With many people working and schooling from home this year, in-home security is more important than ever. But why? Check out this episode to learn more about cybersecurity for the remote workforce and the current work-at-home movement. Get some advice from the guys about what you can do. As always, please feel free to send comments, questions, and feedback to us via email at unsecurity@protonmail.com.
Protect Your Organization from Cybersecurity Threats
SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats and stay insurable and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:22] Brad Nigh: Hey there, thank you for tuning in to this episode of the Unsecurity podcast. This is episode 108. The date is December 2nd, 2020, and I’m your host, Brad Nigh. Joining me as usual is my good friend and coworker Evan Francen. Good morning, Evan.
[00:00:37] Evan Francen: Good morning Brad. Nice to have you back man.
[00:00:39] Brad Nigh: Yeah, yeah. So I’ll share a little bit with everyone. What happened? So I had labyrinthitis, which is basically... the labyrinth is the fluid sac in your inner ear that affects balance. And when I had that uh sinus and ear infection in October, apparently the viral infection got into that and it can just sit there and randomly strike. So on the 17th, about noon, I was like, hi, something’s wrong. Um and you know, mentioned it right before the show. My dog, my 14 year old, came in the office and was like, dad, you look awful. And uh about 2:00, uh my wife, the nurse, ended up saying no, we’re not, I’m not taking you to the urgent care. I’m calling 911. So when the nurse says I’m doing that, you don’t really argue. Um, but yeah, yeah, I was pretty much completely out of it from about noon on the 17th through really the following Sunday. And then um that Monday, Tuesday, Wednesday of last week, it was like, you know, if you’ve ever been on a cruise, you know that first day where you just kind of feel off and you just stumble, or you know, you feel the rocking of the boat. That’s basically how I felt all the time uh from the 17th or the 18th on. On the medicine, when the medicine would wear off, like, it was about a half hour window where it would kind of wind down and then another half hour where it would start to pick up, so that’s about an hour. I was basically unable to do anything.
[00:02:49] Evan Francen: Uh man, so it’s called labyrinthitis?
[00:02:52] Brad Nigh: Yep. Yeah, so it’s basically like uh, for anyone who’s had vertigo, it’s that but on steroids, and it sticks around for, you know, one or two weeks, and a full recovery can take two months. So even now I’ll be standing and all of a sudden, just like, I feel like I’m falling or lose my balance. I have to take a step to like uh recover, I guess, I don’t know the right way to put it. But um or yeah, I’ll be walking and, just like, I was joking to one of the neighbors, they’d see me walking down the street, picking up the kids from the bus, and be like, why is he drunk at 4:00 in the afternoon stumbling around?
[00:03:40] Evan Francen: Well, 2020, man. You have populations drunk by afternoon.
[00:03:46] Brad Nigh: Yeah, I am so done with 2020.
[00:03:49] Evan Francen: Well, and add labyrinthitis to your list. Yeah. So we’re not, we’re not sharing video today because that’s another, that’s another trigger, right?
[00:04:02] Brad Nigh: Yeah. Yeah. I found the last couple of days here that having the video on and trying to watch that on the screen... the screens are enough. Like, I was offline for basically like seven days except for just kind of texting people to give updates, because I couldn’t watch TV, I couldn’t look at like an iPad or the phone or anything. Uh I would put on shows and then put on my uh, you know, hat, pull the brim down so I couldn’t really see anything. I’d just listen to things. So it was like movies that I’ve seen or shows that I’ve watched a bunch of times, just to kind of get through the day, because I couldn’t actually watch the screen.
[00:04:47] Evan Francen: Yeah. Uh huh. I’m glad you’re back, man, and I’m glad that it sounds like things are going to eventually return to normal. Things are better today than last week. Uh I had to go solo on the show again, which, you know, it’s just, I totally get it. It’s just awkward as hell because, you know, I’m sitting here talking like, yeah, having a conversation with myself.
[00:05:11] Brad Nigh: Yeah. Yeah. I would have loved to have been able to do that. Yeah. But uh the fun part of it was the treatment is you basically just treat and uh handle the dizziness so that you don’t feel like you’re gonna be violently ill all the time. And so it was like meclizine, which is basically a cousin of Dramamine, for the motion sickness stuff, and Valium. So I just basically slept for the three or four days and then kind of cut the dosage down. But yeah, I didn’t care too much. It was nice, I guess, you know, if you’re gonna suffer through it, at least be pretty chilled out.
[00:06:05] Evan Francen: someone something through it. High man, why not?
[00:06:09] Brad Nigh: I would not wish that on anyone. It was yeah, it was not fun.
[00:06:15] Evan Francen: Well there’s probably some people I would maybe wish it on but Well that’s a whole nother that’s a whole nother show.
[00:06:21] Brad Nigh: Yeah, that’s part of the uh Security Shit Show.
[00:06:26] Evan Francen: Or maybe that’s part of CNN or Fox News. Yeah, there you go. All right, well, anyway, it’s your show to lead uh, fourth quarter, man. So on top of all of that, fourth quarter is always crazy, you know, for people, for people who are, you know, security people, or people especially in information security consulting. This is the craziest time of the year, man. And so you’re having to deal with that and this labyrinthitis thing, man. How’s that? Gotta be nuts. You’ve gotta be backlogged right now.
[00:07:02] Brad Nigh: I signed on Monday and had, I don’t even, I honestly don’t know the exact count. I had well over 100 emails to try and get through.
[00:07:13] Evan Francen: from the that’s not that’s a weekend man. Yeah. Well not
[00:07:19] Brad Nigh: to mention, you know, a week and a half of work that I missed. Yeah, it was uh, you know, we’ll get caught up at some point, like in, you know, February, March.
[00:07:32] Evan Francen: There you go. Well. And for people who know me, they know that my son Joe is also a penetration tester. Uh I like to think he’s a good one because I put pressure on him, but you know, I don’t know, well, that’s what Oscar tells us. But the uh, I was talking to him this weekend. He came over for a little bit and uh, just, you know, hey, how you doing, man, busy? It’s like 100% capacity. Like, I have no time. I’m like, well then what are you doing here? I didn’t say that. But now they’re uh, what the team is working under um, if you want to take on extra work you can get paid extra. Right?
