Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Apr 16, 2018 • 12min

The Shared Security Weekly Blaze – Facebook goes to Congress, More Data Breach Announcements, New Hope for Replacing Passwords

This is the Shared Security Weekly Blaze for April 16, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for April 16th 2018 with your host, Tom Eston.

In this week’s episode: Facebook goes to Congress, More Data Breach Announcements and a New Hope for Replacing Passwords.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated.

Shout outs this week to @ZodMagus, @Yohun, @BNI212, @StrongArmSecure, @Borderless_i and @drheleno_ca on Twitter as well as @itincloud, @dahveezy, @grassfedmama and @simpletechla on Instagram and Johann, Richard, Julie, Jason and Stephane on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!

The Facebook news continues this week with the announcement of a new tool to see if you or your friends shared personal information with Cambridge Analytica. This tool won’t tell you which of your friends took the quiz called “This Is Your Digital Life” but will just say how many of your friends may have taken the quiz. If this tool tells you that some of your friends took the quiz which allowed your data to be harvested, be sure to scold them until you find out who did it. Just kidding, but you may want to make a post about it so that your friends are aware of what they did. Also within this tool Facebook gives you a link to review the information you share with other third-party apps. So check out our show notes for the link to this tool and for more information.

In other Facebook news, Facebook confirmed recently that it uses automated tools to scan private chats within their Facebook Messenger application for malware links, child porn and other violations of its terms of service. This news was surprising to many users of the Messenger app as most people thought that these conversations were not being monitored by Facebook. Just so you’re aware, the only conversations that are not able to be monitored by Facebook are “secret” conversations which only work on the Apple iOS and Android versions of Facebook Messenger. Facebook’s secret conversation feature is actually the same end-to-end encryption protocol used by Signal, which is one of the most popular secure messaging applications that you can use. To use secret conversations you have to enable this on a per conversation basis. For details on how to do this check out our show notes. One important thing to note about Facebook secret conversations is that if the other party you’re having a private conversation with reports your conversation for something inappropriate, these messages are decrypted and sent to Facebook’s support team. Just something to be aware of if you’re using the secret conversations feature.

Last but not least, Facebook CEO Mark Zuckerberg testified to Congress last week, which included legislators from both the Senate and House of Representatives. Legislators asked Mark Zuckerberg questions about how Facebook secures user data, what type of regulations the government should put in place for Facebook, and for Mark to explain the details around the Cambridge Analytica controversy. One thing that I noted during the testimony was that these legislators really have no idea how Facebook or any social network works. It was surprising to me that Mark Zuckerberg had to explain very basic functions and features that are part of using Facebook as well as how Facebook makes revenue. For example, many legislators seemed to be unaware that Facebook has very detailed privacy controls for everything that a user can share and were confused regarding how messaging apps like WhatsApp even work. I believe one Senator even noted that the messaging application WhatsApp can be used to send email. Now I realize this is a very similar situation for those fellow gen X’ers like myself that may have a non-technical parent that may not have a clue about social media or technology. However, if a legislator is proposing to regulate a technology that they know nothing about…we’re in for a very long and scary ride. If the US government does pursue regulation let’s hope that they embrace or replicate common sense privacy laws like the European Union’s GDPR privacy law which goes into effect in May. Frankly, it’s probably best that we try to keep the government as far away as possible from regulation of social media technologies.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.

In news not related to Facebook but as a follow up to last week’s news about the Saks Fifth Avenue and Panera data breaches, Delta Airlines, Sears, Best Buy and Kmart all announced a data breach that happened through a third-party chat service provider called [24]7.ai. This chat service is similar to other help desk chat systems that many companies use for customer support and in some cases allow customers to order products or services. Apparently, [24]7.ai was victim to a malware attack within its software from September 26th through October 12th of last year. During the attack time frame, if you happened to put your credit card information in one of the online chat sessions from one of the affected companies’ web sites, like delta.com, your name, address and credit card information would have been compromised. If you were affected by this breach, stand by for your email notification and complimentary “free credit monitoring” for the next year.

These types of breaches, that involve a third-party organization, are very challenging to prevent. You may remember the Target credit card breach back in 2013 that exposed credit card information for around 70 million Target customers. That breach in particular was also conducted through a third-party which led to Target’s own systems being compromised. This recent breach is yet another wake up call for organizations to do better vetting of their vendors and the security of third-party software that is often used on internally owned systems. Check out our show notes for a really good overview of the breach that Delta Airlines put together for their customers if you’re interested in learning more or if you think you’ve been affected by this data breach.

In some positive news this past week it was announced that Google, Microsoft, Mozilla and Opera have all agreed to support a new standard for web authentication called “WebAuthn”. What this means is that web developers will soon be able to develop their applications to use a more user friendly and secure method of authentication. As you’re probably aware, passwords have always been one of the largest risks for users and businesses in that passwords are challenging to store or manage and are always targeted in phishing attacks and disclosed through data breaches. This new standard will allow your mobile phone, fingerprint readers already built into many PCs, facial recognition and other hardware that you use to “unlock” your device to be used to replace passwords for website authentication. This new method of authentication is much more secure as user credentials and biometric data never leave the user’s device and are never stored on servers. There hasn’t been a timeline given yet as to when we may be able to start using this form of authentication, but many popular sites like Dropbox, PayPal, Google, Bank of America and others already support WebAuthn through a specification called FIDO which is being used for two-factor authentication on these sites already. This is definitely great news as we may finally see passwords slowly start to go away on the sites and services that we use. Just like how Apple and Samsung Pay make your credit card transactions much more secure, it will be good to use a device that we’re already familiar with to authenticate to web sites as well. We’ll be providing more updates as we get them about this new form of authentication and when it will be available for all of us to start using.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Facebook goes to Congress, More Data Breach Announcements, New Hope for Replacing Passwords appeared first on Shared Security Podcast.
Apr 9, 2018 • 12min

The Shared Security Weekly Blaze – The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service, Saks Fifth Avenue and Panera Data Breaches

This is the Shared Security Weekly Blaze for April 9, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions, Silent Pocket and CISOBox. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for April 9th 2018 with your host, Tom Eston.

In this week’s episode: The #DeleteFacebook Movement, Cloudflare’s New Privacy Focused DNS Service and the Saks Fifth Avenue and Panera Data Breaches.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. If you like this podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and are greatly appreciated.

I also have several shout outs this week to @yohun and @nevon on Twitter as well as Richard, David and Johann on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!

Ever since the Facebook Cambridge Analytica controversy an online movement has started to form called #DeleteFacebook. The delete Facebook movement is in response to Facebook’s recent privacy firestorm regarding the way the social network collects your personal information. I’m sure many of you have had friends or family either say they are quitting Facebook or are planning on doing so because of everything that’s been going on in the news about Facebook recently.

