A company uh executive. Uh I won’t mention any names had an outage in their email one day and the executive was so frustrated about this email outage on their local, you know, maybe it was an exchange server on online or something locally that provided email services that they took matters into their own hands and started forwarding. They created a rule in their inbox that said I want a backup for my email. So if I have to work, I can always get to my email. And so he forwarded every message from his company account to his personal Gmail account just forwarded it over. Now, the company account, email was very well protected as you would expect in a, you know, a large company. Uh However, the gmail account had a very basic password with no multi factor authentication and the password that he used there, he had used all over the online world, presumably because someone got hold of it from a breach, say at linkedin or Yahoo or one of these other locations. There’s billions of accounts flowing floating around on uh that of compromise websites where hackers pull down your user name, your email and your password, your favorite password.
And they tried multiple combinations and eventually got into his Google account so fast forward over the course of many months of monitoring his account. And he happened to be in finance and he was working on a deal to fund some um project and there was a wire transfer that got involved uh that was talked about in his email. So the hackers are sitting there watching the communications between company A and B and they’re saying, ok, it’s almost time for us to send this $100,000 wire. The tre podcast is owned and made possible by ethical marketing service. If your business is struggling with Google Facebook ads, maybe you’re frustrated, figuring it out or there’s a performance issue. Ethical marketing service has worked on hundreds of accounts and we can help in this area. We offer a 30 day money back guarantee if you would like to find out if we can help. It’s a free no salesy consultation call and the link is in the description, enjoy the episode. Thomas Green here with ethical marketing service on the episode. Today, we have Craig Taylor. Craig welcome Thomas.
Hey, thanks for having me. It’s great to be here. It is great to have you. Would you like to take a moment and tell the audience a bit about yourself and what you do? Sure. So, Craig Taylor, I’m a cybersecurity professional. I’ve been doing this for a long time. As we were just discussing, uh, 25 years, I started in cybersecurity before there was a world wide web. That’s how old I am and, uh, have had my CISSP, which is the de facto standard certification in cybersecurity for since 2001. I founded a company called Cyber Hoot. You see in the background here, uh, 10 years ago to help address what I’m now calling cyber literacy. We used to say cybersecurity skills and this and that. But the be easiest way, Thomas to understand what we do at Cyber Hoot and what everyone listening to this needs as a skill set in the 21st century is cyber literacy. We’re probably familiar with computer literacy. You can work a keyboard, you can type probably 10, you know, 60 words a minute and you can work a mouse and email and those sorts of things.
But can you do it securely confidently efficiently? Probably not if you don’t have cyber literacy skills, the ability to identify a social engineering attack through phishing or on your phone as a text message that’s called smashing things of that nature. And so I founded Cyber Hoot 10 years ago to address this lack of awareness. The good news is, is it’s not rocket science. We’re not teaching really complicated things but no one else out there. Not in your educational system, in the US or UK or anywhere else in the world seems to be focused on teaching these skills and yet we all need to use a computer and email to run our lives. Thank you for the introduction. Um, and, uh, you highlighted an area of, uh, shall we say lack of knowledge. So I’d like to explore that and that’s in relation to phones. Cos my perspective is all via the computer. Uh, and I, I’m interested to talk to you about both. But, um, the phone thing is, uh, is not something I know anything about actually the hacking of a phone.
Um But the, the thing I wanted to just uh clarify was your company. I perhaps wrongly assumed that you’re doing cybersecurity on behalf of companies and that sort of thing. But is it fair to say that you’re a, you’re an educational company rather than a service based company? Both? Actually, we have two arms. Our product offering is an educational subscription service that any company throughout the world can subscribe to. And we automatically deliver uh awareness training videos as well as um a much more positive outcome fishing test. Uh We can get into the fishing component later on the service side, we provide cybersecurity program development services. So we’ll go in and perform a risk assessment of a company and identify issues, risks and concerns around the data, the business processes, things that are of concern to protecting the company’s operations, their people and the uh the, the data that they um manage on behalf of their clients and so we have two arms.
