- Hello everyone
and thank you for joining us.
Tonight we're gonna learn that increased
reliance on the internet exposes us to threats
such as identity theft
and malware outbreaks
along with software and business attacks
which ultimately affect us all.
Tonight's speaker is William Ebersole
known by everyone as Billy.
I've known Billy for 15 years
and he has been a friend
to the Pennsylvania College of Technology
and has provided support
and guidance for our students.
Billy has been a special agent
along with the Federal Bureau of Investigation
for over 21 years.
He served in the Newark
and Philadelphia field offices
and has completed multiple overseas assignments.
Billy is a member of the Child Exploitation Task Force
for north central Pennsylvania.
He is also our local InfraGard coordinator
which is an FBI alliance
with academia
and private industry
designed to promote cybersecurity awareness.
Billy is a licensed attorney and CPA,
a certified fraud examiner,
and is now teaching at Penn College
as an adjunct instructor
in the accounting department.
Billy frequently presents on behalf
of the FBI on topics such as
active shooter, weapons of mass destruction,
and cybersecurity.
Tonight's presentation will raise awareness
of the need to maintain sound cybersecurity
practices at home
and at work.
Let's welcome Billy.
(applause)
- Good evening everyone
and thank you.
Tonight we're gonna talk about cybersecurity.
And it's an important topic to me
for a variety of reasons.
Not just because of my position with the FBI
but also because I had my records
breached a couple years ago
through a hack on the office
of personnel management.
Now, before we get into the presentation proper,
I'm required because of my position to make
a couple disclaimers.
One of which is tonight we're gonna talk
about my opinions,
not the FBI's opinions
or the US government.
And number two,
tonight we're gonna talk about
a couple different hacks
from different countries.
And by no means do we mean to imply
that one particular country, ethnic group,
or religious group is responsible
solely for criminal activity.
It's something that affects us all
to include everyone here in the United States.
Now, we're gonna talk about why cybersecurity
is important.
We're gonna talk about the areas that we're vulnerable
and then we're gonna talk about
what we can do to protect ourselves.
And as we'll see,
it doesn't have to be a technical resolution.
In fact, I'm not a technical person.
We'll have a discussion about some behavior
modifications called cyber hygiene
and that'll help us be safe
in a computing environment.
Now, as I said a couple minutes ago,
my records were hacked.
It was personally identifiable information
that was compromised, PII.
And Professor Bock had talked about that
in her Colloquia
and how it's important.
When we talk about PII
we talk about our name,
our date of birth,
our social security number,
and other unique identifiers.
And we use this information
to file our taxes,
we use it to get loans,
we use it sometimes for healthcare treatment,
and we use it for travel.
And when that information gets compromised,
it could potentially affect us
in all of those arenas.
So, after my records were hacked,
I thought well let me embark
on some kind of journey
to figure out what I can do
to protect my records
and ultimately what I can do
to help protect the community
in my position with the Bureau.
Now, those of you who are in the 50 something
generation should remember that iconic
early 1980s movie called War Games.
And who could forget that digitized voice
that came across the screen
and said shall we play a game?
Now, that's Hollywood's depiction
from many years ago
of a hacker.
And within that depiction we have
a high school student who inadvertently
triggers some events that might lead
to global thermonuclear war
between the US and Russia.
And he did it with only a few keystrokes.
And that's the representation of Hollywood
which is not accurate.
As I began my journey,
I found a very good book
called Cybersecurity
and Cyberwar:
What Everyone Needs to Know
and it's by P.W. Singer
and Alan Friedman.
And that's gonna bring up some very important
points in our discussion tonight.
The most salient point that Singer
and Friedman brought up for me
was that safe computing is more about
a behavioral change than implementation
of new and sophisticated technology.
So, before we get into the presentation,
we have to kind of define a couple of items
that we think are important.
And the first one is the internet of things.
And that is the term that applies to the billions
of consumer devices that are hooked up to the internet.
For example, a security camera in your home
is hooked up to your smartphone.
Or perhaps your refrigerator has
a camera inside it
and while you're shopping you can check
on your smartphone to see what kind
of groceries you need
and what kind of groceries you
don't have in your refrigerator.
These consumer devices are built
with efficiency in mind.
They're not built with safety
and security in mind.
The more devices that we have hooked
up to the internet,
the more cybersecurity incidents we're gonna have.
When you connect to the internet
we refer to that as an attack surface.
And everywhere that you have an attack surface
is somewhere a hacker can penetrate.
