Silent Mode Cafe
Welcome to Silent Mode Cafe, the podcast where we translate the digital realm into plain English. From data privacy and basic internet security to smart home gadgets and the latest AI developments, we serve up tech insights with a side of caffeine.
Weekly Security Roundup - Privacy in Plain Language
We explore the latest security threats and patches while providing practical advice on keeping your digital life secure with our special guest Firas.
• Android releases patches for 120 flaws including two zero-day vulnerabilities
• Windows issues 80+ fixes during September's Patch Tuesday
• Plex streaming service requires users to reset passwords after data breach
• NPM supply chain attack targets crypto wallets with malicious code in JavaScript libraries
• OAuth token theft at Kiva puts business contacts at risk of phishing
• Facebook Cambridge Analytica settlement payments starting to arrive with scammers taking advantage
• Best practices include updating devices regularly, using two-factor authentication, and avoiding suspicious links
• Golden rule: never click links in messages - always go directly to official websites
Follow us on social media @SilentModeCafe for more privacy and security updates.
Welcome to Silent Mode Cafe
Speaker 1: Welcome to Silent Mode Cafe, the podcast where we make privacy and security make sense. I'm Salah.
Speaker 2: And I'm Vivek. We're here for people who use tech every day but don't want to obsess over every headline. Think of this as your weekly, you know, reset: what to update, what to ignore and how to dodge scams.
Speaker 1: Yeah, you know, we keep it real, scams. We keep it real, we try to keep it real. We're highly opinionated, so we will make fun of MI6 when they get hacked, as you think. But look, you'll leave. I think you'll leave knowing what's up with your phone. We have interesting updates, your apps and your data, with enough clarity to explain it to your mom, to your co-workers. You'll have something to chat with your co-workers about tomorrow. Do people still go to work, Vivek? I don't know. Definitely not in tech, man. It's just remote work, business happening these days, and then we have a lot of updates. Matter of fact, Vivek, what is going on today? So before that, we have a guest who I see, yes, it's somewhere here.
Speaker 1: Here I am. So, um, look, I'm very excited about this because I'm hanging out with a very dear friend of mine, Firas, and we tell him, hey, we're getting ready to record a podcast, you're going to be on. So, Firas, thanks for being on here. Thank you guys for having me. I'm really excited, love it. So, Firas, you listen to our podcast. Oh, every week. Have you ever applied your stuff in your podcast? Oh, yeah.
Speaker 2: What's your favorite
Speaker 1: takeaway that you've used from the podcast? You know, anything from learning about heavily encrypted chat applications, in terms of, oh, you got a story about that. What is that story? What did you say? You ended up having switched to it because you wanted to keep it private. What were you telling me? You sometimes switch to secure apps for certain discussions. Absolutely.
Speaker 2: Yeah, well, Firas is not going to give you the gory details about private conversations on chat.
Speaker 1: I'm trying to get into a girlfriend's conversation. The first rule of security is, there's the Emily quote.
Speaker 2: Yes, Emily, censored to be safe. So yeah, coming up today. Firas, welcome. You've known Firas for a long time, so welcome to the show. Thank you guys. So something that's coming up today: Android and Windows updates. It's Patch Tuesday. Yeah, it's Patch Tuesday, unlike Taco Tuesday, which is more fun.
Speaker 1: It's Patch Tuesday. Patch Tuesday, that's fulfilling, more annoying.
Speaker 2: Oh yeah, more annoying. The Plex, the video streaming platform, is asking users to reset passwords, and then, from my perspective, from a developer perspective, there's a wild JavaScript attack aimed at crypto users and real money finally rolling out of Facebook's privacy stuff. So this crypto thing is really, really interesting and how they've been able to attack it, and then we'll have a conversation about that. And then, of course, Facebook writing checks.
Android & Windows Security Updates
Speaker 1: Oh, that's right. Interesting, all right. Well, folks, look, these next 10 minutes will be rapid fire. We're going to give you some updates. We are going to end each update, when we talk about each one of these hacks or breaches, with what you could do and what this means for you specifically. So stick around, let's get started. Vivek.
Speaker 2: Cool, and if you have questions or tips, hit us up on X. That's Island World Cafe. We're also on all social media channels, Instagram, YouTube, et cetera, and you know we're always looking for your commentary. It keeps us moving.
