This is your Shared Security Weekly Blaze for April 15th 2019 with your host, Tom Eston. In this week’s episode: Amazon Echo’s recording controversy, a new mobile phone scam, and hotels leaking your private information.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
In late-breaking news last week, it was reported by Bloomberg that Amazon employs thousands of workers to listen to what customers say to Amazon Echo devices. According to the report, workers can listen to as many as 1,000 audio clips in 9-hour work shifts. Apparently, workers listen to audio clips that are “mundane” and even sometimes “possibly criminal”. Amazon responded to the report by saying that it only annotates “extremely small number of interactions from a random set of customers” and that it uses “requests to Alexa to train our speech recognition and natural language understanding systems”. While Amazon employees don’t have access to names or addresses of customers, they do have access to the Amazon account number and device serial number. Amazon further clarified that no audio is stored unless the wake word is used to activate the Alexa-enabled device.
While you can go into the Alexa app to view the privacy configuration of your Echo device and individually delete audio clips, there currently is no way to completely opt out of recording altogether. The only option available is to disable the use of recordings for the development of new features. However, it’s reported that Amazon may still have recordings analyzed by hand over an occasional review process.
A new scam, where someone calls asking for your mobile carrier’s verification code, has been making the rounds. The way it works is that you’ll receive an email which looks like it’s come from your mobile carrier, like Verizon, with the message saying that fraud has been found on your account and you need to call the number noted in the email immediately. If you call the number, the scammer will say they need your verification PIN that you set up with them to verify your account. Once you do that, the scammer will reset your password and make themselves the “primary” account user. After that, the scammer will have full access to potentially buy devices at your carrier’s store as well as hijack your phone number to reset two-factor authentication on other critical accounts. In two recent cases that took place in Florida, scammers attempted to purchase several brand new phones from a Verizon store using this scam. Fortunately, police showed up at the store to arrest the perpetrators after being alerted by Verizon that something wasn’t quite right.
So what can you do to prevent becoming a victim of a scam like this? First, even with the threat of phishing and social engineering, you should always have a PIN, also known as a “port validation” code, set up through your mobile carrier. See our show notes for a great guide on how to do this, as each company has a different procedure. Also note, you should ensure that this passcode or PIN is unique and different than any other passcode or PIN that may be in use with your mobile carrier. Lastly, if you receive an email or phone call from someone that says they are from your mobile carrier, hang up. You’re not going to be contacted over the phone like this, and if you are concerned about fraud or want to find out if a request is legitimate or not, it’s best to just give your mobile carrier a call yourself.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
New research from Symantec shows that hotels are leaking detailed guest reservation data to different types of third-party advertisers, websites and data aggregators. Registration information can include everything from name, address, phone numbers, and even passport number and last four digits of credit card numbers. Symantec’s research data comes from more than 1,500 hotels in 54 countries, of which 67% were leaking this data through the booking reservation code, which is typically distributed through a link that allows anyone to view reservation data without logging in to a hotel account. The other problem here is that in these same emails, there is additional content that loads ads within these booking emails. This content was found to share the hotel booking code with more than 30 different third parties, which in many cases were transmitted over non-encrypted HTTP.
While there may be no indication that personal data was compromised here, it does show that hotel chains need to review the security of how a hotel booking number is used within these emails. And it also creates a very large problem for the hotel industry, specifically for hotels that may be operating in Europe or the State of California due to GDPR and the California Consumer Privacy Act. Unfortunately, this is yet another example of third-party companies mishandling our private data.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.