Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Aug 6, 2018 • 10min

The Shared Security Weekly Blaze – Quiet Skies TSA Surveillance Program, SIM Hijacking and the Reddit Data Breach, Sextortion Scams

This is the Shared Security Weekly Blaze for August 6, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions – and Silent Pocket. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for August 6, 2018 with your host, Tom Eston. In this week’s episode: the Quiet Skies TSA surveillance program, SIM hijacking and the Reddit data breach, and sextortion scams.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze, where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. If you like our weekly podcast we would really appreciate you leaving a five star review in iTunes. We’ll be sure to thank you on the show! Click the iTunes link in our show notes for this episode to leave us a review, and thank you for your support!

Ever feel like you’re being followed when you’re at the airport or while on a flight recently? Well, you may actually have been followed, as the Boston Globe reported last week that federal air marshals are following US citizens who are not suspected of a crime at airports and on airplanes.

The previously unknown program, called “Quiet Skies”, has caused controversy within the Transportation Security Administration (aka the TSA), as thousands of US citizens who are not on any watch list are being surveilled and observed to see if they violate 15 rules that are part of a checklist air marshals need to follow. Characteristics that air marshals look for include things like excessive fidgeting, wide-open staring eyes, and even whether the subject slept on the flight or went to the bathroom. According to the report, about 35 passengers are targeted every day, and there are 2,000 to 3,000 federal air marshals who conduct this and other air marshal duties across airports in the United States.

What I find interesting is that federal air marshals themselves are questioning the need for the Quiet Skies program. One air marshal said to the Boston Globe: “What we are doing [in Quiet Skies] is troubling and raising some serious questions as to the validity and legality of what we are doing and how we are doing it”. Groups such as the ACLU are now involved, questioning whether passengers’ constitutional rights are being violated by this program, given that a person’s race, religion or mental health may put them under surveillance. Of course, the TSA declined to discuss the Quiet Skies program, but noted that “federal air marshals leverage multiple internal and external intelligence sources in its deployment strategy”.

As many of you are hopefully aware, the TSA in the United States has come under much scrutiny over the last several years due to the treatment of passengers during screening, as well as the federal air marshal program itself. It should be interesting to see whether this recent revelation about the previously secret “Quiet Skies” program puts more pressure on Congress to further scrutinize the activities of the TSA and the Department of Homeland Security.

Last Thursday, the popular news and social media site Reddit announced that they had a data breach. The data breach apparently happened in June and exposed some user data, including current email addresses and a backup database from 2007 containing usernames and hashed passwords. The attackers apparently targeted several Reddit employee accounts that were being used with Reddit’s cloud and source code providers. Reddit noted that while they did secure these employee accounts with SMS-based two-factor authentication, the attackers were still able to compromise these accounts even with two-factor authentication enabled. It’s important to note that the attackers did not compromise further Reddit systems or user accounts.

This most recent data breach example further demonstrates that sites and services need to move away from SMS-based two-factor authentication and start using authenticator apps like Google Authenticator, or provide methods to use a hardware token or solution such as a YubiKey.

As we’ve mentioned before on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication called SIM hijacking, also known as SIM port-out scams. SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number. In some cases the attacker may also attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they can reset credentials or request SMS two-factor authentication codes for any sites that use a mobile phone number for access.

The way to help prevent this attack is to create a validation code with your mobile carrier. Depending on the mobile carrier you use, this may be described as a “port validation” code, but some carriers may call it a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide it to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack from happening to you. You may have to research this process on your mobile carrier’s website, as each company has a different procedure for enabling this feature. Also note that you should ensure this passcode or PIN is unique and different from any other passcode or PIN in use with your mobile carrier, such as the password for online access to your account. Lastly, if you find a site that does not allow any other form of two-factor authentication besides SMS, the other option is to set up a free virtual phone number through a service like Google Voice and use that number to receive SMS text messages. Check out our show notes for a link to further reading about preventing SIM hijacking attacks.

The EFF released a really good guide last week regarding what to do if you’re the victim of a sextortion scam. A sextortion scam is when a scammer sends thousands of emails to victims claiming to have a password of yours that can be used to blackmail you. The scammer will say they have a video of you watching adult videos and will send it to your email contacts if you don’t pay a ransom in Bitcoin. The scam works because the password noted in the email may actually be a password that you’ve used or are currently using. The scammer does not get this password by hacking you or your accounts, but rather through a previously disclosed data breach in which your email address and password were publicly exposed. The scam email uses the typical phishing tactic of a threat, as well as the typical bad grammar, which should indicate to you that this is a scam. Check out our show notes for the guide from the EFF about this scam, as well as to view several email variations that might end up in your inbox.

As always, be sure to use complex and unique passwords, utilize a password manager, and always enable two-factor authentication on any online accounts that you use to prevent becoming a victim of a real attack.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Jul 30, 2018 • 9min

The Shared Security Weekly Blaze – Bluetooth Vulnerabilities, Malicious Apps Removed from Twitter, Gmail Confidential Mode

This is the Shared Security Weekly Blaze for July 30th, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions – and Silent Pocket. This episode was hosted by Tom Eston.

Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript

This is your Shared Security Weekly Blaze for July 30th 2018 with your host, Tom Eston. In this week’s episode: Bluetooth vulnerabilities, malicious apps removed from Twitter, and Gmail confidential mode.

Researchers from the Israel Institute of Technology announced a critical vulnerability in Bluetooth technology which could allow an attacker within physical proximity of a Bluetooth device to intercept, monitor, or change the data being used by the device. Several vendors of Bluetooth implementations, including Apple, Broadcom, Intel and Qualcomm, have firmware and some software drivers that are vulnerable to this attack. The vulnerability exists because the current Bluetooth specification recommends, but does not require, that a device supporting two specific features (called Secure Simple Pairing and LE Secure Connections) validate the public key received over the air when pairing with another Bluetooth device. It’s important to note that there is no evidence this vulnerability is being exploited in the wild, and that vendors are working on patches if their implementations of Bluetooth are affected.

So what does this Bluetooth vulnerability mean for you? First, always stay up to date on patches for any Bluetooth device you may be using. For this vulnerability in particular, the good news is that Apple, Intel and Broadcom have already released patches. What may be more problematic are more obscure “Internet of Things” devices that happen to use Bluetooth and may never receive updates, because they were either manufactured cheaply or not designed with security updates in mind. This, of course, is a much larger problem that does not have an immediate solution. However, the risk here seems very low for most of us, because an attacker needs to be in very close proximity to the victim.

Last week Twitter announced that it removed more than 143,000 malicious apps from its service. Twitter said the applications were removed between April and June of this year but did not specify which apps were deleted, saying only that the apps were removed because their developers had violated Twitter’s policies. Twitter stated in a blog post that “We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter”. In addition, Twitter announced a new app registration process for developers, which has applicants go through a more rigorous approval process, including requiring developers to include all details on how their apps will be used and limiting the number of default apps that developers can create to 10.

This news from Twitter comes at a time when other large social networking companies like Facebook are cracking down on malicious and spammy apps. In Facebook’s case, the infamous Cambridge Analytica controversy made Facebook audit all apps that had requested user data in the past. Facebook has removed around 200 or so apps since it began this audit earlier this year. Facebook has also significantly changed its developer policies to align with better data privacy practices since the Cambridge Analytica controversy.

In related Facebook news, it’s worth noting that Facebook suffered its largest drop in market value, to the tune of $119 billion, when it announced its Q2 quarterly earnings on a call with investors last Wednesday. Facebook stated that it will be taking a “privacy first” approach to product development, which will likely have an impact on future revenue growth. This was the biggest ever one-day loss in market value for a U.S.-listed company in the history of the US stock market. This is an interesting development, as the demand for greater privacy and transparency from Facebook users doesn’t really matter when it comes to how Facebook makes money. This is a huge conflict for Facebook to deal with, and it will be really interesting to see how this plays out in the coming weeks.

Google’s Gmail has been rolling out its new redesign over the last several months, which includes a new feature called “confidential” mode. Confidential mode allows you to restrict how sent emails can be viewed and forwarded. Recipients of confidential mail will not be able to forward or print email designated as confidential, and you even have the ability to set an expiration date so that the email is deleted from the recipient’s mailbox. You can also require a code sent via text message for additional security of the email.

While all this sounds well and good, the Electronic Frontier Foundation notes that “confidential” mode does not mean that messages are end-to-end encrypted. Google can still see the contents of your emails because, as we all know, Google makes money off using your data for targeted advertising. The EFF also noted concerns about how expiring messages could be captured by a screenshot or a picture of the screen, and that any expiring message you send is actually kept in your sent items folder, which is really not an expiring message at all. Our advice is to use a more vetted and end-to-end encrypted messaging service like Signal or ProtonMail, and only use Gmail’s confidential mode for non-confidential messaging.

In other Google news, if you happen to use Google Chrome as your web browser, you will now start to notice that web sites you visit that are not using HTTPS encryption will be marked “Not Secure” in the URL bar of the browser. This is not a total surprise to most of us, as Google announced this change was coming earlier this year. There will also be more changes coming, starting with Chrome version 70 (to be released in October), in which the “Not Secure” indicator will be red instead of grey like it is now.
Jul 26, 2018 • 40min

The Shared Security Podcast Episode 78 – Summer Camp Facial Recognition, Dark Web Dangers

This is the 78th episode of the Shared Security Podcast, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions – and Silent Pocket. This episode was hosted by Tom Eston and Scott Wright and was recorded July 18, 2018.

Subscribe to our new email list! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign up today!

In this episode Tom and Scott discuss the recent trend of using facial recognition technology at kids’ summer camps. While there are many advantages for parents who are looking for easier ways to see what their kids are doing at camp, the use of facial recognition technology also opens up many questions and concerns about the privacy and security of this technology, especially when it comes to our children. We also discuss the risks of using the “dark web”: what the dark web is, how to access the dark web, what the associated risks are, and why you may not want to browse and use dark web (.onion) sites if you don’t know what you’re doing.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter and Instagram, and like us on Facebook. Thanks for listening!
Jul 23, 2018 • 9min

The Shared Security Weekly Blaze – Lost and Stolen Devices, Instagram and SIM Hijacking, LabCorp Security Breach

This is the Shared Security Weekly Blaze for July 23rd, 2018, sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions – and Silent Pocket. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for July 23rd 2018 with your host, Tom Eston. In this week’s episode: lost and stolen devices, Instagram and SIM hijacking, and the LabCorp security breach.

In the spirit of good GDPR compliance, you can now opt in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign up at sharedsecurity.net today.

Did you know that over 26,000 electronic devices (including mobile phones, laptops and eReaders) were lost in the London transport system last year? A report released by a research firm called Parliament Street showed that the majority of lost devices, to the tune of 23,000, were mobile devices, followed by laptops with approximately 1,000 devices lost. This announcement has been a wake-up call of sorts for UK businesses to ensure there are protections in place for the data stored on lost or stolen devices. Not only does this present a business risk, but also a personal privacy risk. I’m sure many of these devices were not properly protected by very basic device security controls such as passcodes for mobile devices and full disk encryption for laptops. While 26,000 devices does seem like a lot, imagine how many devices go missing in an even larger transportation system like the one in New York City.

Physical device security is one of the most important, and easiest, security controls you can implement on your devices to avoid having your data accessed if your mobile phone or laptop is ever lost or stolen. Some of the basics for a mobile phone are to set a long, complex passcode or passphrase, ensure the device is erased after 10 failed login attempts, and enable any GPS or location tracking so that you have a way to find your device if it’s ever lost. You’d be surprised how many people are able to find their lost device by using a feature like this. Also, for laptops, always enable full disk encryption that takes effect from the moment you power on your laptop. For Windows laptops, depending on whether you have Windows 10 Professional, you can enable BitLocker for full disk encryption. If you have Windows 10 Home Edition, you can use a free and open-source full disk encryption solution called VeraCrypt. macOS users should enable FileVault, which is included with all modern versions of macOS. See our show notes for links to these different full disk encryption solutions to ensure your devices are protected if they are ever lost or stolen.

Instagram is reported to be developing a more secure form of two-factor authentication by moving away from text messages to app-based solutions like Google Authenticator or Duo. As we’ve previously reported on the Weekly Blaze, SIM card “port-out” scams, also known as SIM hijacking attacks, have been on the rise in just the last year or so. A SIM hijacking scam is where an attacker will call your mobile carrier and use social engineering techniques to transfer your mobile number to another carrier, thus giving the attacker the ability to receive your SMS text messages. This access is then used to reset passwords on many popular apps like Instagram, as well as on your email service, which can in turn be used to reset passwords. Many celebrities and others with very valuable Instagram user names have been targets of this attack, but it can really happen to anyone, especially if you’re known to be trading bitcoin or other cryptocurrency. With the recent popularity of cryptocurrency, this attack is now financially motivated.

So what can you do to prevent becoming a victim of a SIM port-out scam? First, contact your mobile carrier to ensure you have set up or configured a PIN or passphrase on your account that would be required for any request with customer support to port your number over to a new carrier. See our show notes for a great guide on how to do this. Second, consider using a virtual phone number like Google Voice for two-factor authentication on sensitive accounts like your bank or social media. We’ve also provided a link to several virtual phone number services in our show notes for you to reference. We also suggest removing your phone number, or using a virtual one, for whatever email provider you’re using. For example, Google’s Gmail gives you many different options besides a phone number for other forms of authentication. Be safe out there, and let’s all stop thinking that our phone numbers are a secure method to verify our identity or a secure means of authentication.

Last week it was announced that LabCorp, one of the largest medical laboratories in the United States, had its network breached through what looks to be a ransomware attack. The attack prompted LabCorp to shut down its entire network while it investigated the incident. LabCorp said in a filing with the Securities and Exchange Commission that it detected suspicious activity on its network the weekend of July 14th and “immediately took certain systems offline as part of its comprehensive response to contain the activity”. The suspicious activity was apparently only detected on LabCorp Diagnostic systems. No other information has been released, but LabCorp noted that there has been no evidence of any medical data being compromised thus far in its investigation. It’s important to note that LabCorp is required to notify patients of a data breach within 60 days after an incident, so it will be interesting to see whether this takes place and what data was actually accessed, if any at all. LabCorp provides services for over 115 million patients and processes tests for more than 2.5 million specimens per week. If patient data was compromised during this ransomware attack, it could be one of the largest healthcare breaches in history. The largest healthcare data breach to date was the Anthem Blue Cross data breach in 2015, which affected 78.8 million individuals. We’ll be keeping a close eye on this story, so stay tuned for updates in future episodes of the podcast.
Jul 16, 2018 • 10min

The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy

This is the Shared Security Weekly Blaze for July 16th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 16th 2018 with your host, Tom Eston. In this week’s episode: Polar fitness app location data exposed, blocking scam phone calls and the Samba TV privacy controversy. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. I wanted to clarify a few details about the new California Privacy Act that I discussed on the Weekly Blaze podcast last week.  While this law applies only to California residents, it will most likely have broader implications for all major businesses in the US. Most major companies that deal in personal data, have some California customers. That will leave those businesses with two options: either build systems and procedures to comply with California law, or treat Californians one way and every other customer another. It should be interesting to see how this plays out in the coming months before this law is made official in 2020. 
Here we go again with more fitness apps exposing the location of spies and military personnel. You may remember back in February on the second episode of the Weekly Blaze podcast we discussed how the popular fitness app Strava inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. This information was all found though Strava’s publicly available “world-wide heatmap” of Strava users. This time around it’s fitness tracker Polar’s turn which has an app called “Polar Flow” that has a developer API that can be improperly queried. In addition to viewing the public Polar user map, the data exposed includes all user details including GPS coordinates. Journalists from the Dutch news site De Correspondent were able to identify over 6,400 users across 69 different nationalities that have been using the Polar Flow app to see who they are and where they worked using Google and LinkedIn to correlate the data. Many of these users were found to work for different government agencies including the Dutch military. Dutch authorities have noted that this is a major problem as there are rules about how the Dutch military should not wear their uniforms in public or have other personal information exposed which could identify them due to recent terrorist threats on military members and their families. Polar responded last week by taking it’s publicly available activity map offline and issuing a statement noting that all users have “opted-in” to have their private information shared, as by default all workouts are private. However, no word from Polar about that misconfigured developer API. The Dutch military, as well as other countries, have started banning the use of fitness trackers due to these security concerns. 
Like we always mention on the show, even if you make sure your privacy setting in fitness apps like these are locked down, there may be ways, like insecure developer APIs, that could be used to pull your private data anyway. Let this issue with Polar be a reminder that you need to determine for yourself if you accept the risk of putting your personal workout data and location out there for anyone to potentially access. Don’t you hate robocalls, telemarketers, and scammers calling our phones day in and day out? Well Google announced last week that they going to be adding a new feature to their phone app called “Call Screen” which will automatically screen calls for unknown and suspicious numbers. This new feature, which looks like it may launch on the Google Phone, will make suspicious calls answer one or more automated questions. The audio and audio transcription of the answers are then relayed to the call recipient so they can decide if they want to answer the call our not. This feature comes on the heels of a new “warning filter” that was implemented for telemarketing calls that is now part of Google Phone. Nothing like this currently exists on Apple iOS, unless you install a third-party app such as RoboKiller which looks for scam calls via a blacklist of known scam numbers. However, it’s good to see Google stepping up to tackle the huge problem we have with scams that are all coming through our phones. According to the most recent fraud report by the US Federal Trade Commission, 70% of all fraud that was reported to the FTC were through phone calls. This totaled around $290 million in loss for victims. Hopefully what we see Google doing to help address this huge problem will carry over to Apple and other device manufactures as well. Last week, two US Senators have called for an investigation into the business practices of smart TV manufactures because of recent privacy concerns about new technology that is being used to track consumer’s viewing habits. 
Most recently a New York Times article called out Samba TV, which admitted that it collected viewing data from 13.5 million homes. The article questioned Samba TV’s relationship with major TV manufacturers like Sony, Sharp, and Philips. Samba TV is installed on many newer smart TVs and allows users to “Interact with your favorite shows. Get recommendations based on the content you love. Connect your devices for exclusive content and special offers. By cleverly recognizing onscreen content, Samba Interactive TV lets you engage with your TV in a whole new way.” What I just read to you is exactly what Samba TV users read before opting in to allow viewing habits to be tracked. What the senators have concerns with is that there is no language about how much data is collected, how the data is shared and how to opt out of being tracked. By opting into the Samba TV tracking you agree to your viewing habits being completely monitored, which can even include what video games you may play and shows and movies you watch, and can allow tailored ads to be sent to phones and laptops that share the same internet connection as your TV. This is not the first time that a company has been in trouble for shady TV tracking practices. You may remember last year popular TV manufacturer Vizio settled with the Federal Trade Commission to the tune of $2.2 million for its collection and selling of viewing data of its users without their consent. Our advice is that if you use Samba TV or any other similar application on your TV, review your settings and opt out if tracking your viewing habits is a privacy concern to you. As the privacy debate grows stronger in the US and overseas it’s going to get really interesting to see how manufacturers react to new government privacy regulations. As always, you have ultimate control of what data you share including your TV viewing habits. That’s a wrap for this week’s show.
Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Polar Fitness App Location Data Exposed, Blocking Scam Phone Calls, Samba TV Privacy Controversy appeared first on Shared Security Podcast.
Jul 9, 2018 • 9min

The Shared Security Weekly Blaze – Mobile App Data Leaks, The California Privacy Act, Third-party Gmail Access

This is the Shared Security Weekly Blaze for July 9th, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 9th 2018 with your host, Tom Eston. In this week’s episode: Mobile app data leaks, the California privacy act, and third-party Gmail access. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Researchers from a mobile security company called Appthority have released concerning details about their research into Android and Apple iOS apps that use a cloud-based backend database called Firebase. Firebase was acquired by Google in 2014. Appthority reviewed more than 2.7 million mobile apps and discovered that around 2,000 of these apps had unsecured Firebase databases. These databases were found to be wide-open allowing anyone to view around 2.6 million user names and plain text passwords, 25 million GPS location records, 50 thousand financial transactions and approximately 4.5 million user tokens for social media sites.
In addition, over 4 million PHI (Protected Health Information) records were found containing prescription and private chat records. To add more insult to injury, all that was needed to access these unsecured databases was to append a simple “/.json” to the end of a database host name. The good news is that Appthority reached out to Google to alert them of the issue and Google was able to contact app developers to fix the issue. Ironically, in our last episode of the podcast, we discussed the Exactis data leak which exposed 340 million records due to developers not properly securing ElasticSearch databases. Data leaks due to developers not properly securing and configuring databases seem to have reached epidemic proportions. The unfortunate side effect of data leaks like these is that if your data happened to be exposed, you may never know about it. Of course, unless your data happens to show up on a list of compromised databases like Troy Hunt’s “Have I Been Pwned” service, it’s very hard to know if criminals have accessed or used data from all these recent data leaks. Until developers and database software take a “security by default” approach and companies are held more accountable for securing our private information, data leaks like these are going to continue well into the future. The new California Privacy Act of 2018, recently passed by the California legislature, will apply to more than 500,000 US businesses according to the International Association of Privacy Professionals (IAPP). This new law is similar to the GDPR privacy legislation that was recently enacted by the European Union. Beginning in January of 2020 all California residents will have rights to transparency about data collected, the right to be forgotten, a right to data portability and a right to opt out of having their data sold.
This law will apply to any business in California that collects personal information and businesses that sell or disclose personal information for a specific business purpose. Ironically, some of the largest companies that use and sell personal data, such as Google and Facebook, are headquartered in California. These new rules will be enforced by the California attorney general and businesses could face fines up to $7,500 for each violation. This bill is currently the strongest privacy law in the United States so it will be interesting to see if other states follow suit or if legislators start discussing a federal privacy law in line with what currently exists with the European GDPR privacy legislation. Google confirmed last week that emails, from Google’s free Gmail email service, can be read by some third-party app developers. Specifically, third-party apps can request access to users’ Gmail accounts if there is particular functionality that requires email access. For example, some apps need to send and receive emails or integrate into a mail account to pull out specific data. Most of the time it’s an automated program that will access someone’s email account. While many people may not be surprised by this, especially if you’re agreeing to allow an app this type of access, what’s not clear is how developers may leverage this access to manually read people’s email. In an article from the BBC about this issue, one company is noted as saying that they will “review the emails of hundreds of users to build a new software feature”. All of this took place without asking for additional permission from the users of these email accounts or Google. We’ve all heard the phrase “with great power, comes great responsibility” right? Well what we seem to have here is an abuse of power that a developer may use with great amounts of personal data.
It’s no different than issues we see with Facebook app developers who are already given rights, through the terms of service we all agree to, to access this data with no oversight or restrictions. We also can’t always assume that an automated program is the only thing looking at our personal data, humans will too as it’s in our curious nature. The good news out of all this is that you can review the third-party apps that may have access to your Gmail account by visiting Google’s “Security Check-up” page. See our show notes for a link to this tool. Just a reminder that if you’re not comfortable with any of Google’s terms and conditions, regardless of third-party access, you may want to consider using a different email service that allows you more control of your privacy and is not focused on serving you ads like Google is. Keep in mind, most email services that are focused on your privacy are typically not free since with free services, we all know that you are the product. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Mobile App Data Leaks, The California Privacy Act, Third-party Gmail Access appeared first on Shared Security Podcast.
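The third-party Gmail access story above turns on what an app asks for when it sends you to Google's consent screen. The following is an added example, not Google's tooling and not from the episode: it parses the OAuth 2.0 authorization URL an app redirects you to and ranks the Gmail scopes in it. The scope identifiers are Google's published Gmail API scopes; the client ID, redirect URI and sample URL are constructed for illustration.

```python
"""Rank the Gmail access a third-party app asks for, from its OAuth consent URL.

Added example: not Google's code.  Scope strings are Google's published Gmail
API scopes; the client_id, redirect_uri and sample URL are constructed.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Google's Gmail scopes, mapped to what a holder of that token can do.
GMAIL_SCOPES = {
    "https://mail.google.com/":
        ("FULL", "full mailbox access: read, send, delete, including IMAP/SMTP"),
    "https://www.googleapis.com/auth/gmail.modify":
        ("HIGH", "read every message and change labels, archive or trash"),
    "https://www.googleapis.com/auth/gmail.readonly":
        ("HIGH", "read every message and attachment"),
    "https://www.googleapis.com/auth/gmail.compose":
        ("MEDIUM", "create drafts and send mail, cannot read existing mail"),
    "https://www.googleapis.com/auth/gmail.send":
        ("MEDIUM", "send mail as you, cannot read existing mail"),
    "https://www.googleapis.com/auth/gmail.metadata":
        ("MEDIUM", "read headers and labels but not message bodies"),
    "https://www.googleapis.com/auth/gmail.labels":
        ("LOW", "create and manage labels only"),
}
LEVEL_ORDER = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "FULL": 4}
# Scopes whose token lets the holder (or a curious developer) read message bodies.
BODY_READING = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
}


def requested_scopes(consent_url: str) -> List[str]:
    """Return the space-separated scope list from an OAuth 2.0 authorization URL."""
    params = parse_qs(urlparse(consent_url).query)
    return " ".join(params.get("scope", [])).split()


def assess(consent_url: str) -> Dict[str, object]:
    """Summarise the Gmail privileges an app would hold if you click Allow."""
    params = parse_qs(urlparse(consent_url).query)
    scopes = requested_scopes(consent_url)
    worst = "NONE"
    rows = []
    for scope in scopes:
        level, meaning = GMAIL_SCOPES.get(scope, ("NONE", "not a Gmail scope"))
        rows.append({"scope": scope, "level": level, "meaning": meaning})
        if LEVEL_ORDER[level] > LEVEL_ORDER[worst]:
            worst = level
    return {
        "scopes": rows,
        "max_gmail_access": worst,
        "reads_message_bodies": any(s in BODY_READING for s in scopes),
        # access_type=offline asks for a refresh token: access persists after you
        # close the app, until you revoke it in Google's account permissions page.
        "persistent": params.get("access_type", [""])[0] == "offline",
    }


if __name__ == "__main__":
    # Constructed consent URL of the kind an "email productivity" app might use.
    sample = (
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
        "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth%2Fcb&response_type=code"
        "&access_type=offline&scope=openid%20email"
        "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    )
    report = assess(sample)
    print("max Gmail access:", report["max_gmail_access"])
    print("can read message bodies:", report["reads_message_bodies"])
    print("persistent (refresh token):", report["persistent"])
    for row in report["scopes"]:
        print(f"  {row['level']:<6} {row['scope']}  {row['meaning']}")
```

Copy the URL from the browser address bar before clicking Allow; `gmail.readonly` or `gmail.modify` means every message is readable by whoever holds the token, and `access_type=offline` means that access survives until you revoke it from the Security Checkup page mentioned above.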
Jul 2, 2018 • 9min

The Shared Security Weekly Blaze – New WPA3 Wireless Standard, Malicious Smartphone Batteries, Exactis Data Leak

This is the Shared Security Weekly Blaze for July 2nd, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for July 2nd 2018 with your host, Tom Eston. In this week’s episode: New WPA3 Wireless Standard, Malicious Smartphone Batteries and the Exactis Data Leak. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Did you know that you can now opt-in to our brand new email list for the podcast? Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today. The anxiously awaited new wireless standard, WPA3, was officially launched by the Wi-Fi Alliance last week. This new wireless standard will fix several known vulnerabilities with the previous WPA2 standard such as the KRACK attack which can allow an attacker to intercept and decrypt wireless network traffic.
Note that many Wi-Fi device manufacturers have already patched for the KRACK attack, however, the Wi-Fi Alliance made sure that WPA3, by default, included protection for this particular attack and other known issues with WPA2. WPA3 will have increased protection against brute-force attacks and support for something called SAE (Simultaneous Authentication of Equals) which will prevent attackers from decrypting previously captured network traffic even with a compromised Wi-Fi network password. Other new features include individualized data encryption to prevent local “Man-in-the-Middle” attacks and a feature called “Wi-Fi Easy Connect” which will allow simple and secure pairing of Internet of Things devices that don’t have a visual screen or display. This will replace “Wi-Fi Protected Setup”, also known as WPS, which has been proven to be insecure. According to the Wi-Fi Alliance, mass adoption by device manufacturers and consumers is predicted to start taking place towards the end of 2019. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Last week, security researchers showed that maliciously crafted smartphone batteries can allow an attacker to harvest sensitive information such as characters typed on the touch screen, browser history, incoming phone calls and when a photo has been taken. It’s also possible to exfiltrate that data, one bit at a time, through the web browser installed on the device. This exfiltration can take place through something called the Battery API that is available in the Google Chrome mobile browser. The Battery API was deemed a privacy issue by Apple and Mozilla so it was removed from Safari and Firefox. While this particular attack seems pretty farfetched, this research shows the possibilities with attacks that may target mobile devices through the supply chain, especially in China where most mobile phones are manufactured. It’s not that far of a stretch when we already have malware that has been installed in hardware and other devices coming through similar supply chains for many years now. One of the researchers that discovered this issue says “The attack may seem like a stretch (requires physical battery replacement – or poisoning hardware at a factory), and at this moment one can imagine multiple simpler methods, nonetheless it is an important study. Is the sky falling? No. Is the work significant? Yes”. Check out our show notes if you’re interested in learning more about this attack and research. Another large data leak was announced last week, this time exposing approximately 340 million individual records. This data leak was linked to a data aggregator and marketing firm called Exactis which apparently was collecting the names, email addresses, phone numbers, addresses and other demographic information including personal interests.
For comparison, the Equifax breach last year exposed 145 million records but also had much more sensitive data exposed such as people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license and credit card numbers. In addition, there is proof that criminal hackers did access and steal the Equifax data. With this latest data leak it’s not known if anyone malicious actually accessed this data besides the security researcher who found the database sitting on a server accessible by anyone without restriction. The data was found by security researcher Vinny Troia who was using the Shodan search tool looking for ElasticSearch databases that may be exposed to the Internet. ElasticSearch is a database that is frequently found by security researchers on servers that are misconfigured allowing unrestricted access to data within the ElasticSearch database. Upon finding this data the researcher contacted the FBI as well as Exactis about his findings and Exactis fixed the issue so that the data was no longer accessible. Huge data leaks like this one are becoming much more common in just the last year or so and much of this data is found just sitting out on the Internet with the ability for anyone to access. Many of these data leaks we’ve previously discussed on the podcast and in our social media feeds. Let’s see what the remainder of the year brings but in the meantime, we need to continue to do all that we can to limit the amount of private information that firms like Exactis collect. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.
Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – New WPA3 Wireless Standard, Malicious Smartphone Batteries, Exactis Data Leak appeared first on Shared Security Podcast.
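The WPA3 segment above says SAE stops an attacker from decrypting captured traffic even with a compromised password, and that WPA3 resists brute force. The added example below, which is not code from the Wi-Fi Alliance, the 802.11 standard or the episode, shows the WPA2-Personal side of that comparison: the Pairwise Master Key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), a fixed function of two values an eavesdropper can learn, so a captured handshake can be attacked offline at whatever speed the attacker's hardware allows. The network name, passphrase and word list are constructed; the one real input is the IEEE 802.11i test vector ("password", "IEEE"). The attack loop compares against the PMK directly as a shortcut; a real cracker would verify each guess against the handshake MIC instead.

```python
"""Why a captured WPA2-PSK handshake can be cracked offline, and what SAE changes.

Added example, not from the Wi-Fi Alliance or the standard.  The PMK formula is
IEEE 802.11i's; the SSID "HomeNet-2018", passphrase and word list are constructed.
"""
import hashlib
from typing import Iterable, Optional, Tuple


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA2-Personal: deterministic in (passphrase, SSID) alone."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_dictionary_attack(target_pmk: bytes, ssid: str,
                              candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Test candidate passphrases against a PMK recovered from a captured handshake.

    Nothing here talks to the access point, so the AP cannot rate-limit or lock
    the attacker out; only the cost of PBKDF2 (4096 SHA-1 rounds per guess) slows
    the search.  Returns (passphrase, guesses_tried), or (None, guesses_tried).
    """
    tried = 0
    for candidate in candidates:
        tried += 1
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())

    # Constructed scenario: the attacker sniffed a 4-way handshake for SSID
    # "HomeNet-2018".  For brevity we hand them the PMK directly; in practice the
    # MIC in the captured handshake lets them verify each guess the same way.
    ssid = "HomeNet-2018"
    captured_pmk = wpa2_pmk("sunshine2018", ssid)
    wordlist = ["password", "letmein", "sunshine2018", "qwerty123"]
    found, guesses = offline_dictionary_attack(captured_pmk, ssid, wordlist)
    print(f"recovered passphrase: {found!r} after {guesses} guesses")

    # With SAE (WPA3-Personal) the PMK comes out of a Dragonfly exchange that
    # mixes fresh per-session randomness with the password, so a captured
    # handshake gives the attacker no PBKDF2-style value to test guesses against
    # offline, and a password learned later does not decrypt old captures.
```

The practical consequence for WPA2 networks you still run: a long, random passphrase is the only thing standing between a captured handshake and the key, because the PBKDF2 work factor is fixed by the standard and cannot be raised.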
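Two of the leaks in these episodes share one root cause: a database reachable over plain HTTP that answers unauthenticated reads. The Firebase story in the July 9th episode above describes appending “/.json” to a database hostname; the Exactis story here describes an ElasticSearch server found through Shodan. The added example below, which is not tooling from Appthority, Exactis or the researcher involved, builds the probe URL for each service and classifies the response it gets back. The REST paths are real (Firebase Realtime Database serves any path as JSON when “/.json” is appended; Elasticsearch lists its indices at “/_cat/indices”), while the hostnames and response bodies are constructed so the code runs offline. Only point the live `check()` function at systems you own or are authorised to test.

```python
"""Classify what an unauthenticated read of a Firebase Realtime Database or an
Elasticsearch node returns.

Added example: not Appthority's, Exactis's or the Exactis researcher's tooling.
REST paths are the services' real ones; hostnames (including TEST-NET address
203.0.113.10) and response bodies are constructed so this runs offline.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Finding:
    service: str
    url: str
    status: int
    verdict: str   # OPEN, PROTECTED, NOT_FOUND or UNKNOWN
    detail: str


def firebase_url(db_host: str) -> str:
    # "/.json" turns the database root into a REST read; shallow=true returns only
    # the top-level keys instead of the whole tree, which keeps the probe cheap.
    return f"https://{db_host}/.json?shallow=true"


def elasticsearch_url(host: str, port: int = 9200) -> str:
    return f"http://{host}:{port}/_cat/indices?format=json"


def classify(service: str, url: str, status: int, body: str) -> Finding:
    """Turn an HTTP status and body into a verdict, with no network access."""
    if status in (401, 403):
        # Firebase answers {"error" : "Permission denied"}; Elasticsearch with
        # authentication enabled answers 401.  Either way anonymous reads fail.
        return Finding(service, url, status, "PROTECTED", "anonymous read rejected")
    if status == 404:
        return Finding(service, url, status, "NOT_FOUND", "no such database or path")
    if status != 200:
        return Finding(service, url, status, "UNKNOWN", f"unexpected HTTP {status}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Finding(service, url, status, "UNKNOWN", "HTTP 200 but body is not JSON")

    if service == "firebase":
        if data is None:  # literal "null": empty root, but rules still allow anonymous reads
            return Finding(service, url, status, "OPEN", "readable but empty; fix the rules anyway")
        keys = sorted(data) if isinstance(data, dict) else []
        return Finding(service, url, status, "OPEN",
                       f"anonymous read allowed; top-level keys: {keys}")

    if service == "elasticsearch":
        # _cat/indices?format=json -> list of {"index": ..., "docs.count": ..., ...}
        if not isinstance(data, list):
            return Finding(service, url, status, "UNKNOWN", "unexpected _cat/indices shape")
        names = sorted(row.get("index", "?") for row in data)
        docs = sum(int(row.get("docs.count") or 0) for row in data)  # null for closed indices
        return Finding(service, url, status, "OPEN",
                       f"{len(names)} indices with {docs} documents readable: {names}")

    return Finding(service, url, status, "UNKNOWN", f"unrecognised service {service!r}")


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Single GET returning (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check(service: str, url: str) -> Finding:
    """Live probe (network required): fetch, then classify."""
    status, body = fetch(url)
    return classify(service, url, status, body)


# Constructed responses standing in for live probes.
SAMPLES = [
    ("firebase", firebase_url("open-app-example.firebaseio.com"), 200,
     '{"users": true, "messages": true, "tokens": true}'),
    ("firebase", firebase_url("locked-app-example.firebaseio.com"), 401,
     '{"error" : "Permission denied"}'),
    ("elasticsearch", elasticsearch_url("203.0.113.10"), 200,
     '[{"health":"green","index":"people","docs.count":"340000000","store.size":"2tb"}]'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        f = classify(*sample)
        print(f"{f.verdict:<9} {f.service:<13} {f.url}\n          {f.detail}")
```

A PROTECTED verdict is the expected state for both services: Firebase rules that require `auth != null` and an Elasticsearch node that is either bound to localhost or fronted by authentication. Anything that comes back OPEN is readable by every Shodan user, not just you.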
Jun 29, 2018 • 31min

The Shared Security Podcast Episode 77 – Personal Risk Assessments, Stingray Surveillance Devices

This is the 77th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright recorded June 19, 2018. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! In this episode Tom and Scott discuss the concept of developing your own privacy threat model and personal risk assessment. We often discuss privacy threats and risk on the podcast so we thought it would make sense to discuss how to put together your own threat model to determine what risk you actually face from potential threats. We define risk, in the context of the topics of this podcast, as how likely is it that a potential threat may compromise your privacy or your personal information. By threat, we define that as something bad that can happen to you like being the receiver of phishing emails, malware being installed on your computer or even surveillance being conducted by a nation-state or ISP on your Internet activities. Here’s an example of putting risk and threat together. Let’s say you have a nice car and you park it in an area that is known for a high threat of crime and auto thefts, there is a greater risk that your car may be stolen than if it was parked in an area not known for crime and auto theft. The first step in the personal risk assessment is to create a privacy threat model for yourself. We’re going to reference a really great framework for threat modeling put together by the EFF (The Electronic Frontier Foundation) borrowed from their helpful guides on Surveillance Self-Defense. The EFF threat model starts by having you answer the following five questions: What do I want to protect?
Who do I want to protect it from? How bad are the consequences if I fail? How likely is it that I will need to protect it? How much trouble am I willing to go through to try to prevent potential consequences? The idea is to answer these questions as best as you can in preparation for an event or action that you may be taking related to your privacy. Based on your threat model you can then determine what tools and techniques are appropriate for your level of risk. This is always a personal decision! Some examples: “I want to hide my browsing habits from third-party ad trackers or my ISP” This scenario may be low risk to you so you may be fine just using a VPN and privacy focused browser plugins like EFF’s Privacy Badger. “I’m not comfortable giving Facebook my personal data” This scenario may be more of a medium risk for you so you may choose to delete your Facebook account or be more careful what you post. “I’m a journalist in a foreign country reporting on human rights abuses” This scenario is most likely high risk to you so you should consider using a burner laptop, Tor and the Signal app for communication. Listen to the full episode where Tom and Scott discuss other real world applications for privacy related threat modeling. We also discuss Stingray surveillance devices which are commonly used by law-enforcement and governments to intercept mobile phone communications. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next full episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 77 – Personal Risk Assessments, Stingray Surveillance Devices appeared first on Shared Security Podcast.
Jun 25, 2018 • 9min

The Shared Security Weekly Blaze – MyLobot Malware, Updates on Third-Party Location Data Sharing, Fortnite Scam Websites

This is the Shared Security Weekly Blaze for June 25, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 25th 2018 with your host, Tom Eston. In this week’s episode: MyLobot malware, updates on third-party location data sharing, Fortnite scam websites. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. A new serious form of malware called MyLobot (apparently named after the researcher’s pet dog) was discovered by security firm ‘Deep Instinct’. This new form of malware is quite dangerous as it will make infected systems part of a large botnet and has the ability to install trojans, keyloggers, conduct DDoS attacks as well as ensure that it cannot be detected and even run executable files from within system memory. Having executable files run from within memory is a newer technique only discovered by malware researchers in 2016 and makes detecting this type of malware much more difficult.
Researchers have indicated that this particular form of malware is quite advanced and not the typical work of an amateur. In addition to all of this, there is an interesting delay feature which will not allow the malware to communicate to its command and control services for approximately two weeks. This delay was put in to avoid detection from modern endpoint detection and other techniques which usually pick up malware infections like these. To top it all off, the malware will attempt to detect and disable other types of malware already installed, effectively eliminating other malware competition. Deep Instinct researchers indicate that this type of advanced malware is being sold on the ‘darkweb’ for purchase and that “Other than the malware itself, malware developers can purchase services that assist in the infection process. An attacker can purchase access to exploit kits, buy traffic of tens of thousands of users to a web page, or even buy a full ransomware-as-a-service for his own use”. As we’ve mentioned on the podcast before, one of the primary ways that malware can get installed on your computer is through phishing and social engineering. There are, of course, other ways such as drive-by downloads from malicious ads and compromised web sites hosting malicious code. Besides being more aware of phishing and social engineering, you can help defend your computer by keeping your system patched and up-to-date as well as using ad blocking web browser plugins like uBlock Origin and web tracker prevention plugins like EFF’s Privacy Badger. Check out our show notes for details on where to download and how to install these plugins. Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents.
CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity. This week I wanted to provide an update on the previous news we mentioned on the podcast a few weeks ago regarding how the major wireless carriers were selling your real-time location data to various third-party companies. Just this past week Verizon, AT&T and Sprint announced that they will no longer share customer location data with third-party data aggregators like one particular company we discussed on the podcast called ‘LocationSmart’. This change was most likely due to the investigation conducted by Senator Ron Wyden who sent a letter to Verizon questioning the reason behind allowing real-time location data to be sent to shady third-party companies. In addition, on Friday the EFF announced that in a new ruling, the United States Supreme Court said that cell phone location data is protected by the Fourth Amendment. The Court also rejected the government’s argument that sensitive data held by third parties is automatically devoid of constitutional protection. Ironically on Friday, I received a privacy notice update from my wireless carrier, AT&T, noting that because of the merger with WarnerMedia (previously known as Time Warner), data sharing was now taking place between both companies. In reading this revised privacy policy, I noted that you can now “opt-out” of location sharing either from each individual third party or through the AT&T privacy settings on your account.
I’m not sure if this is a new feature due to recent controversy about third-party location data sharing, GDPR or perhaps it’s always been there. However, we highly recommend researching this setting for your own account through your mobile carrier’s website and opting out if you don’t want to have your location data shared with third parties. Do you or your kids play Fortnite? If so, you should be aware of scam websites that are capitalizing on the huge popularity of the game targeting young players to steal money and login credentials. The creators of Fortnite, Epic Games, are warning that many scam websites are offering free or heavily discounted virtual currency called V-Bucks. V-Bucks is the virtual currency that’s used within the Fortnite game. In April alone it’s estimated that players have spent $296 million on this virtual currency. In response to this recent rise in scams, Epic Games sent an email to players stating quote “Beware of scam sites offering things like free or discounted V-Bucks. The only official websites for Fortnite are epicgames.com and fortnite.com” end quote. Epic Games also noted that players should double check to ensure they are using the real Epic Games website when purchasing V-Bucks and that they also enable two-factor authentication on their Fortnite accounts. As mentioned before on the podcast, it’s highly recommended to enable two-factor authentication wherever possible. Unfortunately, many companies have two-factor authentication as an optional feature that you have to specifically enable. Be sure to take the time to find out if the games and services you use have two-factor authentication and enable this service to add an additional layer of security to your accounts. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates.
If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – MyLobot Malware, Updates on Third-Party Location Data Sharing, Fortnite Scam Websites appeared first on Shared Security Podcast.
Jun 18, 2018 • 9min

The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested

This is the Shared Security Weekly Blaze for June 18, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here! Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated! Show Transcript This is your Shared Security Weekly Blaze for June 18, 2018 with your host, Tom Eston. In this week’s episode: Ultrasonic Hard Drive Attacks, Dangerous USB Devices and Email Fraudsters Arrested. The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”. Researchers from Princeton and Purdue University have shown how sonic and ultrasonic signals, which are not able to be heard by a human, can be used to physically damage computer hard drives by using the computer’s own speaker or by using a speaker that is near the device. In their research they demonstrated how this vulnerability could be leveraged to attack hard drives in CCTV (Closed-Circuit Television) systems as well as desktop and laptop computers. In their experiments, they were able to cause errors in just 5-8 seconds on hard drives from Seagate, Toshiba and Western Digital. 
In one particular experiment on a Dell XPS laptop, they were able to cause the laptop to freeze and crash within seconds after a malicious file was played over the laptop’s built-in speaker. It’s crazy to think that an audio file can be a new attack vector that may start being leveraged by attackers. The good news is that the researchers indicated that these vulnerabilities could be remediated through firmware updates provided by the hard drive manufacturers, so not all is lost. I’m sure the threat of this happening to most people is very low; however, I suspect that a nation state or dedicated adversary could easily take this research and ‘weaponize’ it to target specific individuals in order to destroy incriminating information. Two groups most likely targeted could be journalists and human rights defenders.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox, which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.

This week was a historic one for US President Donald Trump and North Korea’s leader Kim Jong-un as they met face to face in Singapore during their very first summit together. However, what happened behind the scenes may have been more interesting.
You see, journalists attending the summit were given very special commemorative gift bags which had a guidebook, a water bottle, a trial subscription to a newspaper and a fan that plugs into a USB port on your computer. Wait, did you say a USB fan that plugs into your computer? Now we all know that you shouldn’t plug random, untrusted USB devices into your computer, right? Not to mention that these USB devices are from a foreign country and we’re talking about the United States and North Korea leadership all in the same area together…what could possibly go wrong? In the show notes we’ve linked to a funny but not so funny article showing the tweets that many security researchers posted about this mysterious USB fan. Even if you have nothing to do with this summit, the advice from us and other professionals is to never put a USB device from a conference or other non-trusted source like this in your computer. There have been many reports of devices like these being infected with malware, and given that this is a historic summit with probably spies all over the place, the risk of something nefarious being installed on these devices is definitely increased. Stay safe and be aware of what you’re plugging into your computer!

I guess law enforcement finally got that Nigerian prince they were looking for, because this past Monday the US Justice Department reported that 74 people (including 42 in the US and 29 in Nigeria, probably not princes) were arrested for participating in and organizing business email compromise schemes (also known as BEC schemes) which were used to steal money from thousands of individuals and businesses. In addition, authorities confiscated about $2.4 million and recovered about $14 million in fraudulent wire transfers. This was all part of something called “Operation Wire Wire”, which was a six-month investigation that involved many different US government agencies including the US Department of Homeland Security.
In a BEC scheme a fraudster will target specific individuals in an organization, such as finance or accounting employees, because they usually have access to make wire transfers. The fraudsters social engineer victims into giving them sensitive information, or pretend to be a trusted co-worker or manager asking the victim to complete an urgent wire transfer. It’s reported that BEC scams cost victims more than $3.7 billion, according to the Internet Crime Complaint Center. We definitely have to give some kudos to the US Justice Department here. This is a positive change from the typical government surveillance news that we discuss on this podcast, right? These scams are so prevalent that I’ll bet you or someone you know has either been a target of a scam like this or even a victim. As we always say on the podcast, stay vigilant for scams like these and never respond to emails from that elusive Nigerian prince.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested appeared first on Shared Security Podcast.
