Shared Security Podcast

This is your Shared Security Weekly Blaze for May 13th 2019 with your host, Tom Eston. In this week’s episode: Israel bombs a building in retaliation for a cyber-attack, Google adds more privacy settings, and a new blackmail scam that uses traditional mail. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In breaking news last week it was reported that the Israeli Defense Force, or also known as the IDF, launched an airstrike on the Palestinian Hamas military intelligence headquarters which apparently was the source of an attempted cyber-attack directed towards Israeli targets. The IDF on Twitter said quote “We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed” end quote. No further information or statement from the IDF has since been released. All I can say is, that escalated quickly and that this is the first time that I’ve heard of an actual real-time military strike in response to a cyber-attack. Now the US has done similar attacks in the past, using drones to target a ISIS hacker in 2015 and a British citizen who leaked information about US personnel online. However, those two attacks seemed to be planned out well in advance and were not an immediate response like the one just done by Israel. Now whether you agree with this response or not, it does set an interesting precedent that cyber-attacks could result in a military response especially between two nation states. I don’t know if we’ll see anything like this happen between two major superpowers like the US and Russia, even though there is apparently a lot of evidence that Russia has conducted cyber-attacks on the US. This is, of course, according to the US intelligence community. Now just remember folks, attribution is hard. In a surprise move last week, Google announced that it will be rolling out a feature that will allow users to delete some activity data like location history as well as web and app activity. Google users can also choose if they want this activity data saved for either 3 or 18 months, after which any old data will automatically be removed on a continual basis. Not going away is the current ability to manually delete your location history and app activity data. Now we all know that Google uses your data to recommend you various things like ads and other things based on your search queries and all the data you happen to give all the different Google products that you use. Given the recent privacy uprising over Facebook and even Google’s own grilling by Congress over their policy over user location tracking and data practices back in March, it should be no surprise that Google is now backtracking and finally allowing users more control over their data. I know it’s hard to remove yourself from Google services. Especially ones like Gmail and Google search which are in fact probably the best email and search engines out there. Sure, there are alternatives that we’ve talked about on the podcast but with the increasing concern over how large tech giants like Google are using our data, while not giving us a lot of control over it, are you ready to kick Google to the curb? Or do you think Google is started to change because of the new pressures governments and all of us users are putting on them. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. This past week I was made aware of a local news story about letters that were being sent to residents of a neighboring community which attempted to blackmail people for bitcoin. The letters, which came in stamped envelopes with no return address, had the massage that they were working a job around your area and stumbled across your misadventures. The lengthy letter goes on to say that there were only two options, that you can either choose to ignore the letter, in which case your wife and all of their friends and neighbors would become aware of your misdeeds or that you pay $20,600 in bitcoin as a “confidentiality fee”. Check out our show notes to read this very entertaining letter but based on the details, it seems that these victims may have been specifically targeted based on their age and location. Now some of the details, like names and address in the letter, were removed but even with some bad grammar in the letter it still leads me to believe that publicly available information through Open Source Intelligence techniques were used to target these individuals. I would also suspect that this is a scammer from outside of the local area, possibly overseas and not in the US. I typically will talk about computer or phone based scams on the podcast but this one uses the regular mail and reminds me of one several years ago where scammers were leaving blackmail letters like this one on people’s car windows. This is just another example that shows scams like these can show up in many different types of non-technology formats, and not just email. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Israel Cyber-Attack Bombing, New Google Privacy Settings, Traditional Mail Blackmail Scam appeared first on Shared Security Podcast.