[00:08:16] Brad Nigh: You’re kind of like a little bit of a bit program where if you’re going to work nights and weekends to take on the extra work we’ll get a little little bonus to you for giving up your personal time.
[00:08:30] Evan Francen: So like that, and you make it so then it’s not mandatory, you know, and you know, if I want a few extra bucks for Christmas, you know, I can do that.
[00:08:39] Brad Nigh: Yeah, yeah, and you know, Oscar has been fantastic with managing that team too, and making sure, like, hey, there’s no pressure. If you have something to do, don’t worry about it. If you want to take it on, let me know and we’ll, you know, we can schedule something. But yeah, yeah, and then uh, yeah, I think the tech services, the pen testing team is kind of pretty much booked through like mid-January at this point. They’re about six weeks out, I think. And then I know the consulting team was at 92% capacity across all of the analysts through at least the end of the year. That was prior, it was November 16th. So it’s been two weeks, I’m not sure exactly where they’re at at this point.
[00:09:33] Evan Francen: Yeah, all the, yeah, like I said, man, it’s that time of year, it’s the same way every year.
[00:09:41] Brad Nigh: Well, this year has been interesting in that, you know, with COVID and everything shutting down, you know, for kind of like April, May, June, nobody wanted to do anything because they were trying to figure out how to work remotely and just keep afloat, right? And then all of a sudden it was like, okay, now go, everyone at the same time, we need our stuff that we didn’t do three months ago on top of our standard, like, everybody freaking out to get stuff done at the end of the year. So it’s been uh, been an interesting, interesting year. Yeah.
[00:10:27] Evan Francen: Let’s get it, it’ll keep your body out of trouble. You gotta keep him busy. It’s better to be busier than it is to be not busy. Uh, true.
[00:10:36] Brad Nigh: Although I won’t lie. Uh you know, not, not how I wanted to keep get some time off,
[00:10:44] Evan Francen: but you know, I don’t know, man. All drugged up chilling out. I don’t know.
[00:10:51] Brad Nigh: Yeah, no, it wasn’t not cool.
[00:10:56] Evan Francen: Well, the uh, and there’s been a lot of stuff going on. So last week was Thanksgiving. It seems like, you know, it went by really fast. We didn’t do the security show last week because it was Thanksgiving um, and there’s 1000 things going on, you know, and in my world it seems like, you know, between development stuff and, you know, last, I guess just yesterday, I wrote uh, I don’t know if you saw it, the holiday shopping safety checklist. Mm, did you see that?
[00:11:33] Brad Nigh: No,
[00:11:35] Evan Francen: It’s probably the best piece of work I’ve ever done.
[00:11:39] Brad Nigh: All right. I’m gonna, okay, right now.
[00:11:41] Evan Francen: Over talking. Love it. Uh, in a few weeks, about a month, I think I’ll be heading out of town again to write another book. I didn’t get a chance to finish our book. No, I never really even got started much because of COVID this year. Um, so, you know, we’ll talk more about that, I think, in future shows, about what the book is. And I think it’s going to be really helpful to people. It will be sort of a handbook on how to do virtual chief information security officer work. I think it’ll be fun.
[00:12:20] Brad Nigh: Yeah. And you know what’s interesting? I think it will also be good not just for virtual but just for CISOs in general, right? People that want to run their own program or are trying to run their own program. But yeah, it will be primarily focused on the virtual piece. Yeah. But yeah, I’m gonna send you a picture. Speaking of Thanksgiving, I smoked a turkey. Uh, so I was very glad I was feeling well enough to do that. So I did this, that part.
[00:12:56] Evan Francen: uh gets rolling. It’s a rolling papers for a turkey.
[00:13:01] Brad Nigh: Mhm. I did the uh, did the spatchcocking where you cut the backbone out, and what? So it was so good.
[00:13:14] Evan Francen: Yeah. All right, well, uh we’re back to information security at home. Right? Yeah.
[00:13:22] Brad Nigh: Yeah. We were planning on doing this last week, but like it says in the notes 2020 won’t stop 2020. So talking about, you know, kind of what we do um Why is this a big deal? And and you know, how can normal people or what can other people do to protect themselves?
[00:13:48] Evan Francen: Yeah, well it’s uh, that’s the thing, man? I mean, at home nobody is responsible for your information security more than you are. Right, right. Nobody can stop you from clicking links unless you’re going to stop yourself from clicking. Nobody’s going to keep your kids safe, you know, more than you should, right? As much as I’d love to help you more, I can’t. Right, everyone, did you try to keep my kids safe?
[00:14:19] Brad Nigh: And we’ve said it, I mean, how many times, you know, what if you see people clicking links at work? You know they’re doing it at home, so we want to get good, you know, what they do at home and what they do at work are going to be the same. That’s why it’s so important for training, awareness, and trying to help people, because you know, if their bank account gets drained, do you think that’s going to affect their work? Oh yeah,
[00:14:48] Evan Francen: exactly. Well, so what are some of the things? Now, you and I are security people, we do this stuff, you know, for a living, and I think what makes that different, you know, it’s just like there’s one of two ways to go about it. You know, I think of some of my friends who are auto mechanics and some of them have the worst running cars on the road because they don’t care. "I know that if it breaks down, I can just fix it."
[00:15:18] Brad Nigh: It’s like the, is it the cobbler’s shoes, right? It’s always the, you always have the worst of whatever you’re doing.
[00:15:27] Evan Francen: Yeah, so I think some of us, you know in this industry, you know the way we secure ourselves at home, it’s whatever than others of us I think are a little more paranoid and probably can we go too far?
