“But the red team fascinated me. It was just simple stuff like putting up message boxes on our systems that said, “I like turtles” and using remote administration tools like Nuclear RAT or Poison Ivy, but not knowing anything about hacking I thought it was the coolest thing in the world. Like a future virtuoso hearing the sound of the cello for the first time, I realized that all I wanted to do was be able to do that.” Introduction At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe.  However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.  Today, Logmeonce had the opportunity to chat with Georgia Weidman, founder and CEO of Bulb Security. She is also a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. We have an exciting interview planned for you today, so without further ado, let’s jump in!   The Interview Hello and thank you for taking the time to chat with our blog audience today about your experience in the cybersecurity space. Can you begin by telling us a little bit more about your early days within the cybersecurity space? What was it about this niche that grabbed your attention and never let go?  I studied Math as an undergrad. I wanted to just be in a lab doing math problems all day, but quickly realized in graduate school that those kinds of positions were hard to come by. So, I switched to computer science in graduate school since it seemed like I could at least get a job in that. In graduate school, we competed in the Mid-Atlantic Collegiate Cyber Defense Competition. Don’t get me wrong, being on a student team getting pulverized by the professional attackers on the red team, yelled at by the mock CEO for services being down due to said red team, and having to figure out things like how to set up Active Directory on the fly made me want to vomit from the stress. But the red team fascinated me. It was just simple stuff like putting up message boxes on our systems that said, “I like turtles” and using remote administration tools like Nuclear RAT or Poison Ivy, but not knowing anything about hacking I thought it was the coolest thing in the world. Like a future virtuoso hearing the sound of the cello for the first time, I realized that all I wanted to do was be able to do that. It didn’t hurt that as a security researcher I could totally sit in a lab all day doing math-like problems. Your work in the realm of smartphone exploitation has been featured internationally in different media channels. You were also awarded a grant to continue your work within the field of mobile device security. What is it about mobile device security that you find so fascinating? Why is this an area of specific interest to you? There wasn’t any particular plan behind it. I did my first research project and presented at Shmoocon on SMS based botnets, before it became in vogue for attackers to do just that. Then the DARPA Cyber Fast Track program started and I was encouraged to apply. I needed some major research project and it occurred to me that mobile was just as vulnerable as anything else to phishing attacks, local privilege escalation attacks, and even remote code execution and client sides as any other platform. Yet it wasn’t, and still isn’t other than my products, being served by the security testing market. So, I proposed creating a tool for doing penetration testing for mobility and was accepted by DARPA. The rest, as they say, is history. So mobile became my niche. I often consider doing a research project on something completely different just to keep people guessing.  All of your hard work has paid off and resulted in you being able to release an open source project into the world called “Smartphone Pentest Framework” or SPF. Can you tell us a little bit more about what SPF is and how it contributes to the world of mobile security? Why did you decide to make it open source?  Well SPF was the result of my DARPA grant. The idea was to comprehensively be able to simulate the same attacks attackers use against mobile — from phishing to client sides to simulated malware and post exploitation. SPF has now been folded into Shevirah’s Dagah product line for enterprise security testing and monitoring. It’s not open source any more since my investors didn’t want it to be, but there is still a free edition with all of the features of SPF and more.  The free edition is aimed at students and security researchers wanting to test their personal device or do mobile security research as opposed to penetration testing a client or doing continuous monitoring of an enterprise with the professional and enterprise editions respectively. On the topic of mobile security, what three pieces of actionable advice would you give to smartphone users who have little understanding of complex security issues at play, but want to keep themselves protected the best they can? Take mobile phishing seriously. So many security awareness programs focus solely on email. People are learning not to click on suspicious links in emails, but you can be phished any way a link can be served to you. Mobile services

