Episode 1 General Full Transcript

Passwords Must Die

March 26, 2023  ·  46:00

Speakers: Joe Patti — Host, Adam Roth — Host
Joe Patti 00:03

It's five o'clock somewhere, time for the security cocktail hour. I'm Joe, representing North Jersey. And I'm Adam, representing Staten Island. All right. How's Staten Island doing today? You got any wildlife out there?

Adam Roth 00:15

We have some wild rain, but no wildlife. We did have a turkey walking down the street the other day. He was pretty much owning the street.

Joe Patti 00:25

Yeah, well, he probably figures he's safe for a few months. Well, I thought he was a threat actor. But was that thing, you know, whether you have some equipment strapped to him, you think he was like trying to scan your neighborhood or something?

Adam Roth 00:37

I don't know. Turkeys can be very devious. They can carry a wide variety of equipment. You will never know. They're pretty big.

Joe Patti 00:44

Well, we got the rubber ducky. Maybe it was like the iron turkey or something. Who knows? It's quite possible. Okay. Getting down to it. Today, we're talking about passwords. And, you know, it's kind of funny because just this morning, I didn't even tell you this. I got an email that said like, you know, this is your password reset email from one of my accounts. And it ends up I did not request it unless I was drinking last night and even drinking so much that I don't even remember drinking. I did not request a password reset for this account. So that's very apropos, as we say. So I went into the account that this thing was for, and I logged in. So with my regular passwords, I'm like, OK, well, it means it didn't get compromised. And then I said, OK, so what do you got to do? You got to be good professionals, stay with best practices. So I changed the password anyway. And I was not so worried about my email account, because obviously, I guess that simple password reset thing didn't work, but this is a teachable moment. This illustrates a few things. First of all, the people will try to break into your account, and you better have something besides a password protecting it. I mean, I consider that weak. They got part of the way there. Also, kind of important to keep your email account secure or whatever else you're using as your backup for passwords.

Adam Roth 02:11

I think in a perfect world, it'd be nice that only the password resets can come from. And I know our IP addresses are dynamic and they're not static. But it would be nice if we can only do password resets based on our certain geographical area or maybe. So for example, if I'm in Staten Island, you know, somebody can't reset my password unless they're in Staten Island, possibly, or within New York City. I mean, the sheer fact that somebody from another country, maybe India or Russia or China is resetting my password is not a good thing. I usually find that, yeah, threat actors don't usually reside in the same borough or the same city as you, but it is always possible, right? But it does mitigate the risk.

Joe Patti 02:58

Yeah, well, it sounds like it was a pretty unsophisticated one. And, you know, I mean, they could. And I think, hopefully, you know, the sites also have some kind of, you know, some kind of risk, you know, quantification or whatever, giving things a score to say, hey, this looks dodgy. Accept it, don't accept it. I don't know. You know, that's part of the problem. It's impossible to know what they're doing or what they're not doing. And another key thing was, I was not worried about the email getting broken into because I'm worried about that, except I do have 2FA on that email account. That's important. We'll talk about that later probably, but it's, you know, if you're going to have something like, you know, password resets by email account, which just about everyone does, you got to make sure you got 2FA on those, or a hardware token, or you are going to be in a world of hurt.

Adam Roth 03:52

I think it's very similar to the people that call me almost every day that my student loan requires support. And when I really pissed them off and I say things I shouldn't be saying, they lock out my account. So anybody can lock out your account, three, five attempts. If they know the URL and they know your username and password, and they most likely have gotten it from one of those compromise lists. So they figured they can try you know, engaging you. If you're part of a list, you're going to get calls. If you're part of a list, you're going to get emails. How do you get off that list?

Joe Patti 04:25

You know, that's interesting. I wonder if they used an old password too, if that could come from a, from a compromise. You see, that is part of the problem that you don't have visibility into the stuff. You can't find out. I mean, there's no way to call them and say, Hey, let's do a little analysis here. Like, good luck. Even, even in the professional world, you know, in corporate, it's like, good luck. They'll just say, Hey, did you get broken into? No. Good. Go away. Don't worry.

Adam Roth 04:48

So that's funny, right? You know, they have like Tinder and all those other websites. Maybe we can do like meet the hacker.com and then you can get matched up with your hacker and you can ask them questions and see if you're a good match.

Joe Patti 05:04

Yeah, there you go. Except then people start scamming that, you know. In fact, when I got the password reset email, I mean, I checked it out really, really carefully. Because I'm just like, you know, I figured that that could be phishing too. That could be the attack right there. Could have been phony. Who the hell knows?

