Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:09):
This episode of Revelizations is brought to you by Saul Tacans' Roof Repair.
Ho! Ho! Ho! Merry Christmas to all and to all a good night!
Well, there he goes again, off to disappear for another year, leaving behind more than
just presents.
(00:29):
Each year, homeowners of the world wake up to the wake of Santa's destruction.
You'd think a person who eats exclusively a high-fat and sugar diet would know better
than to use a roof as their landing strip.
Maybe try the front door before scraping off and damaging expensive roof material.
With the damage already done, Saul Tacans' Roof Repair is the only company I trust for all
(00:52):
my roof repair needs.
Saul Tacans' Roof Repair works fast to fix your damaged roof, guaranteeing that you will
be able to blow the roof off your home at your next upcoming New Year's Eve party.
Haha, yeah, it'll help you fix those damages too.
Now, instead of worrying who to call to fix your hoof- and metal-sleigh-damaged roof, all
(01:14):
you have to worry about is taking down your Christmas decorations in a timely manner before
your homeowners association president, Dominick, finds you again.
Saul Tacans' Roof Repair, cleaning up after Santa since 1948.
(01:46):
Hi everyone and welcome to Revelizations.
I'm your host, Brian James.
On today's episode, we're going to be learning about cybersecurity with Craig Taylor.
Since 2001, he has been a certified information systems security professional.
He is also a 25-year veteran of cybersecurity.
In 2014, he co-founded a cybersecurity training company, CyberHoot, to help individuals and
(02:11):
businesses learn cyber literacy.
During his career, Craig has led cybersecurity organizations in web hosting, finance, and
manufacturing.
Additionally, Craig leads a cybersecurity consulting company delivering virtual chief
information security services to more than 30 companies across many different industries.
(02:32):
I hope you enjoyed today's episode with Craig Taylor as much as I did.
Thanks for listening everyone.
Hi everybody, welcome to another episode of Revelizations.
I'm your host, Brian James, and with us today, we're going to talk about all things cybersecurity
(02:57):
is Craig Taylor.
Hi, Craig.
How are you doing today?
I'm great.
Hi, Brian.
How are you doing?
I'm doing great.
First thing, first question, if you could tell us a little bit about yourself and you
don't have to tell us too much, just a few credit cards, last four digits of your social,
all those good things, the street that you grew up on, just, you know, just keep it brief,
(03:18):
keep it light.
Okay.
Yeah.
So my social, if you want, is on the NPD breach.
You can go look up Craig Taylor and you'll see it on the, there's an NPD breach website
you can find published to the internet that tells you all of these details, where I lived
in the last three homes, where my ex-wife lived.
They think I live there, but I don't, and other things.
(03:41):
So yeah, all this information is out there already, so I don't have to actually share
it with you, Brian.
It's already out there and we'll get into hopefully a little bit later in our conversation
things people can do to protect themselves from that data being used to take advantage
of your credit or take out credit in your name, things of that nature.
We'll get into all those things down the road, but in all seriousness, Craig Taylor, I'm
(04:05):
a Rotarian here in Portsmouth, New Hampshire.
I was born and raised in Canada, though I've lived more years now in the United States
than I have in my home country of Canada.
I've been doing cybersecurity for 30 years.
I'm a Competent Toastmaster, so that just means I can do public speaking.
I had my CISSP, which is the standard security certification back in 2001.
(04:30):
And so my certification number was something like 23,000.
Now there's closing in on a million.
So I was very early on in that area and I've spent a lot of my professional life working
in Fortune 500 companies until 10 years ago, I founded my own cyber literacy company called
(04:50):
CyberHoot, which teaches individuals for free and companies for a fee cyber literacy skills.
How do you protect yourself online from phishing attacks and all kinds of different social
engineering methods and why password hygiene matters and all the different things that
relate to that.
We'll hopefully get into some of those things.
(05:11):
So that's me in a nutshell.
Hopefully that answers you to the level you are seeking.
Yeah, it definitely does.
I like to ask an open-ended question, even though it's sometimes like, I don't know what information
they want.
But yeah, that's great.
I just like to see what information people are going to get, like what's important to
them to kind of showcase who they are.
And you had a lot in there.
(05:33):
Data breaches are really, it's kind of scary because when I get mail from Amazon, I'll
go ahead and I'll remove my name and my address, just thinking like, you know, it's like an
extra little thing of security, you know, because I don't know who's going through the
trash and who wants to find my address and my name.
But it's just like, you think you're going through and being safe and taking these extra
(05:57):
precautions when, like you said, this data is already out there.
And for anyone who more than likely has malicious intent, they already know where to find everything
about you.
Just about.
Yes, that is correct.
It's like when you were saying that, I was just like, I don't know, it was like spooky,
like a little thing went up my spine and it's like, oh man, like I can't believe.
(06:20):
Because I think you want to believe that, like, if you do everything right or like within
what you think is right, and we'll definitely dive into strategies that we can use to make
sure that we are doing things right, that the companies are going to take care of you
too.
But the companies either, you know, through negligence or just they didn't even know they
(06:46):
were vulnerable.
All this data comes out.
I mean, this could be something like where you order your pizza from, like they can have
a data breach.
And a lot of times they do try to like the hackers will try and attack like these lower
level companies.
But it's still rich with credit card information, name, address, everything that they need to
(07:08):
take your identity and take money from you.
Well fortunately, Brian, I'll correct one thing you just said, like a pizza company.
In many cases, these smaller companies are outsourcing their credit card processing to
major vendors.
So they don't actually manage the credit card unless you tell it to them over the phone,
(07:28):
right?
I've ordered Chinese food and given them the credit card over the phone.
Well, that's a different story.
They actually could write it down and collect all these things in a database and then they
could be breached and hackers could get that data.
