12. Keystroke Loggers: Is Your Janitor The Problem?
Welcome everybody to another episode of unhacked. I'm dang. Check my math on this, guys. What, what episode are we on? 12?
Mario:I believe 12. Yeah.
Justin:Think so. Alright. Well, today ... I
Justin:had to actually check my math. Today, we're gonna talk about we're gonna mix things up a little bit. We're gonna start talking about specific types of breaches or, tools that are used in breaches or risks or whatever, and then we'll tie those to real world examples. So, today we're gonna talk about keystroke loggers. Before we get into the topic, let's do our quick introductions.
Justin:I'm Justin Shelley with Phoenix IT Advisors, formerly Master Computing. I do work in the Dallas, Texas area as well as Northern Nevada, so, little bit spread out there. And today, I'm broadcasting live from my hotel of all places, and I've got some construction work next door. That's great. So, hopefully, you can't hear that.
Justin:I've got my background blurred because you probably don't wanna see my hotel bed. So, that's me. And then, Mario, why don't you go ahead and introduce yourself followed by Brian?
Mario:Sure. Mario, Zaki with Mastech. We are located in the New Jersey and New York area.
Bryan:Brian Lachapelle with B4 Networks. We're located in Southern Ontario in beautiful, Fonthill, Ontario.
Justin:Guys, you can go to, so you don't have to remember this, go to www.unhacked.live That's our website, and all of our information is on there, a little profile on each of us, contact information, and even upcoming episodes. We've added that recently, so you can tell what we're gonna talk about next week and the week after that and the week after that.
Justin:So, alright. So today, we like I said, we're gonna talk about Keystroke Loggers and learn a little bit about that technology, how it's used, and how we can prevent it. Let's see. Guys, I'm gonna punt this over to you to talk about just kind of the a little bit technical, but not too technical of what a keystroke logger is, how it works, how they get installed. So why don't you guys wanna take the torch and get started?
Bryan:Yeah. I can I can dive I can dive in? So I'll just start real real high level. Essentially, Keystroke Logger is just, either a piece of hardware or a piece of software that will capture every single character you type into, your keyboard and or in in a case of software keylogger, it doesn't even have to be something you're typing. It could be something you're copying and pasting.
Bryan:So anything that is generating text, it'll even capture things like your backspace. And so if you type something and then erase it, they've caught it. So high level, that's what it is and how it could be used. I'll maybe pass that torch over to Mario.
Mario:Yeah. I mean, that's that's pretty much it. Like, it's pretty much what it's doing is everything that you're entering, no matter if it's email, passwords, surfing the web, think of it as like a copy going into Microsoft Word. So it's literally creating a a log of everything that you are typing and going into a Word document, the hacker or whoever gets it then can see exactly what they're doing. There's actually software out there that it's not only capturing key logs, but monitoring your computer, what website you're going to, your email and stuff like that.
Mario:And it's actually like we have customers that purchase this because they wanna monitor their employees. So key loggers can be used both maliciously, you know, by mal, you know, through malware and hackers, or it can be, you know, captured by employers for the, benefit of the company.
Justin:Fair enough. We've actually kinda got 3 categories of, what they're used for. Right? We've got legit slash legal use. We've got a little sketchy gray area, and then we've got just straight up asshole use.
Justin:You know? Like, don't do this. This is. Alright. So, let's let's go down this this list as far as legit uses.
Justin:Brian, you, do you have examples of where I mean, yeah, you could say employers. What else? Yeah.
Bryan:So so there's a couple of places where, employers might wanna use a Keystroke logger legitimately. Maybe they're they're going to be monitoring, you know, either servers or workstations where, they're looking for unapproved activity. So it could be anything from maybe they're not supposed to be going to a certain website and it'll capture them typing in that website or it could be looking for, credit card information that they shouldn't be accessing or or typing in. Anything that, is potentially words that they might not wanna have, maybe race rate racial slurs or or swearing if especially if they're they're dealing with employees that are front facing, and dealing with the general public. They're probably there should be no reason for those type of of activities.
Bryan:So they'll they could potentially utilize that. A couple other areas, they could use it legitimately, product development, collect feedback, or to enhance computer performance. So as an example, at a, a kiosk, they could potentially be, you know, recording information on what people are typing in. So they can, you know, get some feedback to understand what's being utilized for it. Assessments, inquire information about, you know, what kind of issues people are are are running into and how to effectively address them.
Bryan:I'm sure there's more, but maybe Mario can jump in here.
Mario:We're talking about legitimate reasons?
Justin:Yep.
Mario:Well, like, I actually have an example. So I did a some work for a church, and they had a treasurer that they needed to have him release the position. And he didn't wanna release it easily, even though it was a volunteer and he just he's been there for like 30 years. He's like, that's BS. Why why do you want me to leave?
