A Little (Expert) Advice: How to Secure Your Privacy in a Digital World
Keeping your private information secret just feels hard to accomplish these days. Fortunately, there are steps you can take – right now – that can protect your privacy and secure your online identity.
- Resilience Cybersecurity & Data Privacy
- Best Small Business VPN Services – Resilience Cybersecurity & Data Privacy
- 10 Easy Ways to Immediately Boost Your Online Security – Resilience Cybersecurity & Data Privacy
- The Best Cloud Backup Services for Personal Data and Devices – Resilience Cybersecurity & Data Privacy
- The Best Password Managers for Individual and Family Use – Resilience Cybersecurity & Data Privacy
- Your Password Policy Makes You Vulnerable: How to Fix It – Resilience Cybersecurity & Data Privacy
- People Are Still Using the Dumbest Passwords Available – Gizmodo
- 10 ways to make the most of your password manager – PC World
- CISA Publishes Multi-Factor Authentication Guidelines to Tackle Phishing – infoSecurity Group
- Passwordless Logins vs Multi-Factor Authentication – How-To Geek
- Why you should review your credit report after a data breach – Dist://ed
- 6 Types of Social Engineering Attacks – Mitnick Security
- Banks Seek Guidance on Who’s Liable for Open Banking Data Fraud – Bloomberg Law
- Identity Thieves Bypassed Experian Security to View Credit Reports – Krebs on Security
- Don’t overlook the security risk posed by QR codes – tech radar
- 35 Times People Actually Read The Terms And Conditions And Found Something So Unexpected, They Just Had To Share It Online – BoredPanda
Brian: Hey, thanks for joining us here on the Fearless Paranoia podcast where we seek to demystify the world of cybersecurity. I’m Brian, the attorney.
Ryan: And I’m Ryan and I work on computers.
Brian: And this is part two of our episode of how to keep yourself safe, how to make yourself a little bit more safe and secure online. So protecting yourself, protecting your identity. First one: strong passwords, use a password manager.
Ryan: Yeah, this one’s a no brainer, as long as passwords are still part of the authentication mechanism that we use to protect our things. Passwords are easy to crack by their general nature as we develop them as humans, when they get to be complex enough where they’re not easy to hack by humans, they get to be impossible for us to remember. So that’s why having things like strong passwords that are tough to hack is important and having a good repository to store those passwords to recall them when you need them. And hopefully keep them in encrypted at rest while they’re sitting in there is a phenomenal tool. So please get into password managers, especially if you have a lot of passwords, it keeps you from just getting into bad password practices like reuse, or weak or anything else.
Brian: And I’ll put a link in the content, there’s a good discussion on available password managers and password policies in Resilience Cybersecurity, so to multifactor, or at least two factor authentication, I think a lot of people consider two-factor in multifactor, the same they’re not really but what’s the best use of this in your mind.
Ryan: But I mean, they really kind of are the same in the same way that, you know, thumbs are fingers, but not all fingers are thumbs. And so, like realistically, multifactor authentication just means having more than one factor of authentication; it has to be more than just your username and password. And so, two-factor satisfies that; it is a form of multifactor. But multifactor can mean two or more different forms of authentication available as well. So to me, just multifactor is really the one that should be there: make sure you have something other than just the username or password protecting your stuff that’s really critical. Multifactor authentication comes down to our current mechanisms being based off of three things. It’s what you know, what you have, what you are. And those are the three different things used to identify a person. What you know, in most cases, tends to be the username and password combination that satisfies the knowledge base. On top of that you have to either prove then what you have or who you are or what you are. What you are is an easy one. That’s biometrics, we carry those with us: that can be retina scan, that can be voice analysis, that can be fingerprint, and who even knows where else that can all go. They’re talking about behavioral analytics and things as multifactor. So, we’ll see where that goes. But what you are, is that the importance that can be, so that’s definitely a good one to put on there. If you have any, like, banking apps or anything that allow you to use fingerprint on your mobile phone, turn all that stuff on, absolutely turn that on, it makes it a whole lot easier.