[00:15:41] Brad Nigh: I’m probably more on the the maybe that that called paranoid, but definitely on the that side of it versus the
[00:15:52] Evan Francen: Yeah, I think having kids makes a big difference too, right? Uh, or having, you know, family at home, because I might trust myself pretty well, but you know, my six year old daughter, I kind of want to protect her. I kind of want to do whatever I can to make sure that she’s safe, right? Mhm.
[00:16:14] Brad Nigh: Yeah. Yeah, so you know, I think we’re looking at it immediately, what are some of the, like, really, I guess, call it quick wins that people could do. Um and I think the most obvious one to me is just make sure you change the default passwords on your wifi or your router. Like, if you haven’t done that, start there. Yeah, don’t worry about anything else, just start with that. Mhm.
[00:16:45] Evan Francen: And defaults always make it, yeah, make it too easy for, you know, the bad guys to get in. Wow, I think it’s a great start, and I think it’s, you know, have a discussion with your family. A lot of times you don’t even talk about this stuff. You know, you don’t sit around the dinner table and talk about, hey, tell me about your passwords. You’re keeping those? That was legit, but if you don’t have to, you know, obviously say that I was joking. But just talk about, you know, what do you do online? Talk to your daughter, talk to your son. Talk to your wife. You know, you may find that, I don’t know, she’s shopping. Yeah, I mean, I don’t know, there’s all kinds of things that could be happening, but it’s just this conversation. We just have this ignorance about us sometimes. We’re, you know, I don’t know, especially this time of year, right? You’re gonna be flooding in probably some new IoT devices. Maybe a new TV. That’s uh, you know, it’s gonna be a smart TV, because they don’t make dumb ones anymore. You know, do a little research before you start plugging things in. But I agree with you, man, the biggest thing is update and uh change defaults, keep things, you know, patched.
[00:18:10] Brad Nigh: Yeah, well, that’s a good point, updating, you know, making sure that you do apply security patches when they become available. Um, although unfortunately with IoT you just don’t see that very often.
[00:18:27] Evan Francen: No, no. When, it’s funny, this last, it was last week, the Senate, I think, just passed the uh, the first um federal legislation on IoT security. Um, it needs to be signed by the president before it becomes law. But that’s kind of exciting. I, okay, the ioXt Alliance, I think, led kind of the charge on that. Yeah. Nice. I would expect IoT to get better in time, but between now and then you’re gonna have to suffer through some of this stuff.
[00:19:07] Brad Nigh: Yeah, I think understanding, well, yeah, yeah, it’s gonna be, it’s gonna be interesting for a while. Um, I think, looking at, I would personally look at what the company’s update policy is, or what do they say, before I buy something. Um, you know, like I do have the Arlo system and they’re actually pretty good about pushing out updates to their app and firmware for the cameras themselves. To me that’s important, right? My dishwasher is not online. It has a wifi connection if I wanted it, I don’t do it. They don’t have good updates. So it doesn’t get to go online.
[00:20:02] Evan Francen: Right?
[00:20:03] Brad Nigh: And what’s crazy is why does your dishwasher need to be home?
[00:20:08] Evan Francen: Why? No. Well, they call this, you know, smart homes, right? And really, if you’re not configuring your things well, if you don’t want to use the stuff, your smart home is actually really stupid. You have a stupid home. You know, because, I mean, just think about this: every time I plug something into my home network and it calls somewhere, right, it goes out into the ether or the internet somewhere, that’s, you’ve got another connection into your home. And it’s not like your, you know, your old school physical connections where you knew who was in your home, you knew what was in your home at any given time. With this transition to everything being digital now, you have no idea who’s in your house every day. You know, you think physical, but the digital can cause you just as much damage, if not more. You know, if an attacker has got control over my dishwasher or my washing machine or my garage door or my home security system or my camera surveillance, you know, there’s all sorts of things that they can do with that. People are just kind of oblivious to this. They get a cool new gadget, blinky light thing that, you mean I can watch what’s going on in my home on my iPhone? This is super cool. Yeah, but it’s default passwords, and so the attacker’s looking at the same thing you are, including you making love to your wife, or your daughter uh, you know, playing. It’s a lot more dangerous than people think it is.
[00:21:49] Brad Nigh: Yeah, no, absolutely. If you, and like you said, people don’t consider that, you know, it’s if you don’t change those things and you put those cameras in your house, you know, personally, all mine are outside. So it’s all what would be considered public anyway. Right. I’m not gonna put anything inside the house where I wouldn’t want somebody to see it. Right.
[00:22:16] Evan Francen: Well, there’s that, and I’m sure you’ve secured your Arlo, you know, uh, video better than others, you know, some, the uh, because even then attackers can watch your comings and goings, right? And then uh, right now, I know they’re going to steal something. No, not now.
[00:22:38] Brad Nigh: Yeah,
[00:22:40] Evan Francen: eventually
[00:22:41] Brad Nigh: at some point. Yeah. No, I agree, you know. But I think also, if you think about it, it’s, you know, that risk assessment, right? If somebody is going to hack my cameras to see if I’m coming or going, it’s going to be easier for them to just break a window to get in, you know? So there is some level of, like, yeah, of course I changed all the default passwords. I don’t even know the password. I use, you know, LastPass for it. I have no idea what the actual password to log in to that is. It’s a 20-something character randomly generated password. All right. Right. You know, there’s some level of making sure you do those basics of, you know, changing the default. And then at that point it’s like, well, you know, if they have that, I’m pretty well screwed at that point anyway.
[00:23:40] Evan Francen: Well, right. And I’m talking like, you know, your everyday user. I have, you know, zero concern really about, you know, your own security or mine, because I do understand much of the risk. I don’t plug things into my home network unless I understand what the hell it is, how I’m going to secure it, what it’s talking to, what’s talking to it, you know? But most people don’t do this stuff. Most people don’t think the way we do, and it’s not because of lack of intelligence or anything like that. It’s just we do this for a living.