But it's more likely that it's pretty innocuous because they're going to just use it on the
credit card machine that is from Elavon or one of these third party payment processors.
(07:49):
They have the data and they have to be PCI compliant and they have to prove their compliance
to the auditors and the regulators.
And it's a much better story in PCI.
If there's an area of cyber literacy, cybersecurity out there that is well regulated and very
much in favor of the end user, your and my personal protection, it's credit cards.
(08:14):
Somebody steals your credit card, you're not liable for it.
Somebody charges it, you're not liable.
You just place a call to your bank and they'll refund the money immediately and you're not
out.
A debit card, a little bit less, right?
If you're using a debit card, you have some liability potentially.
The money can disappear.
It often does get put back in your account if you report fraud on a debit card theft,
(08:37):
but it takes longer.
They have to do research on it because the money has physically left your account and
gone somewhere else.
On a credit card, it's kind of credit, right?
It's not left you yet.
So there's a lot more protections there.
But a lot of these small companies that collect random bits of information about us, you know,
they're pretty small.
They're not likely to be targeted.
(08:57):
When you get into that latest breach by NPD, the National Public Data Breach, they were
a data broker.
They collected all kinds of personal information on you, myself, to the tune of three, almost
three billion records.
And it had social security numbers tied to addresses and first and last name and dates
(09:20):
of birth and financial information and marital status and email addresses.
They had a lot of information.
They were in the business of selling that data to third parties.
It could be a credit card company that wanted to offer you a credit card.
It could have been a bank that you're trying to get a loan and they want to do some background
check on you.
(09:40):
That's less likely to be the case.
They're more on the marketing and sales side.
But they were breached.
And when I checked my data on that, there's a website.
We can put it in the show notes, I think.
But if you were to where you can find this link to check your own personal records that
were part of that NPD breach is going to cyberhoot.com forward slash.
(10:04):
C-Y-B-R-A-R-Y, that stands for Cybersecurity Library, forward slash identity dash theft.
And we can put it in the show notes, but that will have an updated article where we've kept
updating what we've learned and know about that NPD breach.
But one place is a free public service website where you can put in your first name, last
(10:27):
name, date of birth, and I think one other piece of information to see what was in the
NPD breach that pertains to you.
I learned incidentally that there's multiple Craig Taylors in New Hampshire where I live.
There's at least three of us.
I've had that happen because you go to a gym and you try to log in and it's like,
(10:49):
you're not that Craig Taylor, you're a different Craig Taylor, what have you.
But the reality is there's quite a bit of stuff there.
My social security number, it'll show you your redacted social with the last two digits
of your social security number showing.
And it was mine.
So, you know, anyone out there listening to this, you've got two digits of my
nine-digit social, right, so you only have to guess seven more.
(11:12):
But you could find it in the actual breach data.
Now, what I've done and what I recommend anyone listening to this to do to protect themselves
is freeze your credit.
In order for any company out there to issue a credit card or a line of credit or a HELOC
or a car loan or anything, they can't do it for you without your credit score.
(11:35):
And that's only possible if they can ask a credit agency out there,
what is Craig Taylor's credit score?
And they need certain bits of information, which are part of the breach, right?
Your date of birth, full name, address, and a few other bits of information.
But it's all there.
So someone could maliciously take out a credit card in your name or a loan or any of this stuff
(11:55):
and would be given it if that credit score was available to the hacker.
But when you freeze your credit, you're saying no one gets it, not even you.
So when you go to buy a car, you have to ask the car company,
hey, where do you check my credit to get my credit rating and score
so you can decide what interest rate to charge me, right?
(12:16):
The better my credit score, the lower the interest rate within a few points.
And whether you qualify or not,
you ask the company, well, we use Experian or we use Equifax or we use TransUnion.
Those are the big three.
But there's another one called Innovis, four big ones that most people should freeze their credit at.
There are links in that article I just shared with everybody
(12:38):
to go to the freeze my credit link and you can freeze it.
But what we did when we researched this four years ago during a different credit breach,
not the NPD breach, but it was either at Equifax,
or it might have been Citibank had a breach, there's been all kinds of breaches in the past.
We actually looked into these credit agencies and we found out that there's a primary credit agency
(13:00):
market of those big four, Experian, Equifax, TransUnion, and Innovis.
Those four are really the big players in the industry, but there's secondary markets.
There's a Credco credit agency.
There's a few others that are listed in that article that you could freeze your credit at.
Unfortunately, it's not always very easy on the secondary market to freeze your credit.
(13:23):
If one company had to write them a letter, who's going to do that?
Probably nobody.
But likewise, you're not going to be able to get credit out of them very easily.
So freezing your credit really protects you when your data is already out there from having your
credit impacted by hackers taking out credit in your name.
Does that make sense, Brian?
(13:44):
Yeah, that makes a lot of sense.
If you freeze your credit, how easy is it to unfreeze it?
Well, in the big four, they have a link on their website that says unfreeze my credit.
It's even fancier than that.
In some cases, you can go to Experian.
My daughter and I bought a car one time and I co-signed for her.
(14:07):
For them to validate we were a good credit risk, they said,
we're going to need to go to Experian.
I went to Experian and I unfroze my credit for one day.
But not only that, I said, I'm going to make this up.
Ford credit can ask for my credit, nobody else, for this one day.
(14:28):
They went, they pulled it, they got it because they were who they say they were,
who I authorized, and it was automatically frozen the next day.
So it's gotten much better than it used to be, say, eight or nine years ago.
You couldn't unfreeze it easily, you couldn't freeze it easily.
It's much easier these days.
You'll find that, you know, it's somewhat painful because
(14:50):
why do I have to protect myself from these people monetizing my data?
Well, that's the world we live in.
Congress and the governments of the world have said,
you know, this credit helps us grow the economies and make jobs
and pay everybody a reasonable salary.