This is your Shared Security Weekly Blaze for May 6th 2019 with your host, Tom Eston. In this week’s episode: Is this the end of password expiration policies, are there camera’s recording you on an airplane, and the unknown data breach exposing 80 million records. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Last week Microsoft has come out and admitted that password expiration policies are essentially useless and said that these requirements are “an ancient and obsolete mitigation of very low value”. In a blog post about updated security baseline settings for Windows 10 and Windows Server, Microsoft says that password expiration policies really don’t provide additional security. Microsoft says that “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem”. Now this doesn’t mean that password expiration’s are going away anytime soon but in regards to the Microsoft security baseline, it means that if an organization uses this baseline, password expiration will be optional and not enforced. The current recommendation in the industry is to use blacklists of banned passwords, implementation of multi-factor authentication, and detection of password guessing attempts. I can say that for once I actually agree with Microsoft here. Password expiration is really an outdated practice so it’s good to see Microsoft getting with the times. Be sure to check out our upcoming monthly show where Scott and I delve deeper into this topic. In the meantime, let’s see how many organizations follow this sound advice from Microsoft. In related news, the UK’s National Cyber Security Centre released an analysis of the 100,000 most common passwords from recent data breaches and hacking campaigns. The most common passwords consist of ‘123456’ at 23.2 million, ‘123456789’ at 7.7 million, followed by ‘qwerty’, ‘password’, and ‘111111’ . My non-scientific analysis tells me that people are just lazy picking weak passwords like this! Let’s hope that more sites use password blacklists that help prevent users from selecting these really poor passwords. If you fly United, Delta, or American Airlines, have you recently noticed that there is now a sticker over what looks to be a camera on the entertainment system that is found on the back of seats? If so, this is because of recent privacy complaints from passengers thinking that these cameras were recording them on the airplane. United told BuzzFeed News that the cameras were never activated and were installed by the manufacture for possible future applications such as video conferencing. As an additional measure all three airlines decided to put stickers on these cameras to alleviate any customer privacy concerns. You may remember that back in February a photo of a camera on a Singapore Airlines entertainment system went viral on Twitter and caused quite the privacy controversy. On top of that there has been a more recent concern over the use of facial recognition technology being used by Delta, JetBlue and other airlines to replace boarding passes. These new systems are being tested out by US Customs and Border Protection right now at certain airports to further screen passengers by matching the picture taken of you to your passport photo. In most cases you can opt-out of these scans but for non-US citizens traveling to or from the US you may not be able to opt-out. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. Security researchers from vpnMentor discovered an unprotected database that included identifying information of more than 80 million US households. Apparently, a 24 gigabyte database was found on a Microsoft cloud server that contained records of households that included full names, marital status, income bracket, age, address, date of birth and most concerning latitude and longitude of their exact location. In a blog post last week vpnMentor was asking for the public’s help to identify the company that this database belonged to. To me this was a little confusing since the IP address belonged to Microsoft’s cloud service and obviously Microsoft would know the person or company hosting this database. Microsoft did release a statement stating that “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured”. Still, no owner of the data itself has been identified or released. What’s also interesting about the data is that it only lists adults ages 40 or older. This means that if this data was already accessed by scammers, more older adults in the US may be targeted with ransomware and other phishing attacks. As I’ve mentioned on the show before, the elderly are frequent targets for these types of attacks. Oh, and I’m in my 40’s but would not consider myself or others my age elderly! But I think you get my point. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The End of Password Expiration Policies, Seat-Back Camera’s on Airplanes, Unknown Data Breach appeared first on Shared Security Podcast.

Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Tom Eston: Joining me on the podcast to discuss VPNs is Gaya Polat from vpnMentor. Welcome, Gaya. Gaya Polat: Hello. Tom Eston: Alright. So first question about VPNs is, maybe for our audience that may not be familiar with VPNs, what is a VPN and why should someone use one? Gaya Polat: A VPN stands for virtual private network. Is a tool that routes your online information through specialized service. What this means is that it routes your traffic and then encrypts your data. So by doing so, VPNs hide your online activity and protect you from the many danger on the web, whether it’s hackers, data selling, identity theft, and more. So using a VPN keeps your online activity private and safe, therefore it minimizes the chance that you’ll be hacked. But there are other reasons people use VPNs. One of the more common reasons people have been using VPNs is to access geo-block content. And the way a lot of content online works, let’s say Netflix or Hulu, they have different catalogs based for different countries and places. So if you’re an American, for example, who now is spending a semester in England or anywhere else, you’re gonna see that your Netflix catalog has changed. So a lot of people have been using VPNs to access content that is blocked. Gaya Polat: Another very popular reason people have been using VPNs is, sports fans have found VPNs to be quite useful, because a lot of the times like let’s say you want to watch a certain UFC fight on your pay-for-view, it can cost around $80, but there’s a very likely chance that somewhere in a different country, let’s say the United Kingdom, France, or Canada even, you can watch the game on a regular cable channel. So by using a VPN, you can access that quite freely, and before every important boxing or UFC match, you can… We tell you the best way by using a VPN to watch the game or the fight. There’s also a different segment of people who use VPNs because they want to overcome their local censorship laws. Sadly, some countries don’t have free internet and free online access, and they simply need a VPN to use, for example, in Turkey, Wikipedia is blocked. So whenever someone from Turkey wants to access, say, Wikipedia, they need to use a VPN. Russia, almost all online social media is blocked. So we see a lot of users from Russia. That is it. Yeah. Those are I think the main reasons people use VPN. Tom Eston: Yeah, that’s great. Lots of good things, especially if you’re in a country that may be censored, like you said, or access to different types of entertainment content that may not be available in your region or region of the world. And of course user privacy which is definitely a big one. So having said that, with all the great use cases