Cybersecurity expert and author Scott Schober shares his personal story of being hacked, and how it set him on a mission to help prevent it from happening to others.
Dave Bittner: [00:00:01:02] Thanks again to all of our supporters on Patreon, the support we receive there helps us provide the daily news that you come to rely on. We hope you'll check it out at patreon.com/thecyberwire.
Dave Bittner: [00:00:14:08] Our podcast team is taking a break this week from the daily news but don't fret, you can get your daily dose of cyber security news at our website, thecyberwire.com. In the meantime we've got interviews for you this week, some interesting people we've talked to throughout the year so stay with us.
Dave Bittner: [00:00:34:09] And now a holiday message from our sponsor Nehemiah Security. Twas the night before the board meeting when all through HQ not a sea level was stirring, even finance was a snooze. Reports were all stacked in the boardroom with care in hopes that the members would not pull out their hair. The CISO however was pacing the ground mostly because he had no biometrics to sound and the head of IT in front of long log reviews, had just settled his brain after full backup number two. When out of the seam alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash to see which malware showed up as a hash. If only they knew where exploit-ables lay it could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles the RQ dashboard it came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments, now everyone knew. To hear the rest of this story visit nehemiahsecurity.com.
Dave Bittner: [00:02:10:12] My guest today is Scott Shober, he's the President of Berkeley Varitronic Systems and author of the book Hacked Again. In the book he shares his own story of finding himself hacked and how that began an unintentional journey toward becoming an author and cyber security expert.
Scott Schober: [00:02:26:07] Well as a company we have for many years, and this really goes back to about mid to late eighties, developed wireless test equipment to build out the cellular networks, everything to do to make our cell phones work. So we understand a fair amount about cell phone technology and maybe more particular radio frequency, how signals propagate and in the process of all that we also learned a lot about the vulnerabilities and we started to sell more and more to law enforcement groups. We've sold cellular interceptors in the past to catch bad guys and drug dealers and things like that. So we've always had a criss-cross in that industry but more and more in probably the past five years, as we started to develop some of our tools the focus became more and more on security, security because our smartphones can do everything and they could be eavesdropping devices and can be used for spying of all types.
Scott Schober: [00:03:25:14] So in the process of all that I started sharing tips and how to stay safe and so on and so forth. Well the more I started educating people and sharing with different audiences the more I became a target, and as I became a target we started to receive various attacks on our business and myself personally and it kind of all started with a credit card, debit card, Twitter account compromised, repeated DDoS attacks to our website. The list goes on and on, but at one point we have sixty-five thousand dollars taken out of our checking account and it became a federal investigation and a big ordeal. And shortly after that point I realized obviously this is not coincidence when these things are happening to my business A-Z as well as myself personally, and I started sharing the story with a couple of people and after a while everyone said jeez, this is an interesting story, you learned a lot in the process, you really should share some of this with people. And in the end of it, it became an idea that turned into writing a little bit which turned into a book and I put it out there and got even more attention I guess as a result of it, even though that wasn't really my intent. The intent was really to educate people and share my story of what I learned with the mistakes I made in the process, so hopefully readers and the audience could learn how to stay safe from hackers because it seemed like the problem was getting worse not better.
Dave Bittner: [00:04:59:00] When you look back on those days when you got hacked and when you look at the security measures that you had in place, did you think they were adequate at the time? Was it something that you put a whole lot of thought into?
Scott Schober: [00:05:11:14] Yeah a great question and actually I'm probably like everybody else, I thought I'm not going be a target, I'm pretty safe, I'm careful. I wouldn't say I was paranoid back then, I am now paranoid in contrast but some of the areas I probably was a little lax in were certainly passwords and many people, and I preach this all the time now and yet if I look back in history I was guilty of this too. Using weak passwords, easy to remember, reusing the same password across multiple sites is a big no no. Was I guilty of that? Yeah I'll admit it I was. And some of those things I think played into making it easier to be a victim and by targeted by hackers so they're successful. So we all need to take caution and use long and strong passwords and yet we hear it every single day, but typically when I present at cyber security events or business seminars or wherever, I usually like to poll the audience and I find that a good percentage of people, and I would probably say maybe forty plus percent of the people, still are using weak passwords and reuse their passwords across multiple sites, which really is concerning to me and should concern everybody that's listening to just stop and take your time and create long and strong passwords. It would save yourself so much aggravation because I always relate that if you look at all the major breaches they all have one thing in common and it's over 80% of them, it's somehow a password was compromised. That means that's one thing in our control, we can create long and strong passwords that are hard to hack and the hackers will move on to the next victim.
