Lessons

Lesson Info

The Art of Digital Self Defense

I want to let you understand how hackers think, and if you understand how they think, then you can anticipate what it is that they're going to do, and most importantly, you can protect yourself. So you need to think like a bad guy to protect yourself from a bad guy, and for some of you, that will be very, very easy, to have that criminal mindset. For others of you, you'll have to work at it a little bit, but I'm happy to point you in the right direction. So let's go into the hacker mind, and the first thing you need to understand about hackers is this, hackers gonna hack. That's what they do, that's their fun. They do this for fun, they do this for enjoyment, they do this for the personal challenge of it, and of course they do it for financial means. And increasingly, this is a job for people, right? There are hundreds and hundreds of thousands of people around the world who get paid to be white hat hackers, meaning that they're hacking for good, or black hat hackers, meaning that they...

're hacking for criminal purposes, or gray hat hackers, who are doing something in between. So this is, you may go work at McDonald's or at Walmart, or in a doctor's office, or as a teacher, this is their full time job. This is what they do, and so, you just need to get into their mindset. Now I want to go ahead and set your expectations, there is no such thing as perfect security, right? You know, you can think you've got great security, think about again World War II, the Maginot Line. We're gonna build this big wall and huge defenses, and then people are just gonna walk around the other side, where there aren't big walls and defenses. The thing you need to understand about security generally, and in particular about cyber security is that with enough time, energy, effort, and resources, any security can be broken, any computer can be hacked. So there's not perfect security, but there's damn strong security, and taking all the steps that we've discussed this far, is gonna get you there. The trick is not to be the low hanging fruit, right? This can actually protect you quite a bit, as I mentioned previously, if you've got a great two or three deadbolt locks on your door and your back door is open, or your garage is open, or your window's open, that's obviously where the bad guys are going to go. And what you want to do is give the appearance of being a difficult target. I worked a lot of auto crime back in the day, these are not that hard to get off, but if somebody wants to do a burglary for a motor vehicle is walkin' down the street, then he'll say, meh too much trouble. There's another car, I'll just go break into that one. That's where you wanna be, and I'm reminded of the old joke, there's two hikers out in the wilderness of Alaska, and all of a sudden they see the bear, and one of them turns to the other and says, oh my god, it's a bear, we'll never outrun it, and his friend turns to him and says, I don't need to outrun the bear, I only need to outrun you, okay? And that's the trick here. You guys don't have to be perfect, you just need to be better than everybody else, which frankly is not that hard to do, and you can outrun the bear that is the hacker out there. And the reason why you want to do this, and to build up your own skill set, is because there's no such thing as a cyber cavalry. There's no troops that are coming to the rescue. Take it from somebody who's worked many, many years in law enforcement, if you dial and say, operator will say what's your emergency? You're like, I have ransomware on my computer, sir stay where you are, don't move, we're sending the SWAT team, they're en route to your house right now. This is not how that works, they're gonna hang up on you first. If you call back, they'll probably prosecute you for bothering them. So you need to learn how to do this, you need to do it yourself, and if you do that, then you can protect yourself. That's why I talked about cyber judo, you're on your own, there's a big, huge opponent out there, learn how they operate so that you can use their own weight against them. And that's why I again wanna mention, that there are so many good resources in this class, actionable tools as Lara was mentioning, particularly in the workbook, the resource guide, the infographics and the like, they'll give you specific things to think on. But today what I want you to focus on in this particular lesson is the human factor right? Most people when they think of hackers, they think, oh they broke into my computer. There are definitely lots of criminals that will try to subvert your technology, but there's a much greater number of hackers that are going to try to subvert you, your technology, the human technology. It's something called social engineering, and it's incredibly easy to do, we see it all the time. Remember earlier in another lesson, I mentioned the example of testyourpasswordstrength.com, I'm making that up, but basically, enter your Bank of America email address and your password, and we'll tell you how strong it is. That's a social engineering trick, right? They didn't infect your computer, they didn't put ransomware on it, they just tricked your mind, they hacked your mind if you will. So I talked about software firewalls, I talked about hardware firewalls, now it's time for the human firewall, right? This is you. This is where you get to step up. You are the most powerful tool in preventing cyber attacks, there's only one thing you need to do to become that human firewall, you need to turn this on, right? If you have one of these, I strongly suggest you use it, and it sounds like a joke, but if you've investigated some of the cases that I have, your mind would quite literally, would be blown at silly people tricks. And I think it was our 16th president who famously said, "Don't believe everything you read on the Internet." Right? Because it may not be true. It's easy to trick people. And just to underline this from a research perspective, back in 2014, IBM security research did a phenomenal study of again, millions and millions of data breaches, and here's what they learned. 