One is the service offering that’s done under our virtual CSO services Chief Information Security Officer. The other is the product uh product arm, which is our staff platform. You can subscribe, sign up at cyber hoot.com/businesses and enroll and be up and running in minutes. It’s very, very simple. OK. Well, thank you for that. Um I wanted to ask you uh there’s a bunch of stories that I’m really interested in um, in hearing from you. Um But the, the most recent shall we say, um, experience I have with this is actually a cold call from someone who wanted to take uh remote access to my computer. So, um now I did because I’m aware of that. Uh Should we say those tactics? Um I did not buy into uh that particular phone call. But what are your thoughts on that strategy and how prevalent it is and what people should do? Well, uh you were, you were the recipient of a very common attack, all of these attacks, you know, there, let me back up and just say I study the attacks that occur on an annual basis in reports that are written by companies like Verizon.
They do a data breach report and they collect all of the breach data, all of the attack data and they sort of tease out the little commonalities of attacks and they do this over time. They’ve been doing it for 20 plus years. They looked at 2000 and eight’s report and they compared it to 2022. And the surprising thing was the attacks are the same, they’re more sophisticated now, they’re using better tools to perform the same attacks. They all boil down to this password hygiene and social engineering. The phone call you received is an example of a social engineering attack. Most commonly you receive those through phishing emails, but they can be over the telephone. They can call you sometimes um you’ll receive a text message that says here’s a an offer or something. You click the link in the text and your phone will go to it. We can talk about that as well. But in the case of these phone calls and they say, oh, we found most often actually what I’ve seen in, in the example you’re talking about remoting into your machine to help solve a problem is because you visited a website and a pop up comes and says Thomas, you have a virus that we’ve identified and you can’t proceed and it puts a big Unclos window on your um browser that says call this Microsoft hotline to get this virus removed and you call the number because it’s right there.
It’s easy. People are lazy, they don’t look it up on another browser or another computer on their phone. They call the Microsoft hotline that’s been so conveniently presented to you on your screen and they begin talking and then they get convinced. Oh yes, there is a virus on my machine. I will give you remote access. And then what happens is that it’s a hacker. It’s not Microsoft. They will jump into your machine and they will troll around looking for a critical and sensitive data. Perhaps you have a file that says passwords, that’s their favorite thing to grab. Or you might have a file that says tax return or you know, I don’t know if the UK has um social security numbers. I know in Canada we had si NS social insurance numbers. You must have something similar. Those are very sensitive because they control your identity and your identity can be stolen with things like your birthday and your social insurance number and uh address and those kinds of things. So they’re looking for this kind of stuff. Now, they don’t find anything useful. They can install something uh of a, a remote access Trojan so they can get back in at their leisure.
They could encrypt your hard drive with some form of a ransomware attack that then you have to pay uh some fee to have on, on uh d unencrypted. Um So those are all common attacks. Um, many times they’re not through a phone call to begin, they’re just you around randomly browsing the internet. Um, but sometimes they can, you can do that through the receipt of a phone call. Well, thank you for that. And, um, I know, you’ve mentioned the, the text message way of, uh, getting into someone’s phone. Are there any other ways? Because I am? Although I know a lot about the attacks for computers, I don’t know really anything about the phone. So, is that the only way that someone can take control of your phone? No, there are many ways. Um, in fact, we’ll start from the assumption, the following assumption any software ever written has had bugs, uh, bugs that could lead to the compromise of the device on which the software runs. Many times. We hear about that on a computer. It’s Microsoft’s patch Tuesday. You need to patch your computer because you could open a file and it could exploit something that that’s wrong with your computer.
The same principle applies to your phone. And so you will hear and we’ve seen a lot of these in recent months, quite honestly, with the release of new operating systems for I OS 17 just came out. And before that 16 and 15 and so on, there were remote access v vulnerabilities or abilities for a hacker to send you a file or send you a very specially crafted text message that if you opened it would exploit your device. The take home message of all of this is you need to keep your devices up to date, you need to patch them, you need to upgrade them. I had, um, a family member who loved her iphone, uh whatever version, it was five years old, it was version uh 14 of I OS. And she says I don’t wanna update because everything changes and then I have to learn all the new, you know, Whizz Bang features that I don’t know how to operate. I just wanna stay on this forever. And that’s, you know, and on the one hand, I understand the need and the desire to not have things changing constantly.
