13. Passwords Are a Huge PITA! Let's Fix That
Alright, guys. Let's jump into this. Welcome everybody to episode 13 of unhacked. I feel like we're getting old. Episode 13.
Justin:You know, I was, I was filling out this little launcher podcast thing, and it it makes you write a description for the podcast. I thought, yeah, that's a great idea. What the hell is unhacked? Because I've kind of been all over the map with it. So I'm gonna read what I have right now, but subject to, updates.
Justin:When Russian hackers break into your business' computers, what will they find and how much will it cost you? How long will it take you to recover? Can you recover? Here's the sad truth. 97% of these breaches could have been prevented with basic security measures.
Justin:That's the pushback I always get. I don't have money. I don't have budget. I don't have time. We're just talking about the basics.
Justin:But once you get hit, you cannot get unhacked. So there's the title of the podcast. This is a weekly cybersecurity podcast for small and midsize business owners and leaders, executives. If you're in charge, if you're gonna be on the hook when something bad happens, this podcast is for you. And we're gonna help you sort through the ridiculous overwhelming, pile of recommendations, costs, time sucks and everything else.
Justin:If you followed every security practice that was out there, you're done. Right? You're out of business because you don't have time or money to do anything else. So we're gonna help you sort through all that and look for the stuff that gives you the best ROI. So that said, for the listening audience, guys, if you wanna get involved and participate a little bit better, go to our website, unhacked.
Justin:Live. From there, we've got social media links. We have Facebook group we just started. We've got a a YouTube channel, and you can watch live. You can interact.
Justin:You can chat with us, between sessions or even while we're recording live. So, and also see upcoming episodes, topics, and and whatever. So, today well, while I introduce today's episode, I just have to say that, one of our top fans, again, among the 1,000 and thousands of our listeners, one of our top fans asked me this morning. She's like, hey, Justin. What's the topic of your podcast this morning?
Justin:And I said, passwords. And she's like, oh my god. I'm not listening to that one. I use the same password everywhere. I don't wanna hear it.
Justin:And she walked away. Like, alright. So I I don't know. Hopefully, that's not a standard response. Hopefully, people do listen because, this is probably not when you introduce a subject.
Justin:We're gonna talk about passwords. Guys, do you guys get excited? Do you ever think, hey. This is gonna be great fun? Because I don't.
Bryan:I think the question's maybe a little because it's probably the easiest thing somebody can do, and has probably one of the greatest
Mario:to talk about passwords because I know it's not going to be just, like, a quick conversation. People are always gonna act surprised, like, really? You were able to see all the passwords that we were saving? I'm like, yeah. It's only, like, 3 different passwords, and you have you use it, like, 930 times, you know?
Bryan:Oh, yeah.
Justin:So I I ran a scan, one of the scans that we always promote that we do for free. I did one for a prospect, and, I pulled up the report, and I'm like, these are all the passwords I found on your computer. These are all the passwords I found on the dark web. Are any of these still in use? Yeah.
Justin:All of them. So, Yeah. Probably is one of the best things, most important things that we can do with the biggest bang for your buck. Alright. Let's do some quick introductions.
Justin:Brian, let the audience know who you are, where you're from, what do you do, I don't know, your favorite pastime, something personal about yourself.
Bryan:Yeah. Sure. So Brian Lachepout with B4 Networks in beautiful Ontario, Canada, down in the Niagara Falls region. President and CEO of B4 Networks. We provide computer support services to our local businesses.
Bryan:And, something may be personal about me is that, I'm a a champion of improvements. So just micro improvements every day, how to get better, how we can improve our community, and our clients.
Justin:Is that like the Darren Hardy, what does he call that? No? Okay.
Bryan:No. It just it's just more personal. Okay. My personal He
Justin:wrote a book though.
Bryan:Why and yeah. I'm sure. Probably. Yeah. Just I've adopted that as our personal why and a why for our organization and
Justin:I love that.
Bryan:I
Justin:mean, it's one of mine too. Like, that's what I try to do with my quarterly meetings with my clients is let's look for one place that we can improve just a tiny bit. Keep doing it over and over. So I love that. Absolutely love that.
Justin:Real quick, Brian and I met, I don't think we've introduced this, maybe we have, but, you and I met damn near 10 years ago. 10 years ago, actually. Exactly 10 years ago. 2015. In in Nashville, in a peer, I guess, marketing group, but it's evolved into way more than marketing.
Bryan:Mhmm.
Justin:And and we've been, we've been friends ever since. So I've watched you, Brian, grow from relatively small to
Bryan:3 employees.
Justin:Very impressive. Yeah. 3 employees to how many now? 20 something?
Bryan:22.
Justin:Very impressive. So love it.
Mario:Are you trying to say that we're not friends just
Justin:I'm not there yet. I haven't done your introduction yet, Mario. Jesus Christ. Calm down. We're all pretty here, guys.
Bryan:Mario. Yeah. Hey now.
Justin:No no digs at at me. Mario, same thing. Who are you? Where are you from? What do you do?
Justin:Something personal, something interesting about yourself.
Mario:So my name is Mario Ocasio of MasTec. We are located in New Jersey right outside of, New York City. I was actually there this morning. We've been in business this coming June will be our 20 year anniversary. Out of that 20 years, I was, you know, 15 of it.
Mario:It was just me. And with the emergence of cyber cyber, attacks and stuff like that, we are now much bigger. We're, 11 employees now. So, we're getting there and, you know, every day I'm learning something new. And, you know, I can't say I'm proving as much as Brian, is.
Justin:Nobody is.
Mario:You know, but, every day we do learn I do learn something new, and I try to pass it on to my employees and and my customers as well.
