

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast, where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Jan 14, 2019 • 11min
US Government Shutdown, Privacy at CES 2019, Mobile Location Data Controversy
This is your Shared Security Weekly Blaze for January 14th 2019 with your host, Tom Eston. In this week’s episode: The US government shutdown and cybersecurity, privacy takes center stage at CES 2019, and a mobile location data controversy.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
As of this podcast recording it’s been over 19 days since the US government shut down because Congress was unable to agree on a bill for border security. This has meant that about a quarter of all federal departments (about 800,000 federal workers) are furloughed and the government is unable to pay the people working for these departments. While we patiently wait for Congress to figure out how to end the shutdown, there is now cause for concern that because of this shutdown, US national security and cybersecurity may be affected, now and even into the future.
Even in a government shutdown, cybersecurity threats to the nation are not going to stop. In fact, attackers love it when a company or government is in chaos, which means attacks will increase. Key departments like the new, two-month-old Cybersecurity and Infrastructure Security Agency (part of the Department of Homeland Security) have had about 45% of their staff furloughed. In addition, the DHS Office of Intelligence and Analysis and the Office of Operations Coordination (which both provide security intelligence to the private sector and the intelligence community) are also on furlough. It’s also important to note that other critical cybersecurity services like NIST (which stands for The National Institute of Standards and Technology) have 85% of their staff furloughed. NIST regulates federal agencies and provides security standards for the private sector, which includes many new and updated risk management frameworks and guidelines on security controls. Besides cybersecurity, 90% of airport security TSA agents (who are actually quite underpaid) are working without pay, and that has caused many agents to call off sick or quit their jobs. And that means longer lines for you at the airport.
Let’s hope that Congress and the President can come to some type of compromise soon, or we may see longer-lasting impacts to US national cybersecurity.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Privacy took center stage at the Consumer Electronics Show in Las Vegas last week when Apple placed a giant ad on a 13-story building, which happens to overlook the CES convention center with the message “What happens on your iPhone, stays on your iPhone.” This ad included a friendly link to apple.com/privacy, which talks about how your data is protected by using Apple products. This is obviously a direct stab at competitors like Amazon, Google, and Facebook which have been continuously in the news about privacy issues and breaches of user data. Many of these stories we cover on this podcast every week.
But CES is also about new products, and there were a lot of privacy and security gadgets being shown off at this year’s show. All these new gadgets are connected to the Internet, and almost all new products have some relation to the privacy and security of user data. Smart speakers and their accessories in particular were a highlight of this year’s show. For example, a device called Mute+ from a startup called Smarte creates a layer of protection to stop smart speakers from picking up sensitive conversations. And another product called Snips allows you to build voice-activated products that run locally on the device and not in the cloud like Google and Amazon’s voice assistants. Because data is stored on the device, there is less of a data harvesting or privacy concern. According to research firm eMarketer, it’s now estimated that 74 million Americans will use smart speakers in 2019, an increase of over 15% from last year. It should be no surprise that Google Home and Amazon Echo devices control the majority of this market.
I’ve also been reading stories and talking with people about how more consumers are concerned that these smart speakers are always listening and recording every conversation like a very invasive spy device. Well, yes, these devices are always listening for key words to activate them (I could say one right now to activate your Amazon Echo…I’ll be nice), but both Google and Amazon are only recording and saving what you’re saying to the device. This data is then sent to their cloud services for processing, and you hopefully get the information you were looking for. While you can go into the apps for these devices to see your previous recordings, and of course delete them, the bigger issue I think is what happens when these devices malfunction? I mean, how many times have you seen your Amazon Echo device just light up for no reason or start saying something when you didn’t even ask it anything? I find these devices are very prone to error, and the technology still has a lot of growing pains. These ‘malfunctions’ prove many of the privacy concerns consumers rightfully have. So any improvements or new products that help increase the privacy of using devices like these will be more than welcome this year.
In surprising but not so surprising news, an investigation by Motherboard last week showed how a reporter, who gave a bounty hunter $300, was able to get the real-time location of a mobile phone through data that was sold by the major telecommunications companies to private third parties. In what I would call a fairly complex ecosystem, T-Mobile, AT&T, Verizon, and others routinely sell your real-time location data to what are called data aggregators, which then sell that data to other companies, which then sell the data to people like landlords, car salesmen, people conducting credit checks and of course shady data dealers like bounty hunters. In the Motherboard story, data aggregator firm Zumigo had sold data to a credit reporting company called MicroBilt, which sold the real-time location of the mobile phone for only $12.95. Of course, as you might expect, the major telecoms like T-Mobile all stated that “protecting our customers’ privacy and security is a top priority, and we are transparent about that in our Privacy Policy…”. T-Mobile and others have since removed data access for this one particular data aggregator, but it begs the question: how many more of these relationships do the major telecoms have?
If this story seems strangely familiar, well, it is. Back in May of last year on the show I discussed another very similar situation where a company called Securus was providing real-time mobile phone location data to law enforcement without a warrant. This was in addition to news of another situation where a data aggregator called LocationSmart had a vulnerability in its website which allowed anyone to query the exact location of any phone on any major US carrier. It seems that we will see more of these situations this year, which begs the question: why is there no accountability, and what will the US government do about it?
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post US Government Shutdown, Privacy at CES 2019, Mobile Location Data Controversy appeared first on Shared Security Podcast.

Jan 9, 2019 • 25min
Cybersecurity Careers, Recruiting, and Volunteering with Kathleen Smith
New year, new Cybersecurity job? If you’re looking for a new job or just starting out in Cybersecurity you’ll want to listen to this episode of our monthly show where we’re joined by special guest Kathleen Smith, CMO of ClearedJobs.net and CyberSecJobs.com. We discuss Kathleen’s recent survey on people who advance their career by volunteering in the Cybersecurity community, the Hire Ground career track at the BSides Las Vegas cybersecurity conference, how to work with recruiters and job boards, why you should plan (rather than react) when you look for a new job, and much more!
Thanks again to Kathleen for being a guest on our show! Be sure to connect with Kathleen on Twitter.

Jan 7, 2019 • 9min
Newspaper Ransomware Attack, How Facebook Tracks You on Android, USB-Type-C Authentication
This is the 50th episode of the Shared Security Weekly Blaze for January 7th 2019 with your host, Tom Eston. In this week’s episode: a newspaper ransomware attack, how Facebook tracks you on Android, and USB Type-C Authentication.
Several large newspapers in the US, owned by media giant Tribune Publishing, started off 2019 by having to respond to a massive ransomware attack that caused major printing and delivery problems. Newspapers affected included the Chicago Tribune, the Baltimore Sun, and the Los Angeles Times, as well as several other Tribune Publishing affiliates. The attack, which started on December 29th, targeted critical news production systems and other infrastructure responsible for the newspaper printing process. According to the Los Angeles Times, the attack appears to have been carried out by a foreign state or other such organization, and some sources with knowledge of the attack have said that the malware appears to be a form of “Ryuk” ransomware, which is typically very targeted and has been around since last August, when one particular form of Ryuk was found to have collected about $640,000 worth of Bitcoin from victims.
Of course, some are quick to blame the Russians due to the .ryk naming convention found on the encrypted files that the malware left behind, and because most attacks these days seem easy to attribute back to Russia. However, Ryuk ransomware may actually have its history tied to North Korea, as was determined from a research report last year which revealed that some of the Ryuk source code was actually copied from the Hermes ransomware that was used by the Lazarus Group. The Lazarus Group just happens to be a nation-state espionage team previously associated with North Korea. As we all know, attribution is hard. Source code of ransomware can be copied and easily reused by others. The best response for most organizations that are hit with ransomware, like in this most recent example, is to ensure you know how to respond to an attack like this, as being hacked will most likely happen to most organizations sometime in the future.
A talk given by UK-based Privacy International at the 35th Chaos Communication Congress hacking conference last week showed that many popular Android applications are sending tracking information to Facebook even if you don’t have a Facebook account. The research focused on 34 Android applications that have between 10 and 500 million users. By decrypting and analyzing all the third-party trackers the apps were using, the researchers found that 23 of these apps were sending data to Facebook such as whether the app was opened or closed, device information, language and time zone settings, and the user’s Google advertising ID, which can allow companies like Facebook to conduct profile matching. The talk also pointed out that what Facebook is doing is in common with what other companies like Google, Amazon and Twitter are doing, since they all offer analytics services for application developers. Other points from the talk include criticism of Facebook for only enforcing the collection of user information through contractual and legal means, and that Facebook’s current opt-out cookie policy had no effect on the data the researchers have questioned. Facebook responded to the talk by noting that their upcoming “Clear History” feature, which was one of the developments from the Cambridge Analytica scandal, would be a way for users to remove this data sent by third-party apps.
This is just the latest in a long string of seemingly endless data breaches and mishandling of personal data from Facebook. Now that it’s 2019, will we see more data mishandling issues and breaches from Facebook? Or have they given themselves a New Year’s resolution to finally make changes to help protect our private information?
The non-profit USB Implementers Forum, also known as USB-IF, has announced a new program to support a new optional security specification called USB Type-C Authentication. This new specification defines cryptographic-based authentication for USB Type-C chargers and devices. This will allow systems to confirm the authenticity of a USB device or charger and will even be able to allow devices to only work with manufacturer-certified chargers. What this means for you is that this improvement to USB Type-C can reduce the risk of malicious charging stations, make it harder for law enforcement or others to copy data off of a mobile device, or prevent embedded malware installed on USB hardware from exploiting your device. No dates or other details were given in the announcement, but it’s good to see some progress being made on the security of USB, which is now the most common way we interface other hardware with our PCs, mobile phones and other devices. Perhaps now it’s starting to make more sense why more and more manufacturers, like Apple, are ditching the old-style USB 2 and 3 and moving towards USB Type-C.

Dec 31, 2018 • 9min
Phishing Attack Targeting Two-Factor Authentication, Amazon Echo Eavesdropping, Netflix Email Scam – WB49
This is your Shared Security Weekly Blaze for December 31st 2018 with your host, Tom Eston. In this week’s episode: a new phishing attack targeting two-factor authentication, Amazon Echo eavesdropping, and a new Netflix email scam.
As this is the last episode in 2018, I wanted to thank all of you for listening and supporting the podcast this year! Happy New Year and we look forward to helping you stay more secure and private in 2019!
A recent report from Amnesty International shows that there is a large phishing campaign taking place targeting hundreds of individuals in the Middle East and North Africa. The campaign seems to be targeting email accounts from Google and Yahoo as well as the more secure email services ProtonMail and Tutanota. In the case of the attacks targeting ProtonMail and Tutanota, the attackers simply added the letter ‘e’ to the end of ‘proton’ in the domain name ‘protonmail.ch’, and with Tutanota they used the domain ‘tutanota.org’ when the real domain is ‘tutanota.com’. While these two techniques are very common in many similar phishing attacks, these are specifically designed to bypass common forms of two-factor authentication such as text message based methods. Essentially, the attackers set up a login page for an email service, and in the background some fancy scripting acts as a proxy to the real email service while you enter your login credentials and then the two-factor authentication code sent to your phone. This attack could even work against app-based two-factor authentication like Google Authenticator as well. Mitigations for this type of phishing attack are the typical ones we always recommend, like carefully looking at the web address in the email or the address bar of your web browser, and using a newer but more secure form of two-factor authentication such as a hardware security key from companies like Yubikey and others.
I found it interesting that the details in this report were specifically directed towards human rights defenders, because they are almost always targeted by nation-state governments through phishing attacks like these. But as we continue to see what I would call the arms race between us and attackers using more creative ways to conduct phishing campaigns, it’s more important than ever to take the stance of ‘think before you click’. In fact, phishing attacks like the ones described in this report are becoming so common that it’s advisable to never click on links in an email altogether. Instead, manually type in the web address of the site you’re being prompted to click on.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
Visibility into workload communication pathways;
Security policies built on the cryptographic fingerprint of the software;
The ability to apply policies and segment your networks in one click; and
A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Did you receive an Amazon Echo device as a gift over the holidays? Well you may want to pay attention to this story as a man in Germany got much more than he asked for when requesting a copy of all the data Amazon had about him. Apparently, when Amazon sent him the download link to his data, he was accidentally given access to 1,700 private audio recordings from an Amazon Echo device that were generated by a completely different household. The man requesting his data from Amazon said he doesn’t even own or use an Amazon Echo device. A spokesman for Amazon told Reuters last week that, “This unfortunate case was the result of a human error and an isolated single case”. You may recall that this incident follows other similar Amazon Echo issues this past year of Echo devices sending conversations to others that were not the intended recipient.
Does it seem surprising that “human error” is the cause of this most recent issue? Something to keep in mind is that in a data request system, which you would think would be automated, we should not be surprised to hear of issues like these when we’re talking about very complex internal systems that are being used to handle potentially thousands of data requests. The GDPR, which we all know as the EU data privacy law, has provided European citizens with the ability to request their data from companies like Amazon. This is a huge win for individual privacy, but now companies need to make sure internal systems that have issues, like in this example, are properly designed and maintained so that human error and other issues don’t end up creating more privacy concerns.
In other phishing-related news…’tis the season for a new phishing scam targeting Netflix customers. Last week the Federal Trade Commission in the US published an alert to consumers about a phishing email that states that the victim’s Netflix account is ‘on hold’ because the company is having trouble with current billing information. The email urges the user to click on a link to update their payment details, and we all know what happens after that. In the case of this phish, there are several clues that indicate that this is a scam, such as the use of an international support phone number, the British spelling of “centre”, and the greeting on the email of “Hi Dear” instead of the victim’s name.
Ironically, in our previous story we talked about how phishing attacks are getting more sophisticated, but yet very simple phishing scams like this one, bad grammar and all (except if you’re British), continue to be highly effective. Be safe out there and don’t forget to tell your friends and family to be on the lookout for an increase in phishing scams, which seem to always increase right after the holidays.

Dec 26, 2018 • 54min
The Year in Review and 2019 Predictions with Special Guest Kevin Johnson
Watch this episode on our YouTube channel!
In this year end episode of the podcast, we’re joined by frequent guest Kevin Johnson to recap the big cybersecurity and privacy news of this past year, talk about a little movie called Star Wars, and have some fun discussing our “predictions” for what’s to come in 2019.
The Shared Security Podcast is sponsored by Silent Pocket and Edgewise Networks. Thank you to our listeners and sponsors for an amazing year! We really appreciate your support of the show!
Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.

Dec 24, 2018 • 11min
Healthcare Databases Exposed, Facebook’s Photo API Bug, Signal Speaks Out – WB48
Watch this episode on our YouTube channel!
This is your Shared Security Weekly Blaze for December 24th 2018 with your host, Tom Eston. In this week’s episode: Healthcare databases exposed, Facebook’s Photo API bug, and Signal speaks out.
A new report called “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” from threat intelligence firm IntSights, shows that about 30 percent of all healthcare databases end up unsecured and exposed to the Internet. Key findings from their research included that 90 hours of research found 15 exposed databases containing 1.5 million patient records, which based on their calculations works out to approximately 16,667 medical records discovered for every hour of research. Other interesting information from the report notes that the estimated price on the black market is $1 for a single medical record. Exposed databases were found using popular cloud data storage and sharing databases like Elasticsearch or MongoDB. Exposed and misconfigured Elasticsearch databases in particular have been a source of countless data breaches this year, including one that we discussed on the podcast, the Exactis data leak, which exposed 340 million records back in July. Other interesting attack vectors found that led to healthcare databases being exposed include legacy and outdated file sharing protocols such as SMB and FTP, as well as misconfigured APIs and of course our favorite, weak passwords. Recommendations from the report note the always standard security recommendations such as enabling two-factor authentication for web applications, limiting third-party access to databases, closely monitoring databases for unusual reads or requests, limiting database access to specific IP ranges, and conducting penetration testing to find exposed systems and vulnerabilities.
One recommendation I would add is for healthcare organizations to evaluate what systems and databases may be exposed to the Internet and to have a process for discovering exposed systems on a continual basis. Certainly, penetration testing can be used for a point-in-time assessment but using vulnerability scanning and other discovery services on all company owned or third-party managed systems that are exposed to the Internet should be part of any good cybersecurity program.
Facebook recently announced yet another vulnerability that affected nearly 6.8 million of its users. Apparently, a bug in Facebook’s Photo API allowed third-party apps being used by Facebook developers to access more than the users private photos that were authorized to access, but also photos that were shared on Facebook’s Marketplace, Facebook Stories, or photos that were uploaded but not posted by the user. For example, if someone uploads a photo but doesn’t finish posting it, those photos may have been exposed. Facebook says that this bug only impacted users for 12 days, from September 13th to September 25th of this year and that this issue has been corrected. If you were impacted by this vulnerability Facebook states that you will see an alert pop up when you login to Facebook. Facebook also recommends logging into any apps with which you may have shared Facebook photos with to see which photos these apps may have access to.
This most recent issue is a great reminder that you should frequently review the third-party apps that you may have given permission to view personal data from your Facebook account. If you’ve been a long time user of Facebook, it’s easy to forget about all the apps that you may have given various types of permission to your personal data. To see what third-party apps have access to your data, login to Facebook and then visit your Settings, then click on “Apps and Websites”. On this page you can see all the apps that have access to data from your Facebook profile. You can either remove access or in some cases, change the level of permissions for each third-party app. If you’ve never visited these settings before, you may be surprised how many different apps have access to your data. One way that Facebook makes it easy for developers to access your data is through the Facebook login that you see embedded in many popular sites and services that you may use. Often times, it’s easy to trade convenience over privacy because it’s so easy to just login with Facebook rather than creating a whole new set of user credentials. The key here is for you to make the best decision for you and your level of risk. If you’re ok with a third-party company getting information from your Facebook profile, and in some cases, information you were going to give them anyway, it may not be that big of a deal. However keep in mind, when Facebook has a vulnerability like the one they just announced, it’s not just the third-party that has your data but Facebook has it as well.
Signal, the popular end-to-end encrypted messaging app, said this past week that it would not give in to any requests made under Australia’s new “Assistance and Access” law. This law requires that companies provide a way to access encrypted communications and can even impose massive fines on companies and individuals who do not comply. In a blog post, Signal is quick to note that by design it does not have a record of any conversations, contact lists or other profile information, and that “the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom”. Signal even points out that the Prime Minister of Australia uses its application, to prove the point that everyone benefits from the way Signal was designed, even the people trying to enforce laws that make no sense in an ever more digital and online world.
This is not the first time that governments around the world have either tried to ban encryption or compel companies into creating backdoors in applications and products to circumvent encryption. Here in the United States back in 2016, a federal judge asked Apple to help the FBI unlock an iPhone that belonged to the San Bernardino mass shooter. Ironically, even after the case went to court, the FBI never needed Apple to build an encryption backdoor, since the FBI had paid a third-party firm called Cellebrite to unlock the phone for them. This latest example will not be the last case of a government that doesn’t have a good understanding of why banning encryption or creating backdoors within popular end-to-end encrypted communications software weakens protection for everyone.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Healthcare Databases Exposed, Facebook’s Photo API Bug, Signal Speaks Out – WB48 appeared first on Shared Security Podcast.

Dec 17, 2018 • 10min
Equifax Data Breach Details Released, More Google+ API Bugs, Supermicro Strikes Back – WB47
Watch this episode on our YouTube channel!
This is your Shared Security Weekly Blaze for December 17th 2018 with your host, Tom Eston. In this week’s episode: Equifax data breach details released, more Google+ API bugs and Supermicro strikes back.
A report released last week from the U.S. House of Representatives Committee on Oversight and Government Reform about the Equifax data breach, known as the largest consumer data breach in US history, shows that the breach could have been entirely preventable. The 96-page report, which we’ve linked in the show notes for a very stimulating and exciting read, goes into great detail on how attackers were able to exploit an Apache Struts vulnerability in an application called the Automated Consumer Interview System (known as ACIS). For 76 days Equifax failed to detect the breach even though massive amounts of data were being exfiltrated. The report said: “Attackers sent 9,000 queries on these 48 databases, successfully locating unencrypted personally identifiable information (PII) data 265 times”. The breach went undetected because the device used to monitor ACIS network traffic had been inactive for 19 months due to an expired SSL certificate on the data exfiltration monitoring system. Ironically, at the same time, Equifax had also allowed at least 324 other SSL certificates to expire, “including 79 certificates for monitoring business-critical domains”. Once the SSL certificate for the data exfiltration monitoring service was renewed, it was immediately identified that a data breach was taking place. One of the interesting highlights I noticed in the report was how the attackers were able to deploy 30 “web shells” (which are essentially backdoors) across the Equifax network because of the Apache Struts vulnerability. Through these web shells they were able to find a file containing unencrypted credentials, which gave them access to 48 databases outside of the ACIS environment. After that, the rest is history.
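The lesson in the Equifax report is that an expired certificate on a monitoring system is not a cosmetic problem but a silent detection outage. As an added example (not code from the podcast, the House report or Equifax), here is a small stdlib-only Python audit a defender could run over a certificate inventory: it buckets certificates as expired, expiring or OK, puts monitoring roles first, and measures how long the longest-dead monitoring certificate has left traffic uninspected. The hostnames, roles, dates and the audit date are all constructed.

```python
"""Certificate-expiry audit that treats expired monitoring certs as a detection gap.

The inventory and audit date below are constructed sample data; the hostnames
and roles are placeholders, not Equifax systems.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory. The not_after strings use the same text format that
# ssl.getpeercert()["notAfter"] returns, so data from real TLS handshakes or a
# PKI export can be dropped in without reformatting.
CERT_INVENTORY = [
    {"name": "acis-exfil-monitor.example", "role": "monitoring",
     "not_after": "Jan 31 00:00:00 2016 GMT"},
    {"name": "legacy-portal.example", "role": "customer-facing",
     "not_after": "Jun 01 00:00:00 2017 GMT"},
    {"name": "ids-sensor-2.example", "role": "monitoring",
     "not_after": "Aug 15 12:00:00 2017 GMT"},
    {"name": "www.example", "role": "customer-facing",
     "not_after": "Dec 01 00:00:00 2017 GMT"},
    {"name": "payroll.example", "role": "internal",
     "not_after": "Mar 01 00:00:00 2018 GMT"},
]

# Constructed reference point for the audit (a fixed date keeps results stable).
AUDIT_DATE = datetime(2017, 7, 29, tzinfo=timezone.utc)


def not_after_utc(cert):
    """Parse the OpenSSL-style notAfter string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["not_after"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def audit_certificates(inventory, now, warn_days=30):
    """Bucket every certificate as expired / expiring / ok relative to `now`.

    Each entry carries days_left (negative once expired). Within a bucket,
    monitoring certificates sort first because an expired one means traffic is
    flowing past a sensor that can no longer inspect it; ties sort most-overdue
    first.
    """
    report = {"expired": [], "expiring": [], "ok": []}
    for cert in inventory:
        days_left = (not_after_utc(cert) - now).days
        entry = {"name": cert["name"], "role": cert["role"], "days_left": days_left}
        if days_left < 0:
            report["expired"].append(entry)
        elif days_left <= warn_days:
            report["expiring"].append(entry)
        else:
            report["ok"].append(entry)
    for bucket in report.values():
        bucket.sort(key=lambda e: (e["role"] != "monitoring", e["days_left"]))
    return report


def detection_gap_days(report):
    """Days since the longest-expired monitoring certificate lapsed.

    This is the upper bound on how long that sensor has been blind, which is the
    figure an incident responder needs when scoping how far back to hunt.
    """
    gaps = [-e["days_left"] for e in report["expired"] if e["role"] == "monitoring"]
    return max(gaps, default=0)


if __name__ == "__main__":
    rep = audit_certificates(CERT_INVENTORY, AUDIT_DATE)
    for bucket in ("expired", "expiring", "ok"):
        for e in rep[bucket]:
            print(f"{bucket:9} {e['role']:16} {e['name']:28} days_left={e['days_left']}")
    print(f"monitoring has been blind for up to {detection_gap_days(rep)} days")
```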
The other shocking, but not so shocking, part of the report was the very passive and pretty much voluntary recommendations from the committee. Some of the recommendations include requiring credit agencies to offer a free summary of all the data they’ve collected about you, considering more than one year of pre-paid identity theft protection, and giving the Federal Trade Commission more power to monitor the data security practices of credit agencies like Equifax. There was no mention of any federal law or government enforcement that would penalize credit agencies for maintaining poor cybersecurity. In my opinion, this is unacceptable. How many more data breaches will it take for the government to take the security and privacy of our personal data seriously? Only time will tell, and we have a brand new year coming up to find out.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
Visibility into workload communication pathways;
Security policies built on the cryptographic fingerprint of the software;
The ability to apply policies and segment your networks in one click; and
A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Google announced this week that they are expediting the shutdown of Google+ from August 2019 to April and that the Google+ API will be retired in 90 days. Why the sudden change? Well, back in November a software update caused a vulnerability in the Google+ API that may have impacted 52.5 million users. This vulnerability was found through internal testing procedures and it was fixed within a week of being found. The vulnerability meant that apps using the Google+ API which had requested permission to view certain profile information, such as name, email address and more, were granted permission to view that profile information even when the user had set it to not-public. In addition, apps with access to a user’s Google+ profile also had access to profile data that had been shared with approved users but was not publicly shared. The good news is that Google says there is no evidence that app developers accessed or abused this information before Google fixed the issue.
You may remember that back in October Google announced another similar vulnerability in the Google+ API that exposed the private information of 500,000 Google+ users. That initial vulnerability led Google to decide to retire the struggling Google+ social network altogether. I don’t think many of us are going to miss Google+; I know I never used it and I’ll bet you never did either. Hopefully, because of this issue with Google+, Google is testing other similar APIs in its infrastructure for vulnerabilities to prevent the same issue from happening in the future.
Supermicro, the company at the heart of the controversial Bloomberg report from this past October, which said tiny chips had been installed on its boards by the Chinese government, released a letter and YouTube video to customers this past week stating that its own internal audit found no evidence of any tampering with the company’s servers or supply chain. The letter states that a leading third-party investigations firm was hired for the audit and that the motherboard models mentioned in the Bloomberg article were tested, including several recent products.
This letter follows other major tech companies like Apple and Amazon (who happen to be Supermicro customers), as well as representatives of the Department of Homeland Security, the Director of National Intelligence, and the director of the FBI, all of whom have denied or questioned the claims made in the Bloomberg report. Bloomberg still sticks to its story even though details about its sources have been very sketchy, even more so after a subsequent Bloomberg story saying that the Chinese government had implanted spy chips in Supermicro hardware inside a major telecommunications provider. The source of this story was a company called Sepio Systems, but due to non-disclosure agreements with Bloomberg, the telecommunications company has remained unnamed.
I think now, with this latest news, the Bloomberg story has even less credibility than when it was first announced. Sure, the Chinese may be capable of infiltrating a supply chain with tainted hardware. However, I think there is something fishy about this story and we should pay attention to the facts and not always trust media speculation without hard evidence.

Dec 10, 2018 • 10min
The Quora Data Breach, Facebook’s Private Emails, Google Location Tracking – WB46
This is your Shared Security Weekly Blaze for December 10th 2018 with your host, Tom Eston. In this week’s episode: the Quora data breach, Facebook’s private emails, and Google location tracking.
Be sure to enter our Silent Pocket Faraday Bag giveaway currently taking place until December 17th 2018. This prize package is valued at over $100! See our show notes for the link to enter and good luck!
ENTER THE SILENT POCKET GIVEAWAY: https://kingsumo.com/g/ydnieb/silent-pocket-faraday-bag-prize-package
Another week and yet another massive data breach. This time the company is Quora, the popular question-and-answer website. In an announcement last week Quora disclosed that 100 million users may have had their private information stolen when a malicious third party gained access to one of Quora’s systems. Quora states that the issue was discovered on November 30th and that the investigation is ongoing. However, they did disclose that account information (name, email address, and encrypted password hashes, apparently bcrypt with a salt), data imported from linked networks, public content and actions, as well as non-public content such as direct messages have all been compromised. One interesting point they made was that anonymous questions and answers were not affected by this breach because Quora does not store details of anonymous users of the site. If you’re a Quora user, the typical data breach recommendations apply: change your password, and don’t use the same password for every site and service that you use. I did find it surprising that they did not mention enabling two-factor authentication. That’s because, unfortunately, two-factor authentication is not available to Quora’s users (at least as of this podcast recording).
Just two weeks ago Marriott announced that 500 million customers had their personal information stolen as well. As an update to that news, recent reports from Reuters now indicate that Chinese nation-state hackers may be to blame, as private investigators looking into the breach have found hacking tools and techniques previously attributed to China. Yet another announcement of a data breach that reaches into the hundreds of millions is becoming so common that I think many of us believe this is just the new normal. While there isn’t much we can do about how third-party companies protect our information, what is under our control is the most basic of good cybersecurity practices: password management. That means you should be using a password manager, creating complex and unique passwords for every site that you use, and always enabling two-factor authentication where it is available.
Facebook was in the news again this past week when private internal Facebook emails were disclosed in documents released by the UK Parliament during a recent government panel that is investigating Facebook. The emails paint a very clear picture that back in 2012, many years before the Cambridge Analytica scandal, Facebook was looking for ways to monetize the private information it had about its users. One of the ideas discussed with Facebook CEO Mark Zuckerberg was charging apps and developers for access to user data, at roughly 10 cents for every user data request per year, but Zuckerberg rejected that approach and went with the one currently in use today, which is to get people to share more information on Facebook. Other interesting emails within the disclosure show that there were internal discussions on how to move Facebook onto mobile platforms rather than desktop and laptop computers, a shift that was a threat to their revenue model. In one of these emails they go as far as discussing how Facebook could gain access to call logs on Android phones without the user being alerted. These emails indicate that Facebook would rather risk it, try to hide the change inside an app upgrade, and deal with the public relations fallout later if anyone ever found out.
Look, we should all know by now that you and your information are the product when we talk about Facebook’s business model. Even with all the scandals surrounding Facebook, their business model, to monetize your data, is not going to change. What can change is what you want to do about it. Will you continue to allow your private data to be used so that Facebook can make more money? Have you really thought about the risk vs. the rewards of using Facebook? These are all questions to ponder, but no matter what Facebook does, ultimately it becomes your risk decision to use Facebook or not, because no one else can make that decision for you.
The BEUC, a large consumer organization in Europe with members from 43 countries, said that 7 of those member countries will be filing complaints against Google for breaching the GDPR, the well-known General Data Protection Regulation in Europe. The complaint concerns the way that Google tracks and handles users’ location data, which was specifically called out in a report from the Norwegian Consumer Council. The report states that Google’s design of privacy controls such as ‘Web & App Activity’, which is turned on by default, and ‘Location History’, which stores details about you and your location down to nearby Wi-Fi hotspots and even the battery level on your phone, is deceptive, in that users may not be aware that this information is being tracked, and the settings to turn certain features on or off are confusing to users. This is also not the first time Google has been in hot water over how it handles the location data of its users. Just this past October, a class action lawsuit was started here in the US accusing Google as well as Facebook of tracking users’ locations even after users had turned off or opted out of location tracking. If you would like to see all the personal data that Google has collected about you, visit myaccount.google.com and click on the “My Activity” link.

Dec 3, 2018 • 13min
Massive Marriott Data Breach, Secure Holiday Shopping Tips, Phishing Sites Using HTTPS – WB45
This is your Shared Security Weekly Blaze for December 3rd 2018 with your host, Tom Eston. In this week’s episode: the massive Marriott data breach, secure holiday shopping tips, and phishing sites using HTTPS.
In late-breaking news last Friday, Marriott, the world’s largest hotel chain, disclosed a massive data breach that was identified on September 8th of this year, affecting up to 500 million guests. That makes this data breach one of the largest in history. Apparently, the Starwood guest reservation database had been accessed by an “unauthorized party” since 2014; yes, that’s correct, someone had access to this database for 4 years. Marriott categorized the stolen private information into two groups of guests. First, approximately 327 million guests had some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences accessed. Some of these guests also had their credit card information accessed, even though Marriott states it was encrypted. However, Marriott disclosed that the two components used to encrypt the cards (aka the encryption keys) were potentially stolen as well. For the remaining 173 million guests, only name and sometimes other data such as mailing address, email address, or other information was accessed.
In our show notes we’ve linked to a web page that Marriott has set up where you can find additional details as well as sign up for your “complimentary” monitoring service if you’re one of the victims. If you happen to be a victim, as with other data breaches you should change your password for any Starwood Hotels or Marriott rewards program account. And while you’re at it, ensure you’re not saving your credit card details for future use. In general, it’s always advisable never to store your credit card with the sites and services you use. While it is an inconvenience, the majority of the time even encrypted credit card data is compromised in a data breach, because the encryption keys are found as well. Per the other usual advice we give, enable two-factor authentication and, of course, closely monitor your credit card statements for unusual activity. As this story will likely evolve throughout the week, we’ll keep you updated on Twitter and Facebook with information about this data breach as we receive it.
The holiday shopping season is upon us, which means we all need to be more aware of fraud and scams that may be targeting us while we shop online. According to an article from CBS News, Dave Kennedy from cybersecurity firm TrustedSec says that they are seeing “a 317 percent increase in these attacks, compared to the average month”. Why might this be the case? Besides the fact that all of us are spending more money compared to other months, the holidays tend to add a lot of additional stress and pressure that can make us more susceptible to scams and fraud. Scams to look out for this holiday season are ones that may lure you with online coupons, discounts, fake ads and threats like “you must act now because supplies are limited”. The bottom line is to be aware that scams around the holidays will attempt to get an emotional response from you that results in some type of action, such as clicking on a malicious link or entering personal information and credit card details. Oftentimes, scams will be disguised as charity requests targeting the poor or even animal rescues. There is nothing worse than seeing some poor puppy or kitten in need, especially around the holidays. See what I did there? Some of these scams will even use passwords from previous data breaches in email phishing attempts targeting you. For example, there have been recent phishing scams where the email includes a password that you may have used in the past, says that they know your password, and attempts to extort you for money. These passwords are found in publicly available databases of past data breaches. Now, if you happened to use the same password for every site and service that you use, this scam would probably cause you a rather urgent emotional response, which is exactly what the scammer is going for.
So what are the top three tips to protect yourself from online scams and fraud this holiday season? First, be cautious of any email, web or social media advertisement attempting to generate an emotional response from you. Think before you click; if it looks to be a legitimate offer or you’re not sure, you’re better off visiting the site or service by manually typing the web address into your browser. Second, do a little research on the company and the site that may be selling a product before you make a purchase. You can do this through some simple Google searches for the company or by checking reviews on Amazon and other marketplaces. A lot of times during the holidays, scam sites will show up that look exactly like popular sites you may have done business with in the past, so be sure to carefully review the URL (aka the domain information in the address bar of your browser) to make sure you’re not visiting a phishing site. You should also be careful with sellers on Amazon and similar large online retailers. There have been cases of legitimate merchants having their Amazon seller accounts hacked, and some scammers put up fake marketplaces offering popular toys and other hot items at deep discounts which end up stealing your money or sending you a broken version of the item you were attempting to buy. Lastly, as we mentioned in episode 43 of the podcast when we discussed how to prevent credit card fraud, never use a debit card for your purchases. Instead, use a credit card. Even if your bank says that you have zero liability for debit card transactions, you still lose that money out of your checking account instantly, and it can take weeks for your bank to reimburse you. And that’s definitely something you don’t want to happen right around the holidays.
A recently released study by PhishLabs has shown that almost half of all phishing sites now use HTTPS encryption to trick you into thinking that the phishing site is legitimate. According to Brian Krebs of KrebsOnSecurity.com, the report found that “49 percent of phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.”
This trend is concerning, since in the past security professionals and awareness campaigns have said to “look for the lock” to ensure that a site is “secure” and safe to submit your sensitive data to. The “look for the lock” education was never the best advice, because the lock only means that the information you submit through a website is protected in transit through the use of HTTPS, also known as SSL encryption. It says nothing about whether the site is fake or has other vulnerabilities which could lead to your data being compromised.
So how can something good, like HTTPS encryption, also be leveraged by attackers? First, it’s easier than ever to obtain a legitimate and free SSL certificate through projects like Let’s Encrypt. This is actually a good thing, as HTTPS encryption helps secure your information in transit, which prevents surveillance by an attacker that might be trying to access your data while it’s being transmitted. With the push by tech companies and other privacy advocates, it’s more important than ever to ensure websites are all using HTTPS. On the other hand, however, the barrier to entry for obtaining a legitimate SSL certificate is now very low. You don’t have to provide an ID or any other documentation that you own a site or are using the SSL certificate for a valid and legal purpose. I think it goes back to re-educating all of us on the real purpose of HTTPS encryption, which is that it can only protect the information you send to and receive from a site, and should not be used as a way to ensure a site is secure and safe to put your information into. Of course, you should ensure that a site is using HTTPS encryption before entering sensitive information, but specifically to detect phishing attacks, awareness starts with the email that you receive and the clues which indicate that the email may be a phishing attempt.

Nov 30, 2018 • 38min
Special Guest Tanya Janca, DevOps and AppSec, Women in Cybersecurity – #82
In this episode Tom and Scott are joined by special guest Tanya Janca, who is a Senior Cloud Developer Advocate for Microsoft. We speak with Tanya about her journey into the world of AppSec, women and minorities in cybersecurity, her advice for getting started in AppSec, her OWASP project (DevSlop), the current state of DevOps and privacy, and much more! Tanya is one of our most fun and engaging guests; this is one not to miss! Below are show notes and links mentioned in the podcast:
Tanya’s blog on Medium and her article on getting started in AppSec.
Follow Tanya on Twitter. You can try connecting with her on LinkedIn but she’s maxed out her connections! (we didn’t even know this was possible)
Tanya hosts a weekly live streaming OWASP DevSlop show every Sunday at 1pm Eastern. Check it out on Mixer, Twitch, or YouTube.
You can also watch this episode with Tanya on YouTube!
Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening!


