Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Aug 30, 2016 • 47min

The Shared Security Podcast Episode 56 – Chat Bots, Self-Driving Cars, Bitmoji Keyboards

This is the 56th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded August 17, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Bitmoji keyboard for Apple iOS devices wants “Allow Full Access”. How bad is this?
A word of caution about applications that replace, or request access to, the keyboard on your mobile device. A third-party keyboard granted full access can see everything typed through it, so treat that permission prompt seriously.

Over 90 per cent of ICS devices exposed to Internet are vulnerable
Some rather interesting statistics released by Kaspersky recently show that ICS (Industrial Control Systems) devices that happen to be exposed to the Internet are vulnerable. What does this mean for critical systems such as our power grid?

Tesla ‘self-driving’ mode linked to first traffic death in potential setback to autonomous cars
It was bound to happen eventually: the first documented traffic death attributed to the Tesla self-driving feature. Like other new transportation technology (spacecraft, for example), it tends to have problems early on and becomes safer to use over time (statistically speaking).

Facebook activates Safety Check after Orlando massacre
You may have seen a notification from Facebook in your feed if you were geographically near a disaster, offering new ways to “check in” with loved ones. This is a great feature that should help improve communication when a disaster occurs.

Twitter’s ‘blue tick’ Available To The Masses
Twitter’s famous “blue tick” verification process is now open to the public. However, as co-host Tom Eston found out, you still have to be a pretty well known public figure and the process is very subjective. I guess Tom isn’t famous enough to be validated by the Twitter gods as human.

A happy story about a kid’s smart watch that saved him from being kidnapped
We don’t hear a lot about new technology saving lives, but here is one case where it helped keep a kid from being kidnapped.

Scott and Tom discuss chat bots!
What are they and how have they evolved? What risks do they present? Chat bots could have been used in the recent crisis with Delta Airlines.

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 56 – Chat Bots, Self-Driving Cars, Bitmoji Keyboards appeared first on Shared Security Podcast.
Jul 16, 2016 • 50min

The Shared Security Podcast Episode 55 – IoT Horror Stories, Biometrics, Staying Safe Online

This is the 55th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded July 6, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

If Mark Zuckerberg Can Be a Hacking Victim, So Can You
Getting hacked can happen to anyone. This is an interesting read about how a password breach from several years ago can come back to haunt you, especially if the same password was reused on other accounts.

Cool geographic tweet map tool
An interesting tool for seeing tweets plotted on a map by geolocation. You may be surprised what you find, so always be aware that you may be sharing your location with others while using Twitter.

Why you shouldn’t share links on Facebook
Tom and Scott discuss a privacy flaw in Facebook Messenger that many would consider a vulnerability, but it is just how Facebook Messenger was designed. Be careful what links you share via Facebook Messenger!

Warning! CCTV Cameras Sold on Amazon Come with Pre-Installed Malware
More IoT devices have been found on Amazon with malware pre-installed. Be sure to check the reviews and do your research before buying cheap cameras like this.

More IoT horror stories… this time security cams again
A short story about someone who bought and returned a security cam, then kept getting notifications and could view the new owner’s live camera feed. This is a great example of poor hardware design.

Banks are moving to biometrics instead of passwords for authentication
An interesting read on how some large banks are starting to move away from passwords and rely more on the biometrics built into your mobile phone.

So Hey You Should Stop Using Texts for Two-Factor Authentication
Two-factor authentication by SMS text message isn’t as secure as you might think!

Comparing how security experts and non-experts stay safe online
What advice do non-experts give for staying safe online vs. the security experts? This is a fascinating read from the Google security team!

Conficker worm used in new medical device hacks
Conficker is back! This time it is infecting medical devices.
Jun 3, 2016 • 40min

The Shared Security Podcast Episode 54 – Facebook Ad Privacy, Password Breaches, Random USBs

This is the 54th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded June 1, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

How to see all the companies tracking you on Facebook — and block them
Have you ever wondered how all those companies can target you and your interests on Facebook? This is some of the best Facebook privacy advice we’ve seen in a long time.

Cluster of “megabreaches” compromises a whopping 642 million passwords
There have been many password breaches in the news, and these recent ones actually happened years ago; we are only now learning the full extent of them. One suggestion we have to help combat situations like this is to periodically change your passwords. If you make this a habit you limit the window in which someone may already have access to one of your accounts because of an undisclosed password breach. The same good password habits always apply as well: use a password manager and always choose complex and unique passwords for each account, so that one breached site does not hand an attacker the rest of your accounts.

