Back to the Cyber Underground. Dave Stevens back with you here after a week off. It's so good to be back in house. This is the Cyber Underground, where our mission is to dig deep and see how cybersecurity touches all of us in our everyday lives. And with us here today, all the guys that saved my life last week, one of them Andrew, the security guy. Let's have everybody... Thank you, sir. He was the one driving the ship; you guys did a great job last week. Also with us, Jeff Mulford, president of the (ISC)² Hawaii chapter. Good, thank you. Thank you for having me back.

Today we're going to be ramping up social media again: how to keep yourself safe, some of the settings, the tips and tricks, and things that are set by default to be wide open that are going to really catch you by surprise. So we'll go over Facebook, Twitter and LinkedIn, and if this is successful and we get some good feedback, we'll do it again, we'll do part three, because this is probably one of the biggest security holes we have in our culture right now. Right. I think the very first thing you do when you want to find out about somebody is just go check social media straight away and see if they're there. That's right, open source intelligence. It's a common enemy for all of us. Sure. I hadn't seen my sister in a couple of years; I went back home to see her and I was telling her, oh, I saw you bought a couple of horses down in Brazil, you've got this new dental equipment. Yeah, and their eyes are popping out at the stuff. It's all out there. Thank you so much, we're back in it.

Let's take a couple of quick minutes here to talk about the cybersecurity conferences, the industry-standard conferences on cybersecurity and infosec. Not a lot of stuff happening... well, a lot of summer conferences happen because, you know, there are a lot of academics like me, and they go in the summer. Is that why they want smart people there? I was wondering about it. If I'm smart, we're in trouble. I'd better not be the best we can offer, because we're hosed. No. What we have, ShakaCon, is our version here in Hawaii. ShakaCon is coming up Monday through Thursday. You guys have been? Yeah, yeah. So what did you think of it? I think it's great. There are a lot of different things. Two years ago we learned about the guys that actually hacked the Jeep. They were there doing their presentation, talking about how they did it, how they got grants to be able to buy the vehicles, and how they ended up basically taking all the parts out of the vehicle and putting them on one of those four-wheel sport things, because they just had to zip-tie everything around. This is classic. If I was Jeep I'd be doing the big face palm. Oh my gosh. Lock-picking, I don't believe it; I incorporated that in my class. Elevator security, you know, basically don't ever climb out of the top panel because there's stuff up there that can really hurt you. It's also really technical: a lot of developers talking about vulnerabilities they discovered and things like that. But it's a lot of fun, and as with all conferences, a lot of times when you're at work you tend to get blinders on, and you get to a conference and you start talking to all these people and you realize, wow, we're all facing the same challenges, and the world's bigger than you might have thought. Exactly, yeah. So that's a big benefit of the conference. So did you go to the trainings, or just the...? I couldn't get my boss to give me that. It's always the expense, honey. Yeah, and justifying it, you know, as a system engineer. Yeah, I can justify a couple of days, but the similar in-depth training now, they start at about $1,600 for the cheap ones and they go up from there.