for a VPN, what are some of the disadvantages that come with using a VPN? Gaya Polat: So first of all, as you said, there are a lot of advantages to using a VPN, but it’s not a magic potion that you can use and everything will be great. For example, it will not protect you from phishing scams or having your personal data leaked in certain cases. For example, if you entered your personal information to Facebook and that is hacked, even if you use the best VPN, that will not save your private information. Gaya Polat: There is also an issue with speeds, because by default, what a VPN does, as I said, it is that it routes your internet data through a different server. So that means that by using a different server, it can add a bit of lag time to your speed. So when you choose a VPN, you want to choose a VPN that has servers in a lot of countries and a lot of servers. The more servers it has, the more the user usage of the different servers will be spread out, so there will be sort of less traffic. If you want, you can see on our website the different VPNs and the servers they have and the different speeds. But generally speaking, the top brands all have a lot of servers. Gaya Polat: And another thing that can be a big disadvantage when using a VPN has to do… If you turned copyrighted content, then you need to make sure that the VPN you use does not keep blocks because in some countries, like let’s say for the US, your ISP can be required to give your information if it is asked when turned in. And if the VPN keeps logs, then it has to give your information to the ISP. So if you’re using torrent websites, then you need to make sure, absolutely make sure that it could get you in a lot of hot waters. [chuckle] Gaya Polat: And the last thing to know about VPN usage is that some sites block users using a VPN. So, this is especially true if you want to access your bank account. And then they can sometimes block it to prevent foreign people accessing your bank account. So, this can sometimes be a nuance or something that is very annoying to have to disconnect to connect to certain websites, but those are the big disadvantages. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. Tom Eston: So, what should someone look for when choosing a really good VPN, especially when we’re talking about protecting activities or protecting their privacy? Gaya Polat: So that’s a great question. The most important thing is to skip free VPNs, because as you can imagine, if a company spends money hosting a large and broad server system, it’s quite expensive. It will cost them a lot of money. So as we found out with Facebook and Google, when something is given to you for free, there’s a catch. And it’s also true in the VPN world. If they’re giving you great speeds, and servers everywhere and everything for free, then something is wrong there, that’s a red flag. And usually that red flag means that your data is being searched by third parties, which is what we saw, for example, recently with the Onavo project that Facebook used. It was basically a VPN program that Facebook used to get all the data about how people were using the Internet and use it as a research tool. So that is one thing. Gaya Polat: Either it sells, sometimes, we have seen with some VPNs that were free, that where tools used by the Chinese government to track their own citizens and how they were using the internet and or that were being used for a Malware or other hacks. So generally speaking, you would want to stay away from free VPNs. And what else you would want is you want to make sure, as I said before, that it has no-logs policy. So, no-logs policy means that VPN doesn’t log or doesn’t track, keep any history of your information. So that’s basically why you want to use a VPN for, as you said, for privacy. So you want to make sure that it’s actually private and nothing is kept. And other thing you would want is basically, you would want to have a VPN that uses AES-256, that’s the current state of the art encryption protocol. It’s considered a military grade encryption so that is one you want to keep. Gaya Polat: And another thing, a lot of people, like your money, you want your privacy and activities to be hidden somewhere remote, way outside the jurisdiction of countries like the US, where it can’t be touched. So it’s the same for VPNs. You want a VPN server based in privacy havens like the British Virgin Islands, or Panama. And this is because a lot of countries like US, Canada, Australia, they have a data sharing agreement, which means that they can share your data with other countries. So you want to make sure your VPN is located in one of those privacy or tax havens. And generally speaking, the top brands in the VPN world are based in the British Virgin Islands or Panama. Two top brands that are based in those countries are ExpressVPN and Nord, but on our website, we have the list about where is each VPN based and you can look. Gaya Polat: Yeah. I think those are some of the… As I said before, you want to make sure that it has a big server network, especially if you want it for content, for example, then you have to make sure that you have servers in that country that you want to access the content. And so if you want to have to access from the United States, the BBC, then obviously you need to make sure the VPN that you choose has servers in England, for example. Tom Eston: So does vpnMentor provide a list of recommended VPNs based on your research? Gaya Polat: Yes. So we do VPN studies and also a YouTube channel that we are dedicating to promoting online privacy and security. And we continuously check the top VPNs, make sure that what they say they do, they actually do it. And for just recently, we checked several popular VPNs for DNS leaks, which basically means that they do not leak your IP address. And quite surprisingly, we found that three of the top brands, most popular brands have been leaking IP addresses of users. You can see the full report on their website. And so, yeah, we’ve always check all these VPNs, make sure that they would give you top speeds, and that, we looked at their privacy policy, their no-logs policy. You know, basically, give you a recommendation, if you want to use it for a VPN for torrenting, those are the ones we tested that have true no-logs policy. If you want to use it for Netflix, Hulu, whatever, those are the best VPNs. Tom Eston: Yeah. And we’ll have links in the show notes for more information on vpnMentor and how to see those reviews of the top VPNs. I think that’s really important. And I like the phrase of, “Not all good things are free. You kind of get what you pay for.” [chuckle] I think that’s a… Gaya Polat: Yeah, exactly. I think if we learned that in everywhere you look, I think Milton Friedman was the first person to say, “There’s no such thing as a free lunch.” Tom Eston: That’s right. Gaya Polat: I think in everywhere we look, every part, it’s always the same. If there’s something you get for free, then there’s some trade of. Some free VPNs are okay to use. We have at least on the website, but then either they would limit your data, which means you would not be able to use it for streaming, for example, or you get to watch ads, but there’s no perfect VPN, as there is nothing for free. There’s like… Which is very sad for maybe our bank accounts. [chuckle] Tom Eston: Yeah, that’s right. Well, thank you very much for coming on the show, Gaya. Gaya Polat: Thank you. It was a pleasure coming. Thank you very much for having me. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post All about VPN’s with Gaya Polat from vpnMentor appeared first on Shared Security Podcast.