A Whole Lot of Nitwits Will Plug a Random USB Into Their Computer, Study Finds
It’s been some time since we talked about how common it is for people to find random USB drives and plug them into their computers to see what’s on them. This recent academic study reports some interesting results, and as we’ve found out… not much has really changed over the years. If you’ve been following the podcast for a while, Scott Wright did similar research during his Honeystick Project that you might find interesting and related to this new study.

Hacking into homes: ‘Smart home’ security flaws found in popular system
If you have purchased or are using Samsung’s SmartThings IoT platform you should give this article a read. This is another example of “Internet of Things” products that should not be relied on for security purposes because of their significant security issues.

Here’s What It Looks Like When A ‘Smart Toilet’ Gets Hacked
This is a funny video of a hacked “Smart Toilet”. Our professional opinion is that hacking toilets isn’t so funny if you’re the victim.
May 16, 2016 • 37min

The Shared Security Podcast Episode 53 – The VPN Episode, AI Gone Bad, Google Nest

This is the 53rd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded May 4, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Scott and Tom talk about VPNs
What is a VPN and why would you want to use one? Scott also shares a few recommendations for a personal VPN based on his experience using several of them. Here is also a decent list of popular VPNs that you might find helpful.

EZCast vulnerability
Own an EZCast? Be sure to read about this recent vulnerability affecting these popular devices.

Barracuda firewalls aim to protect IoT
Firewall technology is now evolving to protect IoT devices. This one from Barracuda shows the power of this technology, as does the Eero Mesh Router.

Microsoft deletes ‘teen girl’ AI after it became a Hitler-loving sex robot within 24 hours
In other news… this is what can happen when an AI is opened up to the general public to interact with. Hopefully this is a lesson for Microsoft and any other company developing AI for the future.

Google Nest disabling all Revolv devices
This illustrates the risk of buying “connected” devices that can be turned off at will by the owner of the service. This story is another great example of IoT risk when the technology is no longer supported.
Mar 18, 2016 • 41min

The Shared Security Podcast Episode 52 – Creepy New Social Network, Phishing Dangers, Ransomware

This is the 52nd episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright. This episode was recorded March 9, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Unexpected implications arising from the Internet of Things
This was an interesting article about some of the “unexpected” security and privacy things that people don’t really think about. For example, what are the ramifications of IoT technology that might be hacked to create fake sensor and video data for criminal activity? What happens to the security budgets of organizations that need to address these new risks? It’s an interesting time to be in this space. -Tom

Peer-Seeking Webcam Reveals the Security Dangers of Internet Things
This is just one example, but like other new IoT related technology, data is being sent to multiple third parties and peer networks are being created, all without your knowledge. What makes this webcam interesting is that disabling the peer sharing capability doesn’t actually disable anything. How many other devices like this have the same issue? -Tom

Follower: the “creepiest social network” that follows you in real life
Just when you thought the traditional social networks we use were sometimes creepy, here comes “Follower”. Follower is a social network that allows you to have real people follow you around and take pictures of your activities, all without you knowing where your “follower” is. If you’re looking for a real-life stalker this might be the social network you’re looking for. -Tom

Payroll data leaked for current, former Snapchat employees
Two recent breaches highlight the need for more education about targeted phishing attacks. Both Snapchat and Seagate fell victim to a very similar phishing attack targeting payroll information. The attack was very simple and also very easy to spot if you know the signs of an attack like this. -Tom

The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You
Ransomware has been around for a while, but now we’re starting to see the next evolution of this type of malware… where it talks back to you. Give this article a read if you want to know more about how this malware works and what to do if your computer is infected with it. -Tom
Feb 19, 2016 • 45min

The Shared Security Podcast Episode 51 – Online Behavioral Advertising in Canada, Toy Security, Dangerous Apps for Teens

