Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Unmasking the Xenomorph: An In-Depth Discussion on Android Security and Cybersecurity
Do you know how to protect your device from the Xenomorph Banking Trojan? Join us as we dive into the murky waters of Android security threats with our enlightening guest, Blake Rea. We unmask the frightening reality of this new Trojan, aimed solely at Android users. With a chilling focus on over 35 financial institutions and some crypto wallets, the need to understand and shield ourselves from this threat is apparent. As we unravel the differences between Android and Apple devices' security, we investigate a compelling conversation around trust and privacy, scrutinizing the potential for hardware chips that spy on us.
With the advent of the Xenomorph Banking Trojan looming, we guide you through the labyrinth of secure banking and device protection. How safe is it to download apps from the Google Play Store? Can a password manager protect you from threats? We answer these questions and more, offering pearls of wisdom on everything from encrypted drives and strong passwords to limiting app permissions. We also dissect the critical role of reading the Terms & Conditions of software applications - an often neglected, yet vital protective measure.
Switching gears, we delve into the intriguing world of social engineering and its dramatic impact on businesses. We unravel how trust is manipulated and the crucial need for verifying information in online banking. We share indispensable tips on SIM swap attacks and much more!
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https://petronellatech.com
All right, welcome to another episode. We've got Blake Gray with us.
Blake Rea:Yeah, we're here again. We're showing up.
Craig Petronella:All right, we're back on track. Yeah yeah, one of the things we wanted to talk about today is the Xenomorph banking Trojan, which is specifically affecting Android users. Right yeah, that's correct. This new variant is targeting over 35 different financial banking institutions. Pretty nasty malware. Looks like it's supported by a nation state or I don't know about that.
Blake Rea:They also did say that it was also affecting certain crypto wallets, which was interesting to me.
Craig Petronella:Yeah, they're basically after credentials access, balance information, initiate transactions, obtain MFA tokens from authenticator apps and perform fund transfers.
Blake Rea:Hmm, interesting. It did say that it was only affecting Android 13. So I'm not an Android user, but I don't know where they are in terms of the Android updates. I mean, I always recommend people just update immediately. Check your phone every week at least for updates, but I'm curious to see where they are in the Android update pipeline.
Craig Petronella:Yeah, I think this goes back to one of my recommendations a long time ago is whenever doing banking or crypto transfers or something like that, make sure your device is security gardens. You want to make sure you're all updated and patched. Ideally, you do not want to use the same device that you have maybe a bazillion kids apps on that. You may not know the security of all those apps. So you want to try. I know it's hard, but try to use a more secure device that doesn't have much on it to do these things. Use a desktop. Make sure your OS is patched in your desktop. Whether you're a Mac or a Windows user, same applies, but it seems like Android's been really getting a lot of malware recently.
Blake Rea:Yeah, I mean, I've never really trusted Android personally. I don't know why, Maybe it's just a subconscious thing. As an Apple user, I've always known Apple devices to be pretty security focused. So they are on Android 14 now, so this is for people that are using last generation of Android operating systems. But yeah, so I've just never really been a big fan of Android and maybe I could be mistaken, but it just seems like they have more security issues than iOS devices.
Craig Petronella:Yeah, well, you know iOS has had some zero days recently, in the past few weeks too. So I mean, I feel like it's kind of pick your poison. You know, obviously nothing is foolproof, but I do think Apple is doing a pretty good job of privacy and security. I think that their job is a little easier because they're engineering the hardware and the software. You know I talked about this too, where Microsoft or Android, for example, you got all these different hardware manufacturers that have to make their hardware up to a certain standard. There might be some variances there. There might be some security flaws in the hardware itself that you may not know about. That can contribute to problems.
