This is the 47th episode of the Shared Security Podcast (formerly the Social Media Security Podcast), sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston and Scott Wright and recorded October 28, 2015. Below are the show notes, commentary, and links to articles and news mentioned in the podcast:
Do you know which of these stars have the most celebrity impersonations?
I did a quick check of which celebrity had the most impersonators on each social networking site:
Facebook – Bradley Cooper
Twitter – Angelina Jolie and Channing Tatum
Google Plus – Angelina Jolie and Jared Leto
Instagram – Jennifer Lawrence and Angelina Jolie
YouTube – Jennifer Lawrence
LinkedIn – Brad Pitt
I also noted that there were fewer than 30 impersonators in total, for all the celebrities in the picture, on LinkedIn. What does this mean? It might mean scammers are less excited about using LinkedIn, but it could also mean that businesses don’t use LinkedIn so much for communicating with their followers. I think there’s just as much scamming going on by attackers who impersonate businesses in the more popular social networking applications. What I also think is interesting is how ZeroFox uses advanced tools to categorize the potential attackers and prioritize the risk from each impersonator, which involves separating the parodies from the real scammers.
Our kids need to talk about it
This is a really important and eye-opening article. It digs a little deeper into the frequent negative impacts that social media have on children and families.
It strikes me that both parents and teachers – those who see kids most often every day – really should receive some guidance for dealing with these issues, both in a preventative sense, and in a responsive attitude. You’re never going to be able to completely protect your kids from some of these effects. So, you will have to be able to recognize the signs, and try to act to limit the potential damage.
Knowledge of child psychology might help. But it’s also just letting your kids know that you’re trying to understand the pressures they are feeling, so you can help them through. I think discussing stories of incidents that may have happened to others (either in the news, or in your community) makes it easier for them to relate, and discuss their views.
As a parent of 3 kids, I think you also have to resist the urge to judge your child’s actions or feelings. They really can’t help the way they feel, and they are still immature, so they’re going to make mistakes. What you can do is help them have a healthy attitude and recognize the merits and impacts of the actions they might want to take. As the article hints at the end, you need to understand the environment your kids are in. So, as much as you may hate the idea of having a Facebook account, setting one up and using it (not to spy on your kids, but to experience what’s going on in today’s culture) can make it easier to see things from their point of view. It is a conflicting situation for parents, though, to rationalize whether you are really spying on your kids, simply intruding on their privacy, or looking out for their best interests.
Europe’s highest court strikes down Safe Harbor data sharing between EU, US
This is huge news as this ruling will likely force Facebook, Twitter and Google to keep EU data in the EU. It is important that privacy laws be respected and enforced. And in this case, the CJEU seems to be doing a good job of overseeing the Safe Harbor agreement. This agreement basically says that, if the personal data of EU citizens is transferred to a country outside the EU, it must be protected to a certain standard. However, the case has brought to light that the standard for Safe Harbor does not really go as far as it needs to in order to properly protect the privacy rights of EU citizens. So, the conclusion is that companies like Facebook should not be allowed to move EU citizens’ data overseas, since privacy will not be upheld.
One instance they give, as an example of how the agreement is too weak, is the potential access rights that the US government has to all data held within the USA. But this is an argument that can be extended to the UK itself, given what is now publicly known about the UK government’s surveillance activities. In this sense, the EU citizens’ data may be no better protected inside the EU than outside.
So, it will take a long time to sort all the implications out. But, as the article states, it is likely that companies will start to segregate data geographically. I’m not sure how this will affect, for example, Facebook users, or even advertisers.
So, as always, don’t post sensitive information on social media sites if you are concerned about this. But you might also have to start wondering about the safety of cloud-based services such as Microsoft Office 365. What protection does your business have if you are storing data in these kinds of cloud-based services? Is “Safe-Harbor” really feasible, even if the vendors promise it?
Consumers think IoT security is a piece of cake; IT pros have another name for it
“manufacturers don’t make consumers sufficiently aware of the types of information connected devices can collect.”
Hackers Can Silently Control Siri From 16 Feet Away
This is really not a threat at all right now. There are a lot of caveats to this attack and I would just note that these types of hacks are always evolving.
This kind of attack is not new, but with the increase in use of Gmail’s two-factor authentication, an attacker can gather the password and SMS second factor code in real time using a phishing scheme. It’s often primed by a social engineering phone call in which the attacker contacts the victim using an issue that the victim is likely to care about. The caller then says they will send a link with more information that can be found in a Google Drive shared document. When the user tries to access it, the fake site presents a real-looking login and two-factor form. Since it is all done in real-time, the caller can access the victim’s real Gmail if they act before the two-factor code expires.
The combination of phone and email gives people the impression that it’s not likely to be a scam. So, be careful about acting on hot button issues when you receive a call or email “out of the blue” that leads you to a Google Drive or other similar login page.
Please send any show feedback to feedback [aT] sharedsecurity.net or comment below. You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode. Be sure to visit our website, follow us on Twitter and like us on Facebook. Thanks for listening!