[00:24:15] Brad Nigh: Well, and yeah, the same thing, like people that think of CPAs, right? They do their taxes a certain way and they know all the things. You and I are like, okay, sounds good to me, right? It’s the same kind of concept
[00:24:33] Evan Francen: across. But yeah. But the sad thing is, is now, yeah, I agree. But CPA is like a specialized skill, and so is some of the deeper information security stuff. But I’m talking the basic security stuff, you know what I mean?
[00:24:50] Brad Nigh: I think? But I guess how many people don’t even think about balancing, you know, every week or every month, validating and looking at their accounts and making sure that, hey, somebody hasn’t gotten one of my cards and fraudulently charged things, you know? So I think there is kind of a linear, there is a comparison between the two, of just the basics of finance, the CPA, and then basically infosec and what we do.
[00:25:25] Evan Francen: Yeah. I mean, I see the comparisons in terms of that stuff, but the thing that actually pisses me off, and it sort of breaks my heart, is uh, my taxes don’t lead to my children being propositioned by some 45 year old in Philadelphia. You know. Very true. My taxes don’t uh lead to privacy violations and things that I can never really get back, right? And some people may not care. But you know, let’s say I have a camera surveillance thing in my uh, you know, upstairs hallway, and my wife comes out of the bathroom naked, somebody else sees my wife naked. Some people may not care about that, but you can’t, you’re not, yeah, it’s like that is gone now. Whatever privacy you had for that, it’s not there anymore.
[00:26:21] Brad Nigh: Right? No that’s that’s a good point. And you know, I think
[00:26:27] Evan Francen: one of the things I don’t want people to do, man, is I don’t want people to minimize this. I don’t want people to think, you know, whatever, it’s somebody else’s job. No, it’s not. It’s not your ISP’s job. It’s not your kids’ job. It’s nobody’s job but yours. Nobody else should log into your router, make sure your passwords are changed, you know? And if you feel like tinkering around a little bit with the settings, go ahead and do that. But at a minimum, like, the password. Like, I don’t know, who’s your ISP?
[00:27:03] Brad Nigh: Uh, Mediacom. Yeah, sure. Uh, yeah, thank this. Mediacom.
[00:27:11] Evan Francen: Mine here is uh, shoot, the name’s escaping me now. Yeah. Who’s the big, shoot? That’s fine.
[00:27:21] Brad Nigh: So like neither of us actually know what who he is.
[00:27:27] Evan Francen: Right? But here’s the thing about CenturyLink. CenturyLink, when they install your router, uh, they put your password for your router on a sticker underneath it. So for people who are listening who don’t know how to change your password, or even log into your router, look there, right? Typically there’s a sticker that says an IP address, right? It’s four octets of numbers, right? So it’s a number dot number dot number, I don’t know, I lost count of how many numbers and dots that was. And then there’s a password there, right? Open a browser, type in that address. You’ll get a prompt. Your username is probably going to be admin and your password is gonna be whatever the hell they put it at.
[00:28:13] Brad Nigh: Yeah. Mhm.
[00:28:15] Evan Francen: Yeah log in. Change it yeah
[00:28:19] Brad Nigh: and change it to something not not just change it but make it secure. Right. Right.
[00:28:25] Evan Francen: Right. And that’s the beginning, so, and then if you’re even a little bit more paranoid, like some of us uh, CenturyLink still has access to my router, you know what I mean? Even if I change the default password, they have a back door into my router. They do that for support purposes, for people who, you know, call them and nothing’s working, whatever. Uh, I would suggest, you know, just getting rid of their router and putting your own in. I don’t like people having backdoors to my stuff, and maybe you don’t mind because you trust, you know, CenturyLink, but I don’t trust CenturyLink.
[00:29:13] Brad Nigh: Also, if you look at it, if you lease their router, I mean, you’re paying typically what, $10 a month for that, and you can get your own for less than it would have cost you for one year of leasing. You know, they’re $92, you know, $150, whatever that is. And honestly, this is gonna last you, you know, the one I’ve got has lasted, yeah, well, four plus years at this point.
[00:29:47] Evan Francen: Yeah, I’d say like 400, there’s no moving parts,
[00:29:50] Brad Nigh: right.
[00:29:52] Evan Francen: Things that don’t have moving parts last long, long, long time. Mhm. But so okay, so the first thing to do, number one change your default or change the password on whatever. Yeah,
[00:30:09] Brad Nigh: whatever your internet facing devices, change your password.
[00:30:13] Evan Francen: Right? And if you don’t know what your internet facing devices if you got DSL follow the phone line you know into a box that you don’t recognize that your
[00:30:23] Brad Nigh: router
[00:30:26] Evan Francen: Yep. You know, the same thing with coax on your, you know, Mediacom?
[00:30:30] Brad Nigh: Yeah I mean think of it typically like they’re mostly black and a size of a book.
[00:30:39] Evan Francen: Yeah
[00:30:41] Brad Nigh: You know, figure out where you’re at, and you know, if you’ve gotten your own and you’re not using the cable company’s or your internet provider’s, just do a Google search for whatever device name it is, default password. And I mean, that’s the easiest thing just to get into them.
[00:31:03] Evan Francen: Yeah, another thing you can do is, you know, if you don’t feel comfortable with this stuff, ask a friend, ask uh, call Mediacom, call CenturyLink, call your ISP and ask them for help too.
[00:31:19] Brad Nigh: Right.
[00:31:20] Evan Francen: Right, because this is just step number one of many, many, many more steps to come. And I know people can complain that it’s so confusing and everything else like that. And I’m one of those hard love kind of people on this. You brought it on yourself. You keep plugging stuff into your network, you have this lust for technology, yet you don’t know how to use it, right? So if you feel overwhelmed by all the security stuff that you need to secure your home, a lot of that falls on you. A lot of it also falls on the vendor, that’s a whole other issue, man. I mean, where vendors just continue to make crappy products from a security perspective. But you know, I mean, I think most people, like 90% of people, have no idea what’s even on their home network. They think they do, but they don’t.
[00:32:09] Brad Nigh: Yeah, which is why would I want to argue with you? But no, you’re probably right and that’s scary.