Brian: But as a second form of authentication, that’s actually one of the ways I’ve been resistant to it is that when they make that the sole basis of authentication into the app, I’m like, no, no,
Ryan: Well, and it should never be, you should always have multiple factors. Multiple factors is the critical piece; it almost doesn’t even matter what those factors are. As a matter of fact, you could even go passwordless and get away from what you know and go to just what you have and what you are. So now you use a fingerprint and like a YubiKey or something to satisfy the two different factors. Now you’ve gotten completely past, or unless you’ve now proven that you are there by nature of the fact that your fingerprint is present and a trusted tool that’s being used to access your key is present with you. So now you’ve activated the two necessary keys to get into that which, you know, again, provides those multiple factors.
Brian: Okay, so now we go from the basic and relatively self-explanatory to a much more complex level review online accounts and credit reports for changes. Now, I’m going to start with the legal side of that, for the most part, your bank accounts, your credit cards, you have 60 days to report fraud. And for the most part, as long as you’re in a traditional bank account, or using a regular credit card in the United States, they are going to be obligated under their fraud protection to cover your losses, but outside of 60 days, they are not obligated for anything. And here’s the real crux of it. If you have a bank account mailed to your house or emailed to your primary email address, the law assumes that you have read them. You don’t get to say but I didn’t see it. The law assumes you read them, check your accounts to make sure they’re accurate, right? What’s the issue with the credit reports?
Ryan: Yeah, this is a big one. One of the things you always do in cybersecurity is look for indicators of compromise. That’s one of the ways that businesses know to start an investigation, it’s one way to know that a user has identity issues. So, in this case, instead of getting like a password reset email, making it look like someone’s resetting your account, one of the indicators you’d find is by reviewing your credit report and looking for maybe purchases or accounts or changes to the report that are things that you can identify the trigger behind. You didn’t indicate it or you didn’t initiate the activity.
Brian: And make sure that those reports are accurate too. Because the bottom line is you may have a negative credit report or have dings on your credit that aren’t actually yours. And I’ve said it recently that LinkedIn issue is you’re not the customer of the credit reporting agencies, you’re the product. So, if they are incorrectly reporting your information as part of their product or their real customers, they have a potential legal issue. So, you need to get on that and report that
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Okay, so we’re off the protecting your identity. But a lot of this kind of continues to changing your habits. This first one I’m going to phrase as be aware of the real threats and be a little scared of the real threats, not the ones that Hollywood kind of wants to make you obsessed with Ryan, what are the real threats?
Ryan: Yeah, Long gone are the days where someone’s going to come up to your face, try and lie to you by knocking on your door and see if they can scam you out of your money there. It’s much easier nowadays to sit and do it from behind a computer from halfway around the world where you can avoid things like jurisdiction and local laws, etc. Plus, you don’t have to avoid getting beat up at somebody’s door by trying to rob them right from halfway around the world. So what they do instead is they use the easiest way to impact somebody’s account and their items, they use social engineering, they’re gonna send you notifications that make it look like they’re not coming from them, they’re coming from a service you use, they’re coming from a loved one, they’re coming from a different source where you are going to be much more likely to trust that and interact with that to top that off, they count on that interaction. And they build tool sets to capture that interaction and use it as a way to exploit you to either take your data or to encourage you to provide them with your data or to somehow manipulate you into getting access to your account your data access to people that you know, etc. In any case, social engineering in all of its forms, text message, through email, through phone calls, through whatever are becoming one of the most prevalent and major threats that people have to deal with nowadays.
Brian: Well, that’s interesting, something you just pointed out there is that it just having someone call you and you not taking the bait on the phone is not necessarily a fruitless endeavor for criminal enterprises, who may be able to use a recording of that call to parse further information about you. So even staying on the phone and continuing to talk to someone who you know, no matter how smart you think you’re being to outsmart them to out with them, just staying on the phone with them is potentially adding more datasets to their arsenal.
Ryan: Well, and if you stay on the phone with me, you allow them to take advantage of the full social engineering tool set to try to further encourage you or further manipulate you. I mean, if they’ve got access to a domain of like Wells Fargo banking.com, which maybe Wells Fargo doesn’t own. Now, they can send you emails from Wells Fargo Bank, and they call up and say they’re from Wells Fargo, hey, I’m gonna send you this thing real quick. And all of a sudden, you actually get an email from Wells Fargo Bank and with the branding and stuff on it. Well, they’ve kept you on the phone long enough to keep carrying on the ruse now. And now they’ve actually provided you with something where you may have been a little paranoid right away. But now you’re thinking, Oh, no, this has got to be legitimate. Now, I mean, look, it’s branded, it’s a beautiful email and everything, like I can trust this and then bang, bang, bang, you log in. And next thing, you know, two hours later, your money’s floating around through the Central Bank of Mongolia or something, and…
Brian: it got sent there through legitimate access to your account.
