Last session of the day, and we are going to go out with Ben Rich and John and Adam here, three security experts who prove to us that any security expert has a last name that ends with an R. So that's good to know. You guys want to give us, like... it's with an R sound. You guys want to give us a 15-, 30-second bio?

Sure. So I'm Rich. I work for Jetpack, primarily on Rewind and VaultPress, which are two of Automattic's security-focused products. Got a lot of experience scaling media companies, also handling security, performance, everything.

I'm John. I work for Bluehost. I'm on a team that... primarily our job is to contribute to core and the community, WordPress core. Before that I was at Boston University. So in both areas I've had to... security is always in the forefront, and making sure our code is secure, because as a hosting company and a university we're always targets for security breaches. We always have to make sure we have all that covered.

My name is Adam Warner. I'm the community manager for SiteLock, a company that provides cloud-based website security services. I am a long-time WordPress user, since 2005. I am not a developer and I'm not a designer, and I'm not a security expert in terms of code, but I try to spread the good word of security awareness and best practices for protecting your site or your online business.

And as we're going along, if you have any questions you can text them to me and I will pass them on to the panel.

So, to kick things off. A lot of people recognize that one of the biggest potential vulnerabilities on any site is between the keyboard and the chair. What are some ways that you have found success in educating users on being less vulnerable?

Well, so that's kind of where I come in, because, like I said, I don't write code, so I don't come to website security from that side. I come to it from the side of educating end users on the importance of website security. So one of the things I do to relate the importance of security for your site to people is to put it in terms that they can understand. And what that usually means is, anyone who has a website typically has a passion or a business, and that's the purpose of their site. So when we talk about website security to them, we put it in terms of protecting your passion or your business, right? And from where I come from, it's all about educating people about security, and in my talk earlier that was kind of the theme throughout, because a lot of people, when you talk to someone, the average business owner or maybe the non-technical person, they hear "website security" and they go either one of two things: "My catalog isn't important enough to protect. Why would anybody want to hack it?" Or "Security is way too technical, it's over my head, I don't want to hear anything about it." So if you kind of communicate the basic reasons why websites get hacked, it's a lot easier for them to process the importance of it.

And I think from a different perspective, like a developer perspective, someone that's writing code for your website: following best practices, knowing about different, like, current exploits that are going on and how they're being mitigated and prevented for the future, and just following what WordPress does when they do a security release, and other open-source projects when they do a security release. They detail what it is and why it happened and how to prevent it. So these things are very important, to kind of have your thumb on the pulse of what's going on there. And it's also an education thing. A lot of people... I have some friends where they say they use the same password for everything, but they don't really understand why that's bad. Or it might just be their dog's name and their birthday, and they may not understand why that's bad. So a lot of it is just they don't understand how someone would go about trying to exploit something. So maybe if you explain to them, "Well, with a computer that would take three seconds to get into your website," and maybe show them a little demonstration, then it might click, and then they might have that more secure mindset in the future.

Sure. Yeah, so I'm an old-school code hacker, right? This social engineering thing is actually a little bit above my head, but it's the new scary thing, right? Like, there are not a lot of kids in their basements, you know, writing programs that are as dangerous as social engineering has become. Responding to the wrong email, clicking the wrong button, these are the things that really get you in trouble now. And I think the solution starts here in this room right now, right? Spreading awareness, explaining to you why password security is important and why social engineering is something you should recognize and have training on.

Yeah, and clickbait and fake news, and getting people to share things that aren't true, and people just don't read. They just see that headline. And so just a more intuitive mindset of asking why, asking who and what, where this is coming from, and just a simple follow-up or a simple Google search will, a lot of the time, disprove a lot of this stuff, or prove it. Yeah, so that's just a very... it's always "why" and "how come," and then just being analytical and more intuitive and questioning things is another way.

You know, and when you were at BU, how prevalent did you see phishing and spear-phishing attacks internally?

We got a lot of different emails. So it was everything from "Hey, there's new HR training" to "Sign up for discounted health insurance as an employee." We got some really strange ones. The most popular one was probably "Take this survey," like, "We're trying to get information." So a lot of times, in Slack... it was made to look like it was an internal survey. Yep. It was basically like, "Hey, we're looking to get employee feedback." So it wasn't uncommon, probably once a month, there would be someone posting in Slack, "Hey, did anybody else get this? Is this legit?"
And then someone would follow up with people in the other departments that would have issued these research initiatives, to say that... we had an email to forward them to as well, and a lot of times they would confirm or deny the legitimacy of it.