Adam Roth 05:21

Oh, man, the threat actors today, they're, they're, they're very sophisticated, but, you know, hacking as a service, you know, compromising as a service. There's so many different products out there. You can probably log into and get access to and just, you know, be a kind of like a script kiddie in a way and, you know, you could probably even go onto the site and pick a list. Which list do you want to use? Oh, two cents per username. And you just spam everybody. You don't even have to provide the list anymore. I mean, I haven't gone on one of those sites, but I would imagine you can even, it's like a one-stop shop, right? Who do you want to scam? How much do you want to pay? And then you have to probably pay back. I think you have to pay, you know, a certain percentage back to the people hosting the site. And you could probably use PayPal or Zelle or something else. I wouldn't be surprised.

Joe Patti 06:19

What all the cool criminals use. It's so commercial credit. If you use like PayPal, unless using a stolen PayPal account, that gives you some, some respect.

Adam Roth 06:29

It's, it's, it's so mainstream today. I wouldn't be surprised. I mean, I don't want to sit there and slander PayPal. Cause I might say they do it on purpose, but I'm seeing that there's so many threat actors out there. They probably created an account or a Zelle and say, send me the money. You know, how would PayPal know? How would Zelle know?

Joe Patti 06:49

Well, look, they got some ways of looking at things. I mean, they got things that they check, they do their due diligence, and they do have systems that, you know, are kind of behavioral that they might even have machine learning and AI. It's so exciting. But, you know, at the end of the day, for everything, here's lesson one. For every countermeasure, there is a way around it. They find a way to attack everything. And none of them are 100%. You know, the days of us being able to say, hey, we blocked this. It's like, well, typically now you didn't block it completely. And even if you did, there are 500 other ways into something.

Adam Roth 07:27

That's what the bad guys do. I think what you're saying is I should set up a module or ChatGPT to answer these scammers and then kind of weed them out and see whether or not my emails and my texts and my, you know, different forms of communication are legitimate. I mean, ChatGPT should be able to handle that, right?

Joe Patti 07:47

Oh, yeah, I can do anything. In fact, they're probably using ChatGPT too. So you'll just like have it talking to each other.

Adam Roth 07:53

It'll be like a round robin conversation. Well, I'm talking to myself. Did you know that?

Joe Patti 07:59

Yeah. But that's a whole other discussion, ChatGPT and how to trick it into doing bad things, which is pretty easy. But we're here to talk about passwords today. Yes, we are. And I guess a few minutes into this, we already got passwords just suck. I mean, they're terrible. I mean, I've... I have gone for a long time under the assumption that you have a password. It doesn't matter how well you try to protect it. You can do a lot of things. And the thinking has changed on what a good password is lately. Years ago, it used to be, it's like, oh, you need a long, complex password with all these different characters. Mix your case and all that nonsense. You know, which was definitely better than using like, you know, sex and love as a password or whatever. But a couple of years ago, it changed, and this changed, and I said, no, now we've got to do different things. Now, password complexity is important. Make your passwords long. Don't change them unless you know they're compromised. No more of the 60, 90-day rotation, whatever. So they change all these rules, now there's the new thinking on passwords, and you know what? It doesn't matter. If you've got passwords, they will get compromised. They will get stolen.

Adam Roth 09:11

Well, I mean, like, you know?

Joe Patti 09:12

It seems inevitable.

Adam Roth 09:14

It does seem inevitable, but there's two, there's two different, you know, theories of thought of how that password is going to be compromised, right? It's either going to be one, a dictionary attack, and you know, that, that can really, well, actually three ways. One, a dictionary attack. Two, you've been socially engineered into giving your password. Or three, somebody really wants you and they're, they're not, you know, phishing. They're not even spear phishing. They're whaling and they're going after you and they're going to try to find a way to get your password, and they might even try to use some, you know, cloud-based, you know, password brute force cracker, or try to get some of your information, or get your tables, or extract your password data, and try to see if they can crack it off-site. So this way, they can utilize multiple CPUs.

Joe Patti 10:09

I don't know, is password cracking even a thing anymore? Because it seems like bad guys, they just started stealing them. They're just like, you know, let's steal it. Let's, you know, let's find a way. Let's, you know, they just go and like something gets cracked, you know, there's some big compromise and they put it out on the dark web and sell it. And, you know, sometimes they're hashes, but, you know, sometimes they can be more wrong passwords and they put it out there and, you know, and then, you know, you gotta hope that, if you get in one of those, which we all have, and you have whether you know it or not, that you're not using that password everywhere, which is a whole other thing. But at the same time, that's what a lot of phishing is about, about stealing passwords, or just tricking someone to log in for you, right?