Justin:Well, I've got to say, Mario, if you were a a solo entrepreneur, a one man band as it's called in the IT world for 15 damn years, like, you deserve a trophy or an award or, like, if I'm in your shoes, I'm gonna submit my name to a competition of IT companies and see if I could maybe be the best in the group. Have you ever thought about doing something like that?
Mario:It it's crossed my mind before. You know, I I did get a little push, you know, from a group that I'm in weekly. They did force me to to do it even though I want I didn't wanna write the essay, you know, but they forced me to do it.
Justin:Alright. Stupid inside joke guys, Mario. So Mario and I have been friends not quite as long as Brian, but, we all go back to Nashville and other places and hang out, and we we try to get a little bit smarter, drink a couple of beers together, and share insight in the industry. These guys here, the the 3 of us are, I mean, we're we're a solid group of friends. But one thing I will say about this group is none of us are standing like how did the guy put it one time?
Justin:You don't let moss grow on your feet. Right? Right? We're constantly working, improving, because in the world of cybersecurity, if you're not doing that, good luck. Right?
Justin:So, Mario, how long have you been in our group? Has it been 3 years?
Mario:About a, about a 2 years.
Justin:2 years. Way off. Way off. Okay.
Mario:Well But but the thing is, when I joined you guys, it you know, I was pretty much, I think, 3 employees. It was just me, one other tech, and, like, an admin.
Justin:And now you're 11. Yeah. You
Mario:know, now I'm 11, and you you know and then, honestly, it has, you know, a lot to do with you guys, so I appreciate it.
Justin:That's a great group to be involved in. My story is a little bit different. So, I've been doing IT, I say IT because it wasn't called IT when I started doing it. It was called computer repair or fix it shop or something like that. Started in 1997.
Justin:Actually, I my passion for technology was born when I was, I think, 12 years old. My dad brought home an Apple 2e. Have you guys ever heard of this device?
Mario:Oh, yeah.
Justin:Okay. Well, I I don't know how many what percentage of our audience does, but let's just say I'm dating myself. That's an old machine, dates back to the eighties. Got into computer repair as an adult and, quickly realized I needed a criminal justice degree, which I, earned from the University of Hard Knocks. I have that framed and hanging on my wall right now.
Justin:I have been involved in one breach, with a client that was very devastating, and that was my turning point in the world of technology. That's where I went from the mindset of a computer repair guy to, oh, shit. We're fighting Russian crime rings, organized crime rings. Right. And this is serious business.
Justin:So that's that's how this, I guess, movement of mine was born where security is my number one focus. I won't say it's my passion. Passion is business. Passion is, growth, profitability, productivity, but this is what will keep me up at night if I don't pay attention to it the most. So, alright.
Justin:There we go, guys. That is those are your, your hosts. And now if I can only figure out how to work my computer, I'll pull up my notes and we'll continue on. Alright. Here we go.
Bryan:Justin went from a, computer repair guy to an IT specialist to a crime fighter. I love that progression.
Justin:Pretty much. Yeah. Yeah. Anyways, okay. Let's, let's talk about let's talk about passwords.
Justin:And apparently, this is one of the most exciting subjects available to the lay computer user.
Bryan:Please, no.
Justin:That you you know, these are always interesting to me. I don't think I've ever done one of these podcasts where I prep for it and we present and you you guys, we all talk about this and we, throw shit around and we banter. I always come away a little bit smarter. So that's actually one of the selfish reasons I do this podcast. But today in the world of passwords, I'm like, I know everything.
Justin:I don't need to worry about this. I I can come, I can show up, throw up, and create a great episode. But then as we're going through these my shit. Here's another angle that I hadn't really considered, and I hate that and I love that. And the one that really stuck out to me was Ticketmaster.
Justin:Don't like using names, but I'm pulling this off of a news article. Somebody else put their name on it. So here's what Ticketmaster did, guys. This is new and and ballsy. They hired somebody from one of their competitors.
Justin:That employee brought over a list of passwords, an internal document, and shared it with Ticketmaster. Yeah. It was, like and it got shared throughout, you know, some of the their leadership meetings or whatever. And they took that information and used it to illegally access and spy on their competitor. That blows my mind.
Justin:This is a big name. This is a federal crime. This is not a small thing. And I, you know, we we talk about fighting crime in Russia, but Jesus Christ, this is a company that we trust and know and do business with, And and that's the type of behavior. I was horrified.
Justin:I'm not gonna lie. And now I'm thinking, okay, great. So not only do we have to protect against criminals, we've gotta educate our clients on basic ethics. Like, that's not what I'm doing. I'm not your mother.
Justin:Yeah. So, anyways, I I guess I have to add that into the list. It'll go on my, internal policies or whatever. So, do you guys have any thoughts on on the Ticketmaster breach? Anything that came to your mind there?
Justin:Not breach. I I I have to back up. It's not a breach. This is criminal behavior. Thoughts?
Mario:Oh, well, I Sorry. Go ahead, Mark. Sorry. I mean, the one thing that I noticed is is, again, coming back to basics, it's 2 factor authentication. I mean, the without having that in place, like, it's tough now.
Mario:For 99% of your your things online, you know, there's you have your username, you have password, and you have 2FA. Username is usually either admin or your email address. Password, it's not that hard to to crack, and we'll talk about that. Your last line of defense is really 2 factor authentication. So if you don't have 2 factor authentication, then you're going to get, it's a matter of time when that password gets breached.
Bryan:Right.
Mario:You know, especially if you're using it multiple times, or if it's a relative's name, your dog's name, you know, with a date of birth, it's come on guys. I mean, these guys, the, these hackers are not like the, this third, they're not in this third world country, you know, working off like a 20 year old machine. You know, they, they have the best stuff, probably better than what we have here, you know, to, to try to get as much information as, as they can.