Mario:And they were suspecting that he was doing some stuff, you know, so they called me in and they're like, Mario, he won't give us our passwords, and we don't want him to know that we are getting into the system. So they had me getting a little hardware key locker, that you get it online. It's not that expensive. You put it in, in it's literally like a USB. It just connects to the mouth, to the keyboard And we were able to put it in and then we will we were able to get a log of all the passwords that he was doing.
Mario:We didn't wanna go in there and just do like a a reset because then he would know that we reset it. So once we were able to get the passwords, we were then able to do it when he wasn't there and log in and see what exactly he was doing. So that's like a, like an example of a legitimate thing that, you know, it would be used for. You know, obviously real quick.
Justin:Yeah. Mario, okay. So I I actually just wrote this down to see if, to ask you guys if you'd ever actually used one. You have. And so my I haven't.
Justin:I'll be honest. I've never actually plugged one in and used it. Although after this, I think I'm gonna have to just for, fix. So in my mind, I'm I'm imagining logging every single keystroke, and that's gonna spit out a text file of nonsense. Like, does it have does the does it come with an application that tries to translate that into actual words?
Justin:Or is it just a long string of characters?
Mario:Essentially, I think it, from what I remember, is it paused or went to the next line after every, like, certain pause or something. But the first thing you'll see when, when you plug it in, they turn on the computer, the first thing you're gonna see is the password of the computer. So, you know, the first thing is the password of the computer. Then you may have to, you know, depending on the one that you have in, piece, piece it together. So, you know, if you see an email address, like they're typed, they've typed in an email address, chances are the very next thing is the password.
Mario:Right. You know, then you can start seeing like certain bits and pieces. We do have a couple of customers that do monitor employee activity. And that one shows you, you know, images and videos of the actual screen. So when you actually have the screen and you can match it and it'll tell you like, this is what was typed in at this time and stuff like that.
Mario:So it makes it a little easier.
Justin:Yeah. I, I've used I don't know if you're talking about the same product I've used, or I call it survey, lots of employees or whatever. Those are very handy tools. But again, these straight up hardware key loggers. I imagine and, you know, I'm dating myself, I guess, because these days, I probably upload it to, you know, an AI server of some sort that can just put it all into easy to read English.
Justin:I I don't know. The malware version, they've gotta be able to pull more information as well, what what applications they're using. But a straight up hardware c longer, probably would be a little bit hard to use if I had to.
Mario:You know, I'll date myself. A long time ago, I used to be a subcontractor for Circuit City. And it was in like, it's their equivalent of, like, Best Buy's Geek Squad.
Justin:I was gonna say you better for for our younger audience, you better tell them what Circuit City is.
Mario:It's like yeah. It used to be a computer store that is just, like, pretty much equivalent to, like, Best Buy now. And instead of having their own Geek Squad, they used to actually have technicians that they would dispatch, you know, in the area. And I they used to dispatch me to do some work. It was mostly for home users.
Mario:And I fixed some some person some lady's computer, and she asked me, she's like, hey, I wanna be able to log everything my husband's doing on his computer. Can you help me with that? And this this was a while ago. And, you know, key loggers have been around for a while. I I at the time, I told her, you know, I I don't have anything for you.
Mario:You know, maybe ask the the people at Circuit City, because I wasn't allowed to really sell to them or do anything outside, you know, my scope. But she did ask me. She was she had suspicion with her husband, and she wanted, her so she wanted the first she wanted passwords to his email and stuff like that. Oh, boy.
Justin:Oh, boy. Yikes. Run away. Run away. There's no way I'd touch that one.
Justin:Yeah. I had somebody at, in a back when I went to church. I had a church member want to spy on their teenage daughter. Wanted me to install something to to spy on her and to lock her out of everything and whatever else. I declined.
Bryan:Yeah. That falls a little bit on a gray zone. But, there might be some valid valid reasons to monitor, younger younger children, to make sure they're not going to wrong places. But easier there would probably just be putting the computer and or device in a public area so that Right. It's available.
Mario:And I think that's equivalent now to, like, parental control, like, on phones and stuff like that, you know, for if you have a daughter or something. I know when my daughter, if once she gets a phone, I'm probably gonna put every monitoring software I can on there myself, but but
Justin:Because all she's gonna do is Google how to bypass dad's security. And every security out there to to monitor and protect kids, unfortunately, has a way around it. So Yeah.
Bryan:When I know it.
Justin:Know that going into it, future dad.
Bryan:Yeah. My son is gonna be an IT guy, mostly because, he he's learning how to get around all the crazy things that
Justin:I do to try to stop him from going on the Internet
Bryan:in the middle of the night. And he I just unplugged his computer now. Good to be here.
Justin:Yeah. Good luck with that one. Yeah.
Mario:Nothing beats just taking the power cable. You know? That's still the most effective way you can.
Justin:I mean, they're gonna go buy a new power cable. I just I've seen that one play too. Hide the power cable. Oh, here's another one. You know?