Ryan: Oh, and then in a lot of cases people will actually have authorized these transactions too, which also takes away a lot of the legal liabilities of some of those fraud protections, which means now the bank can come back to you. And even though it would be in their best interest to help you as one of their users or one of their consumers, they might legally not have to anymore, and that might actually differentiate between whether they’re going to put resources to helping you or the other guy.
Brian: Absolutely. So next on the list. And this is kind of a branch of that first one sharing on social media and making sure that you’re keeping what’s private, private. What do you mean by this?
Ryan: Well, social media is social media is such a problem, people. It’s a beautiful thing, right? It’s really great that people have got a tool where we can share all of this information, share all of the details of our lives with one another, we can share it at a moment’s notice. Everybody can be constantly in touch, you don’t have to drive up to a payphone like we did when we were younger, to like, go tell somebody what happened, you know, that day. A couple clicks on your phone, and bam, that information is out there. Problem is, once that information is out there, it’s always going to be out there. But then all of that information can also be used as well. There’s nothing stopping me from popping on random social media accounts and just grabbing copies of people’s vacation pictures, them at the mall, taking a selfie, whatever else it might be, getting the name of their pet, because people tend to make terrible passwords. And you know what? Pet names, but it does make a great password, right? I mean, you want something that’s going to be easy to remember. Well, if I can grab your pet name, that puts me a little bit closer to cracking your passwords, especially if I’ve got your LastPass vault. I see that all of your passwords are pet names and now I’ve got a list of all the URLs that you go to. Okay, cool. This just became a much more level one challenge rather than a level 100 challenge like it was a little bit ago.
Brian: Well, one thing to add to that too is a recent article from Brian Krebs was talking about Experian, who is required by law to give you a credit report every year. There was a way to actually bypass the verification if you had certain information. You could bypass the requirements that they ask personal questions, but the problem is, even the personal questions are oftentimes information people have shared online. It’s which of these addresses have you lived at, which of these types of cars have you driven? I mean, who hasn’t taken a picture with their new car, and more than 30 states in the US have a requirement that you have front and back license plates. So now you’re potentially putting the answer to a serious personal identity question online without even thinking about it.
Ryan: Yeah, yeah. Freeze your credit report if you’re not using it.
Brian: Yep. And even if you are.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…
Brian: Don’t click on links that you’re not expecting this one is I think, is much more commonly taught in the business world. But this is definitely something that individuals need to be aware of.
Ryan: Holy crap, this one makes me want to pull my hair out sometimes links that you’re not expecting, I’m gonna even just tag on don’t scan QR codes, if you don’t know where they’re going. We’ll take that right into this one QR codes are to me, like one of the things that my existence, I can’t have those things and the fact that they’re showing up everywhere in media nowadays, with basically just saying, please scan me and people scan them and click that link without even a second thought.
Brian: when you go to a restaurant nowadays. And they’ve just got a piece of paper on the table that says scan this QR code and I’m sitting you’re like, give me a physical menu, because I don’t know if your server put this on the table. And even if your server did, I don’t know, if your server doesn’t have a side gig…
Ryan: What’s to stop me from replacing all those next time I walk into Shelley’s exact or putting a sticker over the top of them? Or here’s a good one: threat actors nowadays are willing to pay lots of money to go out and actually form legitimate businesses to go and make legitimate purchases of offensive security tooling from big offensive security vendors that would otherwise not sell to, obviously, like a ransomware gang or anything like that. They’ll go through the effort to spend hundreds of thousands of dollars to set up shell corporations to make these purchases. What’s to stop any one of them from spending a quarter million dollars to put out a Super Bowl ad and putting a QR code in it, like somebody did in the last one, where all of a sudden that QR code was breaking that website because people were scanning it and accessing it? And there was no reason to know where that code was going, what it was going into. It was just a QR code.