But on the other hand, that accumulates all kinds of vulnerabilities that hackers have identified, putting herself at risk in her data. So keep things patched. The other trick is to turn your services off that you’re not using, if there’s, if you’re not using Bluetooth, disable it, if you’re not using Wi Fi disable it, it might save you a little bit of a battery. But more importantly, there are attacks that can be performed in the background uh just by having those services enabled on your phone. So would you say it’s, it’s a fair, a fair um conclusion that the more software or apps that you have on your phone, the more probable it is that you’re gonna be hacked. I would put it a slightly different way. Thomas because those different software applications, yes, they can have bugs. And, but you know, in general, the hackers are targeting the operating system for the compromise of the device kind of bug where the applications play into a, a breach of your security is in the data they contain and the privileges that you enable for them.
For example, we might all have read an article or heard people say, oh, I was just talking to my wife or my son or daughter about X and I got an ad on my phone or in Facebook for this for why? And it was tied right to what I’ve just been speaking of and it happened so quickly. Well, if you’ve given microphone access to different applications, they could listen in the background and then present ads that are tied to the things they hear. Um That seems like an extreme thing, but I have read articles that show that has happened. Is it common today? No, many of these companies have been slapped on the wrist for doing so. But you have to always be aware of the in the uh privileges, the permissions you’re giving applications if they don’t need your location data, don’t allow an application to give, to have access to your location. If they don’t need to access the microphone or the camera or any of those things don’t enable those. The other thing to do is always make sure you’re using the App Store or the Play Store because Microsoft Google and Apple are trying very hard to weed out applications that are, you know, not legitimate.
They might be simply uh put to the App Store or the Google Play Store to collect data on you and it’s a ruse for what they claim to be doing. It might be, you know, some uh text documentation app and it’s really just trying to sort through your phone to find privileged information and put it to someone else to sell it to a bidder. So use reputable apps. Download them only from the uh recommended stores. Don’t go or route your phone or, or, um, you know what that means is, don’t try to break the operating system, security controls and then place on it, uh software from websites that aren’t in the app store or that sort of thing that can lead to other problems as well. And um just remember those permissions, that’s a big, big component of it. Thank you for that. Um I’d also like to follow up on uh based on what you’re saying uh about phones and then also computers. I’d like to know your thoughts on uh online banking and whether, well, what’s your approach to it in terms of everything, you know, how do you go about online banking?
So, online banking is actually safer than, than what you might first. Uh think simply because the banks have forced us into leveraging um what’s called multi factor authentication. So to identify ourselves to the bank, we have to give two different, two of three different identifiers. Multi factor is presenting to two of three unique identifiers for a person or an identity something, you know, which is typically a password, something you have, maybe it’s just a mobile device and it receives a text message, although that is in itself um sometimes uh uh not as strong as say, an authenticator app or something. You are uh a face or a voice identifier or a thumbprint. Uh You know, we unlock our phones with face ID. That’s something you are. And um when you reboot the phone, you have to provide a passcode, that’s something you know. So any two of those are pretty good for the average person to log into their bank and be who they say they are.
Now, I spent gosh, five or six hours this week on a security incident where an individual received an email, it was an invoice. They opened it, it queried for a password to their Microsoft account, which they, because they knew the individual on the other end and they sometimes interacted with invoices in this fashion, they provided their credentials and it was a ruse. It was an attack that stole her credentials as well as her multi factor session token. Now this is gonna sound complicated but there is a token that gets placed on your device when you’ve multi factor authenticated via something you are. No and and are, and they can steal that token and then use it to log into a multi factor protected account. In this case, it was an email and we spent a few hours trying to recover from that because there was some significant damage done. They scraped her inbox of 850 email addresses and then shot out messages to all of those individuals with a new invoice that did the same thing and perpetuated the, the attack.
But it was, it’s um we’ve blogged about it at Cyber Hoot. If you go to Cyber hoot.com/blog, search on evil proxy. Evil proxy is the attack malware that does this sophisticated attack. Remember I mentioned to you at the beginning, social engineering has not changed. It’s the same attack forms, getting someone to do something that they shouldn’t, which is put in a user name and a password on an email that they really shouldn’t be responding to is a social engineering attack. The sophistication now has improved to where they can steal these session tokens and uh bypass some of the multi factor. So those are those that, you know, there are really uh risky things along those lines. I haven’t seen that happen in the terms or in the um form of banking uh type compromises. I do my banking online, I find the convenience of it. Um Quite good. There are also protections in place with, you know, credit card transactions that uh if your if your card is stolen, um you know, you’re not held liable in most cases for the transactions that are done there.