This is the 51st episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special interview guest Andrew Patrick from the Office of the Privacy Commissioner (OPC) of Canada. This episode was recorded February 10, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Online Behavioral Advertising – An interview with Andrew Patrick from the Office of the Privacy Commissioner (OPC) of Canada
Today, Scott had a great discussion with Andrew Patrick regarding OBA, or what some listeners might know as “Tracking Ads”. We discussed why the OPC has an interest in OBA, and how it relates to Canadian privacy legislation. We also looked at one of the recent OBA cases the OPC was involved in, where a person complained that sensitive health information from their searches and web surfing over time was being used to present ads for products to them across many different websites, many of which were not related in any way to the ads being served. Here are some interesting and related articles from the OPC regarding OBA that are worth reading:
A policy position on OBA and the situations when opt-out consent may be appropriate.
A report of an investigation the OPC did into Google’s OBA practices related to a health-related device.
A recent follow-up research report where the OPC surveyed OBA practices across a number of leading Canadian websites.
Thanks to Andrew Patrick and the Privacy Commissioner for making their time and resources available to us on the Shared Security Podcast. It is really encouraging to see the Canadian Government taking such an active role in helping citizens protect their privacy and personal information.

Security Issues with Connected Toys
New technology also comes with great responsibility… even more so if it concerns children. More “smart” toys are being found with security vulnerabilities that could lead to personal information about children being exposed. In this case the app used with the Fisher Price “Smart Bear” had security vulnerabilities that, if exploited, could steal a child’s name, birthdate and gender, along with other data. Fortunately, Fisher Price quickly fixed the issue. -Tom

15 Dangerous Apps Every Parent Should Know About
If you’re a parent with teens you should definitely check out this document of the 15 most “dangerous” mobile apps your teens may be using. I don’t think dangerous is the right word, as some of these apps have legitimate purposes. However, we all know kids will use apps like these for things like sexting and other activity that parents need to be monitoring for. Give this document a read… you might not be aware of some of these apps, and as a parent it’s good to be as educated as possible about them. Also, this document touched a little on this, but there are lots of apps that look legitimate but in fact will “hide” photos and videos inside of them. The most popular with teens seem to be “Calculator +” applications (like this one in the iTunes store). The lesson here is to check out all the apps your teen has on their mobile device and investigate their usage. -Tom

Facebook-prowling predator arrested after mother helps police
This is a good article about how a parent did some investigating of their child’s friends list on Facebook and found a convicted sex offender. There are also some rules for parents (and teens) in the article that are good to review. We talk about these same “social media” rules in many of our podcast episodes. -Tom

Connected devices quietly mine our data, privacy experts say (Scott was featured in this article)
The real message here is that you should realize that we are far from over-reacting to these kinds of risks, and in the big picture, we all need to watch the trends to understand the risks. -Scott
Jan 23, 2016 • 48min

The Shared Security Podcast Episode 50 – Facebook Quizzes, Pre-Crime, Wireless Home Security Systems

This is the 50th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright with special guest Alex Hamerstone from TrustedSec and was recorded January 21, 2016. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

2016 Reality: Lazy Authentication Still the Norm
This is a great story from Brian Krebs’s own personal experience regarding how his PayPal account was “hacked”. It was not “hacked” in the way you would normally think, via stolen credentials or password guessing. His credentials were reset over the phone via some easy social engineering techniques and information that was easily accessible through some Internet reconnaissance. Brian even had a PayPal two-factor authentication token for extra security. It goes to show you that organizations like PayPal need to look at all the different attack vectors that someone would use to gain access to accounts and protect their customers appropriately. -Tom

Stop doing quizzes on Facebook if you place any value on your privacy
It’s been a while since we’ve talked about those Facebook quizzes and surveys that you see many of your friends sharing with you on Facebook. While these may seem fun and harmless on the surface, often these “apps” will collect your email address, list of friends and other personal information from your Facebook account. All of this is done within their legal terms of service, of course! This is not a Facebook specific issue either. The problem lies with the third-party developer who will receive your personal information and what they do with it. This article is a great reminder of what information can be harvested when you take quizzes and surveys like this on Facebook. -Tom

Pre-crime arrives in the UK: Better make sure your face stays off the crowdsourced watch list
I love the movie “Minority Report” because it’s a look into the (rather scary) future of facial recognition and this notion of “pre-crime” identification. In the present we’re already seeing some of the technology mentioned in the movie come to reality, and this article takes the concept a step further by delving into “pre-crime” and determining if someone is about to commit a crime if their face has been identified in several so-called “watch lists”. This is potentially dangerous to innocent people if you tend to look like someone else, or if you find yourself in the “wrong time at the wrong place” kind of situation. It will be interesting to see how this technology and government policies around facial recognition evolve to prevent the innocent from being falsely accused of “crimes” they may never commit. -Tom