Justin:Yeah. Add it up. So we'll we won't digress too much because I I could go on for a while about that. I've I've raised 4 children to adulthood, and, I have yet even in this industry and living and breathing, eating, sleeping this industry, I have not found a way to completely protect them, unfortunately. So No.
Justin:This is not a parenting advice show, Joe, but I I would call me offline, and we'll talk. So, let's get back to Keystroke Loggers. The so we've got a couple of real world experiences here. Brian, have you ever dealt with 1 personally?
Bryan:I have not personally dealt with 1. I've never used 1 or or or I mean, we I've used a software version, not hardware. You know, we've had, clients wanna monitor, activity on on on workstations to see if there was corporate espionage happening. And, it was sort of similar to what, Mario was talking about. It recorded key it had a Keystroke logger in it, but also recorded video and and and and, you know, communications that were happening, all legitimate, when it's done through, you know, for a for a business, where, is disclosed in advance that, you know, anything you do on company computers can and will be monitored.
Bryan:But to to see it out in a wild, I've I've seen, you know, articles and I've seen videos of of people using keyloggers, but never actually, experienced one directly myself.
Justin:Yeah. That's the same for me. I've I've used the software to I call it employee productivity software. That sounds much nicer than hey, we're watching every damn thing you do on your computer and docking your pay if you you know, whatever. There are there are good use cases for that.
Justin:But anyway, that said the the what we wanna talk about today is really the truly malicious use of keystroke loggers. And, you know, and as we were researching this topic, I wasn't super excited to find out that my, you know, the the company that got breached, which is LastPass, and one of the ones we're gonna talk about, is in fact a password management tool that I use. So that that can be maybe some fun conversation slash debate here in a minute. But first, I thought it was kind of interesting and almost comical that we had a student get arrested for using a key logger to change his grades. Did you guys see that one?
Bryan:I did see that article. Yep.
Justin:Okay. So tell me a little bit about it, Brian.
Bryan:Well, basically, what what they if if memory serves me right, essentially, what they were they did is they they, waited until the professor or the teacher was gone, slipped in a key logger between his keyboard and, and and his computer and, were able to capture his password, to effectively, go in later and change the grade that they were receiving. Obviously, 2 factor authentication was not used in this case. But, anyway, they were changing their grades, and they had changed dozens and dozens of grades to make them look better. And the only reason that they found out is that the teacher noticed that they had, like the grades were different than what they had originally entered in. And so they were they reported it and authorities were called in.
Bryan:That's as much as I can remember off the top of my head. But yeah, it was insane to see an article like that where it was used in an educational, setting.
Justin:Yeah. Yeah. Jail time. I don't know. Did you see that one too, Mario?
Justin:Do you do you know how much time you got? I did not.
Mario:I actually had it open. I didn't see how long they they got, but it's it's actually kinda crazy that it's it's how easy it is to actually get your hands on these things. That's
Justin:the problem. For sure. Yeah. Yeah. Well, and also real quick, I wanna make the point on on, like, the stuff like this.
Justin:These kids, I doubt that they consider themselves criminals when they're doing it, you know, that a lot of times this doesn't get thought through very well. I don't remember what I was researching a while back. It was several years ago. But I was kinda shocked to learn that it's it's a federal offense to without authorization access, anybody's technology network, whatever. And they use the extreme example of even going, like, sitting outside in the parking lot of a fast food restaurant that has, Wi Fi access for customers.
Justin:And you're not a customer and you use it, so you technically don't have their permission. I mean, just something as silly as that, is is criminal, criminal behavior. Yeah. So be careful. What might seem like a funny look what I did, could find you in jail.
Justin:So, changing grades, like, also
Bryan:I I did find some information on it, by the way. I just I I researched it real quick here. So they from what I from what I'm reading, the the per the student did not get charged. But they, they the the actions that, you know, the caused was the damages were over $5,000 And the reason they say that is because it actually cost the authority $67,500 to investigate
Justin:Oh, wow.
Bryan:To investigate why and how this had occurred. Right? So they had called in, the the the the legal, like, authorities, like like police or FBI or whatever it was. And if he would have been found guilty, he probably would have faced, you know, in a in a small case like this, but it's a student probably just community service, and probation. But, yeah, you're right.
Bryan:It's definitely a criminal offense. And in this case, it's cost the public a massive amount of money just for somebody trying to change their grades. Right?
Mario:Well, he
Bryan:just know when the student they they they
Justin:could it
Bryan:could have been, outside hacker. Right? So
Mario:It says he changed it over 90 times within the course of 21 months.
Justin:Could you imagine?
Mario:For him for him and his friends.
Bryan:It would have been easier for them to just do
Justin:the work to get back to school. Do your damn homework. Yeah. Jesus Christ. I but I think that of, like, so my my fam I used to live in a community where, the main industry was, blanking prisons, but they have correctional centers, right, correctional facility.