Having said that, I wanted to quickly talk about the #DeleteFacebook movement and how it applies to what we talk about on this podcast. When Scott and I started this podcast back in 2009 it was called the “Social Media Security” podcast, and for very good reason. Social networks like Facebook were just starting to get popular and it seemed like the wild west in regards to the lack of privacy controls as well as awareness of social network security issues. As the years went on we began speaking more about social network risks and privacy issues but also how to use them safely. We soon realized that all of us were going to use social media at some point, so how can we use it with some sense of balance between our privacy and the need to share information with friends and family? Education became the theme rather than “delete your accounts and never use social networks”. In fact, Scott and I make it well known that we use social networks like Facebook all the time and even promote engaging us on various social media platforms so that we can have conversations about these important topics. We strongly believe that education, through the use of social media, can make the most impact on others about privacy and security issues.

One of the taglines that the podcast developed over the years is, “we bring you stories, advice and tips to make better risk decisions because no one else can make them for you.” This tagline is what this podcast is all about and tells us that it’s your decision to use Facebook or not. Like most everything in life, there is always a risk of something. If you accept that Facebook is going to harvest your personal information, as that is what it was designed to do, then you accept that risk. If it seems too risky and you want to delete Facebook and all other social media, that’s fine as well. However, we believe that all of us can use social networks more safely and can limit the amount and type of personal information that we share. Remember that you ultimately have control of what you post and the information you share on social networks.

Internet performance and security company Cloudflare released a new privacy focused DNS service this past week called 1.1.1.1 which aims to solve several of the privacy issues related to using the DNS service of your Internet Service Provider (or ISP). If you’re not familiar with what DNS is and why it’s important, here’s a quick overview. DNS stands for the Domain Name System. You can think of DNS as a big directory of the Internet. Whenever you type in a website like sharedsecurity.net into your web browser the first thing that happens is that a DNS server needs to be queried to find the IP address of that name. If we didn’t have DNS we would all have to remember IP addresses such as 69.39.236.80 to get to a website like sharedsecurity.net.

With Cloudflare’s DNS service, you can use their DNS server instead of the one your ISP provides (or the ISP of the wifi you use at, say, a coffee shop). What Cloudflare has done is built a DNS service to address two specific privacy issues related to using your ISP’s DNS service. First, because of the recent ruling by the FCC on net neutrality, ISPs like Comcast, AT&T and others can potentially sell your browsing history. Without the DNS records associated with your browsing history, this makes it much more difficult for an ISP to track you. Second, ISPs (especially ones in certain foreign countries) have been known to censor access to social media and other sites to prevent communication for journalists and human rights activists. By using a third-party DNS service like Cloudflare you could get around restrictions like these. However, it’s important to note that even when using a third-party DNS provider, your ISP will still know who you are by your IP address and could eventually put together the sites and services that you’re using because you’re still using your ISP’s infrastructure. The only way to fully avoid being tracked by your ISP is to use a VPN service or Tor. VPNs and Tor have their own challenges so be sure to check out the show notes for links to previous episodes of the podcast where we discuss VPNs and Tor in more detail.

Other advantages of using Cloudflare’s DNS service include the commitment to delete all logs within 24 hours and implementing better security of the DNS protocol itself by adding the protection of encryption to all queries. In regard to the deletion of logs, Cloudflare is hiring KPMG, a large consulting firm, to audit them annually to ensure they are deleting logs like they say they are. Last but not least, Cloudflare promises to speed up your browsing as they have been rated the fastest DNS service, even above Google and other third-party DNS services. More speed and more security are always a good thing when using the Internet. So how do you use Cloudflare’s new DNS service? It’s fairly simple to set up and configure on your devices and even your home wifi router so all the devices on your home network will use the Cloudflare DNS service. Check out our show notes for the walk-through Cloudflare provides for full details.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.

In this week’s data breach news, 5 million credit cards have been compromised from Canadian retail brands company HBC (also known as Hudson’s Bay Company). The company owns popular clothing brands Saks Fifth Avenue, Saks Off 5th and Lord & Taylor. According to a report from security firm Gemini Advisory, only a portion of the compromised cards are being offered for sale on the dark web, but the firm expects this to increase over the next several months. From a breach impact perspective it seems that all Saks Fifth Avenue and Lord & Taylor locations had malware installed on the point of sale systems at each store, which allowed the compromise of credit cards from May 2017 to now. If you used your credit card at any Saks Fifth Avenue or Lord & Taylor locations be extra vigilant about checking your credit card statements and it’s highly recommended to call your credit card issuer to obtain a new card.

In other related news, Panera Bread finally shut down a data leak of potentially millions of customer records through its website. The vulnerability was actually reported to Panera about eight months ago but wasn’t fixed until the researcher contacted famed reporter Brian Krebs from Krebsonsecurity.com, who wrote an article about the breach. Information that was easily accessed included names, emails, addresses, birthdays and the last four digits of credit card numbers from customers that have ordered food through Panera’s online ordering system. Check out the show notes if you’re interested in the gory details about the researcher and his attempts to contact Panera about the vulnerability, but this is a great example of how a company should not handle a major security vulnerability that was identified by a researcher in good faith. Compared to the good response we saw from Under Armour with the MyFitnessPal data breach the other week, this response was extremely poor. This recent data leak from Panera shows that companies need to be more accountable for poor security and incident response practices. How can we hold companies like Panera more responsible, you may ask? Well, as a consumer you have a choice to take your business elsewhere and you should decide if you want to buy products and services from organizations that have poor track records for security and the protection of your personal information. Until we all can agree to hit these companies where it hurts, their bottom line, we will most likely continue to see incidents like these.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Apr 2, 2018 • 12min

The Shared Security Weekly Blaze – Facebook’s Privacy Firestorm, MyFitnessPal Data Breach, Ramifications of CLOUD and FOSTA

This is the Shared Security Weekly Blaze for April 2, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for April 2nd 2018 with your host, Tom Eston.

In this week’s episode: Facebook’s Privacy Firestorm, the MyFitnessPal Data Breach and Ramifications of the CLOUD and FOSTA Bills.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Shout outs this week to @Yohun, @zroone, @StrongArmSecure, and @CamilleEsq on Twitter as well as @vanishedvpn and @newcybersource on Instagram and Lou, Shawn, Jun, and Andrew on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!

