Holiday Security Tips and Negronis with Reut Weitzman
Reut Weitzman · December 8, 2023 · 31:03
Okay. Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth.
I'm Reut Weitzman.
Hi, Reut. I know I'm going to keep saying it wrong. I'm sorry. And I hate to insult our guests. Reut. Okay. Sorry.
Anyway.
Reut. Thank you for joining us for our special holiday episode. Glad you could make it.
Thank you so much for having me on your podcast during this festive season.
Reut, why don't you introduce yourself? We've actually known each other for a while, though we haven't spoken for a bit.
Yeah, that's true. So we met over a project a few years back. I've been in the tech industry for over 20 years, 60 of them which have been focused on cybersecurity. I collaborated with various sectors, including governmental, defense, aerospace, retail, financial, professional services, and this is how we met. And so in those roles, I served as a cybersecurity expert and a trusted advisor for C-level and executives, with the primary goal to assist organizations in navigating the complexities of cybersecurity and defense against potential threats.
Now, you see, that's a great consultant answer. You know, I'd say you were telling me everything I was doing wrong, you know. We're actually great. We're really helpful. It is important to have a good partner, another set of eyes and hands, and preferably knowledgeable ones.
Well, you're lucky she didn't give you the list of everything you did right. That'd probably take a second, right?
Well, actually, it was kind of funny because I think you were on one of them where we do like our kind of annual assessment. You know, a lot of places you have to have a third party do an annual assessment. And I'd always call that my report card whenever it would come out. I'm like, oh, God, I hope we didn't miss anything or whatever.
You guys are actually pretty good.
Thank you.
Well, you did get a D from one of your cybersecurity engineers. Was that you? I'm not saying it was me. It might or might not be it.
You know what? I give myself credit for doing so well, despite this high level of support I got from my team. Yeah, sure. So what are we drinking today? Of course, we got to get to a little bit of business here.
Yeah, so Negroni is my top pick cocktail for spreading some holiday cheer. I see that you came ready.
I did, and I'm glad you picked this. I don't know if I've ever had one, but I'll be honest, I was hoping... Oh, it's red. Oh, that's great. Okay, that works. I was hoping for a red drink, because if someone said something like eggnog, I hate that stuff.
Oh, yeah, I hear you. I tried it once, and that was enough. That was enough?
Okay. Fair enough. Okay, well, cheers. Cheers.
I'll hide right now.
Okay, great. That's fine. Oh, that's pretty good. That's different. Wow, that's interesting.
Yeah, I don't know how you made it, but it's a blend of gin, vermouth and Campari, which I especially like. I like the bitterness.
Yeah, that's like a little more, I don't know. I think of that as being like more European. Whenever I go to Europe, they drink more of the bitter stuff. They're more into that than us Americans. But so worldly.
I learned something.
Adam, you learn anything?
I've learned. I had a drink in the Dominican Republic, just got back from there, so I've had a lot of drinking experience.
You're rubbing it in that you were just on vacation. Thanks so much.
Well, they say the Dominican water is beer, Presidente. So I had a lot of Dominican water. It was good. Some mojitos. So it's all good, Joe.
I know. So glad you made it back. All right. So let's talk a little security. It is the holidays. And during the holidays, unfortunately, besides all the joy and festivities and wonderful things. There are a lot of scams going on. This is the time when people know you're spending a lot of money and are trying to get your money. So we thought we were going to talk a little bit about that. And it might be a reminder for some people of some of the classics, but also talk a little bit about some of the, you know, some of the latest things.
If I can interject, I got that email from you about buying the gift cards for the rest of the employees. I bought them.
Right. And did you send them to Africa at that address I gave you? No, India. India. Okay. That makes sense.
It makes sense indeed.
Yes. Not that there's anything wrong with those places, but we certainly don't have any employees there or any employees at all.
That's true. No wonder I'm not getting paid. Yeah, really.
So, I mean, one of the things that when I was thinking about this jumped to mind immediately, and we've talked about it before, is just, you know, the typical scam emails, the phishing and everything. And, you know, guess some joke too, that with AI now in the past year, you know, the language has improved. They're able to translate them much better. It used to be you could tell by some, you know, strange, you know, words that it was a non-native speaker or something. Not so much anymore. You can't count on that.
Like color, C-O-L-O-U-R, and then you realize the person really is in Europe or someplace where the spelling is a derivative. Like if I got an email from you that said color, C-O-L-O-U-R, I would probably think it's not a real email.