95% of all security incidents are as a result of human error. Any humans in the room? This impacts you, this is you. And so in order to help you slow down and deal with these threats, I offer you these three words, Stop, think, and click. Whenever you're doing stuff online, stop, stop. Think for a second about what you're going to do, and then, and only then, click, because once you've clicked, it's too late. Please repeat after me. Stop. Stop. Think. Think. Click. Click. Alright, stop, think, click, just remember those words, and you can avoid lots of silly incidents right? That you may do, people do silly stuff all the time, and for those of you who's natural inclination is to believe everybody all the time, ask for help from people that you trust, right? Go out there and get a little confidence boost in your common sense, 'cause you need it. And there's a great chasm between people who work in technology, particularly IT support, and the end user, right? You've all had to call the tech support guy or gal at work, and how do they usually make you feel on the phone, right? Like you're an idiot. They talk down to you, they treat you really, really poorly, and of course, they refer to you as user, right? No other industry, except for drug peddlers refer to their customers as users, but this is how the IT industry views you, you're a user, which means you're a pain in the butt to them. And when you call them and say, I have this big ransomware screen, you know, and I've been attacked. The first thing they're gonna do is blame you. In fact, they actually have a name for these types of technological security incidents that pop up, they refer to it as picnic, this is what they call, oh it's another picnic. What does picnic mean if you work in the IT help desk world? Problem in chair, not in computer. Okay? They're trying to tell you, it's not a technological problem, it is a human problem. And to prove again that people do silly, silly human tricks all the time, there was a study that showed that 7% of Americans post their social security number in their Facebook profile, right? Don't do that please. In fact, if you're going to do that, leave, leave now. Like I can't help you fix that. If you think that's a good idea, I don't know, I really don't know what to say. Don't do that. And we see examples of social engineering all over the place. There's a late night host who does a great bit where he stands on Hollywood Boulevard with a microphone, and he walks up to strangers and says, uh hi, we're doing a test on password security and we wanna let you know how strong yours is, what's your password? And like 10 out of 10 people of all ages, shapes, and sizes give up their password right there. One guy, one guy resists, like no, I can't tell you my password, and the female reporter says, well but we wanna let you know how strong it is, and he goes, oh okay. You know, as long as that's the reason, I'm happy to tell it to you. So focus on limiting how much information you're gonna put out there. Every bit of data that you share can and will be used against you, not in a court of law, but by hackers, keep that in mind. And today, we have a huge problem with oversharing, and you're leaving these digital breadcrumbs all of the world, and hackers are picking up everything that you're throwing down, and they're gonna use it against you. Now one of the most common types of social engineering attacks is the one that comes in over the phone, right? And you've probably seen these videos before, where somebody will call you up, maybe in the workplace. Hey, this is Fred from tech support, are you having trouble with your computer at work? Uh yeah, 'cause we all have trouble with our computers at work, and they never work. Oh great, good, yeah, we need to go ahead and reset your password C++, JavaScript, Bitcoin, Blockchain. Oh, okay, that sounds serious. Well what's your password again? What's your username? And just by trying to trick people, to engineer them socially, by making them feel bad, they're able to get people to give up data, right? Use common sense. We're getting huge numbers of telephone calls coming in, both on phones, and also in Facebook. People are getting telephone calls, hi this is the IRS and you owe us $50,000,0000, and you have to pay. One story broke recently, there's a lot of outsourced overseas call centers, in the Philippines and in India, and the FBI working with Interpol, a couple of months ago, took down one of these call centers and arrested 600 people. So this was a legitimate call center during the day, doing work for airlines and banks, but at nighttime, organized crime took over the call center, used all of the infrastructure, and these 600 people were pacing outbound calls, pretending to be from the IRS, and they were getting very, very threatening with people. You owe us, you have to pay us, blah, blah blah. If you don't pay us, we're gonna do all this bad stuff. And there's such obvious things of why you shouldn't believe it. First let's deal with caller ID. Just because it says your doctor on the phone, just because the caller ID says FBI, IRS, Wells Fargo, doesn't mean it's actually them. It's super easy to spoof a caller ID. Don't believe what you see showing up on your phone. If somebody calls you and pretends to be from your bank and asks you for your account number, get their name, get their phone number, get their extension. They almost certainly will hang up on you by then, because it's a scam call. If they do give you all that information, don't call them, okay? That's just for your own reference. If you get a suspicious call from somebody who says they're at the IRS, or they're at the Bank of America, go to the back of your credit card and look at the phone number, or go to the IRS official website, or her majesty's revenue, or whatever it might be, and call the legitimate 800 number and say, hey did you call me? And nine times out of 10, they'll say no, we didn't call you, which means that somebody was trying to scam you. One of the oldest scams out there is the old Nigerian scams right? It's like, oh I'm Chief Mohammed Abacha, and I wanna make you a billionaire, all you need to do is put up $300,000 cash up front, and I'll send you your million dollars. This has been going on since the days of postal mail, the 419, 419 is the Nigerian penal code section for fraud, so that's why these Nigerian scams, or West African frauds are called 419 scams. And then they went from paper to fax machines, and of course now, it's all email. And millions and millions of people fall for this every