Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:06):
Welcome to Virginia Focus. I'm Rebecca Hughes of the Virginia
News Network. A new study shows one in ten college
students have electronic devices that are infected with malware, and
nearly eight in ten are still reusing already breached passwords.
The report used recaptured breach and malware data from the
past twelve months for faculty, staff and students from the
(00:28):
top fifty US institutions of higher education, and the report
was filed and released by SpyCloud. On this episode, we're
talking to Chief Product Officer Damon Flury to learn more.
Speaker 2 (00:40):
Welcome to the show, Mr. Flury. I'm so glad to
have you on. I can't wait to hear more about
today's topic.
Speaker 3 (00:46):
Thanks, glad to be here.
Speaker 2 (00:48):
So today we're talking about cybersecurity, and of course that
is on everybody's mind, I think, and there's a new
report out. Why don't we start by you just telling
us what prompted this report to be created and a
little bit about it.
Speaker 3 (01:04):
Sure. Absolutely. So we're here at SpyCloud.
Speaker 4 (01:07):
We focus on understanding what criminals are doing and how
they're sharing information with each other through what we call
the criminal underground. And we track that information. We collect
that information, and we give our customers ways to make
sure it cannot be used against them. This new report
is focused on specifically universities and the top fifty universities
(01:28):
and how all the data that criminals have stolen from
other companies through third party breaches we call it, or
through affected computers through malware, how all that collected data
that's been stolen can be used specifically to do damage
to the university or to students that might be a
(01:50):
part of those universities.
Speaker 2 (01:53):
Okay, and why do you think that they are one
of the biggest targets.
Speaker 4 (01:59):
Well, I don't know that I would say they are
the biggest target, but they're one of the biggest because
they have such a massive collection of students that are
susceptible to having their information stolen.
Speaker 3 (02:13):
And they're from an Internet perspective, they're kind of.
Speaker 4 (02:16):
Like the wild West, and that they you know, it's
almost like having your own Internet within a university. So
it's easy for criminals to gain access to their systems
or to their data, and then to gain access to
the universities themselves.
Speaker 3 (02:30):
And the university is like a city.
Speaker 4 (02:32):
They have everything that an attacker might want from
financial resources to intellectual property that could be stolen and
resold to systems they could ransom that they could then
extort money from.
Speaker 3 (02:45):
And so they are a massive target because
Speaker 4 (02:48):
Of the scale of what they are and also because
they have such a huge population of users that can
often be compromised.
Speaker 2 (02:58):
Okay, well that's really interesting. So did anything in particular
stand out as particularly of note.
Speaker 4 (03:08):
Yeah, So in the report we talked a little bit
about how, you know, we just we just looked at
the last twelve months of all the data we found
members of the darknet, the cyber criminals, sharing about
those top fifty universities, and we saw six million different
sets of credentials that were being traded online and five
(03:28):
point eight million of those passwords were in plain text.
And so those are things that you could log directly
into those students or faculty members accounts with those user
names and passwords. We also saw that students in general
had a lot of malware on their computers and that
the bad guys had access to the data on those computers.
(03:49):
About one out of every ten students had malware
on their computer. Those are very susceptible systems and the
data on those systems has all been stolen, and it's
being traded on the darknet.
Speaker 3 (04:03):
All of those things create problems for the university and
managing the security of their systems.
Speaker 2 (04:09):
Yikes, that sounds terrifying.
Speaker 3 (04:12):
Yeah it is.
Speaker 2 (04:13):
Do you think part of that maybe because we're dealing
with brand new adults? And I say that only because
I have three children of my own and you know,
I had to constantly have conversations with them about, you know,
online activity. You don't want to do this because while
you think it's harmless and this, there's also this other
(04:34):
component that you haven't given any thought to. Do you
think that plays a role in it?
Speaker 3 (04:39):
One hundred percent? Of course it does. And you know,
I think we.