No, at Automattic a few years ago, I think that might have been before you joined, Rich, one of the projects of the week, a group of Automattic employees tried to phish the rest of the company and get them to enter their WordPress.com password, and they were able to successfully get credentials for more than 50% of the company. And these are, you know, tech-savvy people, including a number of members of, like, the executive team.

Yeah, I think when you talk about security, one of the most important places to start is that awareness, right? And so I tell this story: walking through the city of Chicago after seeing a concert, coming from the Chicago Theatre with my wife, and getting that uneasy feeling, you know, your intuition, the hair on the back of your neck. And I look behind, and there's a guy about a half a block away. And so I get that uneasy feeling. I move to the other side of the road; he moves to the other side of the road. We move to the other side of the road; he moves back. So I was like, "Hey honey, why don't we duck into this bar and get a drink?" and I didn't tell her anything that was going on. And we walked in there, and, I'm not exaggerating, he walked by and went like this, just stared right at us as he was walking by. Talk about a creepy feeling. But you relate that to website security and your daily interactions, right?
So it's good to be paranoid every day and aware of security issues every day, but you have to really try and find that balance so you're not walking around, you know, peeking around corners. So things like... you know, we're talking website security, but things like personal identity security: if you go to an ATM, you might want to look at where your card goes in. There's a video on YouTube, look for "ATM Vienna," and you will see it's one of the green covers, and a guy goes up there, he notices little beads of glue on the edge of the green cover, shakes it, and it's a card skimmer. So it's stuff like that every day that you can train yourself to be aware of, and then relate that, obviously, to your site as well.

They started putting the stickers over the...

If you're interested, there's a great episode of the podcast Reply All called "What Kind of Idiot Gets Phished?" And in working on the story, I think most of the members of the team were phished while working on a story about phishing and looking at it every day. So that's a helpful exercise too: like, maybe you work with a couple executives and a member of the security team, if you have that, and, you know, try to phish everyone in the department, and make it so you can't see their password, but you would know that they put their password in. Just as an educational thing, like, sometimes it takes that to kind of wake up and realize what you've done. "What have I done?" And I think there are some companies that you can hire to try and phish your team as well.

You know... Yeah, make sure they're not the phishers.

So you talk about awareness in your daily life, and then kind of the second baseline for me is password security, that we kind of just talked about: secure and unique passwords for every single login that you have, from your home Wi-Fi to your local machine to every internet site, having unique and strong passwords for every login. And then, of course, how do you keep track of that? To define unique and long...
Yeah, and for those of you that saw my talk earlier: at Mogulam, where I previously worked, I decrypted everyone's passwords to prove a point. I guess whose got decrypted also... I thought it was good. It wasn't good. Like, consider what unique and long means, and consider purchasing a password manager or something.

There's an xkcd comic that talks about password strength and bits of entropy, and how, you know, every time you add a character it takes significantly more effort. There was a... Yeah, I saw something a little while ago, and I'll try to find it and I'll post it on Twitter, but it was a data set where they analyzed, I think they took all the publicly released password hacks that were available, and they analyzed all the passwords, and they posted some graphs and some heat maps as to what was going on. And the heat maps made it very clear that when a password requires a capital letter, 70% of people, whatever the number was, had it as the first letter. If they needed a special character, it was almost always at the end. Yeah, the numbers, they had a chart of the number frequency in it, and it basically indicated that it was like birthdays or birth years or anniversaries, and it was interesting how it faded off and you could very clearly see what patterns were in people's passwords. So just being aware of those things, and knowing what common human behavioral elements are, that people just are comfortable with and that's how they think, but being secure is sometimes reversing that or doing the unexpected in order to be more secure.

I just wrote up there: it's haveibeenpwned.com. For such passwords, if you put a password in there that you've used in the past, it'll tell you if it's appeared in any data breaches. And your email too; they'll tell you if your email appears anywhere.
So, like, I think... I'm trying to think. I know, so I don't say "I think," LinkedIn had some data hacked a while ago, but it will say whose emails, like the emails that were hacked, but it'll also tell you what data was hacked: your birthday, your friend list, or your password. And then you can make more informed changes with your privacy levels and your passwords and stuff.

