The Technology podcast series presents podcast 35 of the Security Box, audio-centric applications like clubhouse from blog The Technology blog and podcast

Welcome to the security box, podcast 35. The program I think was very interesting, and we covered everything I had on file.

I’m thinking of changing the show notes for the RSS to have just the links to things, and the extended version for the blog, as I have done it a little bit differently.

The RSS feed has the program and had it Wednesday.

Don’t want to deal with RSS? Here is the 91.31 MB file for each of you to download.

Show notes

Welcome to the security box, podcast 35. We talk about Clubhouse, the security of audio apps like clubhouse and what experts are saying. We also have news, notes, questions, comments and more. Enjoy!

Topic: Apps like Club House and audio-centric apps and their security

Sex workers, for instance, have historically encountered abuse, harassment and employment discrimination in instances when aspects of their private lives are made public. The issue is particularly acute on Clubhouse, where users must agree to share their list of contacts with the app in order to invite a friend. Even users who declined to share their contacts with the app could have identifying information exposed in the event that one of their contacts authorizes Clubhouse to access their information.

The result has been to inadvertently out sex workers, and then make it difficult for affected parties to delete their account, and thus protect themselves, as Mashable reported. 

Is it necessary for apps like this to mass collect contact details of everyone on their phone? LinkedIn, the work version of Facebook, collects contacts so if they do join, you’re notified. I don’t have a problem with this practice, but Facebook, Twitter and even Clubhouse seem to collect data just because. Facebook has notified me of people joining, but I may have telephone numbers for doctors and the like that will become theirs. Google Voice and Hangouts utilize the contacts for me to use Google to call them, and I’ve not had a problem with me giving that permission. I believe WhatsApp even does this.

According to the article, researchers at Stanford University found that Agora Inc. transferred information of Clubhouse users to servers in China. Agora is a Shanghai-based provider of engagement software. They apparently transmitted Clubhouse users’ ID numbers and chatroom ID details, though not their usernames, in plaintext. The discovery meant that Agora would have had access to some raw Clubhouse audio files, and as a China-based company could be required to provide that information to the communist government.

I read Clubhouse’s rules and how they intended recordings to be managed: how the recording is made during the time the room is live, and how it is deleted if nobody flags it as part of a review process for abuse.

There were other aspects in this article that came to light, and they will be addressed, according to Clubhouse representatives.

In another article, Trend Micro talks about the security implications of apps like Clubhouse and the potential for information being stolen. Some of these applications can even be used as command and control (C&C) servers. Trend Micro has information on sample attacks that can be used on apps like this.

The attack points are: Network Traffic Interception and Wiretapping, User Impersonation and Deepfake Voice, Opportunistic Recording, Harassment and Blackmailing, Underground Services, and Audio Covert Channels.

There are best practices Trend Micro recommends.

  • Join public rooms and speak as if in public. Users should only say things that they are comfortable sharing with the public, as there is a possibility that someone in the virtual room is recording (even if recording without written consent is against the Terms of Service of most, if not all, of these
  • Do not trust someone by their name alone. These apps currently have no account-verification processes implemented; always double-check that the bio, username, and linked social media contacts are authentic.
  • Only grant the necessary permissions and share the needed data. For example, if users don’t want the apps to collect all data from their address book, they can deny the permission requested.

The article even has information here for providers to implement if they haven’t done so already. They include:

  • Do not store secrets (such as credentials and API keys) in the app. We have found cases of apps embedding credentials in plain text right in the app manifest, which would allow any malicious actor to impersonate them on third-party services.
  • Offer encrypted private calls. While there are certainly some trade-offs between performance and encryption, state-of-the-art messaging apps support encrypted group conversations; their use case is different, but we believe that future audio-only social networks should offer a privacy level on par with their text-based equivalent. For example, Secure Real-time Transport Protocol (SRTP) should be used instead of RTP.
  • User account verification. None of the audio-only social networks currently support verified accounts like Twitter, Facebook or Instagram do, and we have already seen fake accounts appearing on some of them. While waiting for account-verification features, we recommend that users manually check whether the account they’re interacting with is genuine (e.g., check the number of followers or connected social network accounts).
  • Real-time content analysis. All of the content-moderation challenges that traditional social networks face are harder on audio- or video-only social networks because it’s intrinsically harder to analyze audio (or video) than text (i.e., speech-to-text takes resources). On the one hand, there’s a clear privacy challenge that arises if these services implement content inspection (because it means that they have a way to tap into the audio streams). However, content inspection offers some benefits, for instance, in prioritizing incidents.

What to read:

News Notes

  • I’m being told that Philmore Productions plans to get rid of their privacy policy and terms of service, not like they were utilizing them anyway, but this could be big news if Philmore gets potentially litigated in the future.
  • Last podcast, I talked a little bit about an article that was part of this week in security news, which I’m a bit behind on. Long story short, there are a lot of numbers in this article entitled 119,000 Threats Per Minute Detected in 2020, which was quite interesting. Phishing is still the main vector and the Pandemic isn’t helping much. Email threats, which include Phishing, are 91 percent of the threats according to the Trend Micro report. 14 million URLs were detected, with home networks the primary target, according to the article. There’s more to read; Sarah did a great job covering this for Infosecurity Magazine.
  • As usual, Windows has their updates that came out, and we have the two articles from Krebs on Security and Trend Micro. According to Krebs on Security, there are over 82 flaws in Windows and supported software. 10 of these are critical, meaning that they can be exploited without you having to do much of anything. One of the biggest flaws is within IE 11 or older Edge. It’s got a CVE number, and as we know IE11 isn’t really being supported by web sites anymore, especially with sites possibly going to SSL version 1.2 like Live Wire did. Trend Micro says that there are close to 100, almost doubling the amount of patches from last month. Podcast 808 covered the Exchange flaws, and it’s big enough news that we really don’t know how many people are affected. Trend Micro says that 14 are critical and the rest are important. Both articles are worth the read.
  • How has Emotet been doing since we talked about its takedown? An article tells the story of several members behind this botnet, but it does state there are members at large that will more than likely go elsewhere because they’re funded, and well funded at best. This is a Trend Micro article; Emotet One Month After the Takedown is the article, and it was a good one.
  • On the third of March, I read about an article where scammers took some control over a cloud security firm named Qualys. This article comes from Cyberscoop’s Sean Lyngaas. According to the article, Qualys CISO Ben Carr said the attackers had accessed files hosted on an Accellion server. Mandiant has been hired in the case, and I’m sure that it’ll be a hot topic of late. Cloud security firm Qualys reportedly victimized by prolific scammers is the article.
  • Have you ever heard of ransomware hackers turning to virtual machines to do their dirty work? An article I read near the end of February was quite interesting, and you may find this of interest too. The article is quoted in saying:

    Ransomware gangs that target big corporations for extortion have long designed their code to execute on Microsoft Windows systems because of the popularity of the operating software.

    CrowdStrike is mentioned in here because the hypervisor computer servers that organizations use are now being used to deploy their schemes. There’s plenty to read here; Ransomware hackers turn to virtual machine software to boost extortion schemes is what you need to read.

  • There are numerous articles in regards to the massive problem at Microsoft with their Exchange server problems. Krebs on Security indicates, and I have heard this on podcasts, that this started as early as January 2021. All of the articles linked within this section were of value, and I don’t want to miss anything.
  • Thanks for listening, and make it a great day!

Article information

The Technology podcast series presents podcast 35 of the Security Box, audio-centric applications like clubhouse was released on March 19, 2021 at 11:01 am by tech in podcast announcements.
Last modified: March 19, 2021.