Speaker 4 (04:42):
Have new adults, but they're also using systems that they
bring on their own, and even if the university wanted
to force them to have security software, it can't in
most cases. And so, you know, there's so many things
that we do within when we work within a company
that the company steps to protect us from the things
that criminals might do to our computers, and students just
(05:05):
don't have most of that, So they're left to buy
their own security software to protect their computers, and then
they're left to their own good hygiene, in which case
most of them haven't been trained in the
way that a company or a university might train their faculty,
so they're more susceptible.
Speaker 3 (05:23):
But I'll also say, you know, I have children of
my own.
Speaker 4 (05:25):
I have college-aged children of my own, and they
do things that the bad actors, the criminals know of,
and they specifically put malware. It's, for example, in video games,
if I'm playing Fortnite and I want to go get
a new skin or a mod for Fortnite, the malware vendors,
the malware criminals, they put malware into those packages.
Speaker 3 (05:49):
So when I go get.
Speaker 4 (05:49):
A new skin for my Fortnite character, I will install
that package and I'll pick up malware right away. And
so they're specifically targeting students in really unique ways that's unique
to what they think students are doing.
Speaker 3 (06:04):
And that's just one example. There's dozens of examples like this.
Speaker 2 (06:08):
Wow, that's crazy, because my kids do play Fortnite and
they are always talking about all the cool new skins
and is there a way to protect yourself? I mean,
how do we as consumers recognize that this particular person
may be a nefarious you know, selling something that could
(06:29):
end up being nefarious on our own computer if it
looks as legit as everybody else's.
Speaker 3 (06:36):
Yeah, I mean to be honest.
Speaker 4 (06:39):
You could look for the telltale signs, like when we
all take training with our companies, say, we look for
weird spellings and weird things that don't quite add up.
But the criminals are getting quite good at this, and
it's almost impossible to do that one hundred percent of
the time. So you really should take steps like installing
security software from a major security vendor, a reputable vendor.
(07:03):
But the other things you can do are protect the
things that matter. Don't play those video games, and install
those packages on the system where you do your banking from,
or where you access your work system or your university
system from, or if you're technically able, you could use
virtual machines in which you could play these types of games,
(07:24):
so that everything is segmented, so if you do accidentally
install bad software, then it's not going to steal your
parents' tax information or you log into your mutual fund
accounts or to your bank accounts. Keep separate the things
that truly matter from the things that are a little.
Speaker 3 (07:42):
More a little more flexible and a little more risky.
Speaker 2 (07:45):
Okay, So I worked in IT in the early two thousands,
late nineties, and so I'm familiar with a lot of
what you're saying. But just to clarify, are you talking
like if I put a partition on my hard drive
and use a different operating system in that partition or
something like that. When you say a virtual machine, or
is there another way to do that.
Speaker 4 (08:06):
Well, there are other ways to do that, and that's
probably a little too technical for a lot of individuals
that are out there. You know what I end up
doing in my home with my college students and my
high school kids is I have different computers that are
for gaming, and then we'll use a separate computer that
is for accessing more confidential information. There are other
(08:29):
systems, as you're referencing, where you can run an emulation.
Speaker 3 (08:33):
It's called a virtual machine. You can run an emulation of.
Speaker 4 (08:36):
Windows within your Windows, and it's really hard for the
criminals if they infect that environment to get to.
Speaker 3 (08:42):
Your normal, your normal operating system.
Speaker 4 (08:45):
And there are various gaming systems that you can log
into that provide your virtual machines as well to play.
Speaker 3 (08:52):
Those types of games.
Speaker 4 (08:53):
It's just a different way to keep everything separated, the
things that matter from the things that.
Speaker 3 (08:58):
Are a little riskier.
Speaker 4 (08:59):
In your activities, but you can take more steps,
I mean, installing multi factor authentication on the accounts that matter,
all of your financial applications, you know, those things.
Speaker 3 (09:09):
Matter just as much.
Speaker 2 (09:11):
Okay, I like that now as a person Again, if
they're just listening in and maybe they're not super tech savvy,
when you say get a reputable you know, malware software
or virus software, where's the best place for people to
go to find out which companies are the reputable ones
(09:33):
and the best performing ones so to speak.
Speaker 4 (09:38):
Yeah, so we try not to get specific recommendations, but
I think you know, a great idea is to talk
to talk.