[00:32:17] Evan Francen: It’s right. Well because I don’t, I mean I was just uh I am, there’s all kinds of tools you can use to find out what’s on your home network because the next thing after you sort of secure the router is to try to figure out what’s behind the router in your house. Right, right. I mean what things in your house are calling out to the internet, Don’t worry about who they’re, what, what these devices are talking to you right now, just figure out what the devices are.
[00:32:47] Brad Nigh: Yeah,
[00:32:49] Evan Francen: and you know, I use uh, you know, nmap, which, you know, it’s free. If you feel comfortable using nmap, uh, you know, just Google nmap, find it, download it uh, and run it, see what you got. You’ll probably have a whole bunch of devices that will come up with these funky looking numbers, right, hexadecimal things, because it couldn’t resolve them to, you know, a manufacturer ID, but at least, you know, now you can go on a hunt, which is sort of fun if you make a game out of it. Yeah, and I use
[00:33:30] Brad Nigh: but it. Yeah. Yeah
[00:33:34] Evan Francen: help you. And I have a little, we have a custom config kind of on our our home networks. So it’s uh I actually have more than one and you have more than one network to uh to find stuff on because we segment our network. But What would you say, 99% of people don’t do that. Yeah. Yeah.
[00:33:58] Brad Nigh: Well, you know, you think about it, and a lot of our listeners are, you know, in this, in security or IT, and they’re like, well, but I do it. But you think of the fact that there’s, what, you know, probably, you know, that still leaves 300 million people that aren’t doing it.
[00:34:26] Evan Francen: Well, that’s one of the chant, that’s one of that. And that’s a whole other topic too, is us, us security people and IT people. Yes, we actually expect, I think sometimes, other people to think like we do, other people to look at the world the same way. It’s like, no, they don’t, and they never will.
[00:34:47] Brad Nigh: Yeah. Yeah, there’s, I think there is that assumption. Uh, well, everyone thinks this way because I do it. I think, you know, I’ve been talking to somebody um, gosh, I can’t remember who it was. It was for work, right? A potential client. They were asking about some of the resources on the website and they mentioned the CISSP. They said, well, there was something like training where I just have to buy the book. We’re talking about it. And I was like, even if you don’t want to take the exam and you don’t want to buy the book, just listen to the recordings. It will change how you think about things. And I think, you know, there’s gotta be a better way for that information. That is, I mean, let’s be honest, it’s painful sometimes, but how do we get that to the vast majority so that they start thinking of these things in a way that, yeah, they’re gonna be more secure and reduce that risk?
[00:35:57] Evan Francen: I wonder, I think we expect them, one, we talk with our own clan a lot more than we talk to them. You know, I don’t sit down with my friend, I’ll use Bobby as an example. My buddy Bobby, he’s an ironworker, awesome dude. I don’t sit down with him and talk to him very much about, hey man, tell me about your passwords on your iPhone, you know, let’s talk about, you know, good cyber hygiene. He’d look at me like, what the hell are you talking about?
[00:36:28] Brad Nigh: shit. Yeah
[00:36:29] Evan Francen: because I actually have done that, because I’m weird. But we talk to, are like, you and I talk about security all the time, just about every time we get together. We, you know, we’re talking about either barbecue or, you know, family stuff, things that we enjoy, you know, it’ll lead to some security conversation at some point. And then, but we speak, and we speak that language fluently. When I go talk to Bobby, I can’t use the same language.
[00:36:59] Brad Nigh: No. Yeah. And I think part of the issue is, well yeah, people that do speak this language just assume or look down on people that don’t speak it and that’s a huge issue
[00:37:16] Evan Francen: because it is man, it’s so dangerous.
[00:37:19] Brad Nigh: We we need we need those people to be aware of these things because I mean realistically it just makes our jobs easier. Yeah,
[00:37:30] Evan Francen: Well, there’s that. Aren’t these the people that we serve, that we’re trying to protect? I’m not trying to protect me. I’m pretty well protected. I got my shit, excuse my language, I got my stuff together. Who I’m trying to protect is my buddy Bobby,
[00:37:49] Brad Nigh: right? Yeah.
[00:37:53] Evan Francen: And so if I want to try to protect my buddy Bobby, well then I'd better learn to either speak his language or translate my language into his language, something that will resonate. Because, you know, the problem just continues to get worse. Especially, you know, this Christmas, I don't know how many IoT things and cool blinky-light things will be plugged into people's homes this holiday season, but it's going to be a lot
[00:38:22] Brad Nigh: Yeah, well, and you know, coming from a business perspective, with everyone being remote for who knows, you know, probably another 3-6 months at least, if people even go back, what does that mean? Right, if they're plugging all these things into their home network and then connecting to a VPN into your corporate network, you're exposed to everything they've got plugged in. You have a vested interest in making sure they know and have good security hygiene at home.
[00:39:02] Evan Francen: Well, it's funny, man, because, you know, I talk to some people and they're like, oh, we got, you know, XC endpoint protection in place, or whatever the hell they got. I'm like, okay, so. Do you, I mean, do we not know? Did we forget, some people never knew, but did we forget how attackers actually work? You know, they compromise the system, they elevate their privileges, they plant backdoors so they can come back later. Then they pivot, they pivot and they pivot until they find what it is they're looking for. Now, sometimes a lot of those steps can be automated. Sometimes it's a manual process, so they may not waste their time. But if I find out that, you know, Joe Blow is the CEO of big huge company and Joe Blow is working at home, and I just do a couple of little Google searches and find out where Joe Blow lives and find Joe Blow's home network, yeah, I mean, what a great opportunity for me to use Joe Blow's home network, you know, you say a vulnerable Arlo or vulnerable whatever. Yeah, probably dryer
[00:40:12] Brad Nigh: online with a back door into the, right,
[00:40:18] Evan Francen: right. And there's enough return on my investment as an attacker that I might spend a little extra time trying to figure out how I'm going to compromise endpoint protection or compromise, you know, well, something, a misconfiguration potentially on the VPN. Think
[00:40:39] Brad Nigh: about this. I mean, how many companies are letting people use their personal devices, that they have no control over at all, to connect in? Right. You know, we're talking with people, yeah, yeah, we have to let them use their own, we can't afford to buy laptops for everyone. Okay, so what controls do you have in place? Do you make recommendations for good endpoint protection for those users that are using their own? You know, how do you ensure they're getting patched, and what do you have in place to make sure that the traffic coming in, you know, is legitimate, and you're not getting, you know, Emotet, TrickBot and all the fun stuff coming in,
[00:41:29] Evan Francen: you know? Yeah, it's crazy how, you know, we've created so many really convenient playgrounds everywhere. You know, I was talking to a friend of mine about schools, you know, and remote learning. Schools were already pretty poor at information security, and that was when they only had a few limited networks that they needed to protect, right? The physical boundaries were pretty well defined, it was the campus. Well, then you go to remote learning and your three or four campus networks have now exploded into a few thousand networks that you need to be cognizant of and may be responsible for to some extent.
