ep. 40 - John Sileo: Cyber Security, Identity Theft & Human Hacking Expert

Bio

John Sileo’s identity was stolen from his business and used to embezzle $300,000 from his clients. While the thief covered his crimes using Sileo’s identity, John and his business were held legally and financially responsible for the felonies committed. The breach destroyed John’s company and consumed two years of his life as he fought to stay out of jail.

In response, John made it his mission to help organizations and individuals protect the data that underlies their wealth. Combining real-world experience with years of study, John became an award-winning author, trusted advisor and keynote speaker on identity theft, cyber security, online privacy and digital fraud.


Transcript

Gail Davis: John Sileo specializes in the human element of cyber security, creating engagement around protecting your data. He covers a range of aspects about security, cyber, mobile, social engineering, [00:01:00] ID theft, online privacy and breach, without resorting to the techno babble or the death by PowerPoint.

Not only is he the author of four books on this topic, but he also has firsthand experience, losing his corporation and his identity. This helps him connect with and motivate anyone on this topic. Plus, his willingness to share his mistakes and lessons make him unique.

Let's welcome to the GDA podcast John Sileo.

Kyle Davis: Hey, John, [00:01:30] how are you?

John Sileo: I'm good. Thanks so much for having me.

Kyle Davis: Well, it's a real pleasure.

Gail Davis: It is. Well, John, where should we start?

I know your story is so powerful about what happened to you. Maybe that would be a great grounding for listeners to have to hear about the early experience of actually losing your identity.

John Sileo: Yeah. Well, I unfortunately learned it all the hard way. Like many of us, I didn't think identity theft or cyber [00:02:00] crime could happen to me.

It happened. In the first case, it was a garden variety. I lost my personal identity. At that point, I made a crucial decision to not do anything greater about it. I protected myself, but I didn't think about my corporation.

I had started this little software company that grew into a couple million dollar business. It was [inaudible 00:02:26]. We had ... It was still small, 15 employees. [00:02:30] I didn't build in the security that I would today and my identity was used inside of the business to embezzle from a majority of our clients.

I spent the next, gosh, two years fighting a criminal trial, losing my businesses, losing almost a half a million dollars. Pretty much everything but my family disappeared from my life.

It was [00:03:00] because I didn't pay attention. I thought somehow that my business was not going to be targeted. It culminated in hearing from my oldest daughter that ... She was only five ... That I was being an absent dad. It just stopped everything in my tracks and I decided, "Listen. There's a lot of businesses small and large out there that aren't paying attention to cyber crime and breach and they need [00:03:30] to." I try and provide that emotional aspect for them.

Kyle Davis: When reflecting on that experience, hindsight always being 20/20, what would the three takeaways be? These areas of improvement that, if you had just had your eye on the ball, would have maybe prevented this.

John Sileo: Gosh. Probably the three biggest were this arrogance that we tend to have, which is, "This won't affect my [00:04:00] business. We've got an IT department for that. We've got technology for that." That arrogance. I wish I could go back and say, "Listen, I'm just going to be humble enough to say what if?"

After that, probably the ignorance. Not knowing what parts affected my company. Not thinking about putting individual employees on the corporate network with their own devices, their iPhones and Androids and so forth. Not [00:04:30] solving very simple, known vulnerabilities that every business has and, with a matter of small dollar amounts, can solve. They don't, because they just don't know that they're there. Nobody's showed them.

And probably the biggest thing for me was just the inaction. I guarantee you people listening to this have heard that they need to have a long and strong password, whether it's personal or professional, and [00:05:00] they just haven't done it. They're still using their dog's name or their high school sweetheart or whatever.

It's those type of things that we do not act on that really come back to bite the company.

Kyle Davis: As we mentioned, I did years in tech and did all that stuff, so when I approach cyber security and protecting myself, I have a baseline understanding of what needs to get accomplished.

I use a password protection, or generating, service so that I have [00:05:30] a long personal password that I know off the top of my head. I just type it in and then it auto completes all my passwords on everything else. I also use two factor authentication or 2FA.

What are people who don't know what I'm talking about missing out on those things? What can they do to help themselves become more aware of the potential pitfalls of not being in the right head space, so to speak?

John Sileo: There's a great example, right there. You just cut [00:06:00] right from the personal, which is ... We all think about this stuff as, "How does this affect me? How do I put on my oxygen mask?"

That's what the corporation needs to realize. We think about this in terms of as individuals, as human beings.

Two factor authentication is a great question. That's just a big, hairy term for having two different ways to log in. Two passwords, of different types, to log in.

The average person out there who hasn't turned [00:06:30] that on for their banking is roughly 90% more likely to be hacked and have that account drained than the person who has two factor authentication, or a two step login process.