Speaker 3 (09:46):
To your employer, you know, assuming you're.
Speaker 4 (09:49):
Working for a company that has computers, and look at
the types of software that you that you see installed there.
So all the major vendors, you know, the Ciscos, the
Palo Alto Networks, the CrowdStrikes, they all have really
great software, and there's dozens of others that you know,
(10:09):
if you look through the news or you know through
the media, for who are the major security vendors. Those
are great places to start.
Speaker 2 (10:17):
Great and so my next question would be if you
unfortunately find that your system is already compromised, then what's
the next step.
Speaker 4 (10:28):
Yeah, I see, that's a that's a very challenging problem
because the first thing you want to do is make
sure you remove that software that that compromise. And one
way that you can do that is to completely reinstall
the computer. That's often what I do with my children's
gaming computers, and you know, you make sure you remove
that malware. The other thing that you can do is
(10:50):
you can some of those software packages, many of them
have the ability to remove the malware, so if they
can detect it and remove it, that's an easy way
to do so without without having to reinstall your computer.
But the other thing you need to realize that many
people don't seem to don't seem to always understand upfront,
is that the part of the problem is the malware
(11:13):
that when it was installed, the first thing it did
was steal all of the all of the information you
had on that computer. And so you do need to
remove the malware so they no longer have control of
the computer. But then you need to think about all
the different systems you logged into from that computer. They
likely have your user names and your passwords to all
(11:35):
of those systems, and you need to log into your
especially your financially oriented accounts, and change those passwords and
make sure that nothing suspicious has happened in those accounts
if they're financial, Has any money been moved around without
your knowledge?
Speaker 3 (11:52):
Check the account details.
Speaker 4 (11:55):
To see if anybody has changed email address or a
password that account without your knowledge, because that information has
been taken up and is now being marketed in massive
groups to other people, other criminals, and so getting making
sure you maintain control of the types of things that
(12:15):
were on that computer is important.
Speaker 2 (12:18):
Wow. Okay, So let's talk a minute about SpyCloud,
the company you work for, and what you do for them,
because a lot of people may not know that.
Speaker 3 (12:30):
Yeah, absolutely so, SpyCloud, we have researchers that really are
watching and interacting with criminals all the time, and our
job is to find all the information that they've been
stealing and gain access to it basically by tricking them
out of that data. And so we have built probably
the world's largest data lake of data that has been
(12:53):
taken by criminals and is now being traded or sold online,
and then we make that information available to companies that
can use it to in an automated way, make sure
that a criminal can't use it to get into the
company's identity system or into any of their computers, and
(13:13):
to protect them from the next attack because a lot
of times this information is used to gain access to
a company, so they can then deploy ransomware or they
can steal something that's very sensitive to that company.
Speaker 2 (13:26):
Oh wow, okay, so that was going to be part
of my question when you were explaining is as a
company who you know, does what you do? You're saying
that you guys stay in business by selling basically help
to the companies who may or may not have been affected.
Speaker 3 (13:42):
Correct, exactly.
Speaker 4 (13:44):
So it's a subscription service and it's you know, it's
not just help, it's it's software products that they deploy
in their environment like they would sell, like they would
deploy a firewall, and it gives them the tools to
make sure that they're protected against this information that has
leaked out from either from their employees or from often
(14:06):
from some other computer that some other company that had
a massive list of information. If you've been watching
the news lately, there's been a very significant breach from
the National Public Data Organization. That information is now being
sold and traded online and in many ways being used
to try to do damage to companies or to individuals,
(14:29):
or to access companies as.
Speaker 2 (14:30):
A result, that's so terrifying. As a chief product officer,
what does that mean? Like, what's your background and how
did you end up in this position?
Speaker 3 (14:44):
Well, I've taken a little bit of a meandering path
to get here.