So some of those online banking payment systems, uh there are new payment systems in the US called Venmo and Um, I’ve used uh, some other international payment systems. It’s very convenient and you know, the, the, the, the number of people that are attacked in those fashions aren’t as prevalent as the ones that are attacked with business, email compromise or ransomware through phishing attacks. It’s a lot lower commonality or frequency. Is it zero? Absolutely not. Are there risks? Yes. Uh Best, best advice is to stay aware of what those risks are always enable that multi factor. Most banks require it, they don’t give you an option. So you have to enable multi factor um and be suspicious. Learn about social engineering, learn about um password hygiene, adopt a password manager, for example, so that the banking password you use is only used for that one bank and use a different password completely unrelated for any other banking or any other website online.
Every account you have is a unique password. The only way I found to do that. And what most cyber professionals say is a password manager is the way to accomplish that password hygiene method. Well, it’s a nice segue into um what I really wanted to talk to you today, which is some of the, I don’t know if this is the right term, but some of the most crazy stories that you’ve experienced over your uh your career. So um in what comes to mind for you in terms of uh the most, the most crazy stories about uh either individuals or companies being hacked. Well, I have two that I could bring up. Uh One is an origin story for Cyber Hoot. Uh, 10 years ago, I was between jobs and uh consulting for a company as a S IO a virtual or fractional C IO. Um, and we had an incident that came up and we were scratching our heads on how this could possibly have happened. There was a new woman who had been hired right out of college. She had put on linkedin. Hey, I’m excited. I started at this company and she got an email from the president of the company saying, dear, um you know, employee, would you mind going out and buying 10 gift cards for me $100 a piece because it’s the end of quarter and we want to give them to our hardest working employees and I need your help.
She was in the hr department and so she dutifully did that and then, you know, the email back to her was that was fantastic. Thank you for buying the card, scratching the backs off, taking an image of them and sending it to me again from the president of the company. She was so excited for being such a doodle, you know, responsive uh employee. They kept doing this over and over again and over the course of maybe two weeks, she had maxed out her credit card account and bought over $24,000 of $100 gift cards and sent them to who she thought was the president before anyone in the company realized what was going on. Obviously, this was a classic gift cards. Um, scam where you get an email that says, hey, I’m in a meeting. But do you have a moment? I need you to do something for me and the person responds. And if you look at the email address, it looks almost perfectly, um, identical to what you would expect your president’s email to be.
But it might be off by one letter. They might have taken an I and made it an L or an O and made it A zero. It just is almost indecipherable different, but it’s not from the president. So that story got me really frustrated with the lack of simple knowledge around social engineering. I said, I’ve got to help these smaller companies with their cybersecurity literacy and I found it cyber. So that’s our, one of our origin stories. Another one that I had was um the story of $100,000 wire transfer that disappeared forever. A company uh executive uh I won’t mention any names, had an outage in their email one day. And the executive was so frustrated about this email outage on their local, you know, maybe it was an exchange server on online or something locally that provided email services that they took matters into their own hands and started forwarding. They created a rule in their inbox that said I want a backup for my email. So if I have to work, I can always get to my email.
And so he forwarded every message from his company account to his personal Gmail account just forwarded it over. Now, the company account email was very well protected as you would expect in a, you know, a large company. Uh However, the gmail account had a very basic password with no multi factor authentication and the password that he used there, he had used all over the online world, presumably because someone got hold of it from a breach, say at linkedin or Yahoo or one of these other locations. There’s billions of accounts flowing floating around on uh that of compromise websites where hackers hold down your user name, your email and your password, your favorite password. And they tried multiple combinations and eventually got into his Google account so fast forward over the course of many months of monitoring his account. And he happened to be in finance and he was working on a deal to fund some um project and there was a wire transfer that got involved uh that was talked about in his email.
