CYBER SERIES | Not everything is what it appears – finding a secure connection


We continue our special series on all things cyber, a term that we hear all the time here in this area, but do you really know what it means? Do you know all of its applications? Everything from personal data breaches, to public Wi-Fi safety, computer and online security, things that we wonder about all the time. We’ll get the answers to those issues and a lot more today on this special edition of The Means Report, the second installment of our cyber series. Sarah Rees and Nicole Cliff have been kind enough to come back. They’re from the Georgia Cyber Center right here in Augusta, and thank you all so much for explaining cyber to us and to the audience, we appreciate it.

Sarah Rees: Absolutely.

Nicole Cliff: Thank you for having us Brad.

Brad Means: You know, one of the first responses I got after y’all’s last appearance was from a viewer who said thank you for putting complicated things into lay terms, which was our entire mission so thank y’all for that.

Sarah Rees: Yes, absolutely.

Nicole Cliff: Yes, that’s great. Very great news.

Brad Means: So last time we broke down just the general fundamentals, if you will, of cyber. What it is, the fact that there are bad people out there trying to do us wrong via the information superhighway, via all things cyber and digital. So let’s get more personal today, starting with ways to protect our personal information. Sarah, you can kick it off. Let’s say somebody takes our banking information, maybe a debit card number, maybe a credit card number, maybe they look over our shoulder at the store, and we learn that that’s happened, they’re trying to use it. What are some moves we can make then?

Sarah Rees: Right, that’s a great question because it happens to so many people. I would say probably you have a lot of viewers right now that are thinking yes, that’s happened to me at least once. It’s happened to me, so I think it’s a great question. I think that one thing that we have to put into perspective is it actually matters if we’re talking about a debit card or credit card, because it’s different in how those types of things are treated. With credit cards, actually, it’s a lot easier for a consumer to dispute a charge, and they’re going to be able to get that investigation complete and they’re not gonna be liable.

Brad Means: Good.

Sarah Rees: With a debit card, there’s a lot more onus on that user. So if you notice that there is something on your bank statement for your checking account, where your debit card may have been compromised, that’s something you have to act very quickly on, and that’s because if you report too late, for example at 60 days, you could be found liable for all those charges.

Brad Means: You know, this gives me an opportunity to slip something in. I wondered if I would ever get to do it. It’s not really identity theft, but it goes to what you were saying about pay attention to your statements, to your accounts. My Xfinity account included some charges for a cable box that I haven’t had in my house for years. I can’t get a refund because I never noticed I was getting charged for it. It was my bad apparently. But you need to pay attention to the fine print, even. What about when it comes to protecting your identity, Nicole, when it comes to freezing your accounts, which I don’t really understand, freezing an account until you’re ready to use it? Will you kind of walk us through that?

Nicole Cliff: Sure, so the credit companies offer a feature called a security freeze. And with a security freeze, basically, you call the company or notify the company that you want to place a freeze on your account until you want to use your credit, which at that time, if you want to obtain new credit, you would call the company and say, unlock the freeze.

Brad Means: Okay, use your overall credit and not like freeze this card until I swipe it again.

Nicole Cliff: Right, this prevents someone from obtaining new credit in your name.

Brad Means: And how reliable is that? Is there a way, it doesn’t sound like there’s a way that someone could get around that.

Nicole Cliff: I mean it’s working, which is why the federal law passed last year, in September of 2018, that said the credit companies can no longer charge you for that service, because the charge was discouraging users and consumers from using that feature. So if the freeze is on and there’s no charge for me to actually invoke or implement the freeze, then I benefit from that. The other thing that we’re seeing in the space, definitely to protect your online identity in regard to cyber criminals using or obtaining credit in your name, is the United States Postal Service offers a feature called Informed Delivery. And basically you can go online and register, create an account username and password, and with this, you can get grayscale images of the mail that’s going to be delivered to your house in your email. So you could get pictures that show what’s going to be delivered to your mailbox. Well, the Secret Service actually notified users to say we’re seeing this feature talked about in the cyber criminal forums.