Speaker 4 (14:48):
You know. I've been working in security industry creating security
products for twenty five years, and probably one of my
most most insightful roles was over the last five years,
I spent time in a security services company and I
spent a lot of time doing incident response for large
organizations such as major hospitals, major universities, and so when
(15:10):
they were ransomed or when they saw a very significant
cyber attack, they called myself and my team and we
came in and helped them through those times and helped
them get the bad guys out, understood what the bad
guys were doing, and then helped them to restore their
systems as quickly as we possibly could so they could
(15:31):
in the hospital's case, maintain patient care in a university's case,
continue on with the business or the university.
Speaker 3 (15:37):
And so that was such for me.
Speaker 4 (15:39):
It was such an enlightening time to understand the damage
that these attacks can do and the way in which
these attackers were using information to gain.
Speaker 3 (15:49):
Access to these types of companies.
Speaker 4 (15:52):
And so to me, it's very exciting to be able
to work with an organization like SpyCloud where we are
tracking specifically what the bad guys are doing and then
giving companies the tools to make sure that that information cannot.
Speaker 3 (16:06):
Be used against them.
Speaker 2 (16:08):
So, in other words, if I were to try to,
you know, say it in layman's terms, I guess you're
like an Internet detective.
Speaker 3 (16:18):
Yes, we'd like to figure ourselves that way.
Speaker 2 (16:20):
Sure, So is it a very reactive kind of thing
what you do, or is there a way to be
proactive and to try to get ahead of them or
I mean, obviously you would have to kind of think
in a deviant manner, but is there a way to
get ahead of the bad guys?
Speaker 3 (16:42):
Absolutely?
Speaker 4 (16:42):
And so we like to think of this as you know,
what we are doing is discovering the first crime in
a series of crimes that just get successively worse, and
so that you know that the criminals are stealing data
not just because it's fun or because they can make.
Speaker 3 (16:59):
A couple of dollars.
Speaker 4 (17:00):
They're stealing it because some of that data leads them
to a ransom where they can make a million dollars
right or to some other type of account where they
can drain a lot of money out of those accounts.
So to us, we are trying to stop this cycle
of crime. So it is reactive to that very first
malware event or that very first breach, but it's it's
(17:23):
proactive to all of the other events that are even
more damaging to people or the companies.
Speaker 2 (17:29):
Okay, so let me ask you this. Is it almost
like when law enforcement has to deal with like gangs.
I mean, do you have you identified specific groups of
people or people from particular countries or anything like that.
(17:50):
Have you been able to narrow the scope of who's
doing this? I guess is my question.
Speaker 3 (17:56):
Yeah.
Speaker 4 (17:56):
So, our research team and our investigations team all the
time is working on understanding who the actors are behind
these crimes and who the actors are that are using
this data. That's not something that we include in our products,
and our products we're giving people the ability to stop
that data from being used against them. But we have
(18:17):
very close relationships with law enforcement agencies, and our goal
is to stop the crime from happening. And so we
all the time, you know, take the information that we
have that we can connect back to, likely, who
the bad guys are, and then use that same information
to help law enforcement understand where they are and what
(18:40):
they can do to stop them. And so we're proud
that we have helped in many, many cases. We can
actually talk about specifically how many, but our data has
really helped to stop a lot of crime. Unfortunate realities,
we just can't get ahead of all of it, but
we certainly, you know, this kind of information, the tracking
that we can do does help to stop criminal gangs.
Speaker 3 (19:02):
And criminal rings.
Speaker 2 (19:03):
Oh yeah, for sure. Have you encountered anything in doing
this work that the crime itself or the way they
did it stood out as unusual compared to the typical ways.
Speaker 3 (19:18):
I think of a couple of examples here.
Speaker 4 (19:22):
We have a very unique level of insight because we
also see not just information about identities, but we often
see information about malware infections.
Speaker 3 (19:32):
And I mentioned earlier how.