So the hackers are sitting there watching the communications between company A and B and they’re saying, ok, it’s almost time for us to send this $100,000 wire. Well, at that moment, he takes over the hack takes over this account and interjects that we have a banking issue and there’s new wiring instructions and here they are. And in the exact tone and temper of the communications that have been going on because the hacker has been reading the email unbeknownst to anyone, they registered a domain to conclude all of these communications which was off by one letter. So if the company was Acme corp.com, the legitimate company, the registered domain, which was no more than two weeks old was Acme Corp where the O and Corp was a zero, for example, and started the communications that way so that you could eliminate this executive from the wiring transfer back and forth. Oh, why are you under audit? Why is the bank number changing? Because it is, I, I apologize. I know it’s inconvenient and you know, all the communication.
It’s social engineering at its finest. Finally, the $100,000 get sent a few weeks later. Both companies are wondering, where did the money go? Did you send it? Yes, we sent it. No, we didn’t get it. Why didn’t you get it traces turn up that it was sent to the wrong uh banking information and it was never recovered and you know, at $100,000 that sounds like an enormous amount of funds. But I have read about million dollar wire transfers, $700,000 wire transfers and $25,000 wire transfers. This is rampant. It. If you go to the FBI website, you can see that this um wire transfer fraud is one of the largest social engineering uh losses that companies face uh in, in um in their tracking of these kinds of uh breaches. So those are two examples of social engineering that leads to financial loss for companies. And it’s so easily addressed if you can educate people about the uh attacks that are out there, the social engineering attacks, for example, the wiring transfer, you never ever wire or change banking information without picking up the phone and speaking to the other party and saying, ok, I’m just confirming the numbers that you’ve given me to change the wiring instructions and they’ll either say yes, that’s the right number and yes, we need it and you know who you’re talking to or they’ll say, what are you talking about?
I have no idea what you’re talking. We’re not doing any change of wiring and then you’re onto the scheme. Well, thank you for that. Um I don’t know why this sort of occurs to me, but um the, the interesting thing about the second example you gave was that there’s a little bit of uh liability on both parts in the sense that there was the individual who forwarded their email to a unprotected gmail and then the company who paid the funds, um, they didn’t check that it was, as you say that it was genuine. So do, do you ever get involved in, you know where the, where the blame lies or is it just like a messy legal type scenario that happens? I don’t get directly involved. I make a write up of the incident and the facts of the case. And then uh insurance providers uh and legal oftentimes it does go to legal because of the amounts of these um sums most often in the past, I would say 15 to 5 years ago, it was a um claim on your cyber insurance.
However, most cyber insurance is calling out measures like social engineering training, fishing, testing, uh the testing and training and, and delivery of security systems within a company wherein you have to prove that you did all of these things in order to file a claim and be paid back if still an accident occurs. Um And so we’re seeing more claims being rejected because the companies are saying one thing on their cyber insurance application, but they’re not fulfilling those requirements uh as easy as they are. And the sad thing is, is, you know, if you were to lose $10,000 that could potentially pay for 10 years of cyber education and testing of your employees uh just with one incident. Um It’s so cheap to provide these, this awareness training. The the cost in terms of time is 5 to 7 minutes a month. Uh and the costs are not that great. Um So I don’t get involved in the legal ramifications of those events.
Typically, I have not had to testify in a court of law. I do write them up and I explain what happened and how they happened and what to do not to prevent, you know, to prevent them from occurring. But I let the insurance companies and lawyers uh fight those battles. And um the, the first example that you gave, which is the new, new employee. Uh Did she do, are you aware whether she kept her job, whether she was a, you know, whether she was blamed? What was the fallout of that? I believe that uh if memory serves me correctly, she was not able to keep her position for the long term. Um We might have been six months in there were other things but I, I can’t claim uh direct knowledge of that. I I wasn’t involved in, in that piece of it. Um The reality is though with social media as it is hackers are monitoring all of our social media public feeds uh and they are monitoring to take advantage of changes in situations, right? New employees who aren’t familiar with hr or leadership and are asked to do things need to be on the lookout for those um vultures that are circling overhead as hackers waiting to uh swoop down and take advantage of some new employees lack of awareness or knowledge.
