Privacy Please

S6, E261 - The Red Line: Salt Typhoon, Temu Spyware & The 'Side Door' Attack

Cameron Ivey


A week where the lawful intercept backdoor became the front door, a supply chain hop hit 200+ companies, a bargain app faced a malware lawsuit, and a university breach turned into a donor-targeting roadmap. We share simple moves to lower risk fast and set guardrails that actually hold.

• Salt Typhoon abusing CALEA at major US telecoms
• Negligence, unpatched routers and weak passwords
• Why SMS is transparent and how to switch to Signal
• Kill SMS 2FA and use authenticators or YubiKey
• Gainsight-to-Salesforce island hopping at scale
• Audit connected apps and revoke stale API keys
• Arizona AG lawsuit calling Temu malware
• Shop via browser sandbox and use masked payments
• UPenn donor data leak and Oracle exploit
• Whaling protections with voice verification and data scrubbing
• Practical recap: trust nothing, verify everything

Please follow us or subscribe on your podcast app, and watch the video on our YouTube or at theproblemlounge.com. If you have topics or guest ideas, we would love to hear from you.



SPEAKER_00:

Alrighty then, ladies and gentlemen, welcome back to another episode of Privacy Please. I am your host, Cameron Ivey, and this week I got some new uh new updates for you. The theme? The red line. Now, before we dig into today's episode, a quick reminder that we are building a community here dedicated to navigating these complex and digital issues. If you are listening on a podcast app, please take a second, go follow us, subscribe, please. It uh it does so much to help get us out to more listeners. And for the video version of this discussion, head on over to our YouTube channel or our website, theproblemlounge.com, to find all our links. With that being said, let's get into it. We finally learn that Chinese hackers didn't just break into our phone networks, they turned our own law enforcement tools against us. We also have the Arizona Attorney General officially calling a popular shopping app malware, a supply chain attack that island hopped into 200 major companies, and a university breach nightmare that just won't end. Trust absolutely nothing this week, people. Let's get into the chaos, shall we?

Alright. First, we have to start with one of the most critical stories of the year. We've heard whispers about Salt Typhoon for weeks now, but on Tuesday the Senate finally tore the lid off during a hearing, and it is worse than any of us thought. It's confirmed that this Chinese state-sponsored group successfully penetrated at least nine major US telecom providers. We're talking like all the big ones: AT&T, Verizon, Lumen, etc. They didn't just steal customer data, they accessed the CALEA systems. That's the system telecom companies are legally required to build so police can conduct court-ordered wiretaps. The impact here? Well, the hackers turned this system around and used it to track the real-time location of millions of Americans, record phone calls, and read text messages. They essentially used our own backdoor against us.

Let's talk about the pizza moment here. If you want to know how this happened, it wasn't some Mission Impossible hacking, it was negligence. Investigators found routers that hadn't been patched in seven years. They found weak passwords protecting critical infrastructure. Deb Jordan, a former FCC official, dropped the mic during the hearing. She said, ordering a pizza sometimes requires two-factor authentication. Why are our providers not implementing these basic hygiene practices? Now, here's the part that should make you a little angry. A little bit. Despite losing our private calls to a foreign adversary, the telecom industry used the hearing to fight against new regulations. They argued that voluntary measures are enough. Think about that. If a bank lost all of your money, we'd regulate them. But when telecom loses the privacy of the entire nation, they want to self-regulate.

So what can you actually do when a carrier is compromised? First of all, stop trusting SMS text messages. Salt Typhoon proved that SMS text messages are transparent to hackers. Move your sensitive chats to end-to-end encrypted apps, like Signal. Second, kill SMS two-factor. If your bank sends you a code via text, a hacker monitoring your line can see it. Switch to an authenticator app like Google or YubiKey immediately. It bypasses the phone network entirely.