Are you saying you can't trust the British?
No, I'm saying that you should be cognizant of the spelling and the usage of language depending on the region that you're getting the email from.
I suppose that's true. OK. So Reut, what are you all seeing here? Because you do consulting. You see a lot more than us. I know we've been very worried about that. Have you seen much of that happening lately? Yes. Are things getting harder to detect?
Yes. And like you said, we don't see the usual spelling mistakes or grammar mistakes that we used to see. It's not the plan. Just translate that. I don't want to say which solution, but it's getting more and more sophisticated. Also, this year, we would see even more sophisticated phishing attacks using AI to actually increase the perceived legitimacy of the scams. And we see many of these, especially inside organizations, how attackers actually learn what's the common lingo and who would contact who. So in that effect, we see more and more. And now around the holidays, we can see many emails with urgency or scarcity urging people to quickly get the deal or buying from a new shop that has a bigger discount. And it's not the usual stores that the people would go to. So that's another thing to pay attention to. It's not the spelling and the grammar that we used to see, but it's more of the feel and the sense of those phishing emails. This is what we need to pay more attention to now.
Can I jump in on there? Go ahead. So what I see is like, look, it's Black Friday, it's Cyber Monday, and people are rushed to have this urgency to react. So if a threat actor is going to send an email, and we'll talk about the type of threat actors, but if a threat actor is going to send an email saying, are those headphones that you wanted? You know, maybe they really wanted headphones. Well, they're great. You know, Cyber Monday is coming up and you click the link. And then what I see a lot of is people like, oh, wow, use your Google account. So they think they're really syncing. They're really using like a single sign-on. But what they're really doing is providing their credentials through to Gmail to the threat actor to get into their account. And that's the sense of urgency that I see. But then I wonder, are these regular threat actors that are trying to get compensation, or are they elevated more like state actors that use that cyber purchasing to get access to that domain, to that infrastructure, in order to do more nefarious actions?
Yeah, that's an interesting angle. We don't see much of these disguised within phishing emails. Not much of state-level threat actors, but more monetarial stuff. Yeah.
Okay. Monetary stuff. You know, you did say something interesting that, uh, that kind of resonated with me a bit. You said that for the, like, you know, the internal emails, people going into the corporate stuff, they're starting to mimic better, like the conversations that people have and using a little inside knowledge. I guess that kind of begs the question, where are they getting it from? Is that stuff that they're able to get from an outside perspective, or is that a signal that maybe they're already in and you're in big trouble?
So I believe it's a mixture of both. People send emails out of the corporate all the time. So it's not just internal, and we can access emails from our own devices. So it's also an open vector for threat actors to actually be able to catch those emails. So it's a mixture of both, I would say.
So there's a post in this and there's that pre thing, right? Post. So pre sending phishing emails, people were able to get the credentials. But people also forget, even if they get your credentials, post the attack, if you're using certain security features like multi-factor authentication or push apps, at least if they get your credentials you can prevent that by having that second level of authentication. People keep on forgetting that just because you've been compromised password-wise doesn't mean you've already been fully compromised. So that's a good thing that people have to remember in these organizations and even personally, whether it's your bank account, your Chase in the U.S., or if it's any of those type of things, the financial aspects of it. Plus, you know, if you're using, I don't know, Amazon, you know, or any of those other places that you're purchasing from, use MFA, validate where it's coming from, and always keep cognizant that somebody might be logging into your account.
Yeah, that's true. Multi-factor authentication is a game changer. It adds this extra layer of protection beyond just a password. Really, I'd encourage everyone to enable MFA wherever possible. It's simple and highly effective.
Okay, I'm going to hit you with a surprise now because we haven't talked about this before, but we're always talking about MFA, MFA, MFA. You got to have that. We said, don't use SMS, that's too old. Avoid if you can use the push apps, use your app, whatever. I love the hardware tokens, this stuff, but everyone hates them and they are kind of a pain. What do you think of those new pass keys coming out? Strangely, I haven't heard too much talk about it. I mean, it doesn't seem like they're blowing up. I mean, have you guys looked at it? No, the thing, it's like a Google thing or something or some standard, they call it passkeys. I think it basically takes a certificate or something, puts it in your browser. Oh, okay. It acts as a second factor. Have you been looking at that by any chance?