That's a great bridge between the personal world, "Listen, you can turn this on, on your Facebook account, your Gmail account, your bank account, your investment account" and the corporate world, which is, you know ...

If you go to Facebook or Google and you work there and you log in, or Square, which we talked about earlier, you're [00:07:00] probably putting in a second factor of authentication. You're putting in a token that's on your keyring or a text that comes to your smart phone. That's just how you log in.

That is a best practice for any organization. That literally could save hundreds of thousands, or millions, of dollars, just implementing that single piece of advice.

Kyle Davis: It's interesting because I look at it and to me, it's ten seconds of pain [00:07:30] to open up my Google Vault and go, "Okay, here's the password that I have for the next 30 seconds." Then my long password that I use. I use 1Password for all of my password storage stuff.

John Sileo: Yeah, so do I.

Kyle Davis: I use Gmail because it's the best. It's convenient. I have it on everything. I just don't understand people who use the base ... I have a MacBook. If you use the mailbox in here and people just steal your computer, it's not connected online, they can read all your emails. It's not connected.

[00:08:00] There are so many different things. If you just stuck with the cloud based service and two factor and doing the right things, you'd protect yourself from so many of these frivolous little guys.

John Sileo: No question. Really, Kyle, it comes down to turning it on. I can't tell you how many of these things that we could talk about, whether it's two factor authentication, password protection, password managers, a firewall that's already in your home system or in your corporation, [00:08:30] remote tracking on your smart phone, in case you lose it, remote wiping.

Turning it on is one of the primary things that people ... They either don't know it's there or they just don't do it.

Gail Davis: You mentioned earlier, when you were talking about ignorance, something about not putting employees on the network with their own devices. Can you explain that?

John Sileo: Yeah. The average company thinks, "Okay, we've got this wifi network and [00:09:00] we want employees to have access to it. Maybe we don't want to buy all of the devices for them, so we're going to allow them to get free wifi", to log in just like you would at a café, or maybe in your offices, but they let everybody log in with their own devices.

Every time there's a device that isn't controlled or watched over on that network, it is open for loading malware down off of the internet [00:09:30] and onto all of the other devices. It's kind of a portal, or a doorway, into your network.

You have to think about this. Do I want to let my assistant onto this network with her smartphone so she can go on to Facebook, when the chances are very high she's going to click on something that downloads malware, maybe across the entire network?

Gail Davis: Got it.

Kyle Davis: And the easier way to solve that is to have two networks. A guest network and a ...

John Sileo: Totally. So simple. Right there, you split [00:10:00] the mission critical data, or the top secret, confidential type data, from the surfing habits, from Facebook, from shopping, Amazon, those type of things. You've gotten rid of the problem.

Kyle Davis: I know one of the things that was really impressed upon us, it doesn't matter what tech company that I worked at, was always being cognizant and aware of the websites that you're going to, because at the end of the day, it is a company computer.

Everybody's watching. You're not actually ... [00:10:30] You would die if you bought off of Amazon on a work computer. You would have to do it on your personal stuff. That way, you don't even invite those in.

Could you talk about some of the things that companies don't do when it comes to enforcing, or even putting out the word of these are the do's and the don'ts?

John Sileo: Yeah. I'll tell you that the primary thing that they do do is they make a policy. I'm talking now about a little bit larger corporation. They make a policy, but they do nothing to educate [00:11:00] people on why it matters to them, on this ownership level of things. That "listen, my job depends on it."

A good example is the Yahoo hack, the Democratic National Committee hack. Yahoo was roughly 1.5 billion consumer records. The DNC potentially changed the course of our election.

Those were all because of end users, you and I, not being properly trained on what [00:11:30] the policy was. Do I click on this? Do I not? If I'm suspicious, what do I do? What if the software says, "Hey, there's a red flag here"?

It's not actually that the technology and the policy doesn't exist. It's that the user education has been so bad and frankly, so god darn boring, that nobody remembers it.

That's the big distinction: you'd better make this stuff memorable, because you're competing against 140 characters and short videos and a lot of things that take away attention. [00:12:00] You've got to get these basic reflexes through, in a really short, entertaining bit.

Kyle Davis: Let's talk about the DNC hack and how that went down.

I understand that there's, depending on the cyber company that you're talking to, there was a very technical way of going about it. Then there was some really rudimentary ways of hacking. I'll use the broad term of social engineering, but you'll hear terms like phishing and spear phishing.

Can you talk about these things that affect people [00:12:30] with regards to the social engineering space?

John Sileo: You bet. You do have to build on them like a pyramid, like you just did.