Moving on to the corporate world, if you work in sales or customer success, listen up. We have a massive supply chain attack unraveling. Hackers compromised a company called Gainsight. Gainsight is a tool that plugs directly into Salesforce. We're all pretty familiar with Salesforce. Yes, moving on. It has deep privileged access. Now, the attack is basically made by breaking into Gainsight. Hackers used that connection to island hop into the Salesforce instances of over 200 major companies. Now, here's where it gets a little juicy. This is the nightmare scenario we always talk about. These companies locked their front doors, but they gave the key to the side door or the back door to a third-party vendor. Surprise. Look, if you run a business and you're listening to this, you need to audit your connected apps. Go into your settings and look for old vendors you don't use anymore that still have API access. Revoke them immediately. Treat those connectors like keys to your front door. If you change the locks, you have to get the keys back.

Next up, a story for anyone who loves a bargain, I would say. The Attorney General of Arizona, Kris Mayes, dropped a bombshell lawsuit this week against Temu. You know, Temu. Can we still joke about Temu after something like this? I think so, absolutely, yes. So, anyways, the accusation is that she isn't just saying they have bad privacy policies, she is effectively calling the app malware. So the claims are that the lawsuit alleges the app is designed to bypass your phone security settings. It accuses Temu of accessing your microphone, camera, and the location, even when you think you've restricted it. That's a big red flag. Huge. The AG said it can detect everywhere you go, to the doctor's office, to a public library. The scope of this invasion of privacy is endless. So here's a few tips. Delete that app now. Number one. But if you must shop there for cheap stuff, use the browser instead. Don't use the app. Don't install the app. Use the website on your browser. Something safe like Safari or DuckDuckGo or the Duck Duck One, I think it's DuckDuckGo. We're not sponsored, but uh you know. We're here. So what it does is it sandboxes Temu so it can't touch your other apps or contacts. Also, use a burner card. Never give them your real debit card number. Use a service like privacy.com or Apple Pay to mask your financial info.

And finally, we have an update on the nightmare at the University of Pennsylvania. And folks, it's a double whammy. That's with a big H. A whammy. So a few weeks ago, UPenn got hit by a phishing attack that exposed their donor database. Donor database. This leaked wealth screenings. These are estimates of donors' net worth, property values, and even demographic info like religion. The new breach, as if that wasn't enough: UPenn confirmed this week they were hit again, this time by a vulnerability in Oracle E-Business Suite. So here's the reality, guys and gals. Attackers now have a roadmap of high net worth targets. They know who you are, how much you're worth, and likely your email address. Ooh, everybody has everybody's email address today. But here's some tips. So if you are rich as all, and you're listening to this podcast, hey, thanks for your time. And donations are welcome. Seriously. Anything to help. So, anyways, tips. This creates a specific threat called whaling. So phishing, phishing that targets wealthy individuals, not just elderly. If you are a high net worth individual listening, or you know someone, tell your family, office, or bank that no wire transfer leaves the account without verbal voice confirmation from you. No emails, no text. Scrub your data. Use a data removal service like DeleteMe or Optery, not sponsored again, but just thank one couple that just popped off my head. If hackers know you're rich, you want to make sure it is as hard as possible for them to find your home address and cell phone um and cell phone number online or whatever.

So to recap, the phone company hasn't patched its router since 2018, your shopping app might be malware, and your vendor just let hackers into your Salesforce. Trust nothing, verify absolutely everything. Um, real quick uh episode. This this was just uh um a fun one for me, but if you guys have topics, anything you want me to cover, any stories you want me to dig into, would love to hear from you, any guest ideas. Um, we're hoping to have so many big things coming to you in 2026. So, again, I know there's a lot of podcasts out there. Thank you so much for listening to this one. Seriously, it means a lot. I've been doing this for a long time and I really enjoy this, so I hope you do too. Um, so again, thank you for listening to Privacy Please, and please stay safe out there and have a wonderful holiday season, everyone. We'll see you guys in the next one. Cameron Ivey. Over now.