Adam Roth 10:58

Well, it depends, right? Is it somebody just looking to make some extra bucks, and they're doing a wide net, and they're just sending emails and hoping that you do it, and maybe get ransomware, and get your passwords to get that data? Or is it a targeted attack by a nation state or criminal threat actor who wants to get access to merger and acquisition data or financial data that's going to help them make more money in the end? And if they are at that level, they're probably using... They have a big budget to accomplish their task, because the greater payout is getting that merger and acquisition data, getting that financial data, or they've been paid by somebody who's competing against them. So it really depends.

Joe Patti 11:43

Well, you kind of got both. I mean, you got the stuff to cast the wide net, just the commodity, phishing, whatever, where they're going out, trying to steal passwords so they can get into something, trying to steal credentials. So they get in and, you know, and then they take what they got and, you know, post it on the dark web, try to sell it, find a buyer, whatever. And that stuff is pretty cheap. But then you do have the higher end stuff where it's really targeted and the stuff has gotten, you know, we've, you and I have even seen it ridiculously targeted and, oh yeah, you know. You know, let's just go to a company's public website or on LinkedIn, whatever, get some information and say, hey, here's someone who might be interesting. Here are some of the people they work with. And now also with, I think one of the scariest things with ChatGPT is that when it comes to, it can write phishing emails and bullying. I've seen it done. It's easy to get it to write a phishing email, even though it's say it, even though they say it won't write a phishing email, it's easy to get it to do it. You just say, write an email to this person from this person about this and it works. And the scary thing is that it does it in like perfect English. You can't even tell it's not a native speaker anymore. That's really nasty.

Adam Roth 13:00

So, I look at it this way, right? We're talking about user passwords and user accounts, but what if it's an IoT device? What if it's a camera, a surveillance camera sitting in an office and you have access to it through another portal, but then people are using the default password and username, and then you get into that camera from another site and then you traverse onto the rest of the network and exploring. And then most of these cameras are kind of Linux, right? And then you're using the tools built into that small Linux, uh, um, separation to, uh, try to hack and crack other passwords and usernames on, on, on the, uh, on the network. So if you're really good and you can get access to one of these IoTs or these HILOs or something that has Linux tools built into it, you're living off the land. And that's a fun thing to do.

Joe Patti 13:55

Oh, yeah. Well, that's a scary thing. You know, I don't think a lot of people, you know, people realize it's like, you know, a lot of people go to password managers because it's kind of funny to, to explain it. And I think a lot of people who aren't in the business don't, don't realize it, but you know, it's like, okay, you got your personal stuff and you know, years ago you used to have a stack of post-its and then you went to a little notebook with everything. Now you're using a password manager. You're proud of yourself and you got, you know, a couple hundred passwords or whatever. It's like the, the corporations, it's like, yes, they have things. It's called a privileged access management, where it's basically like a big, you know, it's professional grade. It does all sorts of things to keep them safe. But there are still thousands of passwords. Everything has multiple passwords on it. And keeping track of all those, you know, just imagine, you know, security is often not about all this whiz bang stuff. It's just about managing and keeping track of stuff. You know, even a small organization has thousands of passwords, of credentials. And unfortunately, you know, people get lazy, or policies have gaps in them. And, you know, it ends up they are reusing passwords, and maybe the policy isn't being said everywhere, because, you know, we can say, oh, we have this iron policy that says, you know, you got to use, you got to change the password when something's new, and you need to do all this, and it's got to be a certain strength, and you got to follow these rules. You know, that's a piece of paper. And, you know, people really underestimate the difficulty of enforcing that. You know, it's easy when you've got the stuff that the privileged access management system supports, when it's Windows, even when it's Linux, when it's, you know, firewalls and this and that. You know, those things all work with it.
But the IoT device, the Internet of Things, you know, the camera, the wacky thing, or the other thing that someone goes and buys or they say they need, you know, eating sensor, the crap like that. It's like, who knows if it's built with it? Especially if you're in a smaller industry, when it comes to software, it's like, they don't, you know, they don't integrate big enterprise stuff. Big, big problem. That's that causes a lot of headaches.

Adam Roth 16:14

So you're going to get me on a rant, right?

Joe Patti 16:16

So please, that's what this is all about.

