Tech Friday with Dave Hatter - April 10th 2020 - SPONSORED BY INTRUST IT


  • The irony of Zoom's latest hire:
    • Zoom, a very popular "free" video conferencing tool, has come under increasing fire for a litany of privacy and security issues
    • Some researchers have called Zoom "a privacy disaster" and "fundamentally corrupt". One said "Zoom is malware"
    • I like to think of it as the dumpster fire of the Internet
    • Sadly, a large number of security and privacy issues have surfaced, as have some dubious practices including:
      • Zoom falsely claimed to be using end-to-end encryption. After being called out, Zoom confirmed on its blog that end-to-end encryption was not currently possible on the platform
      • Attackers can use the Zoom Windows client's group chat feature to share links that expose the Windows credentials of anyone who clicks them
      • The Zoom Mac client has flaws that could be used to hijack a Zoom user’s Mac computer to access the camera and microphone
      • Motherboard outed the fact that Zoom was sending data from its iOS app to Facebook, even if the user does not have a Facebook account. This has since stopped
      • Motherboard has also reported that Zoom was sharing the email addresses and photos of at least thousands of Zoom users who signed up with email addresses sharing the same domain
      • The FBI recently announced it was investigating "Zoom-bombing", an attack in which hackers infiltrate video meetings
      • Consumer Reports found Zoom’s privacy policy allowed the company to use video and other user content for advertising and other business purposes. Zoom has since revised its privacy policy to block that
    • Zoom has been fixing issues, and its CEO froze new feature development for 90 days to focus on them
    • They are now facing a class-action lawsuit that alleges the company made “materially false and misleading statements” that overstated its privacy and security measures, and it claims that Zoom didn’t disclose its lack of end-to-end encryption
    • In some delicious irony, Zoom hired Alex Stamos, former CISO of another Internet privacy and security dumpster fire, Facebook, to help fix their issues
    • Remember, if you're not paying with money, you're paying with data. You're the product, not the customer
    • There are many good Zoom alternatives: https://www.theverge.com/2020/4/1/21202945/zoom-alternative-conference-video-free-app-skype-slack-hangouts-jitsi
    • I use and recommend Microsoft Teams and/or WebEx.
    • If you MUST use Zoom, there are some good tips in this article to secure it: https://www.usatoday.com/story/tech/2020/04/01/zoom-demand-zooms-but-problems-coronavirus-drives-stay-home-video-chats-zoom-has-issues-beyond-deman/5102150002
  • SIM swapping can lead to hijacked Venmo and PayPal accounts:
    • Hackers are performing SIM-swap attacks to take control of victims' phone numbers and then using them to take over the victims' accounts
    • "A subscriber identity module or subscriber identification module (SIM), widely known as a SIM card, is an integrated circuit that is intended to securely store the international mobile subscriber identity (IMSI) number and its related key, which are used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers). It is also possible to store contact information on many SIM cards. SIM cards are always used on GSM phones; for CDMA phones, they are only needed for newer LTE-capable handsets. SIM cards can also be used in satellite phones, smart watches, computers, or cameras." - Wikipedia
    • Most mobile phone shops can issue a new SIM chip and activate it
    • If you've upgraded a phone, you may have experienced "SIM Swapping", which occurs when your old phone goes dead and a new phone is activated
    • For a stolen phone, a SIM swap is great because you can quickly disable the SIM in the stolen phone
    • However, if the criminal is the one initiating the swap, this is a major problem because your phone goes dead and they are using your account
    • This swap would give a criminal access to all inbound calls and messages, at least for a short time
    • Hackers use personal information that can be found online (OSINT) or purchased on the dark web to convince your cell carrier to transfer (port) your number to a new device in the attacker's possession
    • Once the hacker has control of your phone number and account, they break into all connected accounts, typically starting with your email account
    • The hacker changes your credentials so that you can't regain control and can then plow through any cloud-based information looking for things of value
    • Victims of this attack have had their bank accounts drained, and it's difficult to regain control of these accounts or to get the stolen money back
    • In many cases, only a small amount of information is required to perform a SIM-swap. For example, AT&T's documentation states that you only need the information found on a cell phone bill to initiate a transfer. T-Mobile is similar
    • In August 2018, T-Mobile had the billing information of 2.5 million customers stolen. These accounts are ripe for a SIM-swap attack
    • Princeton University researchers identified 17 major companies, including Amazon, PayPal, Venmo, Adobe, eBay, Snapchat, and Yahoo, that allowed users to reset their passwords via text message
    • Many of these companies have corrected this issue
    • PayPal and Venmo (owned by PayPal) have not addressed this issue, and considering that they allow users to exchange money and are linked to bank accounts or credit cards, this is very dangerous
    • What can you do?
      • Contact your carrier about any SIM-swap protection they may offer
      • Disconnect accounts from your phone number. Ensure that each account requires a user name and password, and where a phone number is needed use a VoIP number such as Google Voice or Skype
      • Use a secure password manager like LastPass or Roboform. At Intrust, we recommend and use LastPass
      • Use a strong, unique password for each account
      • Use Multi-Factor/Two-Factor authentication wherever possible, and use an authenticator app rather than text messages for MFA
      • Don't store banking information on your device
      • If you suddenly lose cell service and access to your accounts, contact your carrier immediately
  • Will privacy be a permanent casualty of the COVID-19 pandemic?
    • As more people are forced to work from home, they are also often being forced to rely on "free" technologies that capture enormous amounts of information
    • This includes children who are also being forced to use these technologies to stay connected to school
    • It can be hard to stop using a service after using it for some time because all your important data is there. For tech companies, this highly desired state is called "lock-in"
    • And some of these vendors make it difficult to understand what data is collected, how it might be used, or how to opt out
    • Regarding these new home-bound users, the NY Times said "They shouldn’t have to sacrifice their privacy to use them." I concur
    • "This is not business as usual, though. Americans aren’t willingly surrendering their online identities during this pandemic — many are being compelled to do so by their schools, family or work. Just as a swath of manufacturers are switching their production lines to ventilator and mask production for the greater good, corporations that normally view every new registered user as a data point to exploit need to take a pause on profiting from online data harvesting." - NY Times
    • The NY Times does a nice job of summarizing the issues here: https://www.nytimes.com/2020/04/07/opinion/digital-privacy-coronavirus.html

55KRC · THE Talk Station in Cincinnati