Dave Bittner: [00:07:00:10] You mention in the book that there's a tendency, maybe even a natural tendency for people to not want to talk about, you know, what happened to them when they got hacked. But you say no we should really share these stories.
Scott Schober: [00:07:13:06] Yeah absolutely and I was no different. When this happened to me I was a little embarrassed and embarrassed from family, friends, work colleagues, business associates, general public. You don't want to tell people that you have weaknesses or that you let your guard down or you were even targeted. At one point I got a phone call, it was actually from the Associated Press and they got wind of my story and said, "do you mind if we talk to you a little bit about, you know, as a small business owner and some things about security." And I said "well okay" and then they brought up, "well we heard that you were compromised." And I said "jeez, I don't know if I want to delve into that and share my full story." And they said "well we really do want to hear it from you as a business owner because other business owners then can protect themselves so they don't go down that same path." And I said "jeez, you know what, if this is going to help one other business owner it's worth it because I don't want anybody to go through the aggravation that I went through." So that helped me at that moment in time during that interview I kind of clicked a switch and said, you know what, maybe it's my mission to share these things even though it's embarrassing as all means, it might help other people and they're gonna take active steps because I learned how to take active steps and be more proactive with my security posture. Other people can do the same without having to be embarrassed or intimidated or even spend a lot of money for that part. Just using best practices and commonsense can do a world of good fighting cyber crime.
Dave Bittner: [00:08:48:13] As we go through the book you really go through it and cover most of the threats that are out there. In your mind what are the top ones that people need to be wary of?
Scott Schober: [00:08:58:24] Well besides what I mentioned with passwords, I think one that comes up to me almost on a daily basis is just people are always asking me about hey is this email legitimate? Is this a phishing attack? How do I identify it? So there's a lot of simple things you can do out there just to identify if it is truly a phishing attack. And basically a phishing attack for those that are not familiar with it is where you're receiving an email and it's got an attachment in it that seems extremely credible, and you want to click on it because you think it's a document from a co-worker or somebody that you know, and since it's so convincing you don't even think twice. So I always question people, stop, analyze it, ask yourself is this person going to really send me this, am I expecting this. If you're unsure don't click, pick up the phone, send them a text, send them a separate email directly, whatever it is just to verify. Take a moment to make sure you're not making a mistake, because they look so convincing and I'll share a brief experience, this happened not too long ago, it's not in the book.
Scott Schober: [00:10:07:21] I was heading away for a vacation and I was just checking my email, closing down my computer, I disconnected from the Internet to be safe, because I'm again paranoid. But in the process of that I saw an email come up from my cable company and I read it and it says that I have to update my credentials on their website and I'm thinking well that's weird, I never go to their website. So I was about to click it and then I stopped and said, and somewhere in the message it said otherwise we're going to have to shut your cable off. And I said oh it'll be a mess to get that back going again and I said wait, this makes absolutely no sense. I don't pay my bill through their website, I don't log onto their website, why would I click on here. So I figure let me call their 1 800 customer support number and mention this, it looks like it might be a scam.
Scott Schober: [00:10:52:05] I get the customer support representative on the phone and I said "Miss, I received this email, it tells me to click, update my login information there or my cable will be terminated." I said "this makes absolutely no sense." And she goes "no no no sir that's a standard email, just make sure you click on there and follow the instructions and update your user name and your password, I just got off the phone with somebody saying the same thing." And I said "wait, stop, this is a scam." She goes "no it isn't sir, I just got off the phone with someone." I said "put your manager on." The manager comes on, I explain the whole thing and he goes "thank you sir we're going to have to talk to her and give her some more training about email phishing scams." [LAUGHS]
Scott Schober: [00:11:29:16] So here it was, I was paranoid, I almost clicked, I call the company itself and was about to, if I followed through and clicked and the average customer probably would do that because it sounded so convincing. She was just misinformed but you could see how you can go down the path and things sound too good to be true and seem like they're innocent and okay, you click on there and certainly what would have happened, more than likely I would have probably had malware downloaded on my system or ransomware or whoever, you know, who knows what could have happened there but fortunately I stopped. So half the time best practice is to stop and question things. Make a phone call, investigate it, take your time otherwise you could be the victim of ransomware or a specific malware that gets downloaded onto your computer.