Justin:And I like to use that name because it's a comical misnomer, Correctional officers or, you know, that we don't really rehab these people. They don't generally come out and change their lives. I know this from, family members who have been locked up most of their life. Anyways, but, so I've got, I've got a cousin who's been on the inside of the system forever, and then I have several relatives who have been correctional officers at these facilities. And I'm fascinated at the raw talent that some of these people have, like, just real raw talent and skill, and it's tragic that, you know, they use it for, you know, something that's illegal, and then they end up locked up their whole lives.
Justin:So, yeah. God, kids, do your homework. Instead of doing all this work, this research, this effort to go in and change your grades, they test the amount, read a book. You know? I don't know.
Justin:So there's, there's my soapbox for the day. Any other thoughts on the grades? If not, we're gonna move on to LastPass. I'm not hearing anything. So, we'll we'll come back to whether one should or should not continue to use LastPass.
Justin:But let's talk about their breach. So I think, Brian, you started last time, Mario, I'll let you start this time. Tell us a little bit about how LastPass got hacked.
Mario:So it seemed and I'm not sure I'm I'm not sure how it hap exactly how they targeted it, but it seemed like a hacker targeted one of the DevOp engineers of, LastPass. Now LastPass had you know, as you guys know, it stores and encrypts users' passwords. So and there was a vault that everything is protected in, and only 4 people in this company had access or the keys to get into the vault, like virtual vault. And, they weren't sure how how the hacker got gained access to this highly encrypted, you know, lengthy password. And it seemed like he had malware that was sent to him on his home computer or that was installed on his home computer, through a program called Plex.
Mario:Now I used to use Plex, myself.
Justin:Allegedly. So let me just real quick say that, they won't confirm. Plex is basically denying that there's any evidence that they were the ones breached, but that is the assumption. So yeah. Yeah.
Mario:So I'm not sure exactly how they were able to get him to run this program or install it at home. You know, that's, you know, I'm not sure, but essentially they, he ran it at home, installed a key logger in the back end of this system or in the background. And that, that happens a lot with a lot of freeware, like a front, like a BS software. Sometimes they give you a software for free, but you have like, it installs like 8 other things in the background. So essentially this was one of them and he, they gained access to that password and was able to use it.
Bryan:So, by
Justin:the way, this is also known as shadow IT. Yes. Installing things that yeah. Go ahead.
Bryan:Yeah. Side note. Like, if if something is free, it it you're the product. Right? Like, you you are the one you're the product.
Bryan:And whether that is for legitimate purposes or for illegitimate purposes, there's no such thing as a free lunch. So if somebody is giving you free software, in most cases, you're the product and and or the victim. So
Justin:Yeah. Just be careful. Yeah. Yeah. It is you know, we'll we'll come back to how we prevent this kind of stuff.
Justin:But, you know, that's just kind of a spoiler alert. Shadow IT is a common problem, a common reason for this type of breach. So anyways, go ahead, Mario.
Mario:That's about it. So, I mean, it's it seemed like they were able to copy that password or log that password, and then they were able to then use it to get into the LastPass and hack them, which was sad because LastPass at that time, I believe was the leading, especially among managed service providers like us, the leading password management software. And since then, and I know myself, I've moved a lot of my customers away from there because of the breaches that they had. But, you know, and I know some people that have stuck with it and some that have actually moved on. So they're they're But the late then
Justin:the late then. Done. And actually, we can start with the, you know, the question of, is it even a good idea in the first place to have a password manager since it now becomes a single point of failure? If if somebody gets in, they now own you. Right?
Justin:If if somebody got a hold of my password manager, and they've got everything, they've got every login. So you've got that. And then, once a company gets breached, does that make them a risk in the future, or does do they learn their from their mistakes and actually become more hardened and a better option? So go. Like, I I want the I want some hair to fly and, like, let's let's Yeah.
Justin:Get in and wrestle on this one a little bit.
Bryan:I'll I'll tackle this one. I believe a 100% in password managers. If you don't use a password manager, it's highly likely you're going to reuse your passwords, which is is even worse, or come up with some form of pattern to your passwords, which is predictable, which also is is is even worse. I believe password managers, wholeheartedly, primarily because almost everything that I use the password manager with has 2 factor authentication anyway. And so it becomes less important that the password gets out.
Bryan:I mean, it it's still important. But with the the added of a 2 factor authentication, that just adds that extra level of security. And in most cases, password managers today, even the company that stores the password, this is where they've improved over time, The company that stores the passwords on your behalf are storing it with a hashed. It's essentially encrypted on their end and even they don't have access to it. For example, LastPass and 1Password and some of these other ones now, it's or stored at their end encrypted, and they don't have the password.
Bryan:They don't have the decryption keys. Only your password that you use to log in to the system and or your administrator, if you have an administrator, will have a, you know, a backup, decryption key, to decrypt the the the passwords in the first place. So a lot more secure than they were once upon a time, and I strongly suggest everybody get a password manager.