And so, we want to talk about minimizing
our attack surfaces out there.
Now, the internet of things has done
an awful lot of good
and I don't mean to cast aspersions on it.
It's done a tremendous amount of good
in the area of medical technology
and it helps our physicians
and other medical professionals
take care of us from a distance.
But there's been a lot of phobia
in that area
and that phobia hit a high point
back in 2007 when then vice president
Dick Cheney had the wifi on his pacemaker
turned off because he was afraid
a hacker could get in
and alter the pacing of his pacemaker
and potentially get patient information.
Now, thankfully the Food and Drug Administration,
the medical profession,
and private industry
has done a lot to help minimize that type
of risk in the medical area.
But there's another area with
the internet of things that I want to talk about.
And I think it's important to us
in the Marcellus Shale region.
And that is a SCADA system,
supervisory control and data acquisition system.
These are computers that form part
of what we call a cyber physical system.
And by that I mean,
you have a computer that controls
a physical process.
So, you will see SCADA systems
on nuclear plants,
on dams,
on the electric grid,
and even on pipelines.
Now, with regard to a SCADA system,
they're particularly vulnerable.
One of the reasons is,
many folks who implement them
in private industry don't change
the default passwords
that they get from the manufacturer.
That vulnerability is so notorious
that in January of 2016,
a team of Russian scientists published
the top 100 passwords for SCADA systems
on the internet in the hopes
of getting the manufacturers
and other members of private industry
to change those passwords.
Another reason these are more vulnerable
is because more often now
they're hooked up to the internet of things.
So that the remote pipelines can
transmit data to a host system
perhaps say down in Houston Texas.
And finally,
many of these systems are designed
to last for a long time.
And what happens when you have a particular
system for a long time?
You have to replace various component parts.
And unfortunately,
the component parts aren't always compatible.
They're not always from the same manufacturer.
So, what happens is,
the inability to do a blanket
or comprehensive patch or update
to the security of any particular system.
And we'll talk about pipelines a little
bit more in the presentation.
Now, I want to talk about the internet.
And frequently you will see the internet
depicted as an iceberg.
On the top, on the surface,
is what we call the surface web.
That's where we go.
We use Google and other types of search engines.
So, if we wanted to look up Penn College,
we can do a Google search for Penn College
and that web page is indexed
so that Google could pick it up.
Underneath the surface web,
it's estimated that the internet
is about 500 times as big.
Part of that is the deep web.
And there's not anything necessarily bad
about the deep web.
It's just set apart,
it's a little bit different to get to,
you use a different type of search engine.
And it's where academics
or private industry
or maybe even the government
store voluminous amounts of records.
A subset of the deep web
is called the dark web.
And for government agents,
that's where we have a concern.
It's estimated that about 80% of the traffic
going to the dark web
is comprised of pedophiles.
And that has our attention.
Now, the deep web
and the dark web are a little bit different.
You get to them in a different area.
But for tonight's discussion,
we'll consider it somewhat of a subset
of the deep web.
Now, we have Bitcoin
and there's been a lot about Bitcoin in the news.
It's a type of cyber or cryptocurrency.
And I wanted to explain that term
for a minute.
This may seem foreign
but Bitcoin and other cyber currencies are digital.
They don't have tangible form like a $5 bill
or a quarter.
It might seem odd to us
but we've been using that form of currency
for a long time.
If you go to a hotel
and you stay a couple nights,
you get hotel points.
And perhaps after a year or two
you might build enough nights
to get a free night's stay
at whatever chain you choose.
Those hotel points have some type of value
from an economic perspective
but they're not necessarily something
you would trade each
and every day in normal locations.
With regard to Bitcoins,
they're entirely digital.
And it's part of a process.
They're created through a mining process
in a volunteer network of computers
and they're being used more and more
somewhat here in the United States.
But by design,
they're made to be secret.
It's very difficult to detect
the origin and transactions
in Bitcoins 'cause they don't go through banks
like a normal financial transaction would.
And there's a reason why our folks
on the dark web will use cryptocurrency
like Bitcoins.
And this is an example of a ransomware message.
This is a message you might get
on your computer screen if you've been compromised.
And basically the attacker is telling you
if you don't pay us,
in this case $200,
we're gonna encrypt all your files
and you won't be able to decrypt them.
Now, it purports to be from the FBI
and it's telling you that we've identified
child pornography on your computer
as well as some other types of unpleasantries.
I can assure you, number one, the FBI,
if we suspect you have child porn
on your computer,
we won't be emailing you about it,
we will be showing up at your residence.
