Tech Friday with Dave Hatter - July 17th 2020 - SPONSORED BY INTRUST IT


  • Microsoft's July 2020 Patch Tuesday is another whopper:
    • For the July 2020 Patch Tuesday, Microsoft fixed 123 vulnerabilities in Microsoft products, 18 classified Critical and 105 classified Important
    • This is the second-largest Patch Tuesday update ever
    • Microsoft indicated that users should install these security updates as soon as possible
    • One of the key vulnerabilities fixed is a 17-year-old wormable DNS vulnerability that Check Point named "SigRed"
    • 3 critical vulnerabilities exist in Microsoft Edge and the VBScript engine that could allow remote code execution (RCE)
    • 4 critical vulnerabilities can be exploited by tricking a user into downloading specially crafted malicious files
    • View the full list here: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jul
    • Other recent updates include:
      • Apple iOS
      • Mozilla Firefox
      • Google Chrome
      • Google Android
  • New sextortion attack uses social engineering and doxing:
    • "Sextortion is a type of revenge porn that employs non-physical forms of coercion to extort sexual favors from the victim. Sextortion refers to the broad category of sexual exploitation in which abuse of power is the means of coercion, as well as to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion." - Wikipedia
    • "Doxing, or doxxing (from "dox", abbreviation of documents), is the Internet-based practice of researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual or organization. The methods employed to acquire this information include searching publicly available databases and social media websites (like Facebook), hacking, and social engineering. It is closely related to Internet vigilantism and hacktivism." - Wikipedia
    • "Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme." - Wikipedia
    • The SANS Internet Storm Center recently warned that cybercriminals are engaging victims online using social engineering tactics to collect information that ultimately leads to extortion
    • Cybercriminals often use dating and adult sites to slowly collect personal information about their victim
    • When enough information has been captured, the attacker publishes those details in a public forum (doxing) and the victim is asked for a bitcoin payment to have the information removed
    • Because of the nature of the information collected, this approach can be far more effective than the original sextortion scams, which relied on phishing and the limited information found in data breaches and OSINT
    • Cybercriminals are patient and will use social engineering to:
      • Establish credibility
      • Create a sense of comfort and familiarity
      • Attempt to form an emotional connection
      • Get the victim to pay
    • Be very wary of information that you share online
    • Understand the person on the other end of the Internet may not be who they claim
  • Phrases that incorrectly activate digital assistants:
    • As of 2019, there were more than 76 million "smart" speakers, aka "virtual assistants", in the US according to Consumer Intelligence Research Partners
    • There are well-known instances of these and other devices listening when they shouldn't be
    • Virtual assistants like Siri and Alexa are designed to listen for a "wake phrase"
    • Many have questioned whether the speakers are listening constantly
    • New research has shown that some "smart" speakers activate by mistake, as often as 19 times each day on average
    • For Google's Assistant the wake phrase is "OK Google", for Apple's Siri, it's "Hey Siri" and for Microsoft’s Cortana it's "Hey Cortana"
    • When the wake phrase is heard, the device pays attention to what follows
    • These devices can mishear things that trigger them to listen. This has led to these devices capturing everything from sex to crimes
    • Researchers at Northeastern University and Imperial College London have found that the accuracy of these devices for discerning the wake phrase is not very good
    • To simulate real-world conditions, researchers configured a variety of smart speakers and played 125 hours of audio from various TV shows
    • Researchers uncovered more than 1,000 word sequences, many from TV shows such as Game of Thrones, Modern Family, House of Cards, and news broadcasts that triggered the devices
    • Devices tested included Google Home Mini (1st Gen), Apple’s HomePod (1st Gen), Amazon’s second- and third-generation Echo Dot, and the Harman Kardon Invoke with Cortana
    • Recording was detected by observing when the activation lights came on, by monitoring the network traffic, and by checking cloud accounts for recordings
    • When devices wake up they record a portion of what’s heard and send it to the manufacturer. This means that fragments of potentially private conversations can end up in the company logs
    • The HomePod device was the worst for false activation
    • Additionally, when devices activated, it was for fairly long periods, some as long as 43 seconds!
    • Despite past incidents, no evidence was found that any of these devices recorded constantly
    • As more folks are forced to work from home, cybersecurity and privacy professionals are raising concerns about the compromise of sensitive information
    • Mishcon de Reya LLP, an English law firm, told staff to mute or disable such devices when discussing client matters
    • Mishcon’s warning covers any kind of visual or voice-enabled device, including Ring doorbells, baby monitors and closed-circuit TVs
    • "The devices are intentionally programmed in a somewhat forgiving manner, because they are supposed to be able to understand their humans," said researcher Dorothea Kolossa
    • "Therefore, they are more likely to start up once too often rather than not at all" - Kolossa
    • "Perhaps we’re being slightly paranoid but we need to have a lot of trust in these organizations and these devices" - Mishcon partner Joe Hancock
    • You can disable active listening on many of these devices and require a button click to activate the device
    • The best thing you can do is D2, disconnect and discard these Orwellian spy machines

55KRC · THE Talk Station in Cincinnati