CyberWire Daily - "Hacked Again" author Scott Schober
Episode Date: December 27, 2017
Cybersecurity expert and author Scott Schober shares his personal story of being hacked, and how it set him on a mission to help prevent it from happening to others.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Our podcast team is taking a break this week from the daily news.
But don't fret.
You can get your daily dose of cybersecurity news at our website, thecyberwire.com.
In the meantime, we've got interviews for you this week, some interesting people we've talked to throughout the year.
So stay with us.
My guest today is Scott Schober.
He's the president of Berkeley Varitronics Systems and author of the book Hacked Again.
In the book, he shares his own story of finding himself hacked
and how that began an unintentional journey toward becoming an author and cybersecurity expert.
Well, as a company, we have for many years, and this really goes back to about mid to late 80s,
developed wireless test equipment to build out the cellular networks,
everything to do to make our cell phones
work. So we understand a fair amount about cell phone technology and maybe more particular radio
frequency, how signals propagate. And in the process of all that, we also learn a lot about
the vulnerabilities. And we started to sell more and more to law enforcement groups. We've sold
cellular interceptors in the past to catch bad guys and drug dealers and things like that. So
we've always had a crisscross in that industry. But more and more in probably the past five years,
as we started to develop some of our tools, the focus became more and more on security. Security
because our smartphones can
do everything and they could be eavesdropping devices and can be used for spying of all types.
So in the process of all that, I started sharing tips and how to stay safe and so on and so forth.
Well, the more I started educating people and sharing with different audiences, the more I became a target.
And as I became a target, we started to receive various attacks on our business and myself personally.
And it kind of all started with a credit card, a debit card, our Twitter account compromised,
repeated DDoS attacks to our website.
The list goes on and on. But at one point,
we had $65,000 taken out of our checking account, and it became a federal investigation and a big ordeal. And shortly after that point, I realized, obviously, this is not coincidence when these
things are happening to my business, A to Z, as well as myself personally. And I started
sharing the story with a couple people. And after a while, everyone said, geez, this is an interesting
story. You learned a lot in the process. You really should share some of this with people.
And in the end of it, it became an idea that turned into writing a little bit, which turned
into a book. And I put it out there and got even more attention, I guess, as a result of it, even though that wasn't really my intent.
Intent was really to educate people and share my story of what I learned with the mistakes I made in the process.
So hopefully readers and the audience could learn how to stay safe from hackers because it seemed like the problem was getting worse, not better.
When you look back on those days when you got hacked, when you look at the security measures that you had in place, did you think they were adequate at the time? Was it something that you put a whole lot of thought into?
Yeah, great question. And actually, I'm probably like
everybody else. I thought, I'm not going to be a target. I'm pretty safe. I'm
careful. I wouldn't say I was paranoid back then. I am now paranoid in contrast, but some of the
areas I probably was a little lax in were certainly passwords and many people. And I preach this all
the time now. And yet, if I look back in history, I was guilty of this too.
Using weak passwords, easy to remember.
Reusing the same password across multiple sites is a big no-no.
Was I guilty of that?
Yeah, I'll admit it, I was.
And some of those things, I think, played into making it easier to be a victim and be
targeted by hackers so they're successful.
So we all need to take caution and use long and strong passwords.
And yet we hear it every single day.
But typically when I present at cybersecurity events or business seminars or wherever,
I usually like to poll the audience.
And I find that a good percentage of people, and I would probably say maybe 40 plus percent of the people
still are using weak passwords and reuse their passwords across multiple sites, which
really is concerning to me and should concern everybody that's listening to just stop and take
your time and create long and strong passwords. You would save yourself so much aggravation. Because I always
relate that if you look at all the major breaches, they all have one thing in common, and it's over
80% of them, it's somehow a password was compromised. That means that's one thing in our
control. We can create long and strong passwords that are hard to hack, and the hackers will move
on to the next victim.