It always jumps out as a red flag, setting a password somewhere and they have limitations on length or what characters you can use. You know, you should be hashing passwords, and if you are, then none of that should matter. So it's kind of a scary thing when you see that.

In WordPress, is everybody familiar with the password strength meter? So that was one of the first things I brought up to add to WordPress, but that's a Dropbox library. It was a library that they built in JavaScript to calculate the strength based on different factors, and it's called zxcvbn. It's basically just the bottom row of the keyboard, left to right. But it talks about that, and it takes several popular websites, including some banks and some big financial companies, and it talks about the limitations on characters and how that affects the entropy of the password and how secure it is. And it's very limiting, and like an eight-to-ten, eight-to-twelve character password can still be cracked, usually in, like, an hour at the most, even if you're using good practices in your password. So those limits are, yeah, they're always alarming. It's like, "What? All my money's in here and I can only put a six-character password?"

Yeah, that's what we get in such a frenzy when we're told, you know, you go to log in to your bank or whatever, it's... we're rushing.
We're in such a frenzy that we just throw our birthday in there, and we're like, "Oh, I'll go back later," but we don't. And the implications of that are far-reaching, because all of these services are connected.

Yes, I was gonna say, I think it comes back to, again, human behavior. You put in what you're used to because you remember it, but things are getting... like, the new iOS: on most apps there's a button, you click it and it pulls up your password manager and you can put it in. And so when you enter... I use 1Password, so it's hooked up to my iPhone, and if I'm on my computer, you know, and I put in a password, it syncs over in my iCloud, and I can put in as long a password as I want, because it's gonna help me, as long as I log in, by whatever means, it will let me just paste it in there automatically.

1Password in iOS 12 is awesome. It's super sweet, and not everything supports it yet. And I'm always like, "Oh, how did I live without this before?" But no, it's a solution to one of the biggest frustrations that... that's basically to prevent brute-force hacking. So that's basically, they set up a computer and they just try every single password that it can, and eventually it's gonna get it. It might take millions of years, it might take ten seconds, you know. So that makes it harder to get around that, but then it also introduces a user frustration, like, "Oh, I really just can't remember," you know. And it doesn't tell you the password requirements either, so you don't know, like, "Oh, this one requires a capital, so my dog's name is capitalized," and "Oh, it needs numbers, I put his birthday," you know, whatever. So you don't know that, and so sometimes you just forget. But yeah, that's hard to get around. There's probably ways.

Well, that's where you jump off of passwords and you get into two-factor and multi-factor authentication, right?
So you've all tried to log in somewhere and you have to first have a code that's sent to your phone, so you can enter the code and get to the login screen. That's two-factor. Multi-factor is the same, but you have a phone and then some other method that you have to verify too. Now, who knows, in the future? Maybe, you know, we've got fingerprint already on our laptops and our phones. There's nothing that says in the future there might not be DNA-based security for any kind of devices, or even our vehicles or homes or who knows, you know. That's the kind of stuff I like to read about and I'm interested in, because at some point passwords are going to be cracked, and it won't matter if it's a 64-length password. At some point the computing power is just going to be there, right?

So, yeah, so I think nowadays, right, like brute-forcing your financial institution's password with you as a specific target, sure, might be tricky, might be doable, might not. But when you look at the entire scope of all these millions of users at this financial institution and you go download that data, they're gonna have hits. They're gonna get into some people's accounts. Now, if you've used that password somewhere else, there's a good chance that's how they get into your specific account. If you have practiced good password security and you're using a long, unique password for every different thing, they're not getting into your bank. Not that way.

That's one of the nice things that 1Password does as well: they compare your data against the Have I Been Pwned database. So it'll show you, "This password was exposed in a breach," or is vulnerable. And sometimes it's just they take the email and the password there and they hit every single site in their list. They might get in a couple, they might not. And sometimes, like, the data that's published to educate people, they use it against people. So maybe they hit the bank and they try... the bank might not lock out different username attempts.
It might not use IP address or machine. So they might hit every single possible username with the top three passwords in the world, and they might hit some, they might not, but if they get into one and there's a couple thousand dollars in there... this is like a ten-minute script that they wrote to go through this database of possibilities. Sometimes it's more than worth it.

