Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Aug 1, 2017 • 30min

The Shared Security Podcast Episode 66 – Ring Doorbell Camera Review, Traffic Apps, Amazon Echo

This is the 66th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded July 24, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Tom’s review of the Ring doorbell camera
Tom discusses his recently purchased Ring doorbell camera, some of the features, challenges and tips for use. Disclaimer: This review was not sponsored by Ring…although we’re happy to test other Ring products if Ring would like to get in touch with us.

When traffic apps hit diminishing returns
Using an app like Waze has huge benefits when navigating traffic situations. However, many things can go wrong, especially if the app tells you to take a route that everyone else is taking to avoid a traffic situation, or when others purposely report an “accident” when there is no accident just to route traffic out of their neighborhoods. What a wonderful time to be alive!

Verizon Data of at Least Six Million Users Leaked Online
Verizon was recently a victim of a data breach that affected six million customers. What makes this breach different is that it was caused by one of Verizon’s third-party partners, which accidentally misconfigured an Amazon S3 cloud-based data repository that was set to “public”. A great example of why third-party security is so important to businesses.

New iOS update fixes a very dangerous bug
If you have an Apple iOS device you should update to iOS 10.3.3 ASAP. You should also update your Android device if you happen to have one of the listed vulnerable Android devices (see this page for more info). This update fixes a very serious vulnerability in the Broadcom wifi chip on the device. The researchers that discovered this vulnerability discussed (at the BlackHat conference in Las Vegas last week) how they were able to take over a vulnerable device all through a wifi connection.

Surprise, Echo Owners, You’re Now Part of Amazon’s Random Social Network
Did you know that if you have an Amazon Echo device you can use it to make voice calls and send messages to other Echo owners? Sounds great, except that by default Amazon needs access to your entire contact list to see who else is an Amazon Echo owner, which allows everyone to be able to call each other. This is fine except, how many of your contacts do you “really” know? Many times we put temporary contacts or have people in our contact list that we really don’t want to talk to again (old bosses?). Unfortunately, Amazon doesn’t allow you to choose who you want to connect with…it’s all or nothing.

Please send any show feedback, suggestions for future guests and topics to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 66 – Ring Doorbell Camera Review, Traffic Apps, Amazon Echo appeared first on Shared Security Podcast.

Jul 7, 2017 • 25min

The Shared Security Podcast Episode 65 – Smart TV Hacks, New Privacy Concerns, Phishing for Selfies

This is the 65th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded July 6, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Smart TV hack embeds attack code into broadcast signal—no access required
A new vulnerability has been discovered in the way Smart TVs use “Digital Video Broadcasting — Terrestrial” (or DVB-T) to receive TV signals. There is low risk on this one as the attack requires a specialized transmitter, but it’s interesting to see more research on other ways that new TV technology could be exploited.

Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data
Many sites are now taking advantage of a new technology that will send information that you’re filling out in a web form to a third party even before you hit the “submit” button. To make matters worse, many of these sites are not informing users through their privacy policy that this activity is taking place. Yet another reason “auto-complete” in your web browser might not be the best feature to keep enabled from a privacy perspective.

Facebook is testing a feature that stops profile photo theft
Profile photo theft is a real problem on Facebook and is being used for countless scams. It’s good to see Facebook trying to find new ways to prevent others from stealing your profile pictures. However, there are many ways around these controls and this will remain a very hard problem to solve.

What’s worse than getting phished? Getting phished *and* sending a selfie of your Photo ID and credit card
It’s hard to believe but this real phishing attack seems to be working. Bottom line: never, ever respond to a request for you to take a selfie with your credit card and/or driver’s license to prove your identity.

Jun 9, 2017 • 34min

The Shared Security Podcast Episode 64 – Ultrasonic Ads, Home Security Vulnerabilities, Printer Tracking Dots

This is the 64th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded June 7, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

More Android phones than ever are covertly listening for inaudible sounds in ads
Marketers can now use apps to listen for “beacons” that indicate when a person is watching a specific TV commercial or other type of audio. If you have an Android phone, there are many apps that are using these functions and violating privacy policies set by Google.

