What are the top default passwords for home IoT devices?
Weekly Blaze Podcast, Episode 111, March 9 2020
Topics: IoT Device Attacks; The FCC Fines Mobile Carriers; Let's Encrypt HTTPS Certificate Bug
Take our 2020 listener survey and get entered into our drawing for a $25 Amazon gift card! We'll have the survey open until March 14th so visit
to provide your feedback about the show. And thank you for your feedback, we really appreciate it. I also want to give a huge thank you to our sponsor, Silent Pocket, for supporting our show over the last several years. Check out all of their privacy focused products at
and make sure you use discount code "sharedsecurity" to take 15% off your order.
Attacks targeting IoT devices increased last year
Cybersecurity company
which shows that while ransomware attacks continue to have a devastating impact, the majority of the billions of attacks tracked by F-Secure actually target devices that don't have keyboards, like Wi-Fi routers, web cameras, and other Internet of Things devices. F-Secure stated in their report that they've seen a significant increase in attack traffic to their "honeypot" or decoy servers, specifically targeting ports on these devices that provide remote access or have known vulnerabilities. The next step in these attacks, of course, is to try common default passwords in order to log in to the device. And as you may have guessed, these passwords have never been changed by the device owners. So what were some of the most common passwords that were found? 12345, default, password, "root", and of course "admin". Now once an attacker is able to log in to the device, the majority of these devices are then used for botnets, which are typically found in Distributed Denial of Service (or DDoS) attacks on websites and other systems.
So what is the lesson for all of us? Well, change those default passwords on any of your Internet of Things devices, if you can. That's right, unfortunately some of these cheap webcams and other devices you get off of Amazon don't give you the ability to change default passwords. Even worse, some of these devices can punch a hole through your router's firewall, leaving default ports and services wide open to the entire Internet! Check out our show notes for a
to see if you have any devices running at home that may be exposed to the Internet, and for
for securing your Internet of Things devices.
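The two conditions the segment describes, a factory-default login and remote-access ports reachable from the Internet, are easy to audit against your own device list. The script below is an added illustration for this episode, not code from Shared Security or F-Secure: the inventory is constructed, the set of "remote admin" ports is my assumption, and the default-password list is the one named in the episode plus a few common factory values.

```python
"""Audit a home IoT inventory for the two risks F-Secure's honeypot data
points to: unchanged factory passwords and remote-management services
exposed to the WAN. Added example; inventory below is constructed."""

# Passwords called out in the episode, plus a few common factory logins.
DEFAULT_PASSWORDS = {"12345", "default", "password", "root", "admin",
                     "1234", "123456", ""}

# Ports that typically carry a device's remote-management service
# (telnet, ssh, web admin, Android debug, DVR control). Assumption.
REMOTE_ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443, 5555, 37777}

# Constructed sample inventory: name, admin user, admin password, and the
# ports the router forwards from the Internet to the device.
INVENTORY = [
    {"name": "kitchen-cam", "user": "admin", "password": "admin",
     "wan_ports": [80, 554]},
    {"name": "router", "user": "admin", "password": "Tq7!vL29pmZx",
     "wan_ports": [443]},
    {"name": "doorbell", "user": "user", "password": "12345",
     "wan_ports": []},
    {"name": "nas", "user": "admin", "password": "Correct-Horse-9-Staple",
     "wan_ports": []},
]


def is_default_credential(user, password):
    """True if the password is a known factory default or just the username."""
    p = password.strip().lower()
    return p in DEFAULT_PASSWORDS or p == user.strip().lower()


def exposed_admin_ports(device):
    """Remote-management ports forwarded to this device from the WAN."""
    return sorted(set(device["wan_ports"]) & REMOTE_ADMIN_PORTS)


def audit_device(device):
    """Return (severity, findings). Severity is None when nothing is wrong.

    critical: default password AND admin service reachable from the Internet
              (exactly the combination botnet scanners look for)
    high:     default password, device not reachable from the Internet
    medium:   admin service reachable from the Internet, non-default password
    """
    findings = []
    if is_default_credential(device["user"], device["password"]):
        findings.append("factory-default or username-equal password")
    ports = exposed_admin_ports(device)
    if ports:
        findings.append("remote admin reachable from WAN on port(s) "
                        + ", ".join(map(str, ports)))
    if len(findings) == 2:
        return "critical", findings
    if findings and ports:
        return "medium", findings
    if findings:
        return "high", findings
    return None, findings


def audit_inventory(inventory):
    """Map device name -> severity for every device with at least one finding."""
    report = {}
    for device in inventory:
        severity, _ = audit_device(device)
        if severity:
            report[device["name"]] = severity
    return report


if __name__ == "__main__":
    for device in INVENTORY:
        severity, findings = audit_device(device)
        if severity:
            print(f"{device['name']}: {severity.upper()}")
            for f in findings:
                print(f"  - {f}")
```

Run it against a real inventory by replacing the constructed list; any device rated "critical" is the first one to fix, since it is reachable from the Internet with a password that appears on every scanner's list.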
The FCC fines wireless companies for selling users' location data
. You may remember that back in 2018 a company called "Securus" had sold law enforcement agencies access to the locations of people's cellphones without any oversight or warrant. Further investigation by several journalists revealed that many other similar companies were also selling location data that they had purchased from the major mobile carriers. And while the carriers all said that they would stop selling location data, many of them were caught still sending customer data to these third parties. So several years later, the FCC finally does something about it and now proposes individual fines for each carrier based on the amount of time that the carrier sold access to customer data and the number of third-party companies it sold the data to. FCC Chairman Ajit Pai said in a statement, quote, “The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information, and since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t,” end quote. Of course, the carriers can dispute these fines, and they have all said that they "take the privacy and security of our customers' data very seriously," but you know as well as I do that a statement like that is probably too little, too late.
In other mobile carrier news, if you happen to be a T-Mobile customer, you need to be aware of a new breach of T-Mobile customer data. T-Mobile stated last week that their internal security team discovered an attack against their email vendor which exposed the personal data of T-Mobile customers and employees. Information accessed may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information. Thankfully, financial information (including credit cards) and Social Security numbers were not impacted. No other details were provided, including how many customers were affected by this breach, but if you were, you should have received an email notification from T-Mobile. For more information check out our show notes for a
.
Let’s Encrypt discovers CAA bug, must revoke customer certificates
So what happens when an HTTPS certificate provider makes a coding error when issuing certificates that are used to secure over 3 million websites? Well,
and make all of those 3 million certificates invalid! And that's exactly what happened last week to free HTTPS certificate provider Let's Encrypt. It also means a lot of work for you or your organization if you maintain a website with a recently issued Let's Encrypt certificate. If you're not aware, HTTPS certificates, also known as TLS or SSL certificates, are what provide secure communications over the Internet. So for example, when you visit your online bank you (hopefully) should see a "lock" in your browser window indicating that you have a secured connection to your online bank. HTTPS certificates make this all happen, and if there is an issue with a certificate for a particular site, your browser will tell you that the site is not safe to browse to because of a certificate issue. In the case of the Let's Encrypt certificate bug, if customers do not renew these certificates within a certain time period, visitors to their website will see security warnings noting that the site is not secure. Originally, this deadline was set to March 4th, which was only thirty-six hours after the initial announcement about the bug. However, Let's Encrypt
. The bug itself was in Let's Encrypt's Certificate Authority code, which allowed some domains to go unchecked for what is called CAA (which stands for Certificate Authority Authorization), a DNS record a domain owner publishes to say which certificate authorities are permitted to issue certificates for that domain. Although the vast majority of the revoked certificates posed no security risk, they were not issued in full compliance with security standards. Check out our show notes
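To make the CAA check concrete, here is the decision a CA has to make for every name it is asked to put on a certificate. This is an added example written for this episode, not Let's Encrypt's code: the zone data is constructed, DNS is replaced by a dictionary, and CNAME handling is left out. It follows the CAA rules from RFC 8659: walk up from the requested name to the closest non-empty CAA record set, apply "issue" for ordinary names and "issuewild" (falling back to "issue") for wildcard names, treat an empty issuer such as ";" as "nobody may issue", and refuse if a record carries the critical flag with a property the checker does not understand. The last function checks a whole list of names and returns those that fail, which is the step a CA must not skip for any name on the certificate.

```python
"""CAA (RFC 8659) authorization check over a constructed DNS zone.
Added example; not Let's Encrypt's own code. Records are (flags, tag, value)."""

CRITICAL_FLAG = 0x80               # RFC 8659 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone. Keys are fully qualified (trailing dot).
CAA_ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),           # no CA may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "cdn.example.com.": [(0, "issue", "digicert.com")],
    "example.org.": [],                  # no CAA anywhere in this tree
}


def caa_lookup(name, zone=CAA_ZONE):
    """Return the closest non-empty CAA record set for name, walking toward the root."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domains(rrset, tag):
    """Issuer domain names for one property tag; '' means 'nobody'."""
    return [value.split(";")[0].strip().lower()
            for _flags, t, value in rrset if t == tag]


def ca_may_issue(ca, name, zone=CAA_ZONE):
    """Decide whether CA `ca` (e.g. 'letsencrypt.org') may issue for `name`."""
    wildcard = name.startswith("*.")
    rrset = caa_lookup(name[2:] if wildcard else name, zone)
    if not rrset:
        return True                      # no CAA anywhere: unrestricted
    # A critical property we do not understand forbids issuance outright.
    if any(flags & CRITICAL_FLAG and tag not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                # issuewild overrides issue for wildcards
    domains = issuer_domains(rrset, tag)
    if not domains:
        return True                      # no relevant property: unrestricted
    return ca.lower() in domains         # '' in the list never matches a CA


def unauthorized_names(ca, names, zone=CAA_ZONE):
    """Names on a certificate request that CAA forbids `ca` from issuing."""
    return [n for n in names if not ca_may_issue(ca, n, zone)]


if __name__ == "__main__":
    request = ["www.example.com", "cdn.example.com", "*.example.com"]
    print("blocked for letsencrypt.org:", unauthorized_names("letsencrypt.org", request))
```

The same walk applies to your own domains: publishing an "issue" record for the CA you actually use, and "issuewild ;" if you never need wildcard certificates, limits which CAs can issue for you even if some other CA's checks fail.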