Other Tools and Tricks of the Trade
I wanna quickly review the tools that are available to you. Again, use the right tools, drop your risk by 85%. Small steps can make a big change. We talked about Dashlane and 1Password, I really like them. Check on your security status with them. You can go to the New York Times website, again, this is in the book to see how many you've been hacked. You can go to Have I Been Pwned to see if your specific email address or account has leaked. There is the email address for it. To turn on two-factor authentication there's Turn On 2FA or twofactorauth.org. Use two-factor authentication, not as much with SMS or text messages, instead try using an encrypted app like Google's Authenticator. Use a biometric encryption on your phone when you can. If you're going to be plugging into a public network definitely use a USB condom or the PortaPow, as they're more precisely called to protect yourself from those risks. If you have to use an administrator account only use it when you know that you need to and be sure that it's necessary, encrypt all the data on your hard drive, use FileVault on Macs and BitLocker, SpiderOak for individual files in the cloud. If you go to this website and use the code futurecrimes.com you get a discount. Signal and Telegram for encrypted chat, Proton for encrypted mail, EFF, great organization, highly recommend them, offers free HTTPS Everywhere to encrypt all of your browser traffic. When you need a VPN, NordVPN, TunnelBear, IPVanish are all well-regarded and recommended. If you do unfortunately get hacked with ransomware nomoreransom.org may be able to help. Turn on automatic backups locally through Time Machine and in Windows, if you need the cloud service use IDrive or Backblaze, this is a great extra, extra backup plan. Hover, don't click, it's okay to fudge when somebody asks you overly personal information. Cover your cameras, cover your cameras, cover your cameras. You can find things like this for sale on Amazon really cheap; that will give you enough stickers to cover all of your cameras. For your home devices and your smart things use a smart firewall like Cujo. That was a lot of stuff, okay, there's a lot of stuff. It's all in the Personalized Digital Protection Plan if you buy the course. Just to put things in perspective, yes ma'am.
Trying to get some questions in if we can, is that okay?
Fantastic. We have lots of questions from people watching online and we'll also see if anybody in the in-house audience has anything. Emily says, "Hi Mark, I have become aware that the latest viruses specifically infiltrate the computer's registry file, which protects the virus and enables it to survive the hard drive reformat. How can we check the registry to see if it's infected?"
That is a great question. I presume that person is on a Windows computer. That is more common there. That's really hard, there are some system administrator tools that will do that. If you believe the registry files are basically at the core of the computer and so if a registry file gets infected or if the firmware at the boot sequence gets infected, even if you re-wipe your drive, because the boot sequence is infected, every time you boot that virus will be reinstalled back on your computer. That's like computer Ebola, it's really, really hard to get rid of and very, very consequential. In those cases I hope and pray that she has a backup and I would throw away that hard drive. I would just get rid of it and start from scratch and double check that that same bug doesn't exist on her backups and if it does, just keep on going back and back until she doesn't have that.
Also, Mary had said, "I, unfortunately, fell for a fake Dell scam on my computer and now should I wipe out the hard drive info or replace the hard drive and start fresh?"
I'm sorry, what kind of scam was it?
The fake Dell scam.
Spell that word.
Oh, so like the computer company, ya, you'll see lots of scams out there. Basically again, thinking like a hacker, hacker's gonna hack, they're gonna try to socially engineer you to go ahead and get you to believe that you're talking to a trusted party, so if you've got a Dell and you get the Dell scam, you may go ahead and click on it. How many of you have gotten phishing emails from banks where you don't have an account, right? That happens all the time because the hackers are doing a shotgun approach; maybe you do have a Wells Fargo account, so they're gonna go after you and try to infect it. If you have a Dell computer and you fall for the Dell hack there's a whole series of tools, you may wanna call Dell to see what they have, then maybe when you actually do need an anti-virus the safest bet is just to have your data backed up in all the different ways that we talked about and safely restore it, assuming that there are no viruses that you've backed up.
And somebody had asked, "Are connected portable hard drives for backup also vulnerable to hackers and ransomware?"