And number two,
if we suspect you have child porn,
we will not be asking you to pay
the paltry sum of $200.
There'll be much more significant consequences.
But this is a message you will see on your computer
screen if you're hacked.
And what the folks want to do
many times is have you pay in Bitcoin
because it's a little bit more difficult
to track the finances when the payment's
made in Bitcoin on the internet.
Not only are computers susceptible to ransomware
but also smartphones
and potentially smart TVs
which would be a very big tragedy
in my household.
Another thing we want to look at
is what's called advanced persistent threat.
Unlike what we saw in the movie War Games,
an APT is gonna be state sponsored
or state acknowledged, state supported.
Or it will be part of a very sophisticated
criminal ring.
Advanced persistent threats are not
your high school hackers.
They are folks who are focused.
They're not going into a system willy nilly
and trying to take all kinds of records.
They're going in for a very precise reason
and we'll talk in a minute.
I think a lot of that is financial in nature.
They are persistent which means they maintain
their presence in your system
for a long time.
We have seen APTs last in a system
for over four years.
Their motivation,
it could be the gathering of intelligence.
Not just say military intelligence
but from our perspective financial intelligence.
And finally,
are these folks sophisticated?
The folks who use the advanced
persistent threat malware?
Well sometimes they are but not always.
Time after time,
one of the most significant
and successful techniques is spear phishing.
And that's where you get that unsolicited email
which says perhaps you're getting some free software
or maybe the answers to your test,
or some free music
and all you gotta do is click
on this document.
And when you click on that document
a file begins to execute
and your computer is now compromised.
This is one of the single most successful
techniques in the hacker's quiver.
And the reason why is because it works.
These folks are very good at crafting
the email and getting your attention
and not appearing to be hackers.
Now, we want to talk about the onion router.
As I said before,
the dark web is accessed a little bit differently
than you would do a Google search
or go to the deep web.
And one of the ways you can access it
is through the onion router.
And that's basically free software
that you can download from the Tor project
install it and you can go
and communicate through a volunteer network
of computers.
You're not gonna be communicating
through particularly like a server here
as we have in Penn College.
That communication that you will use is encrypted.
And it's encrypted like an onion.
There's multiple layers
and as the communication goes
from computer to computer to computer
it is slowly removed
hence the analogy towards an onion.
Now, Tor itself isn't all that bad.
It was developed by the United States Navy
and it was given an award a couple years ago
for outstanding free software
because it facilitated the communication
of over 20 million people who live
in repressive countries
and don't have access to the internet
like we have here in the United States.
But to a federal agent,
Tor suggests the presence
of something potentially nefarious.
Not always,
but sometimes it could lead,
for example,
to a pedophile.
It could lead,
for example,
to a person who's buying drugs
on the internet.
And one of the famous cases,
which was originally worked in this area,
was called Silk Road.
And the investigative task force
was down in Baltimore area.
Basically a young man put up
a marketplace on the dark web
and in about a year and a half
almost two years he serviced
over 100,000 customers.
Folks went there to buy drugs and poisons,
to get murder for hire,
they bought prepackaged malware
that they could use against someone.
And after a period of time,
the entire government at all levels
came together and took down the Silk Road.
Silk Road was accessed using the Tor browser.
Now, when we talk about cyber crime,
we look at the computer in one of two manners.
Number one,
the computer is the instrument
of the attack.
Or number two,
the computer is the victim of the attack.
In recent memory,
our most significant cyber crime case was Target.
Over 100 million people had their personally
identifiable information compromised.
40 million debits and credit cards
were compromised.
Some incredible litigation
in a variety of venues.
What most folks didn't realize
is Target wasn't the initial point of compromise.
There was an HVAC company here in Pennsylvania
and unfortunately an employee
unwittingly opened up a spear phishing email
and that released the virus.
This HVAC company was providing
climate control services for all
the stores nationwide.
And the attackers were able basically
to get into the Target system
through a back door.
Now, Target went out
and had Verizon the phone company do a study.
And Verizon does an awful lot
with data breach investigations.
And Verizon found a number of issues
but two of which are important tonight
because they come under the rubric
of cyber hygiene.
They found that Target was using
weak or default passwords.
And another issue they found
was that Target wasn't updating
their security software.
And we're gonna talk about the importance
of that in a minute.
But another researcher found that Target
put an awful lot of information online
to help the vendors
with the best of intentions.
But that the attackers were able
to use that information
and learn about Target's internal systems.