Adam Roth 16:19

So some people, they get very upset when you use password managers. What happens if the password manager gets compromised? But you can't, even if you use your same username and password on every site, how do you manage those devices and enterprise organizations, especially globally? And what the issue really is, is that if you use a password manager, you have to be careful. If you have multiple passwords and usernames not in a password manager, you have to be careful. If you store it locally and somebody compromises your machine, they have all your passwords. If you use it in the cloud, somebody is able to find a vulnerability that compromises passwords and usernames, you're screwed. I mean, I guess the good news is if you use a password manager that gets compromised, you might be able to move to a new password manager because a lot of them allow you to export to other password managers. But here's where it gets really complicated. If you work in an enterprise organization, and you need to reset your password, it's usually self-help, especially a global organization. So if a threat actor gets access to your machine, they're going to use their self-help to reset the password and most likely be able to change that password. Now, lastly, what about the Macs? I know you love Macs, but Macs are not enterprise machines. And when you want to manage a Mac and you want to use it in a Windows environment, it's not easy, especially when you have all these different tablets and phones, and when you have phones, you have to use an MDM and then you have to manage the software separately and the passwords are managed separately. And then you have to integrate it. I mean, we can sit here all day long talking about the complexities of this. Now, one last thing before we go on, what happens when you hire that company to come in and do that pen test, and they search every single machine and share, and they find that password put on a notepad on the desktop, which they will always find.
What do we do then?

Joe Patti 18:21

Okay, that was a good rant. You are the ray of sunshine. Thank you, George. That's why we say you might need a drink for this. Well, here's the thing. You ranted now. Now I'm going to pontificate. Basically, and I even tell my kids this with everything, what you've got to do is you've got to do the best you can, basically. And believe me, you can do a bad job and make things trivial. But you know, whenever it comes to security things, but especially passwords, you've got to do the best you can. You've got to use a good password manager, whether it's yourself personally and use something like LastPass or Bitwarden or whatever the hell you use it. It doesn't matter. You got to use it, learn to use it correctly. And, or if you're doing, uh, you know, enterprise stuff, whether you've got CyberArk or whatever the hell the other ones are, using that, you got to do the best you can. You got to use it correctly, but recognize that it's not perfect. It's all still software, or even if you're using hardware-based stuff, which is a whole other discussion. It's going to have vulnerabilities. It's going to have, you know, difficulties. People are going to use it wrong. You're going to make mistakes configuring it. One of the problems in security is that the stuff is too damn complicated. Even for experts, you know, there are going to be issues. And it doesn't matter if it's on premise or in the cloud or where it is, you know, you're going to have vulnerabilities. You're going to have mistakes. You're going to have things that don't support it where you just can't do it. Or you got to kludge it, or hack it or whatever to get something working. And, you know, so you got all that to deal with. And then you got the human nature, where as long as you got passwords, people will write them down. People will find a way to copy, paste them, write it down.
It is truly, you know, we, I mean, you know, we've spent, you know, years and many tens or hundreds of thousands of dollars building systems to protect these things. And it is actually astonishing the lengths people will go to to get around them and write down a password and put it where someone can get it.

Adam Roth 20:29

Well, let's be honest, right? You don't have to write it down to get it, right? And I'm not talking about using telepathy. You know, a good social engineer can really create that sense of urgency and find somebody who's going to give a password to give you access. And that's where multifactor authentication comes in, right? Though, here's again where the other issue is, right? That great threat actor, that great social engineer calls up and says, Oh, I've worked for this person. I need you to do this right away. And by the way, when we do the password reset, you're going to get a pop up that you need to accept in order for us to continue our conversation. People are really good. If you are an expert at your trade. I mean, you can get somebody to not only give you the password, but probably end up getting you a meal delivered to your house, you know, Seamless or something like that. This is how good people are today, right?

Joe Patti 21:28

Yeah, well, that's it. Multi-factor is better and stronger, and you should be using it everywhere you can. But it's funny, just when we thought we had found the invincible solution to this, you know, the bad guys, they're incredibly clever people, the way they figured out how to get around it. You know, you've got phishing attacks, you know, phishing sites that will steal it, and they've got it automated, you know, or like it goes, you know, they grab your password, they grab your, you know, your short-use token or whatever, a time-limited thing, the code, and it'll instantly go in and use it and log in. It is just out of hand, and like you say, the social engineering, all that SIM swapping stuff, please don't use text, or texting, for your second factor anymore. Don't do that. Use the app on your cell phone. Don't give up on that stuff.

