This is the Shared Security Weekly Blaze for August 27, 2018 sponsored by Security Perspectives – Your Source for Tailored Security Awareness Training and Assessment Solutions and Silent Pocket. This episode was hosted by Tom Eston.
This is your Shared Security Weekly Blaze for August 27th 2018 with your host, Tom Eston. In this week’s episode: New TSA Body Scanners, Back to School Cybersecurity, and Instagram Hacking.
The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable, and undetectable. Visit silent-pocket.com for more details.
Hi everyone, this is Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
The city of Los Angeles California in partnership with the US Transportation and Security Administration jointly announced that the city of Los Angeles is purchasing body scanners that will be used to screen metro riders. This new body scanning technology will be used to help detect weapon and explosive device security threats on one of the largest public transportation systems in the US. The Los Angeles metro system is also the first transportation agency in the nation to purchase such equipment. The technology is similar to what is used at airports, called millimeter wave technology, but does not emit radiation and no anatomical body images are displayed. What makes this type of scanner technology different is that these work off of your body heat and can detect objects that are hidden when heat waves are blocked. The other big difference is that metro passengers just need to walk by the scanners and not stop to line up like you normally would going through airport security. The other advantage is that the devices are portable, meaning, they can be moved to a different area of a public transportation system if needed.
This news reminded me of a scene from the 1990 movie “Total Recall” with actor Arnold Schwarzenegger. There was a scene where passengers in the movie walked through a security system that was essentially an “x-ray” of their body. Skeletons of passenger bodies were displayed as security personnel observed passengers to detect weapons that might be coming into the transportation system. Back in 1990, most people watching that scene must have felt a little uneasy and concerned about the privacy ramifications of such invasive security technology. Funny that this was just a pipe dream back in 1990, but now, very much a reality 28 years later. Given the security climate since 9/11, this technology shouldn’t really be a surprise to anyone. Come full circle, privacy concerns are still very real today. In fact, there have been many cases of the TSA screening passengers inappropriately and abusing technology like this by violating passengers’ privacy all in the name of “keeping us all safer”. Let’s hope that when this new scanning technology rolls out across the US, and I would assume across most of the world, we continue to hold the people in charge of these systems accountable to ensure our privacy while balancing the needs of security.
It’s that time again as school is starting back up for most students and we begin the yearly tradition of getting kids ready and prepared for school. With the new school year being top of mind for many of us, it’s a great time to think about how our schools are protecting student data from attackers looking to compromise and steal confidential student information. As of this podcast recording, according to the K-12 Cybersecurity Resource Center, there have been 356 cybersecurity related incidents targeting K-12 schools since January 2016. Many of these incidents have been ransomware attacks. Surprisingly, in 2016 it was noted by the US Department of Education that 60 percent of K-12 schools that were victims of ransomware attacks actually paid their attackers to get stolen student data back. There have also been other disturbing stories like one recent incident in the Tulsa Oklahoma Public School district where confidential student records were found in a dumpster. But it’s not only the outside attackers and careless school personnel you have to worry about, it’s also the students themselves. There has been a sharp increase in recent years where students are hacking into their school networks and applications in order to change grades and attendance records.
Based on these recent statistics and news stories you may be curious to know what the schools your kids go to, or the ones in your area, are doing to protect student data? Well, depending on the school system and the school itself, there may not be much being done. I highly recommend watching this interesting YouTube interview from the Archer News Network about what teachers, students and cybersecurity professionals are saying about this topic. This interview, available in our show notes, shows that most school districts do not have the funding or expertise to properly protect school networks and systems from a cyberattack. But it gets even more basic than that. There is an overall lack of security awareness of teachers, students and school administrators which has led to a huge problem given that there are so many different types of cybersecurity threats to schools. It’s really a human problem, more so than it is a technology problem. I recall many years ago when my daughter was given her first user name and password to access one of the systems that she required for gaining access to class material and homework assignments. The password given to her was “password123” and there was no option to allow my daughter to change it. There was also no education given to her about basic password security. Thankfully, I’m her father so we had a learning opportunity which was a good thing to happen! Now this was about five years ago or so but do you think anything has changed? I’d be willing to bet that many of the hacks that we see schools falling victim to are because of things like easy to guess passwords and the lack of very basic security awareness.
So what can we do about improving the cybersecurity of our schools? First, we need to ask our schools what are they doing about this problem and what controls and practices do they have in place to help prevent a cyberattack from occurring. For example, you can ask questions to see if they are monitoring for attacks, are they following any government cybersecurity standards, how are they educating teachers and students on cybersecurity basics, and do they have an incident response plan. So if there ever was a ransomware infection, data breach or student hacking incident how is the school going to react and respond and of course notify parents and authorities. There is no simple answer to solve any of these problems in our schools but what we can do is ask questions and begin to drive these important conversations that need to start happening with school boards and administrators.
Over the last week there has been a rise in Instagram accounts that are being hacked, despite users using complex, non-guessable passwords and even two-factor authentication on their accounts. Apparently this started happening at the beginning of August and it’s unknown how attackers have been compromising accounts with no acknowledgement from Facebook which happens to own Instagram. News site Mashable posted an article last week stating that about 275 people have contacted them about their accounts being hacked and noted that several users said their accounts were locked out with no warning, even with two-factor authentication enabled. Many of the Instagram accounts being compromised are ones that are considered “high value”. High value Instagram accounts are ones with thousands of followers, are used by celebrities or accounts that have three-letter or less account names. Many have speculated that the cause may be SIM Hijacking, which is one of the most popular ways to compromise Instagram accounts right now. However, others have speculated that the cause may be traditional phishing attacks for Instagram credentials, an undisclosed vulnerability in the Instagram app or backend services, or even exploitation of the ancient SS7 network protocol that’s still being used by telecommunications companies around the world to send text messages. SS7 (which stands for Signaling System Number 7) has several known vulnerabilities and can allow an attacker to hijack communications, track the real-time location of someone and has been used in the past to redirect SMS based two-factor authentication for banking logins.
Unfortunately for users of Instagram, Instagram has yet to deploy an alternative to SMS based two-factor authentication which we all know by now is considered insecure. However, sources say that a more secure way of two-factor authentication is currently being developed by Instagram and is in the process of being tested. To top this all off, Instagram support hasn’t been very helpful either for users that have had their accounts compromised. This of course is unfortunate given that many people make their living off of Instagram or rely on it for their business. My take is that a lot of times, you could do everything right from a security perspective and still have your account compromised. Just like we see with all the massive data breaches that happen on a weekly basis, we often have no control over our information because we trust that someone else is properly securing it for us. One suggestion I have is to be more aware of who we give our data to and perhaps, not sign up for a particular service if we’re really concerned that someone else may not protect our private data the way we expect. As we like to say on the podcast, we all need to make better risk decisions because nobody else can make them for you.
That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.