When we had the Colloquia,
The Good, the Bad, the Ugly Social Media,
one of the lessons that we learned
was sometimes we put too much information online.
So, as we talk about cybersecurity
and the need for passwords
and patching,
we also want to be very considerate
as to how much information we put online.
And remember that that stuff stays online forever.
Now, when we talk about terrorism
we talk about the use or threatened use
of force to advance some type of social, political,
or religious agenda.
Most folks,
when they talk about terrorism,
what comes to mind is some kind of violent action,
an explosion, a shooting, a sniper,
things along those lines.
In Bruce Willis' movie Live Free or Die Hard,
some of the opening scenes depicted
a terrorist group that wanted to eliminate
a particular victim so they rigged
the victim's computer
to blow up once log in credentials were entered
and ultimately the victim was killed.
Thankfully Singer and Friedman have pointed
out that no one has died from a terrorist
attack directly linked to a computer.
Now, Doctor Sinclair, in her Colloquia,
talked about social media
being used to facilitate propaganda
for terrorist groups.
I want to talk tonight about facilitation
and about planning as aspects of terrorism.
Ardit Ferizi is a very unfortunate case
and it's a very recent case.
At 21 years of age,
he hacked into a US-based server.
It was for a retail outlet
and Ferizi got the personally identifiable information
of 1300 government employees.
Employees of both the civilian
and military side of the government.
Ferizi got this information,
he put it on the line
and he sent it to Junaid Hussain
who was an ISIS recruiter over
in the United Kingdom.
And basically they put it online
as a cyber hit list
or these are the targets that some
folks may want to take advantage of.
The personally identifiable information
was the government employee's name,
potentially addresses,
and other relevant data.
Fortunately, it was taken down
and Ferizi was arrested.
This past September,
very unfortunately,
Ferizi was given 20 years in jail
as a 21 year old man.
So, he has the best part of his life
he'll be spending behind bars
in a federal situation, a federal prison.
Hussain was subsequently killed
in an air strike.
Out of that investigation,
one of these postings was developed.
And it's public source information
and I wanted to bring it to our attention.
"We are in your emails
"and your computer systems
"watching and recording your every move.
"We have your names and addresses.
"We're in your emails
"and your social media account."
And, again, this is an admonishment
from a prior Colloquia,
The Good, the Bad, and the Ugly.
We are putting way too much information online.
In fact, in 2003 US forces recovered
an Al Qaeda training manual.
And within that training manual,
there were indications to new adherents
that 80% of what you will need
to effectuate an attack
you can find lawfully online.
You don't need to hack in to get it.
Now, another area that we want to talk about
is our infrastructure.
And this comes under the rubric
of terrorism and planning.
Singer and Friedman noted that between
2011 and 2013 there was a 1700% increase
in the scanning of the computer systems
associated with our critical infrastructure
like pipelines,
and the water companies,
and the electrical grid.
And the scanning is nothing more
than a digital attempt
to identify vulnerabilities
in someone else's system.
In the Marcellus Shale region,
we have 17 pipeline projects
that will be completed within
the next year or two.
Approximately 17 and a half billion
cubic feet of natural gas
will be moved every day
from this region
to local power plants,
to ships where it's gonna be taken overseas.
And a significant cyber attack
or an attack that will shut down
an entire company's traffic
will cost an approximate $8.5 million per day.
Now, I don't mean to imply
that what we have to worry about here
is a physical assault on the pipeline.
But about 50% of the cyber attacks
in the energy arena target the SCADA systems.
And what's significant about the SCADA systems?
Well, it could be a back door
into your information technology systems.
And that's where the attackers can get
what I call intellectual property.
The vendor list,
a significant process,
a customer list.
This is information that is very important
to our private industry counterparts.
I didn't want to cause too much unrest
when I talked about the pipelines
and I thought we would look at a rather
heinous example where some hackers hit
an electric grid.
This was in December of 2015.
In fact, it was December 23 of 2015.
Hackers hit three electric companies
in the Ukraine.
The result of the hack affected 225,000 people,
spread out over about two dozen substations.
So, basically over 200,000 people
were without power for a couple days.
What made this attack even more heinous
was the attackers followed up
with a second cyber attack.
And what they did was a distributed denial of service
attack on the electric companies' phone system.
So, what that meant is they had a network
of computers sending meaningless data
to the phones for all the electric companies involved.
So, any time you called after your power went out,
you would get a busy signal.
And that caused a lot of anxiety.
