2019 • 35min
The Home Security Episode – Locks, Doors, Cameras, and More!
In episode 89 of our monthly show Scott and Tom discuss everything you need to know about home security with physical security expert, Patrick McNeil. We delve deep into the world of locks, lock bumping, doors, windows, surveillance cameras, alarms, and much more. If you’ve always wanted to know how best to protect your home or residence this is one episode not to miss! Check out the YouTube edition of this episode for Patrick’s presentation on lock bumping and the contest we had during the live stream of this episode.
The Shared Security Podcast is proudly sponsored by Silent Pocket and Edgewise Networks.
Subscribe to our getVokl channel and get notified when we’ll be live so you can chat and participate in our next show! Here are the home security topics we covered:
What you need to know about locks, the quality of the lock you buy at “big box” hardware stores vs. what you get from a locksmith
What is lock bumping and how is it performed?
Windows and doors: how easy is it for a criminal to break in?
What is the proper installation of a dead latch?
Why you should hire a professional locksmith vs. trying to increase the security of your locks on your own
Crime prevention through environmental design (CPTED)
What should you look for in a surveillance camera and where should they be placed?
Why dogs (even small ones) are a great deterrent
Are alarms worth it and what about placing “fake” alarm company signs?
Vulnerabilities in certain popular alarm systems
What is the number one thing that’s most overlooked with home and neighborhood security?
The two talks that Patrick gave on “The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike” at CackalackyCon and Layer8.
Thanks again to Patrick for being a guest on our show! Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app or watch and subscribe on our YouTube channel.
The post The Home Security Episode – Locks, Doors, Cameras, and More! appeared first on Shared Security Podcast.

Jun 24, 2019 • 10min
Facebook’s New Cryptocurrency, Firefox Zero Day, Smart TV Malware
This is your Shared Security Weekly Blaze for June 24th 2019 with your host, Tom Eston. In this week’s episode: Facebook announces a new cryptocurrency called Libra, two new zero-day vulnerabilities affecting Firefox, and should you be scanning your smart TV for malware?
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Facebook was in the news this past week with the announcement of its own cryptocurrency called “Libra”. This new cryptocurrency is planned to be available starting in the first half of 2020 and is being promoted as a way to buy things and send money with nearly zero fees. Users of Libra will be able to buy or cash out the cryptocurrency at exchange points, like your grocery store, and spend it using a wallet application such as Facebook’s new Calibra wallet, which will be available in WhatsApp, Messenger and as a standalone app. What’s also interesting is that Facebook won’t totally control Libra but will share governance and oversight with other large companies like Visa and Uber. These companies all gave at least $10 million to finance the new Libra Association, which is responsible for promoting the Libra blockchain and working with developers who want to build functionality to support Libra payments. This association will also hold a financial reserve to prevent the kind of wild fluctuation we see in the value of bitcoin. Calibra, which runs the wallet application, will also be in charge of user privacy, and is said to never use or access your Facebook data for Libra payments, and your Facebook identity will not be tied to your payments or transactions. As you know, privacy is not the first thing that comes to mind when we think of Facebook, and Facebook makes its money by selling ads, so this seems (from what we know so far) to be quite a departure for Facebook. So how will Facebook make money off this new cryptocurrency? From what we know so far, Facebook is treating it as an investment: the bet is that businesses will want to buy more Facebook ads because more people will be using Calibra to buy and sell things on Facebook.
I’m wondering if people will really start to use Libra to pay for things, becoming something like a new “PayPal”. As we’ve discussed on the show before, there are lots of security issues around cryptocurrency and the blockchain. Crypto exchanges are always being hacked, and the applications being developed, such as the ones that power smart contracts and other apps that use the blockchain, have very unique vulnerabilities which are challenging to remediate. So with the money and influence of Facebook, do you think this is what will make cryptocurrency a mainstream and popular form of payment? If, of course, it makes it past the world’s financial regulators. Or is it just another way for Facebook to eventually make more money by selling even more ads?