You've got to know social engineering first. That's just a term for manipulation. It's using our human behaviors against us. They know how we're going to react, so they socially engineer, they change the situation, so that we give the information necessary.

First of all, you've got to know how to detect it. [00:13:00] What are the red flags? What tips me off that says, "Hang on, this could be fraud"? What do you do immediately when you detect it? There are very specific ways that you have to treat your brain chemistry. You have to slow the interaction down. You have to ask the right questions.

Then you can move on to the actual case, so, like you said, phishing. Well, phishing is just one of those emails that you get, or now you can get texts or phone calls, that tell you, "Click on this link and you'll get something free, or [00:13:30] you'll get to see a high school classmate that you haven't seen in a long time," whatever the scam is.

All they want you to do is one of two things. Download malware, which is the bad stuff, or upload your login credentials, which is your user name and password for the company, the bank, whatever they're trying to get into.

That phishing has gone to a different level, which is spear phishing, because they can now go onto your Facebook profile and see, [00:14:00] "Well, I see that Kyle vacationed here and that he works here and this is the time that he went out to this restaurant."

Now they've got a level of trust. Sending you an email that you act on gets really easy with that level of trust.

You've got to build that up from that manipulation and social engineering reaction before you can teach somebody how to detect phishing and certainly how to detect spear phishing.

Kyle Davis: When you look at a larger corporation, maybe a medium size, [00:14:30] a couple hundred people or larger, do you start having outside companies, such as yours, and other people, that go in and maybe even red team? I know that's a term to say, "Try to break in, whether it's through social engineering, physical break or a technical hack."

And from there, then build the protocols from which you teach?

John Sileo: Yeah. In my case, we don't do the consulting side. I keynote and that's it. [00:15:00] I work really hard to stay independent of making money off of all of the assessment side and the software side, which is a huge industry.

Some of what I have to say is, "Hey, you don't need all of that." Some of it is, "You need this and that, but keep your money when it comes to that."

But, yes, the basic process, when you would go into a company, if I were advising a company, would be, you've got to do that external security audit. You've got to have somebody from the outside, not [00:15:30] your employee, who has every incentive to make it look like things are just fine and buttoned up.

You have somebody come in and do a penetration test of, "Listen, you've got these weaknesses. You've got three out of ten weaknesses. Let's solve those. We don't have to boil the ocean. We don't have to solve everything, but we want to take a look at these three areas first, because on a heat map, they're your hottest areas. They're the ones you've got to act on first."

Kyle Davis: I know I'm driving this conversation, largely because I have [00:16:00] an understanding of this, but when people or a company are first hearing about having a red team come in and pen test, or penetration test, all of their security parameters, what's the resistance from it at the beginning? What are the value adds in the long term? They seem obvious, but ...

John Sileo: Okay. You've kind of uncovered the reason that I'm often at a conference prior to the red [00:16:30] team coming in. The business owners need to know, at an executive level, why they would want that, what it entails, what questions they should ask.

If you're going into an average corporation and saying, "Hey, you've got to send in these ethical, white hat hackers", which you're calling a red team. You say that to them, they'll ignore you, because they don't know why. They haven't gotten the why of security.

When I'm up there on stage, [00:17:00] or on TV, or whatever, I'm trying to move them to a level of awareness that says, "Oh, I get why we're going to spend 5% of our capital expenditures on security. I get why we're going to do a red team. I get why this stuff is so critical to our infrastructure."

If you don't walk through in that order, if you don't buy in first, it doesn't matter what you tell them. They just don't listen.

Kyle Davis: Then [00:17:30] when you look at small companies that are just ... They look at the cost, whether it be an actual capital cost or a time cost, switching from something like Outlook over to G Suite ...

From a security standpoint, it's obvious to me why I would do it, but the capital and resources, not just in money, but in time, and everything else, in training, seems so large.

Why would it be important [00:18:00] for that?

John Sileo: One of the early things that you have to do is have somebody help you with, "What is the budget for this?"

For those smaller businesses, my recommendation is 20% of their IT budget should go towards securing it. If you're going to buy the car, make sure you spend the money on the seat belts and the air bags.

Really, for smaller businesses, this is considerably harder. I'm telling you, there's probably ... Let's just take a [00:18:30] business of 20 people. You could probably, for $3,000, have a security assessment and a majority of the remediation, the fixes, excuse me, done for that company. The second year that you do it, you're probably spending half that, or a third of that.

Is it an investment? Yes, but think of my company. I had a two million dollar software company that, [00:19:00] quite literally, a $600 piece of equipment, or piece of consulting, would have completely solved.

I lost upwards of a half a million dollars on something that I could have protected with 600. It's like insurance, only in many ways, it's a better ROI than insurance.