Craig Petronella:I know a long time ago there was I don't know if you remember this, blake there was speculation around computer hardware chips that, at the hardware level, could be spying on people. Do you remember Now? Yeah, I remember that, gosh, I'll have to dig it up and find it. But there's you know I've actually talked about this a long time ago as well where you know we trust, as consumers and people, especially brand names like household names like Google, right, and Apple. You know these companies use really large marketing budgets and branding campaigns, and you know. Most of us, I would say, probably trust these companies to use their products and services. And my point is that you don't know if you're not buying something like Apple, where Apple is manufacturing the hardware and the software. But even with Apple, you don't really know. You know they're off shoring the building. You don't really know, like, what happens at the factory level. Right, I mean, who knows what? You know what I mean, right? So my point is that we talk a lot about employee training and testing and drilling, and I'm not insinuating that something bad is happening. I'm just saying, like, how do we know, right? I mean, how do you know that in a factory you've got hundreds or maybe thousands of workers and robots and all sorts of stuff happening where they're putting these chips in these devices? How do you really know if a chip doesn't have some kind of backdoor in it? Right, you know.
Craig Petronella:So it's we talked about. You know the internet and TCP IP and and how. Tcp IP by nature is not really a great secure internet protocol tool for the internet, right? So we've put all these layers on top of it, like encryption and SSL certificates and all this stuff to kind of patch it up and bubblegum and duct tape it right, but it's not secure out of the gate and you know it goes back to the layers that we talked about. But what do you do if there's a chip in in something? That I mean that you don't know about? But right, I mean, I mean if you just take a minute to think about that, I mean there could be a chip inside of your iPhone or your Android device and how do you really know that there's not something happening?
Craig Petronella:You know, I know there's one product that came out from one of our partners where they they encrypt the keystrokes on the device. This is a desktop software application, but they also tell you when a certain application is listening to you through your microphone or trying to capture your screen. And I have to say you know, in evaluating their product, it's really alarming to see big brands like Adobe, microsoft just common names wanting access to your microphone or your camera. I mean like when you're looking at a PDF or like a Word document, like Like location settings too, like what's the point?
Craig Petronella:Yeah, but I mean like these, nobody really. I'm sure most I can't say nobody, but I would say most people don't really read the detailed terms and conditions of all the rights that these software programs can have. But I thought it was quite alarming to see that, hey, adobe wants to capture your screen and listen through your microphone when I'm looking at a PDF. You know like what. You know what I mean. I think that's pretty crazy.
Blake Rea:Yeah, and they, it seems like they all kind of spin it in the form of like hey, we want to better your user experience. Yeah, that's like okay, you know, I mean I get maybe to a degree like capturing the screen and saying like, oh okay, well, people are trying to click here for this tool or click there for that tool, or maybe they're getting stuck in certain parts of the user interface, right, Totally to a degree understandable. But I mean, is it really acceptable? You know, yeah, I don't know how I feel about that personally.
Craig Petronella:So yeah, I mean going back to this malware. I think maybe some of our listeners were like you know? Like what do we do? You know? Everything's kind of doom and gloom, right. I think the really the takeaway is that with a bank I mean as long as you have a certain amount of funds that don't exceed the $250,000 limit you're protected by FDIC insurance. So in the event that something happens bad, you've got that insurance lay. I'm not saying to bank on that, I'm not saying that, you know, maybe one day you'll get your money and hurry up and wait in line, kind of thing.
Craig Petronella:Obviously, you have to take your own security measures into place, but I think it goes back to making sure you're using a secure device, trying not to type in the URLs. You know, use a password manager, save your bank information. It would encrypted drive. Ideally, don't store it on your computer at all if you can, but as far as like the URL or the website of the bank, store that in the password manager and or your favorites, or you know, don't type it in because you can fat finger it. And that's what the hackers are banking on. They're trying to register these domains that are often fat fingered and that's how you get phishing or malware on your computer and then in turn deploy some type of bad software like this one here. But this one's pretty rampant on the Android devices. So maybe the you know, like you said, like you know, this is targeting the older version, so obviously it goes with.