You mention in the book that there's a tendency, maybe even a natural tendency, for people to not want to talk about what happened to them when they got hacked.
But you say, no, we should really share these stories.
Yeah, absolutely. And I was no different.
When this happened to me, I was a little embarrassed and embarrassed from
family, friends, work colleagues, business associates, general public. You don't want to
tell people that you have weaknesses or that you let your guard down or you were even targeted.
At one point, I got a phone call. It was actually from the Associated Press and they got wind of my story and said, do you mind if we talk to you a little bit about, you know, as a small business owner and some things about security? And I said, well, we really do want to hear it from you
as a business owner, because other business owners then can protect themselves so they don't go down
that same path. And I said, geez, you know what, if this is going to help one other business owner,
it's worth it, because I don't want anybody to go through the aggravation that I went through. So
that helped me at that moment in time during that interview, I kind of clicked the switch and said, you know what,
maybe it's my mission to share these things, even though it's embarrassing as all means.
It might help other people and they're going to take active steps because I learned how to take
active steps and be more proactive with my security posture. Other people can do the same
without having to be embarrassed or intimidated or even
spend a lot of money for that part. Just using best practices and common sense can do a world
of good fighting cybercrime.
As we go through the book, I mean, you really go through it and
cover most of the threats that are out there. In your mind, what are the top ones that people need
to be wary of?
Well, besides what I mentioned with passwords, I think one that comes up to me almost on a daily basis is just people always asking me about, hey, is this email legitimate?
Is this a phishing attack?
How do I identify it?
So there's a lot of simple things you can do out there just to identify if it is truly a phishing attack.
And basically a phishing attack, for those that are not familiar with it, is where you're receiving an email and it's got an attachment in it that seems extremely credible.
And you want to click on it because you think it's a document from a co-worker or somebody that you know.
And since it's so convincing, you don't even think twice.
So I always caution people, stop, analyze it, ask yourself, is this person going to really send me
this? Am I expecting this? If you're unsure, don't click, pick up the phone, send them a text,
send them a separate email directly, whatever it is, just to verify, take a moment to make sure you're not making a
mistake because they look so convincing. And I'll share a brief experience. This happened not too
long ago. It's not in the book, but I was heading away for vacation and I was just checking my email,
closing down my computer. I removed, disconnected from the internet to be safe because I'm again,
paranoid. But in the process of that, I saw an email come up from my cable company.
And I read it, and it says that I have to update my credentials on their website.
And I'm thinking, well, that's weird.
I never go to their website.
So I was about to click it, and then I stopped and said,
and somewhere in the message it said,
otherwise we're going to have to shut your cable off.
And I said, oh, it'll be a mess to get that back going again.
And I said, wait, this makes absolutely no sense. I don't pay my bill through their website.
I don't log on to their website. Why would I click on here? So I figured, let me
call their 1-800 customer support number and mention this. It looks like it might be a
scam. I get the customer support representative on the phone. I said, miss,
I said, I received this email. It tells me to click, update my login information there, or my cable will be terminated.
I said, this makes absolutely no sense.
And she goes, oh, no, no, sir.
That's a standard email.
Just make sure you click on there and follow the instructions and update your username
and your password.
I just got off the phone with somebody saying the same thing.
And I said, wait, stop.
I said, this is a scam.
She goes, no, it isn't, sir.
I just got off the phone with someone.
I said, put your manager on. The manager comes on. I explain the whole thing. He goes, thank you, sir. We're going to have to talk to her and give her some more training about email phishing scams.
And it was about, if I followed through and clicked, and the average customer probably would do that because it sounded so convincing.
She was just misinformed.
But you could see how you can go down the path and things sound too good to be true and seem like they're innocent and okay.
You click on there, and certainly what would have happened, more than likely, I would have probably had malware downloaded on my system or ransomware or whoever.
Who knows what could have happened there. But fortunately, I stopped. So half the time, best practice is to stop and question things,
make a phone call, investigate it, take your time. Otherwise, you could be the victim of ransomware or a specific malware that gets downloaded onto your computer.