Attackers can use video subtitles to hijack your devices
Even the movies you watch on your computer or mobile device can be a target for malware distribution. A serious vulnerability was found in several popular media players (VLC, Kodi (XBMC), Popcorn-Time and strem.io) which allowed a malicious subtitle file to be downloaded to the victim’s device. The vulnerability would allow an attacker to take complete control of the device. Patch your media players!

Printer Tracking Dots Back in the News
Several years ago there was a lot of news about “printer tracking dots” and how your printer could be used to track who printed a specific document and where. Recently, this topic has come back in the news with the arrest of Reality Leigh Winner (yes, that’s her real name) who is accused of leaking a document from when she worked as a contractor for the NSA. Guess how she was found? Printer tracking dots!

Multiple Home Security Vulnerabilities
The security of your home is very important so it’s good to talk about some recent vulnerabilities that were disclosed (now fixed) from several major home security systems including Comcast XFINITY, ADT, and AT&T Digital Life. While the severity of these issues was low, it’s always good to keep an eye on issues like these. Side note: Tom now has a Ring Doorbell Camera…he may have done some “testing”…stay tuned for the next episode to learn more.

Summary of the ‘WannaCry’ ransomware attack
I’m sure by now you’ve heard about the massive ransomware attack from a few weeks back (thanks to the NSA’s recently released tools). Scott and Tom provide a short and brief summary to explain what happened and what you should do. It’s been in the news so much lately…we just wanna cry about it!

Lastly, co-host Tom Eston was featured in a blog on Becoming the best Infosec Leader, Even Under Difficult Circumstances. Check it out!

May 2, 2017 • 49min

The Shared Security Podcast Episode 63 – Special Guest Jayson E. Street, Misconceptions About VPNs

This is the 63rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston, Scott Wright and special guest Jayson E. Street recorded April 12, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Interview with Special Guest Jayson E. Street
In this episode we were joined by “notorious” hacker Jayson E. Street who is the InfoSec Ranger at Pwnie Express, Senior Partner at Krypton Security, CEO of Stratagem 1 Solutions and author of several books. Here is a short snippet of his bio:

“Jayson battled a dragon during the Fire Run in Barcelona Spain. He ‘accidentally’ broke into a shark tank in the Dominican Republic and climbed the pyramid of Giza (until the guards carrying AK-47s expressed their displeasure). He consulted with the Secret Service in 2007 on the WIFI security of the White House, and has had tea with a Lebanese General in Beirut. Jayson never finished High School but does have his GED. His first book is used as course material at four colleges in three countries (that he knows of), and he has spoken at numerous universities in the US and gave an eight-hour lecture at the Beijing Institute of Technology in 2014. Outside of standardized education, Jayson has spoken seven times at DEF CON, at the first five DerbyCons and at many other Cons (Hack in Paris, Nuit Du Hack, IT-Defense, SYSCAN360, PH-Neutral, etc…) around the world. Jayson is only one degree away from Kevin Bacon after awkward hugging Oliver Stone and Jimmy Fallon. He started in security and law enforcement over 30 years ago and has always striven to make things more secure. Jayson has been in the Information Security industry for over 17 years, and once broke into a high scale hotel in the South of France – barefoot – wearing Teenage Mutant Ninja Turtles pajamas. He was also noted as the best janitor of all McDonald’s in the South East Texas region for 2 consecutive years.”

Jayson provides us his perspective on the current state of privacy and security in the world and his thoughts on VPNs, and we hear stories about his most interesting adventures including breaking into banks and other organizations (with permission of course). We also find out how he became Time Magazine’s “Person of the Year” in 2006 (true story!). Jayson is probably the most interesting hacker and security professional you will ever meet!

Jayson is going to be on the National Geographic series “Breakthrough” called “Cyber Terror” which airs Tuesday, May 9th at 10pm Eastern on the National Geographic Channel. You can see a preview of Jayson and this really cool series at the National Geographic website.