Dave Bittner: [00:12:15:03] The book does a really good job of explaining all the different types of attacks and one of the things I like about it is it's really approachable even for people who may not know much about the security world. For those of us who are professionals, who are in the security world, what kind of take homes would they get from the book?
Scott Schober: [00:12:32:14] A great question. I try to balance that for somebody that's truly a novice to somebody that's really more maybe an IT professional. Somebody that has knowledge about cyber security. Those that have knowledge, I think what they'll probably find and I've heard a couple of people say this, yeah we know it, it won't happen to me, but again it's going to make you stop and hopefully back up and think a little bit deeper and analyze things. So again if you're creating what you think is a long and strong password, for example, even if you're a cyber security expert and think well this isn't going to happen to me, this is 12 characters, maybe you want to take the next step. Maybe you want to consider using a password manager or perhaps you want to test the validity and strength of your password. So it's hopefully pushing people even with expertise to go a little bit further and make sure that they're putting up their defenses, so that they're not going to be the victim of a cyber attack. And hopefully those that are savvy and do understand the world of cyber security and educate people, they might back up and think well you know what, if this happened to him maybe it can happen to me and I shouldn't be complacent. I shouldn't be in denial.
Scott Schober: [00:13:42:13] So a fair amount of this is psychological. We have to almost get into the hacker's mind and understand what is their intent. What's their motive. And when we can understand that we can then transition and say okay here's what I can do to make their job difficult. It's not going to be impossible because everything is hackable in my opinion. Nothing is 100% secure. We have to go in with that mindset so we can take steps, again whether we're novice or whether we're an expert, we have to take proactive steps to make their job harder. When we do that they will move onto the next target every single time, because generally as a statement hackers are lazy. They're looking for that low hung fruit, they want to move in, they want to get out and they want to cover their path and not be detected, so they can accumulate whatever they're accumulating or stealing.
Dave Bittner: [00:14:34:10] As you were making your way through the research process for the book did you come across anything that was particularly surprising?
Scott Schober: [00:14:41:07] I think thinking back as I was writing it and I was able to somewhat relate it to different things throughout my life, I was surprised at how many other people I talked to in the process that were going through similar pains, and I kind of thought at first well this is just happening to me. But I was sharing the story as I was writing it and then people would kind of comment back and say you know yeah I had my credit card compromised too, you know I had my debit card, what a pain it was to get the money back and the process. I asked the bank and they didn't provide information. So what I found was in my one story that I thought was very isolated and targeted, which it was, there are thousands of other stories of consumers and business owners and so on and so forth. So what I realized, I am not alone and there really is strength in sharing information and that's the number one thing that came out of this. The more I share the more people share their stories back. They share their tips, the products they use, what works and what doesn't work. And why is that such a valuable lesson, and I think I touch on this in the book, in the world of cyber thieves in the dark web, they share information often freely. Effective hacking campaigns, effective hacking tools, knowhow. That sharing of information empowers them to be very effective in hacking people and very successful. But yet on the surface level with consumers and small business owners, government agencies, you know, retail, everyone, we don't share enough information. One small business owner may be compromised and keeps that a secret, well the guy across the street may be suffering the same thing or may have those same vulnerabilities.
Scott Schober: [00:16:36:11] If we collectively as a community of good guys share this information, we come together, we will all be safer. So that was a great takeaway that as I got into the process, I again started out as an island but then I think I kind of opened up the floodgates, and literally today, I just got off a phone call before this, people are asking for advice. Asking questions. What product do I use? Would I be willing to try this and give them their feedback? I enjoy that. Hearing from different individuals, their experiences, good, bad and ugly keeps me safe and my business safer and hopefully I can share these things back with the greater community to keep everyone safer.
Dave Bittner: [00:17:18:03] Our thanks to Scott Schober for joining us. The title of the book is Hacked Again.
Dave Bittner: [00:17:24:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence check out cylance.com
Dave Bittner: [00:17:37:07] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cyber security teams and technology.
Dave Bittner: [00:17:46:23] Our show is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Nehemiah Security delivers a security risk assurance platform that is transforming how organizations secure technology so they can quantify their cyber risk in dollars and cents. Learn more at: nehemiahsecurity.com.