This is the Shared Security Weekly Blaze for February 19, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions. This episode was hosted by Tom Eston.
Show Transcript
This is your Shared Security Weekly Blaze for February 19th 2018…with your host…Tom Eston
In this week’s episode: Instagram Social Stalking, Cryptojacking, Equifax Breach Updates
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Ever get the feeling that a “social creeper” might be taking screen captures of your Instagram stories without your knowledge? Well this past week Instagram began testing a new feature in which a pop-up message will appear stating that “Next time you take a screenshot or screen recording, the person who posted the story will be able to see it.” This message will automatically appear when someone takes a screen capture of a story you posted. People taking screen captures of your stories will also be identified in the “seen by” list which is shown to you when you view one of your stories. Interestingly enough, the direct messages feature within Instagram as well as Snapchat have had a similar feature for quite some time. It’s important to note that in regard to Instagram direct messages, users are only notified when a screen capture is taken of a picture or video that you sent them via a direct message.
There was no timeline given on when this notification feature will be added but I think this type of notification is a good thing from a privacy and awareness perspective. But, no matter what controls are put in place to bring awareness to “social creepers”, just be aware that any notification or other control won’t be able to prevent someone from using another camera to take a picture of their device with your photos or stories on the screen. Always be mindful of what you post on any social media app and know that everything, even what you send privately, may not be so private after all.
Over the last few weeks we’ve seen an increase in what are called “cryptojacking” attacks. A cryptojacking attack is where code within a website is used to hijack your web browser and the computing power of your device to silently mine cryptocurrency while you browse and use a website. With the recent rise in popularity of Bitcoin and other types of cryptocurrencies, this attack is becoming much more popular.
In fact, just this past week, we saw thousands of websites across the world, including many government websites, being used to mine cryptocurrency. In this case, a third-party plugin called BrowseAloud (which helps blind and disabled people use websites) was compromised, which allowed malicious code to be embedded in every website that had the BrowseAloud plugin installed. This is similar to the attacks we see with ad networks being compromised and pushing malware to unsuspecting users of common websites. However, some companies are taking a new approach of disclosing to website visitors that by accessing their site you are in fact mining cryptocurrency for them. The news site Salon is one such organization that announced last week that they’ve introduced a feature called “suppress ads” which allows users to quote “block ads by allowing Salon to use your unused computing power” end quote. This is a very ingenious way for companies to help pay for their services while reducing the barrage of ads that we all see when using the Internet because…everyone hates ads, right?
It’s interesting to note that this is not the first time an organization has tried to harvest users’ computing power. Last year, the infamous website “The Pirate Bay” used code within their website to hijack users’ computing power to mine cryptocurrency back in September. The Pirate Bay called this a “test” in that using this code in the future would be a great way to replace ads completely.
I think for most people, if a website disclosed to you that they are going to harvest your computer power to eliminate ads, it is really no big deal. However, if you’re concerned about having your web browser and computer power hijacked to mine cryptocurrency, you can use a browser add-on like NoScript or ensure your ad blocker within your browser is blocking known sites used to mine cryptocurrency such as Coinhive. From a privacy perspective, we always recommend the use of a browser add-on such as an ad blocker as well as the Privacy Badger add-on, which will block third-party advertising trackers. Check out the show notes for this episode on sharedsecurity.net for links to the browser add-ons that we recommend installing.
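The two cryptojacking scenarios above (a page loading a script from a known mining service such as Coinhive, and a trusted third-party plugin like BrowseAloud being silently modified upstream) can both be caught on the defender's side by auditing what scripts a page actually loads. The following is an added example written for this transcript, not code from the Shared Security podcast or from any of the products mentioned. It parses a page's `<script>` tags, flags sources on a miner blocklist or off an allowlist, and compares fetched script bodies against baseline hashes so that a tampered plugin is noticed even when its host is trusted. The host names (`www.example.gov`, `cdn.example.gov`, `miner.example`), the sample HTML and the baseline script body are all constructed for the example; `coinhive.com` is the one service named in the episode.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to serve in-browser miners. coinhive.com is named in the
# episode; miner.example is a constructed placeholder for this example.
MINER_HOSTS = {"coinhive.com", "miner.example"}

# First-party and trusted third-party script hosts (constructed).
ALLOWED_HOSTS = {"www.example.gov", "cdn.example.gov"}


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of src= on <script> tags
        self.inline = []         # bodies of <script> tags without src=
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw body of <script>...</script> to handle_data.
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def script_host(src, page_host):
    """Host a script src loads from; relative and root-relative paths => page host."""
    netloc = urlparse(src).netloc.lower()   # "//host/x.js" also yields a netloc
    return netloc or page_host.lower()


def audit_page(html, page_host):
    """Return (severity, detail) findings for the scripts one page loads."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if host in MINER_HOSTS:
            findings.append(("high", f"script loaded from known miner host {host}: {src}"))
        elif host not in ALLOWED_HOSTS:
            findings.append(("medium", f"third-party script not on allowlist: {src}"))
    for body in collector.inline:
        lowered = body.lower()
        for host in MINER_HOSTS:
            if host in lowered:
                findings.append(("high", f"inline script references miner host {host}"))
                break
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Baseline hashes of trusted third-party scripts, recorded when they were
# last reviewed. The plugin body here is constructed for the example.
BASELINE_HASHES = {
    "https://cdn.example.gov/plugin.js": sha256_hex(b"function speak(){}"),
}


def changed_scripts(fetched, baselines):
    """Sources whose fetched body no longer matches its baseline hash
    (or that have no baseline at all); this is how a BrowseAloud-style
    upstream modification shows up even though the host is allowlisted."""
    return [src for src, body in fetched.items()
            if baselines.get(src) != sha256_hex(body)]


# Constructed sample page: one first-party script, one trusted plugin,
# one script from a known miner host and one inline miner reference.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.gov/plugin.js"></script>
<script src="//coinhive.com/lib/miner.js"></script>
<script>var m = new Miner('https://miner.example/ws');</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for severity, detail in audit_page(SAMPLE_HTML, "www.example.gov"):
        print(severity, detail)
    tampered = {"https://cdn.example.gov/plugin.js": b"function speak(){} /* injected */"}
    print("changed:", changed_scripts(tampered, BASELINE_HASHES))
```

Run against the sample page this reports two high findings (the `coinhive.com` script and the inline `miner.example` reference) and, for the tampered plugin body, lists `plugin.js` as changed. In practice the baseline hashes would be refreshed whenever a plugin vendor ships a reviewed update, and the audit run from a crawler over your own sites rather than from the browser.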
Our final news item from the week is regarding new details that were released about the Equifax data breach and that it was far worse than we first thought. You may remember that back in September of last year the personal information of 145 million people had been exposed through one of the largest data breaches in history. It’s more than likely, if you’ve ever had a credit check done in the United States, that you’re a victim of this breach. Last year Equifax stated that information compromised included names, social security numbers, birth dates, credit cards as well as driver’s license numbers. Now, new information was disclosed stating that, during the initial investigation, tax ID numbers, email addresses, phone numbers as well as expiration dates for credit cards and additional driver’s license data (apparently the state where a driver’s license was issued) had been compromised as well.
This breach and the poor communication and response from Equifax highlight that we as consumers need to be proactive about protecting our personal information as best we can. This can be very difficult because we inherently trust third-party companies like Equifax to protect our private information. However, time and time again we see breaches like this and more of our information continues to be exposed, making identity theft a real threat to all of us. So what can you do? Most importantly, put a security freeze on your credit file. Unfortunately, this is a painful process to do but is worthwhile in the long run. Be sure to check our show notes from this episode for a great article by Brian Krebs from Krebsonsecurity.com on how to go about putting a freeze on your credit.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram. You can also subscribe and listen to our podcast on iTunes, Android, Google Play, Stitcher and on your Amazon Echo device via TuneIn. We also love to hear feedback from our listeners! Let us know how you like this new weekly format by either commenting on our social media feeds or sending us an email at feedback[aT]sharedsecurity.net. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.