New Episode Alert

Don't become a victim of phone and voice fraud! 🔥

Weekly Blaze Podcast
Episode 97
December 2, 2019

Preventing Phone and Voice Fraud
The Great Twitter Account Purge
Adobe Magento Marketplace Data Breach

Preventing Phone and Voicemail Fraud

Phone and voicemail fraud is on the rise, so it's important to be aware of attacks like these, especially during the holidays, when we see many more scams than at any other time of year. Odds are that you'll receive a fraud or scam phone call pretty much on a daily basis. So I wanted to provide my top tips for ensuring you don't become a victim.

My first tip is to never pick up a call from a number you don't recognize. Let the call go to voicemail, as most of these attacks are automated and won't leave a voicemail anyway. For the ones that do leave you a voicemail, listen to these messages carefully. Many, like the ones you hear from the IRS or some other government agency, are recorded with a computer voice and are very easy to make out as a scam. If you're not sure a voicemail is legitimate, go to the company's website to find the phone number so you can call to verify on your own. Never ever call back the number that's left in the voicemail.

My next tip is about not giving away personal details unless you know who you're talking to. For example, someone may call you spoofing the number of someone you know and then proceed to ask you for passwords, your social security number, or other personal or work details, all the while pretending to be someone you trust. This type of fraud may even use deepfake software to make a voicemail or their voice sound like someone you know. Make sure you ask why they are calling, and ask them a question that only the real person would know the answer to. It's always a good idea to hang up and call or text your trusted friend to find out if it was really them calling you or not.

My last tip is on how to best prevent attacks like wire transfer fraud or other "Business Email Compromise" scams (known as BEC scams) that have traditionally targeted small to medium-sized businesses over email. BEC scams have now evolved to calling you or leaving you an automated voice message. These types of BEC scams use fairly complex social engineering techniques, such as pretending to be a law firm that works with your company, an auditor, or even someone higher up in the organization whom you can actually verify in a corporate email directory or website. In all of these BEC scams, the attacker will ask you to transfer money in some form or fashion, and there will always be a sense of urgency and sometimes even panic to get you to make a poor decision. To combat an attack like this, first make sure your company has a documented internal procedure for money and wire transfers. Good procedures will have some type of approval process outside of email and phone calls to eliminate this type of fraud in the first place. Lastly, just like with all other forms of fraud, your first instinct is almost always the right instinct. So if you think a call is suspicious, it most likely is, so just hang up.

Twitter Account Purge

Twitter recently announced that they will be deleting inactive accounts in order to free up usernames and to reduce the risk of old accounts being hacked. However, this move has been met with some criticism, as people are concerned that the accounts of people who have died over the past ten years or so will be deleted with no way to have the tweets from their accounts saved. In a recent email to users, Twitter said that they will start deleting older accounts that have not been logged into in the last six months, unless users log in before December 11th.

Now, because of the huge backlash from users, Twitter posted an update late last week stating that they will hold off on deleting inactive accounts until they develop a way to memorialize inactive accounts of the deceased. This brings up an interesting topic from a security perspective regarding accounts that we've created so that people can't impersonate us or our businesses on social media. For many years, as far as I can remember, the advice has always been to create "dummy" Twitter accounts with your real name, nickname and so on. That way, someone can't create an account to pretend they are you on Twitter. This is probably more important for businesses that need to protect their brand, or for celebrities and politicians who are frequent targets of impersonation attacks. Still, this news (even though, for now, the great Twitter user purge may be delayed) means that if you have any fake accounts created in your name, for whatever purpose, you best be logging in to them soon or they may be gone forever.

And now a word from our sponsor, Edgewise Networks

The biggest problem in security that remains unsolved is flat networks in cloud and data centers, with unprotected attack paths that allow threats to move laterally to cause data breaches. But microsegmentation using network addresses is complicated and takes too much time.

But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation."

Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable.

At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which allows workloads to communicate only after their software identity has been verified. Malicious or unapproved software is no longer allowed to communicate.

Identity-based protection provides more coverage with fewer policies to make Edgewise simple to deploy and manage. No changes to the application or the network are required. One solution protects virtual machines and containers, in the cloud and on premises.

To stop lateral threat movement and prevent breaches, visit edgewise.net for a demo and see results within minutes.

Adobe Magento Marketplace Data Breach

Last week Adobe announced that their Magento Marketplace was the victim of a data breach. Magento is a large e-commerce content management system used by over 250,000 customers for software add-ons, extensions, and other third-party services. Many of these services are payment integrations and checkout applications that are used by many major websites. Adobe sent out an email to customers stating that a vulnerability was discovered on November 21st that had allowed an "unauthorized party" to access account information including names, email addresses, MageID, billing and shipping addresses, phone numbers, and some commercial information such as payment percentage amounts to developers. No passwords or payment data were compromised. In an odd blog posting about the breach, Adobe stated only high-level details and nothing about how many accounts were affected or how long the breach was going on before it was discovered. The post ends with a message about maintaining good security hygiene by keeping your Magento instance and extensions current, and refers readers to the Magento Security Center to help ensure the security of their Magento store.

This isn't the first time Magento has had a security incident. Earlier in April, a SQL injection flaw in Magento's e-commerce platform was being exploited by attackers shortly after a public disclosure of the vulnerability by security researchers. In this instance, Adobe had patches readily available just a week prior to reports of the flaw being exploited in the wild. This is yet another example of why patches and updates for critical systems need to be applied on a frequent basis.

October Monthly Show
Episode 93

Tom and Scott review the Firewalla home network device, talk about the 15 most dangerous (or scary) apps for kids that parents need to be aware of, and the rise of the Deepfake!

Watch this episode on our YouTube Channel!

Shared Security is now on GetVokl!

We live stream our monthly show on a new interactive video chat and streaming service called GetVokl!

to get notified when we will be live and to watch previous episodes!

Thank you to our sponsor

Silent Pocket!

Take advantage of this exclusive offer and help support this podcast!

Visit

to shop Silent Pocket's great line of privacy focused products.