Not really. Organizations are not very eager to implement those. Mostly they would prefer authentication apps. I guess it makes people feel more safe maybe because they have it in their hand, like on your phone you have the authentication app so you can actually see it. So other than it's embedded in your browser and you don't really know what's going on behind the scenes, maybe it's something that will be implemented later on. But for now, I don't see organizations very quick to adopt that, not yet.
Yeah, I can see that too, because I think you're right. Even though I know it's there, it's nice to have the thing in your hand, something separate. And also I know that for the corporate environment, managing browsers is actually pretty difficult.
And then managing credentials in the browser, but we actually try to avoid it normally. So I can see that. Let's talk about physical security information management. Let's talk about PSIM.
Oh my God, Adam's favorite subject.
So if you are in an organization, where you're in the office and you swiped in your access card, guess what? You're not going to be able to log into your browser from outside. It's going to know that you're inside. It's going to disable VPN. It's going to say, Hey, I know where you are. You can't be somewhere else. And that's another way for an organization to lower its risk.
Well, ideally, yes. And you know, like with identity management, we'd love to have the thing for years. I mean, I have where it's like, you're on vacation, and so you shouldn't be logging in for the office or things like that. But those things are really tough. I mean, I've- It's not as bad as it used to be. Well, actually, well, that's a question for a consultant who sees everything. That's true. Sorry. Are you seeing more implementations of that kind of stuff, particularly in- No. Really? No.
But, you know, we talk about protecting ourselves during the holidays and we talk about browsers and phishing and emails, but hacking is not limited. And when I say hacking, I know it's considered a bad word because there's also white hat hacking. Hacking doesn't always mean bad. But if you're going into a gas station and you're swiping your credit card and there's a skimmer there, you got to be careful. If you're going into it to get money out of a bank machine, make sure there's no cameras behind you or something that looks weird that's filming you, so they get your PIN number and your card number. We gotta be cognizant of things like Flipper Zero, where they do the close proximity scanning of your card. There's a lot of things out there that made things really easy. We talk about script kiddies; now hardware has made people script kiddies. We can get information very easily, so always keep possession of your credit card, look around you, make sure no one's scanning you. You know, someone doesn't bump into your bag and scan your card, even though multiple cards together don't allow it to be scanned. I mean, I'm still into physical security information management as well. I believe you gotta be very careful of how you handle your equipment, your phone. And I think Apple just implemented a thing now where you can do close scanning now and get someone's pictures. That happened, I think, today or yesterday.
Yeah, Adam, you're right. When it comes to physical security, once an attacker would have physical access, that's game over.
And so it's always been like that. We've said that I remember, you know, years ago saying like, oh, here's how you crack into the route or get here, whatever. But even in the office, you know, doing stuff is or if they someone gets hold of your phone there.
For example, if you're doing a purple team exercise and the purple or the red team doesn't know that you dropped a microphone in the room while they were talking. You know, you get that information right away. You know what the adversary is going to do.
Right.
That's true. Well, you know, talking about credit cards, I'll tell you, you know, I've always been paranoid about credit cards, I won't use a debit card, because I just worry someone's going to get it and clean out. Absolutely. So I really don't like those. But you know what I had what I do like, and I actually do like the technology behind it is the whole Apple Pay thing, Apple Pay, or I think Garmin got a Garmin. Yeah, when they don't actually, you know, send the credit card number, where it's really just a challenge or a hash or something or a one-time thing. I like that and I'll tell you, I especially like that. The place where I learned to truly love that was on the New York City subway, where especially if you have a watch, you don't have to take out your wallet or your phone or anything. You just swipe through and you're done.
I think that's fantastic.
Yeah, it's so much easier now.
And it's so much easier to compromise if I steal your phone or your watch.
Wow, not necessarily. Not if you have a passcode or the pinout. You know, you have the facial ID or something, right? And no one looks like you, Adam. We know that. You're completely unique.
Yeah, but there are people out there that don't set it appropriately. They time it out after an hour. I've seen that happen too. I mean, it was a big scam, right? At least in New York City, where kids will come up to you. Oh my God, I lost my cell phone. My mom doesn't know where I am. and then the 16-year-old takes their phone and starts zelling himself all your money. Gotta be careful. Oh, is that right? Yeah. Oh, that's why you shouldn't do that. Oh, I'm sorry, mister. I can't find my mother or I lost my phone. I need to call home. Can I use your phone a second? Sure. I just lost $2,000. What a terrible world.
