“If our phone numbers or social security numbers were just a few digits longer, most of us would have trouble remembering them so they were designed with this in mind.”
Introduction
At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe.
However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.
Today, Logmeonce had the opportunity to chat with Scott Schober, the author of Hacked Again and President and CEO of Berkeley Varitronics Systems (BVS), a 48 year-old New Jersey-based privately held company and leading provider of advanced, world-class wireless test and security solutions. Scott is a highly sought after author and expert for live security events, media appearances and commentary on the topics of ransomware, wireless threats, drone surveillance and hacking, cybersecurity for consumers and small business.
We have an exciting interview planned for you today, so without further ado, let’s jump in!
The Interview
First of all, thank you for taking the time to chat with our cybersecurity blog readers today Scott. We really appreciate it. Let’s kick off the interview by having you tell us a little bit more about what inspired you to get involved in the cybersecurity space? What was it about this niche that pulled in you and never let you go?
Berkeley Varitronics Systems (BVS) is a 48 year old family business that was founded by my father, Gary Schober. We developed the first wireless test tools used to build out early cellular networks back in the mid 80s and have stayed in the wireless network space ever since. Since then, wireless cell phones have become an integral part of our modern lives. Over the past decade, modern smart phones have gained even more cameras, microphones, video and communications features all accomplished through a variety of wireless standards including 3G and 4G LTE, bluetooth and bluetooth low energy, Wi-Fi, and NFC. Just recently we’ve seen a major push towards 5G and ultra wideband technologies too. My company has developed over 200 unique wireless test and security tools so we’ve had a hand in all of these standards over the years. Since hackers and cyber criminals primarily set their sights on the weakest, easiest targets, wireless has become the natural intersection where BVS faces off with criminals.
The more time I have spent this past decade educating and presenting on security, the more I have become a target of cyber criminals. My company and myself have received multiple attacks to my credit card, debit card and online accounts. My company’s online store was hit with repeated DDoS (Distributed Denial of Service) attacks. Cyber criminals stole approximately $65,000 out of our company checking account. We got all of our money back but ordeal taught me a valuable lesson. No one is 100% safe from a determined hacker, but we can all take some basic steps to keep us safe. This led me to publish my first book ‘Hacked Again’ which essentially told my story in the hopes that others could avoid the mistakes and anguish I went through.
Let’s talk about your book Hacked Again. In the book you talk about many things, including but not limited to the importance of strong passwords, wireless threats, malware, ransomware and SPAM. However, in the book you also talk about about the dark web where people buy and sell login credentials. Can you tell us a little bit more about the dangers of this login credential marketplace? Where are hackers getting these login credentials to sell in the first place? How big of a market is the black market for login credentials?
The dark web is the Internet’s underbelly. The average user is never on the dark web so it can be a bit intimidating. In reality, it is a much smaller part of the larger surface web we use everyday, but the dark web allows cyber criminals to buy and sell illicit products on a multi-billion dollar marketplace with a high degree of anonymity.
After being victimized by cyber criminals, I learned all about markets for stolen personal information that exist all over the dark web. Taken alone, our email address or the last four digits of our social security number might not be that valuable, but when pieced together, they become a jigsaw puzzle that resembles our digital identity. Since criminals operate and communicate freely across the dark web, they often trade, buy and sell these pieces of data to each other. I have been working closely with an exciting company called Cyberlitica that provides dark web scans and alerts for users so I’ve seen the direct consequences of dark web transactions. Last year, I thought it was time to offer an all inclusive Cyber Security Survival Kit which provides cybersecurity education and alerts to its subscribers. It’s an easy way for consumers, business owners and even enterprise to simply run their daily business and stay ahead of cybercriminals without devoting too much time and resources to security.
From a buyers perspective how valuable can these credentials be? What are the most common systems they are looking to access?
Due to their anonymity in the dark web, cybercriminals can wait for the highest bidder without fear of being tracked or busted by authorities. Dark web users require Tor software which is open sourced and free and enables anonymous communication whether you are a good guy or a cybercriminal. Tor was initially developed by the U.S. Navy Research Laboratory in order to protect U.S. intelligence communications so it is global network that conceals every user’s location making surveillance extremely difficult. All traffic is encrypted as well as the payment methods used by cyber criminals including Bitcoin which is a digital currency with no centralized authority or bank. Cybercriminals can charge a premium for stolen credentials such as emails, phone numbers, passwords, social security numbers, credit cards, and any other pieces of the puzzle. Some sell this data for a quick score while others hold onto it and even horde it in the hopes that they will be able to combine their compromised data with stolen data from other sources in an effort to make a much bigger score.