year. The other most common type of scam out there is something called phishing. And if you don't know what phishing is, let me tell you this, you really don't wanna feed the phish, in this case spelt phish, 'cause that's the hacker way. What is a phishing email? It's something that shows up in your inbox, it could also be a text message, it could also be a Facebook message that shows up, and it'll pretend to look like it's from a legitimate company, and they're gonna go ahead and say to you, hey, there's a problem with your account and we need you to fix it, and click here, and enter in all your information, and it'll fix everything. But if you know where to look, there's a ton of clues about a phishing email. Now many years ago, these were written in really, really bad English, so they were easier to spot, but the bad guys are getting much better. But let's look at a few examples. The email address, if you look at it, comes from management@mazoncanada.ca, the A is obviously missing here. It's not being addressed to Kyle, or Aaron, or Sarah, or Joe, it's addressed to Dear Client, very, very generic, that's another clue. Then they want you to do something, and they always want you to click on a link, either to infect your computer, or to get you to go ahead and enter your personal information. One of the best ways to know where you're actually going is to hover over this, and rather than it being Amazon.com, you'll see that in fact, the link takes you here, and I'll show you more clarity what that looks like. So this is clearly a phishing email. Another one might be from your bank. Oh, we're from customer service, super generic, sign into online banking, and its like, blah, blah, blah, your big bank, but then if you hover over it, you see it's not your big bank, it's at securityinfos.com. And some more examples, look at this, you'll see a link really quickly, citibanks.com, right? It'll be plural. Or one of the other tricks that they'll frequently use is they'll put a zero instead of an O to trick you. And these arrive in your mailbox all of the time. If you get an email, a text, a status update, some sort of Facebook message that tells you click here to do something, almost never do it, right? I know that sounds crazy, and it sounds crazy because we are all so dependent on these links and documents in our world, but your default setting should be not to click until you stop, think, and then click about it. And be really suspicious of things that are like your invoice is overdue, right? They're gonna use tactics to socially engineer you, to make it sound really critical. Basically, phishing emails will often scream at you. If you don't do what we say, your account's gonna be closed, your credit report will be screwed up, immediate action required, create urgency now. Your package will be returned to FedEx unless you click here to track your package. As I mentioned previously, the tactic they against us is hover, don't click. If you take your little mouse and put it over a link that looks like it's from Bank of America, the link will change colors, and you'll see the actual link here. So hover, don't click, that's a great way to sort of anticipate what these scam emails are all about and to look at their addresses. An other thing to keep in mind, the amount and volume of email has grown over the years, and at it's height, 90% of email a few yeas ago was spam. Nine out of ten messages sent are spam. Today, the spam filters are getting a little bit better, it's down to about 60% of total volume. That still means that there's a better than 50/50 chance that all the email that is arriving in your inbox is bogus, treat it as such. And as I said, people are now reaching out on social media and other types of links and text messages, so don't fall for it. When in doubt, throw it out. That's the simple trick for all of these things. And again, slow it down, because speed is your enemy here, before you click or give away any information. And I want you guys to think again, this is where you need to use that brain thing that I was talking about, that many of you are equipped with. You need to own your personal data, there's no limit to how much data big companies want on you, governments may want on you, hackers may want on you. You don't have to say yes. If you try to set up a new account and it's like, oh free solitaire, have your username, email address, mother's maiden name for my solitaire? Blood type, sexual partners, how much do you make, favorite child, right? You don't have to say yes. You don't have to answer these. Clearly we are living in the era of fake news, and at the same time, we're living in the world of total data surveillance. Any truthful answer that you give to those questions, like for your free solitaire game, will be shared amongst hundreds, if not thousands of big data brokers, and you never know when it's gonna end up, which means that data can and will be used against you in the future. So I am personally going to give you permission to fudge. Take the politician's approach to things. If somebody goes ahead and asks you for information that you don't think they should have, don't answer it, make up an answer, give them an answer that would be unanticipated. If they ask you what middle school did you go to, put in Josephine. If they ask you what year you were born, put in Philadelphia, plus a whole bunch of other stuff, right? In other words, your answers should not make any sense, they're only for the purposes of authenticating that one site, and all of these additional information questions, if you have to answer them, can all be tracked in an app like Dashlane, so you can refer to them later and don't forget what you made up for each site, because you may need that. But again, you don't have to answer, you can fudge. Just because they ask it for your solitaire game, you don't have to give the information. So, let's take a second to review this section. Hackers are gonna hack, you should anticipate that. You are your own best self defense, think about passwords, downloads and admin. If you've got great password management, watching what you're downloading, and you're only using an admin account that will help you. Stop, think and click, and back-up, back-up, back-up. All these things are gonna give you that 80% better, more secure life, 85%, 99%, depending on the circumstances.