Shared Security Podcast
Tom Eston, Scott Wright, Kevin Tackett
Shared Security is the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Episodes

Jun 11, 2018 • 10min
The Shared Security Weekly Blaze – MyHeritage Data Breach, Facebook’s Data Sharing Partnership, Apple iOS 12 and macOS Updates
This is the Shared Security Weekly Blaze for June 11, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for June 11th 2018 with your host, Tom Eston. In this week’s episode: MyHeritage data breach, Facebook’s data sharing partnership and Apple iOS 12 and macOS updates.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
MyHeritage, the DNA and ancestry service, announced a large data breach this past week which exposed the email addresses and hashed passwords of approximately 92 million customers. Apparently, a file containing this data was found on a private server by a security researcher who reported it to the Information Security team at MyHeritage. Customers affected include anyone that signed up for an account prior to October 26, 2017. Regarding how user passwords are being stored, MyHeritage stated that “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords”. No further details were provided on how the file was found or why it was on a private server to begin with. Other than the typical advice of “change your password” and the announcement that MyHeritage will be implementing two-factor authentication in the near future for added account protection, MyHeritage does not suspect that any IT systems were compromised in the breach.
My take on this situation is that it sounds to me like a developer or other internal employee posted this file either in error or there may be the possibility that a disgruntled employee may have maliciously posted the file. We may never find out what really happened here but I do find it ironic that just a few short weeks ago we had discussed the impact of an ancestry company that holds the DNA records of millions of people having a data breach. I’m also surprised that MyHeritage is finally implementing two-factor authentication given that this type of account protection has been the standard for many years now. Like our other advice discussed on the podcast, we can’t rely on third-party companies to keep our personal data secure. You need to decide if you want to risk your data being exposed, either by accident or through a compromise, by choosing the companies you want to supply your personal information to.
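The MyHeritage statement above describes per-customer salted, one-way password hashing (a “hash key” that differs for each customer). The following is an added example, not MyHeritage’s code and not from the podcast, showing what that storage scheme looks like next to the weak unsalted form it replaces. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the record format, the iteration count and the function names are this example’s own assumptions.

```python
"""Per-user salted password hashing versus a bare unsalted hash (constructed example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000   # assumption: pick a cost your login latency budget tolerates
SALT_BYTES = 16               # assumption: 128-bit random salt per customer


def unsalted_hash(password: str) -> str:
    """The weak scheme: one global hash function, no per-user secret.
    Every customer who picked the same password gets the same digest, so a leaked
    file can be attacked with a single precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """The scheme MyHeritage describes: a one-way hash whose salt differs per customer.
    Returns a self-describing record 'algo$iterations$salt_b64$digest_b64' so the
    parameters can be raised later without breaking existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for every new record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def same_digest(record_a: str, record_b: str) -> bool:
    """True if two stored records expose that their owners share a password."""
    return record_a.split("$")[3] == record_b.split("$")[3]


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Flag legacy records whose cost parameter has fallen below the current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < min_iterations


if __name__ == "__main__":
    # Constructed sample: two customers who happened to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("unsalted digests equal:", unsalted_hash("x") == unsalted_hash("x"))  # True
    print("salted records equal:  ", same_digest(alice, bob))                   # False
    print("alice verifies:        ", verify_password("correct horse battery staple", alice))
    print("wrong password:        ", verify_password("wrong", alice))
```

The point the example makes about a leaked file: with `unsalted_hash`, one cracked digest unlocks every account that shares that password, and a single rainbow table covers all 92 million rows; with a per-customer salt each record has to be attacked separately, which is why the MyHeritage statement can claim the file alone does not yield passwords. The salt is not secret, so the iteration count is what slows an offline guess.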
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Facebook is in the news once again, this time for its data-partnership with 60 companies including Amazon, Apple, BlackBerry, Samsung and several Chinese companies such as Huawei. Huawei was identified as a threat to US national security by government officials which makes this partnership a little bit more interesting. Access to Facebook data was given to these companies as early as 2011 so they could tightly integrate Facebook into their devices. This was a feature implemented before the Facebook app became the most popular way to access Facebook on a mobile device. This type of data access allows devices to pull Facebook data so that they can provide a Facebook like experience. For example, BlackBerry used Facebook data for an app called the “Hub” which can let BlackBerry users view messages and all social media accounts in one place.
Last week through a New York Times investigation, they had found that the data access given to device manufacturers included data about a user’s friends and even those who have “denied Facebook permission to share information with any third parties”. This data access also seems to bypass several access restrictions typically in place for developers and can even access data such as ‘friends of friends’ that Facebook has previously restricted. Device manufacturers that were involved with this partnership have stated that Facebook data retrieved was only stored on the user’s device and not on the servers of the device manufacturers. How does one know this for sure? Well, we don’t but I find it very hard to believe that some of these companies, especially ones with ties to the Chinese government, would not be abusing this feature.
Unfortunately, Facebook has only recently been trying to hold developers and companies with access to Facebook data more accountable mainly because of the Cambridge Analytica scandal. You may have also noticed that since the Cambridge Analytica scandal Facebook has tried to “rebrand” itself as a friend focused app and not a fake news or data harvesting service through TV commercials and targeted friendly ads on Facebook. As you’re aware, you and your data will always be the product at Facebook no matter what Mark Zuckerberg or their new marketing campaign may tell you. It comes down to making money and that’s ultimately what Facebook will always use your data for.
Apple has announced details about new privacy and security features coming out for iOS 12 and macOS Mojave at the Worldwide Developers Conference this past week. Some of these new features include improved tracking prevention capabilities for the Safari browser, end-to-end encryption for FaceTime group calls and a new password manager integrated into macOS and iOS. Specifically for macOS Mojave there are new data protections that will require apps to ask for user permission before accessing the camera or microphone or before accessing email or iMessage databases. In addition, there is a new USB Restricted Mode in iOS 12 which will prevent a locked iOS device from communicating with a USB port via the Lightning connector. Your passcode will still need to be entered at least once a week to allow USB connectivity. This measure was implemented to help prevent or make it more difficult for law enforcement and others from trying to break the passcode on an iOS device. This is typically done using forensic tools like Grayshift and Cellebrite which are known to be used by law enforcement and nation states to gain access to confiscated iOS devices.
Many of these new privacy and security features in macOS for Apple laptops and desktops are starting to mirror what has been available in iOS on mobile devices for quite a while now. This is a positive development as it seems Apple has really started to become the leader in user privacy controls out of the major tech companies like Google, Amazon and especially Facebook.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – MyHeritage Data Breach, Facebook’s Data Sharing Partnership, Apple iOS 12 and macOS Updates appeared first on Shared Security Podcast.

Jun 4, 2018 • 10min
The Shared Security Weekly Blaze – Telegram Messenger in Russia, Amazon’s Facial Recognition Technology, Digital License Plates
This is the Shared Security Weekly Blaze for June 4, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for June 4th 2018 with your host, Tom Eston. In this week’s episode: Telegram Messenger in Russia, Amazon’s Facial Recognition Technology and Digital License Plates.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.
The Russian communications agency has given Apple an ultimatum to remove Telegram, which is a secure messaging app, from the Apple App Store in Russia. Several months ago the Russian government banned the Telegram app because Telegram refused to give them the private encryption keys to access messages being sent through the app. Russia claims that terrorists are using the Telegram app and is demanding what is essentially backdoor access to chats for government investigations and surveillance. Apple now has a month to comply with this request or face regulatory action from the Russian government. It’s also being reported that the same request also went out to Google to ban Telegram from the Google Play app store as well. Now despite this request Telegram is still being actively used by Russian citizens through the use of VPNs which allow circumvention of any blocking of Telegram servers that the Russian government is actively doing.
This news reminds me of the controversy back in 2016 here in the US regarding the iPhone of the San Bernardino shooter in which the FBI asked Apple to unlock the shooter’s iPhone for their investigation. Like the Telegram situation it’s a very dangerous proposal when governments begin asking for companies to install backdoors or to do things that circumvent built in security and privacy controls. This is a debate that will be continuing for sure, in the meantime it’s important that we all support the need to protect our own privacy by keeping encryption and other security technologies built into the devices and apps that we use.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Amazon is in the news recently about a cloud based facial recognition technology they’ve developed called “Rekognition”. Rekognition can identify approximately 100 people in a single image leveraging databases containing the faces of millions of people. The controversy is that Amazon has been offering this service to law enforcement agencies and it’s already being used by the Orlando Police Department and a Sheriff’s office in Oregon which adds to the growing list of surveillance technology now in the hands of local government. In the case of the Orlando Police Department, Amazon actually gave this technology to them for free as a proof-of-concept.
In a blog post written by the American Civil Liberties Union, they express great concern since this is a case of the government partnering up with a large tech company to provide the latest surveillance technology. The ACLU states:
“With Rekognition, a government can now build a system to automate the identification and tracking of anyone. If police body cameras, for example, were outfitted with facial recognition, devices intended for officer transparency and accountability would further transform into surveillance machines aimed at the public. With this technology, police would be able to determine who attends protests. ICE could seek to continuously monitor immigrants as they embark on new lives. Cities might routinely track their own residents, whether they have reason to suspect criminal activity or not.”
We’re clearly on a slippery slope when it comes to using this type of advanced surveillance technology. While one can clearly see the good that can be done to track known terrorists or criminals about to commit a crime, we all know that technology like this will have problems and innocent people may get caught up in crimes that they didn’t commit. There is also the large possibility of this technology being abused with little or no oversight and accountability. I’m sure this is not the last we’re going to hear about this story and it’s just the tip of the iceberg when it comes to ensuring a balance between providing law enforcement with what they need to stop criminals but to also keep our freedoms intact.
How would you feel about installing an Internet enabled digital license plate on your car that gave you the ability to electronically register your vehicle or display personal messages on your license plate? Have you thought about the side effect of allowing the government to not only track if your vehicle is stolen but to know where your vehicle is located at all times? Well even if you were interested this technology is not cheap. The state of California is considering allowing these plates to be purchased by vehicle owners but you’re looking at around $699 not including installation fees to have this technology installed on your vehicle. Now these plates are only being tested in a limited capacity in Sacramento, California but if all goes well digital license plate technology will no doubt be adopted by other states as well.
As we’ve discussed in previous episodes, we already have police using license plate recognition technology to scan cars in parking lots. This technology alone has caused many privacy concerns and further given the government more surveillance capability. However, now that Internet enabled license plates have started to come out, what level of privacy should we expect and how will this technology be secured? If the current insecurity of IoT devices gives any indication of what the future looks like, the future doesn’t look so bright. Let’s hope that privacy advocacy groups push governments and the device manufacturers to consider our privacy and security first before they are installed and being used on all our vehicles.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

May 28, 2018 • 12min
The Shared Security Weekly Blaze – Real-time Location Tracking, VPNFilter Router Malware, Apple’s GDPR Updates
This is the Shared Security Weekly Blaze for May 28, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 28th 2018 with your host, Tom Eston. In this week’s episode: Real-time Location Tracking, VPNFilter Router Malware and Apple’s GDPR Updates.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
In the spirit of good GDPR compliance you can now opt-in to our brand new email list for the podcast! Stay up-to-date on the latest episodes, receive exclusive offers from our sponsors, participate in contests and gain access to content just for our email subscribers! Sign-up at sharedsecurity.net today.
How valuable is your real-time location? For many of us, it’s a very scary thought to think that someone may have access to easily track your whereabouts in real-time with no permission from you and little or no recourse for their actions. Well for mobile phone carriers your location means more profit for them because they have been selling access to real-time location data to different third-party companies. In late breaking news the other week a company called LocationSmart, which is a real-time data aggregator of mobile phone location data, has been able to access the real-time location of every phone from every major US carrier (that includes AT&T, Sprint, T-Mobile and Verizon) without user consent. A researcher named Robert Xiao who is from Carnegie Mellon University was messing around with a web demo of the LocationSmart application and found that he could query the real-time location of some of his friends through a vulnerability in the API of the application. The LocationSmart demo app was not taken down until famed reporter Brian Krebs from KrebsOnSecurity.com got involved and reported on the issue.
This is also not the first time that we’ve recently seen real-time location data from the mobile carriers being used suspiciously. Back in early May, a company called Securus was identified through a New York Times article that was about a former sheriff who was using location data through the Securus service to track people without a warrant or user consent. To add further insult to injury, a hacker broke into Securus systems and stole 2,800 usernames, emails and hashed passwords of Securus customers. Ironically, Securus gets its location data from, you guessed it, LocationSmart. You also shouldn’t be surprised that these are probably not the only two companies that have access to real-time location data. You can bet that many other organizations, including criminals and nation states are also using services from similar companies.
This entire situation brings into question what mobile phone carriers are doing with our location data. Of course they need to monitor, track and record your location otherwise your phone wouldn’t work and it would defeat the purpose of having a mobile phone altogether. However, it comes as a surprise that the carriers are blatantly giving your location data to third-party aggregators which in turn are giving this to other companies who work for law enforcement and the government. Seems to me that this is a great way for mobile carriers to make money off of your location data and for law enforcement to “bypass” a warrant and other user privacy protections. It’s also sad that you as the consumer of these mobile services have no control on how your location data is shared with third-parties, especially since we all advocate to change and lock down location sharing features on your devices and apps as a way to prevent third-parties from receiving this information. With the carriers selling off your location information it makes these settings pretty much useless. Your best course of action to prevent a third-party from tracking you is to use a Faraday Bag like ones from our sponsor, Silent Pocket, which block all wireless signals and make your device completely secure while in the Faraday bag (well except for physical theft of course). The good news is that this situation has gotten the attention of Senator Ron Wyden who has urged all of the main wireless carriers in the US as well as the FCC to take action and do something about this. Given the current state of politics in the US though, it’s anyone’s guess if something will be done to hold wireless carriers more accountable. More to come on this topic for sure and we’ll be following this closely and providing updates in future episodes.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Last week research was released, from researchers at Cisco Talos, about a large botnet spreading malware named “VPNFilter”. The VPNFilter malware has compromised over 500,000 home and small office wifi routers and NAS storage devices. This particular piece of malware is much different than other similar forms of router malware in that it can maintain persistence on the device once fully installed, even after a reboot. Like other similar types of malware, VPNFilter can spy on web traffic and has the ability to “brick” and completely disable the device from functioning. Cisco Talos researchers also indicate that the VPNFilter malware appears to be targeting routers in Ukraine. Now one can only guess that a certain large nation state we all know and love is probably behind this recent attack. Check out our show notes to see the full list of affected devices. If you review this list you’ll note that several of these routers are very popular consumer devices manufactured by Netgear, Linksys and TP-Link. The ways that these devices are being infected include using default login credentials and accessing the device via the remote management feature.
As we’ve mentioned on the podcast just a few weeks ago when discussing the recent Department of Homeland Security alert about Russian router hacking, default credentials and the ability to access devices remotely over the Internet are the two biggest attack vectors being used. In regard to the VPNFilter malware, if you think you may be a victim of this attack, it’s best to reboot your router and then change the default administration password and disable any remote management ability over the Internet. Hopefully, you’ve already taken our advice from previous episodes and made these changes already. Also be sure to update your router to its latest firmware as your router may have critical security updates that need to be applied. Especially with older routers, these devices will most likely not update themselves with any auto update feature we see in newer home wifi routers. Be safe out there and be sure to take a few minutes to check the security of your wifi router using the guide posted in the episode show notes on sharedsecurity.net.
Apple has taken recent steps to allow its European Union customers to download all of the personal data that Apple has been storing on them. This new feature was launched right before the GDPR European privacy law went into effect last Friday. GDPR is new privacy legislation that requires companies that do business with EU citizens to properly protect, store and allow users to manage or delete the personal data that a company may be storing about them. GDPR also has wide implications to even non-EU citizens as many companies have implemented GDPR privacy changes for all their users. Now that we’re past the GDPR deadline last Friday, I’m sure you’ve had a flurry of “privacy notice” emails so now is a great time to unsubscribe from any service or delete apps that you don’t use anymore.
With this recent announcement, Apple customers in the European Union can now select the personal data that they would like to download and Apple will put it all together and have it delivered to the requester within 7 days. This data can include information on support cases, app store activity as well as a lot of other data that Apple has records of. Check out our show notes for the full list of data that is available to download. Note that countries such as the United States and Canada should see this feature launched in coming weeks. In the meantime, Apple will allow non-EU citizens to request their personal data or delete it via Apple’s privacy site which has more of a manual process for privacy questions. Kudos to Apple for being one of the few tech giants that appear to be addressing GDPR so that it has a positive effect on all customers, not just those located in the EU.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

May 21, 2018 • 11min
The Shared Security Weekly Blaze – Efail Vulnerabilities and PGP Encryption, Facebook’s App Investigation, Nest Password Notifications
This is the Shared Security Weekly Blaze for May 21, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 21st 2018 with your host, Tom Eston. In this week’s episode: Efail vulnerabilities and PGP encryption, Facebook’s app investigation and Nest password notifications.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support!
Multiple vulnerabilities dubbed “Efail” were announced by European security researchers in several popular email clients that make it possible for attackers to view the plaintext of email messages encrypted with the PGP (also known as Pretty Good Privacy) and S/MIME encryption standards. Email, as you’re hopefully aware, is not encrypted by default. This is often referred to as “plaintext” email. PGP and S/MIME have been the standard for email encryption for many years now and are used by many people and businesses to secure email communication. The Efail vulnerabilities allow an attacker to embed previously obtained encrypted text into a new email and also include a web URL of the attacker’s server. When the email is sent to the victim the email client decrypts the email like normal but inadvertently sends the plaintext of the previously encrypted email to the attacker’s server. The issue lies in the way vulnerable email clients decrypt encrypted email.
One very important point to make is that PGP and S/MIME encryption is not broken. While it may not be a modern encryption solution, it’s still a viable and secure method to safeguard sensitive emails and other information such as documents and files. This particular issue is about vulnerable email clients, not the encryption protocol itself. Organizations such as the EFF have advised disabling PGP and S/MIME within your email clients as a temporary solution until fixes for the email clients identified as vulnerable are released. You can still encrypt and decrypt emails outside of your email client if you’re already using PGP. However, the decision to disable encryption software should be based on your own level of risk rather than just turning off encryption safeguards altogether.
For example, if you are a human rights activist who knows your email communication is being monitored by, say, a nation-state, there may be much more risk to you of being a victim of this attack because it’s more than likely that all of your encrypted email communications have already been collected. If you are at this level of risk, you absolutely should take heed and disable PGP in your email client and perform encryption and decryption through other means. You should also consider using other secure end-to-end encryption services like Signal to send sensitive messages. If you’re a low-risk PGP or S/MIME user, you should determine if you have a vulnerable email client and ensure you update when patches are released. Check out our show notes for details on which email clients are vulnerable and for more details about the Efail vulnerabilities.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook news this week, an ongoing investigation by Facebook into apps that have had access to large amounts of personal information continues. Facebook provided an update stating that the investigation process is in two phases. The first phase is to review all apps that have had access to large amounts of data and the second is to conduct interviews, ask more detailed questions and even perform on-site audits of companies if necessary. Currently, Facebook has reviewed thousands of apps and around 200 have been suspended. Once they complete an investigation, if any of these apps are banned, Facebook will notify affected users through the same process they used for the Cambridge Analytica situation by showing users if they or their friends installed a banned app. Hopefully, you or your friends are not notified that you shared personal information with one of these newly banned apps.
In related Facebook news, the personal data of about 4 million users who took yet another personality quiz, this one called “myPersonality”, was found unsecured due to a developer posting a username and password on the popular code sharing site GitHub. These credentials allowed direct access to the data. The kicker is that this username and password was publicly available on GitHub for four years before it was recently identified. Fortunately, unlike the personality quiz data used by Cambridge Analytica, this data only included personal information of the people who took the quiz, not the data of their friends.
I think that it’s a positive development that Facebook is finally taking a stronger stance on Facebook app developers and attempting to hold them more accountable. The bigger problem here is that no matter what Facebook does, it is near impossible to ensure that developers are properly securing the data that they are collecting. And that means not posting login credentials on publicly available sites, where a simple Google search is all that stands between this data and the wrong hands.
Nest (which is the Google-owned company of Internet-enabled thermostats) sent out an email notification to users whose Nest account passwords were found in leaked password databases. It’s not known what specific databases were used by Nest, but it may be from a service such as Troy Hunt’s “Have I Been Pwned” service, which will notify you if your user accounts and password show up in their database of over half a billion passwords collected from previous data breaches. Nest apparently took its list of hashed user account passwords and compared it to ones that have been previously disclosed. So, if you received this email it may not mean that someone has accessed your Nest account; rather, it means that you should change your Nest password immediately and also change it on any sites and services where you may have used that same password. Hopefully as a listener of this podcast you know better than to reuse the same password across multiple sites and services. Check out our previous episode on password managers if you would like more details.
I really commend Nest for being proactive by notifying affected users about the security of their accounts. Nest also went as far as to let users know how to enable two-factor authentication on their accounts as an additional layer of protection. We need to see more companies doing this because ensuring users are following good password management not only protects their own users but it sets the precedent for other companies to do the same thing. I’d also argue that it’s good for business too. The password problem is not going away anytime soon, but the more education that can be done like this recent example from Nest, the better off we’ll all be.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Efail Vulnerabilities and PGP Encryption, Facebook’s App Investigation, Nest Password Notifications appeared first on Shared Security Podcast.

May 14, 2018 • 10min
The Shared Security Weekly Blaze – Recent Windows Vulnerabilities, Exposed Passwords, Credit Freeze Controversy
This is the Shared Security Weekly Blaze for May 14, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Help the podcast and leave us a review! We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 14th 2018 with your host, Tom Eston. In this week’s episode: recent Windows vulnerabilities, exposed Twitter and GitHub passwords and the latest credit freeze controversy.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a five star review in iTunes. Reviews really help move us up in the podcast ratings and attract more listeners. We’ll be sure to thank you for your review on the show! Thanks for your support!
Microsoft has recently released patches for two rather serious vulnerabilities that are currently being exploited in the wild. One vulnerability, dubbed “Double Kill”, affects the Windows VBScript engine through the Internet Explorer web browser, which impacts most modern Windows operating systems including Windows 10. The other vulnerability is described as an elevation of privilege vulnerability which only affects Windows 7 and Windows Server 2008. With the VBScript engine vulnerability, an attacker leverages a malicious Word document to exploit the flaw through the Internet Explorer web browser. The interesting aspect of this attack is that even if you don’t use Internet Explorer and use another browser like Chrome or Firefox, you can still fall victim to this attack. This is because Internet Explorer is tightly integrated into the rest of the Windows operating system. Researchers have noted that this vulnerability in particular is looking to be one of the most exploited in the future because of the way it leverages Internet Explorer to conduct the attack. The other critical vulnerability announced is a little harder to exploit as the attacker needs to log in to a Windows system as a regular user, then run an application to exploit the vulnerability, which would give the attacker full control of the victim’s system. Lastly to note, there were about 20 more critical updates that were part of this most recent patch release from Microsoft that are not yet known to be actively exploited.
The best way to protect yourself against these latest vulnerabilities and future ones is to ensure you’re running the most current version of Windows as well as checking that Windows Update is set to automatically download and install critical updates. See our show notes for details on where you can check to see how Windows Update on your system is configured.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Twitter and popular code repository site GitHub announced that user passwords were exposed to internal employees through an internal log due to a system-related bug. In the case of Twitter the issue is related to the hashing function that masks passwords before they are stored in their system, and in the case of GitHub they have only said that the passwords were discovered in a recent audit and no further details were given. Twitter proactively sent out a notice to all of its 330 million users to change their passwords as a precautionary measure, even though there was no evidence of misuse. In the case of GitHub, no details were released on how many users had passwords exposed, but affected users were all contacted individually to initiate a password reset.
Kudos to both of these companies for disclosing this issue to their users. Like anything in the security world, it’s better for companies to be up front and honest than to hide or cover it up, especially when there is a chance that user security may be compromised. These two events are good reminders of why you should always use unique and complex passwords for each application and service as well as enable two-factor authentication wherever possible. Twitter and GitHub both have two-factor authentication available and it’s really easy to set up. Two-factor authentication adds another layer that an attacker would have to get through in order to fully compromise your accounts. Check out our show notes for details on how to enable two-factor authentication on your Twitter and GitHub accounts, and if you’re on Twitter, use this opportunity to not only change your password but to change any bad password habits as well.
Brian Krebs from krebsonsecurity.com reported last week that there is yet another credit agency out there that consumers should be aware of. As we’ve mentioned on the podcast before, one of the most important things you can do to prevent identity theft is to freeze your credit by contacting the three major credit agencies, Equifax, Experian and TransUnion, and requesting a freeze on your credit. There are also two more bureaus you need to freeze your credit with as well. One is called Innovis, which is basically another credit bureau, and the other is called ChexSystems. ChexSystems is used by many banks to verify new customers creating checking and savings accounts. Now there is a sixth credit bureau that you need to freeze your credit with, called the National Consumer Telecommunications and Utilities Exchange or NCTUE. The NCTUE is being used by mobile phone companies, cable and other utilities instead of the traditional large credit bureaus. Hopefully you’re sitting down for this, but Brian Krebs also reported that Equifax just so happens to be the company that manages the NCTUE database. Now that news alone is very disturbing considering the recent horrible security track record that we all know about from the Equifax data breach.
Now from what has been reported it only seems that you can contact NCTUE via their automated phone system to freeze your credit file. The website system they have is really bad and seems to be the same one that Equifax uses when you attempt to freeze your credit. See our show notes for details on a walkthrough of this (unfortunately) painful process. Note that a fee may apply when freezing your credit at the different credit bureaus as this varies by the state you live in. What a mess this is, isn’t it?
Since we now have six bureaus to worry about, you may ask yourself if there is anything being done by the government to make this process easier for everyone and to hold these companies more accountable for protecting our private information. Unfortunately, not a lot of movement is going on in that area except for a few bills in Congress that don’t look very promising. However, you may want to call or write your congressperson voicing your concern about the risk we all face with identity theft because of the credit bureaus making it a painful process to protect our own private information.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Recent Windows Vulnerabilities, Exposed Passwords, Credit Freeze Controversy appeared first on Shared Security Podcast.

May 10, 2018 • 42min
The Shared Security Podcast Episode 76 – Special Guest Kevin Johnson (@secureideas), Router Hacking, GDPR, NSA Metadata
This is the 76th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guest Kevin Johnson recorded May 7, 2018. Listen to this episode direct via this link or through the media player embedded in this post!
Interview with special guest Kevin Johnson
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.
Kevin has performed a large number of trainings, briefings and presentations for both public events and internal trainings. He is the author of three SANS Institute classes: SEC542: Web Application Penetration Testing and Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. Kevin has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard and ISSA.
Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.
In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group).
In this episode we discuss a broad range of hot topics with Kevin including how big of a Star Wars fan he is, Russian router hacking, home router security, security awareness of the typical consumer, GDPR, NSA metadata, Facebook and much more! Kevin is always a fun, uncensored and very entertaining guest. We hope you enjoy this interview as much as we did!
Thanks to Kevin for being a guest on our show!
The post The Shared Security Podcast Episode 76 – Special Guest Kevin Johnson (@secureideas), Router Hacking, GDPR, NSA Metadata appeared first on Shared Security Podcast.

May 7, 2018 • 12min
The Shared Security Weekly Blaze – DNA Privacy, This Week’s Social Media Privacy News Roundup, Remote Car Hacking
This is the Shared Security Weekly Blaze for May 7, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
Leave us a review! If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated!
Show Transcript
This is your Shared Security Weekly Blaze for May 7th 2018 with your host, Tom Eston. In this week’s episode: DNA Privacy, This Week’s Social Media Privacy News Roundup and Remote Car Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Shout outs this week to @PrivacyAlive, @Yohun and @TASCET on Twitter as well as Michael and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
Have you thought about the privacy and security of your DNA? Well, recently it was announced that the “Golden State Killer” suspect Joseph DeAngelo was arrested and is accused of 12 homicides, 45 rapes and more than 100 robberies that took place in California from 1976 through 1989. Investigators disclosed that the arrest was due to DNA information that came from an open source genealogy website called “GEDMatch”. Apparently, a distant relative of DeAngelo was found in the database, which allowed law enforcement to pinpoint who the killer was through clues such as location, ethnicity and other characteristics. This raises the question of whether the DNA test results that anyone has submitted to an open-source database like this could be used by others for more than just criminal investigations. I think it’s fascinating that even if you don’t submit your DNA to one of these services, people who have some distant DNA relationship to you may already be in a database like this that is used to locate criminals.
This case has set off numerous discussions and debates to review the privacy policies of popular DNA testing companies such as 23andMe, MyHeritage and Ancestry.com. It’s important to note that all these companies require a court order for law enforcement in order to access DNA records; however, that does not stop someone from taking their own DNA records and importing them into a larger open-source database like the one used to find the Golden State Killer. In my opinion, your DNA records are extremely personal and are much more valuable than any other piece of personally identifiable information that may be out there about you. And while many different companies have sprung up recently that are in the business of building out family trees, it begs the question of how these companies are protecting your DNA information. Could you imagine the fallout if one of these companies like 23andMe had a data breach? Our advice is for you to determine if it’s really worth submitting your DNA to one of these services, as most likely your genetic data, through some distant relative of yours, may get caught up in an investigation or used for another purpose that you may not even be directly involved with. What a time to be alive, isn’t it?
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook and social media privacy news last week it was discovered that Twitter also sold data to Aleksandr Kogan, the researcher who happened to sell the personal information of over 87 million Facebook users to Cambridge Analytica. In Twitter’s case they sold API access to Aleksandr Kogan’s firm called GSR, which allowed access to public tweets from December 2014-April 2015. One thing to note about this is that Twitter doesn’t have very much personal information about its users (unless of course you share that information in your bio or tweets). So this data access, in my opinion, is not very significant. Twitter does sell API access to large organizations quite frequently so there shouldn’t be any surprise that corporations can pay for this level of access.
In related news, on Wednesday of last week Cambridge Analytica shut its doors and officially went out of business. This is no surprise given the massive amounts of bad press, pending investigation from the UK Information Commissioner’s Office and other legal entanglements about to happen to the company. Just be aware that this business was a “cash cow” for Cambridge Analytica so be on the lookout for them to start a new company under a different name.
Facebook was also back in the news with the announcement that they will be starting a dating service to compete with other dating apps like Tinder and Match.com. Facebook also announced that a new tool is going to be developed, called ‘Clear History’, that will allow you to clear your Facebook history (basically the websites and apps that send Facebook information) and remove tracking that Facebook does on you across the web. Mark Zuckerberg made this announcement at the F8 developer conference last week noting “Once we roll out this update, you’ll be able to see information about the apps and websites you’ve interacted with, and you’ll be able to clear this information from your account. You’ll even be able to turn off having this information stored with your account”.
Lastly, it was announced that Instagram will be expanding its antibullying efforts by introducing an enhanced ‘bully filter’. This technology is powered by machine-learning called ‘DeepText’ which was built by Facebook. Since Instagram is owned by Facebook, they share many of the same technologies across the two platforms. Instagram also stated that the new filter will hide comments attacking a person’s appearance or character, and alert Instagram to repeat offenders. It’s good to see Instagram doing something about the issue of bullying as this has been a large problem, especially for teenagers that use Instagram within their social circles.
Dutch security researchers have discovered that certain Volkswagen and Audi cars are vulnerable to remote hacking via the onboard in-vehicle “infotainment” system (also called IVI) installed in newer Volkswagen Golf GTE and Audi A3 Sportback models. The researchers used the Internet-accessible Wi-Fi system via an exposed port to gain access to the IVI, which allowed them to listen in on conversations, view location data and track where the car is in real time. The researchers also discovered that the IVI system was indirectly connected to the acceleration and braking system in the cars, but they stopped their research as they felt that they might be violating the intellectual property of Volkswagen (basically, they didn’t want to get sued).
The good news is that Volkswagen worked to fix the vulnerabilities after the issues were disclosed to them and that the researchers are not planning on releasing details on how to conduct the attack. However, the bad news is that the fix requires Volkswagen customers to come into the dealer for the update. Volkswagen does not have a remote way to push security fixes to affected cars. In addition, it’s been reported that customers that own these specific models of cars have not received notification from Volkswagen and they have not publicly discussed the vulnerabilities. You may remember back in 2015 when researchers Charlie Miller and Chris Valasek demonstrated to the media how easy it was to hack and take full control of a GM Jeep Cherokee remotely over the Internet. This was actually a vulnerability in the IVI of that car as well. It’s also not the first time that Volkswagen has kept critical vulnerabilities a secret. Back in 2015 it was discovered that over 100 models of cars were vulnerable to a key fob attack which would allow criminals to steal the car. I guess what’s old is now new again!
As we’ve mentioned on the podcast before, car manufacturers need to be held more accountable for vulnerabilities like these and they need to develop a better process for working with security researchers when vulnerabilities are identified. Transparency also goes a long way with customers, especially with a critical issue like this one that could put customers’ lives in danger. I don’t know about you, but I would be pretty mad if I were a customer who owned one of these cars and found out through the media or another third party about a serious vulnerability in a product that I had just spent a lot of money on. Let’s just hope that other car manufacturers are paying attention to this news so that they don’t make the same mistakes.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – DNA Privacy, This Week’s Social Media Privacy News Roundup, Remote Car Hacking appeared first on Shared Security Podcast.

Apr 30, 2018 • 12min
The Shared Security Weekly Blaze – Child Identity Fraud, Tech Support Scams, Amazon Key In-Car Delivery
This is the Shared Security Weekly Blaze for April 30, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 30th 2018 with your host, Tom Eston. In this week’s episode: Child Identity Fraud, Tech Support Scams and Amazon Key In-Car Delivery.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated. Shout outs this week to @jandrusk and @privacydivas on Twitter as well as itincloud and pacifictech808 on Instagram and Jason, Johann and Richard on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
A sobering report was released last Tuesday which showed that more than 1 million children in the United States were victims of identity theft last year. The study by Javelin Strategy & Research shows that in 2017 more than $2.6 billion in total losses and over $540 million in out-of-pocket costs to families are attributed to child identity fraud. What’s surprising about this study is that it showed more than half (which is 60%) of child identity fraud victims have a personal relationship with the person stealing their identity. This is in stark contrast to adults where only 7 percent of adult fraud victims know the fraudster. Also of note, there was a strong correlation between a child being bullied and identity fraud. Bullied children are more than nine times more likely to be victims of fraud than children who were not bullied.
One of the big problems this study highlights is the challenges we have with the security of credit reports. Given that there have been large breaches like Equifax which highlight how adults can have their identities stolen through the use of their credit reports, I find it disturbing that we don’t give the topic of child identity fraud more attention. Children don’t have credit reports until they are old enough to apply for credit on their own, so it’s often overlooked that if the personal information of a child is stolen, it’s much easier for a fraudster to use a fresh, unused credit history to their advantage. Also, given the fact that the fraudsters are people who know these children personally, it makes using their personal information (and credit) much easier than with adult victims.
Some signs or indicators specific to child identity fraud include the child being turned down for benefits, receiving notices from the IRS about unpaid taxes, or debt collectors calling about products and other things you or your child has never purchased. If you’re a parent I would highly recommend the following advice from the FTC and others about how to secure your child’s identity, such as potentially freezing their credit, determining how they are sharing their personal information, monitoring existing accounts, and keeping physical documents like birth certificates and social security cards secure and out of reach of household guests and visitors. Regarding freezing your child’s credit, this is something you should research on your own, as not all states allow this and some experts debate whether there may be more risk in opening up a credit file before your child is ready to start building their credit. Check out our show notes for links to more advice on this very important topic.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
Microsoft recently released statistics on tech support scams, which have been on the rise in the last few years. Microsoft states that 153,000 reports were made last year from customers who fell victim to tech support scams, and about 15% of those victims lost money. This is a 24% increase in tech support scam reports from the previous year. A tech support scam is typically a social engineering attack where an attacker will call a victim pretending to be Microsoft or another vendor’s tech support, asking them to install a remote administration tool so they can take control of the victim’s computer, show them fake threats or install malware, and then scare the victim into buying fake support packages. All of this is done in order for money to be sent to the attacker. Unfortunately, many elderly and non-tech-savvy people fall victim to these scams. This is why one of the top ways to combat threats like these is education. While companies like Microsoft are doing all that they can to help prevent attacks like these by working with ISPs, law enforcement and telecom companies, make sure you take the time to educate yourself and others about these scams.
Here are three easy tips to remember. First, vendors like Microsoft will never solicit you via the phone for tech support on your computer. Second, be wary of random calls that seem to be coming from the same local area code that your phone number is in, or from other numbers you may not recognize. In fact, our advice is to only pick up calls from people you know in your contact list. If you don’t recognize a number and it’s a call you’re expecting, they will most likely leave you a voice mail if the message is important. Also, be wary of voice mail scams in which attackers use threats to get you to call a number back or visit a website. Lastly, any threats of going to prison for non-payment (like ones we’ve seen with IRS tax scams) or other scare tactics should also indicate that you’re dealing with a scammer. Check out our show notes for a great overview of how these scams work as well as other tips to protect yourself.
How do you feel about giving Amazon access to unlock your car to deliver your order? Well, this past week Amazon announced a new service, called Amazon Key In-Car Delivery, to deliver packages directly to your car, allowing a package carrier to remotely open your trunk or car door to drop a package off. Right now Amazon Key In-Car Delivery supports only General Motors brand vehicles such as Chevy, Buick and GMC, as well as Volvo, that have the OnStar or Volvo On Call service on 2015 model year or newer cars. The Amazon Key delivery service is nothing new. You may remember that last year Amazon came out with a delivery service to place packages into your house by using a smart lock and camera which would allow someone to remotely unlock your home to place a package inside. The only difference between Amazon Key In-Car and Amazon Key Home is that Amazon Key Home uses a camera and your home Wi-Fi to track the carrier dropping off your package, while the Amazon Key In-Car service does not have a camera involved and uses the car manufacturer’s network to unlock your car.
Now one can debate the privacy and security aspects of such technology and whether you want someone remotely opening up your home or car to deliver a package. This is very much an “opt-in” service and Amazon is not forcing any of its customers to use this to receive deliveries. In fact, many Amazon customers may not realize this, but Amazon has been offering what are called “lockers” in many different locations that can be used to pick up packages that you order in cases where you may not want something delivered to your home, or if you may be traveling and want to pick up your order while you’re away. Amazon Locker works by emailing you a 6 digit code, and you enter the code into a locker to take your package. Personally, I think Amazon Locker is a great idea, especially if you may not be home when an expensive item may be delivered and you need a more secure pickup location, and especially since theft of packages from people’s homes is a crime that has been happening much more frequently. However, many of us probably feel a little wary of letting someone we don’t know open our car or enter our home, given that new technology like this could be abused either by someone malicious or by the technology not working as designed. In fact, last year security researchers found a vulnerability in the Amazon Key Home system which would allow someone to knock the camera offline, which would then allow a malicious delivery driver to steal or rummage through someone’s home without the camera recording the entry. But like any new technology, vulnerabilities are always going to be discovered and eventually fixed, but the privacy concerns will always be an issue for many of us who may just want to resort to getting our packages the old fashioned way.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Child Identity Fraud, Tech Support Scams, Amazon Key In-Car Delivery appeared first on Shared Security Podcast.

Apr 23, 2018 • 11min
The Shared Security Weekly Blaze – Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls, Russian Router Hacking
This is the Shared Security Weekly Blaze for April 23, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for April 23rd 2018 with your host, Tom Eston. In this week’s episode: Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls and Russian Router Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated.
Shout outs this week to @securityvoid, @HammerITConsult, @davegeek_ and @Yohun on Twitter as well as Tim Maliyil on Instagram and Richard, Jason and Eddie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!
There was an article this past week that totally got my attention and should get yours as well, which was titled, quote, “Is your Android phone a ‘toxic hellstew’ of vulnerabilities?” end quote. Toxic hellstew does sound rather terrible, so if you have an Android phone you may want to pay attention to this. A study was recently released that found that your Android phone may be lying to you about critical patches that should be installed by your device manufacturer. This issue, called the ‘hidden patch gap’, was discovered by German security firm Security Research Labs. The research shows that some popular Android devices from Google, Sony, Samsung and many other brands would show that they were fully patched when in fact they were missing security patches, and in some cases up to a dozen patches from a specific time period. This means that without current security patches, these Android devices were left vulnerable to various attacks. The researchers believe that manufacturers are setting these false patch levels in an attempt to deliberately deceive consumers that their devices are secure. Device manufacturers like Google have responded to the research stating that there are other layers of security in Android devices to protect them from attack and patching is just one of those layers. Of course they did not admit to providing consumers with a false sense of security.
While patching of Android devices has always been a challenge because of the known issue of device fragmentation, where older Android devices may never get updated, patching should be of utmost importance to device manufacturers because of the rise of mobile device attacks.
So what can you do to see the real patch level of your Android device? Well, the researchers behind the ‘toxic hellstew’ patch issue released an app called ‘SnoopSnitch’ that can run a test to see the real patch level of your device. If your device ends up being fully patched once running the app, you should be up-to-date on recent patches. If not, you may want to consider being more careful about what you click on, what apps you install and how you use your Android device until your manufacturer ‘really’ updates your phone. If you really are concerned, you may want to consider getting a different Android device from another manufacturer in the future. Check out our show notes for details on downloading the SnoopSnitch app and for a link to a FAQ about the testing results and what they mean for your device.
Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling.
No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.
In Facebook news this week, Facebook officially announced that they will be introducing new privacy controls and notifications for all of its users to meet the European Union’s General Data Protection Regulation, also known as GDPR which goes into effect in May. What this means to you is that no matter where you reside in the world you will be asked to review your privacy settings and how you choose to allow your data to be used for advertising. In addition, you’ll be asked specifically if you want to have your political, religious and relationship information stated in your profile. As I’m sure you’re well aware, this was information that was harvested from the infamous Cambridge Analytica quiz debacle several weeks ago. Users in the EU will start to see permissions screens show up when they use Facebook this week and users in other parts of the world, including the United States, will see these screens in the near future.
One point to make about this new effort from Facebook is that even if the Cambridge Analytica controversy didn’t happen, Facebook was planning on rolling out these revamped privacy controls and notifications either way to comply with the new GDPR regulation. Violation of GDPR rules will subject companies, worldwide, to stiff penalties if they use personal information of EU citizens without official consent so it was always in Facebook’s best interest to comply with GDPR. I think that GDPR, while a pain for many organizations to implement, is a positive development from a privacy perspective. Let’s hope that legislators in the US, that may be considering new privacy rules to implement, pay close attention to what the EU is doing with GDPR.
Apparently Russian hackers have been targeting millions of home routers, corporate firewalls, switches and other widely used networking equipment, according to a joint Technical Alert issued by the Department of Homeland Security here in the US. The Technical Alert states: “The FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”
Now, state-sponsored hacking activities from Russia are nothing new, but this alert seems to describe very specific attacks on very common networking devices. The attacks described are also not very complex, as they go after device misconfigurations, default passwords and poor security designs which are fairly typical, especially with cheap consumer devices like wifi routers. As we’ve discussed on the podcast before, as a consumer you need to make sure that any home wifi router or other networking equipment that you use is fully updated with the latest security patches and that any default passwords are changed.
One way to ensure that you stay up-to-date with security patches for your wifi router is to register your purchase with the device manufacturer so you get email alerts when there are new updates. We also recommend you investigate the reviews and product descriptions of any IoT (Internet of Things) devices that you may be purchasing to see how they are updated and secured. This can be challenging because many of these cheap devices have either very few security controls or none at all, which could leave your home network vulnerable. In addition, many of us use cable modems or wifi routers (often called ‘gateways’) provided by our Internet Service Providers (ISPs). These devices typically cannot be updated by us and we have to rely on the ISP to keep them properly updated and secured. It’s scary to think that your ISP may have never updated the router that they are providing you. You could call your ISP and ask them how they are securing your router, but other than that, we unfortunately have to rely on device manufacturers to design more secure devices by default, and on ourselves as consumers to be more careful about the products we buy from device manufacturers that may not be serious about the security of their products.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
The post The Shared Security Weekly Blaze – Android’s Toxic Hellstew of Vulnerabilities, Facebook’s New Privacy Controls, Russian Router Hacking appeared first on Shared Security Podcast.

Apr 19, 2018 • 32min
The Shared Security Podcast Episode 75 – Cybersecurity Education with Gotham Sharma (@g0thamsharma) and Dr. Brian Krupp (@briankrupp)
This is the 75th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston and Scott Wright with special guests Gotham Sharma and Dr. Brian Krupp recorded April 16, 2018.
The Cybersecurity Education Episode
In this episode we’re joined by two cybersecurity educators for their perspective on the current state of education in the cybersecurity industry. This is a really important topic given the current cybersecurity skills shortage, where it’s becoming more difficult to find qualified and skilled individuals to fill cybersecurity jobs.
Gotham Sharma serves as the Managing Director of the Exeltek Consulting Group, where he manages daily operations of the New York City based cybersecurity advisory firm. Previously a Wall Street consultant for Global Technology Operations at various Fortune 500 Organizations, Gotham left financial services to consult for the nonprofit world, where he focused on youth development and STEM education. In particular, his work centered around designing Career and Technical Education (CTE) Programs for traditionally disconnected young adults. You can contact Gotham via his LinkedIn page.
Dr. Brian Krupp is an Assistant Professor in the Computer Science department at Baldwin Wallace University. He is the faculty advisor of the Mobile Privacy and Security (MOPS) research group where their current research is investigating methods to increase consumer awareness of privacy issues in smartphone and tablet applications. He is also the faculty advisor of CS+ which provides computer science opportunities for elementary to high school students through Tech Camps, school visits, and partnerships in the NEO region. You can contact Dr. Krupp via his Twitter or find out more about the classes he teaches and his work with students via his Baldwin Wallace University home page.
On this podcast we discuss if there really is a shortage of cybersecurity talent and what programs are available for young kids as well as teenagers and college students that may be interested in a cybersecurity career. We also discuss the importance of mentorship, being a good mentor as well as the need for more women, minorities and diversity in the cybersecurity industry.
Thanks to Gotham and Dr. Krupp for being guests on our show!
The post The Shared Security Podcast Episode 75 – Cybersecurity Education with Gotham Sharma (@g0thamsharma) and Dr. Brian Krupp (@briankrupp) appeared first on Shared Security Podcast.