Misconceptions about VPNs
There is a lot of talk about using VPNs given the recent news that ISPs in the US can now sell your data. However, there are many misconceptions going around about VPNs and how they should be used from a privacy perspective. Jayson, Tom and Scott share their thoughts on this topic and what VPNs should be used for.

Someone hacked every tornado siren in Dallas
While it may not have been “hacking” (more so “phreaking”), it goes to show you what can happen when critical infrastructure has been compromised or simply malfunctions.

Mar 9, 2017 • 32min

The Shared Security Podcast Episode 62 – CloudBleed, Wifi Risks, ATM Skimmers

This is the 62nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded March 1, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

“CloudBleed” what is it and are you affected?
Internet company Cloudflare recently discovered that they were vulnerable to a rather significant memory leak in which “1 in every 3,300,000 HTTP requests through Cloudflare” was potentially exposed. What this means is that if you were using one of the 3,400 applications that were exposed through the Cloudflare vulnerability, some sensitive information (such as passwords) could have been leaked. On the podcast we discuss that the impact to you is most likely extremely low; however, it’s a good reminder to periodically change your passwords, especially for sites you consider high risk. You can use the search function on this site to see if any applications you use were exposed. This is also a great technical write-up if you’re interested in more details on what happened.

Hackers can access your phone via Wi-Fi – even when it’s not connected
Notorious hacker (and good guy) Jayson E. Street did a good story for a local news station in Boston about how someone could be trying to get your phone or other device to connect to their malicious wifi access point while you travel through airports and other public places. This is something to be aware of while you travel and it’s probably a good idea to just leave your wifi and bluetooth disabled while you’re not using them. Side note: we need to get Jayson on the podcast!

ATM Skimmers in the wild
ATM skimmers are getting more sophisticated and harder to detect. Our advice is to double check ATMs and other credit card machines for anything unusual before you use them.

Frank Abagnale, world-famous con man, explains why technology won’t stop breaches
Very good read from one of the most famous social engineers in modern history. Frank explains why technology won’t stop breaches and why it really comes down to people and education.

Children’s Voice Messages Leaked in CloudPets Database Breach
Scott discusses a data breach in the “CloudPets” database that someone was able to access. Unfortunately, these types of attacks are becoming more common and are very concerning considering children’s private information is involved.

We made a list!
Looks like the podcast made a list of popular information security podcasts. Pretty cool! Check out the list of other great podcasts.

Feb 21, 2017 • 31min

The Shared Security Podcast Episode 61 – Home Device Hijacking, Used Device Security, Creepy Facebook Search Tool

This is the 61st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded February 15, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Here Is How to Fend Off a Hijacking of Home Devices
This article has some very good tips on how to secure your IoT devices and home network. Here are our suggestions as well:
1. Research the device you’re about to buy. Google search for the “device name” and “security vulnerabilities”. Read their privacy policy!
2. Create a second wireless network for your smart devices (utilize the “guest” network feature). Ensure a strong passcode using WPA2.
3. Change default passwords on all IoT devices (if you can!), especially your wifi router.
4. Register your product with the manufacturer to be updated on new firmware and security issues.

Used government computers bought at auction filled with personal information
It’s hard to believe that you can still buy previously owned computer equipment (in this case from the local government in Houston, Texas) and find a treasure trove of personal data! This news story is a great reminder to always erase and/or wipe the data from your personally owned devices (laptops, iPads, phones, etc.) before selling them to someone else!

Facebook’s Creepiest Search Tool Is Back Thanks to This Site
This “creepy” new search tool is called “Stalkscan” and it gives you a web front-end that will create creative “Facebook Graph” searches. The application shows a lot of information if you’re not careful with your FB privacy settings. You can also search for others and what information they’ve posted publicly as well. Note that this site does not bypass any Facebook privacy settings; it just shows you what you and others have publicly available. Want to fix this? Adjust your Facebook privacy settings for specific posts or for all posts going forward.