Yes, and no, it depends on what you mean by vulnerable. If you're backing up an infected machine there is an excellent chance that you will back up the infection. That's the beauty of something like some of the tools that both Apple and IDrive and the others use, is that they do multiple backups in time, like sometimes at five minute intervals, sometimes at 24 hour intervals, so hopefully you can always go back to a clean version that is not infected. The good news about the portable USB hard drives is that they're not online, so if you go ahead and you copy that data and you store it in your safety deposit box or at your mom's house or at your son's or daughter's house then, because they're not connected, assuming that's a good backup, at a minimum, even if you've backed up a virus you should be able to still extract your data files. So even if the overall hard drive is infected, you still should be able, under most circumstances, to get your pictures, your photos, and your documents.
That perhaps links into one last question from online for the moment, "Is there a way to clean up past spyware and malware?"
There are tools out there, I think in my personal opinion, it requires a relative expert level of knowledge and use to do them. If you use something like Norton Utilities, or Symantec, or Anti-Virus, they have some very good and capable tools. The trick is they've said you have a virus. Now they say you don't have a virus. How do you actually know? What's the provable data point to show it to you, and because criminals have gone after these tools I get very concerned about them, so the best way to do it, and one of the reasons why some of these anti-virus tools are not number one on my list as they are for everybody else's and in fact, they're not even mentioned on my eight things to do is because it's not been proven that they will work long term particularly with this five percent detection rate, that's why the administrator accounts, the turn off, the updating your software, all of those things work so much better with much, much higher percentages of success.
Actually, one reoccurring question as well is people asking if there's anything that law enforcement can do to help victims of such crimes.
I would love it if it were true, having spent my career, I showed you the old black and white police car and the protect and serve, and one of the reasons why I got into this field of high-tech crime is that I saw law enforcement failing the public. We did a really good job most of the time in real world crime; sexual assaults, murders, burglaries, we knew how to do that, we had special crime scene tape that was yellow and we could put up and we could all stand in a circle and look really important while we were waiting for the coroner and things like that. We have systems in place on how to do that. When it comes time to digital crime we are so far behind and there's one thing that I say all the time when considering law enforcement, and that is this: The internet broke policing. Up until the internet almost all crime was local. You had your cop, you had your victim, you had your perpetrator, you had your judge, and you had your prosecutor, all in the same city or county. It was a lovely system, and it worked really well, but many of you, particularly those of you with legal backgrounds will know that international law is really, really slow moving, and the fact of the matter is, each nation has sovereignty, thanks to the Treaty of Westphalia, which means that even if you're in New York City and you're victimized in New York City, and you contact the New York City police department, and they do an investigation and your suspect, Igor, is living in Moscow or in Sao Paulo, the New York City police cannot make an arrest overseas. The FBI can't make an arrest overseas. If they try to use all of the legal tools at their hand, international subpoenas, and all these other documents to go ahead and try to get information from a foreign country, a) the foreign country's under no compunction to comply, and two) it can take years and years of paperwork, so I'm trying to get evidence from a server overseas, take me one or two years to get it. 
The bad guys can go ahead and change IP addresses in a second, so structurally, law enforcement, given the nature of international law, as much as they might want to help, have very, very limited resources. I think I wrote in Future Crimes that I believe that probably one out of every ten million cyber crimes is actually prosecuted, it's that rare. And they don't have the resources, because all of these investigations are super expensive, that's why prevention, prevention, prevention, it's great that we have treatment now if you've had a heart attack or if you've had a stroke, or you get diabetes, but the always-better answer is don't have a heart attack, don't have a stroke, and don't get diabetes, and the same is true here when it comes to your own personal cyber hygiene, and that's why I hope the tools that I've shared with you today and the research provided to help explain how effective these are will go a long way to protect people.
Just a few more great questions if you don't mind; Loraine said, "Is there any danger to unsubscribing from emails?" I know I love to purge from that list of emails that you just don't want to receive.
Right, there's a couple different ways you could do it, again, 90% of email is spam, maybe only 60% today. You have to look at the links, I would certainly hover over them. There are services that actually will do it for you, there are, believe it or not, Chrome and Gmail plugins that will analyze your inbox, go through them all and show you, "Oh, you're subscribed to 63 different newsletters. Would you like to unsubscribe from them?" There are tools like that, I have not validated them, I don't know them, I can't speak for them positively or negatively, they sound convenient, but they could be bad news, right? Cuz in order for them to unsubscribe you may have to give them access to your email account which sounds kinda dodgy to me, so you can investigate tools like that. If it's something that you know you subscribed to yourself and you want out of and the link is good and legit, I don't necessarily see a problem in doing that. You can also sometimes just call up the association or group on the phone and tell them you want out.
