New Episode Alert EP135

Can audio recordings be used to copy physical keys?

Your digital privacy is more important than ever, which is why I use and recommend a Silent Pocket faraday sleeve for my smartphone when I want to get off the grid. Check out their full product line of privacy gear at slientpocket.com and take 15% off your order by using discount code sharedsecurity at checkout.

Picking Locks with Audio Technology

There was a fascinating story this week about how security researchers have discovered that the sound of a key being inserted into a physical lock gives attackers all they need to make a working copy of that key. And while this sounds like something out of a James Bond or Hollywood movie, researchers say that they have proven that the audible, metallic clicks that a key makes as it penetrates a lock can be deciphered by advanced signal processing software to reveal the exact shape of those little key ridges on the shaft of a key. Once this determination is made, a working copy of the key can then be 3D printed. The discovery and the technique, named "SpiKey", were made by Soundarya Ramesh and her team at the National University of Singapore.

So you may be asking yourself, how would an attacker get the audio of a key being inserted into a lock? Well, the researchers developed a few scenarios. First, someone could walk by a victim opening a lock while their phone is recording. Another method would be to install malware on the victim's smartphone or smartwatch to record and send the audio to the attacker. Third, an IoT device like a surveillance camera or Amazon Echo could be hacked to record the audio. And lastly, a long-distance microphone could be hidden to record the audio while a key is inserted into a lock. Now, this research only applies to pin-tumbler locks, which are known as Yale or Schlage keys, which have around 330,000 possible key shapes. Using the SpiKey technique, researchers were able to reduce the number of possible key shapes to only 3! So what kind of defenses would be available for an attack like this? Well, researchers have suggested that you could insert your key more quietly and slowly, or smooth out the key ridges so that the click noise is reduced, and that's about it. So should we all be worried that popular pin-tumbler locks are now insecure? Many experts say, not so fast.

Because the research was limited and done in more of an experiment or lab setting, it's hard to determine if this would be an actual technique that would be used by criminals. Some experts argue that you would really need some advanced microphone equipment, not just a smartphone, for this to be successful. There's also the high probability that other outside noise or the jangling of a key ring may hinder the recording, and the fact that you may need to capture multiple recordings to be successful makes this attack pretty low risk. Also, most thieves use techniques that are not that sophisticated anyway. According to statistics, 95% of all home invasions are just kicking down a door or breaking a window. And don't forget that most break-ins are crimes of opportunity, meaning many people are not locking doors to begin with, and most thieves are not going to be pulling off any type of Ocean's 11, highly technical theft to begin with.

Carnival Cruise Line Operator Discloses Potential Data Breach

The world's largest cruise ship operator, Carnival Corporation, disclosed on Thursday last week that they were the victim of a ransomware attack. In an 8-K filing with the US Securities and Exchange Commission, Carnival said that the attack took place on August 15th. Carnival said the attackers, quote, "accessed and encrypted a portion of one brand's information technology systems", and that the intruders also downloaded files from the company's network. Carnival also revealed that it expects that the attackers gained access to some guest and employee personal data. However, Carnival also mentioned in the filing that even though they predict some potential lawsuits, it does not expect the incident to have a material impact on its business, operations or financial results. No further details about the attack were disclosed.

Given that the coronavirus has pretty much devastated the cruise line business and, well, the entire travel industry across the world, a ransomware attack is the last thing a company like Carnival needs right now. But this isn't the first time that Carnival has had a security breach during this pandemic. Back in March of this year, Carnival disclosed that an attacker had gained access to their internal network from April to July of last year, where more customer and employee personal data was compromised.

Social media data broker exposes nearly 235 million profiles scraped from Instagram, TikTok, and YouTube

Security researchers from Comparitech said that a social media data broker called Social Data exposed nearly 235 million profiles which were scraped from Instagram, TikTok and YouTube. Profile data included names, contact and personal info, images, and statistics about followers. Note that all of this data was scraped from publicly available social media profiles. Comparitech's research showed that most of this data came from a company, now out of business, called Deep Social. Comparitech reached out to Deep Social, who forwarded the issue to a new company called Social Data, who acknowledged the issue, and in about three hours the servers housing the data were no longer accessible. Social Data stated that this was all publicly available information to anyone on the Internet, stating that no one was hacked, but also gave no reason as to why this large amount of profile data was exposed in an open database. It's also unknown whether this data was accessed by anyone malicious. Exposed databases like these are frequently harvested by spammers and used by attackers in phishing campaigns. Web scraping is a popular automated technique used to gather information from websites and social networks. The big issue here is that web scraping violates the terms of service for social networks like Facebook, TikTok, and Instagram.

In fact, Deep Social themselves were banned by Facebook and Instagram from their marketing APIs in 2018 because of web scraping activities. So what can we learn from this and other incidents which expose our public profile data? First, be careful what you put in your public social media profiles. That includes your email, real name, phone number, hobbies, or other details that could be used in a phishing or social engineering attack. Always remember to consider everything you post as public information and think about how it could be used against you.

Watch this episode on our YouTube Channel!

July Monthly Show: Episode 102

In episode 102 of our July monthly show, Scott and Tom walk through the recommended privacy settings for Amazon Echo and Google Home smart speakers. If you own one or several of these devices, this is one episode you don't want to miss!

Watch this episode on our YouTube Channel!

Please support our sponsors!

Take advantage of this exclusive offer and help support this podcast!

Visit

to shop Silent Pocket's great line of privacy focused products.