Hotel ransomed by hackers as guests locked out of rooms
What could possibly go wrong when someone hacks a hotel, locks everyone out of their room and demands a ransom paid in Bitcoin? Attacks like these are setting an interesting precedent and a potential new form of “ransomware”.

The Confide app is being used by certain paranoid politicians
The Confide app tries to allow “secure” message sharing but this is proving more difficult. See our last episode for our run down of secure messaging apps.

Where has all the climate data gone? To Canada…
Canada is now becoming a safe haven for climate data from the US. Scott gives us his take on this interesting development.

Feb 2, 2017 • 36min

The Shared Security Podcast Episode 60 – The Secure Messaging Episode: Signal, WhatsApp, Facebook Messenger

This is the 60th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded February 1, 2017. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

In this episode we focus on secure messaging apps like Signal, Wire, WhatsApp as well as other popular apps like Facebook Messenger. Tom and Scott delve into the reasons why people are starting to use these apps and the security and privacy features. We also discuss if using these apps for text messaging and phone calls is really more secure than traditional communication methods.

What’s the biggest issue that we found with these apps? Lack of adoption from friends, family and the general public. Many people don’t know these apps exist or think they don’t have good reasons to use them. However, as the famous song by Bob Dylan once said “The Times They Are a-Changin”.

Tom and Scott’s Recommendations:
Our recommended secure messaging app: Signal
If you need a secure way to communicate that many of your friends may already be using: WhatsApp
Using Facebook Messenger? Enable the “Secret” conversation option when starting a new conversation
Honorable mention: Wire

Links and articles mentioned in the podcast:
Good article on the security and privacy features of Signal and WhatsApp
Facebook Messenger and end-to-end encryption
Top 10 best secure messaging apps of 2017

Jan 13, 2017 • 38min

The Shared Security Podcast Episode 59 – Amazon Echo, Wifi Router Security, EFF Privacy Badger

This is the 59th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded January 11, 2017 (Happy New Year!). Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Amazon Is Already Winning the Next Big Arms Race in Tech
If you haven’t heard this mentioned in the news (real news, not the fake news), Amazon’s Echo virtual assistant (Alexa) has been a hot selling device this holiday season. Other recent announcements coming from the CES show in Las Vegas have shown that lots of different products from other manufacturers, from your “smart” refrigerator to your “Internet enabled” patio lights, are all able to be controlled through Amazon’s Echo. We’ve also heard about some very interesting privacy issues where the device can order things off of Amazon without you really knowing and a host of other privacy related challenges. Tom recently purchased an Amazon Echo Dot to test…for science of course!

In related news, did you know Google is recording your voice when you use its voice “search” service? Time to check this out for yourself and adjust those privacy settings if necessary.

Carnival Announces Wearable Medallion, a Device that will Transform Cruising
Hmmm…where have we seen this before? Remember Disney “Magic Bands”? The cruise industry is now implementing similar technology on its cruise ships. Is this any different than what Disney has done and what are some of the privacy issues you should know about?

Popular Netgear wifi home router has critical flaw – Now patched
The media sounded the alarm about a “critical” flaw in the most popular wifi router sold on Amazon (Netgear Nighthawk Series). Unfortunately, many of these stories in the media said to stop using your router immediately. This was not really good advice and the risk of being exploited by this vulnerability would be very rare. Scott and Tom discuss the ramifications of “alarmist” announcements over security vulnerabilities as well as what you should do if you have one of these routers in your home.

Federal Trade Commission comes down on DLINK for poor security
In a rather unprecedented announcement, the FTC in the United States recently issued a lawsuit against DLINK, who manufactures home wifi routers, for poor security practices. Will this become a trend? If it helps improve the security of these devices we’re all for it (within limits).

EFF’s Privacy Badger 2.0 browser plugin
Shout out to the EFF (Electronic Frontier Foundation) who recently released the next version of their Privacy Badger browser plugin. This plugin blocks ads and prevents known “trackers” from pulling information about you and your browsing habits. Here is a full description from the EFF website:

Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it’s like you suddenly disappeared.