“The (educational) information delivered to end users needs to be simple and easy to follow without complex language, jargon or acronyms.” Introduction At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe.  However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.  Today, Logmeonce had the opportunity to chat with Lisa Ventura,  an award-winning Cyber Security consultant and is the CEO and Founder of the UK Cyber Security Association (UKCSA), a membership association that is dedicated to individuals and companies who actively work in cyber security in the UK. She has over 10 years’ experience in the cyber security industry and is passionate about raising awareness of being more cyber aware in business to help prevent cyber-attacks and cyber fraud. We have an exciting interview planned for you today, so without further ado, let’s jump in!   The Interview Hi Lisa and thank you for taking the time to speak with our blog readers today about your experience in the cyber security space. You’ve been involved in cyber security since 2009. Can you kick off the interview by telling us a little bit more about how you got into the cyber security space? What was it about the industry that pulled you in and never let you go? In 2009 my ex-husband founded a cyber security software development company called Titania Ltd from our home office. I joined to help him develop it and at the time it was just the two of us from home (although he was still working full-time employed as an ethical hacker when he founded the company). We soon moved into offices and employed our first members of staff, and the company grew quickly. I loved all aspects of cyber security, especially the psychology of hacking, the mind of a hacker and of raising awareness of the importance of cyber security, especially within businesses of all sizes. When my ex-husband and I separated and divorced in 2012 I knew I wanted to stay in the industry. After a short contract at a locally based charity to get me back on my feet again I joined BT and worked on their Assure Cyber product. After that I undertook a wide variety of cyber security contracting work and founded the UK Cyber Security Association. Can you tell us a little bit more about what a typical day looks like for you as a cyber security specialist? I’m sure it always changes, but for those thinking about getting into this field, who might want to learn more about what a typical day looks like, how would you describe that to them? I am currently undertaking some work for Pinsent Mason’s solicitors as a cyber security awareness consultant, as well as running the UK Cyber Security Association. No two days are the same, but some of the tasks that I would undertake in a day includes working on crunching data following phishing email simulation exercises, putting together powerpoint decks on things such as ransomware, phishing, identity badge security for the senior partners at Pinsent Masons, updating the UK Cyber Security Website with the latest data breaches and threat reports and updating the UK Cyber Security Association’s social media channels with any cyber security breaking news that would be of interest to our audience. In addition, I will work on sending email bulletins out to our members, organising events, webinars and liaising with our event partners. You’re a leader when it comes to inspiring other women to get involved in the cybersecurity space. You even wrote a book on the topic. On your website you mention “few women pursue careers in cybersecurity, but those who do are shattering the glass ceiling and contributing to the safety and security of the internet, the CNI and our day to day lives.” Why do you think it is that few women pursue careers in cyber security? I think that women today might be interested in cyber security as a career path but might be put off entering it as it is still a male dominated profession. They may also think they lack the relevant skills and qualifications to enter the industry, but transferable experience also counts for a lot. Unfortunately, I have been subjected to bullying in the industry, and interestingly I’ve been bullied by other women in the industry, not by men. This can be soul destroying but I am determined to not let it affect me and to continue to work towards my goals. I have also observed that many trade shows and exhibitions are aimed mainly at men and aren’t very welcoming to women. For example, I attended Infosec last June for the first time in a few years. When I was walking past the exhibitor booths on the second day, I noticed that some of them were handing out bottles of beer – at 10.00am in the morning! What’s more, those serving the beer bottles were only giving them to men who were walking past the stands in question and the staff on the stands were deliberately pulling the men in to talk to them, but not women. I called this #BeerBias. Much more needs to be done to change the perception of cyber security being a male dominated profession. You have a focus on data/analytics, software, artificial intelligence and machine learning as they relate to cyber security. How are these technologies (for example AI) impacting the password security landscape? I think these technologies are making an impact but there is still a long way to go before they completely replace traditional password methods. For example,