Speaker 4 (19:35):
One of the sets of information we gather is coming
when a criminal launches malware on a person's computer and
then all of that data is stolen, and so we
have scenarios where that happens specifically to criminals because they're
dealing with malware all the time, they accidentally run their
(19:57):
own malware and other criminals steal all of their data,
and so in doing so, we start to gain a
lot of really interesting insights to the criminal specific activities
because when we happen to come across those specific data elements,
we can see a fraudster that might have one hundred
(20:18):
accounts to Amazon or to another retailer site. Well, that's
not a typical customer, right, and that lends insight to
us that that individual itself is probably a criminal, and
then we're able to track the specific activities based on
the other information that criminals stole from a criminal and
(20:38):
then help us to paint a bigger picture of who
that individual is and then see their activities through the
criminal underground as well. It's really useful in referring to
law enforcement, of course to help make sure we're responding,
but it's also useful in understanding the next attacks and
then how that can impact our customers.
Speaker 2 (20:58):
That sounds actually fascinating, like a really intricate puzzle, you
know what I'm saying.
Speaker 4 (21:04):
Yeah, absolutely, And there's a lot of challenges in understanding it,
but the insights that we gain through this type of
analysis and in helping our customers and individuals be protected,
it's really enlightening. And just understanding how the criminal mind
is shifting by looking at some of the things that
they're doing, it's been really enlightening, really interesting.
Speaker 2 (21:25):
Yeah, that sounds really really fascinating. If somebody's listening to
this and they're like, I think I would enjoy doing
that as a career, what do you recommend for them?
Speaker 3 (21:37):
Yeah, so you know that side of our business, I
would recommend that you just start getting involved in communities
that are interested in what we call cyber threat intelligence.
Speaker 4 (21:48):
You can certainly look at jobs on spycloud.com,
but there are thousands of jobs that are in this
cyber threat intelligence space and you just start to take
an interest in it. Be careful because if you start
to interact with the criminal underground, you need to take
a lot of protections to make sure you don't endanger
yourself or your computers, or or you know you're you're
(22:10):
interacting with real criminals. But that's certainly you know, starting
to become involved in cyber threat intel communities is
a good start. There are a handful of universities that
have programs that are also.
Speaker 3 (22:21):
Interesting to look into.
Speaker 4 (22:22):
And again you're looking for cybersecurity intelligence type roles.
Speaker 2 (22:26):
Okay, Now, when you got started, did you think you
would end up here?
Speaker 3 (22:32):
No, like many you know, like many young people when
they start.
Speaker 4 (22:36):
You know, I wanted to be an architect when I started,
and you know, that didn't work out, so I went
into high tech and building computer systems. But you know,
I was just attracted to the hardest problems I could find,
and solving problems that help people, you know, is always
something that's been close to me. And so you know,
this is a place where there's so much need and
so many problems that we can solve to help protect
(22:59):
people as well as their companies. That it's just something
that you know, I've tried to keep in my path.
Speaker 2 (23:05):
Yeah. I love that. So why don't we talk about
some of the products that your company offers, just so
people are familiar with some of the stuff that's out there.
Speaker 3 (23:13):
Yeah.
Speaker 4 (23:14):
Absolutely, So, you know, SpyCloud, we take this information
that we're able to find, and then we create products
around keeping it from impacting businesses. So we have products
that work directly with enterprises. Enterprise companies as are larger
companies or medium sized companies that can use that can
(23:34):
install software that integrates directly into their computer systems, into
their identity systems, we call it, to see when one
of their employees has used an email address of the
companies and has used a password that is also being
used within the company, and can automatically reset those passwords
(23:55):
and make sure that the bad guys cannot use that
information against them. There are also new attack patterns that
are out there where the criminals are stealing enough information
to bypass some of the identity tools, to bypass a password,
or to bypass multi factor authentication. And so when we
(24:15):
see that happening to a company, we have other tools
that allow us to tell the company how to resolve
that specific issue. It's called security session hijacking, and this
is the thing that we see criminals doing. As a
result of all of the great things companies have done
to protect themselves by implementing multi factor authentication, there's a
(24:38):
new way to hijack an authenticated session and SpyCloud
offers tools to see that happening and to make sure
that you stop it before the criminals can do it.
Speaker 3 (24:49):
So those are two ways. We also offer tools where
we work with.
Speaker 4 (24:55):
Companies that provide Internet facing applications. If you ever had
an application on your computer warn you that there's your
password is traded on the criminal underground or on the
darknet, there's a very high probability that SpyCloud
data that's been integrated into that application to help that
company understand that your account is at risk because you're
(25:16):
using an unsafe password.
