

Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Oct 1, 2018 • 12min
Facebook’s Fake Account Crackdown, Privacy Upgrade to HTTPS, New Security Features in Apple iOS 12 – WB36
This is your Shared Security Weekly Blaze for October 1st 2018 with your host, Tom Eston. In this week’s episode: Facebook’s fake account crackdown, privacy upgrade to HTTPS, and new security features in Apple iOS 12.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Facebook has recently taken a tougher stand against fake profiles, specifically ones being used by law enforcement. In a letter that Facebook sent to the Memphis Police Department, Facebook states they have disabled fake accounts that were set up by the police department because they violate Facebook’s terms of service, which require that you use your real name while using the social network. Privacy advocates like the EFF have been critical of this position in the past since in some cases, free speech may put certain users at risk if real identities are being used. However, regardless of how you feel about this policy, it’s good to see Facebook applying these rules to everyone, including law enforcement. In fact, as the EFF has pointed out, Facebook recently updated their help page titled “Information for Law Enforcement Authorities” and under their misrepresentation policy they state “People on Facebook are required to use the name they go by in everyday life and must not maintain multiple accounts. Operating fake accounts, pretending to be someone else, or otherwise misrepresenting your authentic identity is not allowed, and we will act on violating accounts”.
Law enforcement aside, fake accounts on Facebook have always been a problem ever since Facebook started getting popular around 2008. In fact, I remember giving a talk at a hacker conference about social network bots and the underground criminal networks that had created automated tools and scripts to target unsuspecting social network users. Check out our show notes for a link to this talk and a nostalgic look into the younger version of yours truly. Oh, and in full disclosure, I may have pushed the limits of fake account creation back then as well. Now I gave that talk back in 2009, but bots and fake accounts are still running rampant on Facebook and other social networks. They are even using those same techniques I talked about back then to friend thousands of strangers in order to solicit SPAM or to get them to click on links which lead to malware and phishing scams. The best advice to avoid becoming a victim of a fake account or bot in your friends list is to only accept friend requests from people you actually know in real life. But even that can lead to problems, especially if someone is impersonating one of your friends. Our advice is to contact that friend out of band, for example, via a text message or phone call, to verify that they are who they say they are.
In other late breaking Facebook news last Friday, a serious vulnerability in the “View As” profile feature was identified by Facebook’s own engineers that affects almost 50 million accounts. The vulnerability allowed attackers to steal the access tokens which could then be used to take over other people’s accounts. Facebook states that they’ve already fixed the vulnerability and have reset the passwords of around 90 million accounts that may be affected by the issue. Facebook states that they are also working with law enforcement and greatly apologize for any inconvenience this may cause Facebook users.
How private do you think your web browsing history is? As we all know, HTTPS encryption helps protect the content of the information we share with websites we are accessing. There have also been new ways to encrypt DNS queries, like DNS over TLS and HTTPS. However, even with an HTTPS connection, your ISP can still see the sites that you’re going to because DNS queries are typically not encrypted. That’s why one company called Cloudflare introduced a new public DNS server called 1.1.1.1 which supports DNS over TLS and HTTPS that encrypts DNS queries as well. But did you know that there are other ways that ISPs can snoop in on the sites that you’re visiting?
One large gaping hole that has been identified is something called the “Server Name Indication” extension or SNI. In simplistic terms, you can think of SNI as a way to route HTTPS traffic to the correct website on a server that may host multiple domains. SNI was created as a way to route your web request to the correct site so that the correct SSL certificate can be used to secure your connection. If this sounds confusing, don’t worry. All you need to know is that your ISP and others that may be monitoring your connection can see the sites you visit if SNI is being used. The good news: Cloudflare has introduced encrypted SNI or ESNI which is now part of the Cloudflare network. In addition, Mozilla’s Firefox browser will be the first browser to support this new protocol, with other browser manufacturers to hopefully follow Mozilla’s lead. This is great news for privacy as one of the long-standing privacy issues on the Internet is about to be a problem no longer. If you’re interested in learning more about Cloudflare’s 1.1.1.1 DNS service, check our show notes for a link to our previous episode where we covered this service in more detail.
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
Visibility into workload communication pathways;
Security policies built on the cryptographic fingerprint of the software;
The ability to apply policies and segment your networks in one click; and
A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication.
Visit Edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Apple has released iOS 12 and that means that it’s time to talk about the new security and privacy features that come with a new operating system. First, Apple now asks if you want to turn on automatic iOS updates. This feature will allow users to ensure that critical security updates are applied without having to manually install them. Second, if you happen to use a third-party password manager like LastPass or Dashlane, these apps can now take advantage of the autofill feature built into iOS 12 through a new API Apple has created for password managers. Some apps like LastPass have already updated their apps to support this new API, so be sure to check your password manager app to see if this feature is now supported. Note, this feature must be activated manually by navigating to Settings -> Password & Accounts and then activating the “Autofill Passwords” feature. Third, the built-in password manager for iOS 12 now includes an audit feature which will identify when the same or similar passwords are being used across multiple sites. And last but not least, the updated Safari browser in iOS 12 now includes something called Internet Tracking Prevention, or ITP, which will prevent cross-site tracking from large companies like Facebook and Google. ITP basically separates cookies from each website which in turn will prevent things like Facebook’s pixel tracking and like buttons from tracking you across different websites.
As we’ve always reminded you on the podcast, updating to the latest version of your operating system almost always includes critical security updates. In the case of iOS 12, Apple noted a very large list of security vulnerabilities that were fixed. Check out our show notes to view this list but in the meantime make sure you update to iOS 12 to ensure you’re running the very latest security updates to protect your device.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Sep 24, 2018 • 10min
Mobile Phone Call Scams, Pegasus Mobile Spyware, Newegg Data Breach – WB35
This is the Shared Security Weekly Blaze for September 24, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here. You can also watch each episode of the podcast on our YouTube Channel!
Show Transcript
This is your Shared Security Weekly Blaze for September 24th 2018 with your host, Tom Eston. In this week’s episode: Mobile phone call scams, Pegasus mobile spyware, and the Newegg data breach.
Raise your hand if you’re sick and tired of receiving scam and fraudulent phone calls on your mobile phone. I’ll assume that all of you are probably raising your hand right about now, myself included. Well, not to be the bearer of bad news, but according to a recent report, nearly half of the mobile phone calls received in the US next year will be scams. A report from First Orion, which makes phone call data transparency solutions, notes a dramatic increase in mobile scam calls “from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019”. Many of these calls are using a technique called “Neighborhood Spoofing” which happens when a scammer makes their number look like a real local number, tricking the victim into picking up the call. Since these numbers are typically spoofs of real numbers, sometimes if you call these numbers back, you’ll get a real innocent person; not the scammer who spoofed the number.
While many of us are either manually blocking scam calls through the features on our phones or using a third-party app to screen and block calls, the best way to stop these calls from happening seems to be with the mobile carriers themselves. First Orion seems to be addressing this with an in-network technology called “CallPrinting” that is said to significantly reduce the volume of scam calls. First Orion’s press release states that this technology will be used by one Tier-One US carrier this fall.
In regards to third-party apps, I’ve recently installed an app called “AT&T Call Protect” which seems to work fairly well to block scam calls. This is a free app for AT&T mobile customers. I’d say that it’s slightly reduced the number of scam and robocalls that I’ve received, but I find it’s not perfect as blacklisting scam numbers seems to be an endless pursuit. So what are your thoughts? Have any of you used these third-party scam call blocking apps? If so, we would be interested in hearing what you think about how effective these apps are so we can discuss on the podcast. Send us a message on Twitter, Facebook or email and let us know if these apps are helping or hindering your fight against scam calls on your mobile phone.
A fascinating report released by privacy and security research group Citizen Lab this week shows that a very sophisticated form of mobile spyware, called Pegasus, has been found on Android and Apple iOS phones in 45 countries including the US, UK and Canada. Some of these countries have been known for questionable human rights practices. Citizen Lab researchers point out that Pegasus is being installed on devices to conduct cross-border surveillance, which may be breaking the law in the US as well as many other countries where Pegasus was found. Pegasus spyware is sold by an Israeli company called the NSO Group and has been used in the past by powerful nation states and governments to target human rights activists and other individuals under surveillance for one reason or another. In this recent research by Citizen Lab they estimate that Pegasus is being used by at least 33 different NSO Group customers.
Back in 2016, one of these individuals targeted with Pegasus was UAE activist Ahmed Mansoor, who was able to provide Citizen Lab researchers his iPhone to analyze when he received a very odd and strange link sent to him via a text message. When clicking the link, this particular version of Pegasus launched three zero-day exploits for Ahmed’s particular version of Apple iOS and would have allowed full access to Ahmed’s phone including activating the camera, microphone and sending off all passwords, text messages, and much more. Ahmed is currently serving ten years in a UAE prison for his postings about human rights abuse in the UAE. Keep in mind that this was back in 2016, and it’s reported that Pegasus spyware is much more powerful now and most likely is capable of exploiting even the most current versions of Apple iOS and Android phones. Check out our show notes if you’re interested to learn more about the NSO Group and its origins.
Of course, there may be lawful uses of Pegasus spyware to either prevent terrorism or as part of a criminal investigation for national security. However, when a company starts selling very powerful surveillance spyware to any government willing to pay a very high price (side note: Pegasus is reportedly 8 million dollars for 300 licenses), it can be very disturbing to think of the consequences for everyone’s privacy and security across the world.
Newegg, which is one of the largest online electronic retailers in the US, became the latest victim of yet another customer credit card data breach this past week. The attack on Newegg exposed the credit card information of anyone purchasing products for more than a month between August 14 and September 18 of this year. This latest breach has been linked to the recent series of data breaches tied to the Magecart criminal group, which is to blame for similar credit card breaches of British Airways and Ticketmaster. The Newegg attack was very similar to the British Airways breach in that simple JavaScript code was inserted into the checkout process which would send credit card data over to a Magecart controlled server. Newegg customers would have no idea that their credit card information was being compromised and their order with Newegg would process as normal. No statement has been released yet from Newegg regarding how many customers were affected or what specifically the attack vector was. However, the Magecart criminal group responsible for the attack seems to be targeting large businesses that are processing lots of orders. In the Ticketmaster attack earlier this year it was found that vulnerable third-party code from a chat system, called Inbenta, was to blame.
This latest breach should give all of us cause for concern when putting our credit card into any third-party site. As we’ve discussed on the show before, card-not-present fraud, where you provide your credit card details to a merchant over the Internet, is the most popular way for attackers to gain access to millions of credit cards very quickly. Using new payment methods like Apple Pay, Samsung Pay or Google Pay is a much more secure way to pay for anything over the web instead of the traditional way of entering card information into a shopping cart style checkout process. However, not many businesses support these new forms of payment technology, and for businesses, there can be a very large cost to integrate new payment systems into legacy systems. Until businesses decide to make the investment, perhaps after they’ve fallen victim to yet another credit card breach, we all need to keep a close eye on our credit card statements and perhaps think of alternative ways to pay for products and services over the web.

Sep 17, 2018 • 9min
Malware-Less Email Attacks, Equifax Breach Updates, Vizio Class Action Lawsuit
This is the Shared Security Weekly Blaze for September 17, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here. You can also watch each episode of the podcast on our YouTube Channel!
Show Transcript
This is your Shared Security Weekly Blaze for September 17th 2018 with your host, Tom Eston. In this week’s episode: Malware-less email attacks, Equifax breach updates and the Vizio class action lawsuit.
Security vendor FireEye released research this past week which shows that 90% of the half-a-billion emails, blocked through their product in the first half of 2018, were found to be “malware-less”. Meaning, there were no malicious attachments or other code within the email itself that would attempt to compromise victims. Phishing actually made up 81% of what are considered malware-less attacks. Malware-less attacks also use impersonation of a trusted sender or company and include intimidation, links to malicious sites and sometimes forged requests. Other interesting data points include: malware-based attacks were most common on Mondays and Wednesdays and that malware-less attacks were most likely to occur on Thursdays. Data from the report also notes that phishing attacks will continue to rise.
Just for a minute, let’s forget about the day of the week that attacks like these are most likely to occur and focus on what you should do if you do receive a malware or malware-less email in your inbox. As we all know, social engineering techniques are often used to convince you to click a link or submit sensitive information to the attacker. In fact, we just released episode 80 of our monthly show with social engineering expert, Chris Hadnagy in which we talk to him about the different types of social engineering techniques used in phishing and many other types of attacks. It was great having Chris on the show so definitely give this episode a listen. Emails using social engineering techniques are one of the most popular ways to target victims because email is still one of the primary means of communication that we all use, especially in the business world. While many businesses typically have some type of security product to screen emails for potential attacks, it won’t help in situations with personal email or when these products don’t work as expected. Your first line of defense is to “think before you click”. This means for any suspicious email, take a step back for 30 seconds, read the email carefully and look for clues that indicate that the email might be a phishing attack. Check out our show notes for a great guide put together by TripWire on the six most common phishing attacks and how to protect against them.
The Equifax data breach last year, which exposed the personal information of almost half of the US population, has yielded very little change in regards to Equifax profits and any federal laws that could be implemented to prevent another breach as large as this one. The Chicago Tribune reported in an article last week that Equifax posted record revenue last quarter of $877 million and will most likely post a record profit next year. In fact, Equifax has recovered about 90 percent of the losses that were due to last year’s data breach. I’m actually a little surprised that Equifax has been able to “skate” around any financial penalty or other serious impact to their business. It does make you wonder how they have been able to keep the public reaction to this data breach to a low roar.
It seems that the only positive news coming out of this data breach is that there is more awareness from a consumer and legislative perspective as well as a pending class action lawsuit that is still in the early stages of development. One small but recent win for consumers is that President Trump signed a bill into law this past May which states that consumers can freeze their credit for free this week beginning on September 21st. This new law will remove the $5-$10 fee that was imposed by the various credit agencies when freezing your credit. Freezing your credit is highly recommended so check our show notes for a link to our previous episode on how to go about freezing your credit.
Vizio, which is one of the world’s largest manufacturers of smart TVs, is developing a notice about a class action lawsuit that will be pushed to and displayed on all Vizio smart TVs. This recent development is because of the class action lawsuit that was initiated after the US Federal Trade Commission made Vizio agree to a $2.2 million settlement. This settlement was agreed to because in 2015 Vizio was caught collecting and then selling user data to advertisers. This data included information like your IP address, TV viewing habits, TV shows being watched, and even DVDs being played on your TV. All of this data was being collected without user consent, which got Vizio into hot water. Since then Vizio has implemented a user consent policy when first setting up and installing a new Vizio TV. However, as we’ve pointed out on the podcast previously, TV manufacturers oftentimes require users to consent to allowing viewing habits to be collected or any “smart” TV features, like using Netflix and other streaming apps, are disabled. Essentially, by not allowing your data to be collected and sold, you have made your TV “dumb”, which was probably not the desired outcome when you purchased your shiny new smart TV.
While Vizio has until October 3rd to provide this notice to TV owners, it should be interesting to see how a large class action lawsuit like this plays out. If you happen to be a Vizio TV owner, will you participate in the class action lawsuit? We would be interested in hearing from you so we can discuss your thoughts on a future episode of the podcast. Hopefully this recent controversy with Vizio sets a precedent for smart TV and Internet of Things manufacturers that the privacy of our information is not always for sale and that a class action lawsuit may be looming for those manufacturers that don’t take the privacy of their customers seriously.

Sep 13, 2018 • 27min
Episode 80 – Special Guest Chris Hadnagy and Social Engineering The Science of Human Hacking
This is the 80th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright recorded September 5, 2018. Listen to this episode and previous ones direct via your web browser by clicking here!
This podcast is also available to watch on our YouTube Channel.
In this very special episode we’re joined by Chris Hadnagy (@humanhacker) who is the author of the new book “Social Engineering: The Science of Human Hacking”. We talk with Chris about his new book, how Social Engineering has changed over the years and what he’s been up to with his organization the Innocent Lives Foundation, Social-Engineer.com and the recent DEF CON SECTF (Social Engineering CTF). Here are the links that we mentioned on the show:
Our previous interview with Chris in Episode 68
Innocent Lives Foundation
Social-Engineer.org
Order Chris’ new book on Amazon
Thanks to Chris for being a guest on our show!

Sep 10, 2018 • 10min
Five Eyes Security Alliance, Google and Your Offline Purchases, Privacy by Default in Firefox
This is the Shared Security Weekly Blaze for September 10, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here. You can also watch the podcast by subscribing to our YouTube Channel!
Show Transcript
This is your Shared Security Weekly Blaze for September 10th 2018 with your host, Tom Eston. In this week’s episode: The five eyes security alliance, Google and your offline purchases, and privacy by default in Firefox.
The “Five Eyes”, which is a long-running security alliance between the US, UK, Australia, New Zealand, and Canada, agreed in their annual meeting a few weeks ago that “privacy is not absolute” and “Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions”. In addition, it was also stated that technology companies should be urged to “voluntarily establish lawful access solutions to their products and services”. If that is not possible, due to push back from technology companies, intelligence agencies may take matters into their own hands. What this means is that if technology companies do not build or develop backdoors into their products, law enforcement may develop their own ways to hack into devices or could work to enact legislation to eventually force technology companies to create these backdoors.
Encryption and government backdoor access, as you may remember, has been a very hotly debated topic, as the needs of law enforcement oftentimes conflict with the needs of encryption and privacy that we all are entitled to. We all realize that the same encryption that we use to safeguard our legitimate private and business data is the very same encryption that criminals use. However, allowing our governments backdoor access to bypass or circumvent encryption weakens security for all of us. You may recall the controversy over the FBI asking Apple to break into the seized iPhone from the San Bernardino shooting that took place in 2015. Apple rejected the FBI’s demand, so the FBI apparently found their own way to access the device from professional hackers that may have had a 0day vulnerability to allow access to the iPhone. I would suspect that because of this new rhetoric from government alliances such as the “Five Eyes”, the 0day market for exploits allowing governments ways to bypass encryption solutions is going to be much more popular as the arms race around encryption and privacy continues.
It seems that we can’t stop all the news about how Google uses your information to serve you more ads or to track your location, even if you disable the setting to not allow location tracking. If that wasn’t bad enough, it was reported last week that Google has a secret deal with Mastercard to track what users are purchasing offline. According to a report by Bloomberg, sources with knowledge of the deal say that Google and Mastercard have been negotiating for about four years to allow Mastercard transaction data in the US to be encrypted and sent to Google. This data would allow Google to match existing Google users to actual physical purchases. This means that when Google users click on ads, those clicks can be tracked to actual sales in physical stores. In response to this Bloomberg article, Mastercard has stated that they do not provide any transaction data to third parties and that Mastercard does not “know the individual items that consumers purchase in any shopping cart – physical or digital”. Google has also stated that it does not have access to any personal information from its partners’ credit and debit cards, and that Google does not share any personal information with its partners. So who are we to believe?
First, we need to keep in mind that Google’s ad business had 95.4 billion dollars in sales just last year alone. You know as well as I do that Google is going to do everything it can to keep these dollars coming in and to keep advertisers happy. If Google can change the advertising world by leveraging data that it collects about its users, financial data or not, it is going to do it. It also means that regardless of what Mastercard and Google tell you, there are large privacy concerns that need to be addressed, especially if we’re talking about physical transactions made in a store that could be linked back to you. My take is that, more than likely, in the terms and conditions that we agree to when signing up to use a credit card, we allow our personal data to be used for “marketing purposes”. Marketing purposes can have many different meanings, but it’s unfortunately not up to us to decide how our data will be used by the credit card companies. The simplest solution is to not use or sign up for a credit card, but that is very difficult for many of us to do. What we can do is be more aware of how our data is being used by reading the terms of service and privacy policies of the credit card services that we utilize. If you don’t agree to the terms, simply don’t use the product or service and find an alternative way to pay for products, like good old cash.
Mozilla, the maker of the Firefox web browser, announced last week that new versions of Firefox will, by default, block third parties from tracking browser behavior. While current versions of other browsers like Google Chrome have similar options, users must enable these features, as they are not enabled by default. This move by Mozilla puts the “always on by default” blocking of ads and trackers more in line with newer privacy-aware browsers like Brave. Mozilla seems to be moving more in the direction of building in ad-blocking and anti-fingerprinting technology instead of the traditional model of having users install various third-party plugins as Firefox extensions. My guess is that browsers like Brave are starting to become more competitive, especially now that the privacy of our data is top of mind for many of us because of high-profile coverage of things like the Facebook Cambridge Analytica controversy. My take is that I hope more companies use Mozilla as an example and implement similar “privacy by default” features. I would also take that a step further and encourage companies to implement something called “privacy by design” as well. In the cybersecurity world we often use the term “secure by design”, which means that whenever anything is developed, security is implemented from the beginning, in the design phase. This always works out better for the product, the consumers and our data than adding security features after a product or service is already out on the market. The same holds true for privacy. The more companies build privacy controls into their products and ship them with those controls on by default, the more protected our data will be. And I would be certain that the companies that do “privacy by design and default” will also be more successful and profitable as well.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post Five Eyes Security Alliance, Google and Your Offline Purchases, Privacy by Default in Firefox appeared first on Shared Security Podcast.

Sep 3, 2018 • 9min
US Federal Privacy Law, WhatsApp Google Drive Warning, Improved Security for Instagram
This is the Shared Security Weekly Blaze for September 3, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for September 3rd 2018 with your host, Tom Eston. In this week’s episode: US Federal Privacy Law, WhatsApp’s Google Drive Warning and Improved Security for Instagram.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The New York Times reports that the technology industry in the United States is beginning to lobby the Trump administration to create federal privacy legislation. Sources say that this proposed federal privacy law would first overrule the recent California privacy law and second, be much softer and less restrictive than the California law in regards to the way personal data is handled by technology companies. You may remember that back in July of this year the state of California passed its own privacy law, which is very similar to the European Union’s GDPR privacy legislation that went into effect this past May. It’s no surprise that technology companies like Google, Facebook, and others who have come under great scrutiny over the way they protect and use our data are now “freaking out” over the possibility that if they don’t act soon to heavily influence the creation of a federal privacy law, their businesses and profitability will suffer greatly. The California Privacy Act and GDPR have been huge wins for data privacy around the world but have caused much pain for companies like Google and Facebook that rely on advertising revenue built from the collection of your private data.
Look, there will most likely be a federal privacy law enacted in the US at some point. What that eventually looks like is anyone’s guess. I will say that it’s going to get complicated very quickly when the technology lobbyists with tons of money, from companies like Facebook and Google, push their own agendas. Moreover, add in the various trade groups such as the US Chamber of Commerce and others that are trying to enact voluntary standards that businesses can follow versus federal laws. Federal laws would most likely impose fines for breaking the law. It’s unfortunate that our digital privacy seems up for grabs by corporations and governments more than ever before.
Are you an Android user who is storing your WhatsApp data backups in Google Drive? If so, you need to know that backups of your WhatsApp messages are not encrypted once they leave your device and are stored within Google Drive. Last week, WhatsApp reminded its users that backup services like Google Drive may not have the same protections, such as end-to-end encryption, that WhatsApp provides while using the app. This announcement came to the forefront due to recent news that Google now exempts WhatsApp backups from counting towards Google Drive space limits. On the other hand, if you’re a WhatsApp user on Apple iOS, your backups are sent to iCloud, which does provide end-to-end encryption of WhatsApp backup data by ensuring that anything stored at the server level is encrypted. This means that the WhatsApp backup data file itself is not encrypted, but the location within Apple’s iCloud storage is. I think you know why Google Drive is not encrypted, right? Google is using data from your documents, just like your email in Gmail, to serve you more ads.
This news from WhatsApp should make you think about how any of your backups are stored and what would happen if backups for your computer, phone or an application storing sensitive data were lost or stolen. It’s an interesting question, as cloud-based storage seems to be all over the place in regards to who encrypts data stored at the server level (also known as ‘at rest’) and who doesn’t. For example, I was surprised to learn that Microsoft OneDrive is only encrypted for Office 365 business users and not for personal accounts. So what are some quick solutions? With any backup that you make through a cloud-based solution, take a few minutes to investigate, through a simple web search, whether they are using encryption to store your data. If they are not, consider using a tool to encrypt sensitive files before uploading them to a cloud backup solution. Check out our show notes for a good guide on several encryption tools that work well with many different types of cloud storage providers.
Instagram finally announced that it will begin rolling out the ability for users to enable app-based two-factor authentication as a more secure way to protect access to Instagram accounts. App-based two-factor authentication uses an app like Google Authenticator, Authy or Duo to provide a code, or to allow a button push (in the case of Duo), instead of receiving a text message. As we reported on the podcast just last week, Instagram has had a major problem with many users reporting that their accounts have been compromised, even with SMS-based two-factor authentication enabled. Instagram, like many other apps, only allows SMS-based two-factor authentication. SMS-based two-factor authentication is no longer considered secure, and many apps and businesses are just starting to think about moving off of it. As we’ve mentioned several times on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port-out scams. Instagram users should start to see this new feature rolled out to their accounts in the coming weeks, in addition to a few other updates including a new way for high-profile accounts to request verification.
One interesting bit of research this past week from reporter Brian Krebs showed that SMS two-factor authentication is still the only way to reset your password via the Instagram app. This is a fairly large hole given that app-based two-factor authentication is now available for the standard login process. Let’s hope that Instagram fixes this issue as well, because even with app-based two-factor authentication enabled, it won’t stop a dedicated attacker from SIM hijacking your phone number and then resetting your password. Check out our show notes for a link to a site called twofactorauth.org to see the types of two-factor authentication in use by many of the popular apps that you may be using. We always recommend using some form of two-factor authentication instead of just using a password alone.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Aug 31, 2018 • 36min
Election Hacking and Vulnerable Voting Machines
This is the 79th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright and was recorded on August 23, 2018. Listen to this episode and previous ones direct via your web browser by clicking here!
This episode is available on our YouTube Channel and is the very first episode that we recorded over video via Skype! We apologize for the poor video quality at times and will be testing additional video streaming via Facebook or YouTube live in the future. Please subscribe to our channel and let us know how you like this new format!
In this episode Tom and Scott discuss election hacking, which has been top of mind for many of us and a hot topic in the news, especially with the midterm elections coming up in the United States. Tom talks about the DEF CON Voting Machine Hacking Village, what was discovered, and how hacking voting machines will hopefully make elections more secure in the future. As mentioned on the show, we recommend checking out previous podcast guest Rachel Tobac’s short video on how easy it was to hack a voting machine used in 18 US states in under 2 minutes:
At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl
— Rachel Tobac (@RachelTobac) August 12, 2018
Scott also discusses the recent phishing “attack” on the Democratic National Committee (DNC) that actually was an authorized phishing test, and some of the challenges with disclosing or not disclosing phishing tests to employees.
Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

Aug 27, 2018 • 12min
New TSA Body Scanners, Back to School Cybersecurity, Instagram Hacking
This is the Shared Security Weekly Blaze for August 27, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 27th 2018 with your host, Tom Eston. In this week’s episode: New TSA Body Scanners, Back to School Cybersecurity, and Instagram Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable, and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The city of Los Angeles, California, in partnership with the US Transportation Security Administration, jointly announced that the city of Los Angeles is purchasing body scanners that will be used to screen metro riders. This new body scanning technology will be used to help detect weapon and explosive device security threats on one of the largest public transportation systems in the US. The Los Angeles metro system is also the first transportation agency in the nation to purchase such equipment. The technology is similar to what is used at airports, called millimeter wave technology, but does not emit radiation and no anatomical body images are displayed. What makes this type of scanner technology different is that these work off of your body heat and can detect hidden objects where heat waves are blocked. The other big difference is that metro passengers just need to walk by the scanners and not stop to line up like you normally would going through airport security. Another advantage is that the devices are portable, meaning they can be moved to a different area of a public transportation system if needed.
This news reminded me of a scene from the 1990 movie “Total Recall” with actor Arnold Schwarzenegger. There was a scene where passengers in the movie walked through a security system that was essentially an “x-ray” of their body. Skeletons of passenger bodies were displayed as security personnel observed passengers to detect weapons that might be coming into the transportation system. Back in 1990, most people watching that scene must have felt a little uneasy and concerned about the privacy ramifications of such invasive security technology. Funny that this was just a pipe dream back in 1990, but now, very much a reality 28 years later. Given the security climate since 9/11, this technology shouldn’t really surprise anyone. Coming full circle, privacy concerns are still very real today. In fact, there have been many cases of the TSA screening passengers inappropriately and abusing technology like this by violating passengers’ privacy, all in the name of “keeping us all safer”. Let’s hope that when this new scanning technology rolls out across the US, and I would assume across most of the world, we continue to hold the people in charge of these systems accountable to ensure our privacy while balancing the needs of security.
It’s that time again, as school is starting back up for most students and we begin the yearly tradition of getting kids ready and prepared for school. With the new school year being top of mind for many of us, it’s a great time to think about how our schools are protecting student data from attackers looking to compromise and steal confidential student information. As of this podcast recording, according to the K-12 Cybersecurity Resource Center, there have been 356 cybersecurity-related incidents targeting K-12 schools since January 2016. Many of these incidents were ransomware attacks. Surprisingly, in 2016 it was noted by the US Department of Education that 60 percent of K-12 schools that were victims of ransomware attacks actually paid their attackers to get stolen student data back. There have also been other disturbing stories, like one recent incident in the Tulsa, Oklahoma public school district where confidential student records were found in a dumpster. But it’s not only the outside attackers and careless school personnel you have to worry about, it’s also the students themselves. There has been a sharp increase in recent years in students hacking into their school networks and applications in order to change grades and attendance records.
Based on these recent statistics and news stories, you may be curious to know what the schools your kids go to, or the ones in your area, are doing to protect student data. Well, depending on the school system and the school itself, there may not be much being done. I highly recommend watching this interesting YouTube interview from the Archer News Network about what teachers, students and cybersecurity professionals are saying about this topic. This interview, available in our show notes, shows that most school districts do not have the funding or expertise to properly protect school networks and systems from a cyberattack. But it gets even more basic than that. There is an overall lack of security awareness among teachers, students and school administrators, which has led to a huge problem given that there are so many different types of cybersecurity threats to schools. It’s really a human problem, more so than it is a technology problem. I recall many years ago when my daughter was given her first user name and password to access one of the systems that she required for gaining access to class material and homework assignments. The password given to her was “password123” and there was no option to allow my daughter to change it. There was also no education given to her about basic password security. Thankfully, I’m her father so we had a learning opportunity, which was a good thing to happen! Now this was about five years ago or so, but do you think anything has changed? I’d be willing to bet that many of the hacks that we see schools falling victim to are because of things like easy-to-guess passwords and the lack of very basic security awareness.
So what can we do about improving the cybersecurity of our schools? First, we need to ask our schools what they are doing about this problem and what controls and practices they have in place to help prevent a cyberattack from occurring. For example, you can ask whether they are monitoring for attacks, whether they are following any government cybersecurity standards, how they are educating teachers and students on cybersecurity basics, and whether they have an incident response plan. If there ever is a ransomware infection, data breach or student hacking incident, how is the school going to react and respond, and of course notify parents and authorities? There is no simple answer to any of these problems in our schools, but what we can do is ask questions and begin to drive these important conversations that need to start happening with school boards and administrators.
Over the last week there has been a rise in Instagram accounts being hacked, despite users using complex, non-guessable passwords and even two-factor authentication on their accounts. Apparently this started happening at the beginning of August, and it’s unknown how attackers have been compromising accounts, with no acknowledgement from Facebook, which happens to own Instagram. News site Mashable posted an article last week stating that about 275 people have contacted them about their accounts being hacked, and noted that several users said their accounts were locked out with no warning, even with two-factor authentication enabled. Many of the Instagram accounts being compromised are ones that are considered “high value”. High-value Instagram accounts are ones with thousands of followers, ones used by celebrities, or accounts that have account names of three letters or less. Many have speculated that the cause may be SIM hijacking, which is one of the most popular ways to compromise Instagram accounts right now. However, others have speculated that the cause could be traditional phishing attacks for Instagram credentials, an undisclosed vulnerability in the Instagram app or backend services, or even exploitation of the ancient SS7 network protocol that’s still being used by telecommunications companies around the world to send text messages. SS7 (which stands for Signaling System Number 7) has several known vulnerabilities that can allow an attacker to hijack communications and track the real-time location of someone, and it has been used in the past to redirect SMS-based two-factor authentication for banking logins.
Unfortunately for its users, Instagram has yet to deploy an alternative to SMS-based two-factor authentication, which we all know by now is considered insecure. However, sources say that a more secure form of two-factor authentication is currently being developed by Instagram and is in the process of being tested. To top this all off, Instagram support hasn’t been very helpful either for users who have had their accounts compromised. This of course is unfortunate given that many people make their living off of Instagram or rely on it for their business. My take is that a lot of times, you could do everything right from a security perspective and still have your account compromised. Just like we see with all the massive data breaches that happen on a weekly basis, we often have no control over our information because we trust that someone else is properly securing it for us. One suggestion I have is to be more aware of who we give our data to and perhaps not sign up for a particular service if we’re really concerned that someone else may not protect our private data the way we expect. As we like to say on the podcast, we all need to make better risk decisions because nobody else can make them for you.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

Aug 20, 2018 • 11min
The Shared Security Weekly Blaze – ATM Cashout Attacks, Mobile Phone Voicemail Security, Google Location Tracking
This is the Shared Security Weekly Blaze for August 20, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Show Transcript
This is your Shared Security Weekly Blaze for August 20th 2018 with your host, Tom Eston. In this week’s episode: ATM cashout attacks, mobile phone voicemail security and Google location tracking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
This is the 30th episode of the Weekly Blaze Podcast! I wanted to give a quick shout out and thank you to our listeners and sponsors for supporting the show! Thank you for all the feedback that you provide, and we look forward to bringing you more great content in the coming weeks and months. Thanks for listening!
The Federal Bureau of Investigation is warning banks that criminals are looking to carry out a highly organized global “ATM cash out”, in which criminals take previously cloned credit cards and use them at ATMs around the world to withdraw millions of dollars in cash, all within a few hours. In the past, this attack has been carried out around a holiday when banks and financial institutions are closed. This is because the limited staff at banks during a holiday makes it difficult for a bank to quickly respond to an attack like this. Similar attacks in the past have targeted small to medium-sized banks, which may not have the robust security and fraud teams that a larger bank may have. Brian Krebs from Krebsonsecurity.com reports that this most recent FBI alert was related to a card breach of a bank in India called Cosmos. In this incident attackers drained $13.5 million from accounts using cloned cards at 25 different ATMs located in India, Hong Kong and Canada. Malware was also installed on the bank network, which was used to help process the fraudulent ATM transactions. In the alert to banks the FBI noted several common tips to help banks avoid becoming a victim, but the truth of the matter is that many small and medium-sized banks do not have the resources or staff to properly defend their systems from a dedicated attacker on their network. The best course of action for the rest of us is to stay vigilant about checking our credit and debit card statements and to ensure that you set up some type of fraud alerts for any transactions that may happen on your card. As a reminder, using a debit card instead of a credit card can be more risky, because money is instantly removed from your checking account and it can take weeks for the bank to reimburse you. Check out our show notes for a link to our episode on credit card fraud in which we discuss tips on how to prevent becoming a victim of this type of crime.
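The cash-out pattern just described (cloned cards, many ATMs, more than one country, everything drained within a few hours) is something a bank’s fraud team can write a rule for. The following is an added example in Python, not code from the podcast, the FBI alert or any bank; the withdrawal records, card identifiers and thresholds are all constructed for illustration.

```python
"""Detection rules for the coordinated "ATM cash out" pattern (added example).

Two complementary rules over a stream of withdrawal records:
  1. per card: too many distinct ATMs, more than one country, or too much
     cash inside a rolling window;
  2. institution-wide: an unusual number of distinct cards withdrawing in
     the same window, which is the signature of a coordinated operation
     even when every single card stays under its own limits.
All records below are constructed sample data, not real transactions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str          # tokenised card identifier (constructed, not a real PAN)
    ts: datetime       # time of the withdrawal (UTC)
    atm: str           # ATM identifier
    country: str       # country of the ATM
    amount: float


def card_alerts(events, window=timedelta(hours=3), max_atms=3,
                max_countries=1, max_total=2000.0):
    """Per-card rolling-window rule; returns {card: reason} for flagged cards."""
    alerts = {}
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_card[e.card].append(e)
    for card, evs in by_card.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            countries = {w.country for w in win}
            atms = {w.atm for w in win}
            total = sum(w.amount for w in win)
            if len(countries) > max_countries:
                alerts[card] = f"{len(countries)} countries within {window}"
            elif len(atms) > max_atms:
                alerts[card] = f"{len(atms)} distinct ATMs within {window}"
            elif total > max_total:
                alerts[card] = f"{total:.2f} withdrawn within {window}"
            if card in alerts:
                break                      # first hit is enough; stop scanning
    return alerts


def max_cards_in_window(events, window=timedelta(hours=3)):
    """Institution-wide rule: most distinct cards withdrawing inside any one window."""
    evs = sorted(events, key=lambda e: e.ts)
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        best = max(best, len({e.card for e in evs[start:end + 1]}))
    return best


# Constructed scenario: a weekend night, when fraud teams are thinly staffed.
T0 = datetime(2018, 8, 11, 2, 0)
SAMPLE = [
    # C-100: one cloned card used in India and then Hong Kong within 90 minutes
    Withdrawal("C-100", T0, "ATM-IN-01", "IN", 400.0),
    Withdrawal("C-100", T0 + timedelta(minutes=20), "ATM-IN-02", "IN", 400.0),
    Withdrawal("C-100", T0 + timedelta(minutes=90), "ATM-HK-07", "HK", 450.0),
    # C-200: five different Canadian ATMs inside one hour, single country
    *[Withdrawal("C-200", T0 + timedelta(minutes=10 * i), f"ATM-CA-{i:02d}", "CA", 300.0)
      for i in range(5)],
    # C-300: an ordinary single withdrawal hours later
    Withdrawal("C-300", T0 + timedelta(hours=5), "ATM-CA-09", "CA", 100.0),
    # C-400..C-405: six distinct cards hitting one ATM cluster in 25 minutes
    *[Withdrawal(f"C-4{i:02d}", T0 + timedelta(minutes=5 * i), "ATM-IN-03", "IN", 200.0)
      for i in range(6)],
]

if __name__ == "__main__":
    for card, reason in card_alerts(SAMPLE).items():
        print(f"ALERT {card}: {reason}")
    busiest = max_cards_in_window(SAMPLE)
    if busiest >= 5:
        print(f"ALERT coordinated cash-out suspected: {busiest} cards in one window")
```

Thresholds would be tuned per institution; the value of the second rule is that it fires on the coordinated burst even when each cloned card is used only once.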
When was the last time you thought about the security of the voicemail on your mobile phone? If you’re like most of us, probably not at all. But as one security researcher named Martin Vigo demonstrated at the DEF CON hacking conference in Las Vegas this past week, it’s all too easy to hack into someone’s voicemail. Why would someone want to hack into your voicemail, you may ask? Well, there are many popular online apps and services that use a phone call to deliver a code that you can use to verify your identity through things like a password reset process. You may be surprised to know that this is a popular option for authentication alongside SMS text messaging, which hopefully all of you know is considered insecure. If you can hack someone’s voicemail, you now have the potential to compromise their email, social networks, banking apps, conversations and much more. Martin’s research showed that sites like PayPal, WhatsApp, Instagram and LinkedIn all have a feature to call you to reset your password.
So how does one go about hacking into someone’s voicemail? The first step is to find the backdoor number for the victim’s mobile carrier, which allows you to log in to the voicemail system to hear messages. Voice mailboxes are protected with a PIN code, and many of these mailboxes are configured with default or easy-to-guess PIN codes, many of which are only 4 or 6 digits in length. In fact, Martin wrote a tool that can brute force common PIN codes and can also try random combinations of numbers until one of them works. Once this access is gained, there are several techniques that Martin describes for flooding the victim’s number or determining whether the phone is powered on, so that when the password reset process calls the victim’s number, the call goes straight to voicemail. In a blog post, the researcher describes multiple attack scenarios using several workarounds for bypassing different types of voicemail systems. Check out our show notes for a link to this really impressive research. While Martin did contact the major mobile carriers about the issues he found, the response from these companies was, not surprisingly, less than impressive. There are, however, some things that you can do to protect your voicemail. First, use a strong PIN on your voicemail account. That means something other than the default given to you, and make sure it’s long and unique. You may have to look up your own mobile carrier’s process for changing your PIN, but in the show notes we’ve provided links to AT&T’s and Verizon’s processes. Next, don’t provide your phone number to online services unless it’s required or it’s the only option available for two-factor authentication. As mentioned previously on the podcast, we recommend using a virtual phone number like Google Voice to prevent the SIM hijacking attacks that are very popular right now. Lastly, use app-based two-factor authentication like Authy or Duo if it’s available from the online service you’re using.
Hopefully, through awareness and research done by security researchers like Martin Vigo, the mobile carriers will look at further ways to increase the security of voicemail systems.
Google was in the news this past week regarding an Associated Press investigation that found many Google services store your location data despite your disabling Google’s own privacy controls that are supposed to prevent your location from being shared. In most cases, while using apps like Google Maps, it’s a given that your location is going to be used. However, if you disable a setting called “location history”, Google will still collect your location data. Regardless of this setting, just by opening up the Google Maps app your location is shared; the built-in weather app, if you have an Android phone, shares your location; and many other situations, like making certain web searches, may trigger Google to also record your location.
Google argues that the location history setting is doing what it was designed to do, but critics like Jonathan Mayer, the Princeton researcher who worked with the Associated Press on this, quickly point out that, quote, “If you’re going to allow users to turn off something called ‘location history’, then all the places where you maintain location history should be turned off,” Mayer said. “That seems like a pretty straightforward position to have.” End quote.
Totally turning off location sharing on all Google apps and services is quite the daunting task, and it’s not clear in certain cases whether your location data is being tracked or not. Not only do you have to disable location history, but you need to disable something called “web and app activity”, which stores all types of information about your activities on Google’s various apps and services. Changing this setting only prevents Google from adding your location to something called their “timeline”, but it does not fully prevent Google from tracking you through other means. You’ll have to delete each location record individually or delete all of your stored activity, which is essentially what we call hitting the “big red button”. It should be no surprise to anyone that Google insists on tracking your location, and making it difficult to turn off, because it’s another way for Google to boost advertising revenue. If you’re interested in seeing all the data that Google is collecting about you, you can visit myactivity.google.com while logged into your Google account. If you use many different Google services, you may be very surprised to see the amount of detail that Google collects about your activities. With the news of this recent location tracking issue, it may be yet another reason to move off of Google’s services completely, especially if you’re really concerned about your location privacy.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – ATM Cashout Attacks, Mobile Phone Voicemail Security, Google Location Tracking appeared first on Shared Security Podcast.

Aug 13, 2018 • 9min
The Shared Security Weekly Blaze – Facebook and your Financial Transactions, Smart Home Security, Critical HP Printer Vulnerabilities
This is the Shared Security Weekly Blaze for August 13, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for August 13th 2018 with your host, Tom Eston. In this week’s episode: Facebook and your financial transactions, Smart Home security and critical HP printer vulnerabilities.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
The Wall Street Journal reports that Facebook is asking large banks to share customer information and financial records so that they can potentially offer financial services via Facebook Messenger. The proposal from Facebook includes getting access to bank customers’ card transactions, account balances, as well as information on where customers are spending their money. In return for customer information, Facebook will provide banks with access to Facebook user information, which may be lucrative to a large bank looking to sell and target their services to existing and new customers. Facebook has said that they would not use any information provided by banks for targeted ads and would not share this data with third parties. This news comes as Facebook is still conducting damage control on their public relations after the infamous Cambridge Analytica scandal, where the personal data of approximately 87 million Facebook users was harvested without user consent.
My take on this story is that Facebook needs to find new and innovative ways to collect user data, which in turn allows companies to use the Facebook Platform to give you, guess what, more ads. We all know how Facebook makes money, and that’s through your data being used to sell you more stuff. It should be no surprise then that Facebook is looking to get into the social financial business recently made popular by PayPal’s Venmo app. Haven’t heard of Venmo? Venmo is an application which allows social sharing of financial transactions. Venmo itself has also been in the news recently for the ease with which anyone can publicly view the financial transactions of anyone using the app. This is because all Venmo transactions are made public by default. This past July a savvy developer created a Twitter bot called “@VenmoDrugs” to showcase any financial transactions related to drug deals, sex or alcohol. The developer eventually removed the Twitter account after being the center of some controversy and news reports, but it does demonstrate that there is money to be made with an app that allows transactions to be public by default. Venmo won’t be the last app that will monetize the social sharing of financial transactions, and it seems Facebook doesn’t want to be the last.
Have you recently sold your home or moved into a home that has smart devices like thermostats, lights, cameras, alarm systems and other “Internet of Things” devices installed? Have you thought about resetting or changing the passwords that would allow access to those devices? Smart-device security, especially in a home that is being sold or if someone is moving out because of a domestic abuse situation, is being reported as a large problem that many people are now dealing with. For example, it can be very common for an ex-husband to leave a home due to a pending divorce but still have access to all the smart devices like lights, cameras and even thermostats. This can lead to abuse of this technology and cause real privacy concerns, especially for victims of domestic abuse. In regards to new homes, we all know that whenever you purchase a home that had a previous owner, you should always change the locks, garage and alarm codes and anything else that the previous owner had knowledge of. But if you happen to inherit smart devices as part of the purchase, you need to make sure you reset these devices back to default to ensure any previous access is removed. For other domestic situations, it’s advisable to reset any Internet of Things devices as well as ensure you have administrative access to these accounts, or disable or change passwords as necessary. With the increase of smart devices in our homes, we need to ensure we add smart devices to the list of things to secure whenever our living situations change.
Do you own an HP Inkjet printer? If so, you may have to patch your printer due to recent critical vulnerabilities that were identified by security researchers in approximately 166 different models of HP Inkjet printers. These models include popular OfficeJet, DeskJet, Envy, as well as DesignJet and PageWide Pro printers. HP states that these two vulnerabilities would allow an attacker to create a file that can be sent to the printer to cause a stack or stack buffer overflow allowing remote code execution. Check out our show notes for details from HP to see if your specific printer is vulnerable and to learn how to update your printer if affected.
So, you may be asking yourself…why should I care about printer security anyway? Well, printer security is something that is often overlooked, since it’s a device that does a very simple task, which is printing a document for us. However, most printers these days are multifunction, meaning you can scan, print, fax and connect to various cloud-based services to retrieve and save documents. Most modern printers also allow you to print to your home printer from any Internet connection, and sometimes allow this access by default when you first set up a new printer. If your printer happens to be accessible to the entire Internet and you allow files to be uploaded, an attacker could compromise your printer, which would allow a foothold into your home network. This type of attack vector is much more serious for businesses that may be using their printers in this way, especially if your business requires printing and storing of sensitive or confidential information. Check out our show notes for this episode for links to articles on printer security best practices.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Facebook and your Financial Transactions, Smart Home Security, Critical HP Printer Vulnerabilities appeared first on Shared Security Podcast.