I understand the hesitancy, when we have so much, as entrepreneurs and smaller businesses, [00:19:30] not to think about this, but I'm telling you, I see the wreckage that comes after it happens. When it's too late. When you're spending roughly $200 a record.

If you have a thousand records, you're spending 200 times that just to begin the recovery. I'm telling you, the ten grand, or fifteen grand, that you might have spent securing yourself, is nothing compared to that.

Kyle Davis: When people are thinking about that ... They have [00:20:00] a company that's been in business however long. They have all these records of what I like to call PII, or personal identifying information. How important is it to protect their clients' PII at the end of the day?

John Sileo: Unless you want to end up on the front page of the newspaper as a data breach, which I get a list of every day, businesses small and large ... If you don't want it to destroy your reputation, like it did in my business [00:20:30] ... It almost doesn't matter if it's five records or 500,000, when you're in the news, the damage is so significant, the numbers are exponential.

Kyle Davis: When you look at companies, let's say, like Target, that ... Their hack happened at the point of sale. There's a lot of things that happened that maybe really wasn't their fault, but at the end of the day, the onus was on them. It ruins the brand for a period of time.

Luckily, Target's a big [00:21:00] enough company where they can survive something like that, but a little guy, like you're mentioning, it's really hard to weather that kind of storm.

John Sileo: Yeah, it is. I think the statistic, and this is probably two years old, is that 60% of companies that have the major breach, small companies, so under 100 people, are out of business within 18 months, due to the breach.

You're right. Target can absorb it. Yahoo ... Well, think of Yahoo. That's a great example. [00:21:30] Guess how much the breach cost them in their sale to Verizon. It cost them 500 million dollars.

Because of the breach, Verizon brought their bid down for that company by the 500 million dollars. That was, in that case, [inaudible 00:21:47] several hundred dollar solution that could have stopped that.

Kyle Davis: Yeah. To me, I'm all about redundancy in security. I'd rather go into something over prepared [00:22:00] and be ready for something. At the same point in time, I want to be agile. I think that's the unique environment. You have people who are used to being agile, but they don't think about the security, or they have people that overthink the security and they're not agile. It's finding that happy medium.

John Sileo: It is. In some cases, you already made the point that, with cloud services that have higher level of protections, if you implement them correctly, you can actually be more agile.

Dropbox is a good example. Remote [00:22:30] email is a good example. You can be more agile and safer, but you have to think about it and you have to act on it.

Gail Davis: You know, we've talked a lot about security for small, medium, large businesses. Let's shift a little bit to personal. I know you've had an experience with your own personal identity being stolen. What are some takeaways that individuals, my mom, your sister, that individuals need to think of?

John Sileo: A simple one that [00:23:00] I often do in my presentations is hacking a smart phone. That is a super power micro computer that happens to fit in your pocket and make calls.

If you have no passcode at all, you're at huge risk. If you have a four digit passcode, I can hack it. In most cases, I'll be able to hack a four digit passcode live, there, with you standing there. Those passcodes are super important.

Good example. [00:23:30] If you have no passcode on your phone and, let's say, you leave it for 30 seconds at Starbucks while you go get another coffee or in your car and it gets taken, a smart thief, a cyber thief knows that they can do a down swipe on the phone, no passcode.

They type in the word "bank" into the search toolbar. It brings up every email, every app, every website you've ever visited that has to do with banking. They know where you bank now. They surfed it out, right [00:24:00] on the phone. They clicked the "forgot my password" button. It sends a new password, of course, to that little computer that we call a phone. They reset it. They hand it back in at Starbucks. They walk out the door, empty your bank account.

Our white hat hackers that we utilize can do that in about a minute and a half. All because you don't have four digits, or preferably six digits, on that phone. Super simple, but you gotta turn it on. You can't use that thing while driving anyway, so turn on the passcodes.

[00:24:30] That's a good example of something that's really powerful and really easy. 60% of Americans just don't turn it on.

Gail Davis: I just grabbed my phone. So, it stops the functionality of being able to do a quick swipe.

John Sileo: Yeah, it stops the functionality of doing anything on that phone. You can't search it. I can't surf as you, I can't call as you.

Think about it. If I got your phone, Gail Davis, with your contacts in it, [00:25:00] and you don't have a password on it, think about the damage I could do with your customers, your family, getting into your emails, banking, doing password resets. It's endless.

Kyle Davis: One of the things that I personally do, on all of my banking apps and my credit card apps, is, I've switched everything, because I have an iPhone, I've switched everything to touch ID.