Speaker 1: And today we have live commentary.
Speaker 2: And today we have live commentary, yes. So let's begin. First thing, Android patches 120 flaws, including two zero-day flaws. So Android's been on a roll. Every week they've been patching. So Google's September Android update fixed 120 bugs, including two zero-day flaws.
Speaker 1: That means attackers were already using that before the fix even dropped. You know, this is interesting, um, because Apple has one way you can download apps, uh, and that's, who? Uh, the App Store. But if you've sideloaded apps or tapped on random links, or know that you've accidentally tapped on random links, those flaws are a big deal. You're basically walking around with a sign that says open for a tap, and you're going to end up on somebody's Wall of Sheep, to just use a DEF CON term there, you know, until your phone updates.
Speaker 2: So what do you do now? So you go update your Android phone. If you've got an older device stuck on an old patch, use a browser with strong security and turn off "install unknown apps" in your settings.
Speaker 1: Yeah, I think everyone should get familiar. Let me check, so, for us. Do you know where your web browser settings are on your phone? Oh yeah, okay. So look, this is common knowledge. Just go into your, your, your, uh, settings. Go into your browser, um, and just turn off. Scroll through, get familiar with it, you know. Just make these things regular. Look, delete apps you're not using. Delete apps you've downloaded once to try. Clean up your screen. Try to keep it to a minimum amount of apps on your phone at any given time. For that this week, 80 plus fixes and confusion about zero days. I have no idea what confusion about zero days. It's kind of blown my mind that so many. Last time we did our update we talked about, was it an Apple zero day? No, not an
Speaker 2: Apple, no, it was Windows, it was
Speaker 1: Windows zero day. So now there's confusion about zero days. Microsoft dropped 80 patches today, so I was making Vivek wait like, what, 10-15 minutes until my last. Okay, maybe it wasn't that long. There may have been a couple of bio breaks or coffee breaks that happened then, but it took a while.
Speaker 2: Either way, it did. It did take a while.
Speaker 1: Yeah.
Speaker 2: Yeah, I think we're continuously seeing this issue with Windows and zero-day patches coming along. So if you're still clicking "remind me later" on that Windows update, please don't. Home PCs are the easiest targets for ransomware if they're outdated, so whenever you see that pop up on Windows, just please update it. I know it's painful, but it's better to be safe than sorry.
Speaker 1: Does anyone know, for us, where do you still use Windows?
Speaker 2: Or do you still use Windows? I think that's the pertinent question.
Speaker 1: You know, I'm primarily Apple products. I use Safari on my iPhone. Sometimes I'll download a different server on my MacBook.
Speaker 2: It's a little bit out of touch, so I'll see if Safari's working, and Chrome. Usually it's the fastest.
Speaker 1: I'm telling you, Windows is becoming less and less of a consumer product. I mean, I have a Windows machine because I do like the flexibility of my Windows machine.
Speaker 2: And gaming and...
Speaker 1: I'm gaming on it. I mean, this is a gaming laptop I'm using, but I've been hacked. Well, I don't know if I should call it hacked. Well, yeah, I've been hacked. I've somehow received a virus, a link, yeah, and it's actually forever anyway. So what else is going on?
Plex Password Reset Requirements
Speaker 2: Plex, the streaming service, has told users to reset their passwords. Now, yeah, it got hit. Hackers got access to email addresses, usernames and hashed passwords, which is extremely simple to reverse engineer.
Speaker 1: So look, the good news here is that no credit cards were logged in. Login tokens could have been reused, could be reused, so people might have access to your account. So if you use the same password elsewhere, such as your email or your bank account, what should they do with it?
Speaker 2: So reset your Plex password, make it unique, turn on good old two-factor authentication and sign out all connected devices from your Plex account. Man, this is just like the Windows patch: it's boring to fix, it's easy to fix, it's laborious sometimes to fix.
Speaker 1: But folks, look, my neighbor recently had a Windows issue, um, and I was trying to diagnose what that issue was. It turns out they have, um, some viruses on their machines, right, on their machine, excuse me, um, and the, the problem with it is it had corrupted the BIOS. So I have to do a BIOS update. But my neighbor, she was good enough to have BitLocker on there. So it turned into an issue for me, because now I have to have access to her Microsoft account to unlock BitLocker, and then for some reason the laptop would not accept the new firmware, BIOS firmware update. So I'm still working, I'll give you guys an update, but regardless, my point there being is that we had a hard time remembering all these passwords and we're like, well, use a password again. Yeah, maybe their machine is outdated.