Yeah, I'll share a stat that some of you may have heard earlier, but hackers will tell you, even hackers that aren't world-class, best-in-the-world hackers, if they're targeting somebody, they will compromise them 100% of the time. If you become a target, you're gonna get owned, like, it's that simple, whether you're a business or a person.

They love to brag. Hackers love to brag. You should... well, that's how the majority of them get caught.

So there are a number of them out there. I would say that the most popular ones are Sucuri, I think, Sucuri and Wordfence. So in my opinion any security plugin... oh, I'm sorry, and Jetpack has the brute force, and also scanner, don't they?
They're all good, right? They all do good things, and what you're seeing with those solutions is immediate feedback on kind of the baseline security health of your website. So I wouldn't recommend one over the other. I would just look at the specific features and benefits of each one and then make that decision, just, you know, based on your personal preference. But I would also argue that in addition to plugin-based security, you would also want to look for something that's cloud-based as well, so whether that's a scanner or a web application firewall. The web application firewalls, in my opinion, are probably the number two most important thing, or number one most important thing, that you could do to help secure any website. And for those of you that don't know what a web application firewall is, it's basically a hardware and software solution that sits between someone requesting data and your host, and it's designed to automatically block, excuse me, malicious scripts, because that's the majority of the hacking that happens; it's all automated bots. So a web application firewall, one, automatically stops malicious scripts, because it identifies them before they even get to your web server, before they have a chance to look for weak passwords or look for outdated software. But then if you do experience a DDoS or some kind of a brute force attack, usually the web application firewall will recognize that as well, because those are kind of AI-based, so they should be able to recognize that sort of thing.

I would add one thing to that. I don't know the advantages and disadvantages of all the different products, but whichever one you do select, make sure they have good support, so that if you do have an issue you can talk to a human and they can help you work through it. Because unless you're a dev or an engineer, like, you might get stuck and be in a worse situation. Right.
Just knowing you've been hacked, or knowing there's this attack going on, doesn't really help you solve the problem. And if you don't have the level of confidence to get through that, definitely make sure you have good support on the other end.

And to add to that too: don't go crazy. Don't go, "I'm gonna have the most secure site, I'm gonna put all of them on and activate them all at once." That won't always work. But the right plugin will also be different for every site. You might, sure, be for some reason very susceptible to brute force attacks, you know. Someone else might be very susceptible to DDoS attacks, where someone requests your site millions and millions of times a minute and it just brings your server down. So the needs are gonna be different from a bank to, you know, your blog that you write about political things, or whatever your content is. But yeah, you might be able to use some in tandem, but it's usually better to pick the one that best suits your needs and use that.

On the wide-area concept, one thing I like to recommend is Cloudflare. So Cloudflare has that concept, but it does it on the DNS level, so it intercepts earlier in the request. It's also similar to how Jetpack does it and protects against the brute force: it kind of crowdsources the data. So if your site gets attacked by this bot and it gets identified as malicious, and you're also on Cloudflare, and then it goes and attacks him, it already knows that that's a bad person. So, like, by crowdsourcing the data, it makes it more powerful, much better to protect. Power of many.

Who's got the next question?
I think we have about eight minutes.

I wish that everybody used a VPN, and that's a virtual private network. So when you're connecting to the university Wi-Fi or in the coffee shop, you activate VPN on your laptop or your phone and it encrypts the data that's going between your device and the Wi-Fi, because rogue Wi-Fi and Wi-Fi sniffing is a thing. Search "Betsy Davies," and she's an 11-year-old girl whose dad showed her a YouTube video, and she went to the coffee shop, set up a fake Wi-Fi signal, and then started sniffing everybody's traffic, looking at the data on their devices. It's a real thing. And just be aware too, if you go to Starbucks, it's like "Google Starbucks," but it's not "Google Starbucks Plus." Or, you know, it's "USM," it's not "USM Guest" with two S's. That kind of awareness.

I think I have two. One is on us as web industry people: HTTPS. So having an SSL certificate on your site is free now. There's really no reason why you shouldn't have it. At Bluehost, it doesn't matter, we automatically provision you with a Let's Encrypt SSL certificate, and it renews every three months and it just is there for you. But it's still something that's not widely adopted by many sites. And so basically what that will do is it will protect your traffic with your users from being intercepted between their computer and your server. So it's a very easy thing to get set up. A lot of times you can just reach out to your host support and ask them to configure it for you, and they handle it. There are very expensive ones, but they basically vouch and they audit the server a bit more to make sure that it actually is secure. But a general free one is more than good to at least get you started on that. And the other one would just be higher requirements for passwords. Or maybe you have a bunch of developers on your repositories in your organization; your organization on GitHub can require two-factor authentication for all your members. So taking that initiative and increasing your security in your organization and leading by example is another one.