And then of course this summer we're going out to Black Hat and DEF CON, the big show. We're broadcasting the July 7th show... July 7th, 28th, sorry, July 28th, from the floor of Caesars Palace, where DEF CON is held. DEF CON's the offensive security conference. I'm going to change my ticket and just stay another day. I wish you would. I forgot about that. I'll check; that would be great. Yeah, so I've got the whole rig, all the parts are on order, we're going to set up a studio, we got a media pass with DEF CON. Did you? So DEF CON and Black Hat are two, I would say diametrically opposed, or maybe theologically opposed, conferences. So Black Hat usually runs first, and back-to-back at a different hotel, but sharing the same end and beginning date, is DEF CON. And Black Hat is the more formal infosec, defensive security, blue team conference: this is how we want to defend, here's what's coming up next, here's the latest malware. A lot of trainings, but FBI, CIA, NSA, everybody goes there, right. That is a very formal... you know, there's a business hall, it's a very vendor... it's a vendor-friendly conference. Yes. DEF CON, on the other hand, is the Wild West. It's organized, barely managed, chaos, but it's an offensive security deal. Have you been to this? I've not been. You never take your phone, never take anything like that. Well, first of all, it's kind of like a Comic-Con for the cyber guys, and people show up in costume. Sonic the Hedgehog was there last year, as well as, I think, Sailor Moon. I don't know why, but they dress up to go to this event. And it's the same thing as ShakaCon: they offer some training, the social engineering village, so all their little workshops that you're free to go to, a couple of villages. And the social engineering one was fascinating. As I sat there, it took 28 minutes for this young lady to socially engineer a hack into Deloitte & Touche on a Saturday afternoon. Awesome. Wow. Right? I mean, just a phone and a laptop and she's in, in 28 minutes, and that's Deloitte & Touche. Come on. Yeah, she was so good. I learned how to pick locks there, and now I've incorporated lock-picking into my ethical hacking class for physical security, which is a lot of fun. But two very different conferences, so we're going to do the funky one. That Friday falls on the second day of DEF CON, 4 p.m. Nevada time, which is pretty much just ramping up for them. So there are workshops and training, then there are these little villages, and then there are social activities that run till 2 a.m., 3 a.m., sometimes all night. They have movie night, they have dances, they have a drinking contest, I mean, just weird stuff out of nowhere. It's Vegas. It is Vegas, baby. And we've added the element of, now in Vegas, pot is legal, right, all that for recreational. You can't smoke it, or you're not supposed to take edibles on the Strip. I see. But there are no restrictions on doing it and then coming to the conference. I see. So this is going to be a little crazier than we've seen before. So that's coming up. So I'll be out there on July 24th, going through the end of the DEF CON conference on July 30th. We'll broadcast live on the 28th. Our students will be there also; the Cyber Underground will be interviewing the cybersecurity students that just got their associate's in IT and their cybersecurity certificates of achievement, and at least one of them that just got their Certified Ethical Hacker test done. I'm loving it. So, yeah, we're going to be there. Everyone tune in if you can't make it.

And then watch this: CyberHui. What's happening in CyberHui? We don't have any details yet. Okay. I just talked to Reynolds this morning, so we'll get some more information about CyberHui, but Reynolds said he wanted to put some CyberHui people on the show, so we'll definitely get some CyberHui young folks on the show to tell us about that effort here in the islands. They're ramping back up; they're going to do some cybersecurity camps this summer and next summer, and they handle CyberPatriot, which is the high school cybersecurity training, which I really love, that we're getting into the kids' lives, 9th to 12th grade. I think we should get in sooner. Probably going to have to, I think, because kids at what, 10 years old, are holding a smartphone, and they need to know this is not just a magical, ubiquitous one like Harry Potter carries around. So it is in their hands. It is in there.

