State of Cybercrime

Security Expert and "Hacked Again" Author Scott Schober" (Part 2)

Episode Summary

Scott Schober wears many hats. He's an inventor, software engineer, and runs his own wireless security company. He's also written "Hacked Again", which tells about his long running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. In the second part of our interview, Scott talks about the benefits of "layered security" and offers additional consumer security and privacy tips.

Episode Notes

Scott Schober wears many hats. He's an inventor, software engineer, and runs his own wireless security company. He's also written Hacked Again, which tells about his long running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN.

We continue our discussion with Scott. In this segment, he talks about the importance of layers of security to reduce the risks of an attack. Scott also points out that we should be careful about revealing personal information online. It's a lesson he learned directly from legendary hacker Kevin Mitnick!

Transcript

Andy Green: So speaking of the attack that the Mirai...I'm not sure if I'm pronouncing that right...attack from last week, I was wondering if, can cell phones be hacked in a similar way to launch DDoS attacks? Or that hasn't happened yet? I was just wondering if...with your knowledge of the cellphone industry?

Scott Schober: Absolutely. I mean, to your point, can cell phones be attacked? Absolutely. That's actually where most of the hackers are starting to migrate their attacks toward a cell phone. And why is that, especially they're aiming at Android environment. Excuse me. It's open-source. Applications are not vetted as well. Everybody is prone to hacking and vulnerable. There are more Android users. You've got open-source, which is ideal for creating all kinds of malicious viruses, ransomware, DDoS, whatever you want to create and launch. So that's their preferred method, the easiest path to get it in there, but Apple certainly is not prone to that.

The other thing is that mobile phone users are not updating the security patches as often as they should. And that becomes problematic. It's not everybody, but a good portion of people are just complacent. And therefore hackers know that eventually, everybody's old Windows PC will be either abandoned or upgraded with more current stuff. So they'll target the guys that are still using old Windows XP machines where there's no security updates and they're extremely vulnerable, until that dries up. Then they're gonna start migrating over to mobile devices...tablets, mobile phones...and really heavily increase the hacks there. And then keep in mind why. Where are you banking? Traditionally everybody banked at a physical bank or from their computer. Now everybody's starting to do mobile banking from their device...their phone. So where are they gonna go if they want to compromise your credit card or your banking account? It's your mobile device. Perfect target.

Andy Green: Yeah. I think I was reading on your blog that, I think, your first preference is to pay cash as a consumer.

Scott Schober: Yes. Yes. Yep.

Andy Green: And then I think you mentioned using your iPhone next. Is that, did I get that right?

Scott Schober: Yeah, you could certainly..."Cash is king," I always say. And minimize. I do...I probably shouldn't say it...but I do have one credit card that I do use and monitor very carefully, that I try to use only at secure spots where I know. In other words, I don't go to any gas station to get gas and I don't use it for general things, eating out. As much as I can use cash, I will, to minimize my digital footprint and putting my credit out there too much. And I also watch closely, if I do hand somebody my credit card, I write on the back of it, "Must check ID." And people sometimes...not always...but they'll say, "Can I see your ID?" Hand them my license. "Thank you very much." Little things like that go a long way in preventing somebody, especially if you're handing your credit card to somebody that's about to swipe it through a little square and steal your card info. When they see that, they realize, "Oh, gosh, this guy must monitor his statement quickly. He's asking for ID. I'm not gonna try to take his card number here." So those little tips go a long, long way.

Andy Green: Interesting. Okay. So in the second half of the "Hacked Again" book, you give a lot of advice on, sort of, security measures that companies can take and it's a lot of tips that, you know, we recommend at Varonis. And that includes strong passwords. I think you mentioned strong authentication. Pen testing may have come up in the book as well. So have you implemented this at your company, some of these ideas?

Scott Schober: Yes, absolutely. And again, I think in the book I describe it as "layers of security," and I often relate that to something that we physically can all relate to, and that's our house. We don't have, typically, a single lock on our front door. We've got a deadbolt. We've got a camera. We've got alarm stickers, the whole gamut. The more we have our defenses up, the more likely that a physical thief will go next door or down the block to rob us. The same is true in cyber-security. Layered security, so not just when we have our login credentials. It's our user name and a password. It's a long and strong password, which most people are starting to get, although they're not all implementing. We never reuse the same password or parts of a password on multiple sites because password reuse is a huge problem still. More than half the people still reuse their password, even though they hear how bad it is because we're all lazy. And having that additional layer, multi-factor authentication or two-factor authentication. That additional layer of security, be it when you're logging into your Gmail account or whatever and have a text go your phone with a one-time code that will disappear. That's very valuable.

Messaging apps, since we deal a lot with the surveillance community and understanding how easy it is to look at content. For anything that is very secure, I will look at messaging apps. And what I look for in there is something like...The one I've been playing with and I have actually on my phone is Squealock. There, you do not have to provide your actual mobile phone number. Instead, you create a unique ID and you tell other people that you wanna text to and talk to, "Here's my ID." So nobody ever actually has your mobile phone number because once you give out your mobile phone number, you give away pieces of information about you. So I really strongly encourage people, think before they put too much information out. Before you give your phone number away. Before you give your Social Security number away if you're going to a doctor's office. Are you required to do that? The answer is no, you're not required to, and they cannot deny you treatment if you don't give them a Social Security number.