“If our phone numbers or social security numbers were just a few digits longer, most of us would have trouble remembering them so they were designed with this in mind.” Introduction At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe.  However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.  Today, Logmeonce had the opportunity to chat with Scott Schober, the author of Hacked Again and President and CEO of Berkeley Varitronics Systems (BVS), a 48 year-old New Jersey-based privately held company and leading provider of advanced, world-class wireless test and security solutions. Scott is a highly sought after author and expert for live security events, media appearances and commentary on the topics of ransomware, wireless threats, drone surveillance and hacking, cybersecurity for consumers and small business. We have an exciting interview planned for you today, so without further ado, let’s jump in!   The Interview First of all, thank you for taking the time to chat with our cybersecurity blog readers today Scott. We really appreciate it. Let’s kick off the interview by having you tell us a little bit more about what inspired you to get involved in the cybersecurity space? What was it about this niche that pulled in you and never let you go? Berkeley Varitronics Systems (BVS) is a 48 year old family business that was founded by my father, Gary Schober. We developed the first wireless test tools used to build out early cellular networks back in the mid 80s and have stayed in the wireless network space ever since. Since then, wireless cell phones have become an integral part of our modern lives. Over the past decade, modern smart phones have gained even more cameras, microphones, video and communications features all accomplished through a variety of wireless standards including 3G and 4G LTE, bluetooth and bluetooth low energy, Wi-Fi, and NFC. Just recently we’ve seen a major push towards 5G and ultra wideband technologies too. My company has developed over 200 unique wireless test and security tools so we’ve had a hand in all of these standards over the years. Since hackers and cyber criminals primarily set their sights on the weakest, easiest targets, wireless has become the natural intersection where BVS faces off with criminals. The more time I have spent this past decade educating and presenting on security, the more I have become a target of cyber criminals. My company and myself have received multiple attacks to my credit card, debit card and online accounts. My company’s online store was hit with repeated DDoS (Distributed Denial of Service) attacks. Cyber criminals stole approximately $65,000 out of our company checking account. We got all of our money back but ordeal taught me a valuable lesson. No one is 100% safe from a determined hacker, but we can all take some basic steps to keep us safe. This led me to publish my first book ‘Hacked Again’ which essentially told my story in the hopes that others could avoid the mistakes and anguish I went through. Let’s talk about your book Hacked Again. In the book you talk about many things, including but not limited to the importance of strong passwords, wireless threats, malware, ransomware and SPAM. However, in the book you also talk about about the dark web where people buy and sell login credentials. Can you tell us a little bit more about the dangers of this login credential marketplace? Where are hackers getting these login credentials to sell in the first place? How big of a market is the black market for login credentials? The dark web is the Internet’s underbelly. The average user is never on the dark web so it can be a bit intimidating. In reality, it is a much smaller part of the larger surface web we use everyday, but the dark web allows cyber criminals to buy and sell illicit products on a multi-billion dollar marketplace with a high degree of anonymity. After being victimized by cyber criminals, I learned all about markets for stolen personal information that exist all over the dark web. Taken alone, our email address or the last four digits of our social security number might not be that valuable, but when pieced together, they become a jigsaw puzzle that resembles our digital identity. Since criminals operate and communicate freely across the dark web, they often trade, buy and sell these pieces of data to each other. I have been working closely with an exciting company called Cyberlitica that provides dark web scans and alerts for users so I’ve seen the direct consequences of dark web transactions. Last year, I thought it was time to offer an all inclusive Cyber Security Survival Kit which provides cybersecurity education and alerts to its subscribers. It’s an easy way for consumers, business owners and even enterprise to simply run their daily business and stay ahead of cybercriminals without devoting too much time and resources to security. From a buyers perspective how valuable can these credentials be? What are the most common systems they are looking to access?  Due to their anonymity in the dark web, cybercriminals can wait for the highest bidder without fear of being tracked or busted by authorities. Dark web users require Tor software which is open sourced and free and enables anonymous communication whether you are a good guy or a cybercriminal. Tor was initially developed by the U.S. Navy Research Laboratory in order to protect U.S. intelligence communications so it is global network that conceals every user’s location making surveillance extremely difficult. All traffic is