That's a perfect segue into today's topic. We talked about social media; the top three that I want to talk about today, of course, are Facebook, Twitter and LinkedIn, and for a number of reasons: not just the settings that bite you in the butt by leaving them default, wide open, or setting them the wrong way, but also the information you post that is still publicly available. Let me give you an example. Here's a little trick that Facebook pulled, and I'm at the same time disgusted by it and in admiration of the trickiness of it; it was brilliant. So if you guys know how to do any web programming: if a website, a domain name that you go to, like Amazon.com, if you're on their website in your browser, Amazon has permission by default, in whatever programming language, to write cookies to your machine. It has an identifier, just a serial number, so they know you were there, what your username is, IP address, some basic information. It's relatively innocuous, for you to do shopping on the web and things like that. However, if I go to a website that can write a cookie to my computer, if I have in my coding, if I've made this web page and I framed out, that means I am doing a sub-host of another domain on my page. I'm putting their content on my page. That little frame is their domain, and now my page, because I have their domain, now has permission to write cookies to my hard drive. If you ever see a website that says "log in with Facebook" or "post" or "share to Facebook," right, that's their button coming from their site; therefore they have permission to write to your hard drive. Now here's how they've been using it. I didn't know this. This is the trickiest. Good job, and I'm disgusted at the same time. They can track logged-off users and what sites you're visiting. So now Facebook knows, because they've got the cookie that you left behind, any place their button appears you now have said, hey Facebook, I'm browsing this website and here are the pages I'm visiting, and they know you, even though you're logged off. This partnership through Facebook... so this tracking stuff happens all the time. I don't think people actually realize this is going on, and there is no setting in Facebook to turn this off. Yeah, they have control. Yeah, you've consented through their terms, their agreements, terms of use, right, to this tracking. There's no off-the-grid on the web. So, you know, the user habits are valuable, and that's definitely what I know about right there, and they're reselling that information; they're building the profile of you and what you do with that information. Data harvesting. Yeah. I don't think people stop to think that when they're using a free service, there's no free lunch. That's right. Most people don't stop to think: whatever you're putting out there, somebody's figured out a way to make money from it. Sure. The privacy is out the window. You can't take stuff back once you put it out there. All these things that some of us take for granted, a lot of people just don't consider. Right, so that's a good point. So as soon as you put something on a website, no matter what it is, even if you say "I'd like this private," it can be indexed by people who don't care if the setting is private; they can still see that. So Google might pay attention to the no-robots tag in HTML, but nefarious people wouldn't; they'll just keep on digging. Yeah, and that's where we get the deep web: the people said "please don't index me," but people do anyway, and now we have the deep web indexes of people's, you know, military records, or county courthouse, your divorce records, or something else, that you got arrested, or a parking ticket. It's all public information and it's part of the deep web now. And so people don't really realize, hey, my sister about some horses, they know. I told my sister, stop checking in when you're on vacation. Hey, here we are in Barcelona. Yeah, you're not at home. And the picture includes her husband, my father, my mother, my nephew; nobody's home, and now we know you're out of the country, so I could do all kinds of stuff. And like we talked about last time, because we're good people, we don't think like the hackers. So she put on there that she bought horses in Brazil. That's a perfect spear phishing opportunity. Somebody can figure out a way to leverage that little bit of information, get her to click on the link, and boom, the machine's toast. Right: we have more horses for sale, or hey, are these the horses you bought before, click on this picture, or it's not acting right, can you recommend somebody, or here's who I use, click. Yeah. Okay, we're going to take a little break, pay some bills, we'll be right back after one minute.

"You can be the greatest, you can be the best, you can be the King Kong banging on your chest, you can be the world..." Every other Tuesday at 4 p.m., with the show's host Martin Despang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live but other aspects of our life, not only here in Hawaii but internationally as well. So join us for Human-Humane Architecture, every other Tuesday at 4 p.m. on ThinkTech.

