Shared Security show

Summary: Shared Security is your premier cybersecurity and privacy podcast where we explore the bonds shared between people and technology. Join industry experts Tom Eston, Scott Wright, and Kevin Johnson as they deliver the latest news, actionable tips, expert guidance, and insightful interviews with top cybersecurity and privacy specialists. Stay informed and take control of your online security and privacy in today’s interconnected world. Tune in every week to discover invaluable insights, strategies, and tools to live confidently and safeguard your digital life.

Podcasts:

 Juice Jacking Debunked, Photographer vs. AI Dataset, Google Authenticator Risks | File Type: audio/mpeg | Duration: 24:45

In this episode we debunk the fearmongering surrounding "juice jacking," a cyber attack where attackers steal data from devices that are charging via USB ports. Next, we dive into a case where a photographer tried to get his photos removed from an AI dataset, only to receive an invoice instead of having his photos taken down. Finally, we examine the security risks of using Google Authenticator's cloud sync feature for two-factor authentication. We explain why this feature may not provide adequate protection and offer recommendations for more secure alternatives.

 Building a Healthy Security Culture: Insights from Kai Roer | File Type: audio/mpeg | Duration: 29:46

In this episode we speak with Kai Roer, a renowned author, security culture coach, and CEO of Praxis Security Labs. Kai shares his career journey in cybersecurity and emphasizes the importance of building a strong security culture within organizations. He identifies the biggest impediments to a good security culture and offers actionable steps that organizations can take to improve their culture. Kai also discusses some of the biggest surprises he's encountered in his work and provides insights for security awareness professionals and executives to learn about the most critical aspects of security culture. Finally, Kai shares his vision for the future of cybersecurity and his current projects.

 Arkansas Social Media Consent Law, Android Malware Invasion, New Method of Keyless Car Theft | File Type: audio/mpeg | Duration: 26:27

Is Arkansas taking the right step to protect children online? A new law passed in the state makes it illegal for minors to use social media without their parent or guardian's consent. Over 60 Android apps on the Google Play Store with more than 100 million downloads have been infiltrated by the new "Tekya" malware. The malware can commit ad fraud and steal Facebook credentials. Criminals are stealing keyless cars in under two minutes with a previously unknown method involving intercepting the signal between the car key and the car.

 Genesis Market Crackdown, Life360 App Misuse, Tesla Customer Privacy Concerns | File Type: audio/mpeg | Duration: 28:19

Law enforcement agencies across 17 countries have cracked down on Genesis Market, one of the largest criminal marketplaces, resulting in the arrests of 120 people globally. Popular family safety app, Life360, has been used by sex traffickers to monitor and control their victims, highlighting the increasing use of GPS technology by criminals. A recent news report reveals that groups of Tesla employees shared highly invasive videos and images recorded by customers’ car cameras, including embarrassing and vulnerable situations. The leaked footage was shared via an internal messaging system, potentially compromising customer privacy.

 Clearview AI Facial Recognition Fallout, Hacked and Helpless, Is AI Armageddon Upon Us? | File Type: audio/mpeg | Duration: 29:36

Clearview AI provided police with 30 billion scraped images from Facebook, raising concerns over privacy and the potential misuse of facial recognition technology. A victim of a phone hack shares their story of how their credit card was stolen, highlighting the vulnerability of personal information and the chain of events that happen when someone's identity is stolen. Our discussion about an open letter calling for the regulation of AI development due to potential dangers and misuse has become a source of controversy within the tech community. We also discuss an extreme proposal of using the threat of nuclear war to prevent the rise of artificial intelligence.

 The TikTok CEO Testimony, ChatGPT’s Privacy Risks, Inaudible Ultrasound Attacks | File Type: audio/mpeg | Duration: 30:32

The CEO of TikTok was criticized by Congress for his "worthless" assurances regarding the app's privacy and security. But what is the real motivation for Congress attempting to ban TikTok? Should we be concerned that AI language models like ChatGPT are a privacy nightmare? Not just for businesses but for anyone using it? Researchers have found a way to use inaudible ultrasonic waves to attack smartphones, smart speakers, and other devices by taking control of their voice assistants, opening browser windows, and performing other malicious actions. Is this the next generation of attacks we need to be worried about?

 Samsung Chipset Zero-Day Vulnerabilities, AI-Assisted Social Engineering, ATM Fraud with a Twist | File Type: audio/mpeg | Duration: 21:09

In this episode we discuss Google's discovery of 18 zero-day vulnerabilities in Samsung's Exynos chipsets. We examine an AI-assisted social engineering campaign that combines emerging technologies with classic techniques. Finally, we look at a new method of ATM fraud where thieves use glue to disable card readers and trick customers into using the tap function on their debit cards.