Justin:If you lose your password to your password manager, you're done. Yeah. They they can't they can't get it for you. You know, it's No. I'm I guess I don't know.
Justin:I haven't lost mine, so I can't say that there isn't a password reset. But I had an employee several years back who set up LastPass, forgot their password, And we couldn't get it. I get I don't remember the details of it. I just know, we had to start over creating a new account and and start from scratch. There was no getting that back.
Mario:We actually had a customer and I think that comes like 2 weeks ago. It says, hey, I went on vacation. I came back. I can't remember my my password. We use a program called Keeper.
Mario:And, you know, I don't know what the hell she was doing on vacation. Like how hard did she, you know, have to drink for her to
Justin:Pretty hard. Yeah.
Mario:But, we couldn't get her password, but and you can't reset it. You cannot reset your master password. But what I believe you can do is you can create another user and then you can transfer those passwords to the new user.
Justin:If you can use the new logo. But I've heard of you can log in. Yeah.
Mario:I think I can log in. It's like when you're, when you're deleting the old user, it asks you, do you want to transfer these passwords to another user and you can transfer it to another user? At least that's what Keeper helps you do.
Bryan:What, 1 passcode. So we use 1 password. What 1 password does is they, and they, they allow the administrator of the of the account, the the overall account, right, for all of the users to check a box that says and a super admin can reset passwords. And so, you know, we're able my account is able to well, not my account. The superuseradmin account because it's not mine, has the ability to reset somebody's master password, which would then let them get in.
Bryan:And it does that through a secondary encryption. And I don't know the exact details of of how the technology works, but it's still encrypted on the other end and only the person who has the password for the the the the super admin can decrypt that. So it's almost like it encrypts it with both, with both passwords.
Justin:Is that what you're talking about, Mario? Because I'm, like, I'm super skeptical that you could, without logging into a single user account, transfer that because that if if I can do it, then so could a criminal.
Mario:Well, you have to do it through the the admin account, like the like the MSP account.
Justin:That makes more sense. Okay. Yeah. Right. I'm tracking you now.
Justin:Okay.
Bryan:Which means, again, the super admin account should be highly protected with a outrageously long password, that, nobody can can breach with 2 backed authentication.
Justin:It is. Now the let me ask
Mario:you this and this I have not confirmed. Maybe you guys could confirm this for me. Because now I wanna combine our 2 topics, key loggers and 2 factor authentication. I was told that with if somebody if a hacker gains a password like that, that 6 digit code and then knows what the next 6 digit code is or at least knows the timing of the next 6 digit code, he can then backwards, engineer what the encryption key is. So for example, your patent, you know, you know, these codes, Okay.
Justin:In 30 seconds.
Mario:These codes in 30 seconds, if you know what the code, the the code is in 30 seconds, if he knows what one is and then the next one is, he then knows what essentially is that QR code. I heard that.
Justin:Essentially 17 more seconds. I'm gonna ask you to show me that screen again. Yeah. I remember we would screenshot of the first one. Yeah.
Mario:I mean, there there are numbers. I know. But essentially, it I heard that, you know, once those numbers reset, that like, he can predict what the next one is going to be. So Well, it's math.
Justin:So this is an interesting point because there is no such thing as a truly randomized computer generated number. It can't be done. The the computers can't do it. So they feed it, and then they run calculations on it. The typical seed is a a clock.
Justin:Right? Which is, I think, what you're talking about. They take the local time and they run some stupid algorithm on it and spit out a random number, and random is in their quotes, guys. Because computers can't randomly generate anything. So I assume that's what you're referring to or some version of that.
Justin:I'm sure that is true. And I would just say that generally speaking in the world of security, nothing's absolute. Nothing's perfect. Which is why we layer, which is why we stack and which is why we sit here and talk about it week after week and make adjustments to how we operate. Right.
Justin:2 factor authentication is a phenomenal tool, but it's not foolproof. In fact, in this one, the last pass, there was some version of bypassing 2FA in the breach. They got the keystroke logger on there, and they were able to somehow bypass and I don't have details on that, but they were able to bypass 2FA. So, you know, maybe it's what you're talking about. Maybe it's reverse engineering.
Justin:Yeah.
Mario:I believe they they're able to. If they have the if they if they're able to see the number at, like, say, 33:01 PM, you know, they know in a few minutes that that code is like, if it's entering again 5 minutes later, that that code is that's what the next code is.
Justin:Interesting. I I may have to research that. I don't I can't even speak intelligently to that. I haven't heard that.
Mario:But That's why I'm not sure either.
Bryan:Yeah.
Justin:The brains that create encryption and that crack encryption are different from the brain that I was gifted with. I will not sit here and tell you that I am a hacker, a white hat hacker, or anything else. I learn, I research, I study, and I protect. That that is what I'm good at. I'll never be the guy that's cracking code, though.