You had an audio podcast recently dedicated to the topic of passwords. In that podcast you say that the fact that “humans are creatures of habit” and doesn’t mesh well with our current password needs. What do you mean by this?
Humans are not too good at remembering long strings of random numbers and letters more than about 9 characters in length. If our phone numbers or social security numbers were just a few digits more, most of us would have trouble remembering them so they were designed with this in mind. Unfortunately, that average password that people use is even shorter than this making it easy to remember but also easy to hack. Cybercriminals have automated tools at their disposal allowing millions of combinations of words and numbers to be tried when hacking a password. This brute force method might seem archaic but is actually effective and with computing power increasing exponentially every year, a random 8 character password can be guessed in seconds whereas a randomized 15 character password can take months or years.
If passwords are compromised due to reuse, the hacker will then begin going down the logical path of checking which systems the password is reused on. In the same podcast on your site, you mention that something like 80% of people use the same password on multiple channels, making the danger of a hack even more dangerous. Generally speaking, from the hackers perspective, if they get access to a less valuable access point (for example your social media account), what will their next 3 most common steps be as they climb the ladder of system value?
When hackers get a password from your social media account such as Twitter, they are banking on the fact that you are part of the larger statistic and reuse that same password across multiple platforms. Hacking software will automatically go out to the top 1,000 web sites for banks, social media, stock portfolios, etc. and determine which sites you reused the same login credentials. Hackers really start at the top of the ladder (financial accounts) because once users become aware that someone has logged into their account, the clock starts ticking on just how long a hacker can freely access other accounts by that user using the same password before they are shut down, the password is changed or the login requires another factor to authenticate the user’s true identity.
In the majority of consumer password breaches, what are hackers main targets? Generally speaking, what are they after? What would make the hack “worth it” to them?
Consumer password breaches mostly focus on compromised credit cards. Compromised credit cards are typically sold in packages containing 10,000 cards. Like a free taste of illegal drugs before the deal goes down, hackers provide a few “fresh” compromised credit cards for thieves to test. These cards have not been used by any thieves yet so the real owners and issuing banks would have no reason to suspect they have been compromised. Since there are so many cards to be stolen, bought and sold on the dark web, the cost of each stolen credit card has dropped to only a few dollars a piece. We are also seeing hackers shift their criminal activity to ransomware which pays more than a one-off sale and can even lead to valuable re-occuring revenue for the hacker when victims play into their hands. Healthcare identity theft is also growing in popularity. Doctors and hospitals have made incredible medical advances but healthcare payment and data systems are still stuck in the 20th century and hackers are all too eager to exploit this weakness.
In your experience, what’s the most common initial entry point for consumer hackers? Why do you think this is?
I work with white hat hackers (hackers hired by a corporation to break into their own computer networks to expose vulnerabilities and shore them up) and they typically start by trying to penetrate the Wi-Fi network within an organization. This due to the fact that many Wi-Fi network passwords are weak or just set to default and also that most people do not realize that Wi-Fi networks can be used maneuver laterally throughout the entire company’s network full of internal IP, customer data and even financial account data.
What three cybersecurity changes do you see on the horizon that scare you most?
1) State sponsored cyber attacks target critical infrastructure using legacy software lacking adequate security protections. I am referring to infrastructure such as an electric grid or water treatment which are things that we take for granted but depend upon every day for basic survival. When such necessities are held hostage or cease to function for entire nations, we will enter WW3 fought in cyberspace but felt in the real world.
2) Artificial Intelligence (AI) is being touted as the next technology paradigm shift but not enough people are talking about AI uses as a weapon. Just as we can use AI to defend ourselves and our cybersecurity, others can use AI to attack our defenses. We need to be training AI models now to anticipate and withstand cyber attacks on a variety of fronts.
3) Smart homes, smart cars and smart cities all sound exciting but all are connected back to the Internet. As billions of Internet of Things (IoT) devices are connected to our lives, the attack surface for hackers grows exponentially. Many IoT devices we welcome into our lives are low cost and do not have basic cybersecurity protections baked in with no means to be updated when vulnerabilities are exposed.
What cybersecurity change do you see on the horizon that excites you most?
As much as I am worried about AI’s misuse and abuse, I am also optimistic about it becoming an integral part of many security solutions. There are currently not enough humans on the planet to look for every potential cyber breach and vulnerability, but when AI is properly trained and deployed throughout a network, it can do the job it takes a million humans a year to accomplish in only seconds. Of course like any technology, the value it offers must be weighed against the sacrifice we are willing to make in terms of our humanity and privacy.Thank you greatly for taking the time to chat with Logmeonce’s cybersecurity blog readers today Scott. We truly appreciate it. To our blog readers, if you’d like to learn more about Scott and the work he does you can follow him on Twitter or head over to his website here.