Since the news broke about Facebook and the Cambridge Analytica controversy the other week, there has been a firestorm of information coming out about Facebook’s data harvesting practices as well as new tools and information about Facebook’s privacy settings which are in response to Facebook’s recent privacy challenges. For example, Mozilla, the creator of the Firefox web browser, released a new browser extension called “Facebook Container” which lets you isolate your Facebook activity to just Facebook.com, which will limit the amount of tracking that Facebook can do while you browse the web. Keep in mind, when using a browser extension like this any sites that you “sign in” to using Facebook will no longer work.

In other Facebook news, details also came out about Facebook collecting phone call metadata from Android phones that have the Facebook mobile app installed. This data included names, phone numbers and the length of each call made or received on the device. This access is given during the installation of the Facebook app, which asks for permission to read contacts off of the device. The reason Facebook does this is so your contact data can be used to find and match more Facebook friends for you. Apparently older versions of Android allowed access to call and message logs in addition to contacts on your device. The issue has been fixed in newer versions of Android, but if you had the Facebook app installed before these updates were made, the Facebook app would still be able to access this data. It’s important to note that Apple iOS has never allowed apps to access call logs and other call data. So if you have an Apple iOS device, you’re safe…for now. Check out our show notes for instructions on how to remove these permissions if you have the Facebook app installed on your Android device.

Given all the news about Facebook recently, and where your data may have been collected, you may be thinking it’s time to re-evaluate your use of Facebook and to ponder the reasons why you may or may not want to continue using the social network. One tip we have to share is that you do have the ability to download all the data that Facebook has about you so you can see for yourself what information has been collected. See our show notes for details on how you can do this, but you may be surprised to see all the data that Facebook has collected about you, especially if you’ve been a long time user of Facebook.

In other breaking news this past week, Under Armour announced that their app MyFitnessPal was breached sometime in February of this year. This breach affects 150 million user accounts, making it the second largest data breach of consumer data in U.S. history right behind the infamous Yahoo data breach which happened in 2016. The information compromised included usernames, email addresses and hashed passwords. While details about how the breach happened have not been released there are a few good things to mention. First, in the breach disclosure Under Armour mentioned that bcrypt was used as the hashing function for storing passwords. Bcrypt is a much more secure method of storing passwords, so depending on how bcrypt was implemented it will be very difficult for an attacker to find out users’ passwords. Second, Under Armour announced the breach very quickly, which is far different than other similar breaches we’ve seen like the Equifax breach last year.

So what should you do if you’re a user of the MyFitnessPal app? First, change your password by going to the MyFitnessPal website. Hopefully, you’ve taken our advice from previous podcast episodes and are not using that same password on other sites and apps. If you are, you’ll need to change those passwords as well. Second, be on the lookout for phishing emails related to the breach. Whenever there are emails, names and other personal details exposed in a data breach like this one, there is always an increase in phishing emails. Be aware and always think before you click, or don’t click on anything in an email at all.

Two significant privacy related bills, the CLOUD Act, which was snuck in and attached to the recent $1.3 trillion government spending bill, and the combined SESTA and FOSTA bill (which is now called FOSTA) were both recently passed by Congress here in the United States. Because the CLOUD Act was attached to the spending bill, it was signed into law by President Trump. The FOSTA bill is also expected to be signed as well.

The CLOUD Act, which stands for Clarifying Overseas Use of Data, allows foreign police to collect and wiretap people’s communications from US companies without obtaining a warrant. The Act also allows foreign nations to demand personal data stored in the U.S. without review by a judge and allows U.S. police to grab any data, regardless of whether it’s a U.S. person’s or not and no matter where this data is stored. The bill would also allow the President to enter into what are called “executive agreements” with other governments to allow each government to access data stored in the other country without the need to follow each country’s privacy laws. The Electronic Frontier Foundation (EFF) says “This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.”

What does the CLOUD Act mean to you? As you’re aware, we have laws in this country that protect us from warrantless searches of our property and similar laws should apply to our digital lives as well. Many of us will use the argument that “I have nothing to hide” so who cares if law enforcement gets my personal data. But like many investigations by law enforcement, sometimes innocent people get caught up in the trove of data that is obtained and analyzed. This data could include your data as well. Privacy is also a fundamental human right. It’s the reason we have windows and curtains on our house and private stalls in public bathrooms (well, most bathrooms anyway). There needs to be proper checks and balances within our government to conduct lawful investigations, but also to uphold this fundamental right.

FOSTA, which was also passed, attempts to stop online sex trafficking. SESTA stands for the Stop Enabling Sex Traffickers Act and FOSTA stands for the Fight Online Sex Trafficking Act. This combined bill will hold Internet Service Providers (or ISPs) liable if they intentionally facilitate sex trafficking. FOSTA will also have ramifications for sites like Backpage and Craigslist that have personals sections, which are well known for soliciting sex trafficking. In fact, Craigslist has already shut down its popular personals section noting that, quote, “Any tool or service can be misused. We can’t take such risk without jeopardizing all our other services, so we are regretfully taking craigslist personals offline. Hopefully we can bring them back some day.” end quote.

The EFF and other privacy advocates argue that ISPs are protected by Section 230 of the Communications Decency Act, which is one of the most important laws that protect free speech on the Internet. Section 230 states that ISPs and other “intermediaries” are not liable for any third-party content posted on services that they control. Without Section 230 the Internet would be a very different place and it’s argued that companies like YouTube, Facebook and Twitter would not even exist without this provision. I think we can all applaud the US government for trying to address the serious situation we have with sex trafficking in the US and across the world. However, the question to ask is whether laws like these will cause more harm than good. Will free speech and your privacy be stifled because of laws like FOSTA? Will more online businesses be forced to shut down because they are now held liable for content posted that they may not even know about? Only time will tell, but our advice is to support groups like the Electronic Frontier Foundation and other privacy groups that advocate and lobby for our rights to privacy. There are also more privacy tools available than ever before that you can use to help protect your communications. We’ve mentioned several of these tools on the podcast before such as products to protect your devices like those from Silent Pocket, apps like Signal, web browsers like Tor and of course VPNs (with some caveats about logging). These are all good ways to protect your privacy in a world where it seems our fundamental rights are slowly eroding away.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Mar 29, 2018 • 28min

The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac)

This is the 74th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rachel Tobac, recorded March 25, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Interview with special guest Rachel Tobac

Rachel is the CEO & Co-founder of SocialProof Security, where she helps people and companies keep their data safe by training them on social engineering risks. Rachel also placed second two years in a row in the DEF CON hacking conference’s Social Engineering Capture the Flag contest (SECTF). In her remaining spare time, Rachel works as the Chair of the Board for the nonprofit Women in Security and Privacy (WISP), where she empowers women to lead the converging fields.