Justin:Right.
Mario:And that was what happened here. It's just no 2FA.
Justin:Yeah.
Bryan:This, the story, of Ticketmaster actually brings to mind something that actually happened to me recently. Not a breach, not a not a not not criminal behavior, but just goes to point out how passwords, can be, compromised in odd ways. We had taken on a re a new client about, I wanna say about 4 or 5 years ago. And as part of taking on a new client, we always want to, move their their domain name, whatever their website is at, over to our management. And so we had reached out to the customer and they told us a couple things about where they are.
Bryan:They they couldn't figure it out. So we did a little bit of searching on their domain, figured out who who had it registered,
Justin:for
Bryan:for a bit. They they they they obviously had some security precautions or procedures. Anyway, in the end, they gave us access. They reset the password, send it to us. And when we logged in, it turned out it was the previous MSP's entire list of clients and out of their domains.
Bryan:And so, of course, I'm an ethical person, so I hopped on the phone immediately with them and said, hey, guys. Like, the the domain company gave us access to this. Here's the login. Here's the password. Change it immediately.
Bryan:We're we're you know, obviously, I don't want anything to do Yeah. With with that. Right? And and, of course, they were, like, yeah. We we we realized that it happened.
Bryan:And, you know, we were about to reach out. It was like, yep. Nope. Want nothing to do that. Anyway, the point being is that somebody at that domain company, and I'm not mentioning names, they did something that, you know, they should not have.
Bryan:And had 2FA been enabled, and we'll dive into that how the precaution or the procedures we could use to protect against things but that that would have been a non issue completely.
Justin:So you're talking about the registrar did this? The registrar messed up?
Bryan:Yep.
Justin:Okay. So guys, a registrar is where you go to register a domain name. So GoDaddy is an example. Network Solutions used to be the big name. There again, I'm dating myself because they're kinda nonexistent.
Justin:Are they? Do you guys ever use NetSol anymore?
Mario:Yeah. Yeah. Not that they're. As much.
Justin:But they're not very they used to be the name, you know, and now GoDaddy took that from them, handily. Anyways, so that's a big Yeah.
Bryan:It was a it was a
Justin:big script.
Bryan:Again, won't mention names because
Justin:Right.
Bryan:A, I don't remember, and b, I would never do that anyway.
Justin:Right. Right. Damn. Okay. That that's a big one.
Justin:Yeah.
Bryan:Just thought, like, I I don't know. Just it came to mind when we were talking about this. So
Justin:Yeah. Well, you know, here's another interesting thing about the Ticketmaster situation is, exiting employees. How in the hell did this guy walk away with a list of internal passwords?
Bryan:Right.
Justin:A, those shouldn't be documented. I've got I've got scans running on my clients regularly right now, you know, and, I just got one popped up for 2 different workstations in one of my clients. The scan picked up a a spreadsheet with passwords, you know, like Yeah. That's where they're storing passwords. I'm like
Bryan:Oh, but they locked the password sheet spreadsheet with password.
Justin:Right. Justin. Right.
Bryan:That's secure.
Justin:That's secure. That works. Yep. Also, another
Bryan:another way
Justin:to do it This
Bryan:is not awkward.
Justin:Write your passwords on the bottom of your keyboard or something. That's a because nobody checks there. So No. Life Hacks by Justin Shelley. Follow me for more advice.
Bryan:Yeah.
Justin:So, yeah, I I like, we've gotta be careful what information we're letting our employees have access to in the first place. And then when they leave, you gotta get that back. Then there has to be a procedure in place to, you know, to know what they had access to and how to revoke that access. So again, this one kinda floored me. I it just it, not something I think about when I think about passwords.
Justin:I think about password management tools. I think about 2 factor authentication. I think about rotating passwords, you know, the the normal blahdy blahdy blah that we always hear. But damn. Okay.
Justin:Alright. Let's move on. Let's let Ticketmaster rest for a minute, because they've received a severe enough beating for the moment. And I think, Brian, you wanted to talk about New York City?
Bryan:Yeah. It was a it was a, I I don't remember the exact year, but I remember reading about this. So I looked it up a little bit and, essential it's gonna be a very short conversation because there's not a whole lot of information about it. But, there's New York City law department. They had, an attacker basically had access or got access to an employee's stolen passwords.
Bryan:So here's the here's the kicker. They had put out a policy years before indicating that they had to have 2 factor authentication enabled, and they they complied quote unquote with that requirement and attested that they had 2 factor authentication across their entire, employee base, and surprise surprise, they did not. And so the, attacker got access through that employee's account, and the damages were essentially that the attorneys attorneys for the New York City law department were unable to basically access any electronic files for weeks weeks after the incident causing huge amounts of delays, and cases that attorneys were working on. They weren't even able to basically prepare depositions or answer complaints or submit briefs. So it it was, it made the news, like, quite quite extensively back then.
Bryan:And it sort of like anything else, cybersecurity, they they tend to, you know, fall off of people's radar but I I felt like that one is a pretty, important one to bring up because, you know, this is a one person having access to something. And we'll talk about, I'm sure, later on in the podcast about, you know, how to limit the the damage even if a password does get, breached, through, least privilege, but I'll I think I'll I'll end it there for now.
Justin:Well, okay. So let me dig into that, though. 2 factor authentication, they were required to have it. They said they had it. They didn't have it.
Justin:Did it ever get to the like, in the weeds about how that happened? Who was responsible? How I mean, was it was it something malicious that disabled it? Was it just somebody didn't do their job?
Bryan:Somebody didn't do their job. Somebody who who, I mean, here listen. When you have something like 2 factor authentication being a mandatory thing, it's not a set it and forget it. I mean, you can you can configure most systems to require it. But in a lot of cases, they can be disabled on an individual case by case basis.
