Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Nov 26, 2018 • 10min

Vehicle Infotainment Privacy, Instagram’s Accidental Password Exposure, Firefox Monitor – WB44

This is your Shared Security Weekly Blaze for November 26th 2018 with your host, Tom Eston. In this week’s episode: vehicle infotainment privacy, Instagram’s accidental password exposure, and the Firefox Monitor data breach notification service.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

A new Bluetooth vulnerability and exploit that affects millions of vehicles worldwide, called CarsBlues, was announced by Privacy4Cars founder Andrea Amico. The exploit, which has been disclosed to auto manufacturers through the Automotive Information Sharing and Analysis Center (or Auto-ISAC, as it’s also known), can be performed in a few minutes using inexpensive and readily available hardware and software, and apparently does not require significant technical knowledge. Information that could be accessed through the vulnerability includes stored contacts, call and text logs, and text messages. While exact details on the vulnerability have not been released, Privacy4Cars has said that the people most vulnerable would be those who may have synced their phones to cars that are no longer under their control, like rental cars or leased vehicles.

Privacy4Cars, which offers a free mobile app that shows you how to delete private data you may have synced to a car, notes that “industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems”. This recent news is a great reminder that we all need to be cautious when syncing our phones and devices to our cars, especially when we’re syncing our phones to rental cars or dropping our cars off for repair. I know I’ve noticed that when simply plugging my phone into the built-in USB charger in a rental car, the infotainment system will often automatically sync your contacts and text messages. If you’re not familiar with how to delete your synced information, or if you need to find out how to reset the car’s infotainment system, check out the Privacy4Cars app, which we have linked in the show notes for this episode.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: visibility into workload communication pathways; security policies built on the cryptographic fingerprint of the software; the ability to apply policies and segment your networks in one click; and a way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movement by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Instagram said last week that it has fixed a vulnerability in its new “download your data” feature that may have inadvertently exposed users’ passwords. The download your data feature is a recently added privacy enhancement that allows you to download all of the photos, comments, posts and other information you may have shared with Instagram. The issue was caused by an added security measure in which Instagram asks you for your password before downloading your data. A vulnerability in this security feature allowed the plain text password to be included in the URL as well as stored on Facebook’s servers. Both of these issues were identified by internal Instagram staff. As you should all be aware, Instagram is part of Facebook and uses Facebook’s servers and infrastructure. The good news is that the issue has been corrected and the password data has been deleted. If you happened to be affected, Instagram will notify you to update your password as well as clear your browser cache. It’s worth noting that Instagram added the “download your data” feature to comply with the new European data privacy regulation we all know and love as GDPR. Back in October, Facebook fixed a more serious vulnerability in the “View As” feature, which allowed unknown attackers to steal the access tokens of approximately 30 million Facebook users. Any new feature, especially one intended to improve privacy or security, should be carefully reviewed for security vulnerabilities just like all other code within an application. Let’s hope that Facebook’s developers and security teams are taking the approach of ensuring future features are free of vulnerabilities before putting them out to the public.

Did you know that Mozilla, the maker of the Firefox web browser, has offered a free breach notification service called “Firefox Monitor” since September of this year? Mozilla is apparently partnering with Troy Hunt’s “Have I Been Pwned” database of compromised accounts from past data breaches. You can visit monitor.firefox.com to see if your email address was part of a past data breach. You can also sign up for a more detailed report and to be alerted when new breaches happen that contain your email address. Just this past week, Mozilla announced that it will now deliver breach alerts from within the Firefox web browser while you surf the web. This works starting with version 62 and later of Firefox. When you visit a website that previously had a data breach, you will be notified through an icon that appears in the address bar. The alert will then give you the breach history of the website as well as a link back to Firefox Monitor to see if your information was part of the data breach. You can, of course, turn off these alerts within the Firefox preferences if you don’t want to be notified. I think this is a great step forward for data breach notification, as often we may never know that a particular website we frequent has had our information compromised in a past data breach. I also think that this move by Mozilla may make customers think twice before signing up or purchasing products from a website that may not have had the best track record for security. As we always recommend, if your data was compromised in a data breach you should always change the password that you used for that site and enable whatever form of two-factor authentication the website hopefully offers. As mentioned on last week’s show, always choose app-based two-factor authentication over SMS or text message based solutions if available.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts, or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Nov 23, 2018 • 24min

Harry Sverdlove, Edgewise Founder and CTO – Special Edition

In this special edition of the podcast we speak to Harry Sverdlove, who is the Founder and Chief Technology Officer of Edgewise. Harry talks with us about the concept of “zero trust” and Edgewise’s innovative technology that can help stop data breaches. Find out more at Edgewise.net, and schedule a demo by clicking on the “Request Demo” button on the main page. Thanks again to Harry for being our guest on the show and to Edgewise for sponsoring the podcast!
Nov 19, 2018 • 13min

USPS Informed Delivery Vulnerabilities, Holiday Credit Card Fraud, Huge SMS Database Leak – WB43

This is your Shared Security Weekly Blaze for November 19th 2018 with your host, Tom Eston. In this week’s episode: USPS Informed Delivery vulnerabilities, protecting yourself from credit card fraud, and a huge SMS database leak.

Hi everyone, welcome to the Shared Security Weekly Blaze, where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Are you using or thinking about using the US Postal Service’s “Informed Delivery” feature? If so, you’ll want to pay close attention to the recent warning from the US Secret Service, which was sent to law enforcement across the country earlier this month. This alert stated that fraudsters are leveraging this feature to surveil potential identity theft victims, and references a recent case in Michigan where seven people were arrested for apparently stealing credit cards from mailboxes after registering as those victims for the Informed Delivery service. Brian Krebs from KrebsOnSecurity.com, who broke the news about the Secret Service alert, has noted that in the past the postal service had no way to notify residents when someone signed up for the Informed Delivery service at their address. Earlier this year the postal service corrected this issue by mailing residents if someone has signed up for Informed Delivery at their address. Unfortunately, this doesn’t solve the problem if fraudsters simply order credit cards to the address before signing up for the service. Once the cards have been ordered, the fraudster can then take advantage of the week or so that it takes to get a credit card in the mail to sign up the victim for Informed Delivery.

The other issue with Informed Delivery is that to sign up for the service you’re asked four knowledge based authentication (or “KBA”) questions, which typically have answers that can be Googled or found through other searching techniques on the Internet. It has been well known for quite some time that KBA is not a reliable form of authentication. So what can you do if you’re concerned about having your address hijacked by a fraudster using Informed Delivery? Unfortunately, not a lot at this point. Putting a freeze on your credit can help, since if someone is trying to set up Informed Delivery in your name, the KBA process can’t access your credit files. However, Brian Krebs reports that this may not be working for everyone with a credit freeze in place. You may also want to “plant your flag”, so to speak, by signing up for Informed Delivery before someone else does. When signing up myself I was asked to visit my local post office branch to physically verify me or have an “invitation code” sent to me through the mail. Other than that, you can try to email the postal service to attempt to ‘opt-out’ of Informed Delivery, but according to reports, emails are going unanswered, and those who have received responses are being asked KBA questions that are to be answered through plain text email. And we all know plain text email is not a secure means of communication. It’s safe to say that Informed Delivery is quite the mess right now. We’ll be sure to keep you updated on any changes or improvements to the security and privacy of Informed Delivery in future episodes.

A report released last week by the firm Gemini Advisory showed that credit card fraud is still increasing in the US despite the use of new EMV chip-enabled cards. EMV, which stands for Europay, Mastercard and Visa (or “chip cards”, as they are better known), provides end-to-end encryption during card-present transactions. The Gemini Advisory report stated that despite financial institutions issuing chip cards to their customers, out of the more than 60 million cards stolen over the last 12 months, 93% of them were chip enabled cards. Moreover, 45.8 million, or 75%, of card-present transactions were stolen at point-of-sale devices, while only 25% were compromised in online breaches. With all the chip cards out there, what seems to be the problem? The issue is that merchants in the US are still struggling with updating point of sale equipment (often abbreviated as POS) to support chip cards, specifically because of the high cost associated with purchasing and installing equipment to support EMV technology. I’m sure you’ve noticed that every merchant is different and many still utilize the old fashioned swipe terminals. All credit cards with a chip also have the old magnetic stripe on the back for situations where a chip reader is broken or for merchants that have not upgraded their equipment yet. Gas stations in the US are the biggest culprits, since they are not held liable or at fault for credit card fraud until October 2020. This is why in the US you still have to use the old fashioned swipe terminals at the gas station.

So how does a chip card get compromised? The main ways are through malware installed on the point-of-sale system, skimming (where a device reads the magnetic stripe off of the card while you conduct a payment transaction) and “shimming”, where a device sits between the chip on your card and the chip reader. Shimming devices can be used to create counterfeit magnetic stripe cards, but not if the bank is validating something called a CVV code, which is part of the EMV standard. Some banks and merchants have not fully implemented EMV, which makes point-of-sale malware and credit card cloning the most popular types of credit card fraud. Until the merchants decide to upgrade their equipment, we’re going to see card-present fraud continue to be an issue. In related news, a report from ACI Worldwide shows that there will be a 14% increase in fraud attempts this holiday season, with the highest volume this week and next due to Black Friday and Cyber Monday.

Having said that, here are some tips to help prevent becoming a victim of credit card fraud this holiday season. First, use a more secure payment method like Apple Pay, Samsung Pay or Google Pay with your mobile phone if the merchant supports it. If these methods are not available, you can always fall back to cash. If shopping online, check to see if the merchant supports these more secure payment methods as well. Second, if you’re at the gas pump or using an ATM, always check to see if a skimmer is installed. This can be as simple as wiggling the credit card reader or looking for anything that seems out of place with the reader itself or the outside of the machine. Third, set up and configure fraud or text alerts for every transaction on your credit card. That way, you know right away if your card has been compromised. Also make sure you check your credit card statements often to look for suspicious transactions. Lastly, never use a debit card for making purchases. If your debit card is compromised you lose the cash from your bank immediately, and it can take weeks and lots of paperwork to get your money refunded. You’re safer with a credit card, and the majority of credit cards these days have zero liability for fraudulent charges.

A massive database of over 26 million text messages, belonging to California-based communications company Voxox, was discovered by security researcher Sebastien Kaul using the Shodan search engine. This database contained text messages that had password reset links, two-factor authentication codes, shipping notifications, names, cellphone numbers and more. The database server was found completely open to the Internet with no password, and provided a web front-end, making the data extremely easy to search through. While access to this particular database has been taken offline, it shows once again how SMS text messaging should not be used for secure communication or for two-factor authentication. Moreover, this is another example of a company that processes millions of sensitive records leaving a massive database like this exposed for anyone to view and access. Many of us don’t think about the third-party companies like Voxox that work on the backend of your mobile carrier to process text messages, two-factor authentication codes and other communications that end up being pushed to your cell phone. SIM hijacking and other SMS text message attacks, as discussed in previous episodes of the podcast, are continuing to increase. This is one reason we recommend that companies and services move away from SMS based two-factor authentication and use more secure methods like app based solutions such as Google Authenticator, Authy, Duo and other services which do not rely on SMS text messaging. Make sure you look for app based two-factor authentication when signing up for a new online service. Note that popular sites like Facebook, Instagram and Twitter already provide app based two-factor authentication solutions that you can begin using right now.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback@sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts, or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Nov 12, 2018 • 10min

Midterm Election Security, Gait Recognition Surveillance Technology, Caller ID Authentication – WB42

This is your Shared Security Weekly Blaze for November 12, 2018 with your host, Tom Eston. In this week’s episode: midterm election security, gait recognition surveillance technology, and caller ID authentication.

Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

The mid-term elections here in the United States took place last Tuesday, and the Department of Homeland Security has said that there has been no evidence of any hacking of the election infrastructure. As many of you may be aware, last Tuesday’s election was the first major election in the United States since Russia attempted to influence the 2016 presidential race. In fact, Department of Homeland Security Secretary Kirstjen Nielsen has said that last Tuesday’s election “is the most secure election in the modern era”. Surprisingly, many areas of the country are still using paper ballots. In fact, 21 states are using full paper ballots and others are using a hybrid approach of paper and voting machines. As you can imagine, the security of voting machines has been a hotly debated topic ever since the DEF CON hacking conference that took place in August of this year. This conference had a voting machine hacking village in which several different types of real voting machines were found to be vulnerable to many different types of attacks. These attacks could manipulate election results as well as cause other havoc on the overall election system. The biggest concern with vulnerable voting machines, though, is physical security, as the majority of these hacks require physical access to the voting machine. As long as polling places and local governments running and managing voting infrastructure take the physical security of these machines seriously, the risk of election result manipulation via the machine itself remains very low. If you’re interested in learning more about voting machine security, Scott and I dedicated an entire episode to this fascinating topic in episode 79 of our monthly show.

The bigger issue this election season, though, has been malicious manipulation of voters through the influence of social media. Just last week it was reported that Facebook had blocked more than 100 accounts that had ties to a Russian “troll farm” designed to influence the midterm elections. Facebook also noted that it deleted dozens of accounts that were linked to Iran in late October. Our advice is to always be careful about what you see posted on social media, not just political posts, as a lot of this information may be coming from a non-trusted source designed to manipulate your views.

A new form of surveillance technology called “gait recognition” software is now being used by Chinese police on the streets of Beijing and Shanghai as well as other areas of China. Gait recognition software can identify someone by their body shape as well as how they walk. The technology, created by a company called Watrix, does not need special cameras and works even when faces are hidden or unable to be identified through traditional facial recognition technology. Gait recognition has a 94 percent accuracy rate, which is good enough right now for commercial use. The software works by first uploading video footage, then extracting someone’s silhouette from the video and analyzing movement to create a virtual model of how the person walks. This means that even if a person was purposely trying to evade a system like this, by limping or hunching over, the software is still capable of determining their identity. However, identifying people in real-time video footage is not yet available, as it currently takes a lot of computing power to analyze someone’s gait because you need a sequence of images rather than the single image that current facial recognition technology uses. In China and other nation states, mass surveillance is big business. In fact, I recently visited London, England, which is known as one of the most surveilled cities in the world. There are CCTV cameras everywhere! One recent report noted that there are approximately 5.9 million closed-circuit TV cameras in the UK, which works out to be one camera for every 11 people. That, of course, is nothing compared to China, where it’s estimated that 176 million surveillance cameras are keeping tabs on China’s 1.3 billion citizens. Keep in mind, surveillance cameras are not always government owned and operated. Many are purchased by homeowners and businesses to help deter theft and other crimes. What I find interesting is that by combining gait recognition with current facial recognition technology, it could mean much more surveillance technology being used in a city near you once this software becomes more mature and cheaper to purchase.

The chairman of the FCC, Ajit Pai, stated last week that he is demanding the adoption of an authentication system to prevent caller ID spoofing, which is the primary technique used by robo and spam callers. Ajit Pai sent letters to the CEOs of 14 telecom companies stating that if they did not establish plans to implement call authentication by 2019, the FCC would take action. Neither Ajit Pai nor the FCC specified what action they would take against telecoms that did not comply with the order. Caller ID spoofing is when a scammer uses techniques to hide the real phone number they are calling from, to make it look like a call coming from a number you are more likely to answer, like one that has the same area code and prefix as your phone number. Earlier this year the FCC dished out its biggest fine ever, to the tune of $120 million, to a person in Miami, Florida who was responsible for 96 million robocalls. Now if we could just get the FCC to reverse course on net neutrality, that would be even better. If you’re interested in learning more about the technology that telecom companies are looking to implement, one in particular called “CallPrinting”, be sure to listen to episode 35 of the Weekly Blaze, linked in the show notes of this episode.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Nov 5, 2018 • 10min

Microsoft and Apple Security Updates, Signal’s Sealed Sender, Girl Scouts Data Breach – WB41

This is your Shared Security Weekly Blaze for November 5th 2018 with your host, Tom Eston. In this week’s episode: Microsoft and Apple security Updates, Signal’s sealed sender and the Girl Scouts data breach. Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer. Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. This past week Microsoft announced that its built-in anti-virus application called Windows Defender now has the ability to run within a ‘sandbox” environment. Sandboxing allows an application to run in a separate environment away from the rest of the Windows operating system and other applications installed on a PC. Sandboxing in Windows Defender is a very important security update given that Windows Defender runs as a high-privileged service and is a large target for attackers to compromise. Windows Defender is also the only anti-virus solution on the market with this capability. In order to enable sandboxing in Windows Defender you need to make a quick environment variable change within Windows if you want to use this feature right away. However, Microsoft plans on deploying this update to all Windows Defender users in the near future. See our show notes for details on how to enable sandboxing if you’re interested in using this new feature. 
In other security update news, Apple released several new security updates on the heels of the new Macs and iPads announced at Apple’s event last Thursday. Security updates for macOS Mojave, High Sierra and Sierra, iOS, watchOS, tvOS, Safari, iTunes, and iCloud for Windows were all released. One particularly serious vulnerability in macOS could allow remote code execution or crash your device. During the Thursday event, Apple also announced that new MacBooks with the T2 security chip will automatically disable the microphone when the lid is closed. Because the disconnect is done in hardware by the T2 rather than in software, this new privacy control prevents any type of software, including spyware or “stalkerware” running with root or kernel privileges, from engaging the microphone while the lid is closed. This privacy feature is a large step forward in combating malware installed without the user’s knowledge for surveillance and stalking. Be sure to listen to episode 40 of this podcast for more details on stalkerware and how to know if one of these apps may be installed on your device. These two stories once again emphasize that it’s important to keep the operating systems, anti-virus software and even the hardware on your devices up to date for the most current security and privacy protections. 
Signal, the highly recommended messaging app that provides end-to-end encryption, announced last week a new privacy feature called “Sealed Sender” that is now available in the public beta release of Signal. The sealed sender functionality hides who is messaging whom from the Signal service itself. Signal, by design, does not store any information about your contacts, conversations, locations, or group information. However, one small piece of metadata within the Signal service could not previously be hidden: who is messaging whom. Sealed sender can be explained with the analogy of a piece of physical mail, where the outside of the envelope carries the addresses of both the sender and the recipient. You can’t see what’s inside the envelope, but you can see who it’s from and who it is being sent to. What sealed sender does is remove the sender’s information from the outside of the envelope while still carrying the destination so the message can be delivered. Hiding who is sending messages within Signal is a fairly complicated technical process, but it’s all done through cryptographically secure sender certificates, delivery tokens and additional layers of encryption: the sender certificate travels inside the encrypted envelope so only the recipient can read and verify it, and the delivery token (a secret the recipient shares only with people they trust) is what the server checks instead of the sender’s identity. Signal notes in their blog post announcing sealed sender that “as clients upgrade, messages will automatically be delivered using sealed sender whenever possible”. In the meantime, interested Signal users can participate in the latest public beta to try out this new privacy feature. Find out more information about Signal’s beta program in our show notes. 
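To make the envelope analogy concrete, here is an added, deliberately simplified model of the sealed sender flow described above. It is example code written for this page, not Signal’s own implementation: real Signal uses X3DH/Double Ratchet ciphertexts, server-issued sender certificates signed with a key whose public half is pinned in the clients, and delivery tokens derived from the recipient’s profile key. Here HMAC-SHA256 stands in for both the signature and the encryption, and the names (`Server`, `send_sealed`, `receive_sealed`, Alice and Bob) are assumptions for illustration. What the model does show is the structure: the server checks a delivery token instead of a sender identity, the sender certificate rides inside the encrypted outer layer, and the recipient verifies it before trusting the inner message.

```python
"""Added, simplified model of Signal's sealed sender envelope (not the Signal protocol).

HMAC-SHA256 stands in for signatures and encryption so the envelope structure
is visible using only the standard library.
"""
import hashlib
import hmac
import json
import secrets
import time


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for a real AEAD)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += _mac(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a symmetric key; one 'layer of encryption'."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": _mac(key, nonce + ct).hex()}


def unseal(key: bytes, box: dict) -> bytes:
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, _mac(key, nonce + ct)):
        raise ValueError("ciphertext authentication failed")
    return _xor_stream(key, nonce, ct)


class Server:
    """Relays envelopes. With sealed sender it sees the recipient, never the sender."""

    def __init__(self):
        self.cert_key = secrets.token_bytes(32)  # certificate signing key (toy: symmetric)
        self.delivery_tokens = {}                # recipient -> token the recipient registered
        self.seen = []                           # metadata the server can observe per message

    def issue_sender_certificate(self, sender: str, ttl_seconds: int = 86400) -> dict:
        body = {"sender": sender, "expires": int(time.time()) + ttl_seconds}
        sig = _mac(self.cert_key, json.dumps(body, sort_keys=True).encode())
        return {"body": body, "sig": sig.hex()}

    def route(self, envelope: dict) -> dict:
        """Accept a sealed envelope only if it carries the recipient's delivery token."""
        to = envelope["to"]
        expected = self.delivery_tokens.get(to)
        presented = bytes.fromhex(envelope["delivery_token"])
        if expected is None or not hmac.compare_digest(expected, presented):
            raise PermissionError("invalid delivery token for " + to)
        self.seen.append({"to": to, "from": None})  # outside of the envelope names no sender
        return envelope["sealed"]


def verify_certificate(cert_verify_key: bytes, cert: dict, now: int) -> str:
    """Recipient-side check that the sender certificate is genuine and unexpired."""
    body = cert["body"]
    expected = _mac(cert_verify_key, json.dumps(body, sort_keys=True).encode())
    if not hmac.compare_digest(expected, bytes.fromhex(cert["sig"])):
        raise ValueError("bad sender certificate signature")
    if body["expires"] < now:
        raise ValueError("sender certificate expired")
    return body["sender"]


def send_sealed(server, cert, recipient, delivery_token, recipient_key, session_key, msg):
    """Wrap the normal end-to-end ciphertext plus the sender certificate in a second layer."""
    inner = seal(session_key, msg)
    outer = seal(recipient_key, json.dumps({"cert": cert, "inner": inner}).encode())
    envelope = {"to": recipient, "delivery_token": delivery_token.hex(), "sealed": outer}
    return server.route(envelope)


def receive_sealed(sealed, recipient_key, session_key, cert_verify_key, now=None):
    """Peel the outer layer, authenticate the sender, then decrypt the inner message."""
    payload = json.loads(unseal(recipient_key, sealed))
    sender = verify_certificate(cert_verify_key, payload["cert"], now or int(time.time()))
    return sender, unseal(session_key, payload["inner"])


def demo():
    """Alice sends Bob one sealed message; returns (server view, sender, plaintext)."""
    server = Server()
    bob_key, bob_token, session = (secrets.token_bytes(32) for _ in range(3))
    server.delivery_tokens["bob"] = bob_token   # Bob registers his token with the server
    cert = server.issue_sender_certificate("alice")
    sealed = send_sealed(server, cert, "bob", bob_token, bob_key, session, b"hello bob")
    sender, text = receive_sealed(sealed, bob_key, session, server.cert_key)
    return server.seen, sender, text
```

Running `demo()` shows the two properties the episode describes: the server’s log records only the recipient (`{"to": "bob", "from": None}`), while Bob still learns, from the certificate he finds inside the envelope, that the message came from Alice. A wrong delivery token is rejected by the server before anything is relayed, and an expired certificate is rejected by the recipient, which is why the certificates are short-lived in the real design.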
And in case you didn’t know, Signal is a great app that we highly recommend for secure and private end-to-end encrypted messaging and phone calls. The Girl Scouts of America, who are responsible for selling those delicious cookies each year, were the recent victim of a data breach which compromised the personal information of around 2,800 girls and their families. Personal information compromised included names, birth dates, home addresses, insurance policy numbers, driver’s license numbers, and health history. The data breach apparently happened when an email account used by the Orange County, California branch of the Girl Scouts to make travel arrangements was illegally accessed by an unknown third party. The compromised email account was only accessed from September 30th to October 1st, and all parties who had their data compromised have been notified. The Girl Scouts say that they have changed the password for the compromised account and that they will be implementing a secure online system for travel forms containing personal information to replace the email system previously used. Ironically, last year the Girl Scouts created a “cybersecurity” badge that girls can earn which teaches them how to be safe online, how to protect their personal and financial information, and how to avoid hoaxes or scams. Now that the Girl Scouts themselves are educated, perhaps Girl Scout administrators and staff can earn this badge too so that they can avoid another data breach in the future. That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel.  
Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Microsoft and Apple Security Updates, Signal’s Sealed Sender, Girl Scouts Data Breach – WB41 appeared first on Shared Security Podcast.
Oct 31, 2018 • 39min

Fortnite Scams, Google Search Privacy, Bloomberg SuperMicro Controversy – #81

This is the 81st episode of the Shared Security Podcast, sponsored by Silent Pocket and Edgewise Networks, hosted by Tom Eston and Scott Wright and recorded on October 29, 2018. Listen to this episode and previous ones direct via your web browser by clicking here. This episode is also available to watch on our YouTube Channel. In this episode Tom and Scott cover the recent rise in Fortnite scams, new privacy controls in Google search and the controversy over the Bloomberg article and SuperMicro. Below are show notes and links mentioned in the podcast: Fortnite scams are increasing due to the massive popularity of the game. Many teens and adults play this game, so be on the lookout for scams over email, websites, and even YouTube videos. Google is putting more privacy controls directly in “Google Search”. This is a great idea, but your privacy across the many different Google services will continue to be a challenge. We also discuss the benefits of using search engines that have your privacy in mind like DuckDuckGo and StartPage. The Bloomberg story that came out several weeks ago about SuperMicro continues to cause controversy in the cybersecurity community. Scott gives his take on the situation! Thanks for listening! The post Fortnite Scams, Google Search Privacy, Bloomberg SuperMicro Controversy – #81 appeared first on Shared Security Podcast.
Oct 29, 2018 • 11min

Spy Apps and Stalkerware with Special Guest Jeff Tang – WB40

This is your Shared Security Weekly Blaze for October 29th 2018 with your host, Tom Eston. In this week’s episode: Spy apps and stalkerware with special guest Jeff Tang. Spy apps, better known as “stalkerware”, are apps that can be used to track and spy on everything someone does on a mobile device. That includes reading text messages, viewing photos and emails, seeing websites visited, tracking real-time GPS location, turning on the microphone or camera, viewing social media usage, and much more. These apps go by the names of mSpy, FlexiSPY, Retina-X, and many others that are widely available for purchase. While there may be legitimate purposes for installing an app like these, for example parents who want to track what their kids are doing on their mobile devices or employers monitoring company-issued phones, criminals and stalkers are also using these apps to conduct surveillance and monitoring of a victim’s device. These apps are very concerning for someone who might be in a domestic abuse situation or is being criminally stalked. In this episode we’re going to cover why these apps have become so popular, how they are installed and how you can detect if someone has installed one of these apps on your mobile device. Tom Eston: Joining me to talk about spy apps and stalkerware is Jeff Tang, who is the Senior Manager of Applied Research at Cylance. Welcome to the show, Jeff. Jeff Tang: Hey Tom, thanks for having me. 
Tom Eston: So what’s your take on these apps, and why do you think they’re becoming so popular? Jeff Tang: I think there’s a lot of interest in these apps because we’re in a new society where we’re actually recording everything, and everything is becoming digital. Our entire lives are captured onto our cell phones, from photos, to text messages, to emails, to just GPS location. And we’re in this age where all this data is now available, and I think we’re seeing the commoditization of the spying applications that take advantage of the availability of this data. So I think a lot of the popularity is just like this wasn’t possible before smartphones existed, it was much more difficult to try to capture someone’s location, but now we all carry a GPS device in our pockets. Tom Eston: Yeah, I’m kind of reminded of… If you’re a fan of the Breaking Bad TV show, where they put a GPS locator on somebody’s car and then they use an old style type of GPS tracker to follow the car around, right? Jeff Tang: Yeah, and those are actually still really common, right? You can go on Amazon and buy them for as cheap as 20 bucks. Tom Eston: So the technology has definitely evolved. So, is it just because we now have more power at our fingertips that it makes these apps a lot easier for people to use? Jeff Tang: Yeah, I think it’s… We’ve all had kind of an inclination to know what’s going on. And now in 30 seconds we can go and search for something like this. And there are other vendors out there that are willing to provide this as a service. Tom Eston: So how do these apps get installed? I would think that you either have to have physical access to the device, or are there other ways that somebody would install this on your device? Jeff Tang: So there are effectively two ways that these apps can work. The first way is if you are an iCloud customer where your phone is constantly being backed up to the Cloud. 
If your iCloud credentials get compromised, as we’ve seen in the past when celebrities were getting their phones hacked, these services can just go download the backup from the Cloud, extract all the information, and present it to you in their dashboard. The second way is having physical access to the device or having some way of installing this malicious application onto the device. So, for instance, if you lose sight of your phone for a few minutes and you don’t have a passcode on it, someone can easily just grab your phone, install the app, allow it the necessary permissions to access your microphone, your contacts, your GPS location and so on, and then it functions like a normal application. Tom Eston: So are there any dangers to having one of these apps installed on your phone? So I know a couple of these apps do things like they jailbreak or root your device. I would assume that that’s dangerous in terms of disabling certain things on your device in order for this app to run, correct? Jeff Tang: They can run in different modes. For the most part, mobile devices have good sandboxes, which constrain the application to only operating within its sandbox. Some of them do support jailbreaking, which compromises the security integrity of the device, allowing it to access other information outside of its sandbox. So you can actually become more vulnerable, say, to another malicious application that was on your device, maybe something that pretended to be something that it wasn’t… It really wasn’t. Like pretending to be some sort of text messaging service, when in reality it’s some piece of malware. And then we also see things like if a phone is vulnerable to… And it hasn’t been updated and is vulnerable to some browser-based exploits, that’s one less thing that a malicious attacker has to do in order to gain access to your phone. 
Tom Eston: So it sounds like a lot of these apps, in the way that they function, are very similar to techniques that a government or, say, a very large nation state would use to target, maybe, an individual. You’ve probably seen the news about the Pegasus malware created by that group… The NSO group over in Israel, and they’re selling that software to governments. But for somebody that, say, is in a domestic abuse situation or might fear that they are being stalked, how could these people defend themselves from having these applications installed on their devices? Jeff Tang: The first step is to maintain physical security over your device, which isn’t always possible, right? So the second part is making sure that you have a strong passcode on the device that no one else knows. 
And it’s pretty common to have simple four-digit PINs on phones, or in the case of Android, the little connecting-the-dots pattern; we should really start moving towards something much stronger, having longer passcodes, full alphanumeric and so on. And the second part of that is, if you’re using some sort of Cloud backup service that your phone constantly sends data to, ensuring that the credentials for that service are also strong. Making sure that we’re not reusing the same passwords for our phone and that backup service. And then following that, if there’s a suspicion that the device is compromised, it might be best to pick up a new device and start using that so that we know that that one isn’t compromised at the time. Tom Eston: Are there any best practices? Should someone use an Apple iOS device versus an Android, or are they both about the same? Jeff Tang: They’re both reasonably the same. The same best practices have been around for almost two decades now. It’s using strong credentials, and keeping the device up to date. And then we can also go and routinely eye what applications are installed on the phone. And then it also might be just a good time to start cleaning out the phone of applications that you don’t use. Some of these tend to masquerade as a patsy application, right? They’re not all gonna claim that they’re spying device… That they’re spyware applications. Tom Eston: They would have to be installed as some type of app, correct? Probably hidden? Jeff Tang: Yeah, for the most part they are installed as a normal application. I’d imagine some of the fancier ones, especially when you start going towards like Pegasus, that they are being hidden from your display. But when we’re looking at the run-of-the-mill spyware, stalkerware apps, they’re typically not going that far. Tom Eston: Well, great advice, Jeff. I really appreciate your time, and thanks for coming on the show. Jeff Tang: Alright. Thanks Tom. That’s a wrap for this week’s show. 
Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Spy Apps and Stalkerware with Special Guest Jeff Tang – WB40 appeared first on Shared Security Podcast.
Oct 22, 2018 • 16min

Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39

This is your Shared Security Weekly Blaze for October 22nd 2018 with your host, Tom Eston. In this week’s episode: Hotel Room Security and Privacy with Special Guest Patrick McNeil. Hotel security has been a hot topic debated in the cybersecurity and privacy communities ever since the annual DEF CON hacking conference, recently held in Las Vegas. Hotel security staff at the conference hotel, Caesars Palace, conducted random hotel room searches unbeknownst to conference attendees. This caused a firestorm of criticism from conference goers, but it also brought attention to how we should all think about the security and privacy of the hotel rooms we stay in. In this episode I want to share with you some helpful tips and advice to increase your security and privacy while staying in a hotel room. Tom Eston: Joining me to discuss hotel room security and privacy is physical security expert, Patrick McNeil. Patrick has a background ranging from software development, networking, operations, and product security and currently works for an application security company. He has travelled extensively for work over the last nine years, staying in hotels ranging from five star hotels to hotels with blood stains on the carpet. I think I want to hear more about that. And Patrick is also a lifelong martial arts practitioner, runs Oak City Locksport and does physical security consulting for Stern Security when time permits. Welcome to the show, Patrick. Patrick McNeil: Thank you very much, Tom, appreciate the opportunity to be on. 
Tom Eston: So tell me a little bit about these hotels you’re staying in. Blood stains on the carpet, what’s that all about? Patrick McNeil: Yeah, that was an unfortunate situation where I went to a conference and the conference coordinator had some hotels nearby that were recommended, and this was in downtown Chicago. And let’s just say, while she thought it was a safe neighborhood, it really wasn’t. And the hotel of course, is completely booked up. I check into my room and do my normal walk around and there’s literally blood stains on the carpet probably the size of a dinner plate and some blood spray on one of the [chuckle] walls. Tom Eston: Oh no. Patrick McNeil: It wasn’t a whole lot, but it was enough to freak me out, and I know I’m asking for a new room and it’s completely booked up. So I ended up staying there but it was like put the towel over it so I didn’t have to look at it. And just stay away from that area. It was obviously old. Tom Eston: Obviously [chuckle] old. Yeah, that’s scary, but… Hopefully you’re not staying in hotels like that anymore. Patrick McNeil: I try to avoid that. [chuckle] Tom Eston: But you wrote a really great blog post recently about safety in and around your hotel room. And I think you wrote this because of the controversy that happened at Caesars Palace back during DEF CON in August in Las Vegas, with the conference attendees of the conference. Could you give us just a brief overview of what happened at DEF CON for our listeners that may not be familiar with the controversy? Patrick McNeil: Sure. And you’re right, I did write the first post and it turned into a follow-on as well, but it all was because of the mass shooting that happened last year in October in Las Vegas. 
Basically the big casino hotels decided that they wanted to ensure the safety of their guests and the public at large by inspecting the rooms of guests when they hadn’t been seen for a while, they had refused service, or maybe they were seen with large pelican cases or something when they were traveling in. You get an event like DEF CON, between the DEF CON shoot and all the electronics equipment that people bring in [chuckle], there’s gonna be a lot of pelican cases. Those are all similar things, that the shooter had actually done. Patrick McNeil: And unfortunately they had a policy that allowed people to opt out of room service as an environmental or green initiative. So they were setting themselves up for rooms that had refused room service. So when they decided to start investigating what was up in some of these rooms just doing what they were calling a wellness check, it would appear that their policy either was implemented inconsistently or maybe some employees weren’t trained appropriately because they ended up having issues with employees walking in on partially clothed guests after the pre-visitive knock or even pounding on their doors, demanding to be let in and not necessarily even providing appropriate identification or allowing the guests to check with the front desk or someone to see if they were legitimate. Tom Eston: Would you consider that a common practice in most hotels? Patrick McNeil: I would say no. I think this is a little bit of an over-correction. And maybe it’s necessary, based on their threat model but it’s definitely not something that I would consider normal, no. Tom Eston: I think a lot of us think about when we go to a hotel, we are paying for our privacy. There is this expectation of privacy because we are paying money to stay in a room that is supposed to be ours. And we don’t expect anyone to barge in and look through our stuff. So is there any truth to this statement that hotels are really private? 
Patrick McNeil: There’s only a little bit of truth in that. Hotels do have the right to enter your room at any time if they believe there’s a safety issue, if you’re involved in something illegal, to keep you from destroying property or even to perform maintenance. And of course, the regular cleaning that they do. Where you do pay for privacy is as part of that contract with the hotel. They have to respect your Fourth Amendment rights against illegal search and seizure. If a law enforcement agency wants to enter your room, they do need a warrant. But that protection expires as soon as you hit checkout time, whether you’ve actually gone to the front desk or not. But really the hotel employees don’t necessarily have to respect your privacy if there’s any reason they can manufacture. Tom Eston: Is there anywhere that people can view hotels’ policies? Patrick McNeil: Yeah, I know that some hotels do actually have that in their agreement that you sign when you make the reservation or that you pretty much ignore when you make the reservation [chuckle] But I have not done the research to see does each individual brand post their policy or anything, no. 
Tom Eston: What are your top three or four things that you recommend everyone always do when staying at a hotel? Patrick McNeil: The things that I think are really common, the top basics, I always inspect a room with my bag just right inside the door and don’t unpack or anything before I get comfortable. I’m walking around like anybody would to see, is the place clean? But I’m looking at the physical security items first. Maybe even before I get to the room, on my way there, I’m just checking out to see where is my room in relation to any exit stairs or elevators, in case of a fire or other emergency situation. And then once I get into the room, the first thing I check, of course, is the locks on any doors, windows, sliding glass doors, anything adjoining, and that any additional security devices like the little flipper that you can use to reinforce your door or the dead bolt, that those actually align correctly. And that they actually work. And then I’ll go and check my phone, which seems a little crazy given that most of us are gonna travel with mobile phones but I do that just because it’s got that direct line right to the hotel front desk or security, to make sure that you have it in an emergency or if somebody does wanna inspect the room, you can just hit one button and then you’re on the phone with somebody. And then the last thing I’ll typically do is [chuckle], and it sounds silly, I’ll pop some toilet paper in the peephole and put a hand towel right behind the handle. So nobody’s peeping in and you can’t use an under-door tool to open that door. Tom Eston: So what are a few things that listeners can do from a counter-surveillance perspective? Patrick McNeil: In my opinion, the easiest thing to do is just be tidy. I know you’re gonna relax when you’re in a hotel and things may get spread out. 
But if you’re really concerned about snooping, just clean things up and organize your stuff. Put stuff back into your suitcase, put things on shelves, put things in drawers, basically keep everything away from where one could reasonably expect the cleaning staff to be. They’re not gonna be rearranging things that you’ve left all over the desk or dresser, what have you. You’re not giving them an excuse, essentially, then you can lay a suitcase strap a certain way or put a certain fold in your clothes or a hair or thread in a zipper that will fall out or get destroyed when the zip is opened. Then that way you can take a photo of how you left things and compare versus later. While it’s not absolute because they could bump into something, or what have you, it at least gives you an indication. And if you’re super paranoid, you could do stuff like the UV detective dust that you can put on things. Just do a light dusting in one place and shine with a UV light and then if that dust is spread all over the room, you know that they went in that one spot where you put the UV dust. As far as the recording… Yeah, this is definitely what I would consider more of an extreme measure. And I’d reserve it for situations where you’re reasonably sure that your stuff is being gone through, or there’s a significant chance of it. Patrick McNeil: You’ve got something expensive that maybe you can’t secure. [chuckle] I’ll do the standard, I’m not a lawyer. This is not legal advice [chuckle], but you have to be careful with where you’re recording. Certainly pretty much every state has a law that says people have a reasonable expectation of privacy. So you should never ever record in the bathroom in particular because the cleaning staff could use the bathroom. There’s nothing wrong with that. We get into the whole gray area of whether this is legally your home or somebody else’s place. 
So while it is legal to record inside your home, with hidden cameras, without notice, trespassers do waive the rights to be recorded. You do have to be careful and know local laws ’cause they may apply. So watch the state that you’re traveling to, to determine whether they’re called what’s called a one-party state versus a two-party state. And what that means is if you’re a one-party state, only one party has to consent to the recording, I.e., you, the person making the recording. And in two-party states, both have to consent. So that would rule out some of your recording. Patrick McNeil: And though that may also be different for audio versus video. So it may be one or two-party state for audio but video may be completely different and covered under separate laws. And of course, you’re gonna run into the county and state laws. So [chuckle] basically use this with caution, understand where you’re recording. If you do get a recording and it shows evidence of a crime, the first thing you do is not march down to the front desk and show it to them. The first step is consult with an attorney before deciding how to use it, and definitely like a lot of things, it comes down to how you decide to actually use the recording. If you get a recording and you see that something’s going on, maybe you can take other steps to secure your stuff that doesn’t involve showing somebody the recording. Like a lot of things, once you start using that and publicizing it, that’s when you can get into hot water. Tom Eston: So, any last advice you’d like to give our listeners? Patrick McNeil: I think really from a travel perspective, it’s all about awareness. We tend to get wrapped up in finding the restaurant or the workout facility, or looking at our phone or what have you, and we just really don’t notice what’s going on in the parking lot on the way to our room. And just having that situational awareness, ’cause you are a little bit more susceptible when you’re traveling alone. 
Tom Eston: Well, great advice, Patrick. Thanks for coming on the show. Patrick McNeil: Thank you, Tom. That’s a wrap for this week’s show. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39 appeared first on Shared Security Podcast.
Oct 15, 2018 • 11min

Google+ Shutdown, Weapons Systems Vulnerabilities, Voice Phishing Scams – WB38

This is your Shared Security Weekly Blaze for October 15th 2018 with your host, Tom Eston. In this week’s episode: Google+ shutdown, weapons systems vulnerabilities, and new data on voice phishing scams. Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Google announced this past week that it’s shutting down Google+ due to a bug in the “people” API that may have exposed private profile information for more than 500,000 Google+ users. The bug allowed third-party apps to access certain optional profile data such as name, email, address, occupation, gender, and age. This access was limited to Google+ profile data and not any other data you may have had with other Google services. While the bug was patched back in March, Google decided to start the process of shutting down Google+ over the next 10 months, mostly because it was found that 90% of Google+ user sessions last only about 5 seconds. Google states that even though approximately 500,000 Google+ accounts were affected by the bug and up to 438 applications may have used this API, they found “no evidence that any developer was aware of this bug, or abusing the API, and (we) found no evidence that any Profile data was misused”. Also included in the announcement about the Google+ bug were two other improvements targeting user privacy. 
First, Google is adding more fine-grained control over what account data you share with apps through the use of new individual dialog boxes. These dialog boxes will show each requested permission, one at a time, within its own dialog box. This will allow more detailed permissions to be selected instead of the traditional “all or nothing” permissions approach. Lastly, Google is limiting the ability of third-party apps to request call log and SMS data. Google will now only allow whichever default app you use for making phone calls or sending text messages to make these requests. In addition, the Android contacts permission is also changing. Going forward, apps will no longer be able to access basic interaction data like showing you your most recent contacts. In all, I don’t think Google+ will be missed by anyone, but it’s good to see that Google is making these small but impactful privacy changes.

A new report released from the Government Accountability Office (also known as the GAO) here in the United States shows that cybersecurity vulnerabilities previously identified in the Department of Defense’s newest weapons systems were never fixed. Testing was apparently conducted on weapons systems from 2012 to 2017 and shows that these problems seem to be widespread in nearly all weapons systems under development. Some of these vulnerabilities are extremely easy to exploit. For example, guessable and default passwords were easily exploitable, and in some cases the report noted that default passwords were easily identified through simple Internet searches. The report also stated that during tests conducted on these weapons systems, “using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected”.
Given that the Department of Defense plans on spending $1.6 trillion to create more weapons systems, cybersecurity and the significant importance of related computer systems need to be a top government priority. Many of the vulnerabilities in these systems are very common in Internet of Things devices, so it’s not that far of a stretch to see weapons systems that may be using some of the same technology that is available in the consumer market. As we all know, Internet of Things devices often have very easy-to-exploit vulnerabilities like default passwords. On top of that, there is a large issue right now with the cybersecurity workforce in the government not getting nearly the level of pay that they do out in the private sector. This means that many entry-level cybersecurity analysts spend a short amount of time building their skills in a government job, then end up leaving to get paid much more in the private sector. It really goes back to the weapons systems manufacturers making sure they are building security into the products that they are developing. Of course, that’s easier said than done.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication.
Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

According to research released at the recent DerbyCon security and hacking conference by previous podcast guest Chris Hadnagy, CEO of Social-Engineer.org, and his co-worker Cat Murdock, you’re more likely to receive voice phishing scams on Fridays, and they are most successful in the afternoon vs. the morning. According to an interview conducted by Dark Reading, Chris and his team started recording and collecting data on vishing calls that were conducted by his company over a three-year period, which ended up totaling more than 20,000 calls. Out of these calls, 5,690 were completed, meaning that the social engineer talked with someone on the other end of the line. Of the calls that were completed, 3,017 were compromises, which ended up being a success ratio of 53%. These compromises gathered 8,685 pieces of information such as social security numbers, information about company internal projects, and answers to security questions. Why is the end of the week and late afternoon, around 5pm, the best time for scammers to be successful? Chris notes that most office workers are less alert on a Friday compared to a Monday and that at the end of a work day, most people are ready to head out of the office and are sometimes more willing to tell you anything you want to know so that they can go home. The other takeaway from Chris’ research is the most common pretexts that vishing victims seem to fall for. Calls with a pretext of someone calling from HR regarding an employee’s health care open enrollment had a compromise rate of 28%, and the other was IT-related pretexts, where a social engineer uses a pretext related to audits, security updates, and employee badges.
This research seems like a great reminder for all of us to re-evaluate our awareness of voice phishing scams and to ensure we don’t let our guard down, especially towards the end of the week and towards the end of our working day.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Google+ Shutdown, Weapons Systems Vulnerabilities, Voice Phishing Scams – WB38 appeared first on Shared Security Podcast.
Oct 8, 2018 • 13min

Chinese Spying, Facebook Shadow Contact Information, iPhone X FaceID Privacy – WB37

This is your Shared Security Weekly Blaze for October 8th 2018 with your host, Tom Eston. In this week’s episode: Chinese Spying, Facebook Shadow Contact Information and iPhone X FaceID Privacy.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a small favor to ask you. We would really appreciate it if you could leave us a review on iTunes. To leave a review, simply click the iTunes link in our show notes for this episode. We’ll be sure to thank you for your review on a future episode of the podcast. Thanks for your support!

In late-breaking news on Thursday last week, a report from Bloomberg detailed a large-scale supply chain attack which is believed to be one of the largest spying programs ever conducted by a nation-state. According to the report, a very small microchip, about the size of a pencil tip or grain of rice, was installed and hidden in servers that were being used by approximately 30 American companies, which include Apple and Amazon. These chips were apparently installed during the manufacturing process in server motherboards manufactured by a company called Super Micro, which happens to manufacture its products in China.
Of course, as you might assume, these chips were allegedly installed by the Chinese government to spy on American companies, giving China the competitive advantage in the highly competitive technology space. While Amazon, Apple, Supermicro and even China are denying the claims made in this report from Bloomberg, it’s not that far of a stretch when you consider that China has been known to install malicious software into the hardware supply chain in the past and that 75% of all mobile devices and 90% of all PCs in the world are manufactured in China. Whether this story is true or not, securing the hardware supply chain is a very difficult problem to solve, even when hardware is manufactured in a country like the United States. For example, back in 2016 one US-based mobile phone company, which makes cheap Android-based phones, found a software backdoor installed on their devices which would send information from the device, you guessed it, back to China. So while the hardware itself was not manufactured in China, the software on the Android device was.

I remember when I was working as a security consultant several years ago, we would strongly advise business clients that when traveling to China they should use a “disposable” laptop and mobile device with very little or no corporate data on them. When our clients returned from China, we strongly told them to never ever plug their laptop back into their corporate network and to give it to us for forensic analysis. We gave this advice to our clients because we actually had one client in particular that had their laptops and phones hacked while they either went through Chinese customs or during their stay in China. This client in particular had proprietary design information about a new product on said laptop.
Time will tell how this Bloomberg story pans out, but in the meantime, especially if you’re in the business of having confidential or proprietary business information that might be valuable to a nation-state such as China, be sure to take extra caution with devices that store or handle sensitive or proprietary business information.

Facebook was back in the news this past week with the revelation that the phone number that you may have provided Facebook for security purposes, like for two-factor authentication, is being shared with advertisers. To make matters worse, you don’t even have to willingly provide your phone number at all because of something called “shadow” contact information. Shadow contact information is any contact information, like your phone number, that is shared when your friends upload their contact information to Facebook. What this means is that even if you’ve never given your number to Facebook, your friends may have without you knowing. What’s also unfortunate about this news is that once again, we seem to be forced to make a privacy trade-off where we have the need to secure our accounts with two-factor authentication but must also allow our phone number to be harvested by advertisers so that we can be served more ads. This news should give you pause, once again, that even if you’re someone that is careful with the personal information that you give Facebook, or any social network for that matter, you can’t really stop others like your friends that may inadvertently upload your contact information to a social network. Our advice is that if the constant news about Facebook using any and all of our data is concerning to you, perhaps it may be time for you to join the millions of others that are “deleting Facebook” (#DeleteFacebook).
However, like many of us, we still see the value of social networks like Facebook, so this news may not be that concerning considering that most of our information, like our phone number, is probably easy for advertisers to obtain, whether Facebook has your number or not. What do you think? Is this the final straw to get you to stop using Facebook, or is the privacy of your phone number not that concerning to you after all? Let us know by commenting on the video of this podcast on our YouTube channel or on the post of this episode on sharedsecurity.net.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center. Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you: Visibility into workload communication pathways; Security policies built on the cryptographic fingerprint of the software; The ability to apply policies and segment your networks in one click; and A way to continuously monitor and assess risk. Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Forbes reports that for the first time ever, there is now a documented case of law enforcement forcing an Apple iPhone X owner to unlock their device with their face. According to the report, FBI agents searched the house of a suspected child abuser and told the suspect to put his face in front of the phone so that the device would unlock.
This action, of course, allowed the FBI agents to search through the suspect’s phone for anything that might pertain to the investigation. However, only very little was able to be extracted once the iPhone was unlocked. That’s because the passcode was still unknown to the FBI. Upon attempting to connect the iPhone to a computer to forensically extract all the data off of the device, it had been locked for more than an hour, which requires the passcode to be entered. You may remember that back in July of this year Apple released an update for iOS 11.4 which required the passcode to be entered every seven days to maintain a USB connection to a computer. Now with iOS 12, this requirement has been reduced to every hour, which is probably the restriction that the FBI ran into.

Keep in mind that forensic software companies like Grayshift and Cellebrite make software and hardware devices that can extract all data from mobile devices by exploiting either known or unknown vulnerabilities in a particular mobile device. The techniques these companies utilize are not really known; however, it’s most likely that they have access to either 0-day vulnerabilities (that means vulnerabilities unknown to the device manufacturers) or have found techniques to brute force the passcode on a device. It’s important to note that both of these companies have very large contracts with several different government and various state and local law enforcement agencies.

What I find fascinating about this story is I really think we’re entering uncharted territory when it comes to Fifth Amendment rights, which protect individuals from incriminating themselves. The law was already sketchy around TouchID and using a fingerprint to unlock a device for law enforcement, but now with FaceID, it’s unknown if it’s really a breach of Fifth Amendment rights. There have also been lots of other challenges for law enforcement such as “dead” suspects.
For example, with TouchID, law enforcement could take a dead suspect’s finger and unlock the device successfully. However, with Apple’s FaceID technology, they can’t get a dead suspect to unlock an iPhone X, as the technology has a “liveliness test” which can detect if the person is dead or alive. If this news is concerning to you from a privacy perspective, you can easily shut down TouchID and FaceID using something called “SOS” mode. On a new iPhone such as the iPhone 8 and X, hold down the side button and one of the volume buttons, and for older iPhone models press the power button 5 times. Also note that if your device hasn’t been opened in 48 hours, a passcode is required to unlock the device. Lastly, don’t forget about creating a long and complex passcode, which means not using a four-digit PIN. That way, if your device was confiscated or stolen, it would be much more difficult to brute force the passcode to access your device.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post Chinese Spying, Facebook Shadow Contact Information, iPhone X FaceID Privacy – WB37 appeared first on Shared Security Podcast.