Using Firefox as your preferred web browser? Mozilla released two critical updates last week to fix “zero-day” security vulnerabilities that were being used in targeted attacks against (guess what) cryptocurrency exchanges, specifically Coinbase. The first bug (CVE-2019-11707) is a remote code execution vulnerability in Firefox’s JavaScript engine; Coinbase’s security team reported it to Mozilla after seeing it used in a spear-phishing campaign against Coinbase employees, where the phishing email led to a web page that exploited the browser and dropped malicious payloads onto victims’ machines. The second bug (CVE-2019-11708) is a sandbox escape, and chaining the two lets an attacker run code outside the browser’s protective sandbox. Firefox 67.0.3 fixed the first bug and 67.0.4 fixed the second, so even if you don’t happen to use Coinbase, attackers may use these vulnerabilities against other sites and you should update Firefox to version 67.0.4 as soon as possible. To check for an update, go to the Firefox menu, then Help, then About Firefox; Firefox will check for an update and install it.
If you happen to own a newer Samsung QLED smart TV, did you know that you should be scanning your TV for malware? Well, last week Twitter blew up when Samsung tweeted: “Scanning your computer for malware viruses is important to keep it running smoothly. This is also true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how”. Now if many of you are asking yourself “how do I actually scan my TV?”, Samsung has a security solution built into its QLED TVs which will attempt to detect and block malicious applications and files attempting to access the device. The TV also includes a scanning tool which will find whatever Samsung calls malware that might already be installed on the TV. Why scans are not set to run automatically, similar to how anti-virus works on a PC, is beyond me. But if you’re bored and want to see if your TV might be infected, you do have a manual way of doing this.
So what’s the risk of your TV being infected with malware? Right now, I’d say that the risk is pretty low. However, back in 2017, in WikiLeaks’ “Vault 7” release of CIA documents, an implant called “Weeping Angel” (developed by the CIA together with the UK’s MI5) was described that could infect Samsung F8000-series smart TVs. As you’d expect, this implant was capable of recording audio through the TV’s microphone, even while the TV appeared to be switched off, collecting browser history, and much more. The odds that a nation state will target your TV really depend on your personal threat model, and for most of us it’s not something we have to worry about. But the fact that we now have to scan smart devices like our TVs for malware seems to be a reality of the “insecure” Internet of Things world in which we live.
The post Facebook’s New Cryptocurrency, Firefox Zero Day, Smart TV Malware appeared first on Shared Security Podcast.

Jun 17, 2019 • 9min
US Customs and Border Protection Data Breach, Sign in with Apple, Leaked Facebook Emails
This is your Shared Security Weekly Blaze for June 17th 2019 with your host, Tom Eston. In this week’s episode: the US Customs and Border Protection data breach, the new sign in with Apple button, and more leaked Facebook emails.
Apple made a few big privacy announcements at its Worldwide Developers Conference the other week including: updates to how Apple’s HomeKit securely transmits and stores video from home security systems, new permission settings in iOS 13 to further limit location sharing, heath data that is used by Apple Watch is now being encrypted and stored on your watch or within iCloud, and that you can now lock your Mac remotely through Apple’s activation lock feature if your Mac happens to be lost or stolen. But the biggest privacy announcement was “Sign in with Apple” which is a new feature that looks to roll out later in the year with iOS 13. Sign in with Apple is a button that is very similar to Facebook or Google’s “one-click” sign-on buttons you might see on many apps and websites. These buttons leverage your Facebook or Google accounts to sign you in without creating a separate login ID. The problem with this is that sometimes your personal information, which Facebook and Google collect about you, gets shared with these sites and can be used to track you. Apple’s one-click sign-on solution authenticates using Face ID without sending any personal information to a third-party company. On top of that Apple’s solution will auto-generate a random “relay” email address that will hide your real email address. I like this a lot as email addresses are commonly used as a user name and is one of the ways you happen to be linked back to a data breach. In addition, Apple says you’ll be able to disable these randomly generated email addresses if you don’t want to use an app anymore.
Now the biggest challenge for Apple will be whether developers will start using this new feature when developing their applications. Many have already been using Facebook and Google for one-click sign-on buttons, so Apple may have to find ways to convince developers that there is a more secure and private approach to help protect their users’ personal information.
Remember just recently on episode 88 of our monthly show I talked about how US Customs and Border Protection (or CBP) was now using facial recognition at several US airports in order to board flights? Well, it seems that a CBP database, storing images of travelers and license plates, was hacked and compromised. Apparently it was a subcontractor who had the data that had gotten compromised. It’s not known who the subcontractor is nor did CBP provide any other details except that the agency became aware that on May 31st the subcontractor had transferred the photos to its network. CBP also stated that this was a violation of their policies and that several members of Congress have been alerted and that law enforcement is investigating the incident. However, the Washington Post now reports that fewer than 100,000 people were impacted and that initial reports show that the hacked data included photographs of people in vehicles entering and exiting the US over a “single land border crossing” which the CBP did not name. Hmmm, I wonder if that’s Canada or Mexico. What do you think?
