New Episode Alert EP147

What will Biden do for privacy and cybersecurity?

In episode 147 for November 16th 2020: The latest about source code stolen from US government agencies and private companies, three actively exploited iOS zero-days in the wild and new App Store privacy labels, and what a Biden administration could mean for privacy and cybersecurity.

It's time to up your privacy game with Silent Pocket's product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Visit

today and be sure to use discount code "sharedsecurity" to receive 10% off of your order during checkout. 

It's been a crazy and busy couple of weeks for all of us here at the Shared Security Show! Just as a reminder, be sure to

which we just finished in October and my two interviews with our friends over at StartPage.com.

all about StartPage.com which is known as the world's most private search engine, and in

about the differences in privacy mindset between Europe and the United States. Check out all of these episodes wherever you like to listen to podcasts or on our YouTube channel! And now, on to the news.

FBI: Hackers stole source code from US government agencies and private companies

Back on November 7th the FBI

noting that threat actors are using misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses. The FBI stated that this has been going on since April of this year. SonarQube is a static code analysis tool that companies run to find bugs and security vulnerabilities in their applications. It is installed on a web server and connected to source code repositories such as GitHub, so an instance typically holds copies of the code it scans along with the scan results. What the FBI found is that some of the affected organizations' SonarQube instances were reachable from the Internet while still running on the default port with the default admin credentials.

So how easy is this attack to pull off? Attackers simply scan the Internet for SonarQube instances listening on the default port 9000 on a publicly accessible IP address. The attacker then logs in with the default administrator credentials (username "admin", password "admin") to the exposed instance, which contains both source code and scan results listing the vulnerabilities found in that code. Note that this is not the first time that details have been shared about misconfigured SonarQube instances. Security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018. As for fixing this issue, the FBI alert lists several things that companies can do to protect their SonarQube servers, starting with changing the default configuration and credentials and putting the application behind a firewall so that it's not accessible to anyone on the Internet.
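If you run SonarQube yourself, the quickest way to know whether you are in the group described above is to test your own instance the way the attackers do. The script below is an added example, not code from the FBI alert or from the show: it checks whether a host answers like SonarQube on port 9000 and whether admin/admin still works, using two endpoints from SonarQube's web API (`/api/system/status`, which needs no login, and `/api/authentication/validate`, which reports whether the supplied credentials are valid). The hostname `sonar.example` and the `fake_*` responders are constructed so the logic can be exercised offline; run it against a real host by passing the hostname as an argument.

```python
import base64
import json
import urllib.error
import urllib.request

# The default credentials the FBI alert says attackers try on exposed instances.
DEFAULT_CREDS = ("admin", "admin")
DEFAULT_PORT = 9000


def http_fetch(url, auth=None, timeout=5):
    """GET url with optional HTTP Basic auth. Returns (status, body); status 0 if unreachable."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def _json_or_none(body):
    """Parse a JSON body, returning None on anything that is not JSON."""
    try:
        return json.loads(body)
    except ValueError:
        return None


def audit_sonarqube(host, port=DEFAULT_PORT, fetch=http_fetch):
    """Probe one host the way an opportunistic attacker would and report what was found.

    fetch(url, auth) -> (status, body) is injectable so the same logic runs offline
    against the constructed responders below.
    """
    base = f"http://{host}:{port}"
    findings = {"sonarqube": False, "version": None, "default_admin_creds": False}

    # /api/system/status needs no login and identifies the product and its version.
    status, body = fetch(f"{base}/api/system/status", None)
    info = _json_or_none(body) if status == 200 else None
    if not isinstance(info, dict) or "status" not in info:
        return findings  # not SonarQube (or not reachable)
    findings["sonarqube"] = True
    findings["version"] = info.get("version")

    # /api/authentication/validate answers {"valid": true|false} for the credentials supplied.
    status, body = fetch(f"{base}/api/authentication/validate", DEFAULT_CREDS)
    result = _json_or_none(body) if status == 200 else None
    if isinstance(result, dict) and result.get("valid") is True:
        findings["default_admin_creds"] = True
    return findings


def fake_exposed(url, auth):
    """Constructed responses for an instance still on admin/admin (no network involved)."""
    if url.endswith("/api/system/status"):
        return 200, '{"id": "constructed", "version": "8.5", "status": "UP"}'
    if url.endswith("/api/authentication/validate"):
        return 200, json.dumps({"valid": auth == DEFAULT_CREDS})
    return 404, ""


def fake_hardened(url, auth):
    """Constructed responses for an instance whose admin password was changed."""
    if url.endswith("/api/system/status"):
        return 200, '{"id": "constructed", "version": "8.5", "status": "UP"}'
    if url.endswith("/api/authentication/validate"):
        return 200, '{"valid": false}'
    return 404, ""


def fake_not_sonarqube(url, auth):
    """Constructed response for some other service listening on the port."""
    return 200, "<html>hello</html>"


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(audit_sonarqube(sys.argv[1]))  # real probe against the host given
    else:
        for name, fake in (("exposed", fake_exposed), ("hardened", fake_hardened)):
            print(name, audit_sonarqube("sonar.example", fetch=fake))
```

A result with `default_admin_creds` set to `True` on a host that anyone on the Internet can reach is exactly the condition the FBI describes. Beyond changing the admin password, the instance should not be listening on a public address at all: in `sonar.properties` bind it to the loopback address (`sonar.web.host=127.0.0.1`) behind an authenticating reverse proxy or a firewall rule, and keep forced authentication enabled so anonymous visitors cannot browse projects or scan results.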

Update Your iOS Devices Now — 3 Actively Exploited 0-Days Discovered

Own an Apple iOS or macOS device, or an Apple Watch? Then you had better update to the latest version (iOS and iPadOS 14.2, watchOS 7.1, and the corresponding macOS update) to patch three zero-day vulnerabilities that are being actively exploited. The vulnerabilities, discovered and reported to Apple by Google's Project Zero security team, were found in the FontParser component and the kernel: a malicious font can trigger code execution, and the two kernel bugs leak kernel memory and allow a malicious application to escalate privileges. As you may be aware, zero-days like these are frequently used by nation states and others to target high-profile individuals. However, that doesn't mean that the rest of us are not targets. Once exploit code becomes public or is sold to criminals in the hacker underground, the same bugs get used against everyone who hasn't patched. That's why it's so important to always keep your devices updated so you don't become the next victim of a zero-day attack.

Apple will require apps to add privacy ‘nutrition labels’ starting December 8th

And in other Apple news, Apple will require apps in the App Store to carry privacy "nutrition labels" starting December 8th. These labels will give you a better idea of what data an app collects and what it does with it. App developers are now required to "self-report" this information for each app they submit; otherwise their app or update will be rejected and will not be available for download.

What could a Biden administration mean for privacy, cybersecurity?

I think if you're like me, you're probably glad that this election (at least the voting part, not the counting controversy part) is finally over! So you may be wondering what a Biden administration could mean for privacy and cybersecurity. Well, I spent some time researching this and here's what I found. First, a federal privacy law will most likely start to take shape, since there has been some progress in the last 18 months with lawmakers from both political parties working on draft proposals. Most privacy experts agree that the Biden administration will continue to facilitate these discussions. And two weeks ago, California voters approved Proposition 24, which paves the way for the stricter California Privacy Rights Act, which may also help energize a federal response.

From an international perspective we should see more cooperation from European allies on a replacement for Privacy Shield, the framework that governed transfers of European personal data to the US until the EU Court of Justice struck it down in July 2020. Domestically, there could also be changes at the FTC and FCC regarding privacy, and possibly a revival of the Obama-era effort to implement net neutrality rules.

As for cybersecurity, this will still remain a huge priority for the Biden administration since it’s continuing to be a major national security issue with constant threats and attacks from Russia, China, and Iran and of course the election interference and disinformation campaigns we all know and love.

One thing to keep in mind: privacy and cybersecurity will not be at the top of the Biden priority list given the concern about the pandemic and all the other major issues facing this country. So when the new administration starts in January, don't expect much to change until COVID-19 is under control.

Watch this episode on our YouTube Channel!


Please support our sponsors!

Take advantage of this exclusive offer and help support this podcast!

Visit

to shop Silent Pocket's great line of privacy focused products.