Firewalls Don't Stop Dragons Podcast

Every January, we celebrate privacy with Data Privacy Week. It has rightly expanded from Data Privacy Day. And of course every day should be data privacy day. In the news: The FBI shuts down a major ransomware group; new Windows malware steals passwords and other data; new Android malware can completely take over your device; a dangerous "malvertising" campaign mimics popular software to steal info; the previously-secret "no fly" list was leaked online; tens of thousands of PayPal accounts hacked via credential stuffing; T-Mobile admits to over 37M customer records stolen; and Twitter GodMode is back (or rather never really went away). I'll answer a Dear Carey question about Plain, the service that allows financial tech aggregators to access your account information and my Tip of the Week will explain Apple's new Advanced Data Protection feature. Article Links [NPR] FBI says it 'hacked the hackers' to shut down major ransomware group https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-h

Our email addresses and cell phone numbers have become highly valuable identifiers for marketers. Like government-issued IDs, your email address and phone number are directly associated with your identity and you will probably have them for life. This makes them ideal for tracking you across websites and accounts. It's no wonder that you are asked to provide this information all the time, for the simplest things. So why not throw them off your trail by having multiple email addresses and phone numbers? It's not as hard as you think, and it's getting easier all the time. This is a privacy concept called aliasing and we'll delve into all the details with the CEO and founder of SimpleLogin, Son Nguyen Kim. Interview Notes SimpleLogin: https://simplelogin.io/  Proton & SimpleLogin: https://proton.me/support/create-simplelogin-account-proton-account  Data Privacy Week: https://firewallsdontstopdragons.com/data-privacy-day-checklist/  Fastmail Masked Email: https://www.fastmail.help/hc/en-us/article

It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! In today's show I'll throw out several tips for improving your privacy and security that you might want to put on your to-do list for 2023. I've also got a minor LastPass update and some thoughts on how we might make managing passwords easier and more robust. I'll answer a listener question on tracking in beta software. And then I'll cover several news stores: A government watchdog cracks many accounts in a federal agency with a cheap password cracking rig; NortonLifeLock is warning several users that hackers may have breached their accounts; Russian hackers suspected in Royal Mail attack; Iran's citizens being targeted with spyware in VPN apps; Windows 7 is finally totally dead; identity thieves find authentication bypass to access Experian credit reports; robot vacuum cleaner captured compromising pictures that ended up on social media; even the FBI is recommending ad blocke

Facebook stock is down 65%, they just paid $725M to settle the Cambridge Analytica lawsuit, and they've just been fined over $400M by the EU. But that's not the worst part (for Meta). The EU and its General Data Protection Regulation (GDPR) is basically saying that its entire business model - surveillance capitalism - is wrong and must stop. That's the same business model used by Google, too. It really seems that the tide is finally turning in favor of user privacy as more nails are hammered into the coffin of behavior-based advertising. In other news: the first LastPass class actions lawsuit has been filed over the recently announced data breach; WhatsApp adds a feature to bypass internet censorship by repressive regimes; Pornhub is now requiring viewers from Louisiana to verifying the age via ID; data from up to 400M Twitter accounts is up for sale; a military device containing information including biometric scans of over 2000 people was bought on eBay for $68; Mom and daughter kicked out of Rockettes s

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users' encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people's password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don't know, what we should learn from the incident, and (most importantly) what LastPass users should do about this. Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for

All our devices and apps use the internet these days. But what are they doing on the internet, exactly? Who are they talking to? You'd be surprised. But there are tools which will not only let you see what they're up to, but also let you have fine-grain control over what communications you want to allow. But just the mere fact that they're sending and receiving data to and from multiple sources can be revealing, too. While VPN's are good for adding a layer of security, they're really not great at adding privacy - despite having "private" in the name. Thankfully, there's a new service that can help there, too. We'll be discussing network privacy and how we can improve it with the CEO of Safing, Raphael Fiedler. Raphael Fiedler is the CEO of Safing, a speaker on topics about privacy, and a regular co-host on an InfoSec podcast. Interview Notes Safing.io, Portmaster, Safing Privacy Network (SPN): https://safing.io/  Securitized podcast: https://www.securityzed.com/  The Hut Six Story: Breaking th

The year is almost over and as we head into the holiday season I wanted to reminisce with some of my favorite snippets from the last year! Unlike in previous 'best of' shows, I've actually included some new snippets from my private podcast, to give you a little taste of the bonus content that I create for my patrons! The links in the show notes will take you to the full episodes, including all the relevant 'further information' links associated with them. Happy holidays, everyone!! Article Links Ep267: Luck Favors the Prepared https://podcast.firewallsdontstopdragons.com/2022/04/11/luck-favors-the-prepared/  Ep279: Necessary Chaos: https://podcast.firewallsdontstopdragons.com/2022/07/04/necessary-chaos/  Ep272: Tomatoes & Telegraphs: https://podcast.firewallsdontstopdragons.com/2022/05/23/tomatoes-telegraphs/  Ep275: Cryptocurrency 101: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/  Ep283: No Place Left to Hide: https://podcast.firewallsdontstopdragons.com/