This breach comes at a controversial time for the CBP as there have been many privacy concerns regarding the use of facial recognition at US airports and now the collection of social media names from foreigners visiting from other countries or applying for a visa. Now that we know that the data they have been collecting wasn’t properly protected, subcontractor or not, do you think this will halt CBP’s expansion of its collection and use of more of our private data? As past government responses to previous privacy concerns and data breaches show, probably not.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
Facebook is, yet again, in hot water about more leaked emails that show Mark Zuckerberg wasn’t taking the 2012 settlement with the FTC very seriously and that he knew about controversial privacy practices when he should have been focused on user privacy. An anonymous source apparently provided these emails to the Wall Street Journal last week. The emails show that shortly after the FTC’s 2012 consent decree, Zuckerberg had asked employees about building an app tied to a database of Facebook user information and having that data shared with other developers, regardless of the privacy settings of those users. The email chain showed that this was a complex thing to do but was definitely in the realm of possibility. The app appears not to have been developed, but these emails are pretty significant if the FTC is looking for more ammunition in its recent case against Facebook. Facebook is currently looking to settle the FTC’s latest investigation, where it’s been reported that Facebook may have to pay around $5 billion as part of this most recent settlement.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net, for previous episodes, links to our social media feeds, our YouTube channel, and to sign up for our email newsletter. First time listener to the podcast? Please subscribe wherever you like to listen to podcasts, and if you like this episode please share it with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post US Customs and Border Protection Data Breach, Sign in with Apple, Leaked Facebook Emails appeared first on Shared Security Podcast.

Jun 10, 2019 • 9min
Quest Diagnostics Data Breach, Google’s Network Outage, US Visa Applicants and Social Media Names
This is your Shared Security Weekly Blaze for June 10th 2019 with your host, Tom Eston. In this week’s episode: the Quest Diagnostics and LabCorp Data Breach, what happens to your smart devices when the Internet goes down, and US visa applicants now required to share their social media names.
Everyone ready for news about yet another massive data breach? Well, last Monday Quest Diagnostics (which is the world’s largest blood testing company) disclosed that a data breach affecting 11.9 million customers was due to a website breach of a third-party collections vendor called American Medical Collection Agency (or AMCA). This breach in particular was a little different because Quest uses a contractor (Optum360) which in turn uses another contractor, AMCA, for medical billing and collections. According to the SEC filing, the AMCA payment system was compromised on August 1st 2018 and was vulnerable until March 30th of this year. Information compromised included names, birth dates, addresses, phone numbers, dates of service, medical providers, and balance information. To make matters worse, LabCorp (who also used AMCA) disclosed later in the week that 7.7 million of their patients were also affected by this breach. LabCorp also indicated that about 200,000 people had their credit card and bank account information compromised as well. The only good news out of all this is that medical data and laboratory test results were not compromised.
What this latest breach shows us is that companies like Quest Diagnostics routinely outsource functions like billing and collections to third-party companies. In this case it was a contractor of a contractor, but in many similar breaches we never know how far or how deep the rabbit hole may go with all these third-party relationships. Third-party security is very challenging for organizations, especially when there are multiple parties involved processing and storing customer data. One thing is clear: I think we’ve all had enough of free credit monitoring for 24 months and the “we take the security and privacy of your data seriously” type responses we always hear after every data breach. Personally, I’d like to hear more statements like: we are doing the following things to make sure a breach like this doesn’t happen again. Perhaps it’s just a pipe dream, but for now I guess we continue to let the data breaches flow.
Last week Google had a major outage that affected YouTube, Gmail, G Suite, and several other services like Nest, which by the way is now a Google owned company. While network outages are not that uncommon, in this case the outage caused Nest products to stop functioning, which left many customers without any way to control thermostats, security cameras, and other Nest products like their smart door locks. Now most of these devices have manual overrides in the case of an Internet outage, that is, until they lose power or battery, and then you may be in trouble. It just depends on your device. For example, the Nest smart lock in particular has a way to use the key pad even if the battery is dead. This outage made me think that incidents like this may be a significant disadvantage of cloud controlled products like Nest. We often only think of the convenience of products like these, but when the Internet or cloud infrastructure goes down, well, they all go back to the “dumb” devices that they were. And why would we ever go back to using an old fashioned thermostat or door lock? This is crazy talk!
