- Shared Security Podcast
- Posts
- New Episode Alert (copy 78)
New Episode Alert (copy 78)
Check out the new format of our newsletter! 🔥
Weekly Blaze PodcastEpisode 96November 25 2019
Disney+ Hacked AccountsBlack Friday ScamsAndroid Camera Exploits
Hello!We're trying something different for our email subscribers starting with this edition of the newsletter! Below you'll find the transcript of the weekly show with links to articles and other topics. We hope you find this useful to quickly reference what was discussed on the show each week!Thieves using Wifi and Bluetooth Scanners for Smash-n-Grab Robberies
In the news this week I read an article about how thieves are walking through parking lots using cheap Wifi and Bluetooth scanners to determine if someone has a smartphone, laptop, or other expensive wireless device located in their car. Once a car is identified, a smash-n-grab robbery takes place by breaking the car window and looting though the car for electronics. So this means, even if you have your smartphone out of sight in a glove compartment, a thief can still find it because of the wireless beacons always being sent out from the device. This is definitely concerning as thefts have already been taking place in major cities like San Francisco. Of course the most sound advice is to never leave valuable wireless electronics in your car, but if you do, make sure you keep your devices out of sight and protect it with a Silent Pocket faraday bag. A faraday bag blocks all wireless signal keeping your device completely off the grid and unable to be identified. And because you listen to this podcast you can receive 15% off your order right now at silentpocket.com using discount code "sharedsecurity" at checkout.Thousands of Disney+ Accounts Hacked
The launch of the new Disney+ video streaming service has really taken off over the last few weeks and it's so popular it's become a target for attackers looking to hijack user accounts and sell them on hacking forums and dark web marketplaces. Recent statistics show that 10 million people signed up for the service within the first 24 hours of the launch. 10 million people to target is very attractive to attackers looking to make a quick buck. Prices for hacked Disney+ accounts look to go for about $3 per account to as much as $11. This news is not that surprising because other video streaming accounts like Netflix and Hulu have suffered from the same issues. The biggest way that your Disney+ or other video streaming account gets hacked is because of an attack called credential stuffing. This is where attackers use automated scripts to randomly try user name and password combinations from lists of credentials from previous data breaches. If you happen to use the same password for each site and service, you can easily become a victim to this attack. The other way your account can be hacked is if there is malware or a keylogger installed on your PC or Mac. Malware like this will typically monitor for usage of one of these video streaming services and send your credentials within seconds to the attacker. Once the attacker logs into your account they will change the password and the email address so that you can't get back in to your own account.
One of the defenses that I see lacking on all of these video streaming services, like Disney+, is the option to enable two-factor authentication on your account. That way, there is at least another layer of security that an attacker needs to go through. The best defense for all of us though, while we wait for video streaming apps to support two-factor authentication, it to use a unique and complex password for each site and service that we use. And if you want to make managing your passwords easier, use one of the many different password managers that are available. I recommend KeePass as it's free and very easy to use. Check out our show notes for links to KeePass and other popular password managers.Black Friday and Cyber Monday Scams
Tis the season for Black Friday and Cyber Monday shopping! And that means it's also time to be aware of common scams to be on the lookout for this holiday shopping season. Like every year, the common theme applies. Scammers use social engineering techniques to convince you to click on a link or giveaway personal details because of a deal or price on a hot product that may seem just too good to pass up. This means, be wary of any emails, phone calls, text messages, and even pop-up ads on the web asking you to click a link or open up an attachment. Another popular scam to look out for is noticing if your password is no longer working on a site or app that you quite frequently use. While we all fat finger a password now and then, if your password is not working and you're unable to reset it there is a good chance that your account was hacked. In this case, contact the site or app's customer support right away so that they can re-enable a hijacked account. There is also a scam with gift cards that many don't know about which made the news last year. Ever notice with some gift cards that there is an area to scratch off which will show an activation PIN? Well apparently scammers are going into retail stores, scratching off the material to reveal the PIN and then scanning the card's serial number on a handheld reader. The scammer then puts a new scratch off decal on top of the old one to make it look like the card wasn't tampered with. Scammers will then monitor the gift card accounts online until they are activated at the register. After the card is activated the card's data is encoded on a blank card to purchase products which are sold online or through a classified ad. My advice is to always check the back of any gift card you may be purchasing to see if it was tampered with or only purchase gift cards that are close to the register. Better yet, only purchase gift cards online. And lastly, be safe this holiday shopping season by making sure you think, before you click.
And now a word from our sponsor, Edgewise Networks
The biggest problem in security that remains unsolved are flat networks in cloud and data centers, with unprotected attack paths that allow threats to move laterally to cause data breaches.But microsegmentation using network addresses is complicated and takes too much time.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation."
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which allows workloads to communicate only after their software identity has been verified. Malicious or unapproved software is no longer allowed to communicate.
Identity-based protection provides more coverage with fewer policies to make Edgewise simple to deploy and manage. No changes to the application or the network are required. One solution protects virtual machines and containers, in the cloud and on premises.
To stop lateral threat movement and prevent breaches, visit edgewise.net for a demo and see results within minutes.New Camera App Vulnerabilities found affecting Google and Samsung Smartphones
Google and Samsung disclosed several serious security vulnerabilities last week which could allow an attacker access to the camera app on Google Pixel and Samsung smartphones. This vulnerability would allow an attacker to remotely take pictures, record video, spy on conversations, access your location data, and more. Researchers from security firm Checkmarx, who discovered the vulnerabilities said that "After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so." The researchers demonstrated this attack by creating a seemingly innocent weather app which did not require any special permissions except basic storage access. This permissions request alone would not normally cause concern especially since we're all trained to click on all the prompts so that we can just get the app installed. The app did more than tell the weather though, it could create a persistent command and control connection to a remote server which could issue commands to record video, take pictures, monitor conversations, and much more. All of this could also be done even when the app was closed and without the user knowing anything was being recorded.
The good news is that both Google and Samsung have fixed the vulnerability before the Checkmarx disclosure was made to the public last week. If you happen to have a Google Pixel or Samsung smartphone, make sure you download the latest version of the Google Camera app from the Play Store and ensure that your Android operating system is up to date.
October Monthly ShowEpisode 93
Tom and Scott review the Firewalla home network device, talk about the 15 most dangerous (or scary) apps for kids that parents need to be aware of, and the rise of the Deepfake!
Watch this episode on our YouTube Channel!
Shared Security is now on GetVokl!
We live stream our monthly show on a new interactive video chat and streaming service called GetVokl!
to get notified when we will be live and to watch previous episodes!
Thank you to our sponsor
Silent Pocket!
Take advantage of this exclusive offer and help support this podcast!
Visit
to shop Silent Pocket's great line of privacy focused products.