Speaker 2: Yeah, maybe she has an older version. That's why there isn't a BIOS update. That's right.
Speaker 1: That's right, that's exactly where it was. But regardless, look, update constantly, update your systems, right, and you only reset your password through your password app or the official site, and in this case, it would be Plex.
Speaker 2: Yes, correct.
NPM Attack Targeting Crypto Wallets
Speaker 1: So Vivek, um, Vivek. Yes, a mass NPM supply chain effect. This is what I, for us, do. You know what NPM means? Not my problem, not my problem. That's an MP, then I have no idea.
Speaker 2: Still not his problem.
Speaker 1: Still not his problem.
Speaker 2: What is NPM?
Speaker 1: Tell me what this is.
Speaker 2: I have no idea, so it's essentially like a default package manager which installs libraries and modules to JavaScript. So, it's used to... Essentially any apps that are built using JavaScript need libraries, and NPM is the package manager that packages it all together. So I mean we use it every time. Anyone who uses JavaScript uses it every day, installs NPM libraries, patches and so forth.
Speaker 1: So the supply chain attack is embedded into the code used by crypto wallets.
Speaker 2: So what happened was, according to what the article says, that attackers snuck malicious code into 18 NPM packages. I see. Used billions of times. So imagine if you have libraries that you're compiling your code with. Yeah, and it's got malicious code in it.
Speaker 1: So this is like a Trojan horse. The bad actors hid themselves in code, yes, and as soon as the app creators, the crypto app creators, downloaded that code to use it, the bad actors, again, Trojan-horsed that code, and therefore there was a bad backdoor.
Speaker 2: So they targeted in-browser crypto wallets, which a lot of people use. So if your wallet is connected and your favorite site used one of those packages, your crypto might be at risk.
Speaker 1: So tell me more about this. I hear CryptoX is freaking out over this.
Speaker 2: Yeah, CryptoX is freaking out over this, because a lot of the packages that they use to compile and create their websites, like strip and cns for module, right, that's, that has this malicious code. So imagine if you have a website with a Trojan horse and someone connects to it through their in-browser crypto wallet, then there's a potential that your crypto would get stolen.
Speaker 2: So, um, so it's a pretty well-built scam. So, yeah, and now devs are just freaking out and they're scanning everything right now. It's pretty significant, at least in the crypto world. Yeah, um, so there is. Do you want to talk about, potentially, what the best move might be for this? I
Speaker 1: don't know. I think what I would do is stop. I mean, I would reset my... I don't even know what users should do on those apps. Like, definitely, so delete itself from the app itself. But if your access has been... So the thing is, is they didn't really explain what the backdoor is.
Speaker 2: No, they haven't explained it, in the sense that they can just get access to your crypto wallet and then take crypto out of your wallet and put it in theirs. So I think some of the best moves is, instead of using in-browser crypto wallets, use hardware wallets. That's one, and then, I'm so confused, and then go through your browser and delete any sketchy extensions or ones that you don't have.
Speaker 1: So again, enter your browser, reset default.
Speaker 2: Use hardware wallets, because they'll be in cooperation.
Speaker 1: Could one put emails
Speaker 2: and transfer everything to the new wallet? You could, yes, that's probably not a bad idea.
Speaker 1: But the problem is we don't know yet who's used strip and see. So is core module, so I guess you could probably look this up. That's what I'm saying. This is so, I mean, as complex as it is, I feel like the entire situation is complex.
Speaker 2: Yeah, it's still developing.
Speaker 1: I think this is the fear that most people have with cryptos.
Speaker 2: With crypto, yes. Stuff getting stolen and no oversight, right, no oversight. See, none of that stuff. Yeah.
Speaker 1: So, folks, in the old day, when crypto first came out, you actually got a physical key. Do you remember that with Bitcoin, you actually got your, your crypto, um, coin, and the coin was also digital, and as long as no one had access to that coin, that coin was yours to use in any way you want, um. Now there's no coin anymore. It's all managed by, um, almost like money is, through crypto wallets. You can buy and trade access to it, but the real access is happening in the crypto wallet. It's interesting. We should do more on this topic. Let's move on. What else do you have for us?