In episode 87 of our monthly show, frequent guest Kevin Johnson joins us to discuss the current state of cybersecurity training and certifications. If you’re currently in the industry or pursuing a career in cybersecurity this is one episode not to miss! Tom and Kevin cover the following topics: What’s the state of training and certifications in our industry? Why is some training so expensive? How did we get here? What’s the biggest challenge we face? What should we look for in a training provider and are certifications really worth it? What certifications are valuable? We also discuss the recent incident of Kevin’s training provider which was compromised a few weeks ago. Kevin talks about the way they handled the incident, how they disclosed to the public, and the right way to handle a data breach and incident. Full write up of the incident that we mention on the show:  https://blog.secureideas.com/2019/04/we-take-security-seriously-and-other-trite-statements.html This episode was also streamed live over Twitch and YouTube Live! Be sure to subscribe to us on Twitch and YouTube to catch the next live episode. Special thanks to Kevin Johnson for being our guest. It’s always a pleasure to have Kevin on the show! The Shared Security Podcast sponsored by Silent Pocket and Edgewise Networks. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post The State of Cybersecurity Training and Certifications with Kevin Johnson appeared first on Shared Security Podcast.

This is your Shared Security Weekly Blaze for April 22nd 2019 with your host, Tom Eston. In this week’s episode: Microsoft email services hacked, the Instagram “Nasty List” phishing scam, and Facebook’s attempted deals to sell your data. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Microsoft was in the hot seat this past week with the announcement that email services on Outlook.com, MSN, and Hotmail were breached from January to late March this year. This breach was due to the compromise of a support agent’s privileged credentials, most likely due to a targeted social engineering attack. The attackers apparently had access to email addresses, subject lines, names of people within conversations, and custom folder names. Accounts affected were only free consumer accounts and not accounts that businesses pay for. According to Motherboard, who broke the story, Microsoft has confirmed the breach and have sent breach notification emails to customers that have been affected but didn’t say how many users were impacted by the breach. Other details show that the source, who was used for the Motherboard story, noted that the attacker appeared to have used this access for what are called “iCloud unlocks”. This is where attackers will compromise a victim’s email or iCloud account to remove Apple’s ‘Activation Lock’ from a stolen iPhone. This security feature was implemented to prevent thieves from resetting stolen iPhones and selling them. My take is that this is one of those attacks that as users, is very hard, if not impossible to prevent. Even if you secure your account with multi-factor authentication, you’re still at the mercy of Microsoft and the administrators that may have their credentials compromised. In these cases, it comes down to how quickly a company can respond to a breach to limit impact to it’s customers. Have you been receiving strange messages on Instagram from your followers about you being on something called the “Nasty List”? If so, the message is actually a massive phishing campaign that is being spread though hacked Instagram accounts. The message will say something like quote “OMG your actually on here, @TheNastyList_(some number), your number is 15! Its really messed up” end quote. Grammar Nazis, your first clue that is that this is a scam is the spelling of “your” which should be “you’re”. Unless, of course, your friends naturally have bad grammar. Now if you visit the profile you will see an interesting URL in the profile link which will, you guessed it, take you to a fake Instagram login page. If you happen to enter in your Instagram credentials, you’ll be hacked yourself and your account will then become another zombie also sending out the same message to your followers. For more details on this scam check out the link in our show notes for a great article from Bleeping Computer. Hopefully, as a listener of this podcast, you didn’t fall for this scam but if you did change your password, re-edit your profile, and profusely apologize to your followers that you were hacked. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. I think I’m starting to sound like a broken record here but surprise, surprise, Facebook was in the news once again this week when NBC News reported that Facebook CEO Mark Zuckerberg once considered making deals with third-party developers to find out how much users’ data might actually be worth. In the report over 4,000 leaked pages of internal Facebook documents show that there were potentially 100 deals with third-party app developers for selling them access to Facebook user data. Zuckerberg reportedly even said that these deals would help decide the “real market value” of Facebook user data and help set a “public rate” for developers. This recent reveal of information comes from a court case in California between Facebook and a company called Six4Three. This company created a creepy app called “Pikinis” which allowed users to find pictures of people in bikini’s and swimsuits. This app was shut down in 2015 once Facebook changed its data sharing policies with developers which is what spurred the lawsuit from Six4Three. Facebook, of course, says that this information only tells one side of the story and have never sold user data.  Regardless, this is yet another example that shows Facebook has always looked for ways to monetize the massive amount of data that they hold on all of us. Oh, and if that wasn’t enough  last Thursday Facebook confirmed that it “unintentially” uploaded email contacts belonging to 1.5 million new users without their knowledge since May of 2016. All I’ll say, it’s not a great time to be Facebook or a user of Facebook. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Microsoft Email Hacked, Instagram Nasty List Phishing Scam, Facebook Third-Party Data Deals appeared first on Shared Security Podcast.

