This is the Shared Security Weekly Blaze for August 6, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston. Listen to this episode and previous ones direct via your web browser by clicking here!
This is your Shared Security Weekly Blaze for August 6, 2018 with your host, Tom Eston. In this week’s episode: The Quiet Skies TSA surveillance program, SIM hijacking and the Reddit data breach and Sextortion scams.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.
Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
If you like our weekly podcast we would really appreciate you leaving a five star review in iTunes. We’ll be sure to thank you on the show! Click the iTunes link in our show notes for this episode to leave us a review and thank you for your support!
Ever feel like you’re being followed when you’re at the airport or while on a flight recently? Well, you may actually have been followed, as the Boston Globe reported last week that federal air marshals are following US citizens who are not suspected of any crime at airports and on airplanes. The previously unknown program, called “Quiet Skies”, has caused controversy within the Transportation Security Administration (aka the TSA), as thousands of US citizens who are not on any watch list are being surveilled and observed to see if they match 15 behaviors on a checklist that air marshals are required to follow. Characteristics that air marshals look for include things like excessive fidgeting, wide-open staring eyes, and even whether the subject slept on the flight or went to the bathroom. According to the report, about 35 passengers are targeted every day, and there are 2,000 to 3,000 federal air marshals who conduct this and other air marshal duties across airports in the United States.
What I find interesting is that federal air marshals themselves are questioning the need for the Quiet Skies program. One air marshal told the Boston Globe, “What we are doing [in Quiet Skies] is troubling and raising some serious questions as to the validity and legality of what we are doing and how we are doing it”. Groups such as the ACLU are now involved, questioning whether passengers’ constitutional rights are being violated by this program, given that a person’s race, religion or mental health may be what puts them under surveillance. Of course, the TSA declined to discuss the Quiet Skies program, but noted that “federal air marshals leverage multiple internal and external intelligence sources in its deployment strategy”.
As many of you are hopefully aware, the TSA in the United States has come under much scrutiny over the last several years due to treatment of passengers during screening as well as the federal air marshal program itself. It should be interesting to see how this recent revelation about the previously secret “Quiet Skies” program puts more pressure on Congress to further scrutinize the activities of the TSA and the Department of Homeland Security.
Last Thursday, the popular news and social media site Reddit announced that they had a data breach. The data breach apparently happened in June and exposed some user data including current email addresses and a backup database which had usernames and hashed passwords from 2007. The attackers apparently targeted several Reddit employee accounts that were being used with Reddit’s cloud and source code providers. Reddit noted that while they did secure these employee accounts with SMS based two-factor authentication, the attackers were still able to compromise these accounts even with two-factor authentication enabled. It’s important to note that the attackers did not compromise further Reddit systems or user accounts.
This most recent data breach further demonstrates that sites and services need to move away from SMS-based two-factor authentication and start using authenticator apps like Google Authenticator, or provide a way to use a hardware token such as a YubiKey. As we’ve mentioned before on the podcast, there has been a large increase in attacks targeting SMS two-factor authentication, called SIM hijacking, also known as SIM port-out scams.
SIM hijacking is where an attacker either calls your mobile phone company or shows up at the mobile phone store, impersonating you in an attempt to request a new SIM card for your phone number. In some cases the attacker may instead attempt to port your mobile number over to a new carrier. Once the attacker has control of your mobile number, they can reset credentials or receive SMS two-factor authentication codes for any site that relies on that phone number for access.
The way to help prevent this attack is to set up a validation code with your mobile carrier. Depending on the carrier, this may be described as a “port validation” code, while other carriers call it a phone passcode or PIN. Once this code is enabled on your account, it must be provided to the carrier before a new SIM card is issued or your number is ported to another carrier. Our advice is to enable this feature with your mobile carrier to help prevent this attack from happening to you. You may have to research the process on your carrier’s website, as each company has a different procedure for enabling it. Also note that this passcode or PIN should be unique and different from any other passcode or PIN in use with your mobile carrier, such as the password for your online account. Lastly, if you find a site that does not allow any form of two-factor authentication besides SMS, the other option is to set up a free virtual phone number through a service like Google Voice and use that number to receive SMS text messages. Check out our show notes for a link to further reading about preventing SIM hijacking attacks.
The EFF released a really good guide last week about what to do if you’re the victim of a sextortion scam. In a sextortion scam, a scammer sends thousands of emails claiming to have a password of yours and using it as leverage for blackmail. The scammer says they have a video of you watching adult videos and will send it to your email contacts if you don’t pay a ransom in Bitcoin. The scam works because the password quoted in the email may actually be one you’ve used or are still using. The scammer did not get this password by hacking you or your accounts, but rather from a previously disclosed data breach in which your email address and password were made public. The scam email uses the typical phishing tactic of a threat, along with the typical bad grammar, both of which should tell you this is a scam. Check out our show notes for the EFF guide about this scam and to see several email variations that might end up in your inbox. As always, be sure to use complex and unique passwords, use a password manager, and always enable two-factor authentication on any online accounts you use so that you don’t become the victim of a real attack.
That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.