Shared Security Podcast

Tom Eston, Scott Wright, Kevin Tackett
Oct 8, 2015 • 34min

The Shared Security Podcast Episode 46 – Peeple App, Medical Devices Exposed, Instagram for Doctors

This is the 46th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright recorded October 7, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

Scott gives an overview of the BSides Ottawa Security Conference
If you’re in the Information Security industry I highly recommend you attend a local BSides conference. Always great content and networking opportunities! -Tom

Everyone you know will be able to rate you on the terrifying ‘Yelp for people’ — whether you want them to or not
Yelp for people? What could possibly go wrong? What are the ramifications when we start “rating” everyone we know or encounter? In a recent twist everything available about the Peeple app has been removed (social media, website, etc.) by the founders, most likely because of the firestorm of news media and privacy concerns. While the Peeple app looks like it may not happen... I’m sure there are other similar apps that will pop up and try something similar in the near future. -Tom

The Power of Privacy Video Series by The Guardian
The first episode takes a very thought-provoking look at the digital shadows you leave and how someone can find personal and private information about you on the Internet... highly recommended! Episode 2 was recently released and talks about how easy it is to get hacked through phishing and common social engineering techniques. -Tom

Anatomy of an enterprise social cyber attack
This is some interesting ZeroFOX research on customer scams, specifically one called “hashtag hijacking”. I’ve heard of several cases in the news about this type of attack using social engineering and social media as attack vectors. Check out this great infographic to learn more. -Tom

Thousands of ‘directly hackable’ hospital devices exposed online
This research was released at the DerbyCon security conference last month. I found it fascinating that now MRI and other critical medical equipment can be found using the search tool Shodan outside of the firewall of some major healthcare providers. Most likely this happens because of poor network segmentation as well as separate Internet connections outside of the healthcare provider. To top that off many of these devices are configured with default credentials and/or weak passwords (some running vulnerable Windows XP and older systems too). The researchers built a honeypot defibrillator machine to prove their points which “attracted a whopping 55,416 successful SSH and web logins and some 299 malware payloads”. Medical devices (pretty much in the same category of IoT) which lack any security are very scary, especially the potential impact to human life if these devices are compromised! -Tom

The Social Network Where Doctors Swap Gross Pics of Patients
HIPAA nightmare? Apparently doctors, nurses and other healthcare staff have been uploading patient pictures to an app/social network called “Figure 1” (aka: Instagram for doctors). While the founders’ intentions seem good (as in a good way for doctors to get second opinions or to treat patients better) there is definitely a cause for privacy concern. The founders apparently have monitoring, oversight and remove any metadata from each picture but as this app’s user base grows it will be harder to oversee this type of information, even with automation built in. In addition, the app founders said that they don’t have a plan yet to make money so time will tell if this even sticks around. -Tom

Netflix shows you how to make your own “IoT switch”. Turn on Netflix. Dim the Lights. Kick Back and Relax.
Netflix continues to innovate with unique ways to watch their programming... even to get you to build your own IoT device (I’m sure soon to be available for purchase). -Tom

Our friendly PSA: Please stop posting those Facebook privacy notices
Posting those Facebook “privacy notices” on your status does nothing as you’ve agreed to hand over everything you post to Facebook according to their terms of service. You agreed to this when you created your Facebook account. Don’t like it? Stop using Facebook and delete your account. See Snopes for more information about this hoax. -Tom

Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!
Sep 25, 2015 • 31min

The Shared Security Podcast Episode 45 – Implantable Wearables, Spotify Privacy, Hacking Self-Driving Cars

This is the 45th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded September 24, 2015. Below are the show notes, commentary, links to articles and news mentioned in the podcast:

How The Internet of Things Could Revolutionize Our Lives, Work
The above article does a good job of painting a Utopian future, with your office doors opening and computers logging you in with appropriate privileges “without having to manually tap into 10 different interfaces every day.” You may also enjoy dreaming of entering a restaurant where the menu is customized to your social preference, saving you the hassle of actually having to turn multiple pages. This may be a good thing, or it may just be a sign that we are getting lazy. Did you ever see the Disney movie “Wall-E”, where all the humans looked like the Michelin man, and floated around on hovering chairs? Isn’t it just a little bit sad that we are getting so excited about not having to move any muscles to get our jobs done? Not only does this image of the future seem a little unhealthy, but I just can’t help but think about all the potential vulnerabilities in all the interfaces between these devices and systems that have to work with each other to accomplish these feats. I think this is especially true, in light of the point raised in the article about the lack of standardization between devices that I think will almost always exist. – Scott