But then again after two or three days
it was up and running.
And thankfully our private industry counterparts
prepare for this type of activity each
and every day.
Now, when we talk about cyber espionage,
what we're talking about is using a computer
to unlawfully gain the intellectual property
of someone else.
Now, we talked about Verizon
and Verizon did a study of the 2015 hacks
and they published this study in 2016.
And what Verizon found was over 80%
of the confirmed attacks in 2015
had some type of financial
or economic espionage motive.
And they also found out that 83%
of the hacks in 2015 could have been prevented
by employing a patch which
was readily available at the time of the hack.
And about 60% of the attacks
involved a default, a weak, or stolen password.
Now, when we talk about hackers who are interested
in the energy arena,
what comes to mind is the Night Dragon malware.
And this is just a graphic representation.
But the Night Dragon was designed years ago
to penetrate financial institutions
and steal financial information.
But the developers of Night Dragon realized
it was like a Swiss army knife.
It had multiple uses,
it could work in multiple arenas.
The Night Dragon is a thief.
The Night Dragon is not a destroyer.
You deploy Night Dragon
to develop information
not to shut down someone's computer,
not to shut down their network,
and not to deface their website.
The Night Dragon is credited
with stealing billions of dollars
in intellectual property
from the Defense Department,
the defense industry,
IT industry,
and also the energy industry.
Now, we've talked about some of the threats.
Whether it's a crime,
a terrorist group,
or a spy.
And in particular,
I think the areas we want to be concerned about
are protecting our infrastructure
and also protecting our company's
intellectual property.
Because they work hard
and their efforts are certainly part
of our national security fabric.
I'm not a technical person.
But there are ways we're gonna talk about
called cyber hygiene that will help us
protect a wide variety of our resources
from some of the threats we talked about tonight.
Number one, passwords.
We want to have strong passwords.
And notice I didn't say long passwords.
'Cause you know what happens when people
have long passwords?
They write 'em down.
And then they get the yellow sticky note syndrome.
That means they have a fabulous password
that's on a yellow sticky note
which is posted on their monitor
and everyone can see it.
So, you want to avoid the long passwords
but you want to have a strong password.
Which means you use uppercase, lowercase,
maybe a number or two,
and you also want to use a special sign
like a pound sign or a dollar sign.
And you want to change your passwords frequently.
The NSA recommends that we change passwords
about every 90 days
and that we don't use the same password
in a two year period
or a three year period of time.
Now, another thing you want to do with your network
is count your devices.
So, if you go home tonight
and you have your own little network,
and you know you have a laptop,
an iPad, a wireless computer,
you want to go in and check your network
to make sure that you just have three devices.
And that you don't have a neighbor
or someone driving by using your wifi.
If you have an extra device,
you have an extra attack surface.
And really this is an issue
for the least common denominator.
So, whichever device has the least security
that's the device that'll get compromised.
So, you would hope that your network
is secure but maybe that person
from the neighborhood who's invading
your network doesn't have the same level
of security as you do.
And another thing you want to do
is configure your devices.
So, when you buy that new router,
you come home,
you change the default password.
And make sure that you have a unique password
because these folks know the technology
and they know the manufacturing passwords
that are installed.
You also want to limit what you put
on the internet.
As I said a couple times,
and as was discussed in a prior Colloquia,
we want to make sure that what's out there
is an accurate representation
and cannot be used against us.
And, in particular,
social media.
Another thing we want to do is watch our children.
I am convinced that anyone under the age of 18
should not be alone with a computational device.
As Professor Bock said,
I'm part of the child exploitation task force.
We deal with online predators
and these subjects are as savvy
and as manipulative as any serial
killer I've ever come across.
They are master manipulators
of circumstance and people.
And we don't want our children exposed to that.
Another thing we want to do is update and patch.
And you see there a quick message on the screen
that it's time to update your phone.
That's a very frustrating message to get
especially when you're trying to dial
make a quick call
and get done with your business.
There is a reason why software manufacturers do patching.
When a software manufacturer identifies
what's called a zero day exploit,
where it's a defect in the software
that has not been known before,
the software manufacturer wants to protect you.
So, they develop a patch
and they get it out right away.
And the reason why they want it out right away,
is because the bad guys,
the hackers,
are looking for zero day exploits.
Which they will take advantage of
or they will sell on the dark web
to someone else to take advantage of.
And finally,
what we want to do is repeat.
We want to do all of these steps
over and over again.
Having a secure network tonight,
does not guarantee next month
that you'll have a secure network.