So if we froze everybody's credit, it would really be a drag on the economy
(15:12):
and we wouldn't be able to grow as much.
And we would have, you know, could be recessionary.
It could push us towards recessions and things of that nature.
So there's some really good reasons why we have to have this liquidity
and these credit scores out there and that sort of thing.
But at the end of the day, you can protect yourself by freezing it
as a manual step.
And that's the message I would share.
(15:33):
That's great, because like you're saying,
three billion people's information was leaked at NPD.
And like, you know, who's going to NPD
and voluntarily entering their information?
That's not what it is.
Someone is like they're collecting it.
They're collecting it to sell.
(15:53):
And it's not three.
I want to just be clear.
It's not three different three billion different people.
It's more like eight hundred million people with ten records for the same person.
I had ten records of different addresses.
Okay.
So just think of it as lines of a spreadsheet.
They had a huge spreadsheet with eight hundred three,
(16:14):
almost three billion rows in it.
But the same person is listed ten times, twenty times, thirty times.
Okay.
So it's a little bit less than that.
But almost every U.S. person was in it.
There was some argument that there were a lot of Canadians in there,
but that hasn't borne out as far as I know.
Europeans, UK, not so much.
It was really this company was focused on the U.S.
(16:35):
But don't let that fool you.
If you're in the EU or if you're in Canada,
there have been other breaches that you're part of.
So your data is out there.
Don't kid yourself.
Yeah.
That's what's kind of crazy about it is like it's not if this happens, it's inevitable.
It's already happened, but it'll continue to happen as well.
So what can you do as a consumer to make sure that you're protected
(16:57):
to kind of the most that you can control it?
Because again, it's like no, not no one gave their information to NPD,
but they were just collecting your information
because there's a lot of money to be made in that marketing part of the economy.
(17:18):
Something that Steve Gibson in his podcast, Security Now, said is that
if you're a teenager and you haven't been given credit yet,
and so there's nothing really in the credit rules of the world
or companies of the world selling the data brokers who have collected your data,
you can sign up for services like DeleteMe.com.
And I've done that to remove your data from these companies collecting it.
(17:42):
They handle the whole process.
They'll file a request to remove your data and it works.
It takes that data out of their hands so that if they're breached down the road,
you're not part of that public collective data breach.
And that might be a useful thing for younger people listening to us today.
Maybe you haven't got a lot of records out there.
(18:03):
You're in your 20s and you might sign up for a service like that.
It's not cheap and there are competing services, probably just as good.
I did some homework and that was recommended by that podcast.
So I thought, hey, that's a good thing.
Let me sign up for that.
So I registered for DeleteMe and I keep getting email notifications.
We've removed you from here.
We've removed you from there.
(18:24):
So if those companies are breached down the road,
my data is not going to be part of it.
That's another mechanism, but it's costly.
It's not free.
The credit freezes are all free.
It's a legislative requirement that you can freeze your credit for free in the US.
Yeah.
So you can kind of just figure out what are you willing to invest to keep yourself safe online?
(18:47):
And I think we've been talking about it.
So what is hacking?
That's data breach and that's no fault of your own.
But how can I accidentally give someone my information and not even realize that?
What is hacking and how do we?
So I think we might ask that question a little differently.
(19:09):
What are the kinds of hackers that are out there and what are their specific motivations?
Because I think if you boil it all down, there's essentially five or six flavors of hackers in this
world and each of them has somewhat different goals and objectives.
And so if you're an individual with some of the data that type of hacker is after,
(19:35):
that's what you need to defend against.
If you don't have any of the sensitive data they want,
then you're probably not going to be attacked by that group.
So let me back it up a little bit and say,
let's answer the question, Brian, of what kinds of hackers are out there.
And there's really five or six different kinds.
There's a script kiddie, is a common term.
You might have seen a movie from the 80s called, what's the name of that movie?
(19:57):
But it had script kiddies who couldn't hack on their own.
They couldn't write their own code, but they borrowed other people's hacking materials
or malware or bought it on the dark web, which you can do today.
And they use it to try and break into companies only for bragging rights.
They're not trying to be malicious.
(20:19):
They're not trying to destroy things.
They're trying to maybe download the space shuttle schematics from NASA.
Or in the classic case, it was simple.
Like in a historical sense, there was a Kevin Mitnick who went to work for
KnowBe4 as a consultant.
Well, way, way back, he discovered that a whistle could be blown into an old payphone
(20:41):
and it would allow you to make phone calls.
That's called phreaking, I think is what it was called.
But those are really just to gain credibility with your peers.
And so it's not really a danger to you and I as individuals, those people.
They might be trying to find information about us to embarrass us if it's in your peer group.
But really, they're not up to too much trouble.
(21:03):
And they're not something that I worry about as a professional consultant in cybersecurity.
However, the next group, Organized Crime, they're buying and paying hackers to hack for them.
Because they've recognized that it's easier to do online hacking and
(21:25):
collect money from their exploits and from their breaches through ransomware
and business email compromise and a variety of other financial mechanisms
than it is to do physical breaches, right?
Think of all the cell phones in the world and the video cameras that can record people
stealing from a bank or robbing or doing any kind of physical breach of a company.
(21:47):
It's a lot harder to get away with those kinds of breaches today
because of all the world we live in.
But doing it online, you can hide your tracks much more easily.
And to a larger extent, we've seen an enormous growth over the last few years
in Organized Crime targeting individuals and companies with ransoms, with extortion campaigns.
(22:08):
I think I don't know too many people that haven't gotten the email that says,
I know what you're doing with your webcam.
I can break into your computer and I can take screenshots from your webcam
of what you're doing and you've been visiting pornography sites or what have you.
And that's not typically possible without some pretty advanced malware that you may...