Brad Means: Are you talking about those codes? They sort of look like a UPC symbol like you’d see at the grocery store that you see on the envelopes that come in your mailbox? Is that how the USPS is digitizing our mail?

Nicole Cliff: Well, they’re actually taking a picture, just a picture of the mail and scanning those images in. And so this is only a feature that consumers can use right now, it’s not offered to businesses. But what’s happening is the bad guys are creating that account in your name, you’re unaware of it, and they’re able to see, they’re able to obtain credit in your name and then see when that credit card is going to be delivered to your physical address.

Brad Means: And they show up and swipe it.

Nicole Cliff: And they show up and swipe it.

Brad Means: Listen, I’ll say this about the United States Postal Service, and they’re great people over there, but it seems really easy to do stuff online with them. Especially, have you ever had your mail held?

Nicole Cliff: Absolutely.

Brad Means: Doesn’t seem like there’s a lot of authentication going on there. You sort of enter your name and address and then it’s done. I didn’t know people could see images of your mail if they hack you and take it.

Nicole Cliff: Right, it’s a new feature that the post office is offering. And again, the bad guys know about it, so it’s very important that consumers know that this is a service that the postal service offers, so you need to go create your account and have that monitored so the bad guys can’t do it in your name.

Brad Means: Well, I want to get to what we need to know when it comes to creating accounts and just a little bit of, especially, what passwords we should all be using, but first, let me just talk about Wi-Fi. Either one of you can answer this. Sarah, I think I had in mind that you might, but what do you think about public Wi-Fi? It seems so wonderful, but I’ve heard it’s dangerous.

Sarah Rees: It really is. Public Wi-Fi is one of those things that, really, was a lot bigger when not everyone had a cell phone with a data plan. Nowadays, we all have data, but I think that there’s still a lot of consumers out there that feel like, you know, if free Wi-Fi is available, why use my data? Why rack up charges, right? So they use it. But the problem with public Wi-Fi is, even if you have to put in a password, maybe you have to go to the counter or maybe you check into a hotel and they give you a password, even if you have to do that, because that’s a public place, there could be anyone set up there with a device that is spoofing an SSID, and an SSID is the name of your Wi-Fi. Like when you’re at your house and you set it up and you say, oh, this is Brad’s house, right? That’s the SSID, what you’re naming that Wi-Fi. Anyone can go to a public location and set up something that says Starbucks Wi-Fi or Marriott Wi-Fi.

Nicole Cliff: Or FBI surveillance.

Sarah Rees: Which is why mine is named.

Brad Means: Is it really?

Sarah Rees: It really is.

Brad Means: Wait, so when you see that list of networks that are available, some can be made up.

Sarah Rees: Absolutely.

Brad Means: And some can be called Starbucks or Marriott and you’ll think it’s legit.

Sarah Rees: Absolutely.

Brad Means: How in the world do you not check that on your drop-down list of networks? How do you sense that it’s fake?

Sarah Rees: You don’t, and that’s why it’s such a huge danger. You really have no recourse except to not connect in a public place on public Wi-Fi because you really can’t verify, by any means, the authenticity of who that is.

Brad Means: I hate that you’re saying this because in a hotel for instance, it’s difficult to watch any videos.

Sarah Rees: Yes.

Brad Means: To stream anything.

Sarah Rees: Yeah.

Brad Means: Without it.

Sarah Rees: Well, so there is something consumers can do. Using a VPN service is really your best option. You can use a VPN service at a hotel.

Brad Means: What’s that?

Sarah Rees: At a Starbucks. So VPN is a virtual private network. And basically what this means is the user usually has some sort of a client application, just some software that you install. It might go through a web portal, but it’s basically something that allows you to connect securely to a known server, who will then encrypt and basically proxy all of your traffic. So the idea is that even if you were on a bad guy’s access point, he set up a Starbucks Wi-Fi network and you got on that, everything that you’re doing would connect to this VPN service and be encrypted so that person wouldn’t have the opportunity to eavesdrop on your traffic.