Bryan:For example, if you're resetting someone's password, or if they they got locked out and they need to to to gain access to it again, there's a mechanism in the back end for us to take off 2 factor authentication Right.
Justin:Of
Bryan:that account temporarily. Maybe that's what happened but it it was not a a, an attacker that that removed 2 factor authentication in this particular case. It was just never either never turned on in the first place or had been temporarily disabled and and maybe forgotten about.
Justin:So one of the things I like to tell people is that if security isn't a giant pain in your ass, you're doing it wrong. And one of the things that I have seen is that, I mean, 2 fact 2 factor authentication is a pain in the ass. I hate it. I can pull up my phone and show you like I have dozens and dozens of, you know, apps set up on my MFA, authenticator. I hate it with a passion.
Justin:And if I hate it, and I live in this world and I know the ramifications of it, our end users hate it even 10 times more. And not only that, but they hate us for making them do it. Right? Yeah. So it's not really that far that much of a stretch to think that somebody had a legitimate reason.
Justin:They were they were angry, they were emotional, whatever. They had to have 2FA turned off for a period of time, and then maybe they forgot to turn it back on. I have run into that before. Yeah. But it does, I wish we knew, but I can I can, theorize or maybe just illustrate, you know, one of the the human brain is wired with 2 very specific flaws that hackers love to breach, and one of them is that we like to avoid conflict, and the other one is that we are wired to help people?
Justin:Yes. So you've got some poor lowly help desk person who gets a call from, you know, whatever lawyer who has to get into his shit and he's gotta get it right now because there's whatever he's prepping for and this is a big case and it's, like, get me into my stuff right now or I'm gonna have your job or whatever. Right? So that you've got to avoid conflict and trying to help both of these. You're you're you're hacking this dude's brain, whoever disabled MFA.
Justin:Now, again, I don't know that that's what happened, but it certainly could be. It's very similar to what happened at the MGM in Vegas. Right? It was it was that type of an attack. So maybe, maybe not, but it is it does illustrate the importance of constantly reviewing, you know, having our internal standards, constantly reviewing them, constantly double checking, because, yeah, I've got policies that say you have to have 2FA as well, and I have found them turned off, and I don't know how they got turned off.
Bryan:Yeah.
Justin:Right? I don't know. So we have to constantly be reviewing that stuff, so.
Mario:And like what we were talking earlier, like, it it doesn't really like, we you know, the IT people, like, your MSP, they don't really want to force this upon you. You know? Like, it's just Oh. Their job. You know?
Mario:When when we have customers that say, really, do I need to change my password every 90 days? Do I need to change it every 6 months? Do I can I really not reuse it again? You know, like, it's we're like, we're doing this because of what that this is what you're paying us for. You're paying us to be secure.
Mario:You know, you're not paying us for saying, oh, yeah, no problem. Let's make a password 123, you know?
Bryan:Yeah. Yeah. That's one thing I learned a long time ago. I I can I will never be a yes person? You know, if I go to a a hospital and say, well, do you really need to use antiseptic?
Bryan:The doctor's not gonna say, ah, well, for you, Brian, no. We won't because no. They're just
Justin:And I don't wanna pay for that antiseptic.
Bryan:Yeah. Yeah.
Justin:Or or,
Bryan:you know, I, I'm I'm going to my accountant and Do I really have to claim all this income? They're not gonna say no. And if they do, they're unethical and they'll probably go to jail because they're professionals and they have an association. It's the same thing for me. I I won't I won't I refuse.
Bryan:And we don't have an association, f y I. So I don't know if we're gonna dive into that, but
Justin:Well, I mean, if if you put, like, bring this home to us because I'm talking about the lowly technician, but, you know, when I've got a client who's writing the check, and it's a sizable check, and I need that money, and they come to me and start bitching about this stuff, I mean, sometimes it's hard to sell a password manager. This is why this is why I'm actually excited about this episode is because I've been trying to pitch password managers to my clients. Adoption rate is abysmal.
Bryan:It is.
Justin:There's there's a financial cost to it, and then there's, you know, the the learning curve. You've gotta get it set up. You've gotta get it configured. You've gotta get all your passwords into it. It's kind of a pain in the ass.
Justin:And It
Mario:was worth
Justin:it when they
Bryan:set up though.
Justin:Oh, I I I can't live without it. Oh, no. But getting somebody to adopt it when they are used to opening up a spreadsheet with I'm not kidding. I've seen spreadsheets with, like, dozens of pages and thousands of passwords that they just have to do a control f to find it in the first place. Like, oh my god.
Justin:And they'll print that thing off and hand it to me and say, hey, I need you to do x y z. I'm just like, Jesus Christ.
Bryan:Please don't have to. Going around? How many copies are out there?
Justin:It's crazy.
Mario:So funny story for you. So my wife refuses on using a password manager, and it took me a very long time to convince her to at least use a more advanced password setup than whatever she was using. She can't remember any of it. Every time she needs to log in to something, she always has to do forgot password. Oh, yeah.
Mario:And she puts it in and then ends up having to reset it every single time she wants to log in to even her her Apple Itunes, you know? Yep. So
Justin:I I
Mario:just looked at her mind.
Justin:It's one of my clients. Because I I swear to god, I've got a client exactly like that reset every single time they need to get into something. And then I go set up I did. I I shit you not. I wouldn't set up personally.
Justin:I personally owner to owner. Right? Business owner to business owner. I sat down, set the thing up, and I I still get calls all the time about lost passwords, forgotten passwords. So adoption rate is a trick.