(22:29):
It's unlikely that most people listening to this would be a victim of.
Those are more extortion attempts that are meant to try and get you to pay a ransom
without any backing up, without any truth to the matter that
they can't break into your video camera.
In most cases, you can close your privacy guide on your video cameras when you're not using it.
(22:54):
That's a good practice no matter what the case.
With that attack, the extortion, I've heard some pretty sad stories about
they'll... The people who will do those kind of attacks will seek out people who are in
honor cultures.
(23:14):
They'll say, hey, you've been looking at pornography and I'm going to show it to your family.
And then people... And whether it's true or not, like you're saying,
they probably don't have that information. But whether it's true or not, people have
taken their own lives as a result of stuff like that.
So just knowing that, okay, this is unlikely that this person knows this, is going to share
(23:37):
it with everyone. They're just trying to get money.
But just how vile an attack like that is that you're just out for your own good
and you don't care about the repercussions of it.
It's really crazy because you probably don't think anything of it.
It's just like, okay, I'm going to cast a net out.
I have all these people's emails.
(23:58):
I'm going to send them the same email and then I'm going to get a few hits.
But out of those few hits, who knows how that's impacting the person's life.
There was a classic movie that just came out recently called The Beekeeper.
And it has a very similar extortion attempt where people were convincing
these organized phone call centers were calling people and convincing them to grant access to
(24:23):
their computer and that they had a problem with their bank account or this or that.
And once they granted access to the computer, there was an ability to transfer funds from
different online accounts to the hacker.
The Beekeeper kind of puts it in much better perspective and explains it a little better.
But the reality is this stuff does happen.
And in the case of the Beekeeper, I don't want to spoil it for anybody, but the person was
(24:47):
very devastated by their mistake when they granted access to these hackers out there.
So the point being organized crime is another group that are turning their hacking skills or
hiring hackers to work for them to make money through their attacks.
And they're targeting individuals through extortion.
They're targeting businesses through ransomware.
(25:09):
They're stealing, breaking into email accounts to do business email compromise and send
attacks to other people who might trust your email account if it's been breached.
Very common in financial organizations where the finance person, if that account can be
breached, malicious invoices are sent out to anyone that's ever paid an invoice to that
(25:31):
individual or that company.
And it works because there's a trust relationship that's being exploited.
Another group of hackers that are out there are nation states.
And that's something that none of us can really defend against.
If someone in a nation state, if you become a person of interest and a nation state wants
to attack you, there's almost nothing you can do to protect yourself.
Fortunately, there's a very, very, very tiny number of people that fall into that category.
(25:55):
But it's why the president uses a special cell phone that has been hardened and protected
in all kinds of interesting ways.
I don't know if they still use BlackBerrys for that.
But BlackBerrys used to have really, really good protection and encryption algorithms
in it for that.
I don't think it's still true.
But the president's not walking around with an iPhone like you and I have.
They have really top-notch security for those things, for those reasons.
(26:20):
Hacktivists is a fourth group.
Hacktivists are hacking companies more so than individuals for a social or some cause
of some kind.
If you're a logging company, for example, some people have a bee in their bonnet about
old growth harvesting.
And if your company harvests old growth, it doesn't matter how environmentally friendly
(26:43):
you do it and how you replant the forest afterwards.
Someone's going to be upset about harvesting old growth forest.
And they may attack your company trying to embarrass you and steal data about how you're
doing it illegally or this or that to further a social cause or a social wrong that they
view you doing.
Fisheries, another example, mining, another example, all these different areas where
(27:07):
a group of hackers have said, hey, you're not doing the planet a good service here.
And we want to try and take you down for harming the planet in some way.
There's some social goal associated with it.
And it could be outside of resources.
It could be the way you treat your clients or your employees or the way if you're an
investment firm, you're stealing money from the wrong people or what have you.
(27:31):
But hacktivists have a social cause and a goal there.
So that's the other group that we talk about.
The last group is really insiders who make mistakes.
You have employees.
If you're an employee of a company, you can accidentally.
This happened in China last year.
Someone posted a problem that they were having on a database into a social forum, public
forum, and they worked at the Chinese police entity.
(27:59):
I don't know what it was called.
But in that database snippet that they said, I can't get this working was the password
to the database administrator account in the database.
They just published it as part of the code.
I'm having trouble fixing this.
Who can help me?
And someone made a mistake.
Now, almost every person in that database, there was 800 million records became exposed
(28:21):
online because someone saw the username and the password, tried it, logged in and got
the data out of the database before they pulled it from that website where they were getting
help.
So internal users, insiders within your company can make simple mistakes.
And exposed data.
You asked about how does this happen?
Well, some companies make these mistakes by accident.
It's certainly not malicious in nature.
(28:44):
Then there are other insiders who are like, nobody pays me enough to do this job.
I'm going to go sell this data to that broker and get a bunch of money because I deserve
it.
They're not paying me enough and they're treating me like crap.
And so you have both malicious insiders and you have accidental insiders.
So those are the gamut of different types of hacking and data exposure that goes on
(29:06):
online and the methods and not the methods, but the perpetrators of it.
Script kiddies and organized crime and hacktivists and insiders and nation states.
They all have different goals.
The nation state wants to help their country get ahead in the world, steal data that they
could have or IP intellectual property that they could put to use in their country without
(29:29):
having to do the R&D, the research and development and all the expenses that go with that.
They're just going to take the IP and then rebuild it themselves.
So that happens a lot.
But how does it affect the everyday person?
Well, most of those aren't going to apply to you.
The only one really is the hacker who wants to make money off of you and I.
And they do that through the credit that we started out talking about.
(29:50):
They do that by extorting us to pay ransoms because maybe we watched porn and we don't
know that they can't access our camera or video camera and we feel like it would be
the end of our lives if somebody published that stuff.
