This is your Shared Security Weekly Blaze for February 18th 2019 with your host, Tom Eston. In this week’s episode: Preventing illegal robocalls, should you be scared of your laptop’s webcam, and recent hacks of popular dating apps.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
I’ll bet you’re like me and whenever I see a phone call from a number I don’t recognize I refuse to answer it due to the amount of robocalls, scams and fraud attempts that I’m always receiving. In a previous podcast we referenced a report from a company called First Orion, which said nearly half of the mobile phone calls received in 2019 will be scams. Well, it’s 2019 and I’m starting to believe that it may even be higher than 50%! It really seems like the problem is getting worse. However, a new report released by the FCC on the frequency and prevention of illegal robocalls shows that there is some progress being made to prevent these calls and to hold scammers accountable for their actions. In regards to call-blocking services the FCC states that hundreds of these services are now available, many of them for free, and that there has been significant progress made towards caller ID authentication through a new standard being implemented by the major telecom companies called STIR/SHAKEN. Umm…interesting martini reference there guys. Apparently, this standard verifies that caller IDs are accurate and not spoofed or modified. Caller ID authentication is supposed to be implemented by all major telecom companies in the US by the end of this year. From an enforcement perspective, the FCC notes that they have proposed or imposed fines of around $245 million just in the last two years against people and companies that have been found guilty of illegal robocalling. While all of these efforts seem to be making some progress, will caller ID authentication really drop the number of these robocalls? Time will tell, but in the meantime it’s probably best to get yourself one of the many free robocall and scam call blocking apps that are available. Check out our show notes for a link to many different types of popular apps that are available right now for you to use.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
I was intrigued by a story last week posted on ZDNet titled “Should you be scared of your laptop’s webcam” which talks about a recent Wall Street Journal story about a columnist who hired an ethical hacker to see if he could hack into the webcams of her two laptops and a baby monitor. This story was to see if you really need to put tape or purchase a cover for your webcam. By using a carefully crafted phishing email, with a link to a malicious file, the hacker was able to gain access to all her webcams and home network. But was it as easy as sending a simple phishing email? No, it actually wasn’t. The story pointed out that it took the columnist “performing some intentionally careless things for him to succeed”. So what careless things are we talking about? Well, the malicious file that was sent to the columnist via the phishing email was flagged by her operating system, anti-virus and even Microsoft Office. She had intentionally dismissed all the various warnings that were alerting her and even purposely disabled the various built-in security controls within her operating system. By doing all of this it finally allowed the malicious document to be edited and therefore allowed the malware to execute. Now that was just on Windows, but on her MacBook Air it took even more steps to gain access to the camera and it required more things to “disable” to get the exploit to work. Now this begs the question: if it was so difficult for this ethical hacker to break through all these layers of security (with the assistance of the “victim”, and yes, that’s victim in quotes), do we need to worry about our webcams getting hijacked?
The answer is…well it depends on things like your personal threat model and how diligent you are about security awareness. It’s true, updated and fully patched and protected modern operating systems like Windows and Apple macOS are much more difficult to break into these days. And that’s the key. Keep all of your systems fully patched and updated and never disable the built-in security controls in your operating system. Also, don’t forget to change default passwords of those cheap Internet of Things devices as well. So the point is, it’s typically the action of the victim, like disabling anti-virus or other security controls, and not keeping our systems updated, which leaves us at the greatest risk.
Last week was Valentine’s Day and unfortunately for some users of dating sites OkCupid and ‘Coffee Meets Bagel’ it wasn’t all love and romance. TechCrunch reported that multiple users of OkCupid had their accounts hacked and passwords changed without their knowledge. And popular dating app ‘Coffee Meets Bagel’ had 6.1 million usernames, email addresses and other personal details exposed in a recent massive pool of compromised data that was found for sale on the Dark Web. Other data from this dump included user data from other well-known data breaches such as My Heritage and MyFitnessPal. Representatives from OkCupid have denied that there was a data breach but essentially blamed their own users for choosing poor passwords that may have been exposed in previous data breaches. According to the TechCrunch article a spokesperson for OkCupid said “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”
Account takeovers relate to the more recent attack trend called “credential stuffing” where attackers leverage the credentials found in large databases of past data breaches and utilize tools and scripts to see if username and password combinations work on various websites. Ironically, OkCupid and many other dating apps don’t have the ability to enable two-factor authentication, so if you happened to be using the same password across all of the apps you use, you may more easily become a victim of a credential stuffing attack. If you’re one of the millions of people that use these and other dating apps, take a minute to review how you’re choosing your passwords and be sure to enable two-factor authentication if it’s available. If you happen to be looking for love on one of these sites, the last thing you need is to find out the “heartbreaking” news that your account and personal data was compromised.
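The segment above describes credential stuffing from the victim's side; the following is an added example (editor's code, not from the podcast, OkCupid or TechCrunch) showing how a site operator can spot the same pattern in its own login logs. The log format, the field names and the thresholds are assumptions, and the log lines are constructed. The signal it looks for is the defining shape of a stuffing run: one source trying many different usernames, mostly failing, with the occasional success where a reused password happened to match.

```python
"""Detect credential-stuffing patterns in a web login log.

Added example, not code from the podcast or from any dating site.
Assumed log format (one attempt per line):
    <timestamp> ip=<source ip> user=<username> result=OK|FAIL
"""
from collections import defaultdict
import re

# Constructed sample of login attempts (not real traffic). 203.0.113.5
# sweeps seven different accounts and gets one hit; the other two sources
# are ordinary users (one mistyped password, then success).
SAMPLE_LOG = """\
2019-02-14T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-02-14T10:00:02Z ip=203.0.113.5 user=bob result=OK
2019-02-14T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-02-14T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-02-14T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-02-14T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-02-14T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2019-02-14T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2019-02-14T10:01:25Z ip=198.51.100.7 user=alice result=OK
2019-02-14T10:02:00Z ip=192.0.2.9 user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (ip, user, succeeded) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("result") == "OK"


def find_stuffing_sources(log_text, min_distinct_users=5, min_fail_ratio=0.7):
    """Group attempts by source IP and flag sources that look like stuffing.

    A source is flagged when it tried at least `min_distinct_users` different
    accounts and at least `min_fail_ratio` of its attempts failed. Returns
    {ip: {"attempts", "distinct_users", "failures", "compromised"}}, where
    "compromised" lists accounts that logged in successfully from that
    source and therefore deserve a forced password reset.
    """
    per_ip = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "ok_users": []}
    )
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the job
        ip, user, ok = parsed
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok_users"].append(user)
        else:
            stats["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        fail_ratio = s["failures"] / s["attempts"]
        if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": distinct,
                "failures": s["failures"],
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Per-source counting is only one signal: real stuffing tools spread attempts across many proxy addresses, so a production detector would also count distinct usernames per ASN or per user-agent and watch the site-wide failure rate. Whatever the detector, the mitigation the host recommends still applies on the server side as well: offering two-factor authentication removes most of the value of a matched password.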
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.