Justin:So
Bryan:And and I think we've mentioned it a couple of times throughout different episodes, but at the end of the day, it's just being the the not being the low hanging fruit. So as much as we can put it in place, if somebody is absolutely 100% dedicated in breaking the your account and your systems, they probably will at some point or another. But most hacks occur, because you're the low hanging fruit and, they're able to breach you easier than they can breach somebody else.
Mario:Yeah. Yeah. Unfortunately, we have every week, we always talk about what you can do to prevent something like this. It is very, very hard to prevent a hardware keylogger because if somebody puts that little piece behind your computer
Justin:Yeah.
Mario:You know, unless you're checking every morning, it's very hard to prevent to prevent that. So, you know, the way to do this, lock your door, you know, stuff
Bryan:like that. Security essentially. Physical. Yeah. Right.
Justin:You know, and physical security is one that we don't talk a lot about in the world of cybersecurity. But it is a key component. It's a it's an important part. You know? Mhmm.
Justin:We will probably talk with our clients about securing their IT room, their server room, if they still have servers, physically securing those. But how often do we have conversations about physically securing workstations, you know, and and keyboards, you know, because some of these Keystroke loggers are embedded in the keyboard itself. So you just, hey, I gotta I gotta swap this keyboard for, you know. And and somehow or sometimes how they reach physical security is they will come in posing as a vendor of some sort. Yeah.
Justin:ISP is a perfect one. Your Internet provider shows up and says, hey. I gotta look at your router. And then they go back there and, you know, snap a picture of the stupid password they print right on the goddamn router that, Internet companies like to give you. You know, I've I've heard of that happening.
Justin:But, yeah, they could come in as a janitor. Right? And, did we already talk about the janitor? Was that before we started recording or afterwards?
Mario:That was before I started we started Alright. I better
Justin:you better do that one.
Mario:So I actually sat in a meeting. And now this was on a cost we didn't actually earn them as a customer. It was somebody we sat down with. He was telling us about a breach that actually happened to them. I think at that point, it was like a couple years prior, where the cleaning lady was paid by somebody to go in there and change, I think she changed the hardware, like the keyboard, or she put something on the computer and then gave them gave hackers or whoever paid her access to gain that top person's computer.
Mario:And then they were they were breached through there. It took them a very long time to realize what it was. And I think it was because they decided to, they were, weren't sure what was happening. They actually got rid of all their computers. They got brand new computers over.
Mario:And that's during that process is how they discovered, like there was something there.
Bryan:Yeah. I heard a story once upon a time where, I won't get into specifics, but, the son of a very high influential person at a company, was compromised themselves. They were doing something they really ought not to on their computer and they were blackmailed into, essentially at on their father's computer, install a, a key logger. And, so physical security would have been the only way to prevent even against your own internal family. Right?
Bryan:Like, it's amazing at what people can do when they really, really wanna get in into somewhere, which reminds me, there's there was a
Justin:story about, you know, you can pretty much get in anywhere if you have
Bryan:a clipboard and a reflective jacket. And there's actually there's actually, like, YouTube videos that you could see of people doing just that. They just throw a reflective jacket on, bring a keyboard or a clipboard, and you just, like, walk in at pretty much any business and say, hey. Yeah. We're here to do x y z, and the people just let them in.
Bryan:And and then from there, they can do whatever they want. They can, you know, slap a key logger on any piece of hardware. And and I'm amazed at how many people don't lock their server rooms. Oh, we trust all our employees. Sure you do.
Bryan:Right? Like, it it doesn't take much to bribe somebody to to to install something anywhere. And physical security
Justin:trust all your employees. I'm sorry. That's a bad strategy. Every good employee verify. Well, yeah.
Justin:But I mean, it you don't know who's gonna turn and for what reasons.
Mario:Well, that's why, like cards, like like, like, to like cards to log into a computer is getting very popular. Facial recognition, like with my tablet, I just click it and it recognizes my face. You know, you'd think that that's like, you know, not secure, but it's actually probably one of the most secure methods than putting in a password or a pin. Yeah. You know, facial recognition and stuff like that, you know, for your phone as well, getting through that way is very secure.
Justin:Yeah. Great stuff. I still don't know that I have an answer for, you know, how to prevent the janitor from throwing a hardware keystroke logger on your workstation when they're there by themselves at night. So that, I don't like that one. I don't even like talking about stuff like that that I don't have an answer for, but I don't.
Justin:Yeah.
Bryan:Short of instructing everybody to take a look at everything, you know, on their computer or Yeah. Computers behind lock and key, at the desk. Right? But, like, who's gonna do that?
Justin:Right. Be careful when you select your vendors for sure. But like I said, every everybody can be compromised depending on, you know, whether they have dirt on them or they pay them enough. You can get people to turn. So, but it is at least something worth, you know, having on the table that you you talk about is physical security and vendor security.