A Smartwatch Could Reveal What You’re Typing by How Your Hand Moves
This is one of those articles that pops up every year or so that describes how somebody has demonstrated a way to capture keystrokes or other personal movements of individuals through vibrations, light rays, electromagnetic variations, etc. It’s just a reminder that when we adopt a new form factor or a whole new device, somebody is going to try to find a way to spy on your actions when using it. In most cases, these demonstrations are done in very controlled environments, and can be very hard to reproduce. In other, more successful cases, the researchers probably end up getting bought out or employed by large and powerful organizations, never to be heard from again… ;o) – Scott

Top 10 Implantable Wearables Soon To Be In Your Body
Is there such a thing as being too close to technology? It will be interesting to see how far people are willing to go to be connected. This article discusses a number of ways in which scientists (or franken-scientists) are experimenting with implanting everything from phones to speakers to video displays in people’s bodies. I think it’s more likely that many of us will accept some of the new medical applications of implantable technologies. Sensors for real-time monitoring of sugar levels, cholesterol and other undesirables could be really valuable. Of course, the swallowable pill for colonoscopies is the one many of my friends are waiting for… There may even be devices you can take as pills that will monitor and dispense therapeutic chemicals that make you feel full, or even contraceptives. It’s also possible that with the right materials and smart functionality, entire organs could be replaced. Maybe this is how we evolve into Cyborgs… My security and privacy concerns around these devices are along the lines of them being hijacked by attackers, which could literally be fatal in some cases. But you also have to worry a little about how those devices could be detected and matched to your identity for tracking purposes. – Scott

You Can’t Do Squat About Spotify’s Eerie New Privacy Policy
It’s not just Google, LinkedIn and Facebook who want to know everything about you. Spotify is seriously trying to get in on the act. Did you know that Spotify’s privacy policy is hoping you might break the law, while their fine print is saying you agree to do the due diligence? Spotify’s privacy policy apparently wants you to implicitly accept how they use information about your phone’s contacts, even when they know it may not be legal for you to share it with Spotify without their permission? They literally expect you to seek every contact’s permission to let Spotify use their contact information for its vague purposes, before you use Spotify on your phone. Unfortunately, as the article points out, it is becoming the norm for businesses to try to monetize the personal information they have about you. – Scott

Self-driving cars can be hacked using a laser pointer
Before you get in that self-driving car… The next wave in vehicle technology, if you haven’t been paying attention to it, is the self-driving vehicle. Google has been test-driving self-driving vehicles for a number of years now, with some success. I think there are some great benefits to be had from automating vehicles, especially in environmental and safety areas. Think of the gas that can be saved if the optimal acceleration and routing is used every day by all (or most) vehicles on the road. And automated safeguards are very likely to save a lot of lives where human error is often the cause. However, we have to keep in mind all the bad things that can happen when a computer can completely control a car. In this article, a simple laser pointer can be used to cause the laser-based ranging and imaging systems on self-driving cars to believe there are objects where they aren’t. This kind of attack has to be considered, and in general, any malicious action from an outsider has to be considered by the cars’ control systems. They have to do more complex checks for “reasonability” of their sensor inputs. So, I’m glad we have hackers actively researching the latest vehicle automation technologies. This way, we have a chance of having vehicles come off the production lines with security built in. I’m not so naïve as to think they will be totally safe. There are some real risks that need to be thought out, and some won’t be resolved before we’re driving them (I mean, they’re driving us). Things like legal liability when a vehicle makes a decision that directly ends up injuring or killing people. – Scott

Check out our friends over at ZeroFOX
ZeroFOX provides detection and defense for social media security threats. We hope to have the team at ZeroFOX share more of their research and technology with us in future episodes. – Tom
Sep 3, 2015 • 32min

