Category Archives: Podcast

Smashing Security podcast #190: Twitter hack arrests, email bad behaviour, and Fawkes vs facial recognition

Special guest Geoff White can’t resist using the podcast to promote his new book, “Crime Dot Com”, but other than that we also discuss the creepy (and apparently legal) way websites can find out your email and postal address even if you don’t give it to them, take a look at how the alleged Twitter hackers were identified, and learn about Fawkes – the technology fighting back at facial recognition.

“Don’t fire the CISO”, with Quentyn Taylor

For the latest episode of the Security Stories Podcast, I met someone who actually has the title ‘CISO Supremo’. It’s an award which recognizes the individuals and teams working hard to protect the United Kingdom from cybercrime.

Security Stories: Quentyn Taylor


As well as being CISO Supremo, Quentyn Taylor is also the CISO for Canon Europe. Odds are that you have had your hands on a Canon camera or printer at some point in your life. If you’ve ever had a security-related query about one of their products in Europe, it’s Quentyn’s team you would have spoken to.

That’s because they are a customer-centric security team (as well as protecting the internal aspects of the business). Hearing the story behind this was incredibly interesting.

It’s clear from the get-go how passionate Quentyn is about the cybersecurity industry. During the podcast we talk about having a degree vs. relevant experience, and how to overcome the “virtual hurdle” of working remotely. Like many of us, Quentyn is really missing those in-person interactions with his team members. We also talk about data breaches, and why firing the CISO shouldn’t be the first resort.

We then end the interview as all interviews should: with a spot of cybersecurity cocktail making.

“T-shaped” people

One of the biggest things I took away from our chat, is the concept of “T-shaped” people. I hadn’t heard the term before, but apparently it’s fairly common in the recruitment and agile software world.

For anyone who doesn’t know, a “T-shaped” person is someone who is an expert in one particular field but also spends time acquiring different skills. For example, a cybersecurity engineer who spends some time on the IT help desk, or even in the PR team, as some of Quentyn’s team do.

I really like that, because it means that it doesn’t matter what age you are, or what field you’re in. You can learn another skill, see the other side of the coin, and bring that knowledge back to your area of expertise.

It occurred to me that if more people did that, i.e. explored other departments in a business beyond their own, we might see more harmonious communication between different teams.

And that applies to security as well. As Quentyn was saying, those of us in the cybersecurity industry often think that security is the most important thing in any business. Because we have a natural bias, and, well, we’ve seen things…

However, business decisions are made for various reasons at the time, and sometimes security is not the foundational factor behind them. Or there’s a level of security risk that people are prepared to shoulder.

In those scenarios, the role of the cybersecurity team is to find a way to cushion the risk. Even if the simplest, or the fastest, solution isn’t a solution any more. We’ll find another way to support you.

On this Day: Mirai botnet

Security Stories on this day

Also in episode 10, we take the DeLorean for a short spin back to 2016. “On this Day” is a regular Security Stories feature, where we visit a significant cybersecurity event from the past, and this time, we explored the story behind the Mirai botnet.

After it first surfaced in August, Mirai came to the media’s attention a few weeks later when researcher Brian Krebs was targeted by a large DDoS attack.

In his debrief with Akamai (whose CSO, Andy Ellis, we spoke to in the last episode), it was noted that rather than relying on DNS amplification to generate that volume of traffic, the attack appeared to have come from many different sources.

This suggested that an enormous number of devices were compromised, and soon enough the world started to hear and read the word “Mirai”.

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Are you a security leader who would like to share their story on the podcast?
Please get in touch with me on LinkedIn and we’ll take it from there.

Security Stories podcast

On the Security Stories Podcast, we meet pioneers from across the world of cybersecurity, who then share their experiences with us.

The post “Don’t fire the CISO”, with Quentyn Taylor appeared first on Cisco Blogs.

Smashing Security podcast #189: DNA cock-up, Garmin hack, and virtual kidnappings

Why are students faking their own kidnappings? What’s the story behind Garmin’s ransomware attack? And a genetic genealogy website suffers a hack or two.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray REDACTED.

Smashing Security podcast #188: Dinner with Elon Musk and Kris Jenner

Who stopped Twitter’s hackers from stealing more money? Why are Covid-19 researchers being told to ramp up their cybersecurity? How can you find out if your smartphone is infected with stalkerware? And who does Graham think he is turning down a celebrity dinner invite?

Find out in the latest “Smashing Security” podcast, with special guest Lisa Forte.

Unique Threats to Operational Technology and Cyber Physical Systems

In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology (OT) and cyber physical systems with one of our foremost experts on the topic: Nathan Brubaker, Senior Manager of Analysis for Mandiant Threat Intelligence.

Nathan kicked off our chat by explaining what exactly we mean when we use the term ‘cyber physical.’ We then turned our attention to related threats. As it turns out, there are far fewer attempts by attackers to target these systems than one might believe. Nathan went on to discuss some of the fundamental differences between OT and information technology (IT) systems, and then explained how OT is becoming more similar to IT, which makes OT systems more vulnerable to compromise. Fortunately, even though OT security typically lags behind that of IT systems, it’s definitely moving in the right direction.

Listen to the podcast today, and check out the following blog posts referenced by Nathan during the episode:

Entertainment #FromHome: How to start your own podcast

Making Media #FromHome

How to start your own podcast

Start your own podcast? Why not? Instead of streaming someone else’s show, maybe it’s time to create one of your own. And a fine time to start a podcast it is. Podcasting once took a bit of effort to get into. The recording software, the hosting, and the equipment could end up costing a reasonable amount of money and took a certain degree of technical savvy to use. Yet like so many things on today’s internet, those barriers have dropped, particularly for folks who simply want to dive in and give it a try. With a pair of headsets, a built-in microphone, and some free software, you can start podcasting now with your computer or even your phone. So, if you’re ready to give it a shot, let’s take a look at some of the resources available to you.

Coming up with an idea for your podcast

More so than choosing this software or that, the process really starts with a basic concept for your podcast. You’ll have a topic that you want to cover, a format such as a one-person show or a talk format where you have multiple hosts or guests, and a target length for your show. 

For example, let’s assume that you’re trying out podcasting as part of a little family project. Maybe you and your daughter want to talk about going on adventures like hiking, canoeing on lakes, and fishing. A great concept for you could be a 20-minute show about adventures kids and parents can take together. You can talk about how you decide on your adventures, plan for them, and tell some stories about your triumphs and pitfalls along the way. What does it feel like to catch your first bass, or how does it feel to set up your tent in a sudden downpour? People love hearing stories that’ll inspire them or make them laugh or, better yet, both. 

Another idea is to approach it as a learning opportunity for your kids. Recently, I posted an article on project-based learning for kids at home. One of the suggestions was for kids to make a short podcast of their own to show what they’ve learned after researching a topic they’re interested in. What you learn here in this article could point the way for them to create their own show, whether with your help or independently.

That’s just a few examples. And really, coming up with an idea for a podcast is a topic in and of itself. For more on that, check out this article on creating a podcast from National Public Radio. While written for students, it’s packed with plenty of solid advice for anyone who wants to get started in podcasting, plus several pro tips for making your show sound great.

What about podcasting equipment?

Chances are you already have the basics. If you have a set of headphones with a built-in microphone and a computer or phone you can attach them to, that’s a great start. Of course, people who invest more time and money into their podcasting pursuit will have things like a podcasting microphone mounted on a miniature boom arm, a “pop filter” that prevents you from popping your “P’s” in the microphone, and maybe even a small mixing board. But, for just getting started or just having some fun as a family, you really don’t need those things. 

Free podcasting software and hosting

What you will need is some software that lets you record your show and even do some basic editing too. Here are a few free options that’ll cover your recording and editing while giving you a place to post your shows too:

Anchor FM

Anchor gives you standard recording features, plus extra bells and whistles like importing voice messages from your phone, group chat, and transitions. As Anchor is part of streaming music provider Spotify, you can also import music into your podcast from there. And when you’re done recording, Anchor offers free hosting for creators. If you’re creating a multiple-host podcast, your co-host or guests can use the Anchor app on their phone and join in.

Spreaker

It may look like a typo, yet Spreaker is the name for this offering. Much akin to Anchor, it offers a combination of recording software and hosting capabilities so that you can add things like music and sound effects to your podcast. The app also supports Google Hangouts and Skype so that you can bring on a co-host or guest.

Podbean

A third popular option is Podbean. It also allows you to record and publish your podcast for free as part of a basic plan that offers 500 MB of storage space and 100 GB of bandwidth per month (meaning a 500 MB show could be downloaded 200 times at no cost, where 500 MB is approximately 5 hours of showtime).

Free options for editing your podcast

If you already have a way of recording your podcast, such as with a simple audio recorder on your phone, computer, or laptop, you can drop those audio files into free audio editing software to edit your show together. 

These are more formally known as Digital Audio Workstations (DAWs). Depending on which one you select, these apps offer functionality similar to what the pros use to record and edit their audio. You’ll see things like multiple tracks where you can place people, music, and sound effects on their own timeline that you can mix together, different options for exporting your show to different file types, settings to sweeten sound quality, and much more. As you might imagine, audio editing and mixing is a pursuit unto itself, and you can really dive deep here if the podcasting bug bites you. Here’s a rundown of what’s out there:

GarageBand

Apple users will probably know this app. GarageBand is available only on Mac and iOS devices (iPad and iPhone). It has all the hallmarks of an Apple application: it looks good and simplifies an otherwise complicated process. Above, we mentioned multi-track recording. If you’re new to that, it can feel a little overwhelming at first, yet GarageBand color-codes its tracks and leans heavily on drag-and-drop editing. That lends itself to ease of use, exploration, and even a fair share of trial-and-error as you get comfortable with it. Plus, as its name would imply, GarageBand features a library of musical instruments. So when you get tired of podcasting, you can play around with it and drop some beats.

Audacity

Slightly further along the audio editing learning curve is Audacity, which is a free download for multiple platforms. Visually, it’s a contrast to GarageBand yet its functionality goes much deeper. One appealing aspect of Audacity is that it’s celebrating a 20-year run as open source software—meaning that it’s a community-supported effort. So if you’re dedicated to learning audio editing, there are numerous resources out there that can help you learn the Audacity interface and feel confident that you’re learning an audio app that’ll be around for some time.

Reaper Digital Audio Workstation

And of our three free options, Reaper is the most fully featured editor; you can download it for a free 60-day trial. If you’re completely new to audio editing, you may want to start with one of the other options just to get familiar with the basics. Otherwise, if you’ve used some other simpler platforms before and feel ready to move up, Reaper is a fine choice.

Your podcast and your privacy

Here’s the thing with dipping your toe into the world of podcasting: you don’t have to post your podcast for others to hear. As we talked about at the start of this article, this could just be an entertaining project or exploration for you and your family. You can hang on to your podcast and just share it with family at home, or you could send it to some friends and family for them to listen to it too. Regardless of what you decide to do with your podcast once you’ve recorded it, you’ll want to think about your privacy.

Online privacy isn’t a topic that’s discussed much in many “how-to start your own podcast” articles. Yet it’s a vital topic. (In fact, we discuss privacy all the time on our own Hackable? podcast.) Keep privacy in mind when you podcast. Just like anything else you post online, a picture, a status update, a blog, or what have you, you’re exposing yourself to the entire online world. When it comes to anything digital, what you say and what you share is forever. It can be copied, shared, disseminated, and even reconstructed in umpteen different ways. 

So the general rule with podcasting is much the same as everything else you do online: think before you post. 

Before you post, consider …

Just as you go back and look at what you’ve typed in that email or that status update, go back and review your show before you post or share it with others. Listen for things like:

  1. Have you overtly or inadvertently shared some information about yourself and your family—like birthdays, when you typically go on vacation, or other information that uniquely identifies you in a way? Hackers and crooks could find this useful when it comes to online identity theft or physical theft on your property.
  2. Are you keeping your family business and friendships private? “Sharenting” details about your children, good or bad, or talking about your relationships with others could lead to embarrassment or hurt feelings amongst family and friends.
  3. Can anything you’ve said be construed as hurtful, casting someone in a bad light, or simply mocking? Remove it from your podcast or simply don’t post it. You could be held legally responsible. Laws will vary across countries and locales, so make a point of understanding what they are with regards to defamation, libel, and slander in your area.

Again, stop and think before you post. Could this compromise you, your family, your friends, or someone else now or in the future? If so, and even if you’re uncertain of the answer, don’t post. 

Start your podcast!

These are just a few of the numerous, and often free, options that allow practically anyone to get started in podcasting, and there are plenty more. Just be sure that, as you’re surfing around for software, tutorials, and resources, you use comprehensive security software to protect you from threats, particularly a browser advisor app that will steer you clear of malware, bad downloads, and suspicious links. Also, caveat emptor, buyer beware. When researching apps, always look at the reviews so that you can spot any issues before you download or use an app.

With that, I hope this inspires an interesting side project, or even a new pastime for you and your family. Get out there and have some fun!

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Entertainment #FromHome: How to start your own podcast appeared first on McAfee Blogs.

Cyber Security Roundup for April 2020

A roundup of UK-focused cyber and information security news, blog posts, reports and general threat intelligence from the previous calendar month, March 2020.

The UK went into lockdown in March due to the coronavirus pandemic; these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of the situation: both UK citizens and businesses have been hit with a wave of COVID-19-themed phishing emails, scam social media messages and scam text messages (smishing), which prompted warnings by the UK National Cyber Security Centre and UK banks, and a crackdown by the UK Government.

Convincing COVID-19 Scam Text Message (Smishing)

I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the web link displayed is not what it appears to be. My guess is that the link is not part of the gov.uk domain at all, and that the attacker has used an internationalized domain name (IDN) homograph attack, substituting look-alike characters from another script to disguise the true address of the malicious website being linked to.
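The check a defender would run on a reported message of this kind, written up here as an added example (it is not code from the original post): pull the URLs out of the message body, IDNA-encode each hostname so that any non-ASCII label shows up in its Punycode (xn--) form, flag labels that mix scripts (a Cyrillic ‘о’ sitting inside otherwise Latin text), and compare a confusables “skeleton” of the host against the domain the message claims to be from. The sample SMS, the CONFUSABLES table (a small constructed subset of Unicode’s confusables data) and the name-prefix script heuristic are all assumptions of this example, not facts from the page.

```python
"""Heuristic IDN homograph checks for links in suspicious messages.

Added example, not the original post's code. It inspects hostnames the way a
defender triaging a smishing report would: expose Punycode, look for labels
that mix scripts, and compare a confusables 'skeleton' with the claimed domain.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Unicode confusables: Cyrillic/Greek letters that render
# like Latin ones. The real confusables.txt is far larger; this is illustrative.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def script_of(ch):
    """Approximate a letter's Unicode script from the first word of its name
    (e.g. 'CYRILLIC SMALL LETTER O' -> 'CYRILLIC'). A heuristic, not the full
    Script property, but enough to catch mixed-script labels."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def hostname_of(url):
    """Lower-cased hostname of a URL ('' if none)."""
    return (urlsplit(url).hostname or "").lower()


def skeleton(host):
    """Map look-alike characters onto their Latin counterparts so that a
    homograph and its target compare equal."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", host))


def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyse_url(url, expected_domain=None):
    """Return a dict describing whether (and why) a URL's host looks spoofed."""
    host = hostname_of(url)
    findings = []
    try:
        # IDNA ToASCII: any non-ASCII label comes back as an xn-- Punycode label.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
        findings.append("host could not be IDNA-encoded")
    if punycode and "xn--" in punycode:
        findings.append(f"internationalized label(s), Punycode form: {punycode}")
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    if expected_domain:
        expected = expected_domain.lower()
        if not is_under(host, expected) and is_under(skeleton(host), skeleton(expected)):
            findings.append(f"host is a look-alike of {expected} but is not under it")
    return {"host": host, "punycode": punycode, "findings": findings,
            "suspicious": bool(findings)}


def scan_message(text, expected_domain=None):
    """Analyse every http(s) URL found in a message body."""
    return [analyse_url(u, expected_domain) for u in URL_RE.findall(text)]


# Constructed sample: the 'o' in the hostname is CYRILLIC SMALL LETTER O (U+043E).
SAMPLE_SMS = ("GOV.UK CORONAVIRUS ALERT: you are eligible for a payment. "
              "Apply at https://g\u043ev.uk/coronavirus-payment now.")

if __name__ == "__main__":
    for result in scan_message(SAMPLE_SMS, expected_domain="gov.uk"):
        print(result["host"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is a reason to look closer rather than a verdict: a legitimately registered IDN also produces an xn-- label, which is why the mixed-script and skeleton comparisons are reported separately. A genuine `https://www.gov.uk/...` link passes all three checks.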

I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps; a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and on raising awareness of coronavirus-themed message scams. It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

March threat intelligence reports shone a light on the scale of the cybercriminal shift towards exploiting the COVID-19 crisis for financial gain. Check Point’s Global Threat Index reported a spike in the registration of coronavirus-themed domain names, stating that more than 50% of these new domains are likely to be malicious in nature. Proofpoint reported that more than 80% of the threat landscape is using coronavirus themes in some way. There has also been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anti-virus solution.

Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media was found to have left a database open, exposing thousands of customer records, and T-Mobile's email vendor was hacked, resulting in the breach of customers’ and employees’ personal data.

International hotel chain Marriott reported that 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriott’s online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and points balance, employer, gender, birthday (day and month only), airline loyalty programme information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach of 383 million guests. Tony Pepper, CEO at Egress, said: “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO.”

Five billion records were found to be exposed by UK security company Elasticsearch. Researchers also found an open MongoDB database on Amazon Web Services, holding eight million European Union citizens’ retail sales records, left exposed, including personal and financial information. And Let’s Encrypt revoked over 3 million TLS certificates due to a bug in its certificate rechecking process.

March was another busy month for security updates. Patch Tuesday saw Microsoft release fixes for 116 vulnerabilities, and there was an out-of-band Microsoft fix for the 'EternalDarkness' bug on 10th March, but a zero-day vulnerability being exploited in Windows remained unpatched by the Seattle-based software giant. Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

Stay safe, stay home and watch out for the scams.


      How Safe are Video Messaging Apps such as Zoom?

      I was privileged to be part of The Telegraph Coronavirus Podcast today, where I was asked about the security of video messaging apps.



      'How safe are video messaging apps such as Zoom, and what should users bear in mind when using them?'

      My reply...
      Video messaging apps are an essential communication tool for at home and within businesses, especially during the COVID-19 lockdown period. They are generally safe to use but there are a few security risks which users should be aware of.

      Our increased use of video messaging apps has not gone unnoticed by cybercriminals, who are seeking to exploit the increase of use by sending phishing emails, social media scam messages and even scam text messages, with fake invitations to video messaging app meetings.

      Typically, these scam messages will entice you into either opening a malicious attachment or click a web link which directs to a malicious website. The ultimate aim of these cyberattacks is to deliver malicious software, such as ransomware which locks your PC and demands a ransom payment to unlock, scam a payment, or steal your personal information which can be resold to other cybercriminals on the dark web.

      So, never open an attachment or click on any links within any unexpected or suspicious emails, social media messages and text messages.

      The next piece of advice is to ensure your video messaging app is always kept up-to-date. Luckily most modern smartphones and computer operating systems will automatically update your apps, but it is always worth double-checking and not to suppress any app updates from occurring, as often the app updates are fixing security flaws.

      And finally, on home computers and laptops, when not using video messaging apps, either cover your webcam with a piece of tape or face your webcam towards a wall or ceiling, just in case your computer is covertly compromised and a malicious actor gains access to your computer's webcam.


      Additional
      One tip I didn't have time to give on the podcast: always ensure your video chats are set to private, using a strong password, to prevent “Zoombombing”. Recent reports have shown a series of “Zoombombing” incidents lately, where unwanted guests have joined in on open calls.

      Bharat Mistry, Principal Security Strategist at Trend Micro on Zoom advises “Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.

      It’s all about taking advantage of unsecure settings in the app, (and possibly using brute-force tools to crack meeting IDs). With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.

      Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.

      Risk mitigation:
      The good news is that there are several things you can do to mitigate the security risks associated with Zoom. The most basic are: 
      • Ensure Zoom is always on the latest software version
      • Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
      • Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
      Organisational preparedness:
      Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers. Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs is switched off, meaning Zoom will create a random, one-off ID for each meeting. These settings should be kept as they are. But organisations can do more, including:
      • Ensure you also generate a meeting ID automatically for recurring meetings
      • Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
      • Don’t share any meeting IDs online
      • Disable “file transfers” to mitigate risk of malware
      • Make sure that only authenticated users can join meetings
      • Lock the meeting once it’s started to prevent anyone new joining
      • Use waiting room feature, so the host can only allow attendees from a pre-assigned register
      • Play a sound when someone enters or leaves the room
      • Allow host to put attendees on hold, temporarily removing them from a meeting if necessary”