Brian: And there’s a reasonable point to be made here that when you see a link in an email, when you’re sitting at your computer is one thing, but one of the things that was recently pointed out to me was that a lot of text messages now come with links. And a lot of those links are sent through link shortening…
Ryan: shortcodes system.
Brian: So instead of getting the full website, so you could type it out yourself. It’s an https colon slash slash WP dot whatever and bit.li dot whatever.
Ryan: Yeah, exactly.
Brian: In that case, is it your advice, basically, unless you know the sender, and we’re expecting the text, don’t click on it, or is it just flat out, don’t click on it.
Ryan: To be honest, in most of those cases, there’s another way of actually accessing that data, which is what I would prefer to go with, I’d never click on links and click on through text message, I rarely click on links that come through on my cell phone, because I can’t hover over it like I can on a machine to see where they’re targeted where they’re going first. And for the ones that I can’t do that I have a segregated machine that I send that stuff to you, if I even plan on trying to open that otherwise, I usually just delete it and move on to something else. But in most cases, if you know that someone’s sending you a link, and it’s gonna go to something on Amazon, just copy the description of what they’re sending you to go to Amazon search for it and find that yourself rather than trusting that this link is actually going to bring you where they’re telling you it’s going to.
Brian: The other thing that takes advantage of is the hackers know that people who are on their cell phones are naturally acting in a less defensive and more casual way than when they’re sitting at a computer. And so, you are by nature more vulnerable on your cell phone.
Ryan: Well, and you know, again, people have been under this false sense of security because cell phones have been a little bit lower of an attack surface for most threat actors than our business level machines like a laptop or desktop, because first of all, those operating systems have just been around a lot longer. There’s more critical data on those types of devices. But with stuff like the Cellebrite stuff coming out today, cell phones are going to be a major target in the next few years.
Brian: So, moving on to the next one. This one I thought was very good on tap your card instead of inserting or swiping where possible.
Ryan: You have scanners popping up everywhere: gas station pumps, ATMs, everything, it’s getting really easy. The chip was supposed to help protect us, but you’re still scanning all that stuff through nowadays. You can actually just tap the chip, which are still RFID readers, but they’re a lot less common and they’re much bulkier, typically, than what those chip readers or the strip readers are. So skimmers are getting to be really small, they’re really easy to tuck in place. Tapping will really help reduce a whole lot of that because, again, it’s a much harder technology to just kind of slide out there in public without it being noticed.
Brian: And this last one I did appreciate this. As much as I absolutely hated myself read Terms and Conditions and Privacy policies. I’m as guilty as anybody but Ryan, why is it important?
Ryan: Oh man, I figured with you being an attorney and stuff I better at least mention this one, because you know what, if we’re going to talk about don’t click on links you’re not expecting, don’t click OK, Yes, Accept, whatever on the bottom of an agreement if you don’t know what the hell you’re agreeing to either. That’s just common practice, because you know what, the devil is always in the details somewhere, especially when you get to some of these larger organizations. They spent a lot of money really putting together those policies and those documents, and they’re very detailed on exactly what they’re going to do with your data. And if you take the time to read through that you might actually be astonished at a lot of the stuff that you see, and a lot of the general what you would consider to be privacy level rights, freedoms and privileges, whatever you want to call it, that you are effectively handing over in a lot of those instances for the sake of usability and effectiveness of whatever the service offering you’re signing up for is. So take the time, read through them. If nothing else, read through at least each one of them for each service you use once; you don’t have to read through every time you install it necessarily, maybe after that, but at least just get familiar with what the general concept is that they’re trying to cover in those documents. You’ll thank yourself later for doing so.