Justin:How do you vet your vendors and, you know, That's kind of a dark note to end on. I don't like that. Let's talk about things we can do, what we've learned here that we can do to prevent, mitigate or, you know, prevent some of this or most of this. In the last pass scenario, one of the things I picked up on immediately is, well, number 1 Shadow IT, like we talked about, the guy had stuff. This is a computer in his home that he's using, like, for like, Jesus Christ.
Justin:If you're at home and you're a main developer, and you're working for somebody like LastPass, you know, a big security company, I mean, I cannot imagine why you would put anything on your computer other than what you needed to do your your software development.
Bryan:Yeah. You should only be working from a company issued a company issued workstation
Justin:or laptop. Right. With no no applications on it whatsoever outside of what you need. And and then, man, you better be on a VPN, and you better have, like, I I don't know, key card access to your own bedroom. I don't know.
Justin:But, like, you know, this this is risky, this work from home movement. And it it's interesting that that starts to get, walked back a little bit where I'm seeing more and more companies saying, you know, come back to the office. And a lot of people complaining about it. But if you are gonna work from home, security better be higher on your list of priorities than it was when everybody was in the office. Yeah.
Justin:Garmin Garmin was breached that way when, you know, the great big Garmin breach couple years ago, it was the COVID work from home movement that that got them. You know? Somebody on a home computer had VPN access right back into the corporate. So every every security thing, you know, protection that they put in place at the headquarters, you send people home, they use their home computer and you poke a hole right through everything with their VPN and boom, you know? Yep.
Bryan:Yep. As far as software keyloggers for months. Yeah. As as far as software keyloggers, a a good way to make sure that those don't come in is preventing anyone from being able to install applications on on a workstation and or using, Zero Trust, software, meaning that any application that runs has to be already, a piece of software that is trusted by the computer. Otherwise, it just kills the process.
Bryan:That would get rid of software key loggers. Hardware ones are a little bit more difficult, because you actually there's you know, the information coming right out of your keyboard. I could see down the road there being some sort of authentication happening between, a keyboard and a computer, down the road, but but that's just not the case right now. Anything can impersonate a keyboard. And so yeah.
Mario:And also, a lot of things too is if you're running like a legitimate, like, security tools on the on the computer, like set like we, you know, set in a one or anything like that, it will most likely detect a lot of the software, KeyLogic because essentially it's malware, so it's gonna detect that stuff. So you wanna make sure that you're running, like, security on your your computers and your your network.
Justin:Yeah. And then we're gonna, you know, come back to this every single time is get a third party assessment. You know, I've got I've got we we do this podcast. I run, promotions elsewhere. I'm I'm constantly pounding, you know, beating the strum of these assessments.
Justin:And it it just it shocks me how many times people will look me in the eye and say, no. We got it covered. We're good. I mean, this is my world, and I don't I don't trust myself. You know?
Bryan:So fun fun thing. I I just I I had a feeling this existed. So I just I researched it just now. There's literally a keyboard you can buy that, you need a piece of software at a computer that will, send encrypted keys strokes to the computer and the software will decrypt it. So a hardware key logger would not be able to intercept any of
Justin:the communications. So as long
Bryan:as you're using the the keyboard that is, designed for it. How much? I don't know. And and I don't know how practical it is, but I could see that becoming the standard down the road, where the the keyboard is is especially in public places where where you're not locking down the rooms where key computers are being utilized. I could even when they are, I could see that becoming the standard very soon where where people can't use keyloggers because, the keyboards are, customized per computer.
Bryan:And, there's an encryption between the 2.
Justin:So the new memory is
Mario:Yeah. Actually, I think as a matter of fact, I think when I had to get that key logger for my church, I think I actually got it from Amazon. Like it's very easy to get this. I mean, I I just looked on Amazon. I don't see anymore, but, I know that there's this big thing now is this what's called the mouse, jiggler.
Justin:Mhmm.
Mario:That's a little USB that you put into the computer. And for people working from home is that it doesn't make the user go idle, you know, because that's how you can, you know, owners tend to tell if a user is working or not, if they're going idle, like in Microsoft Teams or not. So this little USB will go into the computer and it's like $6 and it literally move your mouse every couple seconds so you don't ever look idle and they think that you're being productive.
Justin:Yeah.
Bryan:It's a game. It's crazy.
Justin:Now we're back to, like, just just do your work. You know what I mean?
Mario:Do your homework work. There is no easy way.
Justin:If you're drawing a paycheck, I mean, provide a service. Anyways, no more soapbox stuff for me though. Too much of that as it is. So, yeah, I mean, it's there are some protocols here. Like, I'm not I'm not saying I'm there yet, Brian, but I I that's an interesting thing that you just found.
Justin:I love that every time I do one of these, record one of these podcasts as I learn something. And that just might have to meet my internal set of standards that I at least bring awareness to, you know, securing keyboard. Who thought? Right? Who who who knew this?