Brad Means: Where do I get VPN service?

Sarah Rees: Well, there’s a lot of things available online. And you know, I wouldn’t ever recommend just one over another, but I would say that consumers need to be careful about free VPN services because sometimes, and especially with technology, you get what you pay for. So free services, although there are some good ones, many of them don’t really offer the same type of strong protections and encryption mechanisms and assurances of your privacy that you might get with a paid service, but again, there are plenty out there and there are some that are very, very affordable. So if you do find yourself staying in hotels a lot because you travel for work or maybe you’re going on vacation, it might be something to think about having, just temporarily.

Brad Means: I want to get our break in now so that we can continue to talk freely right up until the end of the broadcast. So we’ll do that. We’ll continue to talk about all things cyber, especially your personal interaction with all things digital. What can you do to protect yourself? Sarah and Nicole will walk us through all of that and maybe you’ll walk away a lot smarter when it comes to your devices, in and out of your home, on the Means Report.

Part 2

Brad Means: Welcome back to The Means Report. Sarah Rees and Nicole Cliff from the Georgia Cyber Center here to explain better ways for us to relate to our device, our computers, our smartphones, in and out of our homes. And just to wrap up what we were talking about before the break, Sarah, this VPN service, that’s for use outside of your house or your office, right?

Sarah Rees: Right, absolutely.

Brad Means: Okay, got it. I’ll look into signing up for it for sure. What’s a Wi-Fi? I think it’s called a Wi-Fi pineapple.

Sarah Rees: So it’s a delicious drink.

Brad Means: It sounds good.

Sarah Rees: It’s not actually a tech, it’s a cocktail.

Brad Means: It’s not a tech, a cocktail. But what does it, how do we know if a bad guy’s using it?

Sarah Rees: So a Wi-Fi pineapple is one of those commercial devices that anyone, even a novice, can just buy online and use to set up a captive portal, for example, which is basically, you know, when you go to the airport and you sign into the Wi-Fi that they have there and they ask you to accept terms of service, or maybe you’re at your hotel and they say what’s your room number and your name? A captive portal is something like that, where you actually have to go in and provide some information, authenticate yourself in a very loose manner. So a Wi-Fi pineapple can actually monitor traffic, capture all of the SSIDs, all those network names, in an area, and it can then emulate networks. It’s very cheap to buy, and so that’s why you have to think about it: if this device that can do all of these high-tech things very simply, and actually replicate a portal once it’s seen it and replicate a network once it’s seen it, if that can be purchased online for, I think, $90 is what the, you know, mid-range Wi-Fi pineapple costs. If a novice can pick that up for $90 and take it to Starbucks, it’s really something we have to understand makes public Wi-Fi just something we should be wary of.

Brad Means: I wanted to go back to the Starbucks and hotel examples. If you do log on to their fake Starbucks network and start surfing, can they see what you’re doing? Can they watch you in real time? Oh, he’s on the, you know, the ESPN website. I see what he’s doing. Can that happen?

Sarah Rees: Yeah.

Nicole Cliff: If you are not connected via https.

Brad Means: Yeah.

Nicole Cliff: Then the session is sent in clear text.

Brad Means: So explain that to us, Nicole, you see in the address bar the http or https, what is the difference?

Nicole Cliff: Https, the s basically designates security of the session.

Brad Means: Alright.

Nicole Cliff: So one thing I teach my kids to look for when they are shopping online is, do you see the padlock? If you don’t see the padlock in the browser bar, then that means you’re connected insecurely. And if you actually click on that padlock, it offers information about the certificate. So if I use myself, for example, I have a driver’s license. In order to get that driver’s license, I have to go to the DMV and produce some documents that say you are this person. That circumvents me impersonating someone. So a website has to do something that is like that. They have to present a digital certificate to the browser in order to prove their authenticity. So the web browser makes a series of checks, and if there’s anything that’s wrong in that session, the browser will come back and say I can’t guarantee that you’re connecting to this site securely.