Brian: And also bear in mind that a lot of those sites, especially websites where it’s an option to accept or not, they are usually required to offer you the same service whether you accept or not. If you use iOS, you have a lot of privacy options that you should take advantage of don’t allow companies to get information that they have no business having they are required to provide you in most of these cases the exact same service if you say no as if you say yes, so make sure you know what you’re clicking on. Once again like to thank you for joining us here on the Fearless Paranoia podcast. We hope you’ve learned something new about how to protect yourself and keep your data safe online and remind you again that you can subscribe to the Fearless Paranoia podcast on any of your favorite podcasting apps. We would really appreciate that if you liked this episode, you and like our posts like the episode on the app or on any social media site. You see, as Ryan mentioned last week, we are slaves to the algorithm just like everybody else, and more help you give us the more people get to hear this podcast and see our posts when they’re shared. You can visit us at Fearless Paranoia.com Check out our new deals page. We have scrounged up some of the better deals online for safety and security software programs, systems, anything like that we’ll keep it as updated as we possibly can. You can also head on over to resilience cybersecurity.com to check out our list of best VPNs data backup and password managers for both individuals and for business. And that’s really all I’ve got. So for Ryan, I’m Brian and we’ll see you next time.
Ryan: And I’m Ryan, cybersecurity specialist.
Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is ransomware 101.
But before we get there, we want to remind everybody that you can check out our other episodes on Fearless Paranoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you your business, your family and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints and suggestions and plans and procedures and everything you could possibly imagine to help protect yourself from cyberattacks.
It’s a Saturday night and, for reasons passing understanding, I’m working. It’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection where I put some documents in the day before at work. As I open the box, something catches my eye. But not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also notice that the icons don’t seem to be loading properly. But that could just be my computer being my computer. I double click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open right off the bat; not a good sign. The first box opens up and it’s a bunch of gibberish, symbols, letters, any kind of order. And I’m really puzzled for a second. But then I see behind that document, the corner of the second document is open. That one doesn’t have symbols, that one doesn’t have jumbled, jumbled language. It has text in bright colored font: they have my data locked up. And I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.
The story I’ve just told you actually happened. Fortunately, it was from back in the days when before ransomware became quite as insidious as it is now and we were able to resolve it with limited business interruption issues and other costs. In fact, the costs of reclaiming our system, clearing it up and everything, actually ended up being less than our insurance deductible. That’s something that doesn’t really happen anymore.
So what is ransomware? I think most people who follow the news or anything, read anything about computers, anything about business, anything about security these days, knows or has an idea of what ransomware is. But getting an understanding full technical definition requires expertise that exceeds most people and requires time that most people don’t have. Fortunately, we’ve got them both. And Ryan, the cybersecurity and IT specialist. So Ryan, walk us through what is ransomware?
Ryan: That’s a fantastic question, Brian. I’m protecting against the defending against ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It’s software. This is a piece of code that somebody’s written, that encrypts data enacting very, very standard, very widely used encryption tools that are being used with custom algorithms, and makes it unusable to anybody other than the generator of that software to create a ransom-able environment or ransom-able situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It’s no different than old fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.
Brian: So the concept it means it’s taking something hostage, and it’s the idea and I think, I mean, it’s been around forever, but the idea that something is worth more to you to get back than it may be worth on the open market. The idea of, even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you were willing to pay a lot more to make sure it comes back or to use it yourself, then it then has actual intrinsic value.
Ryan: Yeah, that’s great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that’s a detriment to your business, this is core critical data that you don’t have backed up somewhere else. It’s data that is not recoverable easily. And so it’s, it’s got a certain level of value attached to it. Some of that data has value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where, as your data gets into a situation where it’s been encrypted by ransomware and it’s being held hostage, that data, again, could just be valuable to you enough for you to offer a payment back to these criminals to get access back to your data. It could also be valuable to them from an extortion standpoint of what happens if we dump this data: are you going to be willing to pay us a little extra, not just to get access back to it, but to keep us from publicizing the data out on the internet so that everybody else can have a copy of it too? And that’s been, that’s been something much more prevalent in the ransom attacks popping up in recent times, is that there’s almost a two-stage piece behind that ransomware attack where they attempt to profit twice from it. And again, it’s good from a business standpoint, but it’s, it’s terrible for the rest of us that are on the receiving end of those types of malicious attacks.
Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, I’ve been amazed recently how it does seem like ransomware while certainly was you know, when this stuff first became popular it was an effective term; extortionware almost seems like it’s the better term for the modern version, because ransomware evokes the concept of “we’re holding this until you pay us to get it back”; extortionware it is a much. I mean, and that is a a version of extortion. You know, kidnap and Ransom situation is one type of extortion, we are going to illegally get money from you, based on you either doing something or not doing something. We’re going to leverage you to pay by taking something valuable of yours and returning it back. But the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I think, and we’ll talk about I definitely want to talk about this in greater detail, in a later episode, this concept you touched on as the what I’ve been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data. And there’s the actual data about the customers. And I think one of the more famous examples of that recently was, I think, a Scandinavia, essentially a large psychiatric organization where they took people’s patient notes and contacted the patients that said, if you’re, you know, if your psychiatric doc doesn’t pay up this ransom, we’re releasing your psychiatric notes.