In this episode, Tom and Scott speak to Rachel about her adventures participating in the Social Engineering Capture the Flag contest at DEF CON. Rachel also discusses her thoughts on how to avoid being a victim of a social engineering attack and how more young women can get into cybersecurity and technology careers. Of course, no interview with Rachel would be complete without discussing her favorite (and least favorite) David Lynch movies as well as her book recommendations. Rachel was super fun to chat with!

On the show Tom and Rachel mentioned the call that Chris Kirsch, the winner of last year’s DEF CON SECTF, performed. Here’s the re-enactment you should definitely check out!

Thanks again to Rachel for being a guest on our show! Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook.

Thanks for listening!

The post The Shared Security Podcast Episode 74 – Special Guest Rachel Tobac (@RachelTobac) appeared first on Shared Security Podcast.
Mar 26, 2018 • 11min

The Shared Security Weekly Blaze – Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs, Siri Lock Screen Privacy

This is the Shared Security Weekly Blaze for March 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for March 26th 2018…with your host, Tom Eston. In this week’s episode: Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs and Siri Lock Screen Privacy.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Shout outs this week to @StrongArmSecure, @BrotherBlarneyS and @AANaseer on Twitter as well as @newcybersource and @thebluehawaiipodcast on Instagram and David, Julie, Gary and Jason on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support of the show!

Several privacy-focused vulnerabilities were identified in three popular VPNs. According to research done by VPN Mentor, PureVPN, Zenmate and Hotspot Shield were all found to leak your real IP address. This vulnerability could allow an attacker to learn your real location while you use the Internet, which defeats the purpose of a VPN. Hotspot Shield and PureVPN appear to have remediated this issue, but as of this podcast recording Zenmate VPN has not fixed these vulnerabilities.

In addition, functionality that could invade your privacy has been disabled in the Firefox web browser. Mozilla has disabled the proximity API, which allows websites you visit to know how far your phone is from your face, as well as the ability to detect the ambient light levels of the room you’re in. The reason Firefox is disabling these features is that they can be used to fingerprint or identify you in order to target more ads to you. In regards to the ambient light sensor, some techniques can be used to leak your browsing history in something called a browser history attack. Mozilla is disabling these features in Firefox version 62. As we’ve mentioned on the show many times before, make sure you’re staying up to date with software updates for the apps you use, especially VPNs and your web browser. Applying frequent updates is one of the most important things you can do from a cybersecurity perspective.

Do you have an iPhone with Siri enabled from your lock screen? If you do, you should know that there is a new vulnerability that can allow Siri to read out messages from the lock screen even if those messages are hidden. This vulnerability allows someone to access hidden messages from many different types of third-party applications, including popular secure messaging apps like Facebook Messenger, Signal and WhatsApp. The good news is that the vulnerability doesn’t apply to Apple iMessage or standard text messages. The vulnerability currently affects version 11.2.6 of iOS, and Apple is aware and working on a fix. If you are concerned that someone would be able to gain access to sensitive information in your messages you’ll need to do the following two things. First, turn off screen notifications in your settings for any sensitive applications you may be using, and second, disable the feature that allows Siri to be used when your device is locked. Check out our show notes for details on where these settings are on your iOS device.

Last weekend Facebook confirmed that back in 2013 an academic researcher named Dr. Aleksandr Kogan created a Facebook app called “This is Your Digital Life”, which was a personality quiz distributed through Facebook. When Facebook users took the quiz it harvested profile data from their Facebook account. About 300,000 Facebook users took the quiz, but the data of about 50 million users ended up being harvested because the app also accessed profile data of those users’ friends. In 2014, this was Facebook’s feature called “friends of friends”, where apps could access your friends’ data under certain conditions. This data was then given by Kogan to a political consulting and data analytics firm called “Cambridge Analytica”, which apparently has ties to US president Trump and his political campaign. According to sources, Cambridge Analytica used this data to profile 50 million people so that they could target them with political propaganda prior to the US election.

Many news articles and other sources have been stating that this was a “data breach” and that this data was effectively “stolen” from Facebook users. These statements are absolutely false because that’s not how Facebook applications work at all. Each user that took this quiz willingly installed the app and accepted that their personal data was going to be accessed. Facebook always shows you the permissions that the app is requesting, and you as the user need to accept them or the app won’t be installed. Here’s what happened with the Cambridge Analytica situation. In 2014 Facebook made changes to application privacy settings and the type of data that apps like these can harvest. Today, Facebook apps can access your friends’ data only if they too have authorized the app. Facebook also stated that the researcher did violate Facebook’s terms of service and that any data collected was not to be shared with any other third party. In 2015, Facebook also had the app removed and required that the developer and Cambridge Analytica certify that the data was deleted. Cambridge Analytica claims that the data was never used, but questions still remain as to whether the data was actually deleted or not. This past week Facebook has said that they’ve hired a forensics firm to find this out.

Some of the other fallout from this controversy is that US senators are asking Facebook CEO Mark Zuckerberg to testify before Congress and to explain how Facebook will protect its users’ data. Last week in a Facebook post Zuckerberg said quote “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” as well as “it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.” Look, this is definitely a concerning issue, not because of how the data was collected, but because of how the data was used and the associated cover-up. However, you need to understand that collecting your personal data is what Facebook was designed to do. This is how they make money. If you don’t accept this or the other terms of their service then you simply shouldn’t use Facebook. You should also be aware that this isn’t the first and certainly won’t be the last Facebook application designed to harvest your personal information for malicious purposes.

Ironically, as part of a talk that Kevin Johnson and I did at the DEF CON hacking conference in 2009, we conducted an experiment by posting a quiz on Facebook which asked for “25 Random Things About You”. These “random things” questions may seem innocent but were actually password reset questions that we pulled from Yahoo Mail, which are asked when resetting the password for your email account. While this was just an experiment on a much smaller scale than the application used by Cambridge Analytica, it was shocking to see how many people willingly gave personal information because it seemed like an innocent way to get to know your friends better.