Adam Roth 22:23

Do you recall when we were dealing with a Purple Team issue where somebody went into a certain site and turned, changed the SMS texting to a number they owned in order to get access. So that's the issue with SMS, right? If you have access to the portal, you can change the phone. And what we have also seen is people that do these incident response, Purple Team engagements, they sometimes bring their own foreign phones and certain websites can't accommodate these foreign phones in the correct way and allow them to get a little bit more access than they should. So, it's really amazing. If you have text messaging and that's your method of authentication, well, I don't necessarily think it's a good thing at all. You might as well almost not have it. No, it's not.

Joe Patti 23:27

I was going to say it's not, and that's been out of style for a long time. That's been a recommendation.

Adam Roth 23:33

Oh, of course. It's still around.

Joe Patti 23:35

Yeah, it's still around because it's easy and everyone can use it. But I'm here to tell all of you. Don't do it. Don't check the SMS option. And that brings up another thing, which is, you know, if you give people options, well, options for anything, but particularly like with multi-factor, if you can say, oh, so you can get your second thing, you can use the app on your phone, or you can use SMS, or you can use email or something, people will pick the worst one, because it's the easiest. Do not give people choices, and please don't pick the easy one. I mean, do you remember? I don't know if we were still working together, but do you remember when I made a big deal and we were putting in this big system, like, we gotta have two-factor. We absolutely gotta have this. I'm gonna have a heart attack every night if we don't have two-factor. So one of the compromises that you make, because you always have compromises, is, well, we gotta give people a choice. And then so one of the choices was one that I guess I didn't think about it enough, was you can have, besides text, besides the app, you can have the system call the person, make a phone call.

Adam Roth 24:50

Oh, yeah, yeah.

Joe Patti 24:51

An AI or whatever will give them the code. It ended up, I thought to myself, who the hell is going to use this? That's ridiculous. It ends up, it was ridiculously popular. And for the life of me, I'm like, why in the world would anyone want that? I mean, was it just not secure? It was just bizarre.

Adam Roth 25:10

So, so here, so here, check out this, right? If you send somebody an email and you say, click this link and they click it, you can force them to forward their phone calls to you or to them. So you don't even have to come up with some crazy thing. All you need to do is get somebody to click a link that will change their call forwarding to another number and they no longer get the calls. It's really a great idea to, I mean, it's a simple attack. It's not complicated. And I've seen other things done where people turn around and do a man in the middle attack with these phone calls. So basically what you do is you send somebody a link and you tell them it's whatever it is, it's a bank, and they click it. And when you call in, they're using maybe Asterisk, that PBX open source. And at the same time you're calling in, it initiates a call to your bank. It's grabbing all your PIN and information, and now they have access to everything. So why not set it up, say, hey, this is our firm. It calls the number, you'll put the information in, and then you get their information by simulating a conversation between you and your organization. Pretty cool.

Joe Patti 26:33

...difference, and you know, the crazy thing to keep in mind is that we talk about some of these things. I don't like some press people say, I could do this, I could figure this out, I could do this, uh... but the funny thing, though, is that a lot of these things, like most of these things, I'm, they're not theoretical and they're not just being done. It is not just some big idea, you know, the biggest issue in this on an industrial scale, but I think a lot of, on security, maybe a lot of security people don't understand, you know, he's got to get developers, take call centers, they have people. It's unbelievable, and they're constantly tweaking and getting better and better at it. And that's it. So, you know, you're going up against some pros. Show some respect, no love, but, you know, respect that they're smart, was for the smarts after their ethics, uh... so you gotta take this stuff seriously and be careful. It's like, you think you're safe. You're not safe. You're under attack.

Adam Roth 27:31

Well, you know, and it's funny. It's funny. You're bringing that up. Right? So one of the better social engineers in this world was Frank Abagnale. I think it's Abagnale. And he did all that.

Joe Patti 27:48

Catch me if you can guy, right?

Adam Roth 27:49

Yes, yes. And he did all that. So it's funny, right? We're talking about forged checks. And we're talking about how he, you know, socially engineered people to cash in checks about $2.5 million. But then the guy ended up working for or with the FBI. And then he became this password or get rid of a password expert. So, he knows about social engineering. He's done it. He's lived it. And his goal was to get rid of passwords. And whether you're considering biometrics, which is also hard, right? For many reasons, right? Whether we go back to the COVID times, or we discussed that you don't want people to have your genetic information possibly, because they can grab it. You know, biometrics is a good way to force the person to be in there. Or you can also think of like, you know, these push apps that not only require you to accept the access, but ask you a number or a color or a dog. Consider it a push app with CAPTCHA, if you want to call it that.

