The Shared Security Weekly Blaze – Ultrasonic Hard Drive Attacks, Dangerous USB Devices, Email Fraudsters Arrested

Play episode

This is the Shared Security Weekly Blaze for June 18, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment SolutionsSilent Pocket and CISOBox.  This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!

Help the podcast and leave us a review!  We would really appreciate you leaving a review in iTunes. Reviews really help move us up the podcast ratings list and are greatly appreciated!

Show Transcript
This is your Shared Security Weekly Blaze for June 18, 2018 with your host, Tom Eston. In this week’s episode: Ultrasonic Hard Drive Attacks, Dangerous USB Devices and Email Fraudsters Arrested.

The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Researchers from Princeton and Purdue University have shown how sonic and ultrasonic signals, which are not able to be heard by a human, can be used to physically damage computer hard drives by using the computer’s own speaker or by using a speaker that is near the device. In their research they demonstrated how this vulnerability could be leveraged to attack hard drives in CCTV (Closed-Circuit Television) systems as well as desktop and laptop computers. In their experiments, they were able to cause errors in just 5-8 seconds on hard drives from Seagate, Toshiba and Western Digital. In one particular experiment on a Dell XPS laptop, they were able to cause the laptop to freeze and crash within seconds after a malicious file was played over the laptop’s built in speaker. It’s crazy to think that an audio file can be a new attack vector that may start being leveraged by attackers.

The good news is that the researchers indicated that these vulnerabilities could be remediated through firmware updates provided by the hard drive manufactures, so not all is lost. I’m sure the threat of this happening to most people is very low, however, I suspect that a nation state or dedicated adversary could easily take this research and ‘weaponize’ it to target specific individuals in order to destroy incriminating information. Two groups most likely targeted could be journalists and human rights defenders.

Are you a CISO or Information Security Manager challenged with tracking and managing information security incidents within your organization? If you are, you need to take a look at CISOBox which is a software appliance built for NIST-compliant management of all types of information security incidents. CISOBox secures and protects sensitive incident data using technology accredited by US Federal Intelligence Agencies and gives your organization an efficient and streamlined process for incident handling. No matter if your business is large or small, we highly recommend the CISOBox solution as it’s extremely easy to use, scalable, and a secure way to implement incident handling within your organization. For more information on the CISOBox solution and to schedule a demo visit cisobox.com/sharedsecurity. That’s cisobox.com/sharedsecurity.

This week was a historic one for US President Donald Trump and North Korea’s leader Kim Jong-un as they met face to face in Singapore during their very first summit together. However, what happened behind the scenes may have been more interesting. You see, journalists attending the summit were given very special commemorative gift bags which had a guidebook, water bottle, a trial to a newspaper and a fan that plugs into a USB port on your computer. Wait, did you say USB fan that plugs into your computer? Now we all know that you shouldn’t plug random, untrusted USB devices into your computer right? Not to mention that these USB devices are from a foreign country and we’re talking about the United States and North Korea leadership all in the same area together…what could possibly go wrong? In the show notes we’ve linked to a funny but not so funny article showing the tweets that may security researchers posted about this mysterious USB fan. Even if you have nothing to do with this summit, the advice from us and other professionals is to never put a USB device from a conference or other non-trusted source like this in your computer.  There have been many reports of devices like these being infected with malware and given that this is a historic summit with probably spies all over the place, the risk of something nefarious being installed on these devices is definitely increased.  Stay safe and be aware of what you’re plugging into your computer!

I guess law enforcement finally got that Nigerian prince they were looking for because this past Monday the US Justice Department reported that 74 people (including 42 in the US and 29 in Nigeria, probably not princes) were arrested for participating and organizing business email compromise schemes (or known as BEC schemes) which were used to steal money from thousands of individuals and businesses.  In addition, authorities confiscated about $2.4 million and recovered about $14 million in fraudulent wire transfers. This was all part of something called “Operation Wire Wire” which was a six month investigation that involved many different US government agencies including the US Department of Homeland Security.

In a BEC scheme a fraudster will target specific individuals in an organization, such as finance or accounting employees, because they usually have access to make wire transfers. The fraudsters social engineer victims into giving them sensitive information or by pretending to be a trusted co-worker or manager asking for the victim to complete a urgent wire transfer. It’s reported that BEC scams cost victims more than $3.7 billion according to the Internet Crime Complaint Center.

We definitely have to give some kudos to the US Justice Department here. This is a positive change from the typical government surveillance news that we discuss on this podcast, right? These scams are so prevalent that I’ll bet you or someone you know has either been a target of a scam like this or even a victim. As we always say on the podcast, stay vigilant for scams like these and never respond to emails from that elusive Nigerian prince.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunesGoogle Play, Stitcher, TuneIn, Spotify or iHeartRadio.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

More from this show

Leave us a Review

Signup for our Newsletter

Follow Us