While I have the touch ID on my phone and that's my primary way of logging in, unless for some reason, my fingers are wet or whatever, to get into my banking app, [00:25:30] you have to use touch ID, regardless. It won't allow you to get in there.

One of the things that I've implemented and ... The one thing that I do like about the Outlook app for the iPhone is that you can use touch ID. When someone gets into my phone, you better have my thumbs with me, or you're not going to be able to get into it.

John Sileo: Always keep your thumbs.

People ask about biometrics a ton. Obviously, your thumbprint is a password that you leave every time you pick up a [00:26:00] glass or a phone or whatever. Apple has done it in such a way that that particular key, that password, never leaves that phone.

It's a really smart, safe way to do it. You got at the key point there, Kyle, which is, it's so convenient that you use it. And, man, when we can get security to be convenient and not painless and easier than what you used to know, then its functionality goes way up. That's exactly what using the thumbprint to [00:26:30] get into your bank account or Amazon or your mail has done.

Kyle Davis: I'm saying this as I also have the new MacBook Pro that also has the new touch ID bar and that, too, has my touch ID. If you want to log in to my computer, good luck, you need my finger. Whatever.

I mention all this and ... My mom was flipping with her phone and I was flipping on my phone. I'm more security conscious than probably most people when it comes to my technical security, but [00:27:00] I've changed it so that you can't pull down the drop down. You can't see anything. All you get is the notification and the notification doesn't even say anything. It just says, "You have an email" or "You have a text message."

John Sileo: Kyle, you are a perfect example of what most of the rest of the world is not like.

Gail Davis: I know, I'm like, we have to wrap this up and he has to fix my phone.

John Sileo: Yep, you're an outlier who has done the things you need to do. The problem here is you are one out [00:27:30] of hundreds, or thousands, that have taken those steps. That's why you're safer and that's why you probably won't get hacked.

Kyle Davis: Probably, but the odds are I might. I will say, and I want to give credit where credit is due.

I worked for Square, mentioned this hundreds of times on this podcast. It was part of the training that we had there. With being a credit card processing company, it being a tech company, the amount of training that we got on security and security related issues [00:28:00] was immense, intense, but at the same point in time, very easy to digest.

It took somebody who, like myself, is non-technical ... It was very easy for me to understand it, it was very easy for the technical Ruby on Rails coders to all get, and everybody in between.

John Sileo: So important. You gotta bring it down to the level of all of us, not just the most technical of us. That's a key differentiator for a company [00:28:30] that figures out, "Listen, it's not just security awareness training, it's about us as individuals, as people. Make it engaging for us."

Gail Davis: We've talked a lot about technology. I don't know if you're still doing this, John, but I remember you used to do something with an audience member and their handbag during your presentation. I can't remember exactly what it was.

John Sileo: In many different ways throughout my presentations, I will socially engineer, because that's the primary [00:29:00] base of the pyramid. I will take information away from them. Sometimes it's a purse. Sometimes I hack a smart phone. Sometimes it's a laptop.

What I'm doing is actually showing them that despite basic trainings, they're still vulnerable. I might go out and get the same person's, in the case you saw, handbag two, three, four times and while doing that, might hack something out of their phone, might take other information.

[00:29:30] It's all in fun. We're doing it with a lot of laughter, but the point is pretty seriously taken, which is, you've got to be aggressive about this stuff. You really do need a reflex and a response that is automatic. You can't think or they're going to already have your data.

What that's part of is, "Hey, let's laugh in the presentation but let's also start to build this ... " It's called the hogwash reflex, where you think, "Listen, this person's full of bull. I need to not [00:30:00] give them my data."

It's pretty powerful, in a cultural sense, within an organization.

Kyle Davis: One of the funny things that you're actually reminding me of right now, and this is a funny Square story, but ... We were told in our training that, you know ... Set up the hot keys on your computer so that the moment you step away from your desk, it immediately goes to sleep, yet it requires a password just immediately.

It's a MacBook thing, but you basically throw the cursor in the corner and it puts it to sleep. When you come back, you have to put a password in.

[00:30:30] If you didn't do that, we would do something called "pony-ing", where we would get the Ginuwine song "Ride It, My Pony" from "Magic Mike" fame and then we would send an email to everybody in the company.

First time, joke's on you. Second time, we need to talk.

That was the funny thing that we did there, but it kept people on their toes, because we were dealing with people's sensitive information.

John Sileo: Yeah, and that cultural aspect of it, which [00:31:00] is, when you're self policing and when people care enough to do that and do it in a way that they will never, ever forget, then it's self generating.

It's not about reading some boring policy guide. It's about, "Listen, if I walk away from this computer and haven't put the password protection screen saver on, I'm going to pay for it in an embarrassing way."

