New Episode Alert EP128

TikTok and your privacy 😬

Weekly Blaze Podcast, Episode 128, July 6, 2020

Topics: new TikTok privacy concerns, macOS ransomware, new research about bad passwords

It's a crazy world out there right now, but one thing we can all agree on is that protecting our privacy is more important than ever. With hackers, governments, and others trying to access and use our private data, we need to be more proactive about our privacy. A great way to start taking control of your data is by purchasing Silent Pocket's privacy starter kit. This starter kit includes a medium-sized faraday sleeve for your smartphone, a flexible key fob guard, and privacy stickers for your laptop. Pick up your privacy starter kit today by visiting

and don't forget to take 15% off by using discount code "sharedsecurity".

Over 90% of individuals show risky behavior in handling potential phishing messages according to Click Armor's free

. This engaging coronavirus edition of CanIBePhished.com can help identify your team's total vulnerability to phishing attacks that exploit the pandemic situation. So test your own vulnerability to phishing attacks for free now at

.

Welcome to this week's edition of the Shared Security Weekly Blaze where I bring you the most important privacy and cybersecurity news in under 10 minutes. Before we get into this week's news, I want to remind you of two recent episodes that you should definitely check out. First is my interview with fellow podcaster Andy Murphy who hosts The Secure Dad Podcast. In this episode, Andy and I have a great conversation about family safety and security. Check out Andy's show as he's doing some great work over at The Secure Dad Podcast. I also recorded episode 101 of our June monthly show with co-host Scott Wright where we talk about the dangers of the EARN IT Act here in the United States, another facial recognition fail, and the announcement of Scott's new podcast adventure, Can I Be Phished. You can listen and watch these episodes on our YouTube channel or by visiting our website sharedsecurity.net. And now, on to the news.

TikTok Reverse Engineering Highlights Massive Privacy Problems

TikTok was in the news this past week and not for any particular viral video that has made TikTok one of the most popular social apps in recent years (and if you have kids in your house, you probably know what I'm talking about). But this time it was news about how

reverse engineered the TikTok app and revealed several concerning privacy issues. Highlights include that TikTok can collect your phone's hardware data, determine which applications are installed on your device (including those previously deleted), collect your IP address, network details, and GPS location data, and even determine whether you've jailbroken or rooted your mobile device. To make things worse, the TikTok app developers put protections in place to prevent someone from reverse engineering or debugging the app, and have used encryption on things like analytics requests, with encryption keys that change on every new update of the app. Worse yet,

showing how TikTok takes snapshots of the clipboard after a user enters just a single character on their device. The clipboard is where anything you copy is temporarily stored on your device. This issue happened to be revealed when a user was testing a beta version of iOS 14, which has new protections built in for when an app tries to access your clipboard. It's also important to note that TikTok is owned by a Chinese company called ByteDance, and with the recent rise in popularity of this app there have been many concerns that it may be part of a much larger data collection program by the Chinese government. In related news, last week

due to concerns that these apps are a threat to India's national security. This is the first time India has banned so many Chinese-made apps over such concerns.

Now, it should be no surprise that many other mobile apps are probably using many of the same data harvesting techniques that TikTok is, though I suspect the fact that TikTok happens to be owned by a Chinese company leads it to receive more scrutiny than other similar viral apps. All apps have the ability to collect this information, but the good news is that Android and Apple iOS are getting a lot better at notifying you of at least some of this shady behavior. As always, whether you should be using an app like TikTok in the first place comes down to your own personal risk decision if you really care about your privacy. Now try telling that to your kids who may be using TikTok to create the next viral video.

A New Ransomware Targeting Apple macOS Users Through Pirated Apps

Ransomware has traditionally focused on users of Microsoft Windows, mainly because most exploit kits are designed specifically for the Windows operating system. But this changed last week when news broke that

. This new variant, called "EvilQuest", is spread through pirated copies of legitimate apps and upon installation disguises itself as Apple's CrashReporter service or Google Software Update. Like most other types of ransomware, this one will of course encrypt your files, but it will also log your keystrokes, create a reverse shell, and steal any cryptocurrency wallets you happen to have stored on your Mac. The source of the malware seems to be trojanized versions of popular Mac software, including Little Snitch, Ableton Live, and the DJ software Mixed in Key 8. These trojanized versions are freely available on popular BitTorrent sites. As with any ransomware, if you happen to get infected, it's always advised to never pay the ransom and to always have backups of your data. That is, of course, backups that are not attached to your Mac. For Mac users, that means using an external hard drive for Time Machine backups and detaching the drive after a backup is completed. It's also important to know that, to avoid getting infected with ransomware in the first place, you should probably not download pirated software off of BitTorrent sites at all. This is, of course, illegal, and most pirated software, as in this example, comes with the added bonus of ransomware.

Looking for a VPN provider that's fast, reliable, and has your privacy in mind by never logging your web browsing activity? Then you need the VPN that I use, and that's Private Internet Access. And right now you can get a great deal and save 73% off a two-year plan for only $69.95. They will even throw in 2 months for free. And the best part? When you purchase your VPN subscription through our affiliate link, you help support this show. Visit

today to take advantage of this limited time offer from Private Internet Access.

One out of every 142 passwords is '123456'

Poor password choices are still one of the biggest problems we have in cybersecurity, and unfortunately that's a problem that is not going away anytime soon. So when I saw the following story about one of the largest password re-use studies ever done, I wasn't really shocked or surprised by the results. So, hold on to your seat: did you know that one out of every 142 passwords is "123456"? Now, because you listen to this podcast, I know you're not using a poor password like this, but a Turkish university student

to find that 7 million of those were the password "123456", proving that this poor password choice has been the most commonly reused password for the past five years in a row. Other interesting data points from the research show that the average password length was only 9 characters and that 42% of all passwords were easy to guess and vulnerable to dictionary attacks.
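The three figures the study reports (the "one in N" share of a single password, the average length, and the fraction that falls to a dictionary attack) are easy to reproduce over any credential dump you are auditing. The script below is an added example written for this page, not the researcher's code from the GitHub page mentioned in the show notes; the password list and the mini wordlist are constructed stand-ins, and the dictionary check (exact match, digits only, or a wordlist entry followed by digits) is a simplified assumption about what "vulnerable to dictionary attacks" means.

```python
from collections import Counter

# Constructed toy corpus standing in for a leaked credential dump
# (the study on this page looked at about a billion; this has 20).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "qwerty", "letmein",
    "dragon", "sunshine", "123456789", "iloveyou", "Tr0ub4dor&3",
    "correcthorsebatterystaple", "admin", "welcome", "Monkey99",
    "football", "abc123", "Xq7$pL!9vR2m", "princess", "baseball",
]

# Constructed mini wordlist standing in for a real cracking dictionary.
DICTIONARY = {
    "password", "qwerty", "letmein", "dragon", "sunshine", "iloveyou",
    "admin", "welcome", "monkey", "football", "princess", "baseball",
}


def top_passwords(passwords, n=3):
    """Most reused passwords with their counts: the reuse hotspots."""
    return Counter(passwords).most_common(n)


def one_in_n(passwords, target):
    """Express the share of `target` as 'one in N', the way the page
    states '1 in 142' for 123456. Returns None if it never occurs."""
    count = passwords.count(target)
    return None if count == 0 else len(passwords) / count


def average_length(passwords):
    """Mean password length (the study reported 9 characters)."""
    return sum(len(p) for p in passwords) / len(passwords)


def dictionary_hit_rate(passwords, dictionary):
    """Fraction that a simple dictionary attack would recover (assumed
    rule: wordlist entry, case-insensitive, optionally followed by
    digits, or a password made of digits only)."""
    def guessable(pw):
        low = pw.lower()
        if low in dictionary or low.isdigit():
            return True
        return low.rstrip("0123456789") in dictionary
    return sum(1 for p in passwords if guessable(p)) / len(passwords)


if __name__ == "__main__":
    print("top:", top_passwords(SAMPLE_PASSWORDS))
    print("123456 is one in", one_in_n(SAMPLE_PASSWORDS, "123456"))
    print("avg length:", average_length(SAMPLE_PASSWORDS))
    print("dictionary hit rate:", dictionary_hit_rate(SAMPLE_PASSWORDS, DICTIONARY))
```

Run it over a real dump (one password per line) by replacing the constructed list, and compare your "one in N" and hit-rate figures against the study's 1-in-142 and 42% to see how your user base measures up.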

This is great research, and if you like to dig into data like this as much as I do, I'd encourage you to check out the researcher's GitHub page, which we'll have linked in the show notes. All I'll say is that we need to promote the use of password managers, as well as move towards getting rid of passwords altogether with the help of new technology like WebAuthn and FIDO2. If you're interested in learning more about how groups like the FIDO Alliance are helping rid the world of passwords, see our show notes to

.

June Monthly Show, Episode 101: Scott and Tom discuss the privacy concerns with the EARN IT Act, more stories of facial recognition fail, and Scott talks about his new podcast, Can I Be Phished?

Watch this episode on our YouTube Channel!

Thank you to our sponsor Silent Pocket! Take advantage of this exclusive offer and help support this podcast!

Visit

to shop Silent Pocket's great line of privacy focused products.