This is the first episode of the Shared Security Weekly Blaze podcast. This episode was hosted by Tom Eston.
Every Monday we’ll be releasing a short podcast, in 15 minutes or less, covering the top 3 hot news topics happening in the security and privacy world. The idea is to give you fast and consumable security and privacy “news that you can use”. These weekly podcasts are in addition to our traditional monthly podcast which will continue to cover security and privacy topics in more detail.
In this week’s episode we talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle.
Show Transcript
This is your Shared Security Weekly Blaze for January 29th, 2018 with your host, Tom Eston.
In this week’s episode we’re going to talk about a new form of mobile malware called Dark Caracal, recent news about patching for the Meltdown and Spectre vulnerabilities and the launch of Amazon Go in downtown Seattle.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the first episode of the Shared Security Weekly Blaze where we update you on the top three security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news you can use”.
Our number three story for the week is about a new form of mobile malware that has been identified called Dark Caracal. The Electronic Frontier Foundation and security firm Lookout Security jointly announced research last week on what they are calling a new “malware espionage campaign” which has been targeting military personnel, activists, journalists and lawyers all across the world. The Dark Caracal malware campaign appears to be traced back to the Lebanese government. The malware affects Android mobile devices primarily but other systems like Windows could be affected as well.
The Dark Caracal malware has the capability to install trojanized versions of popular secure messaging apps like Signal and WhatsApp as well as gain access to text messages, photos and data from other apps. This doesn’t mean that legitimate apps you may be using (like Signal) are infected with malware, it means that the malware can trick you into installing a fake version of that app. The Dark Caracal malware uses phishing and social engineering techniques through WhatsApp messages and Facebook Group posts to install the malware on the device. EFF Director of Cybersecurity Eva Galperin said “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.” This is not the first case of a large global mobile malware campaign. The Pegasus mobile malware, which targets Apple iOS, has been used by nation states such as the United Arab Emirates and the Mexican government to target individuals since 2016. It’s important to note that anyone could be a target for mobile malware, you don’t necessarily have to be targeted by a nation state!
So what can you do to protect yourself? First and foremost be aware that phishing attacks typically start with emails, texts and social media posts and always try to elicit some type of urgent response or emotion from you to get you to click a link or provide sensitive information like passwords. Our advice? Think before you click! Check out previous episodes of the Shared Security Podcast where we talk about phishing and social engineering if you’re interested in learning more.
The number two story of the week is the Meltdown and Spectre vulnerability patching debacle. In fact it’s such a debacle that the creator of the Linux operating system, Linus Torvalds, has said “All of this is pure garbage, The patches are COMPLETE AND UTTER GARBAGE. …They do things that do not make sense.”
If you’re not familiar with the Meltdown and Spectre vulnerabilities here’s the deal: Earlier this month security researchers discovered two critical vulnerabilities in modern computer processors (or CPUs). These vulnerabilities allow an attacker to access data on a computer system that would be very difficult to obtain such as passwords stored in your browser, photos, emails and even documents. The reason this problem is so big is that the vulnerability affects many different types of systems including personal computers, mobile devices as well as systems in the “cloud” and it applies to all these different types of devices manufactured within the last 20 years. The guidance from the processor manufacturers like Intel has been to install patches that would be released by the different operating systems like Microsoft and Apple while they figure out how to fix these vulnerabilities in future processors.
But not so fast! Some of these patches have already been rolling out and have been causing lots of problems like the infamous “blue screen of death” on some Microsoft Windows systems. So now, Intel has come out to say stop installing patches because they are causing many more problems. Now the different computer vendors, such as Dell, HP and Lenovo are recalling their previously issued patches and have notified customers that their existing patches are defective. It’s literally a total mess out there folks. The best course of action is to hold off on installing patches until the computer vendors can come up with a revised plan. Stay tuned, I’m sure it’s going to continue to be a wild ride!
Our final news story of the week is last week’s launch of the very first Amazon Go grocery store in downtown Seattle. Amazon Go is Amazon’s “grocery store experiment” which allows you to simply scan your Amazon Go app at the entrance, grab what you want off the shelves, put it in your bag and then walk out. No cashiers, no wait. Your receipt is then emailed to you shortly after leaving the store.
Sounds pretty cool, huh? Well what you may not realize is that there are potentially hundreds of cameras watching your every move in the store. Obviously, this goes beyond preventing shoplifting but is actually part of the tech that makes a store like this work. For example, how does Amazon know if I take an item off the shelf and return it back to where it was? What if I hand an item to another person I’m shopping with, do they get charged for it or do I? Well, shopping scenarios like these are all addressed with cutting edge surveillance technology that Amazon isn’t so keen to talk about. All that Amazon has said so far is that this technology is very similar to what’s being used in self-driving cars. Amazon states that it’s using things like sensor fusion and deep learning…basically AI technology. There’s not a lot of info about how all this technology is being used within an Amazon Go store and how data about you like video footage is being processed or stored. The other day I did a little research on this and noted that the Amazon Go “Terms of use” only says that they use “in-store technology” and “cloud computing” to determine the items you select. A quick review of the Amazon Privacy notice, on the other hand, has no details about what Amazon Go technology does with your information. All we can say for now is that it’s in the “cloud” along with everything else Amazon has about you. Hey, Alexa…where does your data live? That’s what I thought.
That’s a wrap for this week. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook and Twitter and even on Instagram. You can also subscribe and listen to our podcast on iTunes, Google Play, Stitcher and even on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback [aT] sharedsecurity.net. Thanks for listening and see you next Monday for another episode of the Shared Security Weekly Blaze.