The super creepy side of the Internet of Things and smart homes
This is a revisit of some topics we’ve covered in previous episodes. I was fascinated with a statistic from the article that stated: “a Microsoft survey found that 99.6% of people would gladly accept cash in exchange for having their activities tracked, what happens to those who give it up unwillingly because of security vulnerabilities in their smart home appliances?” This is a great question and makes me wonder if many companies that are developing IoT devices (especially ones focused on the consumer ‘smart home’ market) will even start to take vulnerabilities in these devices seriously. -Tom

Xfinity’s Security System Flaws Open Homes to Thieves
Self-installed wireless home security systems like the Xfinity system are all the rage right now with consumers. These wireless alarm systems are now very affordable and reliable, and can help deter and prevent theft. However, how secure are these systems, given that this technology is rather new and now part of the “Internet of Things”? If you own one of these alarm systems this is a great article to make yourself aware of some vulnerabilities these systems have. Sparing you the technical details, essentially this specific wireless security system can be jammed using a device purchased off of eBay or put together on your own for about $130 in easily obtained parts. The casual thief probably won’t go to this level to break into most homes; however, most people that buy these systems post signs outside of their homes advertising the exact security system they have, which also gives away its known vulnerabilities. This is a great example of vendors getting involved to either limit the jamming issue or mitigate the risk by implementing a better alerting system to identify when the alarm system is being jammed. -Tom
Dec 17, 2015 • 38min

The Shared Security Podcast Episode 49 – Google Search Privacy, Smart TV Attacks, Internet Router Risks

This is the 49th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded December 16, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

People’s Deepest, Darkest Google Searches Are Being Used Against Them
You should really always be thinking about how your search queries could end up putting you on a “sucker list”. There seem to be two levels of exploiting your search queries:
Direct categorization by the search engine, which leads to more targeted advertising – We may not think about how the entities that have access to our search queries might use them against us (or for us, in their interpretation – “all the better to serve you relevant content, my dear”). In fact, Mikko Hypponen says in his TED Talk from October 2013, “We are brutally honest with search engines. You show me your search engine history, and I will find something incriminating or embarrassing in 5 minutes.” So, I’d like you to ask yourself, “Do you really want to trust the guys – whose livelihood is derived from selling information about you – to know exactly what your most burning questions are?”
Luring to pages that collect information – These pages try to get you to “self-screen”, using the byproducts of failed searches and application forms (called remnants), which have value to some bottom-feeders. There’s a big profit in just trying to categorize people, especially if they can identify people who are better than average candidates for any type of business they can sell the lists to. There can also be a lot of bait and switch tactics to get around Google’s predator defences.
This is one of the reasons that “data never dies”. As soon as it’s captured, the data is copied and correlated with other data that makes it more valuable. It will quickly end up in a place where you can’t delete it. – Scott

Man-in-the-middle attack on Vizio TVs coughs up owners’ viewing habits
Product vendors need to stop assuming that nobody cares about the data they collect and/or send over the Internet. It used to be that the Internet was mostly insecure because not much was encrypted. Now, with Google, Facebook, Twitter and many of the most popular sites using the TLS standard for encrypting all data to and from their sites (even if it’s not a form with sensitive data), there’s an expectation that if your product doesn’t secure its communications, it can be the weakest link for customer privacy. So, all data has to be encrypted properly, which means using standard protocols for authenticating end points and encrypting messages. Not using proper data security within new products is inexcusable. The reason I say “standard protocols” is that very often, vendors think they are being clever by inventing their own way of hiding or securing data. This rarely works, especially these days, when virtually every new product is being analyzed by researchers or bad guys to find vulnerabilities. There’s plenty of free software available that can do security properly (e.g. http://libsodium.org), so why would you try to invent your own, which is going to cost a lot of money, and more than likely will be bypassed at some point. This is all aside from the fact that many product manufacturers seem intent on violating customers’ privacy to gain added “Lifetime Value” from them. – Scott

BadBIOS is back – this time on your TV
Just like in the days when laptops started to come with built-in webcams, and we recommended covering the camera with some tape, it sounds like it’s time to recommend explicitly disabling microphones on all devices. This is probably easier said than done, though… – Scott

