New Episode Alert EP104
Details on the new critical Windows vulnerability! 🔥
Weekly Blaze Podcast, Episode 104, January 20, 2020
Topics: Critical Windows Vulnerability, Dating App Security Risk, Apple iOS Privacy Features
Are you in the market for a high quality and stylish backpack, briefcase, clutch, or wallet? If so, make sure you buy something that has privacy built right into the product. And there is only one company that provides the best products on the market, and that's Silent Pocket. Visit their full line of patented faraday products at
and don't forget to use discount code "sharedsecurity" at checkout to take 15% off your order.
Major Windows flaw was discovered and reported by the NSA
Last Tuesday,
but this time there was news of one particular patch which fixes a very critical and exploitable Windows vulnerability. The vulnerability, called a "CryptoAPI spoofing vulnerability", could allow a remote attacker to create spoofed code-signing certificates which could be used to "sign a malicious executable, making it appear the file was from a trusted, legitimate source." This means the user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. Microsoft also states that "a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software." This vulnerability is so serious that Microsoft is warning that attackers could easily reverse engineer the patch to create exploits immediately.
Most surprising about this particular vulnerability is that
and is the first time ever that the NSA has shared a vulnerability with Microsoft. It's also the first time that Microsoft has credited the NSA for finding a flaw in the Windows operating system. Of course, there is speculation that the NSA may have known about this vulnerability for quite some time and may have even used it to exploit targets in the recent past. There is no way of knowing this; however, you may remember that back in 2017
when they had accessed all of the NSA's top secret spying tools.
My take is that any disclosure of serious vulnerabilities by the NSA to the commercial sector is a good thing and is hopefully a trend that we'll continue to see. Regardless, if you are using Windows 10 or Windows Server versions 2016 and 2019, you need to patch your systems immediately. Check out our show notes for
on how to ensure you're patched for this latest exploit.
Windows 7 end of life announcement
In other Windows news,
. This means if you still have a system running Windows 7, you need to upgrade to Windows 10 as soon as possible. Why should you upgrade? Well, the biggest reason is so you can stay protected with the latest security updates from Microsoft, because Microsoft is now under no obligation to issue any patches for Windows 7. Upgrading is especially important for organizations that may still have hundreds or more Windows 7 systems handling business data. So do yourself a favor, ditch Windows 7 and upgrade to Windows 10 as soon as you can.
Dating apps could pose a national security risk
If you happen to be single, dating apps like Tinder, Hinge, and Grindr seem like a great way to meet that special someone, or perhaps that special someone right now. But did you realize that these apps collect much more personal data than you think? Not only that, but did you know that these apps have recently been classified by US government officials as a national security risk, in which app data could be used by foreign intelligence agencies? So why is the US government so concerned about dating apps? Well, it all comes down to who actually owns the companies that make these apps. For example, Grindr is owned by a Chinese gaming company called "Kunlun Tech", and as many of you are aware, China is very much an authoritarian country, meaning that if China tells a business to hand over customer data, that business is going to do that or face arrests, fines, or worse. And app companies like Kunlun Tech don't even try to hide this fact, as Grindr's privacy policy even states "it cannot guarantee the security of your personal data." The data collected by Grindr is also quite personal and revealing, such as preferred sexual positions, HIV status, profile pictures, race, and location data with time stamps of when the app was used. Some apps like Hinge actually collect information about a person's drug use. And requesting your data or having it removed from these apps is another challenge altogether. Privacy laws such as GDPR in Europe complicate the process when many of these companies are actually owned by US companies or others outside of Europe. As you know, only California has a privacy law (the CCPA), so the handling of your personal data may vary depending on the state you live in.
So if you're currently using one of these apps, should you continue to do so? If you care about your personal data, I would strongly suggest researching your particular app's privacy policy to see how they handle and remove your data. Perhaps it's best to say that you should use these apps "at your own risk". As if dating wasn't risky enough.
Apple’s new privacy features have further rattled the location-based ad market
In other privacy news,
. This update now shows pop-up messages whenever an app is attempting to access a user's location. This recent change by Apple has made such an impact that ad companies, which make money off of collecting user locations, have reported that there is less location data coming in from apps. In one example, an ad company reported that three years ago opt-in rates to share location data were close to 100%. Now, that number has dropped to about 50% because people have a choice whether or not to share their location data. This change also impacts ad companies that are tracking foot traffic in stores through the use of Bluetooth beacons: the same change that Apple made will also pop up a confirmation message whenever an app tries to access your Bluetooth wireless connection.
So does this mean that ad companies and marketers are soon to be out of business because of this recent decline in data? No, not by a long shot. First, they still have a ton of previous data which is repackaged and continuously sold because there is a huge demand for this type of data. In fact, because the amount of this data is becoming more limited, these companies will most likely start to charge a premium, giving them even more profit. Look, your location data and anything else about you that may not seem that significant is worth money to ad and marketing companies. It's great that Apple is finally putting in better privacy controls to limit personal data, but even with these controls, ad and marketing companies will still find ways to monetize every piece of data that they can get.
December Monthly Show, Episode 95: In episode 95 of our monthly show we're joined by special guest Rebecca Herold, the "Privacy Professor". Rebecca is a well known expert in the privacy and cybersecurity community and gives us an update on what she's been working on, what her thoughts are on the current state of privacy regulations (CCPA, GLBA, etc), and what we may see in 2020 from a privacy perspective. We also talk about Rebecca's favorite books and her encounter with famed author Cliff Stoll who wrote "The Cuckoo's Egg".
Watch this episode on our YouTube Channel!
Top 10 Episodes in 2019: We've had a fantastic year bringing you the latest cybersecurity and privacy topics and news. Thank you for being a listener and supporting the show! If you haven't listened to our most downloaded episodes from the year, here's your chance. Click the link below to listen to each episode and share with your friends!
Shared Security is now on GetVokl!
We live stream our monthly show on a new interactive video chat and streaming service called GetVokl!
to get notified when we will be live and to watch previous episodes!
Thank you to our sponsor Silent Pocket!
Take advantage of this exclusive offer and help support this podcast!
Visit
to shop Silent Pocket's great line of privacy focused products.