This is your Shared Security Weekly Blaze for April 8th 2019 with your host, Tom Eston. In this week’s episode: Facebook’s very bad week, Stalkerware on the rise, and tax season scams.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
I know you’ll be shocked to hear this, but Facebook had yet another painful week of data breaches and controversy. First was the announcement that over 540 million Facebook user records and associated data were found unsecured on two Amazon AWS servers, discovered earlier in the year by cybersecurity firm UpGuard. The first server, belonging to a company called Cultura Colectiva, a Mexico-based media platform, held the majority of the exposed data, containing usernames, Facebook IDs, comments, likes, and other data that may have been used for social media analytics. The second server had data from a Facebook game called “At the Pool”, which included details such as Facebook ID, friends list, likes, photos, groups, check-ins, user interests, and of course 22,000 passwords. The passwords were apparently only for the game account and not the Facebook login; however, we all know that most people reuse passwords across the sites and services they use. Both servers are now locked down after quite the ordeal noted by UpGuard in their incident report, which we’ll have linked in our show notes. This particular breach shows one of the many problems Facebook has had with all the data that third-party app developers have been collecting over the years. Just like the Cambridge Analytica scandal, it’s nearly impossible for Facebook to oversee and regulate the security of user data once it leaves the Facebook Platform.
The second Facebook story that made the news last week was how Facebook is asking some new users to provide the password to their email account. Apparently, if you happen to use an email account from certain email service providers like Yandex and GMX, you’ll be prompted to enter your email account password to confirm your email address. Once you do that, a pop-up appears stating that Facebook is importing your email contacts, without any authorization by the user to do so. According to the report from Business Insider, Facebook stated that this “feature” is being discontinued, but in the meantime it’s set off groups like the Electronic Frontier Foundation, which said that this “feature” is indistinguishable from a phishing attack, which will also ask you to enter passwords to verify who you say you are.
According to anti-virus company Kaspersky, over 58,000 Android users had “stalkerware” installed on their phones last year. 35,000 of them had no idea that they had stalkerware installed on their device until they installed Kaspersky’s mobile antivirus product.
Stalkerware, also known as spouseware or legal spyware, is sold by various companies under the guise of an easy way to monitor your child’s activities or to track employee device usage. In reality, most of these apps are being used maliciously, and having one installed means that someone has had physical access to your device: the majority of these apps require someone to install the application manually, mostly because they require the device to be “jailbroken” or “rooted” before the app can be installed. Last year, on episode 40 of the Weekly Blaze, we recorded an entire podcast about stalkerapps and spyware that I encourage you to check out. That episode goes into more detail on how these apps work and what to look for if you suspect one of these apps is installed on your mobile device or laptop.
In related news, Kaspersky has said that they will now start alerting Android users who have their antivirus product installed whenever a stalkerware app is installed on the user’s device. This push by Kaspersky was initiated by Eva Galperin, head of the Electronic Frontier Foundation’s Threat Lab, who is spearheading a push in the cybersecurity industry to finally take the threat of stalkerware seriously. In her list of demands she’s asking antivirus companies to start detecting and alerting on these types of apps, asking Apple to allow antivirus apps in their app store (Apple currently does not allow this), asking Apple to detect and alert when an Apple device is jailbroken or rooted, and asking more state and federal officials to start filing charges against executives of stalkerware companies for hacking.
My take is that it’s great to see at least one antivirus company doing something about the threat of stalkerware and with the EFF and people like Eva Galperin, perhaps we’ll see positive changes in the months to come.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Guess what season it is? It may be Spring in the United States, but it’s also tax season, which means it’s time to be aware of common phishing and scam tactics that may target you while you file your taxes. In fact, it’s so bad this year that the IRS recently released their “dirty dozen”, in which they’ve detailed the top tax fraud scams of the year. Check our show notes for a link to the full list, but it should be no surprise that phishing scams come in at number one. Things to look out for include emails posing as the IRS promising a big refund, or threatening you with arrest if you don’t reply or submit personal or sensitive details about yourself or your finances. In one recent variation, a scammer has already stolen personal data and filed a tax return on the victim’s behalf. The scammer then has the tax refund direct-deposited into the victim’s own bank account and attempts to reclaim the funds by posing as the IRS or someone from a collection agency.
Keep in mind, it’s not just your email that these scams can originate from. Many of these tax scams also come through phone calls or voicemails. Phone scams are number two in the IRS’s “dirty dozen” this year. These calls typically ask for personal information, try to convince you to make a tax payment, or threaten you with arrest, just like the similar IRS phishing emails. In some calls the scammer spoofs the caller ID so that the call appears to come from the IRS or from another number with your same prefix. Note that the IRS will never email or call you about owing taxes or about a potential refund, or threaten to arrest you. Stay vigilant and be more aware of phishing and phone scams this tax season, and please let your elderly friends, parents or relatives know about these scams as well. Unfortunately, the elderly are common targets for these types of attacks.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.