Craig Petronella:Obviously make sure you update and patch your Android devices. But you know, again, it goes back to the layers that we talked about. So patching is a layer. You know your device, how to use that device, for who you're sharing it with, what other applications are on that device. Try to use a desktop or another device for your banking or other more sensitive tasks that you know. You take more care of and consideration around what software and applications are on that device, so that you're kind of, I guess, a bit more strict about what you put on there. You know what I mean. So you try to keep it more bare bones and you do your banking there.
Craig Petronella:I know some people are more extreme and go the opposite direction and they don't do online banking at all and I know there's a group of folks that do that. That's obviously it's a trade off, of convenience, right? But yeah, you know, maybe not enable certain things with your bank either. You know there's different software or access type tools that you can use to pay people easily. You know certain things that your account level you could disable. Obviously, use strong passwords that you're not reusing other places. Use multi factor authentication. Obviously there's layers at an endpoint level that you should have on your device itself. Like I was mentioning that software that I was testing. You know that encrypts your keystrokes, but not only encrypts your keystrokes but blocks your camera and your microphone and you know, have technology like XDR that if you were to click on a bad link and make a mistake, they would get contained. So there's different. You know layers that you could put in place to protect yourself, but yeah, this one's a particular nasty one.
Blake Rea:Yeah, one thing that I would also suggest too, that I didn't hear you touch I mean, you touched on it briefly, but just be very, very weird of what apps you're putting on your phone. And in this instance, you know they had an app, a malicious app, in the app store. The Google Play Store sorry, that kind of poses itself as a legitimate app. You know. So I know we've all seen it. When you're scrolling through social media and you see like an ad for like an interesting fun game or whatever, right, you know be very weary of what apps you download, right, and who those developers are. You know, because every app has a developer listed. So you know.
Blake Rea:Of course you can do a background, a little mini background check on those developers. Like you could type in the developer name and then type in like security or like exploits or like malware. You know like those two search terms should yield something, or hopefully nothing, right In the case. So don't go downloading a bunch of silly apps. I know a lot of developers in the past have. There was this one I think we talked about it on another podcast, not to go too far off track, but it was one of these like AI generator apps or something that was like making In several.
Craig Petronella:There was one that was back a long time ago that we talked about as a flashlight app a free flashlight app for your phone and it was plagued with malware on it. I mean years ago, when we published one, we, we did an experiment and published an app, or I think it was a digital magazine or something like that. Anyway, when we did the research around that, we found that there are so many malicious apps out there that it was pretty easy to get an app approved with not only Google, but with Apple too. So the point is that there are malicious apps on those stores and you need to do your part and investigate.
Craig Petronella:What are you putting on your phone or your device? Do you trust this vendor Cause? It's a risk question. And then you know, like Blake said, you need to patch and update these things too. So the more stuff, the more software, the more applications, the more things that you add to your device, the more your maintenance has to increase, because you need to patch those things, and not only the patching of the operating system, but all those applications that you have on your systems. You have to patch constantly and make sure, because all it takes is one of those to spy on you in the background and capture your keystrokes or your credentials, and that's how you get hacked.
Blake Rea:Yeah. And then also, I mean you can limit those apps that you do have on your phone, like for example again, you know I'm an iPhone user, but I can go in here and select the app that I want and turn off different permissions, like I can turn off access to a camera, access to a microphone or access to the location for that app. So if you ever have any doubts in your mind, you know go explore the security features and functions of your phone and make sure some of these apps that you're not so sure about, you know get them off your phone. If you feel like you need to, of course, and if you feel like you don't, or if you feel like you have some use for that application, you know go in and limit what data and what controls it has over your phone. What access permissions Super important, I would think.
Craig Petronella:I think those are great tips. I think, taking that a step further, it's almost like doing a self-assessment of your device or your phone or whatever you're using, and just a checkup. You know what apps are on here. Do I know and trust them? Have I done my own due diligence to investigate and evaluate a risk? But you know, the bottom line here is, if you've got hundreds of apps on your device, you just made your job 100 times harder because now you got to go through every single one.