So, you want to make sure
you update your patch,
you change your passwords,
and you follow good computational practices.
Now, I did a little research quick
to find the top passwords for 2016.
With the idea we want to avoid all
of those in 2017.
Because they're already well known
in the hacking community.
And I put a couple of these here tonight
to talk about 'em real quick.
Number one, password.
Or any logical combination thereof,
like password1234, password6789.
Definitely one you want to avoid.
Number two, 123456,
or any logical combination thereof, like 654321.
Another one, letmein.
Way overused in 2016.
My personal favorite,
trustno1.
And finally, qwerty.
Anybody know where that password comes from?
(inaudible)
The text on the top part
of the keyboard with your left hand.
Now, Singer and Friedman talked about
the value of information sharing.
In 2008, there was a study where a number
of IT security firms came in
and looked at a number of banks.
In particular, the bank's exposure
to spear phishing emails.
And at the end of the study,
the IT firms concluded that if they were able
to share all of their information
with all of the banks,
they would have collectively saved about $330 million.
And that is just in the arena
of dealing with spear phishing emails.
Now, here at Penn College,
we host InfraGard
which is our form,
on the federal government level,
of sharing information.
We have manufacturers,
we have healthcare,
all the aspects of private industry,
the banking industry,
and also the government.
And we are having a security seminar June 2
here at the student servicing center.
And I would encourage all of you
if you have information
or you want to learn about this arena,
to come out on June 2
where we'll openly discuss issues.
A lot of times folks are a little bit
concerned about sharing security issues
with the government
because they don't want to get into trouble.
But this forum here
which is facilitated by Penn College,
is very useful
and it's a non-judgemental forum.
And it's also a great way
to meet a potential new employer.
Now training is another thing
that Friedman and Singer brought out.
And I've been very lucky over the past several years
not only to be part of the accounting department,
but also to be part of the IT department
on their advisory board.
We have a wonderful information security
assurance program and our students
are graduating getting tremendous jobs.
They're some of the best equipped
in the arena
and that is something for this school
to be very proud of.
It is projected by the year 2020
that we will need 1.4 million students
who are technically competent
in the arena of cybersecurity.
However, only about 400,000 of those graduates
will meet that standard.
And what does that say to me?
Well, the rest of us,
we need to engage in a little bit of cross training.
So, whatever our major is,
whatever our background is,
whether we're in school or out of school,
we need to learn some of the basics
about cyber hygiene.
Protecting our passwords,
updating our passwords,
and making sure that we employ those patches.
Now, as I transition into the next part
of the presentation,
I just wanted to let you know my references here
are posted; they're part of the PowerPoint.
It was a very interesting study
for me to engage in
and if any of you especially the students
want to follow this type of academic pursuit,
certainly feel free to access these resources.
(applause)
- On the subject of password requirements,
do you feel that websites that require certain
lengths or certain characters in their passwords
are causing more of a problem with security
since they're expecting those characters
for those websites' passwords?
- Well, that's kind of a broad question.
We'd have to look at the individual websites
and don't forget in my capacity
I can't say what's a good practice
or not a good practice per se officially.
But I think it's up to the individual website
and how they implement that protocol.
- Can you speak specifically to a cyber hygiene
in light of the current precedence
on leaks of domestic intelligence programs?
- Well, I don't know that both would be related.
Cyber hygiene is going to prevent someone
from accessing your information.
When you're talking about that other area
with leaks and all of that,
that's a little bit far afield because
you're talking about an intent.
And that becomes a crime.
And in addition to that,
if there's something that's pending investigation,
or prosecution I wouldn't be able to talk about it.
But I see the cyber hygiene as something
that we can all use to protect ourselves.
When it comes to the leaks,
that's another arena because you stepped
over a criminal line there.
- You talked about like a joint effort
to close down the Silk Road.
And you also talked about the protection
of children over the internet
which I completely agree with.
Current statistics show like over 52%
of men currently watch pornography.
Why hasn't there been like a co-joint effort
to at least a percentage of pornography websites
by the US government?
- Well, the US government would investigate
acts of a criminal nature.
And pornography is not considered a crime
in and of itself.
The depiction of minors in bondage,
being tortured,
in sexually explicit positions,
being raped,
that is considered a crime in this country
and that's where our resources are directed.
- A pattern that I've noticed
is that a lot of people with social media
are putting updates as to what they're doing
every three to five minutes it seems like.
And generally speaking I'm always trying
to tell friends of mine that they need
to stop doing that.