[00:42:20] Brad Nigh: Yeah. And, you know, I will say, so I do have a little bit of a vested interest, because I do vCISO for a school district, and I will say it's not that they don't want to do the right thing. There are so many constraints from, you know, manpower and budgetary issues, they're not funded. It's not that they don't want to, they don't have the resources to do it. And now, like you said, they're going from trying to protect one to, you know, thousands, and they already didn't have the resources to protect a couple. How do you expect them to do it?
[00:43:04] Evan Francen: Well, a lot of this stuff doesn't take funding. You know, how about using some creativity, you know, like make a community effort, you know, to secure things, like, you know, you have communities with those community education things that they do. Or make it mandatory: if you want a school-issued laptop, you need to do an S2Me or something, right? Start this education process, because now you need to educate the parents more too, right? So you can use something free like an S2Me and say, hey, everybody, take this, and, you know, maybe start doing information security, cybersecurity, as part of the curriculum.
[00:44:05] Brad Nigh: Well, yeah, that would be very helpful, I think, and not wait until high school, right? Because you do see some of that where they start doing some cybersecurity stuff in high school, but start in kindergarten, right? Like, start as soon as they have access to a device. I know my youngest is in kindergarten and now he has his own iPad for schoolwork. Well, they should be teaching them and providing some guidance around that, because you're giving them access to basically everything
[00:44:49] Evan Francen: right? I love that. So a couple of people, you know, just a shout-out real quick, even though we're not at shout-outs yet, but Rachel Arnold is a great advocate for, you know, us getting off our island, you know, the information security people getting off our island, right? And I like that piece. And then when you were mentioning, you know, putting electronics in the hands of somebody who is not trained or doesn't understand the danger in it, like you said, like a kindergartner, hey, here's an iPhone, danger, you know. And I think of the picture of Chris Roberts in one of our shows where he held up a phone in one hand and a pistol in the other hand and said, which of these is more dangerous?
[00:45:36] Brad Nigh: Oh, the, well, the phone, just because it's so much more prevalent.
[00:45:41] Evan Francen: Well, yeah, and it's stealthy, and, I mean, there's all kinds of things. But people need to start thinking about that, thinking that this is a life skill, right? And no matter how much I want you to learn these life skills, you have to want to. If you don't want to, it doesn't matter what I say. Yeah, I can preach to the wind all day long, try to figure out what language is going to resonate with you, try to get through to you. But if you don't want to learn this, you're never going to learn this, and you do so at your own peril.
[00:46:18] Brad Nigh: Okay. Yeah.
[00:46:22] Evan Francen: Because we could hold these vendors accountable for making better devices if we actually knew the danger. But if people knew the danger, you wouldn't buy your Tesla that was connected to the internet. Well, maybe Tesla you would, because they actually take security seriously, but some of these things that we allow in our own cars.
[00:46:41] Brad Nigh: Yeah. Well, you know, there are proof of concepts of these cars that have, um, whatever the,
[00:46:51] Evan Francen: uh, the autonomous driver think
[00:46:53] Brad Nigh: well, the, yeah, they have the cellular connection where they can be taken over and turned off, or just, you know, disabled while in operation. I mean, there are stories of, hey, we've proven we can do it
[00:47:10] Evan Francen: right. So bringing this back to home network stuff, because I'd like to do next week too, we'll go a little deeper. You know, I think today, here's a challenge for people. If you haven't logged into your router at home, and I say router, I use that generically because there's actually some firewall functionality there. We're going to go into that configuration and other things that you can do with that router. All we're asking right now, today, is for you to go into your router and change your password
[00:47:48] Brad Nigh: and, you know, simple. If you can change the username, change that as well.
[00:47:55] Evan Francen: Sure. But just do the password,
[00:47:58] Brad Nigh: password would be the best for now. Yeah, absolutely.
[00:48:01] Evan Francen: Yeah. And if you haven't done that, do it, and if you have done that, show somebody else. Yeah. You know, we've got friends. You know, I'm going to go talk to my buddy, actually, this is what I'm going to do, but I've never asked Bobby about this. So I'm going to go to Bobby and say, hey, tell me, have you ever changed your router password? I already know what his answer is going to be. It's going to be like, I have no idea what the hell you're talking
[00:48:31] Brad Nigh: about. Yeah. Yeah. I mean, here's what's interesting: I just pulled up the WiFi networks on my laptop and I can see neighbors' printers, unsecured. I could print anything I wanted to their printer, and I know all of our neighbors have young kids, you could put some stuff that they wouldn't want to see.
[00:49:05] Evan Francen: It's funny you mention that, because I want to get there on this journey that we take. I want to get to that stuff too, because I was running Kismet on my Raspberry Pi here, because that's what weird people do. I think I had 41,000 networks that it had found in my small town within, I think it was maybe five days. 41,000, and a lot of that was beaconing, right? So it was, you know, systems looking for networks to connect to, okay, you know, people driving in their cars with their phones that have, you know, that turned on. I would see that, right. I would also see every Bluetooth, if I configured Kismet the right way, I would see every Bluetooth that would ever come into range, because that also uses a beacon, like an access point. Yeah. So the number, when I turned that off, because it is kind of a resource hog if I'm using the Raspberry Pi for other stuff. But we can show that too, you know, and I had Pi-hole, I think there's another thing that we can show people.