Justin:And and, again, you know, none of this stuff is easy, but we really are trying to filter through the noise and and recommend the stuff that's gonna give you the biggest bang for your buck, and password managers is one I cannot recommend enough. So alright. Let's stop beating that horse for a minute. And, Mario, I think you've got a breach you wanted to talk about.
Mario:Yeah. So I wanted to talk about, Verkada. Now, Verkada is not really a well known name like, New York City or Ticketmaster, but they are a high end security surveillance company. And they are in places like Tesla facilities, jails, Equinox gyms and stuff like that. Their cameras are not cheap.
Mario:And the beauty of them is that they record right to the cloud. You don't need a box. You just need internet for these cameras. They actually sent me like, I think it was like a $5,000 camera to demo. And the day it landed on my, my desk, I actually want to go and I typed in their name to, like, go to my lock to a login so I can set up an account and all this stuff came up about how a day or 2 prior they were breached.
Mario:Yeah. Now they were breached just by basic, you know, bad password management. And what ended up happening is these hackers gained access to over 5,000 secondurity cameras, and some access door controls, for companies like I said, Tesla, Equinox and stuff like that.
Justin:So they could remotely open the door?
Mario:Yeah. To
Justin:I'm just
Mario:And, and the thing is, is I remember they were uploading images of, or videos of jail cells to Tesla facility. Like there are certain warehouse areas in Teslas. I remember seeing pictures clientele. But I'm like, if I can get these clientele support one of these things in, one of these cameras in, or several of these cameras in, and they get breached like this, it would look bad upon, you know, myself. But, you know, reading about it, I I they say that, you know, it was literally just an admin, you know, an admin password that was leaked online because of a misconfigured server.
Mario:And it literally gave them access to the, you know, to the whole kingdom. And, I, I, you know, it's And like I said, these are high end names, like Tesla, Equinox, and government offices and hospitals, schools. You you know, if it's a school, you don't want your kid, you know, a video of your kid to be posted online, you know, Speaker one (1:2):
Bryan:So Mario, quick question for you. Did you, did you install
Mario:that's They lost they lost a potential customer
Bryan:And not just 1.
Mario:Because Yeah. But by then, the damage was stopped. Done. You
Bryan:know? So I I often wonder about things like that because, obviously, there's a reputational damage of of a breach. Right? There's the there's a legal implications of a breach, but then there's the reputational damage of a breach. And in most cases, it's really hard to come back from that.
Bryan:And sometimes I wonder though if those companies who got breached, if if they aren't the ones that you want to go with because now they've experienced it. Right? Now they know what it's like. And and you know how they say, like, you you typically being is, you know, if you do get a breach, they're they're not gonna be blaming the attackers. They're gonna be blaming you as an organization.
Bryan:So, you know, when we're talking about cyber security, we're we're really talking about your reputation.
Justin:You know, and and this is a good point because, you know, again, with the theme of a podcast, we're trying to sort through the the overwhelming, recommendations, the cost, the everything involved in cybersecurity. There is a cost associated with it, but when we're out trying to promote something and somebody's complaining about $6 a month for a password manager or whatever, you have to put that against the cost of a breach. And when we talk about the cost of a breach, we typically cost about talk about the hard costs. But it's hard to individual employees or the the leadership team or whatever. I mean, those those costs aren't quantifiable, but they are devastating.
Justin:You know, we're talking you're talking about a $5,000 camera and, okay, they lost one sale to you, but it doesn't take that many sales with a company selling high end products to really do some damage. So, yes, we wanna minimize the cost and effort in in preventing these breaches. Like we always say, you can't come back from it. You can't get unhacked. So you you've gotta do your due diligence.
Justin:You have to. Yeah. So okay. High horse, you know, jumped off of that. Thank you.
Justin:What what else did you needed to discuss on, Verkada? Am I saying that right? I have never heard of these guys, by the way.
Mario:Yeah. Yeah. Verkada. Oh,
Justin:I did have a question. I'm I'm assuming this was some sort of a ransomware, like, an extortion. Did they were they asking for money? They're uploading clips that they found, and they're showing the world, hey, we got them. What were they asking for?
Mario:You know what it is? I I didn't see anything about what they were actually asking for because I know within 6 hours, they were able to get them out. So I think it was and this is one of those rare things where they weren't able to actually encrypt, any information or they may have caused some damage to video, like recordings. But it's not you know, with video cameras, it's a little different than, like, a, a QuickBooks file or an Excel file and stuff like that. I mean, worst comes to worst, you just lose everything that you had prior, and then you start, you know, recording forward.
Justin:Yeah. I mean, if I'm a bad guy though, and I get in there and and take that, I've got access to their video. First thing I'm gonna do is show them the video internally and say, hey, I need about a, you know, 2, 3, 4, $100,000,000, whatever it is, because I also know how much is in their bank accounts if I breached their their system. I need that money, or I'm going to take these videos, and I'm going to damage your reputation. I'm gonna show the world just Yep.
Justin:You know, like so I I'm curious. I'd love to know the outcome there if if there was at least an attempt at extortion, which I expect there was, or if this was just, like, some poor bastard who's, like, I don't know. He this is his first hacking job, and he's, just totally fucked it up. You know? Like, what what went wrong that that, there wasn't an extortion element of this because there usually is.
Justin:But and maybe there was, and we just don't know about it anyways. Random. Random.
Mario:Yeah. I'm sure there's probably something.
Justin:Random musings of Justin's brain. Alright. What else? Brian, you had just some I think just some general things you wanted to talk about as far as, storing passwords and browsers and Yeah. Stuff like that.
Justin:Do you wanna take it?