That's just ... Man, when we see that inside of a company, it's [00:31:30] just joy to our hearts because it just builds on itself.

Kyle Davis: I agree.

Go ahead.

Gail Davis: Oh, I was just going to say, shifting topics, back to the personal. I know earlier you mentioned your daughter. I'm sure there's a lot of people out there that have children that are involved with social media and computers.

What tips do you have for protecting children's identity? I think that's something that I'm sure a lot of parents worry about.

John Sileo: You know, I wish that I weren't going to say the most [00:32:00] basic things that many people have heard, but, unfortunately, they've never had the conversation with their kids or looked at it, but number one is, you have to discuss what's happening out there to kids who put out too much.

My recommendation is when your child is first going on social media, and that's hard if they're already there, that you actually walk through the privacy and the security settings with them. You talk about the scenarios. You have to do a little bit of reading.

[00:32:30] There's a great organization, I think it's called Common Sense Media, based in the Palo Alto area, that goes through how you have these conversations, what you talk about.

It's really not about putting down hard and fast rules with your kids. We've never seen that work.

It's more about, "Hey, let's have a conversation. What are you sharing? Why would you put up your real birthdate? Why would you put up a real location? Here's what can happen."

Just educating [00:33:00] kids, small pieces at a time, of building their profile, what they share, what they don't share, and who can see it.

Kyle Davis: Something that I learned ... You mentioned sharing locations. This is something that I learned from my mildly famous friends that I have out in New York City.

They don't even post their location, or the check in status that you'd see on Facebook or Twitter or anything else, they don't do that until they've long left the place. It's just something simple.

John Sileo: Super tip. It's the same thing for vacation. Why would you post [00:33:30] your vacation pictures from your vacation when it lets everybody know that you're out of town and a perfect time to rob your house?

Kyle Davis: It's why I don't have a vacation email response.

John Sileo: Yeah, that's right. There are so many little tips like that. Those little 30 second bits ... We try and give people, whether it's through our videos or newsletters or whatever ...

What a lot of corporations try and do is pack it all in at once. Yet, you [00:34:00] just gave a tip on this show that, "Oh, you mean, no autoresponder because people know I'm traveling" or "People know I'm out of my house".

Okay, that took you 10 seconds to deliver and is incredibly valuable. It doesn't have to take long, but you gotta break it down into the bite sized bits.

Kyle Davis: I can't tell you how many out of office replies I would get when I was doing software sales. Some of the stuff that we were doing, with the later tech companies, is we were using mail merge software where I could send out 500 emails at a time. [00:34:30] I'm getting CEOs, CMOs, telling me that they're on vacation, where they're at and when they'll be back.

If I was an enterprising criminal, I could use that information to do some pretty damaging stuff.

John Sileo: You could. In fact, one of the big things that's going on that I'm talking about constantly now to corporations is the whole business email compromise, or otherwise known as whaling, corporate account takeover, all kinds of names.

It's essentially where they know the CEO is out. They get [00:35:00] in touch with or take over the CEO's account or CFO's email account. They email the assistant, have them wire transfer funds. It all looks totally legitimate.

They know that the CEO's traveling in China, or whatever, so they can use language that creates trust. Actually, a fellow Palo Alto company ... I think that's where Square is, it's out in Silicon Valley, isn't it?

Kyle Davis: San Francisco.

John Sileo: San Francisco.

Kyle Davis: 1455 Market Street. Boom.

John Sileo: Boom. [00:35:30] Right there. You should get a little bonus for that.

Kyle Davis: My stock's doing pretty good, so don't worry about it.

John Sileo: Well, one of your neighbors just wire transferred 47 million dollars in one of those scams.

Kyle Davis: Oh, who would that be? Can we say?

John Sileo: It's gone forever.

Kyle Davis: It's gone.

Gail Davis: Wow.

Kyle Davis: It was interesting. When you live out there, you know ... My mom can attest to [00:36:00] this. When you go to a bar in San Francisco, because it is the tech space ... There's basically five groups of people. I'm generalizing, but you have the locals, the hipsters, the tech crowd, finance and then tourists. That's just generally speaking, for San Francisco.

One of the funny things that happens ... When you go to a bar in San Francisco and you meet somebody and you're having a great time, within the first five [00:36:30] minutes, somebody says, "So what do you do?"

If you say something like, "I work in tech," the second question is, "What company?" and if you're a competitor, you stop talking. It's boom, like, "Hey, I'd love to talk to you, but I can't talk to you."

That's programmed into everybody.

John Sileo: Yeah, it is. That's one of the basic espionage techniques. For example, you just asked me a question that I had to do a little research on while you were talking there, which is, is this a public thing? Am I outing [00:37:00] a company that I know about behind the scenes or not?

