EP 2: Shielding Sensitive Information 02.08.25


Matt: So, storing a password in a text file on their desktop is okay.

You're listening to the Cyber Secured Podcast, helping you become safer in every way.

Now, your hosts, Matt and Attila.

Attila: Hey guys, welcome to the Cyber Secured Podcast.

Attila: I'm your host, Attila,

Matt: and this is Matt.

Attila: All right.

Attila: Well, this is our next episode.

Attila: We're going to talk about a very interesting topic that no one likes to talk about, but we have to deal with on a pretty regular basis.

Attila: It involves a touchy subject.

Attila: So, who here has ever stored something in their email that they know that they shouldn't be storing in there?

Matt: Like a password.

Attila: Or someone emailed you, like, I don't know, their driver's license, or they say, Oh, here's a picture of my birth certificate.

Attila: And it kind of sucks because we can't seem to stop this behavior.

Attila: It happens everywhere.

Attila: There's HR companies that, you know, say, Oh, hey, you've hired a new employee.

Attila: No problem.

Attila: Just email over their, you know, their critical employee docs with their social security numbers on there.

Attila: We've had the, you know, insurance providers, same thing.

Attila: And, you know, the mentality is slowly starting to shift.

Attila: But the problem is that when these bad guys get into your inbox, first thing they do is download all those messages.

Attila: And what do you think they're looking for?

Attila: PII, personally identifiable information, stuff like that.

Attila: And that's what they can use to open up lines of credit.

Attila: If anyone has sent you their important information, you know, like say a copy of their passport, well now the bad guys have a copy of their passport, and they can go impersonate that person.

Attila: So it doesn't stop with you, it stops with anyone who's ever sent you anything.

Attila: And you know, you can go through and try to find those emails now before the bad guys do.

Attila: It's probably a good idea if you're listening to this, and this is starting to ring some bells.

Attila: But if not, you've got to delete those emails and let people know not to send you that kind of stuff when they do, because they're going to keep doing it, and it's likely that they've done it multiple times.

Attila: We've seen this everything from new employees who are hiring their employee startup documentation to the HR manager for a company.

Attila: These are big companies, not immature, not poorly funded, like really smart, long-time companies that we see these kind of behaviors, and it can really bite you in the butt.

Matt: Well, I think the real issue, and I'm thinking about personal instances, is as the digital age progressed, we came from a time period of having literal file cabinets, some that could lock, and we would set up organization and systems around it, where if you received some important docs, you're bringing on new employees, you do what you would need with that paperwork, and then file it away into those secure filing cabinets.

Matt: But then, as we started moving into the digital age and receiving that information, for whatever reason, we never really thought through the process of what to do with, like, information is information, right?

Matt: You grab it and you got to store it somewhere.

Matt: And convenience is important when it comes to, you know, pivoting on your information and doing your job, and, you know, getting out to the right people.

Matt: So, yeah, I think it just kind of became a habit for a lot of people that didn't really have the know-how or the tools or the training to, you know, put it somewhere secure.

Attila: Yeah, and I think as human beings, we tend to replace one thing with the next.

Attila: So maybe someone has been in an HR director position, for example, has probably been there 25 years, and maybe they grew up with or maybe they cut their teeth in their craft doing fax machines, right?

Attila: And fax machines were, you know, they have their own problems, but they were considered a little bit more secure because once the fax went through, it was kind of gone forever.

Attila: And it did have to go into a filing cabinet, like you said.

Matt: I forgot who I was talking to.

Matt: Someone was just telling me they still rely on faxes.

Matt: Yeah, some industries really do.

Matt: It's how they confirm an actual thing with another company, which to me is just mind-boggling.

Matt: Like, are they staring at the fax machine and verifying the phone number that it's coming from?

Matt: Like, I mean, if it comes through in the middle of the night and it looks legitimate, is that their verification?

Attila: And you know what's the funniest is a lot of these fax-to-email services, where you're just defeating the whole purpose altogether.

Attila: So, what's the point?

Attila: But you do have traditional mail, which even that, like mail theft is, we've had to deal with that firsthand.

Attila: I mean, that's not really that safe either.

Attila: So, when it comes right down to it, I think your gold standard is going to be encrypted email.

Attila: And that is something that you say those words, and all of a sudden the HR director's eyes start to glaze over, and anyone over age 40 suddenly starts to get nervous and sweat.

Attila: So, I'm not going to say...

Matt: But even that doesn't totally feel secure, because if it's encrypted, it's encrypted in transit, but then it still sits in the inbox, right?

Matt: Well, if anybody gets into the inbox, they can get...

Attila: Well, they can still download it.

Attila: So, there's all these other different ways they can still get those same files.

Attila: But everything, when it comes to security, is best effort.

Attila: But the problem really lies in, if you got your inbox, people sent you stuff, and you just forget about it, and it just sits there, and then some bad guy gets in your account, and they download all your messages, and it's from like five years ago.

Attila: I mean, social security numbers, blood types, this kind of stuff doesn't change that often, right?

Attila: Medical history.

Attila: So, you don't want to have that stuff sitting in your inbox.

Attila: It's just, you know, the human...

Attila: Remember, we keep talking about the human firewall as being the weakest problem.

Attila: This is why the RISCARA behavioral assessment was developed in the first place.

Attila: It's not because of, you know, we're trying to make a buck or something.

Attila: It's because there's a huge need for this.

Matt: Well, and the inherent belief that I think most people, you know, going into using computers understood or believed was that, you know, they have a password to their computer, so the computer is secure.

Matt: So storing a password in a text file on their desktop is okay.

Attila: Yeah.

Attila: Okay.

Attila: Yeah.

Attila: Or an Excel file.

Attila: I mean, and this is not like...

Matt: And we see it all the time.

Attila: All the time.

Attila: Like, today, there are lots of very highly successful, high-revenue companies that are out there, and they got an Excel file that everyone uses with all the usernames and passwords.

Matt: Well, and this goes to something we were talking about just before we started recording.

Matt: I was listening to another podcast, and they were talking about a crypto heist, and the guy that was stealing the crypto, you know, he's not super technical, but over time, he and the guys he was working with learned that people that were making a lot of money in crypto, who also didn't know where to put this important information, would typically store it all in Evernote.

Matt: So Evernote was a key place that they would try and break into, because if they identified that this person with this email had a lot of crypto, then very possibly, very likely, if they got into their Evernote account, then they could actually get the crypto keys and the wallet location and be able to break into their accounts to do their crypto.

Matt: And when I heard that, it triggered something in my memory, because I was doing the exact same thing when I was trading crypto.

Attila: Do tell.

Matt: It wasn't an Evernote.

Matt: I am an Apple person, so I was keeping it in my notes.

Attila: Ah.

Matt: And when I was learning crypto and trading and, you know, where to make money and how to do this and how to do that, and I started training my friends, I told them to do the same thing.

Attila: Put it in notes.

Matt: Yeah.

Matt: And, you know, one of the features back then that was new, it's not so new now, is you could actually lock notes.

Matt: So I started doing that, but, you know, someone gets your password to your iCloud account, they're in.

Matt: They're in.

Matt: Yeah.

Matt: And it's typically the same password.

Matt: The password I had at that time for my iCloud account was the same password I would use on my notes.

Matt: So, you know, kind of defeated the purpose.

Matt: So, I mean, what I'm ultimately getting at is where I store this kind of information now is password manager.

Attila: Well, and, you know, following that line of thinking with the crypto, so how do these bad guys know who to go after?

Attila: It's because they're breaking into the crypto exchanges and they're getting email addresses.

Matt: Well, and it's not even just that.

Matt: They're like, they're just going to the login page and then putting in email after email after email.

Matt: And then if it says, yeah, back then, it would say, this email doesn't exist.

Matt: Or it would say, this email exists, the password is wrong.

Matt: And then they would know, bingo, I've got an account.

Attila: Yeah.

Attila: In the phone world, that's called predictive dialing.

Attila: I wonder what it's called in the tech world.

Attila: It's probably like, RudeForce.

Attila: We'll have to put that, we'll have to do some research, put that in the show notes.

Attila: But yeah, so don't put your stuff.

Attila: So I guess the lesson is, don't store your important things inside of anything but a password manager or something like it.

Matt: Or something like it.

Matt: Yeah.

Matt: Now, I keep all my credit card information, I don't know if I should say this out loud.

Matt: I mean, no one has access to this except for me, but I keep my credit card information, my date of birth, my family's information, my mom's social, my wife's social, my grandmother's social.

Matt: All the important information for everybody that's important to me, and all the things that are important to me, is in my password manager, which is really nice and convenient because I have it on my phone, I have it in my browser.

Matt: If I'm out and I need my driver's license number, and I lost my driver's license or forgot it somewhere, it's right there in my password manager.

Matt: Same thing with my frequent flyer miles, everything.

Matt: But it's in a secure place.

Matt: That's the key thing.

Attila: Interesting since you mentioned password manager, because I was just reading about how Bitwarden identified a problem with doing it this way.

Attila: And it's common not just to Bitwarden, but to all password managers, is that there's this thing called two-factor, right?

Attila: And two-factor code means it's going to send you a digit somewhere that you need to enter when you get inside your password manager.

Matt: Right.

Attila: Now, if that somewhere is your email, and the password to your email is in your password manager, you're not only locked out of your email, but you're locked out of your password manager, and you're just screwed.

Matt: True story.

Matt: I saw it happen to someone, and it wasn't his email, it was his computer.

Matt: He had the password to his computer in his password manager.

Attila: Hold on, give some context, though.

Attila: Who was it?

Attila: It was a university professor, remember?

Matt: Yeah, yeah, yeah.

Attila: So it wasn't like a stupid person.

Matt: Right.

Attila: Let's just start there.

Matt: Yeah.

Matt: So yeah, he had the password to his computer in his password manager.

Matt: Yeah, and he called because he needed help getting back in, and I think what it was is his phone had taken a swim, and so he couldn't get in his phone any longer.

Matt: So he needed access to his password manager and his 2FA.

Matt: Everything was on his phone.

Matt: No longer had access.

Matt: And you want to be secure, but you also want to make sure that you have access to important things, like your computer.

Matt: So you want to know the password to your computer.

Matt: You want to know your password to your password manager, of course.

Matt: And then beyond that, yeah, you can start having different passwords for everything.

Matt: That's also another good and important point.

Matt: We've seen people that have taken our suggestion and used a password manager.

Matt: But then, when we go through and look at the scoring for how good their passwords are, it turns out that they're still using the same password for all their different things.

Matt: It's just in their password manager, which kind of defeats the purpose.

Attila: Yeah.

Attila: The human behavior is going to be your weakest point here.

Attila: And I don't know if all the password managers can do this.

Attila: I know Keeper can, which is kind of nice, where once the passwords are imported, it will show how many passwords are being reused and the overall complexity and security, like how strong they are in the first place.

Attila: So, that's a good point, Matt, is like how can we get people to use a unique password on every site, make sure that everything is two-factor authenticated with an authenticator app, hopefully using a QR code, and not SMS, because there's a whole bucket of problems with that one.

Matt: I feel like we should back up a little bit and sort of simplify and explain a password manager for those who have never used one.

Matt: Because it sounds...

Attila: I'm getting too excited.

Matt: Yeah, no, it sounds complicated and probably feel intimidating conceptually, but a password manager is...

Attila: Hold on, hold on.

Attila: Let's distinguish, though.

Attila: Because everyone has seen, when you go to Google and you type in a password, it says like, hey, do you want to save this password inside of Chrome or Firefox, whatever?

Attila: How is that different from a password manager?

Matt: So yes, that is a password manager, and your browser saving your passwords was probably the first original password manager.

Matt: But the difference is, instead of generating a password for you, it would ask you, do you want to save the password that you would be using to log into a website or log into a service?

Matt: Right?

Matt: It's on you to come up with the uniqueness of the password.

Matt: Whereas a password manager generates a password for you.

Matt: Ideally, you don't actually know yourself.

Matt: I don't know the password to my bank accounts.

Matt: That's all my password manager.

Matt: Feels a little weird to say that.

Matt: Maybe it makes me feel a little vulnerable.

Matt: But yeah, the fact is, I don't know the password to most all my services.

Matt: And then the other difference is, and I learned this and picked this up when I was going after scammers.

Matt: I was doing scam baiting for a while, hacking into their systems, trying to take it out on the bad guys.

Matt: But it was really easy to pull the passwords from the browser.

Matt: When the browser is open, the browser is authenticated, you can run a little script in the background and just dump all that stuff.

Attila: So, that means that any bad guy who tricks me into clicking a link and getting access to my computer, the moment I bring up my web browser, they can download all my passwords that the browser has saved, and I am screwed.

Attila: Not good.

Attila: Not good.

Attila: A lot of nodding and head rubbing is going on right now.

Matt: Browser security is definitely a hot topic nowadays.

Matt: There's a lot of issues that have been popping up and things that Chrome, Google, and Microsoft have been trying to secure people's web adventures.

Matt: But yeah, password manager, it can save passwords for you and autofill for you.

Matt: But the key feature is that they generate unique passwords for each site and each service that you visit.

Matt: And then you ideally only have one main complex password manager that you use for getting into your password manager.

Attila: And then once you're in, it's stored in the cloud, it's synchronized with your phone, you don't have to remember different things.

Attila: I did notice though that the phones like to...

Attila: There seems to be some competition amongst password managers.

Matt: Oh yeah, I mean they're kind of the hot topic now.

Matt: And we've mentioned both Bitwarden and Keeper, and to be honest, people ask all the time which one is the best one.

Matt: They all have their features, they all have their quirks, they're all good as long as you use them properly.

Matt: I mean, maybe with the exception of LastPass.

Matt: They had a little bit of a breach issue.

Attila: One, two or three?

Matt: Yeah, so we stay away from them.

Matt: But most password managers use a double-encryption type of system.

Matt: So what that means is that like with Bitwarden, your passwords may be on their server, but it's encrypted through the password that you're using.

Matt: So if they had a dump, if they had a leak.

Attila: Which they have.

Matt: I mean, most companies have had.

Matt: The ability for the bad guys to get to your passwords, to your vault, lies solely on how complicated your password is.

Matt: So if your password to your password manager is very simple.

Matt: They're in.

Matt: But that's true regardless of if there's a leak or not, because they can do the same thing that they did with some of these crypto guys.

Matt: They can go to these different cloud websites that do password managing and try to brute-force your account.

Matt: So I guess that kind of leads to a suggestion for passwords.

Matt: Try to make them at least like 20 characters.

Matt: I always suggest doing three words with a dash in between.

Matt: That's the default for Bitwarden passphrases: three words, a dash and a number.

Matt: And at least one capital letter in there.

Matt: That right away makes it much harder to guess.

Matt: And if you could throw in a foreign word in the middle of those words, even better.

Attila: Yeah.

Attila: The FBI's recommendation is to always use a long password.

Attila: Just the password length itself is what seems to be your best defense.

Attila: It's not always the complexity of a short password, right?

Attila: And it's also important to note that password managers are not just for passwords.

Attila: So you can store all kinds of documents in there and credit card numbers and birth certificates, that kind of thing.

Matt: Flyer mile numbers.

Matt: Like all that stuff goes in there.

Matt: I mean, that's exactly what I do.

Matt: And it has just been so convenient in my life now, just being able to have that on hand no matter where I'm at, no matter what browser I'm in.

Attila: Well, also think about it this way, when it comes to succession, succession, we all have to kind of talk about the human thing that no one wants to talk about, which is people die.

Attila: And we have to deal with that too sometimes.

Attila: And when the head of a law office dies, and we have to go there and try to figure out his passwords and everything else, I mean, it's a complete puzzle fest for a long time.

Attila: And these things happen.

Attila: So if everything is in a password manager, and the master password is written down somewhere and stored in a safe, when you go, it's real easy for someone to pick up the pieces and keep the business going, and keep the life going.

Matt: On that note, in another experience I had helping another business, when I was trying to help him with his password manager set up, it turned out they had passwords in multiple notebooks, and multiple notepads, and multiple note apps.

Matt: So his passwords were at least in three or four different places, and most of them were outdated.

Matt: Yeah, so yeah, to Attila's point, it really makes a huge difference, if you can keep it all in one place, and keep it up to date too, ideally.

Attila: Right, and sometimes it takes a little bit of a wake up call for folks to get...

Matt: Yeah, he had had a breach.

Matt: He had a $500,000 bank account breach.

Matt: Wow.

Matt: Yeah, and that was his wake up call.

Attila: Half a million bucks.

Attila: Yeah.

Attila: Pretty, pretty expensive, considering maybe just, you know, you could do all this in an afternoon, right?

Attila: Well, maybe that's optimistic.

Attila: Over the course of a few afternoons, you can probably get your digital life a little bit more organized.

Attila: And, you know, when it really comes down to it, it's not the tool, it's the person.

Matt: Right.

Matt: It's the habits.

Attila: It's the habits, it's the behaviors, and that's what's going to give your, you know, you, that's what's going to make you resilient to the threats that are coming.

Attila: I think we can all agree that it's not a matter of if, but when a breach occurs at your company, to your digital life, and your ability to weather the storm is going to come down to what habits you insert today, and to securing your digital assets there.

Attila: I like it.

Attila: That's my ending.

Attila: I'm going to go with it.

Matt: Sounds good.

Matt: I like it.

Matt: Stay safe out there, everyone.

Matt: Make sure you keep your passwords in a safe place.

Attila: And especially not in your email.

Attila: So, I'm Attila.

Matt: I'm Matt.

Attila: Stay safe out there.

This episode was brought to you by Cypac.

To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.
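The login-page behaviour Matt describes in this episode, where the site answers "this email doesn't exist" for one address and "the password is wrong" for another, is commonly called username (or account) enumeration. The following is an added example, not code from the podcast or its hosts. It uses a constructed in-memory user store with one hypothetical account (alice@example.test) and shows a leaky login handler next to a uniform-response handler, plus the attacker-side probe that tells them apart. All names, messages and data are assumptions made for the illustration.

```python
"""Username enumeration through login error messages: leaky vs. uniform handler.
Added illustration; the user store and messages below are constructed, not real."""
import hashlib
import hmac
import secrets

# Work factor kept modest so the example runs quickly (assumption for the demo).
PBKDF2_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store: email -> (salt, pbkdf2 hash). Only one hypothetical account.
_SALT_ALICE = b"\x01" * 16
USERS = {
    "alice@example.test": (_SALT_ALICE, _hash("correct horse battery staple", _SALT_ALICE)),
}

# A dummy credential so that unknown accounts cost the same hashing work as known ones;
# its plaintext is random and never stored, so it can never match a submitted password.
_DUMMY_SALT = b"\x02" * 16
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email: str, password: str) -> tuple[bool, str]:
    """The behaviour described in the episode: the error text says whether the
    account exists. It also skips hashing for unknown users, so response time leaks too."""
    if email not in USERS:
        return (False, "this email doesn't exist")
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "password is wrong")
    return (True, "ok")


def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """Hardened form: one message for every failure, and the same hashing work
    whether or not the account exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    ok = match and email in USERS  # belt-and-braces: a dummy match must never log in
    return (ok, "ok" if ok else "invalid email or password")


def enumerate_accounts(login, candidates: list[str]) -> list[str]:
    """Attacker's probe: submit a junk password for each candidate address and keep
    every address whose response differs from the 'no such account' baseline."""
    baseline = login("nobody-" + secrets.token_hex(4) + "@example.test", "x")[1]
    found = []
    for email in candidates:
        ok, msg = login(email, "definitely-wrong-password")
        if ok or msg != baseline:
            found.append(email)
    return found


if __name__ == "__main__":
    guesses = ["alice@example.test", "bob@example.test", "carol@example.test"]
    print("leaky handler reveals:  ", enumerate_accounts(login_leaky, guesses))
    print("uniform handler reveals:", enumerate_accounts(login_uniform, guesses))
```

Against the leaky handler the probe returns the one real address; against the uniform handler it returns nothing, because every failed attempt looks identical. The same idea applies to "forgot password" and registration pages, which often leak account existence even when the login page does not. Rate limiting and lockout do not fix the leak; they only slow the probe down.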