Hello, welcome back to the Cyber Underground. Hope you enjoyed the break. Let's get into this now. We're going to examine some of the settings that could get you into trouble on Facebook, Twitter and LinkedIn. Let's start with Andrew and LinkedIn. LinkedIn, the happy home of all the business. It's gotten so much worse. You know, a few years ago, you remember, it was quite, I think, fairly well respected, and nowadays you still see people posting their meals, and it's getting this Facebooky feel. Right. The one thing you talked about is people posting more personal information than perhaps they should. People, I think, sharing some of the hours that they're available, things that I really don't want the world to know: when you should be in your office, because you're not someplace else that they could rob, like your home, things like that. So what about your skill sets? When you list your skill sets, sure, you're working at a company and you administer Windows 2000 Server and you administer, you know, the newest Outlook. And one other thing I think people don't take advantage of, and I mean there are some marketing folks that would perhaps disagree if you're trying to build a personal brand or something, but I don't like people that leave their connections open. Right, so if I connect to them, I can go see all the people that they're connected to. That's something people use as a mail list. So if I connect to you I can see everyone you're connected to and their profile and their information. But you should turn that off as well; that's my point. That's the same, and a lot of people leave that wide open. So you go into the privacy settings of your account and start reading those things. Yeah, what other things? Actually, exactly, and you know, you want to turn it off. You should, I think, also turn... you can choose not to have changes that you make to your page publish automatically, but you have to turn that off; it's on by default as well. By default you're telling everybody this is everything I'm doing. Yeah. You can also, now, I use that, I pay like five bucks, I pay for the next version up, which allows me to move stealthily so people don't actually see when I'm looking at stuff on LinkedIn either. So you're anonymous here. I'm the, you know, there's that piece as well. And there's another thing: there's two-factor authentication; they've implemented that, so I do recommend that you turn that on. Let's talk about that for a second. So what is two-factor authentication? Yes, so you can use your authenticator, so any time that you need to log in there'll be a code on your phone that it'll ask you to enter, and it's the phone that you've registered, so it knows that should be your phone. Anyway, you should have it in your hand. If somebody took it from you then they could obviously try to get into your account; they could figure out your password and then they would have that code. But it gives one more layer of protection and keeps someone from stealing your profile. Right, you don't want someone to become you on LinkedIn and then start saying things, or, you know, maybe attacking other people from your profile or disparaging them, or, who knows what people could put up, disparaging you, or disparaging yourself, right. Yeah, people are like, wow, she's really gone downhill; your self-esteem lately, man. And for us security professionals, if that happens to us it's just pretty much telling the world, don't hire this guy. Yeah, the reputation. For reputation, yeah, that's something you can't get back. No. And pick a strong password anyway. Use something like Dashlane, go up there and just bang one out, or bang in the ones you're using and see. It'll tell you how many days it takes a computer to hack it. Once you have about 12 or 16 letters, that thing will say 39,000 years or something. That's the kind of password you want to use, and most people are going to use a passphrase. Yeah, make up a phrase, "Mary had a little lamb," and replace some of the characters with specials, you know, at sign, number sign, underscore, whatever like that. And even a blank space counts. Yes, and a lot of logins will allow you to use spaces, so that's a good idea. Yes, it's a good idea. Try what you're using on Dashlane; it's free. Just go to Dashlane, and you can type in these passwords and test them for strength. You've got to be careful about some of those sites that aren't hosted by reputable companies. They're looking to build what's called rainbow tables. Right, so you're putting in your password and they're hashing it with MD5, SHA-1, all these has-been hashing algorithms, and they're making a table, so if somebody only has the hash of your password that they've hacked, now they can compare it to the password that produced that hash. Now do you think Dashlane is selling that? I'm thinking that they... probably hope not. It's free; they're making money somehow. Yeah, yeah. Hopefully it's just PR. Yeah. Any other recommendations? That's what I've got for now. Okay. Throw in some foreign language words. Oh, that's a great one, because if they're going to use an English dictionary and you're throwing in French and Spanish words, now they've got to load up some different dictionaries, and who's going to think of that except people watching this? At my suggestion, yeah. Don't make it too hard, though, so you have to write it down on a Post-it; don't stick it to your monitor. And if you have on there that you have French as a second language, dude, do it in German.

Okay, let's talk about Twitter. Okay, let's talk about Twitter. I don't tweet personally, because we need 144... Actually, I do have an account. I set it up a couple of years ago; somebody started following me within the first hour and it scared me. I didn't find a lot of things in there, but for privacy settings there are public and private tweets. I think we know that our commander-in-chief is probably public tweeting, but if people are following you, you can set the setting to private so that only people that you've accepted will be able to see your tweets. Probably not a bad idea. Can you block people that are harassing you? Thank you, yes, yes, you can. A couple of things I found out: if you make your tweets public, if you have any pending follow requests, you can't accept them automatically; they're going to have to ask to follow you afresh. But the other thing is, if you protect your tweets and then later say, oh, you know what, I want to make them public again, all your protected tweets become public. It goes back retroactively. Exactly, wow. Again, these are things that most people are not going to think about, and I think about that later on, but all of a sudden, how did that get out there? Oh, that change I made. And I was also reading that Twitter just recently changed some of their policies. They used to keep stuff for 10 days; now they keep it for 30 days. They share a lot of the information they're collecting; again, free stuff, but you can opt out of that sharing. With Twitter you have to know who they're sharing with and contact them to opt out, because again, that's another one of these defaults. If you look at your credit card agreements, all those types of things, it says sure, you can opt out, but by default you're opting in just by agreeing to our terms of service contract. So it's like the advertisements on TV about the prescription drugs: don't take this if you know you're allergic to it or the ingredients in it. Like, there's an ingredients list on the drug; how are you supposed to know if you're allergic to it? I found out recently that I'm allergic to that particular drug. I got the hives for three days. Oh, that's... now you know, now you're opting in. And who reads all that verbiage? It's designed so they spend a little bit on that. So try to be as aware as you can; opt out when you can so that you're not sharing your information. I've always believed in privacy. I try to be as private as I can. It's difficult. I understand the desire and the benefits for people, especially families, doing Facebook and things like that, because they can stay in touch, catch up on the news, like I learned about my sister earlier. Just try to... don't necessarily think like a hacker, but understand that that thing is free, and somebody's making money from you. So it's public and it's forever. Yes. And I was going to say, you can apply to have your account verified too, so that they know that that's really you. Yeah, and I also do that with LinkedIn; I meant to bring it up. There are fraudulent LinkedIn accounts out there where people advertise that they're someone, and it's an account that's been created by someone else, and they're trying to join to you to get information from you. So I forgot about that little piece, and that happens all the time in Facebook. There's a thing on Facebook saying, if you want discount insurance, here's how you can get in, this person, and the company said, hey, no, no, no, we have nothing to do with that; we're working with Facebook to get that off. That just literally happened this week. Very clever.