Okay, and Gary says, "Should you use a private or incognito window in your web browsing?"
You can, most of the browsers, Firefox, Chrome, and the others, have something called incognito mode or private mode, which are meant to shield and secure you by sharing less information with the websites that you're visiting. If you just use your straight browser from your home network and go to CNN, CNN can tell a ton of information about you, what type of computer you're using, what browser you're using, what version of the software you are, what your IP address is, who your ISP is, etc. By reading the cookies on your hard drive they know the 3,500 sites that you visited before them, they'll know the site that you go to after them. Privacy mode or incognito modes are supposed to protect against some of that stuff. In the same way that a piece of cardboard could protect you from a bullet, if it was a really, really thick piece of cardboard, it's possible that incognito mode could reduce slightly some of those risks. I don't put my faith in it, no serious security researcher does. Instead, by going ahead and using either different software or using a virtual private network; there is another tool out there called DuckDuckGo, which is a search engine and some other browsers that you can use which have higher privacy and search features, but the best way to protect yourself rather than incognito mode or privacy mode is to actually use that VPN and to clear out your cookies and cache and all that stuff.
Okay, Rick also said, "For those who have already been compromised, including fingerprints," we'd mentioned obviously earlier on in the class about fingerprints, "are there suggestions for what you could do if that information has already been compromised?"
Yes, get new fingers. (laughs) Highly recommended. No, that's the problem with biometrics. If your credit card is hacked you can change your credit card, if your social security is hacked, theoretically, after a lot of work, you could get a new social security number, you could reset a new password, you can't get new fingers, you can't get a new iris, you can't get a new face, except in Beverly Hills, and other such places where there are plastic surgeons that will do that for you. You're kind of screwed, and we've had a lot of biometric data leak recently. I believe it was in the Philippines, they had a national voting election that had biometric data leak. In Israel there is a database available on the dark web, the Israelis, as part of their national identity cards have fingerprints and other biometric data, that data was hacked by a disgruntled employee and is now all available on the dark web. This is why, by the way, if you're asked to give your fingerprint somewhere, ask a lot of questions. In New York I know that there's a very, very large hospital there that the only way for you to log in as a patient is with your finger. I don't go there. There's a gym in the United States called 24 Hour Fitness. They want you to log in with your fingerprint. I don't want the guy who cleans the showers and racks the weights to be in charge of my biometric security, so I do my gym-ination elsewhere rather than going there. It's up to you to put a limit to that. The fact of the matter is hackers gonna hack, and companies are gonna take every single last scrap of data that you're willing to give up, knowingly or unknowingly, whether it's the information that you speak, your biometrics, and the next one that's coming down the pike is genetics, okay? I could do a whole hour chat on genetic privacy and some of these tools like 23andMe, and Ancestry.com and their terms of service, so that will be the next battle and frontier.
Step one is to guard assiduously what you can, and then there are companies and individuals that you can reach out that can try to take down some of your exposed data from the dark web, and they will do that, but it's very, very difficult.
Last one from me, "How much more effective is a hardware firewall for my home network other than a software firewall?"
It depends, for example, what versions of Windows are you using? There are third party software firewalls, like from Norton and Symantec and those types of companies, so the variety and quality varies enormously, but within cyber security and security in general there's this concept of defense-in-depth, which means that you don't count upon just one thing. If you think about a car, for example, that's security-in-depth. There's a speedometer, and they limit how fast the car can go, and then there are seat belts, and then if the seat belts don't work we've got airbags, and if the airbags don't work then we've got the crumple-resistant metal frame and the concept of security-in-depth, or safety-in-depth is absolutely something that you should do, and I really appreciate the question because it gives me the opportunity to make this point: All of the security tricks that you learn today, all of the tools that you now have at your disposal, are cumulative, so it's not just that you're getting 85% better over here, and 95% better over here, and 35% over there, but each one of those steps adds up and gives you defense-in-depth, so the fact that you're downloading carefully and using a VPN, and updating your software, and not using an administrator account, that's defense-in-depth. Again, with enough resources, energy, and time, anybody can break into your computer, but once you've done that your side of the street is clean. You can go on and focus on baking, or going to the gym, or going out for a run, or playing with your kids. Get this done, be over with it, and move on with your life.