Craig Petronella:So you may want to, if you. I mean, an extreme approach would be to start over and then just put back on what you really. You know, maybe use this is an excuse maybe you've got an old device and you want to upgrade, so maybe use that upgrade process of instead of migrating all of your stuff over. You start over. I've often said you know, sometimes starting over is better, because if you do the upgrade path and you dump all the stuff over from the old device, you're moving everything over, including anything that could be malicious as far as an app goes, or corruption or any kind of data that could have a problem in the future to slow your device down. So you know.
Craig Petronella:I know personally for me, whenever I upgrade or get it, I always start over fresh, and I know that's more work and annoying, but it also gives me the opportunity to go through everything and make sure do I really need this app? And, like I said before, I have other devices that I'll use for other things, so I won't do banking on certain things. So my point is that try to simplify your life and keep it simple. Right, the Kiss principle. It does have some validity.
Blake Rea:Yeah, also be careful too, because in some of these articles that we read kind of unrelated but more you know. Going back to your computer, right, like, be careful about Chrome extensions. You know Chrome extensions as well, you know. In this article that we read, they mentioned. You know. You know counterfeit, you know transactions and activity happening through Chrome extensions, you know. So just be careful out there. Obviously we say that every podcast, but you know, just know what you're doing on the internet. You know, and if you're not sure, like, it's okay to ask for help. You know, I think we've.
Craig Petronella:I want it located to not install, or proceed and click next when you don't fully understand what you're agreeing to either and you know, try to take a devil's advocate, trustless approach. You know what happens if this app can listen to me or turn on my camera? Am I in an environment at work where I'm talking about sensitive topics? That would be a problem if it were captured. Am I you know what I mean like? Know your surroundings, know your device and make decisions based on that too.
Blake Rea:Yeah, I also think there's some software out there too that has keyboard permissions. I don't think there's any app out there that should have any permissions over your keyboard that can log what you're typing and where you're typing.
Craig Petronella:Well, what's crazy is and I've talked about this before is for Apple. For example, you said you're an Apple user. You know I don't know if this is still true or not, but when I investigated it, the keyboard, the keystrokes that you type in on your iPhone to like text message somebody for something those keystrokes are stored in a plain text, unencrypted database.
Blake Rea:I'm not sure about that.
Craig Petronella:Yeah, it used to be true. I don't know, I'd have to investigate it again to see if it still is true, but the point was that there could be a malicious app on your phone, like the Flashlight app, that can then interact with that unencrypted password or unencrypted keyboard file database. That's how they get all of your information. Now, this would be simple for Apple, or maybe I'm oversimplifying, but the point is that in this context and in this case, I would want Apple to encrypt that database. I would want those keystrokes to be encrypted. Anyway, my point is that taking a trustless approach as the consumer, if that's important to you, that you don't want your keystrokes to be captured by some app that you're not aware of, well, consider adding in keystroke encryption to your device. Then what happens? There is again taking that trustless approach, even if this is no longer an issue. Let's say Apple patched it. Let's say Apple now encrypts their keyboard. I don't know if they do or not. I'd have to, like I said, but let's say they do.
Craig Petronella:You use that other layer? Well, what's that hurting? You're double-encrypting, okay. Well, what if there was some exploit or something that reversed it? At least? Again, it goes back to the layers If you did your part and you encrypted your information and then there was a breach or something happened, well then they got scrambled data so they didn't technically breach it. That's what I'm getting at as far as the layers go. The same thing like when you're using plaintext email or you're using Gmail or something and you don't have encryption. You could add for very inexpensive, sometimes free encryption on top of that to then add that extra layer of protection. There's things that we all can do, and that's my point. We should be doing or implementing as many layers as possible to protect ourselves. I think that's generally going to be a good thing and go in the right direction.