Joe Patti 28:56

Yeah, well, I would say these days that the state of the art is basically two things. First, you absolutely need two-factor authentication for anything important, but also in particular for anything on the internet. Anything that's exposed to the internet, you know, you don't want to use a username and password anymore. I mean, if it's something trivial, you know, if it's your New York Times account or something stupid like that, who cares? You got to protect things according to the threat. But for the stuff that's important, especially your bank, your email, because it's used to get other things and verify stuff, your phone, really anything you're paying for, seriously paying for, your Amazon or whatever other retail sites you use, you want to use two-factor. And really the state of the art, I think, these days and people probably say, no, no, no. What about this? Whatever. Well, my opinion is, like you said, the push app where you get the app on your phone and it doesn't just say approve this. Cause there are ways around that. People just bomb you with approvals. They approve, approve open. You're in the middle of doing something, but you know where there's a number and you got to say, you know, does your screen say this number, or enter the number, or whatever.

Adam Roth 30:20

Unless the threat actor is giving you the number on the other side, you're not going to know it, so you can't push it, right?

Joe Patti 30:28

Yeah, that's a good thing. And they're tied together in complicated cryptographic ways, but that's strong. So go for that if you can. And like Microsoft, probably a lot of people use Office 365. That's a really good thing to use. But the other thing that I love, that is my favorite thing, my favorite type of authentication, I'm in security and I have one, is a hardware token, a YubiKey or whatever else. I think those are great and they're really hard to beat. Legend has it, I don't know if it's true, but legend has it that once Google started using them, they never had a successful phishing attack. I don't usually believe absolutes, but they're a good thing to use. Where you get a little thing, you've got to plug it into your machine, or you've got to hold it next to your phone, and it recognizes you. And that's got, again, strong cryptography and a mechanism where nothing can get in between you and there. They're hard to steal. And you know, you know, you're talking to the right place and it's gotta be you. That's pretty strong.

Adam Roth 31:42

I want to bring up two points.

Joe Patti 31:43

That is my current favorite. That's what I've been using.

Adam Roth 31:46

And you brought up two. So I want to go back to the past to something you said, and then I want to go forward to the future. Go back to the past. Yeah. Well, I have a time machine. Hold on. Okay. So back to the past. In the past. We're talking about, yeah, you know, my Times account is not trivial, but here's where the issue is. The issue is somebody uses that password with their Times account and again, I'm not saying the Times doesn't have it, but they don't turn on multifactor authentication. But then they use the same password with another site that has multifactor authentication. So, now the site that gets compromised has no MFA. They get the password and then they use that password, maybe on another site and then exercise what we know as a zero day, right? Zero days, everything has a zero day. Everything has a zero day, whether you found it or not, everything has it. There's always a vulnerability somewhere.

Joe Patti32:45

Well, remember too, it's like that gets back to don't reuse your passwords. 'Cause again, you think, oh, someone might get it. It's a little thing here, not, you know, industrial scale, and people have this stuff scripted and everything that they can. You know, they figure that you have accounts, you know, in a lot of places. When they see your email address, they're going to go log into a bunch of different places, and they're going to use every password, you know, that they find that's associated with you, and they'll get a hit eventually. Be careful with that. But again, the real answer, get rid of passwords, or at least couple it with a security token. I love the security token. There are only two problems with them that I can see. The first is you don't want to lose it, so I just have two. It's a little bit of a pain in the ass sometimes to set up both for an account, but you do that. The other thing is, though, there's not enough support for it. Like, so few sites support it. I just wish it was everywhere, and it's not, and that's really, really disappointing.

Adam Roth33:54

So few sites probably use it because the investment is enormous and they know that the majority of the people are not gonna really use them. Let's be honest, right? Nobody says, I'm going out of my way to go buy a YubiKey or some kind of certificate USB. And then the problem ends up being, okay, I'm using it on my laptop and I know they're capable of using them on the phones. So phones, but are people really gonna plug it into their phone? And they're gonna remember to take it from their laptop to their phone? Are they gonna implement it that way? And then another point that you also brought up, some people, what they use is they use Microsoft Outlook or any of those desktop applications for calendars and emails, but they don't set up a separate password for that. So you need application passwords in addition to your other passwords to also manage and mitigate risk.