The book does a really good job of explaining all the different types of attacks, and one of the things I like about it is it's really approachable,
even for people who may not know much about the security world.
For those of us who are professionals, who are in the security world,
what kind of take-homes would they get from the book?
Great question.
I try to balance that from somebody that's truly a novice
to somebody that's really more maybe an IT professional,
somebody that has knowledge about cybersecurity.
Those that have knowledge, I think what they'll probably find, and I've heard a couple people say this,
yeah, we know it, it won't happen to me.
But again, it's going to make you stop and hopefully back up and think a little bit deeper and analyze things.
So again, if you're creating what you think is a long and strong password, for example,
even if you're a cybersecurity expert and think, well, this ain't going to happen to
me, this is 12 characters, maybe you want to take the next step.
Maybe you want to consider using a password manager, or perhaps you want to test the validity
and strength of your password.
So it's hopefully pushing people, even with expertise,
to go a little bit further and make sure that they're putting up their defenses so that they're
not going to be the victim of a cyber attack. And hopefully those that are savvy and do understand
the world of cybersecurity and educate people, they might back up and think, well, you know what,
if this happened to him, maybe it can happen to me and I shouldn't
be complacent. I shouldn't be in denial. So a fair amount of this is psychological. We have to almost
get into the hacker's mind and understand what is their intent, what's their motive.
And when we can understand that, we can then transition and say, okay, here's what I could
do to make their job difficult. It's not going to be
impossible because everything is hackable in my opinion. Nothing is 100% secure. We have to go
in with that mindset so we can take steps. Again, whether we're novice or whether we're an expert,
we have to take proactive steps to make their job harder. When we do that, they will move on to the
next target every single
time. Because generally, as a statement, hackers are lazy. They're looking for that low-hung fruit.
They want to move in, they want to get out, and they want to cover their path and not be detected
so they can accumulate whatever they're accumulating or stealing.
As you were making your way through the research process for the book, did you come across anything that was particularly surprising?
I think thinking back as I was writing it and I was able to somewhat relate it to different things throughout my life,
I was surprised at how many other people I talked to in the process that were going through similar pains.
And I kind of thought at
first, well, this is just happening to me. But I was sharing the story as I was writing it. And
then people would kind of comment back and say, you know, yeah, I had my credit card compromised
too. You know, I had my debit card. What a pain it was to get the money back in the process. And
I asked the bank and they didn't provide
information. So what I found was in my one story that I thought was very isolated and targeted,
which it was, there are thousands of other stories of consumers and business owners and so on and so
forth. So what I realized, I am not alone. And there really is strength in sharing information. And that's the
number one thing that came out of this. The more I share, the more people share their stories back.
They share their tips, the products they use, what works and what doesn't work. And why is that such
a valuable lesson? And I think I touch on this in the book. In the world of cyber thieves in the dark web, they share
information often freely: effective hacking campaigns, effective hacking tools, know-how.
That sharing of information empowers them to be very effective at hacking people and very
successful. But yet on the surface level, with consumers
and small business owners, government agencies, real, you know, retail, everyone,
we don't share enough information. One small business owner may be compromised
and keeps that a secret. Well, the guy across the street may be suffering the
same thing or may have those same vulnerabilities. If we collectively as a
community of good guys share this information,
we come together, we will all be safer. So that was a great takeaway that as I got into the process,
I again started out as an island, but then I think I kind of opened up the floodgates of,
and I get literally today, I just got off a phone call before this. People were asking for advice,
asking questions.
What product do I use?
Would I be willing to try this and give them their feedback?
I enjoy that.
Hearing from different individuals their experiences, good, bad, and ugly, keeps me safer, my business safer,
and hopefully I can share these things back with the greater community to keep everyone safer.
Our thanks to Scott Schober for joining us.
The title of the book is Hacked Again.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.