You’re listening to the Shared Security Podcast, exploring the trust you put in people, apps, and technology…with your host, Tom Eston.
In episode 91 for October 21st 2019: Pitney Bowes becomes the latest ransomware victim, what are the top technology fears, and the latest on the vulnerability that allows a Samsung Galaxy S10 to be unlocked with anyone’s fingerprint.
Smart phones and other mobile devices have truly become integrated with our daily lives. So much in fact, these devices are causing a new type of stress injury called “text neck”. Text neck is a stress injury which causes pain in your neck caused by excessive use or texting on a mobile device over a long period of time. This condition is increasingly concerning given that all of us seem to be looking down at our devices every minute of every day. Just take a look around you whenever you’re out in public. Our mobile devices have truly become a “pain in our neck”. So if you want an easy way to prevent this condition, try taking more breaks away from your device and simply just put your device down so you are less tempted to use it. And if you want an easy way to get off the grid for a while, put it in a Silent Pocket faraday bag. The nice thing about this solution is that you don’t even have to power off your device! Check out Silent Pocket’s full line of faraday bags and wallets at silentpocket.com and recieve 15% off your order during checkout using discount code “sharedsecurity”.
Welcome to the Shared Security Weekly Blaze Podcast where we update you on this week’s most important cybersecurity and privacy news. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
Last week shipping and postage provider Pitney Bowes, which serves 90% of businesses in the Fortune 500, was the victim of a ransomware attack preventing customers from adding postage to packages and may have even impacted some mail delivery at the US Postal Service. In a statement the company said quote “Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” end quote
Pitney Bowes is most known for its postage meters which can automate the painful process of putting postage on envelopes and packages. Some customers took to Twitter during the outage showing postage meters and associated software with errors and confusing messages about “system faults”. Apparently the meters would still work up until you had to refill funds in order to print out more postage. Check out our show notes for a link to the latest updates from Pitney Bowes on the status of their systems. In related news, late last week business credit rating agency Moody’s issued a “credit negative” event note regarding the ransomware attack meaning the credit agency is cautiously watching the incident but has yet to issue a ratings downgrade. Rating’s agencies like Moody’s are commonly referenced by investors and negative ratings can make it more difficult for a company to raise money and can drive the stock value down. This news is pretty significant in that ratings agencies are now monitoring companies for data breaches and other cybersecurity incidents and issuing ratings adjustments based on the impact of the incident. Just last May, Moody’s downgraded Equifax’s outlook to negative because of the massive data breach that we all know and love. And ironically, Equifax’s outlook remains negative for the foreseeable future.
Ransomware attacks like these are continuing to rise, mostly because a lot of companies are paying the ransom because they feel they are left with no other option. The more companies pay, the more incentive there is for attackers to continue finding victims. The advice from law enforcement and the cybersecurity community is to never pay the ransom because there is no guarantee that you will get your data back. Rather, contact law enforcement or a third-party cybersecurity professional to help get your data back in other ways. For example, there is a site run by a security researcher called “ID Ransomware” which (as of this podcast recording) can decrypt 771 different types of ransomware by uploading the ransom note or sample encrypted file. This is a free service by the way and you have a much better chance of getting your data back by using a free service like this than ever paying the ransom.
A recent survey of about 1,000 Americans from security solutions company Cove revealed people’s modern day safety and cybersecurity fears by gender, generation, and political party. Some of the most interesting findings say that four in five parents said that they were worried about raising their kids in today’s world which included things like talking to strangers online, cyberbullying, and sharing personal information online. These things even ranked higher than parents’ concerns about mass shootings. Surprisingly, social media was seen as the most harmful of modern technology when it comes to safety, while security cameras were considered the most helpful. Voice enabled assistants like Amazon Echo’s, Google Home, and Siri ranked second in terms of being harmful for safety, followed by autonomous cars, facial recognition, wearable technology (like Fitbits, and Apple Watches) and last was security cameras. Not surprising is that data breaches is the largest technology fear followed by election hacking. From a privacy perspective only 3% of those surveyed were worried about their personal information being sold to advertisers.
One of the most interesting results of the survey was that Generation Z, which are the demographic of individuals born in the mid-1990’s to early 2000’s and known as the most tech-savvy generation, didn’t really have safety concerns with technology but rather almost half reported that their biggest fear was walking in public alone at night. It seems that some traditional fears are still very valid in a world filled with technology.
And now a word from our sponsor, Edgewise Networks.
The biggest problem in security that remains unsolved is unprotected attack paths that allow threats to compromise vulnerable targets in the cloud and data center.
But traditional microsegmentation is too complex and time consuming, and offers limited value that’s hard to measure.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation.”
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable, and management that’s zero touch.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which automatically builds unique identities for all communicating software and devices by combining cryptographic properties of the workload with risk classifications.
Edgewise protects any application, in any environment, without any architectural changes. Edgewise provides measurable improvement by quantifying attack path risk reduction and demonstrates isolation between critical services—so that your applications can’t be breached.
Visit edgewise.net to find out more about how Edgewise can help stop data breaches.
In late breaking news last week a British couple discovered a serious flaw in Samsung’s popular Galaxy S10 smart phone which could be unlocked by using anyone’s fingerprint. According to reports from several British news outlets a cheap screen protector is all that’s needed to bypass Samsung’s most advanced authentication system which back when the phone was launched in March was touted by Samsung as “revolutionary”. The technology sends ultrasounds to detect 3D ridges of fingerprints and apparently some screen protectors leave a small air gap between the phone and the user’s finger. In a statement to BBC news, Samsung says that they are aware of the issue and will soon issue a software patch. In the meantime, South Korean bank KaKao Bank has told their customers to turn off fingerprint scanning completely until a patch is issued.
This is the first major authentication related issue that I’ve heard of for Samsung in recent years. Typically, we’ve seen many passcode bypass and other fun tricks with Apple iOS devices. In fact we just talked about one back in September on the podcast which would allow you bypass the passcode to view the contacts on someone’s device. This recent news though goes to show you that these types of vulnerabilities happen to other manufactures besides Apple. So now it’s time for Samsung to share the love of fixing a very significant security and privacy vulnerability.
That’s a wrap for this week’s show. Visit our website, SharedSecurity.net for previous episodes, links to our social media feeds, our YouTube channel, and to sign-up for our email newsletter. First time listener to the podcast? Please subscribe where ever you like to listen to podcasts and if you like this episode please it share with friends and colleagues. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.