Blake Rea:Yeah, there's no simple approach to security. There's no one shoe fits. There's always constant assessments that have to happen. Evaluations, Obviously, it comes back to the human principle. Are you doing enough? We've talked before about a lot of the hacks and exposures happened from a human element. Ironically, I don't know. We talked about the last podcast, Caesars MGM. Did you hear about how that actually happened? They actually found out how it happened. Go ahead. The kids that were hacking them were apparently super young. They were anywhere from 16 to 20-year-old kids. What they did was they went on an info website and they found an executive. They also went to one of the help desks, or they called the help desk and said hey, my name is executive, I'm locked out of my account, Like will you reset my email password or reset my password or whatever. It was that simple.
Craig Petronella:So social engineering at its best.
Blake Rea:Right, yeah, it was that simple. There's nothing sophisticated about 20-year-old kids calling to help desks for this casino and chitting the password. So, yeah, I mean people like to be trustworthy. It's a character trait that people like to possess. People like to be trustworthy. People like to take things at face value, because some people they ignore the bad things that go on in this world because they live in a bubble, I guess is the easy way to say it. But people like to be trustworthy, people like to feel like they're being honest to people and they feel like they get back what they give out in the world. It's pretty common, but so somebody just in their mind, trying to do the right thing help this executive out ended up being the wrong thing.
Craig Petronella:Yeah. So it goes back to what I've said before many, many, many times. If you're in that position, you're that help desk agent. Just pick up the phone and call the executive.
Blake Rea:Yeah, call, or just have policies in place that you know. Okay, I'll reset your password. It has to go back to your email, right, yeah?
Craig Petronella:But it goes back to what's the saying Trust, don't trust, verify. So never assume that this person on the other end of the phone is who they say they are. Verify it. How do you get them to prove they're who they are? I have said with your cell phone providers everyone listening should have a pin number with their mobile carrier to prevent SIM swap attacks. Sim swap attacks are still commonplace now. Don't use your phone number to get one-time pins to certain things. Now, I know in certain situations it's unavoidable.
Craig Petronella:It's kind of comical to me where banks often are the ones that you think of a bank or at least for me, you think of a bank as bank encryption or bank grade security. You think banks should have the best right, right, but in working with banks I'm no blank, in working with banks. I'm reminding him of a story, of a test we did. Oh God, it's not true. It's just don't assume again that your bank has got the best security, because they don't. I'm not going to call out a single bank, but I'm just saying that again, don't trust that your provider, your company, your vendor is providing you and protecting everything. Verify it, get them to prove it and do your own part. Like I said when I was going with this little tangent was that certain websites, certain banks they force you to use the text SMS, unencrypted, one-time password to your phone. They don't use a more secure authenticator app, for example. So I get it. I know that you have to use it in certain situations, but try to limit it. If you have the option to not use text for one-time pins, use the software that's much more secure and add additional pins and security with your mobile provider to prevent a SIM swap attack.
Craig Petronella:Because now, with banks and crypto and everything else, we do so much on our mobile devices, we depend so much on our mobile phone number. You've got to do what you can to protect it. Because, just like with that story that Blake shared, it's often the same story with the SIM swap. Oh, I'm in a bad spot, I lost my phone, I need you to send me a new SIM or help me move my phone. And that's how SIM swap attacks happen the hackers. They persuade in social engineer, the rapid, the mobile carrier, to do something with the phone number and then, guess what? They just activated the hacker's phone and now they have access to all your pins. So then they go a step further and then they keep going through the layers. So just try to be smart and implement as many layers as you can.
Blake Rea:Yeah, the human element is really important to any attempted breach. I remember one. There was one that was going on Facebook and me personally. I know this is probably the worst thing to say publicly, but I like to mess with people who try and mess with me. So somebody had sent me a message saying oh, I'm locked out of. I need help resetting my password. It was like a Facebook message or something, something silly. I need help resetting my password. I'm like I don't know you. How am I going to help you with such a password? Oh, facebook told me to contact you.