Just understand and research any of those extortion attempts online.
There's a website called Snopes that can tell you if these scams are legit or if they're
(30:16):
just made up, right?
The most classic case is I'm a Nigerian prince who inherited oil and I want to send money to you,
but I need your help to get it out of the country.
It's complete scam.
I'm waiting for my return.
I've sent money so many times and nothing back yet, but any day now.
So a newer scam along those lines, and I know it was one of your questions that you
(30:40):
sent to me was deepfakes.
How are deepfakes affecting us now?
So on an individual basis, deepfakes are having a big impact, particularly on our parents,
yours and my parents, who aren't as technologically savvy.
Our kids are all probably on TikTok and making different videos and social media sites where
(31:02):
a hacker can take the voice and the facial profile of an individual and stick it into
an AI generated deepfake and then make it say whatever they want.
And then they can call my parents who are elderly and say, you know, we've kidnapped
Craig, and unless you pay a ransom to me, we're going to kill him.
(31:22):
And they said, well, I don't believe that.
Let me talk to Craig.
And they said, well, you can't talk to Craig, but I have Craig and he'll shout out some
answers to you and they can have the deepfake sound like Craig because they've recorded
my voice off of the social media sites.
They could even do video if they were really advanced and they had enough horsepower in
their AI engines, but that's reserved for probably political agendas in the upcoming
(31:47):
election.
That's another story we can talk about.
But it sounds very believable and it's almost real time where they can ask a question and
the deepfake can respond in my voice.
And so elderly people are paying, you know, ransoms, five thousand, ten thousand dollars,
taking it out of a bank.
(32:08):
Most banks are wise to this and they'll quiz you and interrogate you why you're taking
so much cash out of your bank, out of the blue.
And they almost won't give it to you anymore because, more often than not,
it's a scam where somebody's being taken advantage of.
The hackers are getting better at saying, if you say anything, we're going to cut a
finger off per hour until you pay this or we're going to do something nasty.
(32:30):
And it's making it very, very difficult and very emotionally traumatizing for the
people who are victims of this.
There's lots of examples.
If you Google this in the news articles, you can hear, you know, local news have covered
these topics in recent years in the last year or two.
That's another area of, you know, extortion that's happening.
(32:51):
Yeah.
And I know there's there's levels of protection.
I know some people are hearing these stories and they're coming up with strategies on what
to do.
It's like, hey, if, you know, for whatever reason you ever hear my voice or you don't
hear my voice and someone's saying they kidnapped me and then you hear me, let's have a password.
(33:13):
Let's make sure like I have a word that you know.
So like this is legit or this is just you can hang up the phone or you laugh or, you
know, if you're having a slow day at work, just go ahead, keep talking with them and
just see where the conversation goes.
But what else can we do?
Because like that's that's the scary stuff.
That's like you said, like the deep fakes are just starting right now.
(33:37):
And so like it's going to get more advanced because with this technology there's so much
money to be made, right?
That the incentive, the payment, incentivizes more people to get into it.
Yeah, absolutely true.
It was an interesting statistic the other day I heard about.
I read about and I haven't validated this, but I believe it to be true.
(33:58):
The third largest economy in the world last year after the US and China was cyber crime
ahead of the fourth largest economy, which is a country of some kind, probably India.
But cyber crime generates more profits for the hackers than most countries
of the world, second only to China and the United States.
(34:21):
Yeah, but check that up.
It's it's projected nine and a half trillion this year and then 10 trillion next year.
It's unbelievable.
So it's working and it's only working because people don't know how to protect themselves,
right?
Personally and professionally.
So you mentioned a password.
Yes, I have a password with my two kids.
And if someone were to try and extort money from kidnapping my kids and they couldn't
(34:43):
they wouldn't get the password out of my children.
I'm not going to give them the time of day.
That's just not going to work.
So you do need to take these kind of extraordinary measures and establish these sort of fail
safes with your family members, with your parents, elderly parents.
They probably wouldn't.
My parents wouldn't remember the password.
They'd be like, they'd say, he's had a good life.
(35:11):
How much do you want?
Yeah, I don't think so.
Yeah, I don't think so.
You can have them.
So so that's obviously extreme.
So like, how can we protect ourselves from more benign attacks?
You were mentioning phishing attacks.
I know you sent me.
(35:34):
It sounded like Dr. Seuss is making up these words.
But for phishing attacks and like a subcategory, vishing, smishing, quishing.
It just yeah, Dr. Seuss.
Yeah, so those are all different variants of the same thing.
It's social engineering delivered through some medium, right?
A QR code.
If you go to pay for a parking at any parking lot around the country,
(35:58):
sometimes they're putting up signs that says scan this QR code to pay for parking,
making it easy, right?
There's usually an app associated with it, so it's less likely to be a ruse.
But if it's just enter your credit information on this QR,
because you scan the QR code and there's no app, you're probably under attack.
(36:19):
A hacker can print their own QR code on a sticky and slap it on that
kiosk sign and you're scanning the hacker's QR code, not the actual original QR code that
ties to pay mobile or whatever the case is.
That's called quishing, QR code phishing.
That's what that is.
(36:40):
Vishing, V-I-S-H-I-N-G, is just a voicemail social engineering attack,
like phishing over the phone.
So if you work at a company, you could get a phone call that says,
hey, it's John in support.
We're having problems with your computer.
I need you to give me your password so I can check something out on your laptop.
No, you don't.
That's not ever happening that way.
(37:00):
You should never be answering those kinds of questions.
And who are you?
Let me call you back at the support.
I have the support number, John.
I'm going to call you back right away.
No, no, no, don't hang up.
It's too urgent.
Like they'll try to keep you on the phone.
You're being vished, V-voicemail or voice-based phishing attack.