This is your Shared Security Weekly Blaze for April 15th 2019 with your host, Tom Eston. In this week’s episode: Amazon Echo’s recording controversy, a new mobile phone scam, and hotels leaking your private information. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. In late breaking news last week, it was reported by Bloomberg that Amazon employs thousands of workers to listen to what customers say to Amazon Echo devices. According to the report workers can listen to as many as 1,000 audio clips in 9 hour work shifts. Apparently, workers listen to audio clips that are “mundane” and even sometimes “possibly criminal”. Amazon responded to the report by saying that it only annotates “extremely small number of interactions from a random set of customers.” and that it uses “requests to Alexa to train our speech recognition and natural language understanding systems”. While Amazon employees don’t have access to names or addresses of customers, they do have access to the Amazon account number and device serial number. Amazon further clarified that no audio is stored unless the wake word is used to activate the Alexa-enabled device. While you can go in to the Alexa app to view the privacy configuration of your Echo device and individually delete audio clips, there currently is no way to completely opt-out of recording all together. The only option available is to disable the use of recordings for the development of new features. However, its reported that Amazon may still have recordings analyzed by hand over an occasional review process. A new scam, where someone calls asking for your mobile carrier’s verification code, has been making the rounds. The way it works is that you’ll receive an email which looks like it’s come from your mobile carrier, like Verizon, with the message saying that fraud has been found on your account and you need to call the number noted in the email immediately. If you call the number the scammer will say they need your verification PIN that you set up with them to verify your account.  Once you do that, the scammer will reset your password and make themselves the “primary” account user. After that, the scammer will have full access to potentially buy devices at your carriers store as well as hijack your phone number to reset two-factor authentication on other critical accounts. In two recent cases that took place in Florida, scammers attempted to purchase several brand new phones from a Verizon store using this scam. Fortunately, police showed up at the store to arrest the perpetrators after being alerted by Verizon that something wasn’t quite right. So what can you do to prevent becoming a victim of a scam like this? First, even with the threat of phishing and social engineering, you should always have a PIN, or also known as a “port validation” code set up through your mobile carrier. See our show notes for a great guide on how to do this as each company has a different procedure. Also note, you should ensure that this passcode or PIN is unique and different than any other passcode or PIN that may be in use with your mobile carrier. Lastly, if you receive an email or phone call from someone that says they are from your mobile carrier, hang up. You’re not going to be contacted over the phone like this and if you are concerned about fraud or to find out if a request is legitimate or not, it’s best to just give your mobile carrier a call yourself. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. New research from Symantec shows that hotels are leaking detailed guest reservation data to different types of third-party advertisers, websites and data aggregators. Registration information can include everything from name, address, phone numbers, and even passport number and last four digits of credit card numbers. Symantec’s research data comes from more than 1,500 hotels in 54 countries in which 67% were leaking this data through the booking reservation code which is typically distributed through a link that allows anyone to view reservation data without logging in to a hotel account. The other problem here is that in these same emails, there is additional content that loads ads within these booking emails. This content was found to share the hotel booking code with more than 30 different third-parties which in many cases were transmitted over non-encrypted HTTP. While there may be no indication that personal data was compromised here. It does show that hotel chains need to review the security of how a hotel booking number is used within these emails. And it also creates a very large problem for the hotel industry, specifically for hotel’s that may be operating in Europe or the State of California due to GDPR and the California Consumer Privacy Act.  Unfortunately, this is yet, another example of third-party companies mishandling our private data. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Amazon Echo Recording Controversy, New Mobile Phone Scam, Hotels Leaking Data appeared first on Shared Security Podcast.