Your Internet router is a security risk
It’s time to dust off that router that never gets touched (or updated). There are many different types of vulnerabilities in those home Internet wifi routers that go beyond not changing the default credentials. It’s worth two minutes to log in to your router and check for any updates that may have been released since you purchased it. – Tom

The Healthcare Internet of Things: Becoming a Reality
IoT goes beyond Fitbits and health tracking apps. Soon we will start to see much more “invasive” use of this technology, including thermostats that automatically adjust based on your body temperature and lights that auto-adjust based on your mood and time of day. If anything, something to be aware of, especially when it comes to your personal information being used by these devices. – Tom

Facebook M — The Anti-Turing Test
While Facebook M is still in beta… it’s interesting to see where AI is going and how we may rely more on AI in the future. I like to mention Facebook M because it’s taking AI like Apple’s Siri to the next level and it shows some of the limitations of AI. Meaning, there may be a “human” assisted infrastructure behind modern AI implementations. It will also be interesting to see how modern AI is secured and the privacy implications associated with this technology. – Tom
Nov 24, 2015 • 38min

The Shared Security Podcast Episode 48 – Password Manager Compromise, Fingerprint Insecurity, Quitting Social Media

This is the 48th episode of the Shared Security Podcast sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and was recorded November 23, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Hacking tool swipes encrypted credentials from password manager
This article, and the associated incident, is an excellent reminder that there is no easy solution to securing EVERYTHING. Using an infected computer presents so many catastrophic scenarios that it’s not really wise to view this problem as a problem with password managers. If a computer is infected with malware, the attacker can capture passwords as you enter them into any site. You could add a 2-factor authentication mechanism (like Google Authenticator), or force a user to enter a master password to access anything in a password manager’s database, but you then still have the problem of malware capturing what you enter into a site’s password field (even without a password manager), and the 2-factor MAN-IN-THE-MIDDLE attack we talked about in the last episode of the Shared Security Podcast. This is one of many reasons I often emphasize the need to try to avoid malware risks by having good surfing habits, like:
– Not visiting questionable sites
– Not clicking on links or attachments in emails you weren’t expecting, or that look suspicious
– If you must do the above, do it on a different computer or a Virtual Machine environment, where an infection will probably not compromise your existing data
I still use a password manager, because it helps defend against many more risks than it is vulnerable to. – Scott

Your Unhashable Fingerprints Secure Nothing
Wow! I’ve actually had my concerns about any biometric authentication schemes (like fingerprints, iris scanners, facial recognition, etc.) since watching the movie MINORITY REPORT. Now, I’m CERTAIN they are not the way to go. This is an amazingly well-written story that explains in elegant detail why fingerprints (and, I suspect, most biometric authentication factors) are actually a dangerous way of authenticating people. If you’re not technically inclined, it could be a difficult article to read, but here are my important take-aways:
1) THEY AREN’T REALLY SECRET – Your fingerprints are probably not as secret as any of your well-chosen passwords, because they can be either photographed from a fair distance with a high resolution camera, or lifted using standard forensic techniques from almost anything you’ve touched (e.g. a mug, a door knob, a keyboard, a steering wheel, a water tap, a seat back, etc.);
2) THEY ARE EASY TO REPRODUCE AND USE TO IMPERSONATE YOU – Fingerprints, once known (by lifting or by high resolution photos), can be easily reproduced pretty quickly, and without much effort, on a LATEX SKIN, and used at will;
3) THEY CAN’T BE REVOKED OR CHANGED – If your fingerprint is lifted from something and used to compromise your identity, there is literally no way to revoke – or reset – your fingerprint authenticator. So, it should never be used again, just like when you are asked to change your password after a data breach;
4) THEY AREN’T USUALLY SECURED WELL (or HASHED) – For fingerprint authentication to work properly, an authentication system has to verify that an impression of your print at the time of an authentication request is a CLOSE MATCH to one you gave at the time you registered to the system. To do this, it has to be easy for the system to retrieve your exact original print(s), so they can be compared and scored for SIMILARITY. This requirement means that the database must be MUCH MORE VULNERABLE to brute force attack than a good password hash database. In a well-constructed password hashing scheme, if an attacker manages to guess a correct password (very unlikely), they must start over to get any others. For a fingerprint (or most biometric) databases, it’s likely that the entire database is encrypted in a way that makes it easy to retrieve ALL of the prints.
If these points don’t make sense to you, then I’m afraid you’re going to have to read the article – which you really should do anyway – before you use something like Touch ID on an iPhone. – Scott