OAuth Token Theft and Facebook Settlement
Speaker 2: There's a protocol where Kiva, which also got compromised, attackers accessed business contacts through a stolen OAuth token. It appears to be a plugin into Salesforce, so it's part of a broader token theft campaign tied to AI chat integrations.
Speaker 1: So, even though the platform data wasn't touched, attackers could use the stolen information to craft super convincing phishing emails that look like they're calling from you. Like, you can just request credit card information, whatever you want, from a friend through the phishing email.
Speaker 2: As always, we say treat anything unexpected like it's fake. Don't reply to random support texts or emails. Go directly to the company site or app to check.
Speaker 1: This is reminiscent of the situation that the government was hit by not too long ago, where the hackers got, the bad actors got, access to a lot of the DMV contacts and they were contacting people telling them your registrations have... click this link.
Speaker 2: Yeah, that was two weeks ago.
Speaker 1: Yeah, so people, don't click on links that come through text. Please don't, even if it's from me. Maybe, especially if it's from me, I don't know.
Speaker 2: So those weren't my moms.
Speaker 1: So, look, as always, all your accounts should have two factors, and if you have two factor, uh, you're better off. Tokens, your, you know, tokens are always, uh, getting targeted now, and that means your identity is always being stolen, um, and at risk, so protect yourself.
Speaker 2: Yeah, and then, last but not the least, Facebook is writing checks. Remember the $725 million settlement from Meta over the Cambridge Analytica
Speaker 1: mess? That was years ago.
Speaker 2: That was years ago, yeah, so the payments are finally hitting people's accounts.
Speaker 1: Oh, my gosh, yeah. So look, what this means is, again, watch what you click on, because now scammers are taking advantage of this. They're going to contact you as though they are a company associated with a Facebook settlement and they're going to ask for very confidential information so they can transfer a payment to you. So they're going to ask for your bank information and to help to verify your payment. And please don't get scammed. Take advantage of the settlement, but please don't get scammed, be careful.
Speaker 2: So if you filed, yeah, if you filed, check your official settlement site. Don't click on links from random messages, even if they look real, but just go to the official site.
Speaker 1: All right, all right. So for us, here's what you do this week. Um, you're going to update your Android and Windows devices if you have it, it doesn't use any... to reset your Plex password and use two-factor authentication. You're going to stick to hardware wallets or, for crypto, what's your safest bet? You're going to watch out for support scams coming from SaaS vendors, like your Box account, and you're going to double check anything claiming that they're going to send you money, and don't trust them. Double check, and I'll send it to you first. Send it to me first.
Speaker 2: Essentially, don't be online. Be safe, don't be online. Don't be online, don't click on anything. Close your doors, hide under a table, hide under a rock, and make sure you have two-factor authentication. That's right. Yeah, that's the update, right? Yeah, well, we're excited to have Firas with us. Yeah, that was nice. So, Firas, I mean, yeah, go ahead. No, I said, do we have any golden rules from you?
Speaker 2oh , golden rule is if a message says update
Golden Rules for Online Safety
Speaker 2your login or verify two-factor authentication , please don't tap on the link . Go to the site yourself . So this habit alone blocks a whole wave of scams .
Speaker 1: Always go to the site. Always go to the site. If DMV says, hey, we got something for you, go to the DMV site directly. Facebook site to reset your password.
Speaker 2: Whatever you're doing, Microsoft, go to the site. Please don't get in trouble.
Speaker 1: So, for us. Thanks for being here, man.
Speaker 2: Thank you guys. Thank you so much for having me. Great to see everything up close, see how the sausage gets made and see how the accounts get protected. That's awesome. Did you say sausage gets made? I got to go. You got to get the $1.50 from Cosmo.
Speaker 1: Oh my god, I'm hungry now. Chicken bake time. Cool. Alright, folks, thanks for tuning in to Silent Mode Cafe. Again, like Vivek said up front, follow us on @SilentModeCafe. Subscribe on all the venues. We're on YouTube. We're on all the podcast channels. If you have them, just log in, follow us and we'd highly appreciate that. Thank you. Till next time. Bye.