Is there any advice that you have that
I could offer to them to try
and convince them to stop giving so much information?
- With regard to social media,
you have to remember,
number one it's out there
and it's gonna be out there forever.
Even if you think it's deleted.
Number two,
all of us will go on to apply for jobs.
And more and more not just in the government
but private industry
is looking into social media
before they hire someone
or before they promote someone
to a key position.
So, you want to make sure
that you present the most professional
image of yourself on social media.
I know Congress is looking to pass legislation
for any federal agent who keeps
a security clearance every five years you have
to turn over your social media
log in credentials
and our security squad will take
a look at it to make sure that
you've engaged in proper activity.
So, I would say from an economic standpoint,
you want to make sure you're
a viable candidate for employment.
Cause it's a tough market.
Don't let something crazy on social media
knock you out of the picture.
- Sidebar, in addition you also want
to take a close look at the privacy policies
of that site.
And check through what you want released
to the public.
So, that's something else you can do
and also it's good to try to educate your friends
cause that's another job we want you to do
is share this information
to your friends and family.
- So, there are children who have grown up
their entire life being online.
So, it's just kind of accepted
for them to do whatever.
Do you think schools should have a more active
role in telling them how much
it will impact them later on in life?
- Yeah, I think schools should.
And I can tell you,
I had an eye opener about a month ago
with my son.
We were talking to him about internet safety
and I think it was in the context of Minecraft
or something like that,
and he told my wife,
I'm not putting my date of birth in there,
I'm changing it by a year
and a month.
And this is someone in elementary school.
So, I think our schools are realizing
the importance of that.
And giving the kids some of the tools
they need to stay safe.
- What would be your response
to someone who says I have nothing
to hide and therefore they don't
use strong cyber hygiene?
- Well, that would be a mistake.
And it's also job security for myself
and Professor Bock.
It's not what you want to hide,
it's what you want to protect.
So, if they get ahold of your name,
your date of birth,
and your social security number,
they're gonna go out
and take out credit cards in your name.
They're gonna take out student loans in your name.
They're gonna travel in your name.
They may commit a crime in your name
and then the local police department
issues an arrest warrant in your name.
And if you get caught running through
a traffic light or a stop sign
it will take someone like me
a day or two to straighten out
what should be in your name
and what should be in the criminal's name.
And that typically is a day or two
while someone's in jail.
So, I would say even if you don't think
you have anything to lose,
your credit, your credit score is invaluable.
Protect it.
- So, I wanted to ask since you were talking
about the dark net and everything,
and you were discussing about how Silk Road
was closed down.
But there have been many reiterations
of Silk Road ever since the main one was shut down
and there's also tons of other illicit
marketplaces on the dark net,
such as assassinations, drugs,
child pornography, things like that.
Basically what I wanted to ask is
do you think it's at all possible
that all of this could be eradicated?
Or will there always be something
of this type existing online
just because of the anonymity provided
by Tor and just how difficult
it is to track these individuals down?
- I don't think we'll ever eradicate it all.
I think we can give best efforts
and typically law enforcement resources
are directed at the worst offenders.
And with Silk Road,
the founder was Ross Ulbricht
who had some connection to this area years ago.
But there was some murder for hire
allegations that surfaced rather quickly
and that's what caught
the government's attention very quickly.
So, certain websites
and certain marketplaces will garner
the government's attention
a whole lot quicker than others.
- Alright, so you talk a lot about
our government doing things for this and that.
What are other large countries
and states doing to help with this?
And is there any enemy states that
we're working against on this topic?
- Well, that's a very good question
and we do have quite a few partnerships out there.
The United Kingdom is a tremendous ally.
I have worked personally with various
governments over in Eastern Europe
because a lot of that comes
from that particular region.
If you look online
and you Google search the term hackerville
that will take you to a very specific
town in Romania where they just
do incredible amounts of targeting
in particular US interests.
We do get cooperation from a wide variety
of governments and that's consistent
with any other criminal enforcement.
Whether it's drugs, terrorism,
or the hacking,
it's dependent on a government by government basis.
And yes, some do cooperate more than others.
- You talk a little about the dark web
and policing things on there
and I understand a little of the operations
involved in that are involving multiple countries
and things that are pretty much globally illegal
but what do you do about things that are legal
in other countries?
For instance,
where it's hosted but not in America?
- Well, you're gonna be judged by the laws
of this country if you are in this country
and you're engaging in activities that will
not be legal in this country.