CCTV Botnet In Our Own Back Yard
With the convergence of physical security devices (like CCTV cameras) and networking technologies there was always a risk that something like this could happen. Again, this goes back to the device manufacturer and ensuring that IoT devices such as CCTV cameras are built with security in mind from the beginning. It also means that when people and organizations buy CCTV cameras they need to harden and secure them before deployment. Default credentials are the number one attack vector we see abused with most IoT devices. – Tom

NOTE: Scott recommended a novel called INVASION OF PRIVACY by Ian Sutherland during this discussion. It’s a murder mystery with some good illustrations of plausible social engineering attacks, scenarios of interesting webcam risks and hacking tools used in interesting contexts. Here’s a link to the author’s webpage: http://ianhsutherland.com/. There’s also a free prequel to the novel at: http://ianhsutherland.com/social-engineer-sign-up/.

Predicting the future of technology
This is a good article for covering the range of technologies that could be affected by the next wave of SMART TECH. It also made me think of a book I recently read by Daniel Burris, called Flash Foresight. Burris is a great thinker and problem solver, who has a methodology for predicting technology evolution based on what he calls HARD TRENDS vs. SOFT TRENDS. If you’re interested in trying to predict or come up with the next successful technology in any of the areas mentioned in this article, or even if you just like to understand how technology is evolving, you should read Flash Foresight. It’s very interesting. – Scott

A Teen Instagram Star Is Quitting Social Media And Revealing The Truth Behind Her “Perfect Photos”
Can you really “quit” social media? This was an interesting article and sheds light on how people can be consumed with social media and the negative impact it can have on our lives. However, I find it ironic that she still uses social media (like YouTube and Vimeo videos) to start an entire new campaign against social media. Love it or hate it, social media is part of our lives whether you like it or not. It comes down to responsible use and knowing when it’s consumed your life and has become an addiction (just like anything else in our life). Too much of anything can be a bad thing. – Tom

What is Tor?
With all the talk about encryption and Edward Snowden in the news I thought it would be helpful to give our listeners a quick overview of what the Tor Proxy (aka: The Onion Router) is and how it’s used. Tor is used by people with good intentions to protect their privacy, but is also used by criminals (such as in the case of the infamous ‘Silk Road’). Tor should also not be relied upon to be 100% anonymous on the Internet, as it does have a few risks you should be aware of (especially if you’re running a Tor ‘exit node’). For further reading check out this great article on Lifehacker about Tor. If you’re feeling technically adventurous and want to play with Tor you can also build yourself a Tor enabled wifi network, which I thought was a pretty cool project if you have a Raspberry Pi.

Free eBook: Securing Your Network and Application Infrastructure
Shared Security Podcast co-host Tom Eston was recently featured with several other security professionals in a free eBook titled “Securing Your Network and Application Infrastructure”. Check it out for lots of great advice and tips to secure your business.
You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening! The post The Shared Security Podcast Episode 48 – Password Manager Compromise, Fingerprint Insecurity, Quitting Social Media appeared first on Shared Security Podcast.
Oct 30, 2015 • 39min

The Shared Security Podcast Episode 47 – Celebrity Impersonations, Social Media and Kids, EU Safe Harbor

This is the 47th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded October 28, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Do you know which of these stars have the most celebrity impersonations?

I did a quick check of which celebrity had the most impersonators on each social networking site:

Facebook – Bradley Cooper
Twitter – Angelina Jolie and Channing Tatum
Google Plus – Angelina Jolie and Jared Leto
Instagram – Jennifer Lawrence and Angelina Jolie
Youtube – Jennifer Lawrence
LinkedIn – Brad Pitt

I also noted that there were less than 30 impersonators in total, for all the celebrities in the picture, on LinkedIn. What does this mean? It might mean scammers are less excited about using LinkedIn, but it could also mean that businesses don’t use LinkedIn so much for communicating with their followers. I think there’s just as much scamming going on by attackers who impersonate businesses in the more popular social networking applications. What I also think is interesting is how ZeroFox uses advanced tools to categorize the potential attackers and prioritize the risk from each impersonator, which involves separating the parodies from the real scammers.