For most of us, deleting our Facebook account isn’t an option. Seriously, it’s hard to do because we use Facebook for so many legitimate purposes like keeping in touch with our friends and family. So what can you do to better protect your information on Facebook? First, stop taking all those stupid quizzes and installing or taking survey apps that you see people posting and sharing on the Facebook news feed. All of these apps and quizzes have some type of ulterior motive and are sharing your data with many different third-party advertising companies like Cambridge Analytica. Second, limit the amount of information about you that apps your friends are using can access. See the show notes for where this setting is, but note that it’s pretty buried within your Facebook app settings. Third, check to see what apps you have installed in your Facebook account and what permissions they have. You might be surprised to see how many apps can access your data, especially if you’ve been using Facebook for a long time. You’ll also want to dig down to see which apps or sites you’ve logged in to with your Facebook login and disable these sites and apps as necessary. Lastly, you can disable your access to what Facebook calls the “Platform”, which will turn off all app integrations as well as any access to sites or apps that you’ve chosen to use your Facebook login for instead of their own. Be cautious if you turn off the Platform. This is like hitting the “big red button”, which will make Facebook almost unusable, so you may just be better off deleting your Facebook account altogether. If you do continue to use Facebook make sure you’re staying up-to-date on your privacy settings, and stay tuned for more information and news about Facebook privacy in future episodes of the podcast.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Facebook and the Cambridge Analytica Controversy, Vulnerable VPNs, Siri Lock Screen Privacy appeared first on Shared Security Podcast.
Mar 19, 2018 • 8min

The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware

This is the Shared Security Weekly Blaze for March 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for March 19th 2018 with your host, Tom Eston. In this week’s episode: The Insecure Internet of Things, Spectre Patch Updates and Android Malware.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. Shout outs this week to @Yohun, @ClarkWillClark, @drheleno_ca and @eg0sum on Twitter as well as @heath_robinson on Instagram and Tom, Shawn and Jamie on Facebook for commenting, liking and sharing our posts on social media. Thank you for your support!

A new paper called the “Secure by Design Report” from the UK government’s Department for Culture, Media and Sport describes 13 new security guidelines for manufacturers of Internet of Things devices (also abbreviated as IoT). If you have been listening to past episodes of the podcast or have been paying attention to the news, we’ve seen a huge increase in devices such as smart watches, Internet-enabled cameras and hundreds of other connected devices like coffee machines and even toasters. Yes, you can actually buy a connected toaster that you can control from your mobile phone, just in case you want to really fine-tune your toasting process. Over the last several years Internet of Things devices have been found to have many different kinds of security vulnerabilities, such as being configured with default passwords, having no mechanism to be updated and lacking features to delete private data. In fact, insecure devices like these have been hacked to steal information and can be hijacked to be used in botnets, like the Mirai botnet in 2016 that infected over 300,000 IoT devices with malware.

These new guidelines aim to educate manufacturers so they can build and eventually sell secure products. I think these guidelines are a great start to advocate good security practices for IoT device manufacturers; however, guidelines are just guidelines. Will manufacturers listen to this advice, or will they continue to sell devices that are easily hackable? Unfortunately, it’s very difficult to determine if the IoT device that you’re purchasing is secure or not. From what we’ve seen in the past, many of these new IoT products are cheaply made with the purpose of getting cool technology out to the market to make a quick sale. In fact, it’s really easy to do a quick search on Amazon for pretty much any “connected” device these days and find manufacturers or sellers that no one has ever heard of. One tip I’ve found helpful is to check reviews and comments left by owners of products that you may be interested in purchasing to find out if any security or privacy configurations are being discussed, or if there are known security issues that the manufacturer is aware of and is addressing. Like these guidelines state, it’s up to the device manufacturers to bear the burden of securing their products. For us consumers, we either need to accept the risk that these products may compromise our security and privacy or just not purchase these devices altogether. I mean, it’s still possible to make toast with a regular toaster and not a connected one.

Intel is almost ready to release more updated patches for the critical Spectre vulnerability that affects almost all computer processors manufactured within the last 20 years. If you have a Dell, Lenovo or HP PC you should start seeing these updates showing up through your update software within the next few weeks. Spectre and its close cousin, Meltdown, are critical hardware vulnerabilities which allow attackers to steal data that is being processed within your computer. This data could include sensitive information such as passwords, emails, photos and documents. You may remember that back in late January, after releasing the original updates, Intel told PC manufacturers to stop the deployment due to random reboots and the “blue screen of death” happening after the patch was installed. These patches need to update the firmware of your PC, so make sure you have your software update feature enabled and working. Many times after we buy our PCs we automatically assume that the software update applications installed by default are “bloatware” and we either remove or disable this software. We highly recommend you check to see that this software is running, as well as your Windows security updates, to ensure you’re receiving timely security patches for your operating system. If you would like more information on the Spectre and Meltdown vulnerabilities, check out episode 72 of the podcast where Scott and I discuss these vulnerabilities in much more detail.

Researchers from the Check Point Mobile Security Team released a report this past week about a new form of malware, called “RottenSys”, that was found to be installed on over 5 million Android phones. Apparently, the malware was found on several different brands of Android phones, including some Samsung devices, through the phone manufacturing supply chain, which is a frequent security problem for Android device manufacturers to control. The malware is disguised as a system Wi-Fi service app which communicates with a server that downloads the malware to the phone. Once the malicious code is installed it pushes adware to an infected device in order to generate revenue for the malware authors. If that wasn’t bad enough, the malware also has the capability to download other malicious components for accessing things like your microphone or camera and even allow the infected device to join a botnet of other infected Android phones. As mentioned on the show previously, Android has very specific security challenges like supply chain attacks as well as a problem called “device fragmentation”, where security updates for Android devices may be hit or miss depending on your device manufacturer and wireless carrier. Check out our recent Weekly Blaze podcast where we discussed Android device fragmentation in more detail. For this specific malware, be sure to check out this week’s show notes for the list of devices affected and for how to remove this malware if your device has it installed.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – The Insecure Internet of Things, Spectre Patch Updates, Android Malware appeared first on Shared Security Podcast.
Mar 12, 2018 • 10min

The Shared Security Weekly Blaze – Malicious Healthcare Workers, New Attacks on Mobile Networks, Facebook Messenger for Kids

This is the Shared Security Weekly Blaze for March 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for March 12th 2018…with your host…Tom Eston. In this week’s episode: Malicious Healthcare Workers, New Attacks on Mobile Networks, and Facebook Messenger for Kids.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @karinavold, @Yohun and @securid on Twitter as well as @Itincloud and @wearethelightpodcast on Instagram and Tom, Shawn, Malcom and William on Facebook. Thanks to all of you for your support of the show!

If you go to your doctor or to the hospital, have you ever wondered if your private healthcare information is being properly protected? Well, this past week two reports were released showing that the healthcare industry’s own workforce is its biggest cybersecurity problem. According to the 2018 Protected Health Information Data Breach Report released by Verizon, 58% of data breach incidents involved insiders. Most of the breaches noted by Verizon were because of corrupt healthcare workers stealing data to commit tax fraud, opening lines of credit from patient data or looking up personal records of celebrities and family members. Another report, based on a survey of healthcare employees from consulting firm Accenture, showed that 18% of respondents were willing to sell confidential patient data for as little as $500 or $1,000. This could include selling your login credentials, putting your data on portable drives to be sold and installing malware on internal systems to capture confidential patient data.