Phishing, of course, P-H-I-S-H-I-N-G is email in your inbox,
(37:21):
trying to get you to click on a link,
provide credentials so that the hackers can log into that account
or use that to log into other accounts.
Smishing is S-M-I-S-H-I-N-G for SMS text-based phishing.
We've all got that text message like,
hey, you've won a prize.
Click here to accept it.
Or we can't deliver your parcel until you complete this form
(37:43):
and the form has your credit card and wants sensitive information about you.
No, it's all fake.
None of that happens in the real world.
You should not ever be giving out information over the phone,
over an SMS message, over an email or the QR code.
Be careful with QR codes.
Those are all just different forms of social engineering
(38:04):
where someone is trying to extort you for money or information.
So yeah, I actually get, I think I'm up to three of those.
Smishing, I text every day now.
And it's so annoying because I'm putting my information out there for job resumes.
(38:25):
And it's such a bummer that people are using that to steal my information,
steal my phone number.
And then now I've won a lot of money that I just I haven't picked up yet.
My cloud storage that I don't have, it's full.
And so they're canceling it.
It's just all these things.
So what I always wonder, because I know for certain attacks,
(38:51):
that if you just click a link, it's kind of game over.
Now they have access to it.
So if I were to scan a QR code that was fake that someone put up,
or if I accidentally click on one of these links,
it sounds so unnatural, a smishing link.
Am I compromised at that point?
(39:17):
It's unlikely on your phone that you're compromised.
Apple and Android are doing very well at patching those holes fairly quickly.
Yes, you might be in the first three or four thousand people in the first week where
a hacker found a zero day in an iOS application and was able to exploit you.
But more often than not, those links are really trying to steal credentials.
(39:39):
They'll bring you on a landing page that looks like your Dropbox login
or your Adobe login.
And you're going to give your credentials to the fake website.
Now, if you're in a password manager, the password managers are smarter than you and I.
They won't fill in the credentials because they look at the domain name and say,
well, that's not Adobe and that's not Dropbox.
So I don't know what to put in the password field
because I don't know what domain you're on.
(40:01):
I don't have a record for this LinkedIn login page on a server in Italy.
It doesn't make any sense.
So password manager, another great opportunity for people to adopt, learn,
and put all your passwords in them because you can have unique long
and strong passwords everywhere you go.
And it actually helps protect you from divulging this information
(40:23):
in phishing attacks that you click on.
But you mentioned something really important, Brian, and that is this.
Just clicking a link in a phishing email can compromise your computer.
Now we're not talking about a cell phone.
I'm talking in your inbox on a computer, you're reading your email on Google.
There are now, there is now some really advanced malware
(40:46):
that when you click the link to go to whatever website you were thinking you were going,
the malware proxies you through what's called an evil proxy.
It's a piece of malware that lives on a website out there.
And you may end up at the website you thought you were going to,
let's say it's a Dropbox login,
but you've been proxied through another malicious computer somewhere online.
(41:06):
And that computer has reached into your computer, your own computer,
and interrogated your current active tokens.
What's a token?
When you log into Google to read your email,
there's a post-authentication token shared with your computer.
It lives in your browser.
And it says, every time I want to read an email at Google,
provide this token to say, I'm already authenticated.
(41:28):
I've given my username and password and my multi-factor authentication has been successful.
So I have this authentication token that says,
I'm good to go to read any email, send any email, do anything I want in Gmail.
And it prevents you having to re-authenticate all the time in your inbox.
Well, a hacker can reach in and say, give me that token
because you're currently logged into your email.
(41:50):
So there's an active token.
And they will then use that to bypass the username, password, and multi-factor authentication.
So they can get right into your email account.
And they'll still pass you on to Dropbox.
And you might not be the wiser for a period of time
until you see some strange emails being sent out of your inbox, right?
Like, what's going on here?
(42:10):
This doesn't make sense.
Or someone calls you and says, do you know what you just sent me?
You sent me this malicious link.
I don't think, I think you've been compromised.
If you're logged into your bank at the same time, they can steal the banking token, right?
Now, they might not be able to send money anywhere here or there or add different payees
because banks usually re-authenticate for any time you create a new payment method
(42:31):
or a new authorization or any of that stuff.
But they might try.
I've been on a couple of security incidents where people have clicked on links in email
and then had these tokens stolen and the hacker's in the account
and they had to shut it down.
The bank called them, et cetera, et cetera.
So it's called evil proxy.
We have a blog article on that too.
If you go to cybered.com slash blog, you can search on any of hundreds and hundreds of topics.
(42:54):
One is evil proxy, evil hyphen proxy.
And you'll see this new attack by just clicking on a malicious link in an email.
You could be putting yourself at risk.
So yeah, there's so much good information there.
I think so to kind of summarize what you're saying a little bit with,
(43:16):
if you're uncertain, just push back a little bit.
A lot of people don't want resistance or they'll fold under pressure.
If someone's calling you and saying they need some sort of information,
say, okay, well, I'll call you back and I'll use your number.
And then if there's any sort of pushback, then it's more than likely a scam.
Or if you're out there and you're scanning QR code and it doesn't take you to an app,
(43:40):
you might not want to use that QR code.
If there's any suspicious, not even suspicious, just links in your email,
is there any way to run email links through some sort of like online software that?
Well, it's a common sense filter that you would need.
(44:03):
What we do at my company.
So 10 years ago, I founded CyberHoot to teach these cyber literacy skills we're
talking about to individuals and to companies.
And by the way, we give it away for free.
If you want to get six videos on the foundational skills of cyber literacy
and a phishing exercise that will teach you how to spot different pieces of the phishing
(44:24):
puzzle in an email like the sender, the subject, the greeting, emotionality and language quality
links to external websites, attachments.