 Exploring the Role of Empathy in Cybersecurity with Andra Zaharia | File Type: audio/mpeg | Duration: 29:03

On this episode, Tom Eston discusses empathy in cybersecurity with Andra Zaharia, host of the Cyber Empathy Podcast. We talk about finding her passion for contributing to the industry and the importance of empathy in cybersecurity. We cover how empathy relates to cybersecurity in the industry, the importance of being empathetic in our roles as cybersecurity professionals, and why the phrase "users are the weakest link in security" is nothing more than victim blaming. We also discuss the long-term implications of new technology, how we can help educate people to build and use technology with kindness, and how even impacting one person can make a difference.

 Biden’s National Cybersecurity Strategy, BetterHelp’s FTC Fine, Chick-fil-A Data Breach | File Type: audio/mpeg | Duration: 13:11

What you need to know about Biden's new National Cybersecurity Strategy, which aims to provide a framework of what the current administration wants the US federal government, critical infrastructure organizations, and private companies to do to work together to improve national cybersecurity. BetterHelp, a direct-to-consumer mental health app, has been asked to pay $7.8m by the Federal Trade Commission (FTC) for allegedly passing on users' mental health information to Facebook, Snapchat and others. Fast food chain Chick-fil-A has confirmed a credential stuffing attack that allowed cybercriminals (who apparently really love chicken sandwiches) to access 71,473 customer accounts and sell access to them online.

 The LastPass Attack Gets Worse, What is Gamification, Signal’s Encryption Standoff | File Type: audio/mpeg | Duration: 31:08

Popular password manager LastPass suffered a second attack that lasted for over two months. Now new and disturbing information is being released about the attack. Scott discusses the benefits and challenges of using gamification in security awareness training, emphasizing the importance of individual learning before employing it at the business process level. Signal, a very popular encrypted messaging app, warns it may leave the UK if new online safety legislation weakens its end-to-end encryption, sparking controversy and debate over privacy concerns.

 Twitter’s Paywall 2FA, Mental Health Data for Sale, Meta’s Verified Program | File Type: audio/mpeg | Duration: 30:44

Twitter is phasing out its free text message two-factor authentication (2FA) and putting the feature behind a paywall, prompting security experts to advise Twitter users to switch to other authentication methods. How data brokers are selling sensitive mental health data for a few hundred dollars with little attempt to hide identifying information such as names and addresses. A new report highlights how some firms are offering the data for as low as $275 for information on 5,000 people, and Congress has yet to pass significant legislation on data brokers. Meta (formerly Facebook) has launched a new program called Meta Verified which aims to unify verification across all of the company's platforms. Users can pay a monthly fee to verify their presence on Facebook and Instagram by submitting their government ID.

 Reddit Hacked, Preventing Accidental Location Sharing, Developer Hacks His Own Company | File Type: audio/mpeg | Duration: 16:59

Reddit announced that it was the victim of a phishing attack aimed at its employees, resulting in unauthorized access to internal documents, code, and some unspecified business systems. Advice on managing device location-tracking settings to ensure you're not sharing your location inadvertently. The case of former Ubiquiti employee, Nickolas Sharp, who pled guilty to multiple felony charges after orchestrating a security breach, stealing data, and extorting almost $2m worth of cryptocurrency from his company. Plus, our thoughts about UFOs and Chinese spy balloons!

 Layoffs, Recruiting, and The Year Ahead for Cybersecurity Job Seekers | File Type: audio/mpeg | Duration: 26:51

In this episode host Tom Eston sits down with Kathleen Smith, Chief Outreach Officer at ClearedJobs.net, to discuss the current state of the job market in the cybersecurity industry. With a recent surge in layoffs, Kathleen provides advice for those who were recently let go and discusses how the economic situation has affected recruiters. She also shares her predictions for changes in the recruitment process and offers advice for job seekers. Finally, Kathleen shares more about her role at Cleared Jobs and how listeners can get in touch.

 Password Managers Under Attack, Shady Reward Apps on Google Play, Meta Account Center 2FA Bypass | File Type: audio/mpeg | Duration: 21:21

The attacks on password managers and their users continue as Bitwarden and 1Password users have reported seeing paid ads for phishing sites in Google search results for the official login page of the password management vendors. Not only that, a new vulnerability in the popular open-source password management software KeePass has also been reported. Three health tracking apps available on Google Play (Lucky Step, WalkingJoy, Lucky Habit: health tracker) have been downloaded on over 20 million devices, but a recent report shows that the rewards for using the apps are impossible or only partially available after watching tons of ads. A bug in Meta's Accounts Center feature allowed hackers to bypass two-factor authentication (2FA) by brute force guessing a six-digit authentication code.

 U.S. ‘No Fly List’ Leaks, AI-Powered Phishing, Wi-Fi Used to See Humans Through Walls | File Type: audio/mpeg | Duration: 27:26

A hacker discovered a copy of the US No Fly List, which contains the names of people banned from traveling in or out of the US on commercial flights, on an unsecured Jenkins server connected to a commercial airline. Will AI-powered phishing become a threat for organizations? Scientists from Carnegie Mellon University have developed a way to sense humans through walls using a deep neural network called DensePose that maps Wi-Fi signals to UV coordinates.