You can't trust anyone. Not random kids on the subway. You just can't trust them.
My God. So be careful who you interact with during the holidays, especially when you have so many people around you that can distract you. It's all about situational awareness.
Yeah. Well, you got to protect your stuff there. I mean, I also find myself believing on, I was never really into it, but more and more in the past few years, I've been using PayPal more and more because it is a bit more convenient when you're on the web, you don't have to go get your wallet. But also I'm like, the fewer people have your credit card number must be better. I mean, that's kind of the way I look at it, assuming, you know, that thing is secure.
It's risk versus rewards. If you use PayPal, it's great. Uh, it makes it easier just to, you know, log in. Oh, we remember your login because we've seen you here before. Um, but if you, if the money's transferred from your bank account, you can very easily lose your bank account. If it's transferred, if it's done to your credit card directly, it's okay. But here's the other issue. Um, I send, uh, a brand new TV and a TV is incredible. She's like, thank you for that 55 inch TV. But then the TV breaks. And then I go back to the person I bought the TV from or the organization, they go, oh, we can't help you. Then you can't dispute the credit card as easily. But if you use like American, if you use certain credit cards.
Oh, really? I didn't know that. If you're using like PayPal or one of those things, you can't dispute it like a credit card?
You can, but it's not as easy. PayPal is not as easy to dispute things with as some other major credit cards.
Oh, really? Wow. Well, you know, I bought a watch from a guy on 5th Avenue a couple of weeks ago and tried to dispute it and, you know, I just didn't get a lot of traction. I mean from a guy with like a little stand on the street, that kind of thing. And, you know, I've heard tourists say, God, that's so convenient. Like, you know, the store has a little stand outside and for a discount. That's amazing.
Reut, what are the top five things we need to look out for this holiday? So let's look at it that way.
Yeah, so it would be mostly phishing emails, urging people to quickly get the best next deal. Also, we see a lot of shops that are not official. People are selling a lot of things online, influencers on social media and so on. So you also need to be a little bit more careful when it comes to that. Just make sure that there are reviews, that this is someone who's been active for a while and not just popped up. And what you guys talked about with PayPal and debit cards, that would also be something to use other than wire transfer, bank transfer. Don't do that with influencers or shops that you don't know.
Yeah, you know, you bring up something really good. I don't want to impinge anyone's, uh, you know, integrity or anything, but those so-called influencers, whatever, are not only selling the most reputable stuff, even if they might have a good channel or be popular with them, I'd be really, really careful because I've heard that they will, they will sell pretty much whatever they're paid to sell.
And they really don't check it out or vet it or anything. So I should know about a website called uncleadamsgreatdeals.com and put pictures of things I don't sell and get people to come to my site.
That's right. But remember us, we don't sell anything. And so, but we would ask that at no cost, if you're watching us on YouTube, please like, and subscribe and tell your friends or follow us on Spotify or other platforms, you know, like the way I work that in, we're getting better at this.
Yeah, maybe.
So what else have we got? What else should we be looking out for this year? I was thinking with a lot of people traveling, all the regular rules about protecting your laptop, being careful in hotel rooms would apply, and not trusting the public Wi-Fi, if you must use a VPN or just fall back to cellular. Well, you actually travel quite a bit.
Well, before you answer, that's exactly what I wanted to hone in on. Like if you're a person, like I just came back from the Dominican Republic. I might be familiar with the United States and the things I'm purchasing in New York, but when I go to other countries and a lot of people are traveling between now and the end of the year, how do I kind of know in another country or another place, whether something might be authentic, logging in with my password, my username, things like that.
You know, you can look for this secure website. Make sure that there is HTTPS in the URL to verify that the website is legit. Make sure that you shop where the locals do or look for reviews. Always look for reviews when you shop in a new online store.
Now, I've heard something interesting about reviews, and I don't know if this is true, but it's something I've kept an eye out for. You know, they say there are a lot of fake reviews, and I've heard people say that if you see something where the reviews are either, like, if they're a mix of absolutely glowing and wonderful five stars and absolutely terrible and like nothing in between, that it's probably fake, because the real ones are terrible and, you know, the glowing ones are all the fake ones that they put in themselves. That's not very scientific, but it's something I heard somewhere. But yeah, definitely, I try to stay with the reputable places. That's a funny thing.