Bryan:Sure. So there's there's different things about passwords. So we've we've talked a little bit about, you know, reusing passwords and and and, you know, we haven't gotten to it yet, but the complexity of a password and why that's important, which I'm I'm sure we'll touch on shortly. But, one of the things I wanted to address is how passwords are how are how are criminals getting the passwords. And there's a couple different ways that we can get it.
Bryan:I'll mention a couple and I'm sure Justin and Mario will probably hop in here. But a couple a couple ways they primarily get it is, 1, the dark web. So for those who don't know what the dark web is, it's just a really, a place where the criminal underground goes, online to, exchange information. And, I won't dive into it too much, but point being is not somewhere where, typical people go. And they'll after a breach, after criminals breach cyber criminals breach into networks, they'll often put it up for sale there so other people can carry on And do whatever they're gonna do so it's almost like, you know crime as a service.
Bryan:I I did the first part I've I've breached and got a bunch of passwords, and now I'm gonna put them up on the dark web, and people are gonna buy it, and then they're gonna do their part and right? And we all make money. And so for people who love reusing passwords, when you get a breach, and I've mentioned this at many conferences and many many speaking engagements. If you reuse your passwords, in most cases, your login name at almost every single website you visit is your email address.
Justin:Right.
Bryan:And if you're using the same password on that website that you do for your email address, they now have password to your email too and What can you do with the password to an email pretty much reset everything? Everything. Password there is. Yeah. Right?
Bryan:So, that's one way that they they can get, access to, you know, your passwords is by breaching into your email by using, your password that that may have gotten compromised somewhere else because people love reusing passwords. And the other way that that people can get passwords is,
Justin:like our our number one fan that I mentioned earlier.
Bryan:Yeah. Yeah. And the other way criminals get passwords is actually, a lot of us well, not me not me and probably hopefully not my peers here, but a lot of a lot of people love to save passwords in Google Chrome and and and, Edge or Internet Explorer, and they they love using the password manager that's built into those just, there's a feature here in the password manager to import all the passwords from Chrome. And within seconds, it had every single password that I entered into Chrome imported into into the password manager, and I thought, If it was able to import those passwords without me authenticating or doing anything, pretty much anything that gets access to your computer can also do the same. And and now we've obviously we know a lot more about password management and whatnot.
Bryan:There's tools that we run on our clients' computer systems that actually scan that, grab those passwords that are in their their, Google Chrome and their their their Internet Explorer, which we disable, by the way, now by default for most of our clients. And and we show them, like, here's your passwords. Right? Like, obfuscated, of course, start out some of the passwords and say, like, you know and and some of these passwords are breached on the dark web because we we could backward search those as well. So that that's another way.
Bryan:Don't use the browser password manager. They're they're notoriously weak. Apple does have slightly better, if you're using the Apple, password manager on the device like a mobile phone. Those ones are for the most part, as far as I know, secure but I still prefer a password manager that I can use across all all of the, the
Mario:third party. They're secure, but it's a pain in the butt to export. You can't export it. Yeah.
Bryan:So those are those are a few areas that I know of that people at least people get passwords, and and I think we talked about spreadsheets as well, but maybe Justin and Mario have other other things that they know of that maybe
Justin:Well, I'll I'll piggyback off of that, and you kind of alluded to it, but I wanna directly call this out that that vulnerability assessment that we offer for free will go in and search for these and, you know, this is one of the things I like to tell somebody. Well, and I think I opened with it. When they hack your computers, what are they going to find? We can show you that.
Bryan:Right.
Justin:And once we have that information, then we can go to work remediating it because, you know or or at least mitigating some of these risks. But, when we don't even know they're there, that's where the real problem is because Yeah. I mean, listen, you can click any link. You can go to a website. I don't know that everybody knows this.
Justin:You can visit an infected website, completely out of your control, but you go to their website, it can download malware right onto your computer. So they it could, in theory, down you visit a website, a reputable site, it downloads the thing, it pulls all your password, and it exfiltrates them. It uploads them to their servers. You don't have to do anything. You don't have to even be aware that you were breached.
Justin:That can happen behind the scenes. It can happen instantly.
Bryan:Yep. And then 2 weeks later, somebody's in your email and you're going, how did I get breached? I don't remember doing anything.
Justin:Right. And it's not necessarily just passwords that you stored intentionally because some of this stuff is stored in memory or it's stored in, you know, little cache files or whatever else. There's so many places that this stuff can get stored and that can be accessed by the criminals. So,
Mario:yeah. Be one click
Justin:and the viewing of that site download stuff to your computer. Right? All the all the images, all the text, everything you're looking at, you didn't click to bring that onto your computer, and you can bring malicious code down as well in that process just viewing an infected site. So, yeah. Yeah.
Justin:And the These scans are critical.
Mario:The one thing I I do wanna add is, like, there we, you know, we're mentioning some of these simpler things. There's obviously a lot more things that they can do, like, force, you know, password, you know, force attacks and stuff like that, spray attacks, or they're trying multiple passwords. But ideally, what you're trying to do is you're trying to just, like, if these guys wanna get in, they'll probably get in. But you wanna delay them. If they feel like if you could delay them for like a few minutes, you don't have something simple.
Mario:Or if they do get in, they see 2FA and they just move on. You want them to just kind of get the, you know, frustrated for a minute, 10 minutes, 5 minutes, or whatever, and just move on. That's, you know, that's the, you know, the whole thing is that you're trying to not only be secure, but if they can get in, they have to have work for, you know. Yeah.
Justin:Don't be low hanging fruit. You know, we we talk about that frequently. So, okay, we can steal passwords. We can, for the bad guys, you know, they can, employees can give them to us. That's a great, great employee.
Justin:I'm sure he got a bonus for that. The bad guys can steal them off the or buy them off the dark web. They can break into our computers and steal them off of our, you know, our our local hard drives history, whatever else. And then, you know, what's actually probably becoming a little less common is the the real hacking of a password. And Brian, you talk about that a fair amount.