No, there's plenty of articles on it. The company that you asked about, where I avoided the question, is called Ubiquiti. That momentary pause of, okay, you find out, am I talking to a competitor? Am I talking to somebody who has an interest in my information?

That reflex is exactly what you have to build in.

Gail Davis: I like that.

Kyle Davis: Yeah, and it's quick, too. It's [00:37:30] the quick and dirty ... Is this somebody ... Even in working in the tech space, if you find out somebody ... If they're related to tech, let's say it's a VC investor or anything else, it's shh, pack it up and shut up. Move on. Keep quiet. That conversation never happened.

John Sileo: Yeah.

Gail Davis: I want to talk about security and online shopping. Online shopping is something I sort of avoided in the beginning, but then I got into how convenient [00:38:00] it is. It feels like, at first I was hesitant, I'm going to type in this credit card number and this expiration date, and now I find myself doing it all the time. I don't even have a clue of how many different places I've typed that information in.

Are there tips there? Are there things to avoid? Is that just the way the world works?

John Sileo: First, let me say that I'm a huge fan of online shopping. I think it's convenient. I think it saves me gas. I think I get better prices that way. There's just a few [00:38:30] things that you need to do. Something that we should talk about offline is, I've got a little three tip video series on just this that I'm happy to share with your podcast guests if you'd like to.

Some of the basics are this. You've got a strong user name and password, preferably not your email as your user name, and a 15 to 20 character alphanumeric password to log in to the account. You're using a credit card, not a debit [00:39:00] card, because you've got all kinds of protections on that credit card. I don't even mind if you store that.

Let's say you're shopping at Amazon. You know it's a reputable site. That's really important, that you're shopping on reputable sites that you've heard of. Storing that information in there ... That credit card company gives you all kinds of liability coverage and they will change out that card if it's tampered with, but you gotta monitor your accounts.

Gail Davis: Sure.

John Sileo: You gotta take a look. I do that with account alerts. I don't count on myself looking [00:39:30] at a statement once a month. I get an alert the second that I spend on my credit card because I've set it up that way. I get it on my phone. I go in, I get a Starbucks, I get a text within 30 seconds that says, "Hey, you just spent 15 bucks on a latte" and boom, you're done. If it wasn't you, you shut it down.

Kyle Davis: Yeah, one of the things ... Go ahead, go ahead.

John Sileo: I was just going to say, using the technology to your advantage is great. You're not going to get around not shopping online. [00:40:00] You just have to use it wisely. Set up the two factor authentication. Set up password protection. You're going to be good.

Kyle Davis: Yeah, one of the things that I immediately did with my iPhone and I will ... I'm an iPhone snob, so I'll stick with it, because I know what I know. One of the things that I have it set up is, every single one of my credit cards, the moment that it's swiped, or it's rung up, I get immediate notification, I get an email notification, I get ... It's redundant, but it's like three or four different notifications all hit me at the same time. I'm like, okay. I know what this three dollar charge [00:40:30] was.

Gail Davis: You're not buying the $15 lattes like John.

Kyle Davis: No, no.

Gail Davis: You'll make it big one day.

Kyle Davis: One day, one day, the $15 lattes.

Even just having something like you mentioned, having a long password, whether it be 15 to 20 characters, people don't think about, like, "Oh my gosh, that's so long". Getting a solution like 1Password or any of the other password managing software solutions, it can allow you to do some really interesting things.

My personal password is a sentence from a book that I picked at random. I'm a history major, so [00:41:00] good luck figuring out that book. I type it in every single day. It's literally a long sentence. That's my password. It generates these tokens.

I guess, actually, you know what? How about you explain how these password management software works and why it can simplify your life.

John Sileo: These are great. 1Password, LastPass, Dashlane, those are some of the big names. All it is, is you're putting all of your passwords behind a single super long, super [00:41:30] hard to crack password. You would think, "Well, god, that's not safe, because somebody's going to get in and have access then to all of my passwords."

The problem is, the average person either makes their password the same for every site, or slightly different, they do a variation, or they store it in an Excel spreadsheet or the contacts on their phone, so they're doing something that's patently unsafe anyway.

When you put it behind a long and strong password, like your historical book [00:42:00] that you quoted out of, you make it exceptionally difficult for anybody other than like the Chinese government and our lovely NSA to hack into that thing.

That added level of encryption, that's called, that's just coding the stuff behind a password, that is really a great, very convenient thing.