This is your Shared Security Weekly Blaze for April 8th 2019 with your host, Tom Eston. In this week’s episode: Facebook’s very bad week, Stalkerware on the rise, and tax season scams. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. I know you’ll be shocked to hear this but Facebook had yet another painful week of data breaches and controversy. First was the announcement that over 540 million Facebook user records and associated data was found unsecured on two Amazon AWS servers discovered earlier in the year by cybersecurity firm, UpGuard. The first server, belonging to a company called Cultura Colectiva, which is a Mexico based media platform, had the majority of the exposed data containing usernames, Facebook IDs, comments, likes, and other data that may have been used for social media analytics.  The second server had data from a Facebook game called “At the Pool” which had details such as Facebook ID, friends list, likes, photos, groups, checkins, user interests, and of course 22,000 passwords. The passwords were apparently only for the game account and not the Facebook login, however, we all know that most people reuse passwords across the same sites and services that they use. Both servers are now locked down after quite the ordeal noted by UpGuard in their incident report which we’ll have linked in our show notes. This particular breach shows one of the many problems that Facebook has had with all the data that third-party app developers have been collecting over the years. Just like the Cambridge Analytica scandal, it’s nearly impossible for Facebook to oversee and regulate the security of user data that leaves the Facebook Platform. The second Facebook story that made the news last week was how Facebook is asking some new users to provide the password to their email account. Apparently, if you happen to use an email account from some email service providers like Yandex and GMX, you’ll be prompted to enter your email account password to confirm your email address. Once you do that, a pop-up appears stating that Facebook is importing your email contacts without any authorization by the user to do so. According to the report from Business Insider, Facebook stated that this “feature” is being discontinued but in the meantime, it’s set off groups like the Electronic Frontier Foundation which said that this “feature” is indistinguishable to a phishing attack which will also ask you to enter in passwords to verify who you say you are. According to anti-virus company Kaspersky over 58,000 Android users had “stalkerware” installed on their phones last year. 35,000 out of this number had no idea that they had stalkerware installed on their device until they installed Kaspersky’s mobile antivirus product. Stalkerware or also known as spouseware or legal spyware, is sold by various companies under the guise of an easy way to monitor your child’s activities or tracking employee device usage. In reality, most of these apps are being used maliciously and having these apps installed means that someone has had physical access to your device as the majority of these apps require someone to install the application manually, mostly because these apps require the device to be “jailbroken” or “rooted” so that the app can be installed. Last year, on episode 40 of the Weekly Blaze, we recorded an entire podcast about stalkerapps and spyware I encourage you to check out. This episode goes into more detail on how these apps work and what to look for if you suspect one of these apps are installed on your mobile device or laptop. In related news, Kaspersky has said that they will now start alerting Android users, that have their antivirus product, whenever a stalkerware app is installed on a user’s device. This push by Kaspersky was initiated by Eva Galperin head of the Electronic Frontier Foundation’s Threat Lab in which she’s spearheading a push in the cybersecurity industry to finally take the threat of stalkerware seriously. In her list of demands she’s asking antivirus companies to start detecting and alerting on these types of apps, asking Apple to allow antivirus apps in their app store (Apple currently does not allow this), have Apple alert and detect when an Apple device is jailbroken or rooted, and to have more state and federal officials start filing charges against executives of stalkerware companies for hacking. My take is that it’s great to see at least one antivirus company doing something about the threat of stalkerware and with the EFF and people like Eva Galperin, perhaps we’ll see positive changes in the months to come. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. Guess what season it is? It may be Spring in the United States but it’s also tax season which means it’s time to be aware of common phishing and scam tactics that may target you while you file your taxes. In fact, it’s so bad this year that the IRS recently released their “dirty dozen” in which they’ve detailed the top tax fraud scams of the year. Check our show notes for a link to the full list but it should be no surprise that phishing scams come in at number one. Things to lookout for include emails posing as the IRS promising a big refund, or threatening you with arrest if you don’t reply or submit personal or sensitive details about yourself or your finances. In one recent variation, a scammer has already stolen personal data and filed a tax return on the victim’s behalf. The scammer then uses the victims own bank account to direct deposit their tax refund and attempt to reclaim the funds by posing as the IRS or someone from a collection agency. Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemail’s. Phone scams are number two in the IRS’s “dirty dozen” this year. These calls will typically ask for personal information or to convince you to make a tax payment or threaten you with arrest just like similar IRS phishing emails. In some calls the scammer can change the caller ID to indicate the IRS is calling or from another number in your same prefix. Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant and be more aware of phishing and phone scams this tax season and please let your elderly friends, parents or relatives know about these scams as well. Unfortunately, the elderly are common targets for these types of attacks. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Facebook’s Bad Week, Stalkerware, Tax Season Scams appeared first on Shared Security Podcast.