Justin:I think didn't you see a demonstration or something recently where where they discussed how quickly a password can be actually hacked?
Bryan:Yeah. I took a cyber security course, at the beginning of this week, and and I do this regularly just to learn more about it. I went to a conference last week or 2 weeks ago, called Write A Boom that basically, instructs us on, you know, things that to look for after a breach, but also how to protect them. And, one of the exercises we did in the class was, you know, how to, essentially crack a password and so they they had a list of a bunch of different accounts, so we we pretended we had a Windows account for example a Windows, server or desktop where there was a bunch of accounts with passwords and, and then we used it essentially a list of passwords that were common, and we were able to within about 30 seconds, we were able to get at the passwords of some of these some of these accounts. I won't dive into the details of exactly how it was done, but know that within, you know, within literally 20, 30 seconds, 5 of the accounts we had we had hacked and broken to.
Bryan:Now this was all, like, you know, phony and it was all,
Justin:it's staged but it's still pretty accurate. Yeah.
Bryan:But it was very, very accurate and and, just reinforced for me just how important these passwords and setting up proper security and 2FA and long passwords and things like that.
Justin:Okay. So long passwords. And and I apologize. I might have missed it if you said in the beginning, but when they were doing this, how long were the passwords that they were doing this?
Bryan:About 8 to 10 characters.
Justin:So yeah. And I think the the common recommendation, 8 used to be the number. Yeah. And it's not anymore. I won't do a password less than 15.
Bryan:Yeah. So I I posted a, a chart, for all of you. They'll see here for like the my peers here, but, essentially an 8 character, lowercase only, password will instantly be breached. If it has at least one upper character, you know, letter in there, 22 minutes, a letter and a number, 1 hour and a letter number and a symbol, 1 hour or 8 hours, and that's for 8 characters. And so none of those are are are good enough anymore if it's, if you're using the uppercase numbers, symbols, and everything up to 15000000000 years.
Bryan:So I think you're pretty safe there, Justin.
Justin:Yeah. Randomized complex passwords is still the best recommendation, assuming that they haven't been breached and sold on the dark web. Right. And I still come back to password managers because we as humans cannot do that. We can't create and remember that many passwords, and you can't do it just once.
Justin:You better, goddamn, better be doing a different password on every site. Right? Like
Bryan:Which is where the password manager comes in.
Justin:Yeah.
Mario:And the password manager will create the password for you using Correct. Uppercase, lowercase Yeah. Special characters. You know, you can set how long you want it. Like, I think mine default is, like, 20 and, you know, all you don't even need to even look at the password.
Mario:All you have to do is click on generate and then click on save and it saves it right onto the website. Or when you're creating an account, it pops up like, hey, do you want me to create a password for it? And you click on yes. It enter it injects it right into the website and it saves it automatically. You will never actually, because you look at the password.
Mario:It's just a bunch of letters, numbers, and characters. Yeah.
Justin:Right.
Bryan:And and and there is new technology out as well. I don't know if we were planning on talking about it, but I figured I would. Google, Apple, and Microsoft got together and and established a standard. And then there may have been other companies involved, but those are 3 I remember. Well, passkeys, and that's a newer technology that's slowly worming its way through, all the different places.
Bryan:So if you see that terminology, passkeys, it's essentially a password solution. And and now, instead of remembering a a long password or having to do anything like that, your, your password manager actually stores essentially what I would consider a certificate or, you know, a long string of characters that even you don't know and even, you know, a criminal. And then you require, like, some sort of authentication like a fingerprint or something to be able to send that those credentials over to the website. And I won't get into all the details, but it's it password list essentially is is coming, and it's called passkey. So if you see that anywhere on a website, you may wanna consider switching to that technology over a password.
Mario:Yeah. Essentially, you'll just get like a pop up on your cell phone, you know, and it'll show you like the location that's trying to log in. And, you know, obviously if it's you, you click yes. And it just logs you in. If it's no don't click it, you know, but, you know, if it's you, you just click on it and and you're in, there's no passwords.
Bryan:For the past keys, it it doesn't do that. You have to be the one who's initiating the the connection for it to send the key. It's not a push technology. So
Mario:Oh, okay. Yep.
Justin:Alright, guys. Well, I just wanna point out, Brian, I think it was you, as we were prepping, we hadn't even hit live yet. And you're like, this is gonna be a short one. We don't have very much to talk about. It's gonna be like 10 minutes, but those are great.
Justin:Yeah. So we're we're now 45 minutes in, 46 minutes in. I I I hope it wasn't too boring for those who hate the topic of passwords, but let's go ahead and wrap up. You know, just if again, simplifying, cut through the noise. Passwords are a giant pain in the ass, and they don't always work right.
Justin:That said, this is the world we live in. Even though new stuff's coming today, we still have to use and manage multiple complex passwords. So, you know, if we're talking about how how do passwords get breached, we've we've hit that. It's usually, an employee who stole them and handed them off to your to your competitor, or it's some malicious criminal. I guess that's the same thing in this case.
Justin:But, how we know about it is we've got a scan. We have to be, you know, we have to be informed. And this is I love this topic because it's kinda what we're preaching every week is let us come run this free scan for you. It's it's painless. It's simple.
Justin:It's free, and all you do is walk away with free information. Do what you want with that information later. I suggest you hire us to fix this stuff, but at least know about it. Right? So, we run dark web scans.
Justin:We run scans on your local computers, and we give you that information. So now once we have that information, my number one recommendation comes back to password managers. And at 2FA, it kinda goes without being said, hopefully, but not really. So those are the answers. Do you guys have anything else that you picked up from our recording today?