Brad Means: It will tell you right then.

Nicole Cliff: It will and so users have to pay attention to those messages and know that if the browser is saying I can’t validate that you’re connecting securely and I can’t validate that this server is who they say they are. So it’s not the authentic Gmail server for instance.

Brad Means: That’s a good idea, click on that padlock. When I see that padlock or the s after http, I’ll usually enter anything without fear at that point. Is that wise, is that okay?

Nicole Cliff: If you have the https, yes. You have some level of security and assurance that your information is being sent privately and securely. One thing you have to pay attention to, Brad, is that one feature that you should know about is most web browsers allow you to have a plugin called https, htt, can’t talk.

Brad Means: No, it’s a lot.

Nicole Cliff: Https everywhere. And this is a feature that says if the web browser offers a security service, automatically connect.

Brad Means: Please go to that.

Nicole Cliff: Yes.

Brad Means: You download that, you don’t have to buy it.

Nicole Cliff: Yes, it’s a plugin.

Brad Means: It’s a plugin that’s free.

Nicole Cliff: Yes.

Brad Means: A plugin means something, it doesn’t mean something you physically plug in.

Nicole Cliff: No, it’s a piece of software that adds into your browser’s functionality.

Brad Means: Okay, yeah. I do want to make this as easy to understand as possible. Sarah what do you have to add?

Sarah Rees: I just wanted to add, so Nicole is absolutely right. That s means that your session is secure, but I also want to stress that consumers should be aware that just because you’re connecting to a server through a secure connection doesn’t mean that that’s a good guy. So what I mean by that is, you know, we’ve been saying for years, look for the s, it means that you’re secure. But if I’m talking to you encrypted and it’s secure, but you’re a bad guy, we still have a problem. So really, you absolutely should look for that padlock, look for s, make sure that your URL is correct as well. So Bank of America, american.com. See, it’s not quite right, it’s not Bank of America. So verify your URL as well, that’s a very important component. Know the server that you’re talking to, know what you’re trying to get to.

Brad Means: Yeah, it sounds like it’s kind of a pain, but I mean just that little variation in spelling can be the difference. I want to talk about single-factor and multi-factor authentication when it comes to usernames and passwords and access to websites. Nicole, first of all, let’s start with you about the username, password deal. You’re more of a fan of a super complicated password, aren’t you? Because I always liked to just do, you know, B Means, one, two, three, ABC, and that’s not smart.

Nicole Cliff: Right, username password combinations are very easily exploited. Why are we still using them is the question? And the answer to that question is because they’re very easy to implement. They’re very cheap. We have to make sure we’re using complex passwords if we’re going to use them at all.

Brad Means: And how do we ever remember those? The more complex, the more likely you are to never remember them the next time we go back to that site.

Nicole Cliff: Yes, I have the same problems. That’s why I use applications that remember the password for me. So there’s one that is referred to as LastPass, and it’s basically a password vault where inside the application itself, it has a password generator that automatically generates complex passwords, and I can open the application and it has the website for the username and password that I’ve stored, and I basically just click that link and it will use the stored username and password with the complex password that the password generator has created, and I don’t have to remember that, it does all the heavy lifting for me.

Brad Means: You just need your password to get into LastPass.

Nicole Cliff: Yes.

Brad Means: Alright, and then that’s it, it does the rest.

Nicole Cliff: Exactly. LastPass has a vault password that you use to open the vault, if you will.

Brad Means: Let me ask you this, real quick, I don’t want to run out of time, but I’ve always wondered, if you think of a password, say your password is one, two, three desk, how is anyone ever going to guess that that word is desk? You know, that sounds really basic, it’s not complicated like you just advocated, how would they ever guess that my password is one, two, three desk?