This is your Shared Security Weekly Blaze for April 1st 2019 with your host, Tom Eston. In this week’s episode: Apple’s new privacy focused credit card, the ASUS live update software backdoor, and recent statistics on Malware attacks. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Apple announced last week that it’s partnered with financial firm Goldman Sachs on a new type of credit card which is focused on privacy and security. The credit card, which is called “Apple Card”, is paired with Apple Pay so you can use it like you normally do with your iPhone, but it also includes a traditional physical card made out of titanium, laser-etched and has no visible card number, CVV code, expiration date, or signature on the card itself. Now that credit card, completely has Apple written all over it. In regards to the technology, the credit card number will be stored in the iPhone’s Secure Element chip and all purchases must be authenticated through Touch ID or Face ID. Apple also says that they will not track what you’ve purchased, where you’ve shopped, or how much you’ve paid for purchases and that Goldman Sachs will not share or sell your data to third-party marketing firms. Other perks include a cash back program on all purchases, no annual fees, and insight into spending habits right on your iPhone. If this all sounds amazing, you may be asking yourself “What’s the catch?”. Well, the Apple Card is still a credit card so from what we know so far is that interest rates will vary between 13 and 24% and are based on your “creditworthiness” and that any late or missed payments will drive up your interest rate. My take is that I think it’s great to see Apple making more of their products and services with privacy and security in mind. I think we all give Apple some grief over their sometimes overly aggressive marketing campaigns like they did at CES in Las Vegas this year when they proclaimed on a large billboard “What happens on your iPhone, stays on your iPhone”. But perhaps, now we’re really starting to see Apple put their money where their mouth is. Computer hardware manufacture ASUS confirmed that their “live update” tool, which provides firmware updates, drivers, and patches for all of their laptops and other consumer hardware, was compromised by an Advanced Persistent Threat group. This is a great example of what is called a supply chain attack where a central update repository was compromised to spread malware. ASUS said in their press release that “a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group”.  ASUS also stated that it had reached out to affected users and worked with them to ensure any security risks were removed. Kaspersky, which makes anti-virus software, claims it’s detected the ASUS supply-chain malware, conveniently named ShadowHammer, on 57,000 computers. Kaspersky says that there may be even more devices that have been affected. In related news, TechCrunch reports that a security researcher warned ASUS about two months ago that ASUS developers were disclosing passwords within their GitHub code repositories which could be used to access the ASUS corporate network. These repositories were publicly available and the researcher notes that one of the repositories was a daily release mailbox where automated build notifications were sent. Within these emails contained the full file path of where drivers and other files were stored on the ASUS internal network. This information, combined with access to this mailbox could have easily have been used for phishing or targeting other developers via social engineering.  While there have been no reports of compromised systems, it does show a lack of overall security awareness of ASUS’s developers. Now in regards to remediation, ASUS says the backdoor has been fixed and that ASUS users should update to the latest version of its “Live Update” software. Do you own a ASUS laptop or other device? If you do, be sure to check out our show notes for a link where you can download a tool from ASUS which will determine if your ASUS system was affected by the backdoor. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. For the third-year in a row malware, and in particular ransomware attacks have significantly increased according to cybersecurity company SonicWall which analyzed  10.52 million malware attacks in 2018 via the network of one million sensors used by SonicWall’s customers. Other interesting data from SonicWall’s report show that Ransomware volume from a global perspective reached 206.4 million attacks in 2018 which is an 11 percent year-over-year increase. This increase has to do with ransomware authors mixing and matching different malware components to create new variants which become harder to block. Ironically, the US in particular had the largest increase in ransomware attacks from last year. From a phishing perspective, SonicWall recorded 26 million attacks and noted a 4.1 percent drop. The reason? Well attackers seem to be changing their approach by moving towards hiding malware in PDF’s as well as Microsoft Office documents and conducting more targeted attacks. You may remember on last week’s podcast I noted that Microsoft Office is the biggest target for cybercriminals which is why we all need to be more aware of phishing attacks using attachments that may be hiding malware. Check out our show notes to download the full SonicWall report. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Apple Card, ASUS Live Update Backdoor, Statistics on Malware Attacks appeared first on Shared Security Podcast.