Blake Rea:They gave me a little list of pictures of people to click and you were one of them. It's like oh, ok. And then they're like can you provide me the six digit code that just went to your phone? And I mean pretty much the whole time. I mean I was just giving them fake, fake six digit numbers and pretending like oh, my God, I want to help you. You know like I'm sorry, I like to troll people that troll me. So we literally tried for like hours, like I just kept giving them no, I don't know why it's not working. Like this is the number that I'm getting texted, you know. And then eventually they just gave up. Right, you know there's a human element. Right, that has to happen in almost every attempted intrusion, you know. So, don't be that human element, you know? I mean if something is weird.
Craig Petronella:Back to the training and testing that we've always talked about. You just constantly have to train and test your people and yourself so that you get into that muscle memory and that that just that reaction is again set. I know what you're saying, blake. I mean it's human nature and psychology to want to help people and I think they and it does go against the grain and the psychology of your kind of your roots, right, your, your DNA but you have to train and test and drill yourself to protect yourself and your, your bank is not not going to ask you in an email to give you your social security number or pin number or something Right? So be very cautious and always again verify. Don't immediately trust that whoever's on the other end is who they say they are, and do your part, because the more you do your part, the less likely you are to become a victim.
Blake Rea:Yeah, yeah. And at that, at that point I mean there's a lot more on the line right, like if you do the wrong thing, if you open up your company to some huge exploit or some attack, I mean who knows what could happen. You know your, your livelihood is at stake. At that point, if you know you open a door that look at look at that from a business owner perspective.
Craig Petronella:Let's say you're a small business and you're you're working with sensitive information. Or let's say you're a medical company. You know, I heard on the news earlier today the Lazarus group the people responsible for the casino hack they are are basically hoarding and collecting cryptocurrency and their next projected victim is the healthcare industry hospitals, medical. You know they're going after them for ransomware and ransomware payments so that they can hoard more Bitcoin and more and more crypto. My point is that you know we just have to go through the exercises and keep drilling this stuff into the human side of things to prevent that malware from being able to be dropped. You know, I know we're all busy and everybody's working multiple hats and multiple jobs, but you could have the best security and if you you're human side, you know it goes back to people, process and technology. We've talked about this. If your people are not trained and they hand over the keys to the bad guys, well, I mean, there's only so much the technology leg of the stool can do, right. I mean, yeah, you can rely on XTR and hope that that's, you know, contained and. But there could be more social engineering and impersonation that can happen to further deepen the hack, right? So, like you know, like if you picture you're on the other side and you're the bad guy, you're the hacker. If you do something and it doesn't work, you shift gears to do something else, or maybe the person you're talking to is too well versed and trained, so you find another victim and you look, you look through social engineering, social networks and LinkedIn and Facebook, and you find another executive that you can prey on and see if that person, he or she, is going to fall back.
Craig Petronella:So my point is that these, these hackers nowadays are it's their day job to do this stuff. You know, they're the ones that are, like you said, they were kids, they're younger, 16 to 20, you know, they may be in a country that is a poorer country, and this is this is what they do for work. They're actually in the States, okay, so so they're in the States and they're doing this for work. You know they're getting paid. You know, I, I, I remember when we were looking, we're researching the MGM hack last week. It's just, it's crazy how it's. It's become like a business model, and there's also a business model for basically taking down your, your competitor too, like you could buy like ransomware kits online and try to you know, just pummel your.
Craig Petronella:Yeah 商一直 안. It's a nasty place out there.
Blake Rea:It is weird to think that little Johnny on your son's soccer team may be taking down corporate yeah, fortune 50 companies. Here with millions in bitcoins is hanging out.