Potential privacy and security concerns with Internet of Things devices aside, think for a minute about all the smart devices in your home and what you would do if you lost Internet or there was a large network outage or even loss of power to your home. If you have smart devices being used for security, what will your plan be so that you can continue to use these devices?
If you’re from another country coming over to the US on a visa, surprise, surprise, but you’ll now need to share the social media names that you’ve used for the past five years in your visa application. Of course, you could choose not to share this information and just say that you don’t use social media, but according to the US State Department, it would be unwise to lie in your application as lying could present serious consequences. The purpose of this is to give the US government a way to identify potential terrorists, public safety threats, and other dangerous individuals and prevent them from gaining access to the US. The way the process works is that visa applicants will have background checks completed against watchlists that are maintained by the US government. Future “improvements” to the visa application process may also require applicants to provide more extensive information about their travel history. Reports say that much of this new policy stems from the 2015 mass shooting that took place in San Bernardino, California, where Syed Farook killed 14 people. Farook’s wife, Tashfeen Malik, was found to have terrorist sympathies in her social media communications before she was granted a US visa. So what do you think? Is this a worthwhile effort to stop real terrorists from coming to the US, or will it end up causing more privacy problems and controversy for the US government?

Jun 3, 2019 • 10min
Ransomware Rampage, Mobile Phishing Attacks, iPhone App Ad Trackers
This is your Shared Security Weekly Blaze for June 3rd 2019 with your host, Tom Eston. In this week’s episode: US cities are being rampaged with ransomware, mobile phishing attacks on the rise, and do you know what your iPhone is doing while you sleep?
I was intrigued by an opinion piece posted to Dark Reading about the recent rise in ransomware attacks targeting cities and local governments. From Atlanta, Cleveland’s airport, and now the city of Baltimore, ransomware is grinding communication and critical processes to a halt in many cities across the country. Local governments are expected to provide certain critical services for citizens, such as obtaining permits and closing home sales, so without computer systems working it’s like going back to the ice age with paper and a manual process. My hometown of Cleveland, Ohio had a ransomware attack hit the airport but thankfully it only affected the flight and baggage information screens and not the security of flights or the airport itself. This latest string of ransomware attacks appears to be attributed to the previously leaked “EternalBlue” exploit from back in 2017 which was created by the NSA. Anyone else find it ironic that our own cities are being attacked with the same tools and exploits designed to attack other nation states?
One thing is clear: cyber criminals see a massive target in cities and local government because they know (as well as many of us do) that IT budgets are tight and more often than not systems are not being patched or maintained. The other ethical dilemma this brings up is whether cities should pay the ransom. While we always say to never give in and pay a ransom, the recent ransomware incident in Atlanta cost the city an estimated $17 million in recovery costs when the ransom was only $50,000. Now just paying the ransom may not work out either, as there have been cases of criminals asking for more money or just not giving the keys to unlock the data regardless of being paid. It’s a tough situation for sure and will continue to be hotly debated as attacks on cities increase.
From a prevention perspective, perhaps with limited IT and security budgets money may be best spent by focusing on security awareness training. Many of these ransomware attacks start through a phishing email or by clicking on a malicious link to a compromised website, which then allows the malware to propagate through the network. If the first line of defense, the users, know how to identify a malicious email or link, that alone may prevent the entire ransomware attack from happening. I started a Twitter post, which I’ve linked in the show notes, about this very topic, so I’d love to hear your thoughts and ideas on how we can help the cities that we live in defend themselves from a ransomware attack.
Speaking of social engineering, Phishlabs released a report on mobile phishing attacks, which have not received the same attention as email based attacks. With the rise in mobile phone usage there has been quite the increase in phishing attacks using SMS text messages and leveraging specially designed phishing exploit kits which mimic login screens of legitimate apps. According to the report, the financial industry appears to be the main target, and attacks are looking to replicate your bank’s mobile login screen so that you’re tricked into entering credentials and even two-factor authentication codes.