Joe Patti34:57

Oh yeah, well, you know, it's, you need multiple things, but you know, as far as the convenience of it goes, I mean, you know, they're not that inconvenient. I mean, to be honest, I mean, I walk around, like I said, you need a couple of them. You know, you keep one on your key chain, so you got it with your keys when you go out. And you don't plug it into your phone, you get the kind that's like NFC, so it just, you know, gets close and it works. I mean, that's, yeah, you got to pull your keys out of your pocket, but it's not a big deal. And you keep a spare on your desk too. I mean, Joe, you're safe in a safe place.

Adam Roth35:30

I'll tell you why.

Joe Patti35:31

Oh, gee, I know you're right. And I spent money.

Adam Roth35:36

I don't have keys anymore. There's no keys to my house.

Joe Patti35:41

Oh, oh, oh, that's right. You got that crazy. You know, I don't go for that stuff.

Adam Roth35:49

So I don't have a key chain except for the car. And then actually I put my fob in a Faraday pouch because I know that these people are walking around the neighborhoods and shooting little, you know, parabolic mics into the houses to replay the signals on the cars and take the car. So I have a Faraday pouch for that. But again, I don't have keys. And I think keys are also a vulnerability, physical keys as well. I mean, anybody can hack a lock. And can somebody get a password to my door? Yes. But my cameras and my other intrusion, hopefully we'll catch them. Again, we mitigate risk. We don't prevent things from happening. We mitigate them. So you can carry your YubiKey on a key chain, 'cause I don't have one, but you know what? I can probably slip it into my wallet, right? They have those thin ones too.

Joe Patti36:40

I was going to say, if you don't have keys, you can just put it in your pocket too. That works.

Adam Roth36:45

That works. But that allowed me to get into that. Yeah. I wanted to OG you, which I did and I felt better about it. Even though we're very, very close in age, I'm just going to OG you.

Joe Patti36:59

You know what, my car doesn't even start with a button. You got to like turn the key. That's how OG I am.

Adam Roth37:06

Oh, when I took an OG, I had to get into the front of the car and then turn the crank. I made that up. I made that up. I made that up.

Joe Patti37:14

Yeah, do you walk in front of it with like a red lantern or something?

Adam Roth37:19

I can go even more OG than that. I can say, you know, I use my password manager on my YubiKey while being pulled in a horse-drawn carriage.

Joe Patti37:31

Well, you know, you are correct. You know, for personal use, there is a little bit of overhead with that. And I kind of think that's why people look out to the phones with the push apps, because the phone just, you already have it. You don't have to buy anything. It's pretty easy to manage. So, I mean, if you must, if that's the best you can do, it's better. It's better than texting and certainly don't use just the password, but basically do everything you can to get rid of passwords, or at least to not use just the password. That is my message.

Adam Roth38:08

So you brought up a good point here, right? The phones. You know, there's two flavors of phones, you know, you're either an iPhone or Apple person, or you're probably an Android person. If you have other phones, oh my God, I don't even want to get into that, but let's say you are. No Windows Phone in my drawer.

Joe Patti38:23

Yeah. Okay.

Adam Roth38:24

I have a, remember the iPAQs and all those other phones? I don't know if you remember those iPAQs, it was HP and then it was bought, whatever.

Joe Patti38:36

Oh, like IPAQ?

Adam Roth38:38

Yeah, iPAQ. I think I might have had one of those. That's what I'm using today. That's what you're using. No, I'm kidding. So, you know, I'm not an iPhone person, but I'm always amazed. And this is another topic for a conversation on another podcast, but if you have a non well-known password or PIN or something on your iPhone, the chances of anybody getting into it, unless they're contacting the Israelis or getting Cellebrite to hack it or find a way to compromise it, it's very hard. So I'll give credit to Apple and say their phones are pretty secure for most human beings. You really need heavy-duty equipment to get into most of them or you just need to know their password, right? So I'm really impressed how well-structured those phones are. And it's a good thing, right? And it's a bad thing, right? And I don't want to get into the philosophical discussions of, you know, if a terrorist uses a phone, you know, should you have their password or access to their accounts? That's another whole podcast.