[00:50:20] Brad Nigh: Yeah, it's funny, I was thinking about this when we were talking about, you know, potentially showing some stuff, and I was like, I can't, because my work laptop is on its own network that can't access the router or the firewall or any of the other tools. Those are all set to an IP and MAC address on my home desktop that has its own NIC. So if I'm going to manage it, I have to physically switch my network connection to go over and do it, you know? So clearly I'm a bit of a nerd on that stuff. So I was trying to figure out how I could show some of it, but I'll have to talk through it more than anything.
[00:51:16] Evan Francen: Well, I can show mine too. Yeah, start with, I mean, it sounds really basic, and it sounds like, well, that's it, just go change my router password. Yeah, do that now, and we'll talk after that about, you know, the things behind your router. You know, next week I would like to talk about how to find all the crap on your network.
[00:51:39] Brad Nigh: Yeah, I like that. And, you know, I think the two things that I tell every customer, everybody I talk to, are the two things you can do that are going to have the biggest impact on reducing your risk: change default passwords and use multifactor everywhere you can. Just do those two things. But, you know, that's the easiest way. I mean, it's not hard to do those, you know, Google, Microsoft, they make those apps, they're free, they're easy to use. I get this: okay, well, now I have to open my phone and, you know, open it up and understand what the PIN is to log into my bank. Well, yeah, but the alternative is you have no money
[00:52:35] Evan Francen: Well, you know, but a lot of the people that we're talking to about that have no idea what you just said.
[00:52:42] Brad Nigh: Well, true, and obviously I would translate that, right. I wouldn't use exactly the words, the way I just explained it here.
[00:52:53] Evan Francen: No, I know, I get you, too, man. But because it is really basic, and I think it's just some of our frustrations: this is really simple to do. And I'm not saying you're doing it, I'm saying I know I have a tendency to do it, and I think others in our industry do. You know how simple and easy this is to do, so I get so frustrated that you haven't done it.
[00:53:14] Brad Nigh: Yeah. Well, yeah, and I think that's kind of the pitfall, or whatever, the trap we fall into, is you get so frustrated and then you talk down to people, because you're like, oh my God, how are you not doing this? And then they tune you out, right? They tune me out as soon as I approach it that way.
[00:53:39] Evan Francen: Or if you're reflective, you'll realize that they don't understand what I'm saying because I'm not speaking their language. It has nothing to do with intelligence. It would be like if somebody was yelling at me in Mandarin Chinese.
[00:53:56] Brad Nigh: Yeah, that's a great comparison. I
[00:54:00] Evan Francen: agree. I would have no idea what the hell they're talking about, and this person might be the dumbest Mandarin Chinese speaker that ever lived, and I'd be like, whatever, I don't get what you're saying, you know. I think that so much of it is like that, trying to figure out, like, what's the language that you will understand. And that's why I am actually going to do that this week, just talk to my buddy Bobby. I know he doesn't speak geek natively.
[00:54:35] Brad Nigh: Yeah, okay, well, you know, it's so easy to do. I do try to make a very concerted effort to not do that to people outside, you know, our group, as it were, the tribe, and speak in ways that they can understand. And it's so easy. Even then, I've told the story on here before, but when we moved into the current house, we were talking to the neighbors and they were like, so what do you do? And I was like, well, you know, we're in information security, he's the CEO, we do this. And he's like, okay, but I'm a salesman, I don't understand anything you just said. It was like, oh my gosh, you're right, I am so sorry. So I went back and, you know, explained it, and he was like, oh, okay, that makes sense. But it's so easy to just slide back even when you're trying. You know, I do try to make an effort to not alienate others, because I do know we need everybody's buy-in to secure things. You know, there's about 800,000 security professionals out of 300 plus million people that are probably on the internet or, you know, online in some fashion. At this point, we can't do it alone.
[00:56:00] Evan Francen: Mhm. Right. And this is truly, I mean, people, you know, I don't want to freak anybody out, but this is a national security issue. You know, I mean, think about it, if I'm an adversary on the other side of the planet and I can compromise 50% of all those in the United States, that's a pretty good asset on my side. You know, well, if
[00:56:27] Brad Nigh: for nothing else, to do DDoS attacks, right? Even if you're not going to actually compromise those devices and what they're doing, just the fact that you have control and can just beat us with whatever, right? I think about the Amazon outage earlier. What was that, last week?
[00:56:52] Evan Francen: Like?
[00:56:55] Brad Nigh: think about what the impact was. Now imagine if their entire thing went down because 50 million homes were compromised and all those compromised devices started just DDoSing. There's no way they could handle that
[00:57:16] Evan Francen: now. All right. Well, so next week, so that's it. The challenge for people, listeners: change the default password on your router. If you've already done that, help somebody else do it. Yeah, that's a takeaway, anybody, pick somebody, pick your mom, pick a friend, whatever. And you don't have to go there physically to do it. You can certainly show them on a Zoom call, Zoom is free, I think, for 50 minutes or 30 minutes, there's all kinds of ways that you can do it. Be creative, try to reach out and help somebody. That's it this week, right? And then maybe next week we'll show you, okay, if you did that, now the next thing: find all the crap on your home network, right?
[00:58:03] Brad Nigh: Yeah.