SMS phishing in particular is getting more complicated to prevent. For example, phone numbers can be easily spoofed and filtering of SMS or text based spam is pretty much non-existent. In addition, mobile phishing attacks take advantage of small screen sizes and use techniques like URL padding, which can hide the full URL, making the site seem legitimate. Also in the report, Phishlabs noted that Android is currently the number one target for mobile malware and that banking trojans are the most popular malware being used today. Ironically, the Bankbot Anubis malware uses a Twitter account for command and control of the malware to avoid detection. This is something that I and researchers Kevin Johnson and Robin Wood, who developed a proof of concept of this, first talked about in a DEF CON and subsequent ShmooCon talk way back in 2009. Crazy that this concept that I was a part of is actually being used in modern day malware.
In related phishing news, Brian Krebs from Krebsonsecurity.com posted an article about people being fired for failing phishing tests put on by their companies. He goes on to interview several phishing industry experts to get their opinion, and of course they do not agree with firing employees over an awareness exercise. We’ll link the article in the show notes so you can read it for yourself, but what do you think? Is the heavy-handed and fear based approach the best way to increase awareness?
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Have you wondered what your iPhone is doing while you’re sleeping? Like most of us, our phones go into “do not disturb” mode and we gently drift off into our quiet slumber, to be awakened by the horrible sound of the alarm we set for some ungodly hour so we can get up and go to work. But did you know, your phone is constantly communicating and your apps in particular are sending tons of information about you and your device to marketing companies, research firms and ad agencies? Well, a technology columnist from the Washington Post worked with a privacy firm to find out exactly what was going on here. Through their research they found that there were over 5,400 trackers in a single week, mostly from apps, which resulted in 1.5 gigabytes of data being used over the course of a month. Information sent from these apps included his phone number, email address, exact location and device fingerprints, while also helping trackers link back to his phone. And these trackers do activate at night or when the device is plugged in because of the background refresh setting that is on by default with an iPhone. And don’t think that just because you don’t own an iPhone you’re immune. Android users face the same issue with apps that use trackers like these as well.
Now none of this news should be at all surprising, except for the volume of data we’re talking about here. The most concerning part is that we really don’t know where apps are sending our data and we don’t know what these companies are doing with our data. There is no disclosure system by Apple or anyone that shows you what these ad trackers are doing unless you do what this columnist did and dig into the technical details of how these apps work. Privacy notices and policies don’t help much either because they don’t go into the gory details of what these trackers do and transmit. You can read the article for yourself in the show notes, but I think the best quote from the story is about transparency, and that quote is “If we don’t know where our data is going, how can we ever hope to keep it private?”.

May 27, 2019 • 9min
Equifax Downgraded, Huawei Ban, Google is Tracking Your Purchases
This is your Shared Security Weekly Blaze for May 27th 2019 with your host, Tom Eston. In this week’s episode: Investment firm Moody’s downgrades Equifax, Huawei’s US technology ban, and how Google is tracking all your purchases.
Equifax was back in the news late last week with the announcement that Moody’s has cut its rating outlook for Equifax, from stable to negative, because of their massive data breach of 146 million users which took place in 2017. This is the first time that a company has had its investment rating downgraded because of a data breach. Moody’s noted that the downgrade was due to the large expenses that Equifax has had to pay, such as $786.8 million in general costs, $82.8 million in data security costs, $12.5 million in legal fees, and $1.5 million in product liability charges.
If you’re not familiar with the details about the Equifax breach we’ll have a link in our show notes to one of our previous episodes on the topic, but for a short recap, Equifax was breached due to a well-known vulnerability in Apache Struts that remained unpatched on an Equifax server. The breach could have been prevented, since the patch for the vulnerability was released two months prior to the breach.
Unless you work for Equifax, this is actually really good news, and honestly I’m not feeling that sorry for Equifax. I’ve always said that until companies are held financially accountable for poor security, we will continue to see more breaches and, unfortunately, more massive ones like Equifax.
A few weeks ago the Trump administration banned US companies from doing business with the Chinese telecom giant, Huawei. This ban resulted in Google and many other tech firms halting business with them. While there has been no evidence produced or further details provided by the US government regarding the Huawei ban, Huawei in the past has been accused of intellectual property violations and theft of trade secrets not that long ago, not to mention some potential ties to the Chinese communist party.
Now last week chip designer ARM officially suspended all business with Huawei. This is a huge blow and will prevent Huawei from creating their own chips. What’s interesting is that ARM is based in the UK and owned by a Japanese company. However, ARM develops some processors in the US, which they feel would put them in hot water with the US government if ARM were to continue selling to Huawei.