Justin:That's what we'd be talking about is encrypted keyboards, Yeah. Out loud. But I
Bryan:I Technology would be easy to implement. I can't I can't like, if they standardize it across the board, it'd be dirt simple. I mean, it would be a pain in the butt having to, program each computer to work with a unique keyboard. But
Justin:yeah,
Bryan:it would be it's it's a technology so readily available now that
Justin:If nothing else on your key players, like you again, I'm just like I'm I'm blown away by a developer who has that kind of access on that critical of a system, not being locked down better. That's that's shocking to me. So, yeah, if nothing else, my conversation with my clients will say, okay. Here's who are your key players? Your finance people, your every executive, you know, at least those people probably are gonna get encrypted keyboards moving forward.
Justin:So I'll have to do a little more research there and and, you know, update my internal standards. And that is the game. Right? Every every, use every few minutes, it seems we're reevaluating.
Mario:So customers are gonna look at us and laugh in our faces. Like, you want me to encrypt the keyboards?
Justin:Yeah. You guys are
Mario:a bunch of crazy people.
Justin:Yeah. And that's, that's exactly why we do this, right? Yeah. Because the general population doesn't know. And hell, I didn't know this before we started, researching.
Justin:And, I would have never thought that an encrypted keyboard would be the answer to anything.
Bryan:Yeah. But I guess it would all depend on the situation. You know, if you have got a bank a bank, then that might be a good thing to put in place. Right? Encrypted keyboards.
Bryan:But if you're working at, you know, a gas station, maybe not that important. Right? So it's a situational thing. Maybe not all the employees, you know, have to have that, but maybe your your finance and your executives, you know, any any organizations dealing with 1,000,000 of dollars, you know, what's what's that, you know, cheap keyboard that that does encryption cost in relation to the the potential potential damage?
Justin:Well, I think yeah. I think it comes down to, a, what does the individual have access to? And, b, how big of a target do they have on their back? Yeah. Right.
Justin:So if you have access to the vault for LastPass, let's go ahead and take some extra precautions. And if you're the CEO of a large organization, you know, you always have a target. So these are the people that we need to go above and beyond. But, yeah, for the everyday user, probably not so much. So, I don't know, guys.
Justin:This was an interesting one. I'm I'm kind of ready to wind it down, but I've, I'm not gonna lie. I've got some things to think about. Yeah. I'm just saying, it's the good and the bad of doing this.
Justin:It's it's kind of nice to not think about this stuff, and not be scared all the time. But, damn, there's there's a lot there's a lot to think about. So, that said, and and, you know, it to some extent, you guys were all kind of auditing ourselves as we record these and research them. But then we also all pay for and use utilize a third party service to audit ourselves, our work, and to look over our back. So that is our ongoing offer to the community at large.
Justin:You you cannot sit here and say I'm protected. I've got to handle. You just, I I mean, there are cases. Sure. But, like, for the most part, 90% of the population, 99% of the population, if you're comfortable with security, you're the biggest risk.
Justin:You're now the low hanging fruit. If you're comfortable, if you're sleeping at night, you're I've got a handle. I don't need this assessment. I'm good. Okay.
Justin:Best of luck to you. I'll see you at, doing your meeting.
Bryan:The next news article.
Justin:Yeah. So, jump on our website, guys, unhacked.live. There is a section, I think I called it free assessment. I actually forgot what I named it. I'm gonna take a look real quick.
Justin:Free assessment. Alright. There's a tab right at the top, free assessment. There's another tab for people, and you can see a little bio and links to all our social media for the 3 of us. So jump on there, reach out, and, we'll we'll put another set of eyes on it for you.
Justin:Mario, any final thoughts?
Mario:No. Just, you know, next week we're are we going live? Are we recording live?
Justin:That's planned. Yep.
Mario:Cool. Excellent. Alright. Cool. And we're talking about passwords and how to handle them.
Justin:K. So we've kind of already spoiler alerted the hell out of that one, but, yeah, we are we are are
Bryan:sick enough.
Mario:Well, are we are we I
Justin:don't need him. I mean, the episode today, we talked a lot about passwords. Thanks, Mario. There's there's still a lot to say about passwords that we did not get into. Here's a teaser because, Brian, I think it was you, said if you've got the master admin, you know, super duper access to a password manager for your entire team, you better have a really long password.
Justin:And it needs to be complex. It needs to be unhackable, I think, is what you said. Or,
Bryan:And it better not be your own account you're using every day.
Justin:Yeah. So so we'll break that down. How do you do that? Right? How do you how do you make your password unhackable?
Justin:Next week, tune in and and we will we will try to do that one live. I, I'm saying that cautiously optimistic, but I think we can pull it off. So alright.
Bryan:Every day, and that's the best we can ask for.
Justin:I love it. Alright. On Hack. Live, guys, reach out to us. Get your, free vulnerability assessment scheduled and be 1% better.
Justin:Alright. Take care. See you guys next week.
Mario:Bye, guys. Bye bye.