Speaker 2 (25:18):
Oh wow, okay, So mostly your business focuses on business
to business help, is there similar things like that out
for consumers, because I mean, as a consumer myself, it's
kind of terrifying to think that criminals are even able
to get past the biggest businesses with the most money
for their security. Like, how in the world am I
(25:40):
supposed to keep myself? You know what I'm saying. Yeah,
it's like terrifying.
Speaker 3 (25:46):
It is.
Speaker 4 (25:47):
I agree, as a human, as an American citizen, we're
all on this same spot. And so the installing security
software from companies like we talked about earlier, is a
is a good first step. The other thing that people
just need to start being aware that every time they
have information out there they need, and every time they
(26:09):
have sensitive accounts that are really important to their way
of life, they need to take steps to make sure
they turn on many protections because you cannot keep everything safe.
I can tell you as a cybersecurity professional for many
years now, there is no way to fully protect yourself
and every time we come up with a great solution,
the criminals are working against us to come up with
(26:32):
another way to gain access to that information, and so
installing security packages absolutely helps. Taking efforts to make sure
that your most sensitive accounts and information you've turned on
multi factor, you don't access it from risky computers, you
have security software installed.
Speaker 3 (26:52):
Those are some of the best things that you can do.
Speaker 4 (26:55):
You can also gain an understanding of what's going on
the criminal underground, and that's a venture to you. At
SpyCloud, we have a website that you can go
to called checkyourexposure.com, and that
will give you a list of all the places your
email address has shown up in breaches or in malware.
(27:17):
But you'll still have the task of going to change
those passwords and to making sure that those accounts are secure.
Speaker 2 (27:24):
Oh wow, so what was that website again?
Speaker 3 (27:27):
Checkyourexposure.com.
Speaker 2 (27:30):
Okay, so that would be very useful to everybody. Yeah,
I'll have to do that myself for sure. I think
we're coming close to the end of our time. But
I always like to ask this question. You are the expert,
and I am just curious. Is there anything the audience
needs to know about today's topic that I just did
not know to ask you about?
Speaker 3 (27:48):
Good question. No, I think we covered all the high points.
Speaker 4 (27:52):
I mean, I think really just raising awareness that there
is this criminal ecosystem that is really about taking
info they can gather from anybody. I think a lot
of individuals kind of start to they want to think
that they are not going to be susceptible to this
kind of attack. I don't have enough money, or don't
(28:14):
I don't have access to anything important, and then I
will never be a target of the attack. Things have
just gotten to the point where we are all targets
of opportunistic attacks. They will install malware everything everywhere that
they can, and they and that anything that is useful
to you in your life is of interest to an
(28:35):
actor in some way, whether it's your own small bank
account or a large bank account, whether it's any type
of access to your company or access to a university system.
Speaker 3 (28:45):
Any kind of access that is something.
Speaker 4 (28:47):
That an actor can take, a bad actor or criminal
can take and use it to get a foothold within
that organization and then try to make take a path
to another.
Speaker 3 (28:58):
Prize which they can then use.
Speaker 4 (29:00):
So we all just need to understand that this community
exists and that as people that want to use the Internet,
we have a responsibility to be as careful as we can,
to pay attention when things happen, to do our best
to take action to stop these criminals from.
Speaker 3 (29:16):
Being able to profit.
Speaker 2 (29:17):
I love that. I think we're all a little better
prepared now after you've been on the show today, and
I really appreciate it. I cannot tell you how much.
Speaker 3 (29:28):
Thank you so much, Rebecca.
Speaker 4 (29:29):
I really appreciate the time to talk to you, and
it's been great to share the message.
Speaker 2 (29:35):
I hope you've enjoyed today's show. Thanks for tuning into
the show on your favorite local radio station. You can
now listen to this show or past shows through the
iHeart app or on iHeart.com. Just search for Virginia
Focus under Podcasts. I'm Rebecca Hughes with the Virginia News Network,
and I'll be here next week on Virginia Focus.