Look, from a cybersecurity perspective, my take is this has something to do with the potential and perhaps past evidence of Chinese spying on the US. The biggest issue is that Huawei is one of the main suppliers for the technology that cell towers use to communicate with our devices. Now with the talk of 5G networks and upgrades to support this new technology there may be the threat of Chinese surveillance or backdoors in the backbone of mobile communication in the US. Is there evidence to support this? Who knows at this point. The US government isn’t saying, but one thing is for sure, this won’t be the end of this story and neither will the impact of Huawei’s technology in the US.
It should be no surprise that if you have a Google Gmail account you already know that while you’re signed into a Google account and browse the web, your search history is harvested for Google to serve you ads in your Gmail account. By the way, it’s a common misconception that Google scans your email to serve you ads through your Gmail account. Something that may be surprising, though, was the revelation from a CNBC report which revealed that Google has created a page called “Purchases” which shows you a list of all the purchases that you’ve made. This list is pulled from your emails which show receipts from previous purchases that were emailed to your Gmail account. This list of purchases goes way back, all the way to the day you created your Gmail account, and for some of us that could be decades worth of purchase data.
Now this page is only accessible to you, but what I find interesting is that it’s really difficult to delete this data if you happen to be creeped out about Google collecting all of your past purchase history. The only way you can delete your purchase data is to actually delete the email that contains the purchase receipt. From the “Purchases” page you can individually delete a receipt, but that takes you back to your Gmail to delete the actual message. There appears to be no mass delete option or ability to prevent Google from collecting your purchase history. In fact, Google told CNBC that there was a way to turn off this ability in the search preferences, but the reporter found out that changing these settings didn’t work.
In other Google news, Google announced that they discovered that passwords for some G Suite business users were being stored in plain text. The data was apparently being stored on internal Google servers and the issue was quickly corrected. Affected G Suite business users have been notified by Google to change their passwords. This is very reminiscent of a similar situation back in March where Facebook discovered hundreds of millions of user passwords were also stored in plain text and were accessible by over 20,000 Facebook employees.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

May 24, 2019 • 32min
Remotely Killing Car Engines, Password Expiration Policies, Facial Recognition at Airports, InfoSec vs. Cybersecurity
In episode 88 of our monthly show we streamed live on GetVokl! Subscribe to our channel and get notified when we’ll be live so you can chat and participate in our next show! Here are the topics we covered and links to articles we discussed:
Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking
A hacker by the name of L&M broke into GPS systems from iTrack and ProTrack, which are apps used to manage and monitor fleets of trucks and vehicles. About 27,000 accounts were affected.
He could track and shut down the engines of any vehicle either parked or driving under 12 miles per hour.
He found a flaw in their Android app which set the default password to 123456 for all new user accounts and brute forced the user names. He also wrote a script to login to the accounts.
Microsoft says password expiration policies are stupid and will be removing them from their security baselines
Skip the Surveillance By Opting Out of Face Recognition At Airports
Debate: Is it InfoSec or Cybersecurity?
What do you think? Does the term “cybersecurity” best describe this industry? Send us a message on Instagram, Twitter, Facebook or by email (feedback[aT]sharedsecurity.net) to let us know!
Check out Scott’s new company: ClickArmor
More news about Scott’s new venture coming soon on the show!
The Shared Security Podcast sponsored by Silent Pocket and Edgewise Networks.
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.

May 20, 2019 • 10min
Critical WhatsApp Vulnerability, Facial Recognition Ban, Wormable Flaw in Windows
This is your Shared Security Weekly Blaze for May 20th 2019 with your host, Tom Eston. In this week’s episode: A serious spyware vulnerability in WhatsApp, San Francisco bans facial recognition, and a wormable vulnerability in older Microsoft systems.
Facebook has revealed a major vulnerability in its popular WhatsApp messaging app which is used by 1.5 billion users. This vulnerability allows malicious spyware to be installed by initiating a call over WhatsApp’s voice calling feature. The vulnerability is so serious that the spyware would be installed even if the call wasn’t picked up. WhatsApp said that only a select number of users were victims and that the vulnerability affects all but the latest version available for Apple iOS and Android. Now it should be no surprise that this spyware was also linked back to the infamous Israeli NSO Group which is known for selling highly advanced spyware to governments and nation states. We’ve mentioned the NSO Group many times on the podcast before when we had talked about their Pegasus spyware which can read messages, turn on the microphone and camera and completely take over the device. Of course reports say that the NSO Group has denied any involvement in the WhatsApp vulnerability. WhatsApp has fixed the vulnerability and if you happen to use WhatsApp you need to update to the latest version immediately.