Well, let's talk about Facebook for a while. I was telling you guys, my sister goes places on vacation and decides to check in, and checking in geotags you at the location wherever you are, using your phone's geo coordinates. And she'll take a picture: hey, we're checking in, we're out of state or out of country, and here's my husband and my father and my mom and my son. And now we know two households are completely empty. I told her, don't check in; post it after you come back: hey, we were in, you know, Canada or something, here's British Columbia, look how beautiful it is, here's a picture of us; by the way, we're home now. Yeah, we're no longer out there. Don't rant. Facebook is famous for ranting, and if you've got your settings wrong, that's forever. It will be indexed and it can be used against you in employment. Exactly, people will use that against you when you apply for a job. Hey, we like you, but we understand that you went off on something, maybe completely unprovoked, man; we're not happy to hear that. Let's talk about a couple of privacy settings that can get you by default. There are two settings, "who can see my stuff" and "who can contact me." By default they're set to Everyone, which means anyone on the web, doesn't have to be a Facebook member, can contact you. So you register with email, you give them your phone number for, like, two-factor authentication; this means both of those are searchable. So what a security researcher did, I just read about this: there's an application programming interface, or API, for Facebook, and he used that and generated random phone numbers to search Facebook for all these people that have that set to Everyone. Oh. And every time he got a phone number, like tens of thousands of them, with their first and last name, their address, where they were, all the public information that's available, he got that back, just by generating random phone numbers. So go set that. Now there's Friends, Friends of Friends, and Everyone. Everyone is the public, yeah. Friends, and Friends of Friends means anybody that's a friend of you. That one, yeah, you don't want that one either. You want Only Me. So you just look at yourself. Andrew only. That's just you. You can be a legend in your own... "Who can look me up" is set by default to Everyone. Everyone, yeah. So if you set Everyone, they can see all your contacts, all your information, and everything you post. That's not a good one to have available. "Who can add things to my timeline" and "who can see things on my timeline." My timeline is the sequential order of things that you've been posting. Somebody tags you in Barcelona. That's right, it's not good. I saw, true, he's in St. Petersburg, it's a beautiful day. That's perfect. Permanent. I would recommend you do the two-factor authentication; they have that there, and there are several ways you can do two-factor. There's also, you can get a list of reactivation codes, permanent codes that are associated only with the account. You store them, some process, write them up physically in a wallet or notebook, and then if you're stuck somewhere and you can't log in to your account, you don't have to go through all the hoops; you just have that code and you can re-access your account from another device. That's okay; that's your social media, you're probably going to live. So I would also, on both Twitter and LinkedIn, do this: you get unrecognized login alerts. So, this is the first time you've logged in from this device, yeah, and then they tell you where it's from. So if you get an alert in central Montana, wait, I don't know anyone in Missoula and I've never been there, so I'd better log myself out, change my password, and change some settings. Yeah. LinkedIn, you can actually go in and see how many sessions are logged in and where. I forgot about that. So we're going to have to wrap this up; we're out of time. We have to do social media part 3; we're going to have to come back. Thanks, guys, for joining me. This was a good show, and I hope to have you both on really soon. Don't forget to join us on the 28th; hope you can make it. Okay. All right, guys. Okay, everybody, stay safe.