The upside is, you go on a website, you don't have to type your password in if you've got your fingerprints set up. You just push [00:42:30] a button and you're in. Or, if not, you type in a single password that you have to remember that you do change regularly. You're into those accounts and not having to worry about remembering hundreds of different long and strong alphanumeric passwords.

Kyle Davis: I'm on a website right now, looking at the 25 most common passwords.

* Number one, 123456.
* Number two, 123456789.
* Number three, qwerty.
* Number four, 12345678.
* Five, 111111.

John Sileo: [00:43:00] Something like 90% of Americans use one of 10,000 passwords. When you take that list from 1 to 10,000 and it takes a computer roughly a second to guess a billion passwords.

That's why ... In a minute, I don't have the math in front of me, but the minute you go to like a 15 character, it takes so many years that there's just not a way for it to [00:43:30] be brute force attacked like that. They might get it out of you by asking, by social engineering you, but they're not going to crack it.

Kyle Davis: That's the whole gist of it, is if people just took the extra step to lock the door. Think about hotels. Hotels, for instance, you have two locks. You have the deadbolt on there and then you have whatever that little slider lock is that's at the top that you put the key chain in.

If you use both of those, you're far more protected than just relying on the auto [00:44:00] lock that happens when you dip your card in.

John Sileo: Absolutely. Turning on that second layer, whether it's a laptop where, okay, you've got a password, but guess what? You don't leave it in the hotel room or if you do, you put it in the safe and you call housekeeping and you say, "I'm going to be in my room all day," and you put the privacy sign on the door.

Boom. You've just layered from nothing, up to two layers, three layers, four layers. When you move from that first layer to the second layer, your risk goes down to about less than a percent.

Gail Davis: [00:44:30] I'm just sitting here thinking of how many times I've left my computer plugged in in a hotel room. Bad move, right?

John Sileo: Yeah, unfortunately, particularly because of undocumented workers who are looking for new identities and because that's where a majority of corporate espionage happens, is at conferences, leaving that computer there is wide open.

Probably at every conference I go to and speak at during the year, when I talk [00:45:00] to their onsite security, there is a laptop or device theft every day inside of there. Generally, it's inside of the conferences, as opposed to the rooms, but inside the rooms as well.

Kyle Davis: This happens, by the way, not just to regular companies. Just a couple weeks ago, the Secret Service out in New York City, one of the Secret Service members left their laptop in their car and it was a moment of opportunity, or crime of opportunity, and someone broke in and stole the laptop.

Now you have an encrypted [00:45:30] laptop that has all the secrets of the president's movements for some time to come and somebody has it. Then, the Secret Service has to change everything about it. Also, the pins that they wear, on their lapel pins, were stolen as well, too.

John Sileo: Or, if they're ... Now this is at the corporate side. If they had mobile device management software on it, which gosh, I hope they did, they can wipe that computer. They can know if anybody has logged in, turned it on. Generally, they can know where it is if the wifi is on.

There are other answers to get [00:46:00] that thing cleaned off, but again, you have to set it up by default. It doesn't just exist and is there when it's already stolen.

Kyle Davis: I could give people a lesson, but I don't want to. I'm going to leave John to give people lessons.

That being said, I know that we mentioned that you have a couple of books. I mean, you have four. Could you briefly talk about those and then we'll wrap this bad boy up?

John Sileo: You bet. Probably the most applicable one for what we've been talking [00:46:30] about today is called "Privacy Means Profit". It's a John Wiley & Sons book. It goes through ... What it does is, it bridges the personal and the professional.

It will talk about your mobile phone as an individual and then it will talk about, "Hey, here's the corporate solutions", like we just did with mobile device management. It's good for all readers at all levels.

That's probably the most important one for this group.

Kyle Davis: Very well, then. We'll make sure that we have a link [00:47:00] to that and also the other books that you have available on ...

Gail Davis: And maybe the videos he mentioned.

Kyle Davis: Yes and we'll be sure to email and we'll get the links to videos. We'll take care of everything here.

Okay, cool. Well, look, if you guys want to book John Sileo for your next event, you can do so by contacting GDA Speakers at 214-420-1999 or by visiting gdaspeakers.com.

If you'd like to read the transcript for today's podcast, you can do so by going to gdapodcast.com where we will have those three tips and videos for online shopping [00:47:30] and also links to the books like "Privacy Means Profit" and everything else.

That being said, thanks, John.

Gail Davis: Thank you, John, it was great talking to you.

John Sileo: Really nice to talk to you and I hope we do it again.

Gail Davis: Thanks.

Kyle Davis: Look forward to it.

Creative Commons License
ep. 40 - John Sileo: Cyber Security, Identity Theft & Human Hacking Expert by GDA Podcast is licensed under a Creative Commons Attribution 4.0 International License.