– Scott

Our kids need to talk about it

This is really an important and eye-opening article. It digs a little deeper into the frequent negative impacts that social media have on children and families. It strikes me that both parents and teachers – those who see kids most often every day – really should receive some guidance for dealing with these issues, both in a preventative sense, and in a responsive attitude. You’re never going to be able to completely protect your kids from some of these effects. So, you will have to be able to recognize the signs, and try to act to limit the potential damage. Knowledge of child psychology might help. But it’s also just letting your kids know that you’re trying to understand the pressures they are feeling, so you can help them through. I think discussing stories of incidents that may have happened to others (either in the news, or in your community) makes it easier for them to relate, and discuss their views. As a parent of 3 kids, I think you also have to resist the urge to judge your child’s actions or feelings. They really can’t help the way they feel, and they are still immature, so they’re going to make mistakes. What you can do is help them have a healthy attitude and recognize the merits and impacts of the actions they might want to take. As the article hints at the end, you need to understand the environment your kids are in. So, as much as you may hate the idea of having a Facebook account, setting one up and using it (not to spy on your kids, but to experience what’s going on in today’s culture) can make it easier to see things from their point of view. It is a conflicting situation for parents, though, to rationalize whether you are really spying on your kids, simply intruding on their privacy, or looking out for their best interests.

– Scott

Europe’s highest court strikes down Safe Harbor data sharing between EU, US

This is huge news as this ruling will likely force Facebook, Twitter, Google to keep EU data in the EU. It is important that privacy laws be respected and enforced. And in this case, the CJEU seems to be doing a good job of overseeing the Safe Harbor agreement. This agreement basically says that, if the personal data of EU citizens is transferred to a country outside the EU, it must be protected to a certain standard. However, the case has brought to light that the standard for safe harbour does not really go as far as it needs to in order to properly protect the privacy rights of EU citizens. So, the conclusion is that companies like Facebook should not be allowed to move EU citizens’ data overseas, since privacy will not be upheld. One instance they give, as an example of how the agreement is too weak, is the potential access rights that the US government has to all data held within the USA. But this is an argument that can be extended to the UK itself, given what is now publicly known about the UK government’s surveillance activities. In this sense, the EU citizens’ data may be no better protected inside the EU than outside. So, it will take a long time to sort all the implications out. But, as the article states, it is likely that companies will start to segregate data geographically. I’m not sure how this will affect, for example, Facebook users, or even advertisers. So, as always, don’t post sensitive information on social media sites if you are concerned about this. But you might also have to start wondering about the safety of cloud-based services such as Microsoft Office 365. What protection does your business have if you are storing data in these kinds of cloud-based services? Is “Safe-Harbor” really feasible, even if the vendors promise it?

– Scott

Consumers think IoT security is a piece of cake; IT pros have another name for it

“manufacturers don’t make consumers sufficiently aware of the types of information connected devices can collect.” Not only do they not make them aware of the facts, they don’t have much interest in helping consumers understand the risks. That’s why we see blatant statements like Spotify’s privacy policy that is scary if you understand the risks of what they are doing, but they seem to be counting on people not really understanding or caring about the risks.

– Scott

Hackers Can Silently Control Siri From 16 Feet Away

This is really not a threat at all right now. There are a lot of caveats to this attack and I would just note that these types of hacks are always evolving.

– Tom

An elaborate combined phishing and phone social-engineering attack against 2-factor authenticated Gmail accounts

This kind of attack is not new, but with the increase in use of Gmail’s two-factor authentication, an attacker can gather the password and SMS second factor code in real time using a phishing scheme. It’s often primed by a social engineering phone call in which the attacker contacts the victim using an issue that the victim is likely to care about. The caller then says they will send a link with more information that can be found in a Google Drive shared document. When the user tries to access it, the fake site presents a real-looking login and two-factor form. Since it is all done in real-time, the caller can access the victim’s real Gmail if they act before the two-factor code expires. The combination of phone and email gives people the impression that it’s not likely to be a scam. So, be careful about acting on hot button issues when you receive a call or email “out of the blue” that leads you to a Google drive or other similar login page.

– Scott

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!

The post The Shared Security Podcast Episode 47 – Celebrity Impersonations, Social Media and Kids, EU Safe Harbor appeared first on Shared Security Podcast.