Ryan: Yeah, it’s definitely taken a few different iterations. And it continues to find ways to become not just more effective, the malware families and especially the ransomware itself, but just the entire method of distributing it and how they’re utilizing it to draw maximum income capabilities out of the whole process has really kind of gone through, again, a whole series of evolutions, and I don’t see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low-hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues, where something is, you know, really personal information, or going into a business and stealing source code from a software developer. That’s your bread and butter. Those are your trade secrets. That could be something as simple as a customer database, where maybe it’s not critical to your business, but it’s certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it’s a constantly changing field. And it’s one that’s just going to keep getting more and more devious, which is why it’s more important than ever now that we put into effect, at the personal and professional levels, everywhere we can, basic internet hygiene practices to stay safe from some of these, because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well-known exploitable holes that can be closed pretty easily with basic hygiene practices, basic updating and patching. And there’s a lot of just general hygiene practices that can really prevent, I’d say a good majority, I’d even go so far as to guess probably 90%, of a lot of these really avoidable incidents.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com We’ll find a post for this episode containing links to all the sources research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Let me ask you real quick, because I think that, you know, a lot of people who watch, you know, any TV program that deals with computer issues, and usually deals with them very poorly, among most people I think there is this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we’re definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we’re talking about encryption, you’re not cracking any of this stuff unless you know the code, right?
Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers in some of the ransomware code that they’ve developed, and in some of those cases it’s been relatively trivial for some expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory all encryption, really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is, a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of, like, an extremely sophisticated botnet, something where you’ve got a lot of computing resources to crack away at this, we’re still talking years, decades, potentially centuries in some cases, to crack some of these with current technology. So again, are they crackable? Yes. Is the likelihood that they’re going to be cracked in any sort of short timeframe or with any ease? It’s pretty, pretty safe to say no, in most of those cases, theoretically…
Brian: it’s uncrackable. Practically speaking.
Ryan: In most cases where the ransomware tools do get reverse engineered and do get cracked, a lot of times it’s either because they’re using an extremely old piece of tooling in the ransomware, or it’s because the ransomware gang itself has had some of their code repository, or places where they’re holding some of those secrets, some of those passphrases, keys, actually get compromised. And what they’re doing to other people actually happens back to them, as their source code, their internal tools, are taken by security researchers and then distributed on the internet, saying, hey, here’s a tool to help you decrypt all of these things, because we broke into their infrastructure. You start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it’s not something that one would ever want to count upon. The better approach is to certainly put plans in place to protect yourself from it, and to make sure that in the case that it does happen, you’re not counting on either having to pay a ransom or find a key to get back into it, that you’ve got a secondary plan in place to make sure that you can continue enforcing business continuity around the issue instead.
Brian: So where does ransomware then fit in, in the overall concept or context of a business getting hacked?
Ryan: So the ransomware, again, ransomware is very rarely ever the first stage of compromise; ransomware is usually one of the end stages of compromise. That’s kind of the end goal: to apply the ransomware, apply the ransom and collect, and then finish whatever the business relationship is there, if you can call it a…
Brian: Business relationship. Business gets conducted, and at the end of this meeting, your signature, or your brains, will be on this contract. Yeah.
Ryan: And effectively, I mean, it is business. I mean, it’s a billion-dollar industry, you know, so ransomware is a huge business nowadays. It’s a legitimate business in most of our minds, but it is what it is.
Brian: And so it’s this combination of really strong encryption and these ransomware groups’ knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, health care facilities, even individuals, that makes ransomware so disruptive to our modern economy, system, way of doing things.
Ryan: Absolutely.
Brian: Well, in a nutshell, there it is. Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don’t forget to subscribe to our podcast; you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you’d like to hear Ryan and me address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at FearlessParanoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.
©2022 Fearless Paranoia