Well, you make a good point about the uh the social media side of this conversation. Um Are you aware of the types of I don’t know, scams for lack of a better term around, um, the hacking of social media accounts. Well, then the most simplest terms, right? If you go on vacation and you publish their pic pictures from a remote location on social media about how exciting and great it is to be, you know, in the Caribbean or in, uh, the south of France, your house may be targeted for a physical theft, right? Because this is information that everyone wants to know no one’s home for two weeks. Great. Now I can do that. The other thing is, is that they will, there’s something that is a little bit more sophisticated in terms of social engineering attack, the the bulk of email. So I read this yesterday one point 2% of every email online is a malicious email of some kind or another. It’s an attack. Most of them are generic hackers can send out millions of messages to millions of recipients hoping that they get 1/10 of 1%.
So one out of 10,000 or one out of 100,000 will respond and it’s lucrative enough and financially beneficial that they can make a living doing that. But those are very blase generic phishing attempts. What really catches most people is when they have what’s known as a spear fishing attempt against them. So I’ll give you, for example, let’s say there’s a high level executive at a company and he has a dog and he’s complaining on social media that he just paid thousands of dollars to the veterinarian to s to solve a problem with his dog. And then he gets an email that says, here’s your invoice for the veterinary bill. We, we heard you complaining about it and we’ve reduced it. And so you just have to pay half of that fee. Here. Click here to proceed. Pops up a message that says, provide your credentials to log into your email account, whatever and it seems so legitimate because it’s based on real events that just happened that only the veterinarian in the, in the executive’s mind, only the veterinarian and I know about that.
They don’t realize that the whole world is reading their social media feed and so they fall victim to it and it’s called a spear phishing attack. It takes advantage of trusting relationships between say and maybe even they used a domain that was similar to the veterinarian e email address domain. They’ll register a domain on the very quickly to send these uh request. Maybe it just says pay half the bill and the bill is paid. There’s nothing more than just taking half of the veterinarian bill. So instead of $5000 is 2500 but it’s been paid to a hacker not to the actual veterinarian. There are many different versions of that. Uh So yeah, social media is um a gold mine for hackers who want to tailor their fishing attacks, we call it spear fishing because they’re targeting very individuals, not g, you know, multiple individuals. I’ve heard of, um, hosts go out, uh, of like, you know, I, I need help type thing. Uh, I ple please send funds.
Uh, and then family members end up sending those funds. Um, uh, but I wanted to, it’s a slight change of pace, uh, because, um, I, I don’t know why I’m just intrigued to know whether or not you’re, you’ve been hacked yourself. Uh, well, the answer to that is not that I’m aware of the FBI is fond of saying this quote. There are two kinds of companies in this world, those that know they’ve been hacked and those that don’t know they’ve been hacked, right? I’ve probably been hacked in, in minor ways. There’s been no financial fraud that I’m aware of in the US. We have credit agencies and we, I, we can lock our credit reports in the US across all of the credit agencies. I have written about this in article on our blog and that prevents anyone including myself from taking credit out in my name because in the US, you cannot give credit to someone without a credit score attached to it because you don’t know the measurement of risk for this person to pay back the funds. So if you lock your credit, it’s better than, you know, thousands of services that are out there that say we’ll monitor your credit.
And so if you’re hacked, we’ll tell you which is far too late. It’s like saying, I don’t need fire alarms or fire sprinklers in my house because I got a fire station next door, they’ll put out any fire it starts. Well, that’s too late. I’ve already got a fire. Why not prevent the fire from starting. So that’s what we do. But personally, I will tell you an example of a time I was socially engineered and fished. This is embarrassing. But hey, if it can happen to me, it can happen to anyone, right? I return from vacation and you know, when you return from vacation, you have an inbox with 200 plus messages, maybe more than that. And you’re reading through it. And I happened upon an email from a friend of mine who I hadn’t heard from him from a while and it was a linkedin um recommendation for me. And I was like, wow, that’s great. How did he, why would he take the time to write a recommendation for me? And in my, you know, self aggrandizing way I thought, oh yeah, I deserve this. So let me go read it. So I clicked the link in the email.