We highly recommend installing and using it to protect your privacy while using the Internet. You should also check out all the great tools and other projects that the EFF does to fight for your privacy on the Internet.

Nov 30, 2016 • 28min

The Shared Security Podcast Episode 58 – Snapchat Spectacles, Mobile Number Privacy, PoisonTap

This is the 58th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded November 29, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Privacy Panic? Snapchat Spectacles raise eyebrows
Anyone remember Google Glass (which was a failed product by the way)? This time Snapchat is releasing their own type of wearable tech called “Spectacles”. What are the privacy ramifications to be concerned about? Not much, and we’ll see if they take off with the younger generation. Oh, and don’t be a “Snap-Hole”!

A new app that lets users’ friends ‘virtually walk them home at night’ is exploding in popularity
We think this personal safety app is a great use of GPS and location sharing technology. Hopefully the “Companion” app catches on with college campuses, helping to make people feel safer.

A 10-Digit Key Code to Your Private Life: Your Cellphone Number
We often think about securing information that we deem “private” like an SSN but what about your mobile number? This article explores the privacy and security issues of how your mobile number can be used to find out personal details about you and link this information together. It can be a goldmine for advertisers as well as potential attackers!

Meet PoisonTap, the $5 tool that ransacks password-protected computers
PoisonTap is a device recently released by a security researcher that can be plugged into a “screen locked” computer to intercept web traffic and install backdoor malware. The device is cheap to make with a Raspberry Pi. We don’t think this is a huge threat but businesses should review their desktop/laptop security procedures to ensure devices like these can’t be inserted (locked or unlocked).

What happens when bots start writing code instead of humans
Are we at the point where bots are going to be writing code and all of our security problems will just disappear? Not yet! This is an interesting article that Tom and Scott discuss about how new web and mobile applications are being developed without much “coding” involved. Essentially, with new development frameworks you really don’t need to know anything about computer programming. Of course, like anything, there are positives and negatives to this approach, but education is going to be the key or we’re going to have bots that are programmed by humans to write insecure code (just Tom’s unsupported theory).

Oct 19, 2016 • 34min

The Shared Security Podcast Episode 57 – Dropbox and Yahoo Breach, IoT DDoS, LinkedIn Endorsements

This is the 57th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded October 5, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Hackers Stole Account Details for Over 60 Million Dropbox Users
Have a Dropbox account? Change your password immediately!

Yahoo: The Largest Password Breach in History (and what you should do about it if you use Yahoo services)
This is another breach that happened years ago but we’re just now finding out about it. This breach in particular is the largest ever, 500 million users! Scott and Tom discuss the ramifications of this breach and what you need to do if you use Yahoo services. Also interesting to note that Yahoo was just purchased by Verizon. It will be interesting to see how this acquisition plays out given the recent breach and negative publicity.

Record-breaking DDoS reportedly delivered by >145k hacked cameras
The largest DDoS (Distributed Denial of Service) attack has also taken place! (Many firsts and record-breaking security news this time around.) Scott and Tom discuss who was targeted and how thousands of hacked cameras were used in the attack.

Hackers can track your keystrokes through your Wi-Fi signal
While this headline may seem scary, Scott and Tom discuss why this new threat may not be such a threat after all (at least not right now).

L0phtCrack 7 Shows Windows Passwords Easier to Crack Now Than 20 Years Ago
Password cracking programs like L0phtCrack have not evolved much over the last 20 years because unfortunately not much has changed with password security (especially with Windows systems).

Those chip and PIN cards aren’t as secure as we thought
Chip and PIN is here in the USA! Is it secure? Like anything, everything is hackable. Scott and Tom discuss some new research that was presented at the DEF CON hacking conference that sheds new light on some interesting ways to compromise Chip and PIN. (You can read that as: it’s possible but difficult to pull off.)

Fun with LinkedIn Endorsements (a lesson on client side security)
Want to have fun with your LinkedIn contacts? Here’s a great story about how you can abuse LinkedIn’s “endorsement” feature. (For fun of course!)