[00:58:04] Evan Francen: And you and I can maybe, hopefully your labyrinthitis is feeling better then, and we can, you know, show a couple of tools, simple free tools that you can use. I was thinking, are there instructions? I wonder if there are instructions for changing the default password on my router, you
[00:58:26] Brad Nigh: know? So that's one of my rocks for, probably, I mean, it's going to be Q1 at this point, but it is to do some research and find the top five or top 10, what are the most common ISP routers, and put together easy-to-understand instructions with screenshots of, hey, do this, do this, do this, here's how you do it. Because there aren't really good resources out there, and doing those parent sessions where we're teaching, hey, how do you watch what your kids are doing, that's been almost unanimous, like, that's a top request. I don't know how to do it. I can't find how to do it. How do I do it? You know, what should I do? So, you know, I think, looking from our standpoint, we're definitely going to be putting some of those things together here over the next couple of months to try and help people secure their personal networks.
[00:59:42] Evan Francen: Absolutely. I just found the instructions for how to change mine. Yes, essentially, I just put that in the chat, but I'll make that available too, because I think a lot of people, you know, some people might be listening and think, I don't even know how to do this. Well, if you haven't changed anything else on your home network, the instructions from CenturyLink are pretty straightforward. You just open the browser and go to http, now, that's right, no 's', 192.168.0.1. That brings up a login. Admin will be your username, the password will be taped on the bottom of the thing. Yeah, and then just follow these instructions, so I'll provide that after this too.
[01:00:30] Brad Nigh: Yeah, that's good, you know, and that's the thing, is putting those resources together and making it so that, yep, it is accessible for people.
[01:00:46] Evan Francen: Mhm. All right. Do we have time for news?
[01:00:50] Brad Nigh: Probably not, we could just talk through them real quick. So the first one was GoDaddy employees were used in attacks on multiple cryptocurrency services, that was Krebs. It was a phishing attack on GoDaddy employees. Whoops. It was a pretty interesting read, that one.
[01:01:10] Evan Francen: Um Yeah,
[01:01:13] Brad Nigh: The next one was the worst passwords of 2020, and that was with, oh, who was it, it was
[01:01:23] Evan Francen: oh, SecureWorld Expo
[01:01:25] Brad Nigh: Yeah, NordPass password manager released the list of the worst passwords of 2020. There were some new ones that I was surprised to see, number 10 was senha, which is Portuguese for password, and I haven't seen that one on there before. But that's actually a really, it was a pretty funny read. I was like, oh, come on, stop.
[01:01:50] Evan Francen: I thought Million2. Is that, that's a new one on the list too, just 'million' and the number two. Mhm.
[01:01:58] Brad Nigh: Yeah. picture1, I was interested that that's number three.
[01:02:04] Evan Francen: Yeah. Where did that come from?
[01:02:06] Brad Nigh: I have no idea that there’s a lot of
[01:02:10] Evan Francen: engineering. Yeah. Yeah interesting man. Sorry? Yeah.
[01:02:15] Brad Nigh: No. Yeah, there was a lot of, like, face-palming as I was reading through that one.
[01:02:22] Evan Francen: Yeah, so when you change your default password on your router, do not choose one of these
[01:02:30] Brad Nigh: Please. Yeah. Yeah. And then the last one was again from SecureWorld, California approved the strongest consumer privacy law in the world. It will be interesting to see what that actually ends up doing for people, how that's enforced. And
[01:02:56] Evan Francen: we'll have to talk about that. I think we could do a whole show on CPRA. Yeah
[01:03:02] Brad Nigh: but
[01:03:02] Evan Francen: I think they can
[01:03:04] Brad Nigh: it's a good, I think it's a good step. You know, I haven't read through the entire law, but I like the fact that it's, you know, focusing on giving, you know, more kids' privacy, you know, things like that.
[01:03:20] Evan Francen: Well, but my biggest frustration, and I'm tired of state laws. I'm tired of state laws that should be regulated federally. There should be a federal, yeah, California is already so damn regulated and they got such a bad name for it. There should be a federal thing. Man, ticks me off.
[01:03:44] Brad Nigh: I believe it. Well, and honestly, if it was federal it would be so much easier for everyone. You have 12 following that. What is that, there are like 38-ish state privacy laws that are all different.
[01:03:59] Evan Francen: Yeah, Yeah, I don’t know. Well, it makes you wonder, I mean, what the hell are our legislators so busy doing? They’re busy politicking and not work, not governing, it’s just it’s so frustrating, yeah, learn how to govern for crying out loud.
[01:04:18] Brad Nigh: Yeah, yeah, okay. So, yeah, those are the news stories. That's it for this episode, episode 108. It's just crazy that we're at that number. Thank you, Evan. Who you got shout-outs for today?
[01:04:36] Evan Francen: Already said one, Rachel Arnold, shout-out to her because she's a good advocate for trying to get us to speak normal-people language, and we should all speak normal-people language, by the way, because we're all supposed to be somewhat normal, not that we're not, exceptionally, you know, just in general. So I think I'm going to do Rachel Arnold and Andrea Hatcher. Remember Andrea Hatcher from way back when? Yeah, one of our episodes when we did the women in security series. She invited me to speak to her group a while back and sent me a Penn State Lions hat and a Penn State shirt that my 16-year-old daughter has stolen from me already. That's awesome. Yeah, so shout-out to Andrea. She is going to be, so anyone listening, I know FRSecure is trying to reach out to her, to figure out, you know, she's going to be a superstar in this industry, so watch out for her, it's going to be awesome.
[01:05:46] Brad Nigh: Yeah. Yeah, I was really impressed with her. So, you know, I'll give one to Pinky, one of our employees. He stepped up and was able to help out with a really large national retailer while I was out and helped answer some questions for them. So shout-out to him for helping cover for me while I was literally unable to work. So
[01:06:22] Evan Francen: yeah he’s that old team is awesome man. But yeah, I think he’s great.
[01:06:26] Brad Nigh: So all right, well, thank you to all our listeners. You can send us things by email at unsecurity@protonmail.com. If you're the social type, socialize with us on Twitter, I'm @BradNigh and Evan is @EvanFrancen and the podcast is @UnsecurityP. Hey, and he followed me, man. I almost made it through the whole thing without stumbling. Be sure to follow SecurityStudio @StudioSecurity and FRSecure @FRSecure for more things we do when we do what we do. That's it, and we will talk to you all again next week.