You brought up, because the two or three times that my family or I have given bad reviews, vendors have come back to us and said, hey, I'll give you $50 right now to take that review down. I'll send you the money in advance. Just take it down. So there are vendors out there that will buy your negative review and do it. The more reputable, and this was reputable sites, the more reputable vendors and reputable sites, the overall sites themselves, at least you can see verified purchases, but that's not across the whole entire industry. Verified purchases are really important.
But what does that mean when they say verified purchase? I mean, I know what it's supposed to be, but can you really rely on that? I don't know.
Well, unless they bought the item. So let's talk about a well-known worldwide site that sells a lot of merchandise. You can buy something from that site. And when you buy it, they know you bought it. So when you leave the review, that site knows that you actually purchased it. Now I've heard stories where people give reviews and then they return the item later on and they still get to give a good review. For the most part, the verified purchases are somewhat good. But the bad news is that a lot of these big sites do allow, I shouldn't say they do allow, they don't always enforce people that sell counterfeit merchandise. So that's another thing you gotta be aware of. Is the merchandise you're buying from, even though they're a reputable big name online seller, is that merchandise really reputable? Is it a legitimate store? So if you're buying Rolex from a very big site, there's a chance, even though it's a reputable seller, or have vendors on there, that Rolex might be a Frolex.
Well, I think that unless you're buying a Rolex on the street, I would be very wary of buying it from any sites other than the very most reputable ones, put it that way. You got to use a little discretion there too.
But I am open to somebody sending me a Rolex for the holidays of our active listeners.
You want a Rolex? I'll send you a Rolex. I know exactly where I'm going to get it from. I'll pick it up this week when I see you in the city, okay? I'll give it to you right there.
So, what other tips do you have for us?
So, I would want to recommend again, considering your passwords. I know it's something that people are always talking about and everyone thinks, okay, that goes without saying, but no. People need to remember that passwords are the first step. If you don't have a strong and unique one that is more than 12 characters, it would be easy to crack. I would recommend, you know, even choosing something like a passphrase or a password with three random words. Just make sure that it's complex: uppercase letters, symbols, and so on. And then you have to think of a good solution, how to remember all of these.
Password managers are great.
Password manager, yes. We haven't done, we've talked about this, we haven't done a deep dive into password managers, but I do say, please use one. Yes. Auto-generate your passwords, save them, make sure you have a unique one, just do that. And I also want to say that, you know, this time of year particularly, you know, say between, it's actually a good time to do a little housekeeping. And if you're like, I haven't quite gotten around to changing all those passwords or using a password manager or starting, you know, if you got some time on your hands, that's not a bad thing to do. And it doesn't require any physical labor or going out in the cold. At least it's cold here in the New York area where we are. I know it's, yeah, it's a lot more comfortable by you. But, you know, us, we've got to deal with the cold.
So I followed Reut's recommendation. My password is big enough. It's Christmas 2023 exclamation. And of course, I substituted some of the letters with numbers. And then for other sites, I use Hanukkah 2023 exclamation exclamation. So I'm good. I'm set. My passwords are secure.
Yeah. As long as you're avoiding password reuse, you're good. And thank you for sharing.
Okay, great. All right. Well, we went through some tips here, and you know, the biggest tip is also, you know, be careful and please be aware. And these things can be a little bit inconvenient, but they can save you a lot of time in the future, because no one wants to get all their money stolen or their identity or anything, especially around the holidays. It's supposed to be a joyful time and happy, and you're supposed to enjoy spending your money, not lose all your money.
And there's a good chance you're going to get the money back if you have the right financial organizations, but the amount of work it goes to restore your credit and get your money back, it can be months at a time or even longer. So be very careful, you know, how you spend your money, where you spend your money. And if you have any questions, feel free to reach out to us and we'll ask our panel of experts and see if we can get you some help.
And so that brings us to the last call, as we say. Do you have any final parting thoughts for us?
Well, I think awareness is the key, so make sure not to do anything hasty. Check the websites that you're shopping on and stay secure.
Okay, great. All right. Well, thanks so much for joining us. Oh, wait a minute. I forgot my hat. Here we go. As our final hour, do you think? There we go.
Start over.
Yeah, let's start over now. We're not starting over, but there we go. How's that, Adam?
It would cover my baldness. So I guess it would be a good thing.
Well, then it's even more useful for you. Put it that way.
Yes, sir.
All right. All right. Thanks. Always great talking to you.
Thank you for having me. It's been a great reunion.
All right. Take it easy.