For example,
we will have folks that travel
to certain countries
to engage in sex with minors overseas.
That is specifically illegal,
Congress has passed statutes
and it is enforced.
So, even though you haven't committed
the conduct here,
Congress has realized your activity
is extremely problematic
and they will not tolerate it.
So, there might be specific statutes
that address a variety of concerns.
But also we're gonna be looking
at what you're doing on US soil, as well.
- In the context of default passwords
and usernames from vendors,
do you think vendors are doing enough
to inform users that they have to change
their usernames and passwords?
Or do you feel like they're actually
educating their users enough
or do you think that falls onto the consumer?
- I think there should be more vendor education.
I think Professor Bock agrees.
- We were just,
when he showed that 10 top passwords,
if you were just to go home
and Google default passwords,
nothing fancy,
you'll see lists of default passwords
for all types of devices
that are used in networking,
home devices, routers, switches.
So, they're out there
and there's no big secret.
So, it's a good question.
- Any other questions?
- How do you feel about Anonymous?
- How do I feel about Anonymous?
It's job security for me
and many of my coworkers.
I do not agree with any vigilante.
At the time where we distrust our government
and we take law enforcement action into our own hands
we get a corrupted result.
So, I would disagree with vigilantism.
- Thanks, Billy.
Appreciate the time.
Want to offer another idea with regards
to cyber hygiene.
We can take the time and the effort
to put in good strong passwords
but we don't always know what the websites'
and the different locations that we're going to
actually or how they use that material.
So, one of the things that I've gotten
in the habit of doing
is I use a neutral password
that I know is a temporary password
and I will immediately request a return on
my forgot my account.
And I see if they send it back
to me in clear text.
Because if they're sending my password
back to me in clear text,
they're probably abusing
the rest of my private information, as well.
And I don't walk away from those sites,
I run.
So, take a look at how you have
to reset a password
and that will often give you
an idea of how that website
is manipulating your own data
or their data that they're using.
- Very good.
- In terms of the OPM breach,
I had my PII compromised, as well.
Have we seen the,
it was supposed Chinese hack,
have we seen them use any
of the PII gathered in that breach?
- Thankfully I have not seen it.
There are some movements where
they've allegedly arrested some.
I'm not familiar with that aspect of the case.
But when you compromise that volume
of data the next logical question becomes
how do you use it?
How do you exploit it?
Are you capable of exploiting it?
So, I think there might be some success
with the exploitation
but the follow up
and the ability to use it
in a logical manner might be
hampered somewhat there.
That's my own suspicion.
- They offer a little identity theft
protection on the back end.
Still offer that I know of.
So, but you should be vigilant, too,
and check your credit scores
and some other things
that you can see in the background
to see if things have changed.
- So, I'm not sure if this is directly connected
but what are your thoughts on SJ Res 34?
The bill signed today by Trump
allowing ISPs,
they no longer need consent to sell consumer data
or browser history.
- That would be a little bit frustrating.
I was not aware that passed.
But it would be frustrating
and it may be in contravention
of other federal statutes,
like Gramm-Leach-Bliley
where financial institutions have
to have your permission to do it.
So, we'll see how far that goes.
- Just to touch up on that, too,
because I was reading about this
this morning.
I think the issue for Congress
with that was their argument was that FCC
overstepped their authority when they
tried to institute the rules.
So, that Congress' argument was that that
has to happen through Congress.
- Separation of powers argument.
- Yep.
- So, it's great to have difficult passwords
and numerous passwords
but there's so many websites out there
nowadays it's hard to remember those.
So, I've started using a password manager.
What are your thoughts on that?
Cause while it uses a very strong password
to access the manager,
and they're stored supposedly securely,
it does put all your eggs in one basket.
- It does seem like a very good idea.
It's recommended by a wide variety of folks.
It's something I may implement
on my end, as well.
- So, following up with Brad there,
and using a password locker,
I've came into the use of,
I have one or two or three very secure passwords
and then I add in kind of an encrypted
form of the website that I'm on.
So, for example,
for Facebook,
I might take out all the vowels
and use my secure password.
- Not anymore.
- That wasn't what I use,
but that was just an example.
Would you condone that type
of password protection?
- That sounds pretty good.
But one thing I'll tell you watch
is make sure you're not mixing.
So, if you have passwords for work
keep them separate for personal passwords.
So that if you have a compromise at work
your personal info is not compromised.
So, just near the (inaudible),
keep 'em separate.
- Again, I'd like to give Billy
a round of applause
for a wonderful job.
(applause)