Today when computer systems fail, they can cause real, physical harm. In just the last few years, we've seen cyber attacks interfere with our food supply, tamper with city water supplies, and disrupt gas pipelines. While cheap consumer electronics often have poor security, medical devices like insulin pumps and pacemakers are also vulnerable to attack - and the consequences of failure can be lethal. The free market doesn't reward better security. Regulations are weak or nonexistent, regulators are understaffed and underfunded. Targeted organizations lack sufficient funding, training and personnel to prepare and respond. They need help. I Am the Cavalry aims to engage technologists and hackers to ride to the rescue. Joshua Corman is VP of Cyber Safety Strategy at Claroty, Founder of I am The Cavalry, and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety. Interview Links I Am The Cavalry: https://iamthecavalry.org/  BSides 2022 Cavalry presentation: https:

Tis the season for giving... and unfortunately, also for taking. Scammers tend to be extremely active during the holiday season. We're buying lots of stuff online, having lots of packages delivered. We're away from our homes for extended periods of time. We're giving money to charities. We're firing up new tech toys. The bad guys know this and are happy to take advantage of our chaotic holiday schedule and unusual levels of spending and giving. I'll give you some top tips to avoid being a victim this holiday season. In other news: the SFPD wants to arm its law enforcement robots; the TSA is expanding the use of facial recognition at airports; Microsoft warns of malware coming from Google Ads; a new study shows that computer repair shops may be accessing your personal data; WhatsApp data breach affects nearly 500M users; Twitter data breach was far worse than reported; Meta shuts down covert US propaganda operation; US watchdog raises warning for offshore oil and gas rig security; a new malware campaign byp

I can't believe I've been doing this for 300 weeks - almost 6 years now! And returning for his 3rd "podcentennial" episode is world-renowned security guru Bruce Schneier! Today we'll discuss hacking - not just in the realm of computers, but in legal, political, social and economic spaces. And then we'll talk about how artificial intelligence and computer automation are starting to play a significant role in hacking all of these realms. Computers and AI expand the scope, scale and speed of hacking and we're honestly not prepared for it. To celebrate the 300th episode and the coming release of the 5th edition of my book, today I'm kicking off a big giveaway with lots of prizes and a killer promotion for patrons on Patreon! (See below for links.) Bruce Schneier is an internationally renowned technologist and security guru. He is the author of over one dozen books, including his latest, A Hacker’s Mind, due out in February, I believe. He has testified before Congress and has served on several government com

Black Friday is just around the corner, which marks the unofficial launch of the holiday shopping season. As you're considering what gifts to give to your loved ones this year, I want to make sure you're thinking about the privacy and security aspects. To that end, I have updated my annual Best and Worst Gift Guide and I will go over the highlights in this episode for my Tip of the Week. But I also have a special new gift idea this year: security and privacy coupons that you can download and give to your loved ones! In the news: USPS tells customers to avoid using the big blue mailboxes for gifts and important letters during the holiday season; Google pays nearly $400M fine to 40 states who sued over location tracking; Medibank refuses to pay ransom for data and criminals are starting to leak sensitive medical records online; TransUnion reports a data breach; FBI director warns that TikTok is a national security risk; Lenovo laptops are exposed to UEFI malware risks (update now); a mysterious company with

Connected computers have changed the world perhaps more than any other single invention. The impacts of nearly instant global communication and effectively infinite, perfect storage of information are at once undeniable and difficult to fully comprehend. And yet, technologists, bureaucrats and corporate leaders make decisions on a daily basis that should be considering the repercussions. Just because you can do something doesn't mean you should. Today, we'll discuss the digitization of the world and some of the more important impacts it has had and is having on society with the authors of the book Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion. Harry Lewis, former Dean of Harvard College, is Gordon McKay Professor of Computer Science at Harvard. Ken Ledeen is the Chairman and Chief Executive Officer at Nevo Technologies, Inc., a software development and information technology consulting firm located in Cambridge, Massachusetts. Wendy Seltzer is Strategy Lead and Counsel to the

QR codes are not inherently dangerous. They're effectively links we can click in the real world using the camera app on our phone. Like hyperlinks on a web page, QR code "links" can take you to good websites or bad websites. They can also disguise their ultimate destination by using URL shortening services like bitly or owly. But now "free" QR code generator websites - that is, sites that will let you create one of these QR codes by entering the HTTP link you want it to take people to - are using these redirects to basically hold your QR code for ransom. The QR codes they give you use the redirect links to insert themselves into the middle - and after some time, they will stop working until you subscribe and pay them money. If you've already printed these codes on hundreds of business cards or dozens of plaques for your restaurant, they they've really got you over a barrel. I'll help you avoid these scams. In other news: Microsort warns that attackers are quickly leveraging newly reported zero-days; some C