The Shared Security Podcast Episode 44 – Facebook Data, Apple Watch, Android, Amazon Dash Buttons

This is the 44th episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded September 2, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Facebook urged to tighten privacy settings after harvest of user data
Make an Apple Watch Door Unlocker
Severe weaknesses in Android handsets could leak user fingerprints
Big Android makers will now push monthly security updates
How I Hacked the Amazon WiFi Button to track Baby Data
Oracle security chief to customers: Stop checking our code for vulnerabilities
Aug 14, 2015 • 28min

The Shared Security Podcast Episode 43 – Car Hacking, IoT Risks, Facebook Scams, SmartTV Privacy

This is the 43rd episode of the Shared Security Podcast (formerly the Social Media Security Podcast) sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded August 6, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Car hack reveals peril on the road to Internet of Things (IoT)
Smart watches and activity monitors usually connect to the cloud, sometimes without good security
Really great article from Venture Beat about IoT risks
Good research and whitepaper from Veracode about several popular IoT devices being sold and the security risks
Scott talks about a recent Facebook scam that he received which was really hard to tell if it was legit or not
Tom talks about Vizio SmartTV’s and how they know everything that you watch. Make sure you read those privacy policies!
Jul 14, 2015 • 31min

The Shared Security Podcast 42 – Car Theft, Risky Apps, Facebook Security Checkup

Podcast Update: The new website for the Shared Security Podcast will hopefully be live for the next episode! We hope you enjoy the new topics and format!

This is the 42nd episode of the Shared Security Podcast sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded June 3, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Marauder’s Map plugin for Chrome allows geolocation of messenger communications for friends or people in a message thread

Facebook check-up feature being tested which is a new tool that might help users understand and select privacy settings that make sense to them

How social networks make it easy for adopted children to find their birth parents, not always with desirable or expected results. The focus is on a young girl who grew up believing her birth mother was like a Disney princess, and understandably wanted to connect with her. This story shows it isn’t always a good decision, and highlights the need for honesty with young adopted children regarding their past.

Risky mobile apps that parents need to know about.

How new smart key fobs are making it easy for thieves to break into cars with a $17 gadget you can buy online. Some people are starting to put their key fobs in the freezer to shield them from the radio signals used by thieves.
May 15, 2015 • 43min

Social Media Security Podcast 41 – Podcast Updates, Internet of Things, TV Privacy

This is the 41st episode of the Social Media Security Podcast sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded April 29, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Important Podcast Update!
While we haven’t finalized the details we’re hoping to rename the podcast as “Shared Security”. We have been discussing the fact that the privacy and security topics we’ve been covering are really spreading to more than just social media. Now, we see the important stories as being ones that relate to who and what we trust as connected individuals and businesses. So, we’ve decided that it might be time to rename the podcast to be more inclusive of important security stories beyond just social media, and we’ve decided on a new name for the program… “Shared Security”

We think Shared Security brings to mind not only social media, but mobile technology, cloud technology, and as I’m sure you’ve heard by now, The Internet of Things (IoT). So our new podcast, Shared Security, will try to bring you timely stories, news and tips for living securely in a connected world. The name also brings to mind the fact that we will increasingly need to share our thoughts on what the risks are and how to deal with them. You can expect the same level of insight and practical guidance, just on a broader scope.

We haven’t yet figured out how we will officially change the program name people see on iTunes or the feed for RSS. So for the moment, the feed and official title will be the same… Social Media Security. However, with this episode we’re going to try to cover a broader range of stories, when appropriate. Stay tuned for additional rebranding changes as we roll them out. As always, we’d like to hear your thoughts!