I don’t know about you, but reports and surveys like these are very concerning considering the fragile state of healthcare, especially here in the US. Whether it’s failed security policy oversight or a lack of security controls, healthcare remains one of the top sources for criminals to gain access to your private information for medical identity theft. This is despite having healthcare laws such as HIPAA which are supposed to enforce good security practices within the industry. Like other types of fraud we’ve talked about on the show, you need to take steps to defend against someone using your information to commit fraud or identity theft. Unfortunately, we can’t rely on others like the healthcare industry or the government to properly protect our information. Much of the same advice we’ve given to protect against fraud, like putting a freeze on your credit and creating strong and unique passwords, also applies to the issues we’re seeing with healthcare data breaches. Some other tips specific to medical identity theft are to keep accurate records of your medical history, always review your medical statements to ensure they are accurate, be aware of fake or real calls from medical debt collectors and physically shred any healthcare-related documentation containing personal information. Check out our show notes for a great guide from the Federal Trade Commission about detecting and preventing medical identity theft.

Security researchers announced several new security vulnerabilities in 4G LTE mobile networks this past week. The researchers, who are from Purdue University and the University of Iowa, said quote “Among the 10 newly detected attacks, we have verified eight of them in a real test bed with SIM cards from four major US carriers”. End quote. The researchers also noted that using publicly available software-defined radio devices as well as open source software, anyone with enough knowledge could build a tool for around $1,300 to $4,000, a fairly cheap solution for most attackers. The vulnerabilities that were identified could be used by criminals to create spoofed locations, impersonate an existing mobile number and create mass hysteria over a fake emergency alert sent to thousands of mobile devices all at once. You may remember a few months ago when the Hawaii Emergency Management Agency accidentally sent out an emergency alert to all mobile devices in Hawaii about an impending missile attack. Could you imagine the fallout from something like this happening on a much broader scale? The good news is that it appears the US carriers identified in the research are working to fix these vulnerabilities, and the exploit code was not publicly released. There isn’t much we can do at this point but wait for the mobile carriers to fix these vulnerabilities and update their infrastructure to 5G technology, which has more robust security features. I should also note that attacks on 4G LTE are not new. Law enforcement and governments have been using devices called IMSI catchers, also known as stingray devices, for many years now. These devices force your mobile phone to either downgrade to a less secure communication protocol or connect to a fake cell tower where voice and text message communication on your device can be intercepted and monitored. If you are concerned about sending and receiving text messages and phone calls securely you should use an application like Signal, which would protect you from interception attacks like these. Check out episode 60 of the podcast for more information on Signal and other secure messaging apps.

Late last year Facebook released a new app called “Facebook Messenger Kids”, which is designed for kids age 6 to 13 as a safer way for them to message friends and parents. The app includes kid-friendly stickers, masks and frames which encourage using the app. Some of the safety features in the app ensure that parents have to approve who their kids are communicating with and that there is no advertising within the app itself. This past week CNBC reported that during Facebook’s testing of the Messenger Kids app last year, quote “It was hard for kids to initiate the communication” and quote “we wanted to give them nudges to start the conversation” end quote. This news has led many critics and child-advocacy groups to say that social media use by young people may be detrimental to their mental health and that kids that young may not be ready or have the mental capacity to use social media. It’s also important to note that last year Facebook said that they had worked with different privacy and child advocacy groups before launching the app in December. What they didn’t tell you was that many of these groups received funding from Facebook. For example, the National PTA, which coordinated roundtable discussions about the app, and New Mexico State, which conducted some of the research, both received various financial funding from Facebook. These are definitely things that make you go…hmmmm. I’m sure you’re asking yourself why in the world young kids would need the ability to use a Facebook social messaging app. Well, according to Facebook, kids are already on social media and they need to learn how to use it safely. However, many others feel that Facebook is using the Messenger Kids app to “groom” impressionable young people into getting “hooked” on Facebook so that when they become older they continue to use the “adult” version of Facebook. This seems a lot like the path to an addiction, doesn’t it?

I always go back to education being the best approach when parents need to make decisions about allowing their kids to use apps like Messenger Kids. Educate yourself on the risks as well as the motives that a company may have with the apps kids are using. That means reading the terms of service and privacy policy for apps like these. If you’re a parent, check out our show notes for a link to the Messenger Kids privacy policy. It’s ultimately up to you to decide, not Facebook, what’s best for your kids.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Malicious Healthcare Workers, New Attacks on Mobile Networks, Facebook Messenger for Kids appeared first on Shared Security Podcast.
Mar 5, 2018 • 10min

The Shared Security Weekly Blaze – Facebook Face Recognition, Private Web Browsing, Credit Card Fraud

This is the Shared Security Weekly Blaze for March 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for March 5th 2018…with your host…Tom Eston. In this week’s episode: Facebook Face Recognition, Private Web Browsing and Credit Card Fraud.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”. I have a few shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @securid, @WiFI_NY and @drheleno_ca on Twitter as well as Itincloud and thelaurajeans on Instagram and Tom, Lauretta, Jason, Shawn and William on Facebook. A special shout out this week also goes out to sweepa36 who left us a five star review on iTunes. Thanks to all of you for supporting the show!

If you’ve been on Facebook recently you may have seen a message in your news feed about a new feature called “Face Recognition”. This feature will analyze faces to automatically tag you in photos and videos that are posted to Facebook. Facebook says that this “feature” will find photos that you’re in but haven’t been tagged in, help protect you from others using your photo and help people with visual impairments who may be in your photo or video. You can opt out of this feature by turning it off in your Facebook privacy settings. Note, some people have reported that this feature was already set to “on”, so it’s a good idea to check your privacy settings to see if this feature is enabled or not. Check out our show notes for information on where to find this setting. Not to be overly suspicious, but you know as well as I do that this feature will eventually be used to target more ads to you or to allow Facebook more ways to gather data about your activities and monetize your personal information. What I also find ironic is that just this past week a federal judge in Illinois made a ruling in an ongoing class-action case that Facebook “must face claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent”. This decision means that Facebook could be liable for fines under Illinois law of $1,000 to $5,000 each time a person’s image is used without permission. Of course Facebook is fighting this ruling, but I’m sure this is not the end of legal troubles for Facebook since the social network continues to push technology like facial recognition to its user base.