Great, thank you very much. That's definitely answered lots of the questions that we've had coming in online. I'll let you continue (laughs)
I shall continue. One thing I didn't really talk very much about was my book. We've probably shared a few hours together today and I really appreciate all of you who have shown up here in-studio and those of you who are showing up online, and I mean that quite sincerely, but one thing I realized when my book came out, it was a couple hundred pages, and they created an audio version of the book, and when I did part of the audio narration and then a real professional voice-over dude did the other 20 chapters or so, when you added it all up, the book was 22 hours. In this book is 22 hours of information about cyber risk. If it's interesting for you, you can pick it up on Amazon or Barnes & Noble for about 10 bucks, but there's a lot more information than I'll ever have time to get to in a class like this in that book.
For those at home, if you're looking for the book, this is what it looks like. As Marc had mentioned earlier it's translated into how many different languages?
20 or so, yes.
20 plus languages, with different covers I'm sure, so this is the one you're looking for in the store if you would like to grab a copy. Also, just wanted to ask you how people could find information about you online, if they want to follow you on social media or get in contact.
Well, I'm not online, it's too dangerous, (class laughs) I don't do any of that. No, joking aside, professionally I am online. First here at Creative Live we now have this great class, and come back and visit it, and enjoy it and all of the resources that we've made available for you. I do most of my communication on Twitter, so I'm @FutureCrimes, follow me, lots of people do, that's a great place to get late-breaking news of amazing new threats that are fairly mind-blowing and should really help you understand the rapidly-evolving nature of the threats. You can go to my personal website marcgoodman.com, Marc with a 'C', goodman.com, and you'll see lots of information there about my speaking gigs and the various events that I'm gonna be appearing at, and also lots of interviews and good information on how to protect yourself, so @FutureCrimes, marcgoodman.com, via the book, and of course, Creative Live.
Yes, and just to take a little bit of a closer look at the extra content that we're giving with this course as well, we can get into that a bit for the infographics and other information.
Absolutely, and I'm really, really quite excited about what we're able to create together, myself working with Creative Live, because this information works, it's really, really cool and it will make a difference. I just wanted to end with a few final thoughts, the first and most important is one of perspective. Today we spent an awful lot of time talking about technology is bad, technology is evil, you can be hacked, this can be hacked, that can be hacked, criminals are gonna do this, governments are gonna do that. A little perspective is in order. Let's talk about technology broadly. Fire is a technology, it was the first technology. You could use a fire to heat up your cave, you could use it to cook your food, or you could use it to burn down the village next to yours. Man's tools, mankind, humankind's tools have changed and evolved, but they can always be used for good, and they can always be used for ill, but I wanted to enlarge our perspective for a moment and just say, let's not lose as a result of this class the amazing positive things that are coming into our lives as a result of technology, right? Technology's going to bring a billion people out of poverty in the coming decade. It's going to radically extend human life, it's going to reduce infant mortality by 90%. Technology is awesome, I love technology. But there are risks and I want you to be aware of them, and I want you to be armed to be able to protect yourselves, your family, and your money, and after this class I think that you now are. I personally wanted again say thank you, I wanted to congratulate you, you stuck it out, you made it, everybody survived, which I'm really, really glad to see. You did a good job, you asked really, really good questions, both the audience here as well as the online audience. Thank you for all of those great questions. 
You vastly increased your cyber security IQ as a result of this, and in effect, you have now reached cyber security enlightenment or nirvana, so take some peace in that, and think about that. You also have become somewhat of a guru. Think of all the new things that you've learned today. Think about how many of the things you didn't know. Now think about all the other people in your life who don't know this. You have a responsibility; go out there and help them. Go help somebody, go teach friends, and families, and coworkers. If you're a parent share this information with your children. If you're a child share this information with your parents and your grandparents, seniors face so many online scams out there because they didn't grow up with many of these technologies. Help them, share it, know in yourself that you can do this. You have all the tools you need now to do it. (speaking in foreign language) Yes, you could do this too, everybody can do it. You've got this, you've got this. I have faith in you, I know you can do it, now all you need to do is go make it happen. It's up to you. I've shared the knowledge, it's up to you to implement it, and with that I'll say thank you all very much. It's been my honor to be here with you today, thank you.