Scott and Tom

Recent Facebook and Instagram vulnerabilities
Security for the Internet of Things will get really, really bad before it gets good
Samsung TV’s are listening to you
Trend Micro and Ponemon released a study on personal information, privacy and the connected world. In this report, they mention that Gartner predicts 25 billion connected devices by 2020 – I think that’s a low estimate. The report breaks down the value of certain types of personal information to attackers, like your health condition (for an American it’s $82.90 per record)
Discussion about The 2015 Verizon Data Breach Incident Report
Commentary on the risks from Internet of Things

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Don’t forget to subscribe to the podcast in iTunes, follow us on Twitter and like us on Facebook. Thanks for listening!
Mar 16, 2015 • 34min

Social Media Security Podcast 40 – ThreatExchange, Echosec, Facebook Scams

This is the 40th episode of the Social Media Security Podcast sponsored by the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded February 25, 2015. Below are the show notes, links to articles and news mentioned in the podcast:

Facebook’s new ThreatExchange
Fitbit data used in a court case
Echosec is a web application that lets you search a geographical locale for posts on Twitter, Instagram and Flickr
Some new Facebook security tips and tricks
A very special interview with somebody who experienced a scam attempt on Facebook. Great advice on how to defend against these types of scams!
Dec 12, 2014 • 33min

Social Media Security Podcast 39 – Snapcash, Yik Yak, LinkedIn Security and Privacy Tips

This is the 39th episode of the Social Media Security Podcast sponsored by SecureState and the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded December 12, 2014. Below are the show notes, links to articles and news mentioned in the podcast:

“Snapcash” has been announced by the creators of Snapchat. Can Snapchat gain enough consumer confidence to break into the payments field?

Yik Yak is a social app for browsing anonymous chats in your locale and it’s gaining popularity with teens and causing some problems for schools. Yik Yak is also not as private or anonymous as you think as a new security vulnerability was just disclosed!

How to opt out of Twitter’s new app tracking feature

Facebook’s updated Privacy Policy? Not much new, but policies have been reworded to be somewhat less onerous to read

Facebook At Work – Will it work?

Scott and Tom share our opinions on the big Sony Pictures security breach

Scott shares some best practices on how to secure your LinkedIn account. Tom shares some good tips to make your LinkedIn account more private. Here are a few of the tips we discussed:

1) Turn on HTTPS for all sessions:
– Check the “Secure Connections” box in the security settings page

2) Turn on Two-Step Verification
– The security settings page will tell you whether or not two-step verification is already set up
– You can turn it on, and provide a mobile phone where SMS messages will be sent

Both are accessible by doing the following while logged in to your LinkedIn account on the Web:
a) Hover the mouse cursor over your profile picture
b) Click on the Account tab in the bottom left of the page
c) Click on “Manage Security Settings”
Nov 5, 2014 • 31min

Social Media Security Podcast 38 – Corporate Policy, Whisper Privacy Flaws, Snapchat Hack

This is the 38th episode of the Social Media Security Podcast sponsored by SecureState and the Streetwise Security Zone. This episode was hosted by Tom Eston and Scott Wright recorded October 21, 2014. Below are the show notes, links to articles and news mentioned in the podcast:

An enterprise level story about how hard it is to block specific sites, and what can be done about it
Twitter’s former security head condemns Whisper’s privacy flaws
Twitter sues the US Government over national security data
Twitter quickly withholds tweets for Turkey’s ‘national security’
Twitter ‘news’ spreads faster than Ebola
Snapchat third party service hacked
Facebook Fake Likes Exposed
Oct 2, 2014 • 59min

Social Media Security Podcast 37 – Special Guest Kevin Johnson (@Secureideas), Managing Your Digital Footprint

This is the 37th episode of the Social Media Security Podcast sponsored by SecureState and the Streetwise Security Zone. This episode was hosted by Tom Eston, Scott Wright and special guest Kevin Johnson recorded September 19th 2014. Below are the show notes, links to articles and news mentioned in the podcast:

Special Topic! Managing Your Digital Footprint (thanks to Chris John Riley for the idea!)
Personal objectives for using social media
Types of footprints you might have (likes, comments, photos, tags, etc.)
Ways you can be exposed, and how to find them (Google search, Facebook search, Linkedin Search, etc.)
Ways to manage exposure going forward

This site has a good, short set of tips to review: http://krishnade.com/digital-footprint/

LinkedIn address book guessing… http://omnifeed.com/article/www.komonews.com/news/local/LinkedIn-flaw-helps-hackers-discover-email-addresses-275537041.html

The LinkedIn LION – Are You Exposing Yourself to the Hyenas? https://www.linkedin.com/today/post/article/20140812143638-171396975-the-linkedin-lion-are-you-exposing-yourself-to-the-hyenas