And yet, just like I said before, I'm just helping to educate people and opening their eyes and trying to get them to realize why it's important for them, for this to be important. That's all very, very sound technical advice, and I completely agree, but my number one thing would be awareness, right? Like, ask the question, "Am I secure?" Have this conversation with somebody else. Have this conversation with the people in your family, you know. We're starting to see how deeply embedded security is into our lives. I mean, people's financial lives get ruined, you know, their reputations get ruined, and this is only going to get far worse if we don't start spreading awareness. So that's my tip.

Adam, do you still see VPNs as being as valuable as they were, say, five years ago, with the sort of wider proliferation of SSL certs? So I know, like, personally I don't use a VPN as often as I did because of the fact that almost every site has SSL.

Yeah, well, I do think it's still as important, just because of that simple fact: it's not just the sites you're visiting, right? It's the data that's floating through the air. And in terms of connecting to a Wi-Fi signal, I think that's where it's important, yeah, where it comes in, right. But you're right, there's probably a good debate there, whether it is as important as it used to be, but for me it is.
Yeah, I think it is, because a lot of times now you're not just protecting yourself from hackers, but you're also protecting yourself from people that don't have malicious intent. So maybe your internet service provider has server logs of you as a customer, what sites you visit. So maybe you go to something very controversial, and then somebody gets a hold of that list, and you might have just been researching something, but then all of a sudden you're associated with this website, and that's now dangerous. And you might not be able to trust these big corporations, and I'm not trying to be a conspiracy theorist and make you all scared, but it's something you should think about, and we all know it happens. It happens, and it's happened in history, and it happens in other countries that are less politically free than we are, you know, and there's oppression. So it's something to think about, and it's a healthy discussion to have. But a VPN would, in most cases, prevent your internet service provider from knowing where you're going to. Internet law is still very much the Wild West, like, we don't know what's gonna happen. And you don't know who works at the company. Maybe the company is very good, but they might just get this one... kind of a bad example, but with the whole... the guy, Edward Snowden, like, he worked in government and he saw something and he blew a whistle, and it was a good whistleblow. But, you know, who's to say it's a good whistleblow? Maybe someone thinks they're doing good but they're actually doing harm by exposing certain things. And so it might not just be a company; it might also be one person acting with data they have that is indicative of something you do.

Do you have a VPN solution you like?

I like TunnelBear. It's TunnelBear. Yeah, aside from having a super cute mascot... Is that? They have a... Yeah, they had, like, a lot.
They have a free level, but then the paid level, I think, starts at 90 bucks a month or something.

Is it too late to stop using one, if you haven't in the past?

No, no, it's never too late. Start now, start today.

I like to... The answer to that question from me is two things. There's no such thing as 100% security in life or on the internet. There just isn't, and there never will be. So in my mind, it's about reducing that attack radius, right? So when you're using a password manager, you're reducing that attack radius, but there's still that chance that that password manager service will get hacked. Potentially, yeah. LastPass has been hacked before, but the hack didn't... because they're a security company and they put a bunch of different layers of protection in, the people who hacked LastPass didn't get access to the actual usernames and passwords. And I'd rather entrust all of that stuff to a company where that's their core business, right, instead of my notepad in my drawer. That is also why enabling two-factor authentication everywhere that you can is very important. Good question, because it always comes down to that.

And I know 1Password, your vault is encrypted locally, so it's synced on their servers between devices, but they don't have access to the data in your vault, because that's the one password you have to remember, and that one can be really secure and really long, but it's the one that you have to remember. One password. Yeah.

Yeah, I think the other part of that too is that hackers want the easy wins. They don't want to spend their time on the passwords that are going to take them three days to crack. Most of the time, if it takes more than like 20, 30 seconds, they're not interested. They want to move on, and it's about getting as many people as they can, as easy as they can. And so being proactive, and 2FA, having a long password, a secure password.
That's hard to crack. These are just things you can do to kind of get them to move along.

Right. Well, thank you guys very much for your time and expertise today, and look forward to seeing everyone at the party in 20 minutes, right?