Andy Green: Interesting. Yeah.

Scott Schober: But yet everybody gives it.

Scott Schober: So think very carefully before you give away these little tidbits that add up to something very quickly, because that could be catastrophic. I was at an event speaking two weeks ago down in Virginia, Norfolk, cyber-security convention, and one of the keynotes, they invited me up and asked if I'd be willing to see how easy it is to perform identity theft and compromise information on myself. I was a little reluctant, but I said, "Okay, everything else is out there," and I know how easy it is to get somebody's stuff, so I was the guinea pig, and it was, Kevin Mitnick performed. This is the world's most famous hacker, so it made it very interesting.

Andy Green: Yes.

Scott Schober: And within 30 seconds and at the cost of $1, he pulled up my Social Security number.

Andy Green: Right. It's astonishing.

Scott Schober: Scary. Scary. Scary.

Andy Green: Yep, very scary. Yeah...

Scott Schober: And any hacker can do that. That's the part that is kinda depressing, I think. So even though you could be so careful, if somebody really wants anything bad enough, there is a way to do it. So you wanna just put up your best defenses to minimize and hopefully they move on to the next person.

Andy Green: Right. Yeah, I mean, we've seen hackers, or on the blog, we've written about how hackers are quite good at sort of doing initial hacks to get sort of basic information and then sort of build on that. They end up building really strong profiles. And we see some of this in the phishing attacks, where they seem to know a lot about you, and they make these phish mails quite clickable because it seems so personalized.

Scott Schober: It can be very convincing. Yes.

Andy Green: Very convincing. So there's a lot out there already on people. I was wondering, do you have any advice...? We're sort of pro-pen testing at Varonis. We just think it's very useful in terms of assessing real-world risks. Is that something...can you recommend that for small, medium businesses, or is that something that may be outside their comfort zone?

Scott Schober: No, I do have to say, on a case-by-case basis, I always ask business owners to do this first. I say, "Before you jump out and get vulnerability assessment or pen testing, both of which I do normally recommend, analyze what value you have within your walls of your company." Again, like you mentioned earlier, good point, are you storing customer information? Credit card information? Account numbers? Okay, then you have something very valuable, not necessarily just to your business, but to your customers. You need to make sure you protect that properly. So how do you protect that properly, is by knowing where your vulnerabilities are for a bad guy to get in. That is very, very important. What pen tests and vulnerability assessments reveal are things that your traditional IT staff will not know. Or in a very small business, they won't even think of these things. They don't think about maybe updating, you know, your security patches on WordPress for your website or, you know, other basic things. Having the world's most long and strong password for your wireless access point. "Well, it's only my employees use it." That's what they think. But guess what? A hacker pulls into your lot after hours and they're gonna try some automated software that's gonna try to socially pull off the internet everything and anything about you and your company in case part of that is part of your password. And guess what? They have a high success ratio with some of these automatic programs to guess passwords. That is very scary to me. Or they may use social engineering techniques to try to get some of that information out of a disgruntled employee or an innocent secretary or whatever...we've all heard these extreme stories...to get into your computer networks and place malware on there. So that's how you really find out. You get an honest appraisal of how secure your company is. Yeah, we did it here. I was honestly surprised when I thought, "Wow, we've got everything covered." And then I was like, "What? We never would have thought of that." So there are some gotchas that are revealed afterward. And you know what, if it's embarrassing, who cares? Fix it and secure it and that'll protect your company and your assets.

And again, you gotta think about IP. Some companies...our industry, we've got a lot of intellectual property here, that over 44 years as a company, that's our secret sauce. We don't want that ending up in other international markets where it could be used in a competitive area. So how do you protect that, is making sure your company is very, very secure. Not just physical security, because that is extremely important. That goes hand in hand. But even keeping your computer network secure. And from the top down, every employee in the organization realizes they're not part of the security problem. They're part of the security solution and they have a vested interest just to make sure that...yeah.

Andy Green: Yeah, no, absolutely. We're on the same page there. So do you have any other final advice for either consumers or businesses on security or credit cards or...?

Scott Schober: Again, I always like to make sure I resonate with people, people have the power to control their own life and still function and still have a relative level of security. They don't have to live in fear and be overly paranoid. Am I paranoid? Yes, because maybe an exceptional number of things keep happening to me and I keep seeing that I'm targeted. I had another email the other day from Anonymous and different threats and crazy things that keep unfolding. That makes you wonder and get scared. But do the things that are in your control. Don't put your head in the sand and get complacent, as most people tend to do. People say, "Well, just about everybody's been compromised. Why bother? It's a matter of time." Well, if you take that attitude, then you will be the next victim. But if you can make it really difficult for those cyber-hackers, at least with a clean conscience, you said, "I made them work at it," and hopefully they'll move on to the next target. And that's what my goal is, to really encourage people, don't give up. Keep trying, and even if it takes a little bit more time, take that time. It's well, well worth it. It's a good investment to protect yourself in the long run.

Andy Green: No, I absolutely agree. Things like two-factor authentication on, let's say, Gmail or some of your other accounts and longer passwords. Just make it a little bit harder so they'll then move on to the next one. Absolutely agree with you.

Scott Schober: Yeah, yeah. That's very true. Very true.

Andy Green: Okay. Thank you so much for your time.

Scott Schober: Oh, no, any time, any time. Thank you for the time. Really appreciate it and stay safe.