New Episode Alert EP112
How will COVID-19 impact cybersecurity?
Weekly Blaze Podcast, Episode 112, March 16 2020
The COVID-19 Cybersecurity Impact, Hacking the Hackers, Whisper App Data Leak
Thank you to everyone that took our listener survey! Your feedback is greatly appreciated! We'll be discussing the results of the survey on our next monthly show currently scheduled for March 19th.
Clean your smartphone and do it often!
It goes without saying, your smartphone is probably one of the biggest carriers of germs that we use every day. And with the coronavirus, it goes without saying, you need to be cleaning your smartphone much more frequently. I mean, when was the last time you cleaned your smartphone? You could easily do this with soap and water but a bit of rubbing alcohol on a paper towel works great too and also won't damage your screen. And to help prevent using a contaminated smartphone in the first place, think about picking up a Silent Pocket faraday sleeve to protect your phone when you're not using it. A faraday sleeve also has the privacy benefit of taking yourself completely off the grid. Pick one up today at
and don't forget to use discount code "sharedsecurity" to take 15% off your order.
The Impact of COVID-19 on Cybersecurity
The coronavirus, also known as COVID-19, has turned into a global pandemic according to the World Health Organization last week, and the entire world seems to be in quarantine and lockdown mode. Everything is canceled, and for good reason, as social distancing is meant to help stop the spread of the virus. But unfortunately, there seems to be a lot of misinformation, bad advice, and even a run on toilet paper and bottled water here in the US. It's like we all threw common sense out the window and started to prepare for a hurricane instead of a virus outbreak. So I'll say this: only trust valid sources like the World Health Organization or the CDC for accurate information about the coronavirus and how to protect yourself. So be on the lookout for phishing attacks looking to trick you into clicking on links or handing over personal information due to the concern about COVID-19. And the best advice from health professionals is still to stay at home if you're sick, wash your hands, and don't touch your face.
But what about COVID-19's impact on cybersecurity? It's definitely a huge impact and it's not just
and other cybersecurity events being canceled. It comes down to something called business continuity. Let me explain. So there is this tenet of information security (or nowadays what we call cybersecurity) which is called the "CIA Triad" and that is Confidentiality, Integrity, and Availability. Availability is about keeping websites, back-end systems, networks, and other IT-related systems functioning, especially now, in times of a crisis. Now this tenet is not only about keeping systems up and running but it also means keeping these systems secure. So for example, with everyone in the corporate world working from home because of COVID-19, now would not be the best time to update or replace the corporate firewall or make changes to the VPN that your entire company uses to access internal resources. With everyone working from home, that alone puts a huge stress on networks and corporate systems, so organizations hopefully have prepared for this in their business continuity plans.
And speaking of working from home, for most organizations, cybersecurity practices shouldn't change much as long as remote workers have been considered in current IT and cybersecurity policies. For example, is all work for your company being done on a corporate provided laptop that is encrypted and managed by the IT department? And do you have a policy against using personally owned systems for company business? How about how confidential documents on paper are being stored and destroyed? Are your employees printing sensitive documents and do they have access to a shredder like they might have back in the office? Like I said, these are just a few examples of cybersecurity considerations but all of this really starts with creating a remote work policy. If you or your organization is looking for some advice on how to create a basic policy for remote employees, check out our show notes for links to resources about creating
as well as advice on
.
My last thought on this is that cyber-attacks won't be going down because of COVID-19, in fact, they will only increase as
of organizations, and individuals, that have not thought about business continuity or were too caught up in the COVID-19 panic. Speaking of…don't panic! Overreacting about COVID-19 won't help you, your families, or your organization.
Hackers are targeting other hackers by infecting their tools with malware
As the old saying goes, there is no honor among thieves, and that is true even in the criminal hacker underground. And a story about
suggests that hackers are now targets of other hackers who are infecting and repackaging hacking tools with malware. Researchers from security firm Cybereason, who conducted a year-long campaign, found that hackers are taking existing hacking tools and putting in trojanized malware so that when these tools are installed, complete remote access would be given to the other hacker so that they can either steal compromised data, or worse, gain complete access to the hacker's system. Specifically, one tool in particular called SQLi Dumper, which is used to perform SQL injection attacks and data dumps, had a trojanized "key generator" program bundled with the software. Key generator software (known as "keygen" in the hacker community) are programs that provide illegal license keys for commercial software. Keygen programs are often part of what is called "cracked" software, which is the popular (and illegal) practice of pirating commercial software for free. These cracked programs are typically bundled or found as separate downloads on many different hacker forums, blogs, and file sharing services like BitTorrent. One of the Cybereason researchers, Amit Serper, was quoted in the TechCrunch article saying quote "If hackers are targeting you or your business and they are using these trojanized tools it means that whoever is hacking the hackers will have access to your assets as well" end quote. What's more scary is that penetration testers or other security researchers could also be using these same cracked tools for legitimate, authorized testing, which could give hackers access to corporate networks or other systems. As a penetration tester myself, I would hope that professionals like these are getting their tools from legitimate sources and paying for them. If you're interested in hearing more about this research and ongoing investigation, check out our show notes for a
.
Whisper, an anonymous secret-sharing app, failed to keep messages or profiles private
I love these stories of apps that say that you can post sensitive messages, stay anonymous, or have your identity hidden so you can share secrets with others, and they end up with either a gaping security hole or vulnerability that exposes all the information about who is using their service, their physical location, and even in some cases, the secret messages themselves. Well
. And apparently 900 million records were found going back to 2012 when the app was first launched. While these records did not contain user names, they did include nicknames, ages, ethnicities, genders, hometowns, group memberships and location data tied to posts. Location data actually included coordinates which, well, would point back to someone's house or school. Whisper did fix the issue with the exposed database once they were alerted and have also notified federal law enforcement agencies. This is actually not the first time that Whisper has had a privacy and security issue. Back in 2014, The Guardian revealed that users' locations were being tracked despite changing the app setting to disable location monitoring. The lesson for all of us? You probably shouldn't trust any app that says you can post secrets anonymously and trust their service to actually do so. Like in this case, it wasn't even the app itself that had a vulnerability, but rather an outside database of app data that wasn't even tied to the application itself. So you might want to take the most secure approach with your secrets, and just keep them to yourself.
February Monthly Show, Episode 97
In episode 97 of our monthly show we discuss how Chinese hackers caused the Equifax data breach, new coronavirus phishing attacks to be aware of, and how to stay (almost) anonymous online.