Did you know that when you use “private browsing” or “incognito mode” in your web browser, your browsing activities may not be so private after all? Hopefully, you’re aware that the sites you visit can be monitored and logged by your ISP, VPN provider or employer. It’s also important to know that data from a private browsing session can also be retrieved through common computer forensic techniques once someone has physical access to your computer. Recently a group of MIT and Harvard researchers developed a solution called Veil, which allows web developers to implement technology to protect data while it’s stored and processed within a private browsing session. To do this Veil uses “blinding servers”, which are located in the cloud, to encrypt and protect data on a website. That data then gets retrieved by your private browsing session. Essentially, this would make any data stored within your browsing session (or within computer memory) useless from a forensic perspective. What I like about this technology is that it can add an additional layer of privacy for people, like journalists or human rights defenders, who might have their browsing history or computers targeted by, say, a state-sponsored government or dedicated adversary. Veil might also kick-start other technologies that further support protecting our private information while we browse the web. We’ll be closely following this project to see how it evolves in the future.

Visa released new statistics that show there has been a 70% drop in counterfeit credit card fraud during the period from December 2015 to September 2017. Other data of note is that over 2.7 million merchant locations are now accepting chip cards, which equates to 96% of all credit card transactions in the US. You may remember that chip cards started being implemented back in 2015 to replace the ancient “magnetic stripe” technology that has been used for credit cards since the 1970s. The move to chip cards was accelerated because of the massive Target data breach which happened in 2013. While a 70% drop in counterfeit credit card fraud is impressive, there is still a huge problem with what is called “card-not-present” fraud. Card-not-present fraud happens when your credit card information is compromised, typically through phishing, corrupt employees that work at an establishment where your card was used, online data breaches, or through a phone call or other manual transaction that involved speaking or writing down your credit card number. Any time you enter your credit card details without using a physical chip reader, it is called a “card-not-present” transaction.

One topic about credit cards that is always confusing is the difference between “chip and PIN” and “chip and signature” credit card transactions. Let’s break this down so you understand what this means to you. First, you need to understand the difference between a “credit” card transaction and a “debit” card transaction. A credit card transaction is charged against your credit card account (aka a line of credit) while a debit card transaction draws money from your bank account. Using a chip and PIN card you have to enter a PIN code to authorize a purchase. With a chip and signature card you simply sign for the purchase. This is the most common type of transaction that we see in the United States. Now here is where the confusion lies. In the US most credit cards are “chip and signature” and most debit cards are “chip and PIN”. Debit cards can also be used “as a credit card”, skipping the PIN entry altogether. What type of debit transaction is used at the merchants you shop at depends on the merchant because of the fees associated with using a credit or debit card. This is why one store you shop at may require a signature for using your debit card while others require a PIN. To make matters more confusing, Apple, Samsung and Google have added contactless payment options through your mobile phone in recent years. These types of transactions are much more secure as they use something called tokenization to protect your entire transaction, which significantly reduces credit card fraud.

So as a good consumer, what can you do to prevent your credit card from being compromised? First, use a credit card wherever possible because you have no liability for fraudulent transactions on your card. If you use a debit card and it’s compromised you lose that money from your bank account and it could take weeks to get that money back. Secondly, check your credit and debit card statements on a regular basis, and set up text alerts whenever a transaction happens on your card. While banks and credit card companies say they have great fraud detection, unfortunately, it doesn’t always work. Finally, use more secure methods of payment like Apple or Samsung Pay on your mobile device, especially for online transactions if the merchant supports it.
Otherwise, your best secure payment option is using the old standby…cash. That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe to the podcast on iTunes, Google Play, Stitcher, TuneIn, Spotify or now on iHeartRadio. If you like our podcast we would really appreciate you leaving a review in iTunes or your favorite podcatcher app. Reviews really help move us up the podcast ratings list and attract more great listeners like you.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Facebook Face Recognition, Private Web Browsing, Credit Card Fraud appeared first on Shared Security Podcast.
Feb 26, 2018 • 8min

The Shared Security Weekly Blaze – AI Enabled Privacy Policies, New Android Updates, Hotel Room Inspections

This is the Shared Security Weekly Blaze for February 26, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for February 26th 2018…with your host…Tom Eston

In this week’s episode: AI Enabled Privacy Policies, New Android Updates and Hotel Room Inspections

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Before we jump into the news I wanted to give some shout outs this week to several of our listeners for commenting, liking and sharing our posts on social media: @Yohun, @borderless_i, @securid and @b0dach on Twitter as well as @cyberspacearmor and @silentpocket on Instagram and Andrew, Shawn and Jason on Facebook. Thank you for your support of the show!

Do you ever read the privacy notices that are found linked in super tiny text at the bottom of a web page, or the “privacy notice” emails you receive for the many different services and websites that you use? If you answered no, well, you’re not alone. According to studies noted by security firm Sophos, 98% of us don’t read privacy notices. According to another study, it would take a person 30 full working days to read all the privacy notices for services the average person uses. While no one has time for that, let’s not forget that most privacy notices are filled with legal language and are typically very difficult to understand. We really need a better way to understand how websites and services are using our personal information. Enter AI to the rescue! A new AI based technology called (POL-IS-IS) “Polisis” aims to visualize privacy notices through machine learning. This tool can create visual flow charts based on what is written in the notice, giving users a visual idea of what type of information is being collected and what options are available to users of these services. What I really like about Polisis is that they have thousands of privacy notices on their site that have already been analyzed. For example, you can type in Facebook.com to get an analysis of their privacy notice, as well as many other sites that you may frequently use. You can even submit links to other policies on the web to have them analyzed as well. Check out the show notes for the link to Polisis, and if you’re interested in learning more about privacy notices be sure to check out the interview we did with Rebecca Herold, also known as the Privacy Professor, in Episode 71 of the podcast.

Have an Android phone? If you do, you’ll want to upgrade to the soon to be released Android 9.0 operating system (currently known as “Android P”) for two new privacy features that are being added. According to several news sources, the new Android operating system will prevent an app from using the camera or microphone when the app is idling in the background. Once the app becomes active, the camera and microphone are available to the app again. This feature fixes a large privacy concern about the ability of malicious apps to monitor you via the camera or microphone on your device. Regarding how Android updates are handled, updates are rolled out by the manufacturer of your phone and sometimes in conjunction with your network provider, so the updates can be customized to work with any features that your network provider has added. If you happen to own a newer Google device like the Pixel, you’ll get the update immediately, which is similar to how Apple releases updates to its iOS operating system. It’s important to note that almost all Android devices have an issue with what is called “device fragmentation”. This means that if your device manufacturer and/or network provider decides to stop updating and supporting your device, you’ll never get future updates, and most of these updates have patches to fix serious security vulnerabilities. Our advice is that with all the different versions of Android out there, it’s important that you update your hardware, as well as your Android operating system, to keep up with security and privacy updates. Sounds like a good excuse to buy that brand new Google Pixel 2 you’ve always wanted.