Nicole Cliff: Well, basically they’ve created these tables where every word that’s in the dictionary, they’ve translated that into what it looks like in a hash, and they do comparisons. And you have to understand that this is software that’s actually making these comparisons. This isn’t, you know, a human trying to break into the industry.

Brad Means: That’s my mistake.

Nicole Cliff: So they use special algorithms that basically go through and look at the comparison: if the word baseball is in the dictionary, then they look at the comparison of that to its hash, and they know that you have baseball as part of your password just because of the hash that represents the same value.

Brad Means: Oh my goodness, we could do a whole show on that.

Nicole Cliff: It’s very complex. I don’t know how far I want to go down that road.

Brad Means: No, and I don’t want to run out of time as I mentioned, but I would love to see how letters are translated into hashes and how those are viewed by computers. That’s single-factor authentication, username, password. You like multi-factor in some cases. Please tell me about that.

Sarah Rees: Yeah, multi-factor is the best way to go if you have the option, and a lot of your larger places like your banks, right? They’re going to offer that. Gmail offers that, your Google account offers multi-factor authentication. But the idea behind that is, you know, for someone to break in, in order to make that harder, they need more than just your password. So when we talk about multi-factor authentication, it means that to authenticate as Brad Means, you need more than just Brad Means and a password. You need something else. That’s that other factor. So when we talk about factors, you have something you are, something you know, or something you have. So something you have could be like a smart card with the chip, kinda like our credit cards? A smart card that holds information, certificates, something to authenticate who you are. It could be an RFID badge, right? So it’s something you have. Something you know, that’s the password piece. So if passwords are something you know, and that’s one factor, we need to add something. So it could potentially be something you have or something that you are. For example, a retina scan or a fingerprint. Those are biometrics, so that’s something about what you are, right? So having multi-factor authentication is always preferable.

Brad Means: Do you think that’s where things are going and where they already are in some circumstances, we’re heading toward multi-factor?

Sarah Rees: Yes, absolutely, yes. Like I said, banking for example, that’s a great example. And Google, Google offers multi-factor authentication. Anytime you sign into your Gmail, for example, you have to provide a password, but if you’ve enabled multi-factor authentication it’s going to send an SMS, a text message, to you, and you have to enter that code. So that’s that other piece. Now that’s dependent on something you have, having your cell phone. But it is important to understand that, while it is absolutely better and much stronger, if an adversary is persistent enough or they’re dedicated enough or they’re smart enough and they really want to get in, there are ways to spoof SMS text messages, there are ways to redirect them, so we shouldn’t consider that the end-all of good security.

Brad Means: I’m not a gigantic corporation, this is my last question. I’m just the common man. Do adversaries care about me? Do they really want to hack into John Q. Public’s bank account or are they focused on bigger things?

Sarah Rees: You know, I think a lot of the things that we see that are more consumer oriented, adversaries targeting individuals, those are generally more social engineering in how they start. They’re not going to expend a lot of technical effort, they’re going to do things like call your house. True story, my husband’s aunt called me ’cause she knows I work in cyber and computers, she called me months ago and said I think I’m infected with a virus. She had received a call from someone on the phone that said hey, your computer’s infected, I’m from Microsoft, you need to go in and look at this and look at this and download something. And she was a little shook up about it and I talked her down and I said no, you did the right thing, ’cause she told me that she refused to download anything or, but that happens frequently. I’ve received those calls, I know she’s received those calls.

Brad Means: Everyone’s vulnerable.

Sarah Rees: Yeah, so you know, it started with those old, you remember the Nigerian Prince scams, it started with that, but it’s escalated. And so the phone calls, I’ve seen a lot of that being something that consumers are a little bit more susceptible to, it’s a scare tactic.

Brad Means: Sarah Rees, Nicole Cliff, thank you for your expertise.

Copyright 2019 Nexstar Broadcasting, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.