Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Feb 16, 2018 • 45min

The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart Glasses

This is the 73rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded February 14, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

The Shared Security Amazing Thing of the Month

This month we discuss why it’s important to use a password manager as well as our personal recommendations on which one to use. Tom prefers KeePass, while Scott prefers LastPass. Regardless of our preference, any password manager you choose is better than none!

Product Review: Silent Pocket Faraday Laptop Sleeve

We were recently contacted by Silent Pocket to review one of their new products, the Faraday Laptop Sleeve, and they were kind enough to send Tom one. This is a great privacy and security product which will block all wireless signals from a device including cellular, WiFi, GPS, Bluetooth, RFID and NFC in all frequencies. As mentioned on the show, you don’t need to be a person that is “ultra paranoid” about their privacy to use one of these devices. In fact, in recent months there have been more attacks targeting wireless devices (many of which we’ve mentioned on the show), so products like these add a simple extra layer of protection for your devices. Specifically, if you’re someone that would be considered “high risk” for having your wireless devices targeted (i.e. government, military, journalist or human rights defender), this product is an absolute must have.

Here are my observations of the Laptop Sleeve:

- The sleeve is very durable and made of excellent quality material.
- I like how the sleeve “snaps” together and seals itself. In fact, it holds a bit of air that you have to “push” out when you seal it, which demonstrates how solid the seal is.
- I tested the sleeve with a mobile phone and a 15″ MacBook Pro and I was unable to connect to my phone via Bluetooth, WiFi and cellular. My cellphone quickly reconnected once I removed it from the sleeve.
- As Scott mentioned on the podcast, we wondered if the battery on a mobile phone would drain more quickly looking for a mobile signal while protected in the sleeve. However, according to Silent Pocket’s FAQ, this isn’t an issue.
- You can use it for practically any wireless device like your car key fob or RFID enabled credit cards and passports.
- You could easily fit your laptop and a few other devices in the sleeve (it will be crowded and a bit tight, but it can work).
- On my next business trip I’m curious to see how it goes through the airport security x-ray process.

If you’re interested in learning more about the laptop sleeve and other products, you can visit silent-pocket.com for more information.

Note to other privacy product vendors: We’re happy to review your products as well! Fill out our “Contact Us” form on sharedsecurity.net or send us an email at feedback[aT]sharedsecurity.net for more information.

Intel Vaunt Smart Glasses

Oh no! Is it Google Glass all over again? Tom and Scott don’t think so and in fact, this may turn out to be the next useful device.

Germany Picks on Facebook Regarding the Use of Real Identities

We’ve mentioned before on the podcast that Facebook doesn’t play nice with its users that don’t want to use their real names. Germany has something to say about that with this new court ruling. Will we finally see Facebook change this policy?

Google Chrome Will Show Your Website as “Not Secure” If You Don’t Move to HTTPS

Google recently announced that they will start showing non-HTTPS websites as “Not Secure” starting in July. If you have a business or own a website, best get started on purchasing an SSL certificate or get one for free through the Let’s Encrypt project. Besides, Google automatically lowers the search results for non-SSL sites and they’ve been doing this for quite some time already.

Fun Tweet from Kevin Mitnick (famous hacker)…

“So I went to the Apple Genius Bar to pick up a repaired iPhone. At the same time, the guy next to me is verbally giving his username and password to the Genius helping him. After he says his credentials he goes on to say he hopes he doesn’t get hacked. Only if he knew” — Kevin Mitnick (@kevinmitnick) February 5, 2018

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 73 – Silent Pocket Faraday Laptop Sleeve Review, Password Managers, Smart Glasses appeared first on Shared Security Podcast.
Feb 12, 2018 • 9min

The Shared Security Weekly Blaze – Tax Season Scams, SIM Hijacking, Smart TV Privacy

This is the Shared Security Weekly Blaze for February 12, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for February 12th 2018…with your host…Tom Eston

In this week’s episode: Tax Season Scams, SIM Hijacking and Smart TV Privacy

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

It’s tax season here in the United States and as you may already know there are three things that are certain in life: death, taxes and criminals trying to scam you out of your hard earned money. Which means it’s time to be aware of common phishing and scam tactics that may target you during this tax season. In fact, this year (due to news of changes to the US tax code) there are now more opportunities for scammers to leverage this news to their advantage. Like any significant event that happens in the world (like natural disasters and terrorist attacks), attackers will leverage these news events in an attempt to elicit an emotional response from you so that you either click a malicious link or submit your private and sensitive information to the scammer. According to the SANS Internet Storm Center, recent tax related phishing emails that have been identified are asking for personal information in order to receive your tax refund. Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. These calls will typically ask for personal information or try to convince you to make a payment under the threat of being arrested. Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant this tax season and please let your elderly friends, parents or relatives know about these tax scams. Unfortunately, the elderly are common targets for these types of attacks.

Last week telecom giant T-Mobile sent out a mass text message to its entire customer base alerting them to add an additional security measure to their account. The problem? There has been a major increase in an attack called SIM hijacking, also known as a phone number port out scam. SIM hijacking is where an attacker will either call your mobile phone company or show up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number, or in some cases the attacker will attempt to move your mobile number over to a new carrier. Once the attacker has control of your mobile number, they now have access to reset credentials for banking or potentially access to any other accounts that use a mobile phone number for access. SIM hijacking and fraudulent phone porting have become popular attacks for identity thieves as well as other criminals. This is because your mobile number is increasingly becoming the center of your digital identity, in that your phone number is a unique identifier for you and is used for things like authentication to reset passwords and for two-factor access to many different types of accounts and systems. The way to help prevent this attack is to create a validation code with your mobile carrier. T-Mobile calls this a “port validation” code but other carriers may call this a phone passcode or PIN. Once this code is enabled on your account, you’ll need to provide this to the mobile carrier in order to obtain a new SIM card or port your number to a new carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack happening to you. You may have to research this on your mobile carrier’s website as each company has a different procedure for enabling this feature. Also note, you should ensure that this passcode or PIN is unique and different from any other passcode or PIN that may be in use with your mobile carrier, such as the password for accessing your account online.

Our number one story is about research Consumer Reports released this past week which found that millions of smart TVs are vulnerable to hackers and that all smart TVs are collecting private data about your viewing habits. Consumer Reports conducted their own testing as part of a security and privacy evaluation of smart TVs from popular brands such as LG, Sony and Vizio. Specifically, vulnerabilities were identified in Samsung TVs along with models made by TCL and other brands that use the Roku smart TV platform. These vulnerabilities would allow an attacker to cause havoc on the victim’s TV, like randomly changing the channel, muting the TV speakers or pumping up the volume unbeknownst to the user. The attacks require a victim to either download a malicious app or malicious code through a phishing or other type of social engineering attack in order to access the smart TV through the victim’s home WiFi network. To prevent this attack on TVs that are using the Roku platform you have to turn off an “external control” feature in the Roku platform settings. Roku noted in a blog post that “We want to assure our customers that there is no security risk” and disputes the Consumer Reports findings. However, it’s concerning to me that this “external control” feature is enabled by default.

The other concern from the Consumer Reports research is that all smart TVs (at some level) are collecting information about users’ viewing habits. Now these concerns are nothing new. There have been many reports over the last several years of multiple brands of smart TVs using this technology, which is called Automatic Content Recognition (or ACR), since at least 2010. With ACR technology enabled on your TV it means that your viewing habits, including everything you watch and stream, are being sent to and collected by a third party. This information is valuable to the TV manufacturers and their partners so they can tailor ads and other content to your viewing habits in order to (you guessed it) make more money. In fact, last year Vizio settled with the US Federal Trade Commission for $1.5 million for collecting this kind of data without consumers’ knowledge. Since then, Vizio and other TV manufacturers have enabled privacy settings on smart TVs to disable or limit ACR technology. The bigger problem now is that ACR is being implemented in ways designed to force you to accept the ACR privacy policy or you will be unable to use any Internet enabled features like the ability to stream Netflix, Amazon and other popular streaming services. Unfortunately, as a consumer, we’re given very little choice unless we want to revert back to just having a “dumb TV”.

So how do you change the ACR and other privacy settings on your smart TV? It’s not easy, as the TV manufacturers have made this difficult to change. First, make sure your smart TV has the latest update (this is also known as a firmware update). You can usually find this in the system information menu of most TVs. Some TVs will actually update on their own, so be sure to check to see if you have the latest version. Next, reset your TV back to its factory default so you can review the privacy policy as well as any prompts to change ACR settings. You can also dig down within the menu system on the TV to find this yourself, as they are buried, by design.

Well that’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback@sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Feb 5, 2018 • 9min

The Shared Security Weekly Blaze – License Plate Tracking, Jackpotting ATMs, Strava Global Heatmap Controversy

This is the Shared Security Weekly Blaze for February 5, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.

Show Transcript

This is your Shared Security Weekly Blaze for February 5th 2018…with your host…Tom Eston

In this week’s episode: ICE license plate tracking database, the first Jackpotting attacks on US ATMs and the Strava global heatmap controversy.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.

Our number three story of the week is about ICE, the Immigration and Customs Enforcement Agency, and how they now have the ability to track billions of license plate records across the US using ALPR (Automated License Plate Recognition) technology. A company called Vigilant Systems has been putting together a database of license plate records submitted by repo agencies, local law enforcement, traffic cameras as well as data from roving ALPR vehicles (similar to the Google Street View cars you may have seen roaming around your neighborhood). Vigilant Systems is partnering with ICE so that they can use this data in deportation and immigration control cases. Several civil liberty groups, such as the ACLU, have stated concerns that this database could be used to locate and track anyone in real-time for more than just immigration issues. Even if you’re not connected to a criminal investigation, your license record and driving habits could be in this database. The other controversy is that Vigilant Systems entered into a private contract with ICE, which is a government agency; therefore, there was no congressional oversight and no accountability with a massive surveillance system like this in government hands.

What can you do if you’re concerned about ALPR technology and being tracked? From a legal perspective, several weeks ago the state of California introduced bill S.B 712 which would allow drivers to cover their license plate while parked legally in order to avoid roving ALPR scans, but the bill was rejected by the California senate just this week. No other states to my knowledge are proposing similar legislation. From a product perspective, there are ALPR “blockers” in the form of IR filters and special reflective coatings that can be applied to license plates in an attempt to block ALPR scans. There are many different types of products out there that are just a Google search away. Friendly disclaimer: you should research the legality of using such ALPR anti-tracking devices in your state and/or country before purchasing or using any of these products.

Our number two story this week is about the “jackpotting” attacks that are targeting ATMs in the United States. Jackpotting allows malware installed on ATM machines to shoot out money just like a Las Vegas slot machine. For some strange reason I’m reminded of the movie “Vegas Vacation” in the scene where Clark Griswold jackpots his family bank account at the ATM. This attack, on the other hand, is no laughing matter. In order to perform the attack someone needs to physically access the ATM machine and install the malware via a USB port or through another interface, such as the cash dispensing or front loading slot, and eventually get the malware to infect the underlying operating system of the ATM. Brian Krebs from krebsonsecurity.com noted that most attackers, quote, “typically use an endoscope — a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body — to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer,” end quote. Now these attacks seem to require a risky amount of time to physically access the ATM, and in some cases attackers have used social engineering techniques such as dressing like an ATM technician to con their way to the ATM. It’s important to note that these attacks have focused on smaller ATMs typically located in pharmacies, gas stations and other small locations, not your local large bank ATMs. The Secret Service as well as ATM manufacturers have sent out alerts notifying owners of these attacks and how to harden and secure their ATMs from physical attack. In the meantime, if you happen to see an ATM jackpotting with money flying out…be sure to alert authorities.

The number one story this week is the controversy over the Strava world-wide heatmap release that inadvertently disclosed locations, daily routines and possible supply routes of known and unknown US military bases and CIA outposts. Because of this, the US military is now reviewing its policies and guidelines on fitness trackers and other wireless devices being used by military personnel. This heat map, which shows jogging and running routes, has been available since last November, but last week on Twitter people started to dig into the details of the map and started to see some interesting patterns. If you’re not familiar with Strava, Strava is an app that allows you to sync your runs and workouts with included GPS (geolocation) information from popular fitness trackers like Fitbits, Apple Watches, Garmin and many others. Runners and other sports enthusiasts frequently opt in to share their running routes with people as a way to stay motivated and to build a community around their workout habits. While the intention of sharing your workout information among friends is good, and users of these apps do have some control around the privacy of information being shared, the bigger problem is that privacy controls within apps like Strava get complicated really quick. For example, while one privacy setting may prevent a certain group of people from seeing your information, other settings, like sharing data to a leaderboard for top times in a frequent running route, may inadvertently give someone enough information to figure out who you are. Case in point, the Washington Post recently reported on the Strava heat map and said, quote: “On one of the Strava sites, it is possible to click on a frequently used jogging route and see who runs the route and at what times. One Strava user demonstrated how to use the map and Google to identify by name a U.S. Army major and his running route at a base in Afghanistan.”

To Strava’s credit, they do have extensive privacy settings which can be enabled so you can limit the amount of private information others can see about you and your activities. You can even turn off sharing of any data altogether. However, you need to opt out of the default settings. The default Strava privacy settings share all your location and other personal data with other users of Strava. To make matters more confusing, to opt out of the “heatmap” of all Strava users you need to change this privacy setting on the Strava website; there is no ability to do this within the mobile app. This highlights a major problem in that privacy settings and how you control your data on third party apps like Strava are confusing to the users of these apps. In fact, I would go as far as to say that it’s “confusing by design” in order for you to share as much information about you as possible. Keep in mind that companies like Strava and other “social sharing” apps make money off of the information you share. It’s only to their benefit that you share as much information as possible so they can make a profit. Something to think about next time you allow apps like these to use your location and other personal data.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback@sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
Jan 31, 2018 • 31min

The Shared Security Podcast Episode 72 – Mobile Phone Emergency SOS, Overview of Meltdown and Spectre

This is the 72nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded January 22, 2018. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

The Shared Security Amazing Thing of the Month

(We’re not sure what to name this new segment so we’re rolling with this for now…)

Tom and Scott discuss the emergency SOS feature on your mobile device. There was a recent story in the news about a college student who was able to text message and send her location when she was being kidnapped. Even though the college student was able to find a way to text and send out her location, there are some easier and more discreet ways that you can make an emergency phone call as well as alert authorities to your location. Here are the instructions we mentioned on the show if you have an Apple iOS 11 device or an Apple Watch. Android is not left out of the emergency notification party either! Here are details if you have an Android phone to enable or install this feature with an app.

Overview of the Meltdown and Spectre Critical Vulnerabilities

CPU hardware implementations (manufactured in the last 20 years) are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Modern processors perform speculative execution. To maximize performance, processors try to execute instructions even before it is certain that those instructions need to be executed. The best description of these vulnerabilities is from the original website announcing these issues:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

Spectre in particular is quite interesting from an attacker’s perspective. For example, malicious JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Software patches are starting to come out for both of these vulnerabilities, but there are reports of additional problems that the patches are causing, including impacting system performance in some cases.

Announcing the Shared Security Weekly Blaze Podcast

We’re starting a new weekly podcast which will bring you the hot security and privacy news of the week. The first episode has been released and you can listen to the new podcast just like you do now. The idea is to give you fast and consumable security and privacy “news that you can use” in 15 minutes or less. These weekly podcasts are in addition to our traditional monthly podcast, which will continue to cover security and privacy topics in more detail. We hope you enjoy the new format!

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment in our social media feeds. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter, Instagram and like us on Facebook. Thanks for listening!
Jan 29, 2018 • 8min

The Shared Security Weekly Blaze – Dark Caracal, Meltdown and Spectre Debacle, Amazon Go

This is the first episode of the Shared Security Weekly Blaze podcast. This episode was hosted by Tom Eston. Every Monday we’ll be releasing a short podcast, in 15 minutes or less, covering the top 3 hot news topics happening in the security and privacy world. The idea is to give you fast and consumable security and privacy “news that you can use”. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail. In this week’s episode we talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle. Show Transcript This is your Shared Security Weekly Blaze for January 29th 2018 with your host, Tom Eston In this week’s episode we’re going to talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle. Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the first episode of the Shared Security Weekly Blaze where we update you on the top three security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news you can use”. Our number three story for the week is about a new form of mobile malware that has been identified called Dark Caracal. The Electronic Frontier Foundation and security firm Lookout Security jointly announced research last week on what they are calling a new “malware espionage campaign” which has been targeting military personnel, activists, journalists and lawyers all across the world. The Dark Caracal malware campaign appears be traced back to the Lebanese government. The malware affects Android mobile devices primarily but other systems like Windows could be affected as well. 
The Dark Caracal malware has the capability to install trojanized versions of popular secure messaging apps like Signal and WhatsApp, as well as gain access to text messages, photos and data from other apps. This doesn’t mean that the legitimate apps you may be using (like Signal) are infected with malware; it means the malware operators trick you into installing a fake version of that app, served from a look-alike download site rather than the official app store. The Dark Caracal campaign uses phishing and social engineering through WhatsApp messages and Facebook Group posts to get the malware onto the device. EFF Director of Cybersecurity Eva Galperin said “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.” This is not the first case of a large global mobile malware campaign. The Pegasus mobile malware, which targets Apple iOS (an Android version was later identified as well), has been used by nation states such as the United Arab Emirates and the Mexican government to target individuals since at least 2016. It’s important to note that anyone could be a target for mobile malware; you don’t necessarily have to be targeted by a nation state! So what can you do to protect yourself? First and foremost, be aware that phishing attacks typically start with emails, texts and social media posts and always try to elicit some type of urgent response or emotion from you to get you to click a link or provide sensitive information like passwords. Install apps only from the official app store, and be suspicious of any message that links you to a “secure” version of an app you already have. Our advice? Think before you click! Check out previous episodes of the Shared Security Podcast where we talk about phishing and social engineering if you’re interested in learning more.

The number two story of the week is the Meltdown and Spectre vulnerability patching debacle. In fact it’s such a debacle that the creator of the Linux operating system, Linus Torvalds, has said “All of this is pure garbage. The patches are COMPLETE AND UTTER GARBAGE. …They do things that do not make sense.” If you’re not familiar with the Meltdown and Spectre vulnerabilities, here’s the deal: at the beginning of the month, security researchers publicly disclosed two critical classes of vulnerability in modern computer processors (or CPUs). Both abuse speculative execution: the CPU works ahead on instructions before it knows whether they are allowed, and the traces that work leaves in the CPU cache can be measured to read memory the attacker should never see. That lets a program (even JavaScript in a web page, in the case of Spectre) access data on the system that would otherwise be very difficult to obtain, such as passwords stored in your browser, photos, emails and even documents. The reason this problem is so big is that it affects many different types of systems, including personal computers, mobile devices and systems in the “cloud”: Meltdown affects most Intel processors made since the mid-1990s, and Spectre affects essentially every modern processor that uses speculative execution, including chips from Intel, AMD and Arm. The guidance from processor manufacturers like Intel has been to install the patches released by operating system vendors like Microsoft and Apple, plus processor microcode (firmware) updates, while they figure out how to fix these vulnerabilities in future processors. But not so fast! Some of these patches have already been rolling out and have been causing lots of problems, like the infamous “blue screen of death” on some Microsoft Windows systems (mostly older AMD machines) and unexpected reboots on Intel systems. So now Intel has come out to say stop installing its current microcode updates because they are causing more problems than they solve, and computer vendors such as Dell, HP and Lenovo are pulling the BIOS updates that carried them and have notified customers that the existing updates are defective. It’s literally a total mess out there folks. The best course of action for now is to hold off on the firmware updates until the vendors come up with a revised plan, while still keeping your operating system and browser up to date. Stay tuned, I’m sure it’s going to continue to be a wild ride!

Our final news story of the week is last week’s launch of the very first Amazon Go grocery store in downtown Seattle. Amazon Go is Amazon’s “grocery store experiment” which allows you to simply scan your Amazon Go app at the entrance, grab what you want off the shelves, put it in your bag and then walk out. No cashiers, no wait. Your receipt is then emailed to you shortly after leaving the store. Sounds pretty cool, huh? Well, what you may not realize is that there are potentially hundreds of cameras watching your every move in the store. Obviously, this goes beyond preventing shoplifting; it is actually part of the tech that makes a store like this work. For example, how does Amazon know if I take an item off the shelf and return it back to where it was? What if I hand an item to another person I’m shopping with, do they get charged for it or do I? Well, shopping scenarios like these are all addressed with cutting edge surveillance technology that Amazon isn’t so keen to talk about. All that Amazon has said so far is that this technology is very similar to what’s being used in self-driving cars. Amazon states that it’s using things like sensor fusion and deep learning…basically AI technology. There’s not a lot of info about how all this technology is being used within an Amazon Go store and how data about you, like video footage, is being processed or stored. The other day I did a little research on this and noted that the Amazon Go “Terms of Use” says only that they use “in-store technology” and “cloud computing” to determine the items you select. A quick review of the Amazon Privacy Notice, on the other hand, has no details about what Amazon Go technology does with your information. All we can say for now is that it’s in the “cloud” along with everything else Amazon has about you. Hey, Alexa…where does your data live? That’s what I thought.

That’s a wrap for this week. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook and Twitter and even on Instagram. You can also subscribe and listen to our podcast on iTunes, Google Play, Stitcher and even on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback [aT] sharedsecurity.net. Thanks for listening and see you next Monday for another episode of the Shared Security Weekly Blaze. The post The Shared Security Weekly Blaze – Dark Caracal, Meltdown and Spectre Debacle, Amazon Go appeared first on Shared Security Podcast.
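For readers who want to know where their own machines stand before deciding whether to wait out the Meltdown and Spectre patch mess described above: Linux kernels from 4.15 onward report mitigation status per issue under /sys/devices/system/cpu/vulnerabilities. The Go program below is an added example, not code from the podcast or from any vendor; it reads that directory, flags anything the kernel still reports as Vulnerable, and falls back to a constructed sample directory when the real path is absent (the sample values are illustrative, not taken from a real host).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// VulnStatus is one entry from /sys/devices/system/cpu/vulnerabilities.
// Exposed is true when the kernel reports "Vulnerable" (with or without
// detail); "Not affected" and "Mitigation: ..." both count as not exposed.
type VulnStatus struct {
	Name    string
	Status  string
	Exposed bool
}

// ReadVulnerabilities parses every file in dir. Pass the real sysfs path on
// a Linux host, or a constructed directory for an offline run.
func ReadVulnerabilities(dir string) ([]VulnStatus, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []VulnStatus
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		raw, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		status := strings.TrimSpace(string(raw))
		out = append(out, VulnStatus{
			Name:    e.Name(),
			Status:  status,
			Exposed: strings.HasPrefix(status, "Vulnerable"),
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// Unmitigated returns the names of entries the kernel still reports as Vulnerable.
func Unmitigated(list []VulnStatus) []string {
	var names []string
	for _, v := range list {
		if v.Exposed {
			names = append(names, v.Name)
		}
	}
	return names
}

// writeSample builds a constructed sysfs-like directory so the example runs
// offline. The values are illustrative: one mitigated, one still exposed.
func writeSample(dir string) error {
	sample := map[string]string{
		"meltdown":   "Mitigation: PTI\n",
		"spectre_v1": "Mitigation: __user pointer sanitization\n",
		"spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
	}
	for name, body := range sample {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir := "/sys/devices/system/cpu/vulnerabilities"
	if _, err := os.Stat(dir); err != nil {
		// Not on a recent Linux kernel: fall back to the constructed sample.
		dir, _ = os.MkdirTemp("", "vulns")
		defer os.RemoveAll(dir)
		if err := writeSample(dir); err != nil {
			fmt.Println("sample setup failed:", err)
			return
		}
		fmt.Println("(using constructed sample data in", dir+")")
	}
	list, err := ReadVulnerabilities(dir)
	if err != nil {
		fmt.Println("read failed:", err)
		return
	}
	for _, v := range list {
		fmt.Printf("%-12s %s\n", v.Name, v.Status)
	}
	if bad := Unmitigated(list); len(bad) > 0 {
		fmt.Println("still vulnerable:", strings.Join(bad, ", "))
	}
}
```

A "Mitigation:" line means the kernel-side fix is active; the Spectre variant 2 entry only moves past "Vulnerable" once both a retpoline-built kernel and stable microcode are in place, which is exactly the piece Intel pulled back. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports separately whether the OS mitigations and the firmware support are present and enabled.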
Jan 4, 2018 • 54min

The Shared Security Podcast Episode 71 – Special Guest Rebecca Herold “The Privacy Professor” (@PrivacyProf)

This is the 71st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Rebecca Herold recorded December 13, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview and discussion about privacy with Rebecca Herold Rebecca has over 25 years of IT, info sec, privacy & security experience; is CEO & Founder (2004) of Rebecca Herold & Associates, LLC, aka The Privacy Professor(R); and President & Co-Founder (2014) of SIMBUS360. Rebecca is also an entrepreneur, author and Adjunct Professor for the Norwich University Master of Science in Information Assurance Program. Rebecca has led the NIST Smart Grid privacy group since June 2009 and has been an officer for the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group since June 2015. Rebecca has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 19 books to date, chapters in many books and hundreds of articles. In this podcast we discuss Rebecca’s background in privacy, how she got into her area of expertise as well as her thoughts on the evolution of privacy policies (aka: privacy notices that are found on websites and services that you may use). Thanks again to Rebecca for being a guest on the show! Be sure to connect with Rebecca through her website, Twitter, and LinkedIn. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! 
The post The Shared Security Podcast Episode 71 – Special Guest Rebecca Herold “The Privacy Professor” (@PrivacyProf) appeared first on Shared Security Podcast.
Dec 14, 2017 • 35min

The Shared Security Podcast Episode 70 – Insider Threat Psychology with Special Guest Dr Helen Ofosu

This is the 70th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Dr Helen Ofosu recorded November 29, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview and discussion about insider threat psychology with Dr Helen Ofosu Dr Ofosu has more than 15 years of experience using industrial and organizational psychology in the business and government sectors. Dr Ofosu brings her vast knowledge, sensitivity, and special brand of humor to her career consultations, business, and government clients, and her presentations and speaking engagements. In this podcast Scott and Tom discuss insider threat psychology with Dr Ofosu, how to address insider threats in the workplace as well as what the most common “psychological factors” are that manifest as insider security threats to organizations. We also discuss some recent news stories about insider threats and what they mean to you and your organization. Thanks again to Dr Ofosu for being a guest on our show! Be sure to connect with Dr Ofosu through her website, Twitter, Facebook and LinkedIn. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 70 – Insider Threat Psychology with Special Guest Dr Helen Ofosu appeared first on Shared Security Podcast.
Nov 7, 2017 • 28min

The Shared Security Podcast Episode 69 – Amazon Key, KRACK and DUHK Attacks, New Devices to Steal a Car

This is the 69th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded October 25, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Amazon Key opens your home for indoor deliveries A new Amazon Prime service now allows package couriers access to your home to drop off deliveries. The system uses an Amazon smart lock and a connected camera. Innovation, or invasion of privacy and security nightmare? Tom and Scott debate the pros and cons!

Severe WiFi security flaw puts millions of devices at risk (KRACK) A new attack called KRACK (Key Reinstallation Attack) on the current standard for WiFi security (WPA2) lets an attacker within radio range trick a device into reinstalling an encryption key it is already using, which resets the per-packet counter the encryption depends on. Once keystream is reused, the attacker can decrypt traffic on a WPA2 network (and, against some clients and cipher configurations, inject packets) without ever learning the WiFi password. The flaw is in the WPA2 protocol itself, so every vendor’s implementation is affected. While patches for most modern devices and operating systems will be released (i.e. Apple iOS, Windows 10, etc.), many devices such as older Android phones and IoT devices may never get patched. Tom also mentioned sslstrip, a tool that can be used alongside this attack to “downgrade” HTTPS connections to plain HTTP so the decrypted traffic is readable.

DUHK (Don’t Use Hard-coded Keys) Vulnerability Another recent attack (with a funny name) was announced against a specific type of random number generator, the ANSI X9.31 design, as implemented in certain VPN products. X9.31 builds random output from a block cipher and is only as secret as its seed key; DUHK showed that some products ship that key hard-coded in the firmware, so anyone who can read the firmware can reconstruct the generator’s output and decrypt VPN sessions. Specifically, VPNs running affected versions of FortiOS 4.x are vulnerable. If you or your business uses one of these VPNs make sure you patch ASAP.

Just a Pair of These $11 Radio Gadgets Can Steal a Car Stealing cars just got easier with a recently updated relay attack on the keyless entry systems that cars use: one radio placed near the key fob and another near the car relay the signals between them, so the car believes the key is right next to it. Researchers have now demonstrated how easy it is to steal a car with just a pair of $11 radio gadgets. Best way to prevent this (until car manufacturers can address the vulnerability) is to keep your car key in a “Faraday bag” or metal protective sleeve, like the ones sold for wallets to protect RFID-enabled credit cards. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 69 – Amazon Key, KRACK and DUHK Attacks, New Devices to Steal a Car appeared first on Shared Security Podcast.
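Why a reinstalled key is so damaging, following on from the KRACK story above, deserves a closer look. WPA2’s CCMP encryption is AES in counter mode, and the counter is seeded from a per-packet number that must never repeat under one key. KRACK replays message 3 of the four-way handshake so the client reinstalls the key it already has, and the packet number goes back to its starting value, so frames sent after that reuse keystream already seen on the air. The Go program below is an added example, not code from the podcast or from the KRACK researchers: it uses AES-CTR as a stand-in for CCMP’s confidentiality layer (the CBC-MAC integrity part and the address bits in the nonce are left out), constructs two HTTP frames as sample traffic, and shows that with the packet number reset an attacker who can guess one frame reads the other without the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrEncrypt stands in for the confidentiality half of CCMP: AES in counter
// mode under the pairwise temporal key, with the counter seeded from the
// per-packet number (PN). Real CCMP also authenticates each frame with
// CBC-MAC and mixes the transmitter address into the nonce; neither changes
// the keystream-reuse problem shown here, so both are omitted.
func ctrEncrypt(ptk []byte, pn uint64, plaintext []byte) []byte {
	block, err := aes.NewCipher(ptk)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	for i := 0; i < 8; i++ {
		iv[aes.BlockSize-1-i] = byte(pn >> (8 * i))
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// recoverWithKnownPlaintext is the attacker's side. Given two frames that
// were encrypted under the same key and the same PN, plus the plaintext of
// the first (a predictable request header, say), it recovers as much of the
// second frame as the two overlap. The key is never learned; the keystream is.
func recoverWithKnownPlaintext(c1, c2, p1 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	if len(p1) < n {
		n = len(p1)
	}
	recovered := make([]byte, n)
	for i := 0; i < n; i++ {
		keystream := c1[i] ^ p1[i]
		recovered[i] = c2[i] ^ keystream
	}
	return recovered
}

// Demo encrypts two frames. With pnReset=true the second frame is sent after
// a key reinstallation, so its PN has gone back to 1 and the keystream
// repeats. Returns what the attacker recovers and what was really sent.
func Demo(pnReset bool) (recovered, actual []byte) {
	ptk := bytes.Repeat([]byte{0x42}, 16) // constructed session key, unknown to the attacker
	frame1 := []byte("GET /login HTTP/1.1\r\nHost: example.test\r\n")        // attacker can guess this
	frame2 := []byte("POST /login HTTP/1.1\r\nCookie: session=abc123\r\n") // attacker wants this

	c1 := ctrEncrypt(ptk, 1, frame1)
	pn2 := uint64(2)
	if pnReset {
		pn2 = 1 // the key-reinstallation effect: PN restarts from its initial value
	}
	c2 := ctrEncrypt(ptk, pn2, frame2)
	return recoverWithKnownPlaintext(c1, c2, frame1), frame2
}

func main() {
	for _, reset := range []bool{false, true} {
		got, want := Demo(reset)
		fmt.Printf("PN reset=%-5v recovered %q\n", reset, got)
		fmt.Printf("              actual    %q\n", want[:len(got)])
	}
}
```

With distinct packet numbers the recovered bytes are garbage; with the reset they are the second request, cookie included. Once the WiFi layer is stripped, whatever rides on top is exposed unless it carries its own encryption, which is where sslstrip comes in: it is a separate man-in-the-middle step that keeps the victim on plain HTTP so the recovered bytes are readable.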
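The mechanism behind the DUHK story above, as an added example rather than the researchers’ code or Fortinet’s implementation: ANSI X9.31 generates random blocks with a block cipher under a seed key K, and the attack is simply that when K is hard-coded, the generator can be run backwards from its own output. Below, a hypothetical device generates three outputs with a constructed hard-coded key and a secret seed; the attacker, holding only the key and the first two outputs, brute-forces the timestamps used as X9.31’s date/time input (the timestamp layout, the search window and knowing the third call’s time are all assumptions) and predicts the third. In a VPN those outputs would be the handshake nonces and key material, which is how the session gets decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// X931 is the ANSI X9.31 block-cipher PRNG, here with AES-128 as E_K.
// Each call takes a date/time block DT and updates the secret state V:
//
//	I = E_K(DT)    R = E_K(I xor V)    V' = E_K(R xor I)
//
// Its security rests entirely on K staying secret. DUHK's observation is
// that some products ship K hard-coded in firmware, so anyone with the
// firmware image has it. (Added example; DT layout and timing are assumed.)
type X931 struct {
	blk cipher.Block
	V   [16]byte
}

func NewX931(key []byte, seed [16]byte) *X931 {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &X931{blk: blk, V: seed}
}

func xor16(a, b [16]byte) (o [16]byte) {
	for i := range o {
		o[i] = a[i] ^ b[i]
	}
	return
}

func enc(b cipher.Block, in [16]byte) (out [16]byte) {
	b.Encrypt(out[:], in[:])
	return
}

func dec(b cipher.Block, in [16]byte) (out [16]byte) {
	b.Decrypt(out[:], in[:])
	return
}

// DT builds the date/time block from a microsecond timestamp. The layout is
// constructed; real implementations vary, which is part of what is brute-forced.
func DT(usec uint64) (dt [16]byte) {
	binary.BigEndian.PutUint64(dt[8:], usec)
	return
}

// Next returns one 16-byte output block for the given DT and advances V.
func (g *X931) Next(dt [16]byte) [16]byte {
	i := enc(g.blk, dt)
	r := enc(g.blk, xor16(i, g.V))
	g.V = enc(g.blk, xor16(r, i))
	return r
}

// RecoverState is the attacker's side. Knowing K and two consecutive outputs
// r1, r2 (e.g. nonces pulled from a captured handshake), and that both calls
// happened somewhere in [lo, hi] microseconds, it brute-forces the two
// timestamps, inverts the generator to get V, and returns a clone whose
// state matches the victim's after r2. ok is false if nothing in the window fits.
func RecoverState(key []byte, r1, r2 [16]byte, lo, hi uint64) (g *X931, t1, t2 uint64, ok bool) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	for t1 = lo; t1 <= hi; t1++ {
		i1 := enc(blk, DT(t1))
		// R = E_K(I xor V) inverts to V = D_K(R) xor I; this step needs K.
		v0 := xor16(dec(blk, r1), i1)
		for t2 = t1; t2 <= hi; t2++ {
			cand := &X931{blk: blk, V: v0}
			cand.Next(DT(t1)) // reproduces r1 and advances V
			if cand.Next(DT(t2)) == r2 {
				return cand, t1, t2, true
			}
		}
	}
	return nil, 0, 0, false
}

// Demo plays both sides: a device with a hard-coded key and an unknown seed
// emits three outputs; the attacker sees the first two, recovers the state
// and predicts the third. Returns (predicted r3, actual r3, recovered?).
func Demo() (predicted, actual [16]byte, ok bool) {
	hardcodedKey := []byte("firmware-const-k") // 16 bytes, constructed
	var seed [16]byte
	copy(seed[:], "unguessable-seed") // never known to the attacker
	victim := NewX931(hardcodedKey, seed)
	const base = uint64(1_700_000_000_000_000)
	r1 := victim.Next(DT(base + 123))
	r2 := victim.Next(DT(base + 131))
	r3 := victim.Next(DT(base + 140))

	att, _, _, found := RecoverState(hardcodedKey, r1, r2, base+100, base+200)
	if !found {
		return predicted, r3, false
	}
	// The third call's DT is assumed to be pinned down from packet timing.
	return att.Next(DT(base + 140)), r3, true
}

func main() {
	predicted, actual, ok := Demo()
	fmt.Println("state recovered:", ok)
	fmt.Println("predicted r3:", hex.EncodeToString(predicted[:]))
	fmt.Println("actual    r3:", hex.EncodeToString(actual[:]))
}
```

The seed V is never guessed; it falls out of one decryption once K is known, which is why the fix is not a better seed but a key that is generated per device and kept out of the firmware image. A generator whose key is recoverable from the product is no better than a counter.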
Oct 9, 2017 • 32min

The Shared Security Podcast Episode 68 – Special Guest Chris Hadnagy, Innocent Lives Foundation, Social Engineering

This is the 68th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Chris Hadnagy from the Innocent Lives Foundation and Social-Engineer.org recorded September 27, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast: Interview with Chris Hadnagy from the Innocent Lives Foundation Chris Hadnagy is a professional social engineer, founder of Social-Engineer.org, book author, host of the Social Engineer Podcast and founder of the Innocent Lives Foundation. Chris talks to us about his new organization and  discusses the topic of social engineering. Please help support Chris’ organization which has a mission to unmask child predators in order to bring them to justice. You can find out more about volunteer opportunities as well as providing financial support at the Innocent Lives Foundation website. Chris also talks with us about the art of Social Engineering and what you can do to educate and protect yourself. Lastly, Chris provides a recap from the recent DEF CON Social Engineering CTF event. As mentioned on the show, be sure to check out this video from the Veracode blog about the winner from this year’s event. Thanks again to Chris for being our guest! The post The Shared Security Podcast Episode 68 – Special Guest Chris Hadnagy, Innocent Lives Foundation, Social Engineering appeared first on Shared Security Podcast.
Sep 11, 2017 • 36min

The Shared Security Podcast Episode 67 – SpamBot Exposed, Mobile App Tracking, Smart Lock Fail

This is the 67th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded September 6, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Over 711 Million Email Addresses Exposed From SpamBot Server Apparently, one of the largest caches of email addresses and SMTP credentials ever found has been discovered, sitting on an open spambot server. The list was used to distribute spam and banking malware; the SMTP credentials let the spammers relay their messages through legitimate mail servers so they were more likely to get past filters. Tom and Scott recommend that you sign up for breach notifications from Troy Hunt’s “Have I Been Pwned” service so you can take action to change any account passwords if necessary.

465k patients told to visit doctor to patch critical pacemaker vulnerability What happens when your wireless pacemaker requires a firmware update to patch a serious vulnerability? You’ll need to head into your doctor’s office for an update. That’s what happened to nearly 465,000 patients that have this particular brand of pacemaker.

A security researcher discovered AccuWeather app tracked, shared your location — even if you ‘opt out’ Mobile apps that share your location, even when you opt out, are very common. This app in particular still tracks your location via WiFi (it sent the name and hardware address of the router you were connected to, which is enough to geolocate you) and doesn’t need your GPS. This is yet another reminder to read the app’s privacy policy, but also to be aware that many apps don’t disclose who they share your location data with. In related news, the popular app “Sarahah” will quietly upload your address book. This is more of a problem on older Android devices: versions before Android 6.0 grant every permission at install time, so there is no runtime prompt to “allow” sharing of your address book.

Update gone wrong leaves 500 smart locks inoperable Smart lock manufacturer LockState pushed the wrong firmware update to approximately 500 devices, which made them inoperable.
This is a great lesson in regards to how not to update IoT devices and the customer service nightmare that will happen when things like this go wrong. Just remember, you take a risk when using devices like these! Especially when they are used for physical security. Scott’s Amazing Tip of the Month… (they don’t happen very often) Here’s how to make yourself less annoying to your friends on Facebook by turning off “New Friend Reports”. Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 67 – SpamBot Exposed, Mobile App Tracking, Smart Lock Fail appeared first on Shared Security Podcast.