This is your Shared Security Weekly Blaze for March 25th 2019 with your host, Tom Eston. In this week’s episode: Facebook passwords exposed in plain text, Android Q’s new privacy features, and why Microsoft Office is the most popular target for cybercriminals. Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer. Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. I want to mention a correction from last week’s show when I talked about the service called CLEAR. CLEAR does not use Facial Recognition technology, they only use iris or fingerprint biometric scans. And now, on to this week’s news. In late breaking news last week Facebook announced that hundreds of millions of its users had their account passwords stored in plain-text going all the way back to 2012.  Apparently, through an internal security review, Facebook had found these passwords exposed on internal servers.  Apps affected include Facebook, Instagram and Facebook Lite, which is a version of Facebook made for underpowered phones and low speed connections. Famed reporter Brian Krebs from Krebsonsecurity.com said a source at Facebook told him that between 200 and 600 million Facebook users had their passwords stored in plain text and the data was searchable by over 20,000 Facebook employees. The source also said that about 2,000 internal developers made about 9 million queries for information that contained those plain text passwords. Facebook stated that it appears no one outside of Facebook had compromised this data and that (for now) there is no evidence that anyone internally at Facebook accessed or abused anyone’s password. Now, are you shocked to hear this latest news? If you’re not, how much more can we all take before it’s time to finally delete Facebook from our lives? It seems this is just yet another security and privacy blunder that continues to plague the world’s largest social network on pretty much a weekly basis. Our advice is if you plan on sticking around Facebook, change your Facebook and Instagram password, and if you haven’t already, enable two-factor authentication. In fact, if you have two-factor authentication already enabled on your account, you’re already a step ahead protecting your Facebook password from potential compromise. Android users rejoice! Android Q, Google’s new version of Android set to be released this summer, is coming with several new and exciting privacy features. Here’s our take on the top three features. First up is that Android apps can no longer access clipboard data, unless the app is actively being used. This can help prevent malicious apps from gaining access to copied clipboard data like passwords from a password manager. Next, MAC address randomization will be enabled by default. A MAC address is the unique ID that your Wi-Fi and Bluetooth chips installed on your devices use when communicating on a network. This feature was available in Android 6.0 but now will be enabled by default. This feature will also help prevent some data harvesting and tracking used by some third-party app providers. And probably the biggest new privacy feature is having more control over your location data. Android Q will now have a permissions prompt whenever an app wants to use your location data. So now you can give the app access to location data all the time, only when the app is in use, or completely deny the app access to your location data. Check out our show notes for a link to all the new privacy features coming in the upcoming release of Android Q. And now a word from our sponsor, Edgewise Networks. Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths. Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation. Visit edgewise.net to get your free month of visibility. A recent report by threat intelligence firm Recorded Future, shows that for the second year in a row, Microsoft was the biggest target for cybercriminals, with 8 of the top 10 vulnerabilities affecting their products. Surprisingly, half of those vulnerabilities were in Microsoft Office, followed by Internet Explorer. Oh and if you’re still using Internet Explorer, please stop what you’re doing right now and switch to a new modern browser like Chrome, Firefox, or even Microsoft Edge. What we’re trying to say is that while web browsers are getting more secure there are still older versions, like Internet Explorer, which are still major targets for attackers. Other details worth noting in the report show that the number of new exploit kits, which are typically offered for sale on dark web markets and are used to exploit the top 10 vulnerabilities noted in the report, are continuing to drop in 2018 by 50 percent, with only five new exploit kits, compared to ten from the year before. Lastly, the report shows the progression from what are called web exploit kits to more phishing attacks in 2018. While many older browsers are still major targets, it’s much easier to use exploits tied to a phishing email while using social engineering tactics to lure victims into clicking a link or running an executable. Microsoft Office is a very popular target, not just because it is the world’s most popular business software, but because people are more susceptible to opening a malicious Word or Excel documents mostly because it’s so common to send those types of attachments over email. Some may say that the best advice is to never click on links or attachments in an email but that can be really hard to do, especially you’re in a business environment. But it really does come down to compromise and your own personal risk assessment. We still need to use Microsoft Office and open email attachments so the best advice is to rely on your instinct and remember if an email seems phishy, it probably is. That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Facebook Passwords Exposed, Android Q Privacy, Microsoft Office Targeted appeared first on Shared Security Podcast.

In episode 86 of our monthly show we discuss Tom’s new garbage service (yep, that’s right) and why taking credit cards by filling out a form and mailing it is never a good idea, the Verifications.io data breach, how a cyberattack could capsize a ship, and the world’s most dangerous malware.  This was also the first show we streamed live over Twitch. Be sure to subscribe to us on Twitch to get notified when we’ll be live! Links to articles mentioned on the show: Verifications.io data breach How a cyberattack can capsize a ship Triton is the world’s most murderous malware, and it’s spreading   The Shared Security Podcast sponsored by Silent Pocket and Edgewise Networks. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. The post Verifications.io Data Breach, Capsizing a Ship with a Cyberattack, World’s Most Dangerous Malware appeared first on Shared Security Podcast.