Joe Patti40:01

Well, look, here's another reason why passwords suck. You mentioned the phones and yeah, you know, on security and all that, iPhone and Android, that's a whole other subject, and how secure each of them is. But there was an article a couple of weeks ago, pretty recently, in the Wall Street Journal, or if it wasn't the Wall Street Journal it was the Times, about how people were breaking into phones, and the easiest way they were breaking in was, I think, they were just watching people put in their PIN, just watching them, you know, then grabbing the phone, whatever, picking their pocket or whatever, and then being able to get in like that. And you know what? That is like the oldest school thing in the world, just looking over someone's shoulder, you know, to get their password or whatever. I mean, that's from like 30 plus years ago. That's just amazing. You see, that is, not the sin, the, I don't know, the lingering festering evil of passwords, that on these super advanced, super secure devices, we put a password on them and they're still subject to a 20, 30 year old attack. You know, it's just insane. Don't do it. Use the biometrics for God's sake. At least you got to get, you know, drunk and have someone stick your finger on the thing or put it in your face or something to unlock it.

Adam Roth41:28

So, I think about 15 years ago. Yeah, and it's funny you bring that up, right? 15 years ago, when I did the CISSP test, maybe even a bit longer. Yeah, I guess emoji. And then we're talking about, you know, now it's called phreaking, or basically looking at the emanations of the signals coming from a CRT, and there's so many, supposedly, of these tricks and techniques of listening or watching signals emanate. Like if you're pushing your buttons on your phone, there might be oscillating tones that you can hear from a distance and know, I'm not talking about DTMF, I'm talking about you push a button and now it's creating these waves that you can see from a distance and like, oh, that was a four, that was a three, that was a seven. But yeah, people are doing that. Even in ATMs at banks, people are putting in like hidden cameras and they hope to see your card number and they hope to see your numbers. But, you know, thankfully, you know, we have more sophisticated cards today that have smart cards with certificates. I know they call it MIFARE for the access cards to buildings, but you know, if the person gets ahold of the card and then sees your PIN number, or they wait for you outside, if they've gotten the PIN, they can just walk right into the ATM and take money. I mean, they can also put a gun to you and say, give me your money and put your card in, but you know.

Joe Patti42:57

Well, that's always, that's my favorite cryptographic attack. Remember Schneier's book, what was it, Applied Cryptography? I think he called that the rubber hose attack or something.

Adam Roth43:07

Yeah, yeah. But what I'm getting at is that there's so many ways to circumvent and socially engineer and use like these old school attacks, you know, oh, you see the PIN number. Okay. Maybe I can get the person's card. You know, when they walk out of the ATM and they walk back in and out, they have their PIN. They don't have to even give it to me. I don't have to even threaten them. I just take the card from them. Well, I guess you're threatening them if you're taking the card from them, but you don't have to even worry about getting the PIN. You just saw it on a hidden camera that was placed on the wall behind there as a fake security camera.

Joe Patti43:43

No, it's true. I mean, look, there's a way around everything. I guess a lot of the message is, you know, yeah, there are these things that can be done. You got to be careful. You need to understand what you're using, understand what the threats are, and for God's sake, at least don't make it easy for the bad guys. You know, using passwords, frankly, is making it easy. Using bad passwords or reusing passwords or writing them on a spreadsheet, that's making it extremely easy. At least make it harder.

Adam Roth44:14

Well, you mean when people connect an external keyboard and they go to Hak5 and they put that in between the keyboard and the computer, and you don't have any USB detection for your endpoints and it doesn't know that somebody put something in between? Oh yeah.

Joe Patti44:30

Well, look, I mean, you got to be realistic about the threats too. Like that, you know, sitting here in my office, I'm not tremendously worried about that. I wish I was important enough that someone would be sneaking in or that I had a house full of servants, you know, I got to worry about. So I don't worry about that so much here. When you're traveling, going to a hotel, that's a different story. Then maybe you should be thinking about it a little bit.

Adam Roth44:56

Cool.

Joe Patti44:58

Cool. All right. We have spent a bunch of time trashing passwords. I hope we have helped all of you hate them as much as we do and give you some tips on how to deal with them. We'll probably have some more rants. We'd love to hear your thoughts on it. So Adam, last call here at the cocktail hour. Any other thoughts?

Adam Roth45:23

I have no other thoughts. I have no other thoughts. I have a lot of thoughts, but I don't think you want me to rant on for another two hours.

Joe Patti45:32

Yeah, you know, maybe we can do an extended session one day of just, you know, a continual rant. But for now, yeah, that's, that's, you know, that's a big topic. You could talk about this for days and then you'd really want to start drinking till you pass out. But for now, I think that's all we got.

Adam Roth45:51

Yeah, thank you. I'm looking forward to our next podcast. That's right. All right. We'll see everyone.

Joe Patti45:57

Bye.

Adam Roth45:57

Bye.