NSA Get Out of Our Phones – WSWiR Episode 140

According to the news, cyber criminals, nation states, and even our own employees are attacking our digital networks. In fact, there’s so much information security news each day that it’s hard to keep up. If you find yourself falling behind, perhaps my weekly summary video can help.

Today’s episode covers nation-state malware, booby-trapped popular web sites, dangerous pre-loaded software, and more. Press play below to get the scoop, and feel free to browse the references for other stories.

(Episode Runtime: 10:30)

Direct YouTube Link: https://www.youtube.com/watch?v=HOWUsT2cWgo



— Corey Nachreiner, CISSP (@SecAdept)

NSA SIM Heist – Daily Security Byte EP.28

Wow! The NSA and GCHQ are at it again, this time stealing the keys to our mobile SIM cards. Even if they say they don’t do blanket surveillance, they have the means to. See the video to learn what this is about.

(Episode Runtime: 2:41)

Direct YouTube Link: https://www.youtube.com/watch?v=n14u03lDZtk


— Corey Nachreiner, CISSP (@SecAdept)

Lenovo Superfish Breaks HTTPS – Daily Security Byte EP.27

Not only does Lenovo ship adware on its laptops, but this “Superfish” program also breaks the sanctity of your HTTPS, allowing attackers to man-in-the-middle your “secure” web connections. Watch today’s video to learn what to do.

(Episode Runtime: 2:15)

Direct YouTube Link: https://www.youtube.com/watch?v=d0Fdo9bCeBw


— Corey Nachreiner, CISSP (@SecAdept)

Web Security PSA – Daily Security Byte EP.26

Two more popular and legitimate web sites were hijacked to serve malware. Learn which sites to avoid and how to protect yourself from drive-by downloads in today’s daily video.

(Episode Runtime: 2:31)

Direct YouTube Link: https://www.youtube.com/watch?v=DenX9ZJTH-k


— Corey Nachreiner, CISSP (@SecAdept)

Tax Time Security Woes – WSWiR Episode 139

There’s tons of security news each week. If you can’t keep up, I try to summarize the most important stuff for you in my weekly video.

This week’s show covers a researcher leaking 10M credentials, Forbes’ website getting hacked, a TurboTax security scare, and much more. Watch the video for all the details, or check out the Reference section for other interesting stories.

(Episode Runtime: 9:50)

Direct YouTube Link: https://www.youtube.com/watch?v=mTycl-zSbVA



— Corey Nachreiner, CISSP (@SecAdept)

The Hazards of Using Public WiFi Access Points

Editor’s note: I’m excited to share a cool new security site with you. Pulitzer Prize-winning journalist Byron Acohido has launched a fresh site dedicated to keeping consumers and businesses informed about emerging information security (infosec) and privacy issues.

I first met Byron while he was doing a USA Today story on Java’s security risk, and I’m excited to see him and his team focus full time on infosec. Go check out the new site, Third Certainty, and sign up for the free weekly newsletter for regular updates.

Meanwhile, I recently did an interview with him about the dangers of public WiFi. Check out the article, in full, below. — Corey Nachreiner, CISSP (@SecAdept)

The hazards of using public WiFi access points

By Byron Acohido, ThirdCertainty

Free WiFi access points (APs) are a great convenience for consumers and can be a productivity booster for business travelers. But they also present ripe opportunities for hackers. ThirdCertainty asked Corey Nachreiner, WatchGuard Technologies’ director of security strategy, to outline this exposure.

3C: What risks do consumers and business travelers take when using WiFi services in public venues such as airports, hotels and coffee shops?

Nachreiner: The exposure is potentially huge. It’s natural for people to congregate and wait in places like airports and hotels and use public WiFi access. So these are ideal locations for attackers to set up faked WiFi APs.

This is possible because SSIDs (wireless networks) used in these locations are widely trusted; names like AT&T Wi-Fi, XFINITY WiFi, Boingo Wi-Fi and Free WiFi. And, it is easy for an attacker to broadcast a faked AP using these familiar names to entice victims to connect via the attacker’s AP. Furthermore, if your computer has connected to the legit access point in the past, it may automatically connect to the faked one.

3C: So if I connect to the Internet via a faked WiFi connection do I still get on the web?

Nachreiner: Yes, but now the attacker can see what you’re doing, infect your computer and set up man-in-the-middle attacks that can steal your account credentials and work files.

3C: Does part of this have to do with the venues – the hotels and book shops – not bothering to lock down the free WiFi access?

Nachreiner: Yes. Eighty percent of hospitality WiFi networks don’t require a unique password, and 50 percent do not secure or monitor their networks. I can share many stories about how easy it is to set up a faked AP in public areas and watch people join.

3C: This exposure has been out there since WiFi started going public more than a decade ago. So how intensively have the bad guys been exploiting this?

Nachreiner: Bad guys are definitely exploiting this. I’m a fairly regular business traveler. I’ve found suspicious and very likely malicious APs on two out of 10 trips. I’ve been on hotel networks where my security tools show other guests on the network trying to connect to my shares.

Whether they were just curious guests or malicious attackers is hard to say. But hotel networks are the perfect place for attackers to find victims.

3C: Right, that’s what happened in the so-called DarkHotel attack.

Nachreiner: Exactly, one of our partners, Kaspersky, discovered attackers targeting the third party WiFi vendor of a specific hotel. They were seeking intelligence on certain guests they knew would be staying at the hotel. They used the compromised wireless network to infect the computers of their targeted victims.

This was a very sophisticated attack and not the norm. That said, it’s more common to find basic criminals putting up faked hotel network connections to steal information from guests opportunistically.