If you know what to look for in those six or seven pieces of an email,
you can put together all those puzzle pieces into a crystal clear picture
that allows you to say this is a phishing email.
This is a legitimate email.
(44:45):
And to know the honest to God truth between the two.
And we teach that through this free service, CyberHoot.com forward slash individuals.
So anybody can go there for free today and register.
But if the hope is, of course, that you'll bring it to your company and they'll sign
up and pay for us, pay for the service because we're in business to make money as well.
(45:06):
But for any phishing email, for you to understand if it's an attack or not,
the very first thing you do is ask, does this make any sense?
Never, ever react to an email.
Hackers and social psychologists have learned and cybersecurity researchers know
people make more mistakes when they react to things.
So the emails that come in hot and they're like, you got to act now or your life's going
(45:30):
to be over and there's all these problems that are going to occur and your accounts
will be frozen and your money will be lost and the package will go back to the vendor and
well, you didn't order anything.
So why are you worried about a package you didn't order?
You don't have an account in that bank.
So why do you care about money being lost?
Like a lot of it doesn't make any sense.
And if you just took a moment to think about it, you wouldn't make sense.
(45:54):
But more than that, it'll say, hey, this is Bank of America.
And if you hover over the sender, it says XYZ.com domain.
It's nothing to do with Bank of America.
Someone's email account was compromised out there.
They called themselves Bank of America and then they sent you an email saying,
you are going to lose this money in your bank account.
But you hover over the sender and you'll learn if it doesn't match the domain and
(46:19):
you're if you're not sure, go Google the domain and you'll see that Bank of America is B of A
or B of America dot com.
And it's not some other crazy named site.
So checking the sender and all the links, never ever click on a link that you're
not sure you should or that you haven't inspected to see that it matches exactly.
(46:40):
And oftentimes it's better just don't click on the links to external websites,
go to Google, bring up the vendor's page and go there manually to log into your
account to see if anything that's in this email makes sense.
But most often you can identify whether it's a malicious attack email or not by
following the training we teach you at CyberHoot.com.
(47:03):
Yeah, it's funny that you say with like go hover over the link.
Uh, this generation probably after me is probably one of the most skeptical of links.
Have you ever heard of being Rick rolled?
Yes.
Yes.
We used to do that to people that we didn't like.
We'd say, oh, this is your bonus for the quarter.
(47:24):
And then it's, you know, right over to Rick Astley.
Yeah.
And so it's just like this very harmless for whatever internet fad that is probably still
going strong, but they would say like, hey, I have this information that you need.
And then like, they'll send out a link and people will click on it and it'll take to
a YouTube video of Rick Astley.
I'm never going to give you up.
And it's like, oh my gosh, I got Rick rolled.
(47:45):
And it's, it's so funny.
So it's like this, this upcoming generation has definitely been
just prepared for, for links that aren't what they say they are.
Just be a little bit more skeptical.
Yeah.
This is great that like you're in this and you're doing your part.
I'm glad there's people out there like you that are, they're pushing back and,
and making a business to help people and to protect themselves.
(48:10):
So to be mindful of your time, I'm going to go ahead and ask you one more question.
And there, there is no wrong answers to this.
It's just something I'm always curious about, curious about when I, when I meet people.
And now I kind of have a more comfortable platform to where I can ask this question.
(48:31):
It's like, uh, this is too weird.
I'm not going to answer this.
But I'm dancing around this question a lot.
I shouldn't qualify it as much as I do, but it's kind of in a human nature to say,
why are we here?
Like, what are we doing in this big existential like human race?
Like, what are we doing?
Why are we here?
And so I kind of narrow it down a little bit more.
(48:52):
And I just say, like, why are, why are you here?
Like, what's your purpose?
Okay.
What do you feel?
Good answer.
Good question.
I'm going to give it some thought, but I have a pretty quick pat answer and it's this.
I can't hear it on my end, but I know your reaction.
I know what it is.
Oh, it's Rick rolled.
I Rick rolled you.
I'm so sorry.
(49:13):
I thought you could fit.
That's a good microphone that covered that out.
That's amazing.
Okay.
So that didn't work, but interesting.
Good question.
Maybe you can add the song in the background to that.
I'll see what I can do.
But, you know, I'll tell you a story about the genesis of CyberHoot that kind of helps
(49:34):
me answer that because I am where I should be right now at this moment in time.
I'm the CEO of a company that is making the world a better place by leveraging
the best skills that I have to bring to the table, to the world.
30 years ago, I graduated with a psychology degree.
I studied what motivates people.
(49:57):
I studied operant conditioning that teaches rats how to do a maze by rewarding them with
treats. Operant conditioning is broken into two things:
positive reinforcement and negative reinforcement.
Positive reinforcement is a treat when you do a behavior that we want to encourage.
(50:19):
Negative reinforcement is like a shock collar on a dog,
stops the dog from crossing that line boundary of your property because
we don't want them to leave the property because they could get hurt.
But they know not to go there because I'll get shocked.
They don't know why.
They don't do something because it's rewarding.
But when I take my dog to the to the dog park to train him to do different skills
(50:41):
and I reward them with treats, he loves it.
He doesn't want to be shocked.
He wants to be rewarded.
Well, in CyberHoot, we teach cyber literacy skills and in particular phishing
through positive reinforcement.
We're the only vendor on the planet doing that.
And I only know this because I've studied operant conditioning 30 years ago in my
psychology degree.
We use a positive reinforcement method to teach the skills of identifying the
(51:05):
components of an email that you need to be aware of to spot when you're under attack.
The rest of the world and industry and companies use negative reinforcement training.
They send fake messages to your inbox.
And if you click, you fail the test and you're assigned to remediation class where you have
to go watch 30 minutes of videos to say, no, I promise I'll never click on things I
(51:28):
shouldn't in them ever again.