It looked like a perfect linkedin email and I land on the linkedin login page and my password manager which sits in the background, monitoring the domains that I go to to put in the user name and the password to log me into linkedin, just sat there dumb as a post. It didn’t fill in the credentials. I no longer know my credentials. This was a saving grace because my password manager just randomly creates the passwords for me and sticks them in in their great big 20 character, jubbly, you know, very randomized strings of characters. I couldn’t tell you what my password was had. I known it. I might have fallen for typing it in manually because I would have blamed the password manager for not working. But I’m looking at it and I’m refreshing the page. I’m trying to figure out why it’s not logging in. And then I look at the domain name. I was on a server somewhere in Italy. It was the last domain was dot it, which is Italy. And I was like, oh, you gotta be kidding. I clicked on a phishing link, took me to a login at linkedin and I, I was only saved by my best practices of password manager hygiene, but, you know, I fell for it and, uh, if you’re not vigilant, I mean, you can fall for these things fairly quickly.
Well, um, you alluded to something earlier in your story about the unprotected gmail. Um I, uh they’ve introduced uh mandatory, I think, mandatory two step verification. So you log in, you have to get a text in order to log in. What do you think about the uh security of that? Because my uh cybersecurity excuse at the moment is that, um, because I have that, I don’t have to worry about, um, getting hacked because it has to go to a phone and I have to type the code in. Well, you might be right, but I don’t think that is actually the case. Um, two step verification or multi factor is good and it is appropriate. But in the latest, um, security recommendations, text based or S MS based multi factor has been deprecated. What that means is they would prefer you not use it. Most banks including some of my own banks still use it.
Is it good? It’s, it’s ok. Is it great? It is not because three or four different attacks can occur. The text messaging system is on a private network controlled by a lot of big uh communications companies, but it is not immune from hackers trolling about monitoring for these text messages going by. They’re not encrypted, it’s unencrypted data. Um You can have someone sitting in your neighborhood who has targeted you specifically uh and who has got a Wi Fi or a wireless scanner that can s slurp that data out that text message code out of the uh airwaves. Without your knowledge, they can call your um mobile carrier and convince the, you know, $12 an hour or maybe £6 an hour. Uh help desk person that you’ve got a new phone and you need to transfer this sim to my sim and then take over your phone number. So they get the text message, then you’re only as good as your password, which if you’re relying solely on text message, you might not be as careful with the unique passwords that you would be, ought to be using on every account.
So there are multiple ways to bypass S MS based text messaging. What’s the next level up is the authenticator app? You may have seen a QR code, you can scan it, puts it into an application like Google authenticator, Microsoft Authenticator, something else. And that has a random six digit code that rotates it never leaves your phone. So there’s nothing for someone out there to capture, to present and use that to get onto that multi factor or second factor. That’s still not the best method. The best is a hardware token. Um 25 years ago, I was using a little RS, a hardware device. It’s a secure ID token and it had a six digit code on the front of it. It wasn’t tied to a phone that maybe someone could hack into my phone to see the authentication message or the authenticator code or on my computer. If I had the indicator app on my computer, that could be a compromise device. A hardware token is awfully hard to compromise. I don’t know anyone that can take that duplicate it and then use it to bypass your multi factor. So the most secure second factor is that something you have, which is a hardware token.
So that’s the, that’s the best of the best. Well, thank you for that. So, uh, yeah, you, you’ve burst my bubble, but you’ve done me a favor at the same time. So I appreciate it. I don’t like walking around being wrong. So, uh, I appreciate your expertise. Um, I suppose the, the final question that I had in relation to, uh, protecting yourself is around, you’ve alluded to something already, which is uh people who use the same password on multiple services. So, um I think I know what your opinion is already or your uh expertise is, but at the same time, there are people undoubtedly that have that same password across the whole internet for everything. So, um if you were to speak directly to them, what would you say to them? I would say the following are known facts. 90 plus percent of breaches are tied back to human error that boils into two main flaws. Social engineering, which I’ve told you has remained constant over the last 25 years and password hygiene.
The only way to have strong password hygiene. And what I mean by that is every website, every service, every account you own has a unique long and strong password. And when I say long, I don’t mean 10 characters. Ok. In the not too distant past security researchers, including NIST, the US National Institute of Standards and Technology in 2003 said nine character complex passwords change them every 90 days. They’ve rescinded that because it caused everyone to cheat. They would write down their password, they would add a March April May, June extension to their password. When they had to change it each through every 90 days, they would put a prefix that’s predictable or a suffix on the password. It just caused everyone to cheat. Now, they recommend 12 or longer character passwords stored in a password manager that are randomly generated and inserted via that password manager, um, protected with multi factor authentication to unlock the password manager.