Bryan:Well, just to wanna add about the the vulnerability scanning even if you've had one done recently or or you know, 6 months ago, vulnerability scans the the security is always changing. Threats are always changing. Everything's changing constantly. And so having a vulnerability scan done on a regular basis, is is recommended. So if you've had one done, you know, recently or last year or half a year ago, get it done again.
Bryan:It doesn't cost you anything for for having one of us do it and it will just give you that peace of mind knowing hey, I've gotten a new relatively new, vulnerability scan that I can now remediate anything new that's come up that's changed in the industry since the last time I got one done. And if you partner with one of us, then you can have that scan ongoing, you know, through part of our services. So
Mario:Question. I'll I'll I'll contact this one. Sorry. I was saying that you get a notification every month. If, if something new pops up on the dark web, you'll be notified.
Mario:I'll let you know, like, listen, this username, this password was found on the dark web And we can't do anything about the dark web. We can't go out there and clean it up, but we can make you aware of it. So you go in there and you change that password.
Justin:Yep. Yeah. Yeah. Question, I'm gonna I'm gonna throw this one to you, Mario. Have you ever run one of these scans and had it come back with nothing interesting?
Mario:No. Not one time. Never. Not one not one time.
Justin:Okay. Listen, Justin. We run this
Bryan:on our own network on a regular basis. And, and because, like I said, things change on a regular basis. Right? So the the scans will come up with something all the time. Like it might be something immaterial or so insignificant, but it's like, yep.
Bryan:Okay. Let's let's patch that.
Justin:But it might be something serious.
Bryan:Yeah. In most cases, when it's somebody we we work with that, that's a prospect, it it it's always finding stuff. Always. Yeah. Yeah.
Bryan:Significant. Very serious things.
Mario:Yeah. And it's a lot of the scan is more to make you aware, like, this is stuff on your network. Like, I'll give you an example. It will tell you if any of your computers have, remote desktop, protocol avail like, open on, on your network. And this is something typically used for people like are using like a VPN connection to remote onto their computer.
Mario:In most cases, this is needed if they're using a VPN connection, but if they're not, you want to turn it off because there's no need to have it on, You know, so even they may find some stuff that you're aware of, but it also may find stuff that you weren't aware of. Right.
Justin:Right. Yeah. Yeah. You gotta do it. Gotta do the scans.
Justin:We do them internally. We offer them out to the the public at large. I've I've even I I hesitate to say this because these are not designed for, like, single computers or or even I mean, generally speaking, we're targeting clients that have, you know, 10, 20 plus workstations. It is where we do our best work. It's where these scans do the best work, but I've run them on individual computers and pull down a ton of information that was critical.
Justin:I'm like, you we we gotta work on this right now. Yeah. And whether that's friends or family or, you know, my some of my smaller clients, It it's just yeah. It it's gotta be done. Gotta have this information if you're gonna fix it.
Justin:To do that, to schedule one of these, all 3 of us are are available to do that. We cover, you know, the the northeast parts of Canada, Texas, Nevada. But if you're outside of our area, get a hold of us anyways, any of us, it doesn't matter, and we can put you in contact with one of our partners who does the same thing. We're we're all members of a network of IT companies nationwide. I think there's roughly a 1,000 IT companies part of this network.
Justin:So, we we can definitely help you out. Don't hesitate to reach out because you're not in one of our service areas. Great. To book that call, just go to unhacked.live. Don't go to.com.
Justin:That website was like $1,000,000 or something, so I didn't buy it. Unhacked.live. And not only can you book the the vulnerability assessment that we constantly tell you about, but you can, gain access to our social media channels. We have a Facebook group that we just launched. We have a YouTube channel where you can watch our gorgeous faces as we, record these things.
Justin:Please don't, just do audio. And then also the oh oh, we we have our episodes on there. I keep forgetting that. Currently out of date, which I'm going to fix as soon as we're off of this one. I haven't updated it.
Justin:But what what we'd love to have is some feedback. So if you go on and you see an upcoming topic that you're interested in, jump on our Facebook group and and tell us what you wanna talk about, what, what questions you may have. All those links are on unhacked.live. Last thing I'll say is if you find any value in this, please share it. Help us spread the word.
Justin:We do not pay to advertise this. We're all basically donating our time to be here. Help us spread the word. Help us, drive this message and protect people. So, that's all I've got to say.
Justin:I'm gonna shut up. Mario and Brian, I'm gonna give you in that order a few minutes to just final thoughts, key takeaways, or just simply say goodbye if you've said all you need to say. Mario, you take it away.
Mario:Yeah. I mean, I I have a lot of fun on here in, you know, even some topics that you our fans may think it's boring. It's kinda interesting to us. You know, only we us 3 can sit there and talk about past service for almost an hour. But
Justin:It's only gonna be, like, 10 or 15 minutes. I promise.
Mario:And, you know, but, you know, yes, let us know if there's anything else that you guys wanna discuss or if you wanna hop on and, you know, talk about something else, you know, we'll we'll, you know, give us, let us know. But, I appreciate everybody's time out there. Once again, you know, Mario, Zac, you with mass tech IT.
Justin:Alright, Brian.
Bryan:Well, the only thing I'm gonna add is, listen, cybersecurity is a journey. It does not have to be done all at once. It does not have to be something that is dreadful. If you start the journey today and we get 1% better every day, you will make a difference and you will not be that low hanging fruit. So go unleash your 1% better every day and continuous improvement and, and start the journey today.
Justin:God, I love that. That is a beautiful sign off. 1% better week after week, guys. That's what we're here for. So alright.
Justin:With that, take care. We will see you all next week. Thanks for joining us. Bye, guys. Bye.