But it doesn't teach you the skills you need.
You don't know why you can't click on things.
You don't know how to tell when it's OK to click and when it's not OK to click.
You just never go near the property line and never click on any links.
And that's a real problem in this industry.
So 10 years ago, I founded CyberHoot to say, let me take my cybersecurity knowledge.
(51:52):
Let me take my psychology knowledge.
And, oh, by the way, I forgot to tell you, Brian, I was enrolled in teachers' college
to teach people 20 years ago when my kids were little because I like to teach.
I like to share what I know and give you like hacks on life to avoid the problems that I've
learned the painful way, the hard way, or others have learned the hard way.
(52:14):
And that to me is my calling is to teach people shortcuts to learning the critical skills they
need to make their lives better.
But I didn't go through with teachers college because they don't get paid a living wage.
It's a tragedy that our teachers teaching our kids are not paid more.
I went into cybersecurity and that's where I've been for 30 years.
(52:37):
So when you combine my love of teaching, cybersecurity, psychology, I've created
these skills and this positive educational method of teaching cyber literacy.
This is a very long winded way of saying, how do I know I'm in the right place?
What is important to me is making the world a better place to help people protect themselves
(52:59):
from harm that no one else is teaching them.
You can graduate from any Ivy League school or any school and have zero cyber literacy training.
You might have computer literacy training, right?
How do you operate a keyboard, a mouse, a calendar, email?
You can do all those things, but you can't do it safely and securely and confidently.
That's what we're stepping in to fill that gap.
(53:21):
And we're doing it through my company.
So I'm really excited to be here talking to you today about ways individuals can help
protect themselves because the skills you learn both at CyberHoot and in the phishing
testing and the awareness training and all the different other, there's a bunch of other
topics you need to learn about like USB sticks.
Never take a USB stick you find in the parking lot or elevator or front office and put it
(53:46):
into your computer because that's a recipe for disaster.
We've got a video that trains you why that's bad and what can happen and that you should
never do that.
Give it to your IT person instead.
They'll return it to the proper person or validate that it's a hacker attack.
That's why I'm here.
That's my calling in life is to help.
We want to train a billion people on cyber literacy skills because I don't think it's
(54:09):
right that the third largest economy of the world is cyber crime that is paid for on the backs of
our parents and companies and individuals who through no fault of their own have never been
taught how to avoid these mistakes and are being extorted out of their money.
To me, that's a suit.
That's a terrible crime.
And I'm trying to help solve that.
(54:31):
And I think we're doing it in a way that is positive and enjoyable for a lot of people.
Yeah, that's great to fill a knowledge gap and to leave a mark that's beneficial to help people
live a better life by not having to deal with someone trying to take advantage of it.
Or being able to brush it off and not give it so much attention.
(54:53):
Some people sweat over these emails.
They're like, do I do it?
Don't I do it?
John, what should I do?
I'm not sure what to do.
And they waste.
It's so inefficient.
There's such a lost time.
So we're giving you the skills to quickly and efficiently say,
this is an official delete.
Move on with your day and not even waste your time, let alone your money.
(55:14):
So that's my reason for being.
And I'm making a living salary.
We're working.
We're making a profit at CyberHoot and it's helping me
have a life and be able to do other pursuits.
So it's a win-win-win for everybody.
That's great, Craig.
And I just want to say thank you so much for doing that,
for taking this time to talk with me.
(55:35):
If people want to learn more about you, learn more about CyberHoot, where can they do that?
They can go to CyberHoot.com.
They can go read a blog or sign up for a newsletter at our website,
which is a great way to stay on top of these emerging issues.
We try to cover new threats that come out, new attacks that are out there.
You can sign up for free at CyberHoot.com slash individuals for yourself or other family members.
(56:00):
And we give you some free training at no cost.
Any company that signs up with us is going to get free,
30 days free to evaluate what we do.
We'll onboard you for free.
Yeah, it's a win-win for everybody that takes the time to address this cyber literacy gap
in employees, in themselves.
And it can't hurt.
(56:21):
It's only going to help you live a life online in the 21st century,
where everything is connected.
The internet is foundational to almost every job that's out there, email and communications.
You kind of have to have these skills.
And I'd love to see more schools start teaching these skills.
So I don't have to.
(56:41):
But until then, it's going to be up to us.
Well, yeah, I'm glad that you're up to the task in doing that.
I'll be sure to include some of those links as well in the show notes.
And so people can get in contact with you.
But thanks so much, Craig.
I really appreciate you saying and talking to me.
This was a lot of fun and it was very informative.
Thanks, Brian.
(57:01):
Attention, injured parties of Santa Claus.
(57:28):
A proposed settlement has been reached in the class action lawsuit,
Russo Kaiser Lerner and Ekpoudia v. Santa Claus.
Case number 2:024-SC-01225.
Are you or someone you know a good boy or girl
who was wrongfully delivered a lump of coal for Christmas?
(57:49):
You may be entitled to back presents or financial compensation.
Whether Santa didn't check his naughty or nice list,
the legally mandated minimum amount of two times,
whether it was a simple clerical error,
or you were especially good this year and deserve more presents.
His withholding adds up to a potentially large payday for you.
(58:10):
At Russo Kaiser Lerner and Ekpoudia Group,
we devote our practice entirely to yuletide and improprieties
specializing in Saint Nick negligent case law.
That means you won't find us distracted with chasing ambulances
or putting real criminals behind bars.
Please, don't wait.
(58:30):
Contact us at 833-325-3529
for a free legal consultation and financial information packet.
That's 833-325-3529 or 833-FAKE LAW.
Don't wait.
Let Russo Kaiser Lerner and Ekpoudia Group
turn your lump of coal into a lump sum of money.
(58:53):
Call today.
833-FAKE LAW.