What’s really disturbing about a vulnerability like this is that you as the victim can’t really do anything to protect yourself, except not have the app installed. We’re seeing more of these types of vulnerabilities and many of them are taking advantage of zero-day vulnerabilities where only the exploit developer has the exploit, and the device manufacturer like Apple is unaware. This is not going to be the last time we see something as dangerous as this so our best advice is to keep your device and apps always updated. That’s about all you can do to protect yourself, or just not use a mobile phone.
The other controversy around the WhatsApp vulnerability I want to talk about was a related story that came out in a Bloomberg article which said that end-to-end encryption is nothing but a marketing gimmick. The article went as far as to say, quote, “End-to-end encryption is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.” end quote. First of all, this is wrong and extremely misleading. But don’t take my word for it, the cybersecurity community reaction on social media was swift to dismiss the FUD being thrown in this article. Look, zero-days and app vulnerabilities aside, end-to-end encryption is not a gimmick. It’s a real and very important technology to protect your information. End-to-end encryption has nothing to do with this particular vulnerability as the exploit completely compromises the device, not the transit of messages themselves, which is what end-to-end encryption protects. Oy vey. Check out our show notes to read this terrible article for yourself. And let’s hope news organizations like Bloomberg will learn that click-bait articles like this one are dangerous and don’t help anyone stay more secure.
In breaking news last week, San Francisco became the first city in the US to ban the use of facial recognition by police and several other local government agencies. Facial recognition has been used by police and other law enforcement for over a decade now but more recently this technology has come under great scrutiny because of privacy concerns as well as the risk of government abuse. Not only that, but there is concern about facial recognition technology not having a 100% success rate, meaning there is a risk of people being falsely identified if law enforcement were using this technology in, say, an investigation.
As I’ve mentioned on previous episodes of this podcast, US Customs and Border Protection has been using facial recognition at airports and ports of entry for the last several weeks now. There is some good news: there seem to be ways to opt out of facial recognition if you don’t want your face scanned, but reports say that if you’re not a US citizen you can’t opt out. Now not being able to opt out is one thing but what’s really fascinating is that this technology has become so common that even our personal devices have it installed by default. For example, you can use FaceID to unlock your iPhone or log in to your Windows PC using Windows “Hello”. While there is less of a privacy concern since these are devices we own and control, the bigger concern is that in larger surveillance situations, like in large public areas that are using facial recognition, we all unwillingly become a subject and potential suspect, and it becomes impossible to opt out. So have we gotten to the point that we have no choice but to trade our privacy for mass surveillance which uses a technology which isn’t 100% accurate? I think San Francisco is on to something and let’s see if other US cities follow suit.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Late last week Microsoft took the unusual step of releasing several critical security updates for out-of-support operating systems like Windows Server 2003 and Windows XP. Other updates were also issued for Windows Server 2008 and Windows 7 which are still being supported by Microsoft. This update fixes a critical Remote Code Execution vulnerability in Remote Desktop Services, also known as Terminal Services back in the day. This particular vulnerability requires no user interaction and is ‘wormable’, meaning that if malware were to exploit this particular vulnerability it could easily spread to other systems that are also vulnerable. You may remember that back in 2017 the WannaCry ransomware spread in a similar fashion using the “EternalBlue” exploit that was developed by the NSA. That exploit was leaked by the Shadow Brokers hacking group which published several hacking tools and zero-day exploits leaked from the NSA.
The bottom line here is that hopefully all of you listening to this podcast are no longer using ancient and outdated operating systems like Windows XP. However, the reality is that these systems are still being used. In 2017 when WannaCry was released it was estimated that over 200,000 Windows XP computers across 150 countries were infected. Just recently, I saw people posting pictures on Twitter showing Windows XP being used in a dentist office, hospitals and other systems like digital signs at airports. Now, older systems in the healthcare industry are actually pretty common. There is always the attitude of “if it’s not broke, why fix it”, and these systems may not be connected to a network or the Internet, as they may just run a unique type of software for a medical device. Still, businesses and consumers alike need to upgrade or decommission older systems like these because the longer they stay in use, history shows us, the more vulnerable they become.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.