It's easy to tell people to use this or that privacy tool, but this always assumes that you trust the service that is providing that tool. How can mere mortals ever hope to obtain sufficient knowledge of the inner workings of these products and service providers that would allow them to make an informed decision? Today, I'll ask Adrianus Warmenhoven from Nord VPN that question, along with questions about normalizing surveillance and what privacy really means in our digital internet society. Adrianus Warmenhoven is a Defensive Strategist and Threat Intelligence Manager at NordVPN. He is responsible for getting the most relevant IOCs (Indicators of Compromise), malware samples and their indicators and generally mapping out the threat landscape for the company’s customers. Interview Links Nord VPN: https://nordvpn.com/The Follower: https://driesdepoorter.be/thefollower/ Five-Eyes Countries: https://en.wikipedia.org/wiki/Five_Eyes Electronic Frontier Foundation: https://www.eff.org/ Mozilla Foundation: h

This is going to sound bonkers, even though you're used to so many things tracking you... web pages, emails, and apps... but I'm here to tell you that while you're watching your TV, your TV is also watching you. Or I guess more accurately, your TV is watching what you're watching. Even if you're not using the built-in smart apps, if you're just piping pixels in from an external box, your TV can recognize the movies and shows being displayed. And it's taking meticulous taking notes and selling that data. It's called Automatic Content Recognition and "post-purchase monetization". It's sorta like the Shazam music recognition app, but for TV shows and movies. I'll tell you what you can do to stop it. In other news: a tricky new ransomware campaign is targeting home Windows users; Signal is removing support for SMS text messaging; Toyota user app data was exposed for years; the White House unveiled a new cybersecurity rating system for consumer products; Apple privacy is better than most, but still falls short;

We talk a lot about security and privacy on my show, but we don't talk enough about these subjects in relation to students and schools. Schools are tragically underfunded and can't afford to hire cybersecurity experts, let alone privacy experts. Students are minors who lack the legal rights and life experience to push back against horrific privacy invasions brought on by remote learning and in-home test proctoring. The laws in the US are woefully outdated and we too often assume that what is legal is the same as what is right and just. Today, I'll discuss these challenges and ethical dilemmas with Doug Levin. Doug Levin is co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national non-profit dedicated solely to helping schools protect themselves from emerging cybersecurity threats. Interview Links: K12 SIX: https://www.k12six.org/Annual “State of K-12 Cybersecurity Report’: https://www.k12six.org/the-report K-12 Essentials Series: https://www.k12six.org/essentials

Cold hard cash is becoming more and more rare these days. People just don't carry it around much any more. So how do you split a bill at a restaurant or buy from a street vendor? Many people today use mobile payment apps like Venmo, Apple Pay, PayPal, the Cash App, or a service promoted by many US banks called Zelle. While convenient, are these payment systems safe? Most of them actually are pretty secure (though some of them are not very private, like Venmo). But because most of these apps draw directly from your bank account, if you send money to the wrong person, either by mistake or because you were scammed, that money is pretty much gone. Ironically, this is very much like physical cash. Specifically, protections many people assume they have against fraudulent bank transactions don't really apply. You explicitly made the transfer and therefore many banks will not reimburse you for the loss. In other news: Optus confirms massive data breach; Optus breach triggers privacy regulation review in Australia;

Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture the flag game - except the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn't require a university degree or formal training. There are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can just hack for the fun of it - in a completely safe and legal environment. Jordan will tell you all about it in today's show! Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, even a technical magazine writer but now he's mostly a has-been CTF player who loves to talk about them. He has been the CTF expert for the first three years

Apple just released a major update to its iPhone operating system, iOS 16. This release has some really important security and privacy features, including Passkeys, Lockdown Mode and Safety Check. I’ll give you an overview of these features. In other news: D-Link routers have a major vulnerability that’s being actively exploited; Uber was completely pwned by a cocky 18-year old hacker; Morgan Stanley was fined $35 million for failing to delete user data from hundreds of hard drives before reselling them; Chrome and Edge may be sending your form data back to Google and Microsoft; a new voice AI tool lets you change your voice to sound like someone else; health apps are sharing your personal data and HIPAA isn’t helping; the US military is using yet another data broker to buy incredibly detailed information on almost all internet users; US border agents can search your phone and even copy your phone’s data, and may save that info for 15 years; your car is coughing up tons of personal and auto data to dozens

You may not be into cryptocurrency, but a recent incident involving a so-called "cryptocurrency mixer" has some important implications for privacy and free speech. Today we'll examine the relative anonymity of cryptocurrency transactions, tools that can be used to enhance that anonymity, and why the code that created these tools - and the services that might host them - must be protected under the First Amendment. Along the way, we'll explore the limits of free speech in the US and some interesting attempts to capture those rights. Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation, the leading nonprofit defending digital privacy, free speech, and innovation. Interview Links Coin Center article on Tornado Cash: https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/ Electronic Frontier Foundation: https://www.eff.org/ Code, Speech, and the Tornado Cash Mixer https://www.eff.org/deeplinks/2022/08/co