All password managers encrypt that data with military grade encryption standards. But as I said earlier, every software ever written has had bugs in it. You have to keep your password managers patched. You have to be aware of what listening to what’s going on in the industry. A password manager is a necessary evil in our opinions. As cybersecurity professionals. It’s not perfect, but it is far better than anything else anyone has been able to accomplish on their own. I have 400 different accounts in my password manager. I don’t know but two passwords, the master password to unlock my computer in the morning when I boot it up and the master password to unlock my password manager. Those are the two that I know they are pass phrases that are 20 plus characters long and from there I can go about my day, I’ve taught many, many people to use password managers from my Children to grandparents. And it is possible and they love it once they get good at it because it is secure.
It is efficient and it takes away. My, my mother had this notebook with scratches and chicken scratches and scribbled out pages and rec copied pages and it was, she couldn’t find this and that and the other thing. And, um, she’s now using a password manager to run her, um, online life. Do you have any concerns at all about, um, the password manager getting hacked or is it? Absolutely. Absolutely. Uh, we’ve blogged about this. In fact, there is one that, uh, one vendor I won’t mention that has had some issues and we’ve moved people away from that vendor. But there are things that most, um, application developers need to do in order to secure their application and primarily that is having a pen test and some vulnerability scans and some third party assessments of what you’ve built, right? If I build something or let’s say, I write an article, I think that article is the greatest thing since sliced bread. And it says exactly what I wanted to say. I’ll come back the next day and read it and say, what was I thinking? Software is the same way you can write software and find, you know, you think it does exactly what you thought it should do.
But there are bugs laden in it. So you have to have other people, other firms, other automated processes come in and audit what you do. Especially in the cybersecurity realm to validate that there aren’t bugs in it. You need to have a bug bounty program in your soft as a password manager to reward individuals who report to you bugs they found in your application. Those are mitigating controls to the risk of bugs in a password manager. But every other alternative to a password manager is worse. People will reuse passwords that have been breached and exposed online and they will come back, hackers will use those to exploit it in your life. So at the end of the day, it is a necessary evil to adopt and learn a password manager. It is important for you to learn social engineering, you know, that this occurs and it can occur in multiple facets over the phone, in text messaging in email, most primarily to enable multi factor authentication on all of your critical accounts.
Banking, email, those kinds of things. Those are measures that we all take to protect ourselves and, and by and large. That’s a pretty good mitigation of the risk. Does that help? It’s a great answer. And, um, I really appreciate the value today because uh I think uh if people are, if people listen, then they’re, you know, they’re so much further ahead than they otherwise would be. So I appreciate it a lot. Uh, is there anything that I should have asked you today? Um No, but I will, I think you did a great job of, of covering the, the foundational topics. What I would also tell you though. Thomas is my company, Cyber Hoot is free for cyber literacy training for individuals. So if you’re listening to this and say, you know, I really should bone up on my own. Cyber literacy. Go to Cyber hoot.com. I think it’s slash individuals and you can register and take six videos that we talk about. The things we’re talking about today in very basic terms with a little quiz at the and we give you an interactive fishing exercise that teaches you how to spot and avoid fishing activities and this is 100% free.
It’s cybersecurity Awareness Month in the United States. I I think it may be in England as well. I know it is in, in Australia and um any company that signs up gets 60 days free. Uh Right now in our platform to educate and create cyber literacy and their employees. Normally it’s 30 days, we’re doubling it for the awareness month. But uh the time to start your cyber literacy journey is now you don’t want to be reacting to an incident and then decide it’s time to do this because you’ve already lost potentially thousands of dollars in downtime and reputation and all kinds of bad things that can occur. Um Be proactive about this and learn your cyber literacy, teach your employees cyber literacy because no one else is gonna do it. You have to do it for yourself and just a reminder of where people should go. Uh If they wanna connect with you Cyber hoot.com and uh you know, I’m on linkedin and I’m on uh different social media platforms, but you can email me um sales at Cyber hoot.com and we will get back to you or uh that, yeah, those are two methods support uh at Cyber hoot.com sales at Cyber hoot.com.
Great. Thank you for that. And uh thank you for being a great guest today. My pleasure, Thomas. Thank you for your time. Great questions. I hope we’ve uh educated a few of your listeners. That would be great.