How would you feel if hotel security inspected your hotel room every 24 hours, regardless of whether you have a “do not disturb” sign on your doorknob? Well, Caesars Entertainment told the Associated Press last week that this new policy will be implemented soon in all of their properties to address guest security concerns due to the mass shooting at the Mandalay Bay in Las Vegas which killed 58 people last October, as well as other incidents at properties in Atlantic City where a sexual assault occurred, and a fire at the Tropicana that was started when a guest set up an illegal meth lab in their room. We should note that this is not a new policy for some other hotel chains. Disney, Hilton, and others have policies to check all rooms periodically for guest safety. However, it’s unclear if it’s hotel security or the room cleaning service, as part of their normal duties, doing these checks. In regards to the new policy at Caesars Entertainment properties, hotel security guards will be doing the checks. One can debate the legal aspects of implementing a hotel policy like this and what your rights to privacy are if you’re staying in a hotel room. I’m not a lawyer nor do I play one on the podcast, but logically I go back to defining how real the threat is and what the rate of occurrence of events like mass shootings at hotels and rooms being used as illegal meth labs really is. I don’t know, perhaps meth labs are a real problem for some hotel chains. But much like airport security measures here in the US, we continue to see privacy-invading policies being implemented because it seems like the right thing to do to prevent a bad incident from happening again. Time will tell if this new policy is effective, but let’s all give some thought to the necessity of these policies and the privacy we may not want to give up for the sake of security.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn and now on Spotify. If you like our podcast we would really appreciate you leaving a review in iTunes or whatever app you use to listen to the podcast with. Reviews really help move us up the podcast ratings list and attract more great listeners like you. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – AI Enabled Privacy Policies, New Android Updates, Hotel Room Inspections appeared first on Shared Security Podcast.
Feb 19, 2018 • 8min

The Shared Security Weekly Blaze – Instagram Social Stalking, Cryptojacking, Equifax Breach Updates

This is the Shared Security Weekly Blaze for February 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for February 19th 2018…with your host…Tom Eston

In this week’s episode: Instagram Social Stalking, Cryptojacking, Equifax Breach Updates

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Ever get the feeling that a “social creeper” might be taking screen captures of your Instagram stories without your knowledge? Well, this past week Instagram began testing a new feature in which a pop-up message will appear stating that “Next time you take a screenshot or screen recording, the person who posted the story will be able to see it.” This message will automatically appear when someone takes a screen capture of a story you posted. People taking screen captures of your stories will also be identified in the “seen by” list which is shown to you when you view one of your stories. Interestingly enough, the direct messages feature within Instagram, as well as Snapchat, have had a similar feature for quite some time. It’s important to note that in regards to Instagram direct messages, users are only notified when a screen capture is taken of a picture or video that you sent them via a direct message. There was no timeline given on when this notification feature will be added, but I think this type of notification is a good thing from a privacy and awareness perspective. But, no matter what controls are put in place to bring awareness to “social creepers”, just be aware that no notification or other control will be able to prevent someone from using another camera to take a picture of their device with your photos or stories on the screen. Always be mindful of what you post on any social media app and know that everything, even what you send privately, may not be so private after all.

Over the last few weeks we’ve seen an increase in what are called “cryptojacking” attacks. A cryptojacking attack is where code within a website is used to hijack your web browser and the computing power of your device to silently mine cryptocurrency while you browse and use a website. With the recent rise in popularity of Bitcoin and other types of cryptocurrencies, this attack is becoming much more popular. In fact, just this past week, we saw thousands of websites across the world, including many government websites, being used to mine cryptocurrency. In this case, a third-party plugin called BrowseAloud (which helps blind and disabled people use websites) was compromised, which allowed malicious code to be embedded in every website that had the BrowseAloud plug-in installed. This is similar to the attacks we see when ad networks are compromised and push malware to unsuspecting users of common web sites. However, some companies are taking a new approach of disclosing to website visitors that by accessing their site you are in fact mining cryptocurrency for them. The news site Salon is one such organization that announced last week that they’ve introduced a feature called “suppress ads” which allows users to, quote, “block ads by allowing Salon to use your unused computing power”, end quote. This is a very ingenious way for companies to help pay for their services while reducing the barrage of ads that we all see when using the Internet because…everyone hates ads, right? It’s interesting to note that this is not the first time an organization has tried to harvest users’ computing power. Last year, the infamous website “The Pirate Bay” used code within their website to hijack users’ computing power to mine cryptocurrency back in September. The Pirate Bay called this a “test”, in that using this code in the future would be a great way to replace ads completely. I think for most people, if a website disclosed to you that they are going to harvest your computer power to eliminate ads, it’s really no big deal. However, if you’re concerned about having your web browser and computer power hijacked to mine cryptocurrency, you can use a browser add-on like NoScript or ensure your ad blocker within your browser is blocking known sites used to mine cryptocurrency such as Coinhive. From a privacy perspective, we always recommend the use of a browser add-on such as an ad blocker as well as the Privacy Badger add-on, which will block third-party advertising trackers. Check out the show notes for this episode on sharedsecurity.net for links to the browser add-ons that we recommend installing.

Our final news item from the week is regarding new details that were released about the Equifax data breach and that it was far worse than we first thought. You may remember that back in September of last year the personal information of 145 million people was exposed through one of the largest data breaches in history. It’s more than likely, if you’ve ever had a credit check done in the United States, that you’re a victim of this breach. Last year Equifax stated that the information compromised included names, social security numbers, birth dates, credit cards as well as driver’s license numbers. Now, new information was disclosed stating that, during the initial investigation, tax ID numbers, email addresses, phone numbers as well as expiration dates for credit cards and additional driver’s license data (apparently the state where a driver’s license was issued) were found to have been compromised as well. This breach, and the poor communication and response from Equifax, highlight that we as consumers need to be proactive about protecting our personal information as best we can. This can be very difficult because we inherently trust third-party companies like Equifax to protect our private information. However, time and time again we see breaches like this and more of our information continues to be exposed, making identity theft a real threat to all of us. So what can you do? Most importantly, put a security freeze on your credit file. Unfortunately, this is a painful process to do but is worthwhile in the long run. Be sure to check our show notes for this episode for a great article by Brian Krebs from Krebsonsecurity.com on how to go about putting a freeze on your credit.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback[aT]sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

The post The Shared Security Weekly Blaze – Instagram Social Stalking, Cryptojacking, Equifax Breach Updates appeared first on Shared Security Podcast.