Craig Petronella:If your company isn't training and testing your folks and doing these tabletop exercises and these pen tests, if you're not paying the money and investing in your company, all it takes is one person on your staff to make a mistake. If you think about that, if you're 10 people, you have to train those 10 people. It's your responsibility as the owner to provide the training and the security controls to protect your systems. The more sensitive the information you have to protect, the more at risk you have. If you think about it, if you're a small company and your secret sauce is really how you're surviving, because if competition had all of your secrets and intellectual property, what else do you have other than price to compete on?
Craig Petronella:If somebody on your team isn't trained and hands over all your intellectual property to a competitor or to a bad actor group who sells it to a competitor, my point is that your survival as a small business is limited. Think about if you're 100 people or 1,000 people or 10,000 people. You're larger companies. Now you just exponentially amplified your risk factor because now you got 10,000 or however many employees. You have to make sure they don't do the wrong thing. It gets really complicated really fast.
Blake Rea:Yeah, just stay alert out there. Stay alert, Trust. Nobody trust nothing when it comes to your personal information, data, your keys to your castle. If it seems weird, if it seems odd, there's a reason why.
Craig Petronella:usually, yeah, and going back to the consumer level or the personal level, the more you listen and implement these layers, the more not only unhackable you become, but you become more unhackable at a personal level too. What I mean by that is, let's say, something happens with a skimmer at a gas station and they try to steal your identity. If you have more protections around your identity and you have monitoring, you're less likely to become an identity theft victim. My point is that, like Blake was saying earlier, you have to think about all the software and all these different things on your computing devices, but you also have to think about it on other areas, like your car and what gas station you go to. You know what I mean. You have to look at all this stuff.
Blake Rea:I've seen those little pictures or videos on the internet of people lifting up the keypads on the card readers that are literally one-for-one clones of the text, as like new fear unlocked. Every time I go to a gas station I'm trying to rip the keypad off.
Craig Petronella:Some of them have a sticker like oh, it's tamper proof, it's got the orange sticker or whatever. But again, you have to do. You think that somebody could buy an orange sticker on Amazon or somewhere and put that sticker there? My point is trust no one. You've got to protect yourself. Then I think some people are probably listening and they're like oh, I'm just going to not worry about that, I'm going to rely on my credit card company to protect myself. And yeah, the credit card company may have like an anti-fraud kind of guarantee where you're not responsible for that. But I'm not talking about just that transaction, I'm talking about the after effects of identity theft that could happen from that event.
Craig Petronella:So it's not only where do you frequent, where do you get gas, it's who you do business with at a personal as well as a business level and limit the amount of information you share and demand privacy and security.
Craig Petronella:If a vendor or somebody you're doing business with on a personal or a business level says, hey, I need you to fill out this paperwork and you see this paperwork and it looks sensitive to you, meaning you don't want some of this information just blatantly on the internet about you or your business or whatever. Push back and say, look, how are you securing this information for me? And if they're saying, oh, just email it back to me. No, push back, email's not secure. Why would you send all this information? First of all, push back on why they even need the information and push back on the methodology around how you send it to them, and then also push back on what are they doing to ensure your protection and your privacy and your security. Because if they don't have good answers to those questions and they don't, in my mind, score well, then think again about whether you should do business with them, because if they don't have your best interest at heart, well, that's another risk factor for you to get breached information.
Blake Rea:I also think, going back to financial institutions, I think these financial institutions just know your credit card information is probably likely already in a data leak, whether it's this company, that company, whatever and the way that they've combated that pretty recently is implementing the locking features on your card, where you lock your card after use, and that's something that I personally do.
Craig Petronella:You can call it freezing right, so you could freeze your card, yeah freeze your card.
Blake Rea:I literally will do that for every single one of my cards. I will literally be that guy in line holding up the line. Hold on, let me unlock my card. Sorry for anybody who's behind me, but it's a scary world and a lot of times, when they buy this information through the dark web or whatever, they'll just go through a list of them and then, if it's declined, they'll delete it. If it's declined, they'll delete it. Oh, and then this one works right. Okay, cool, let's hang on to this one.
Craig Petronella:So you made me think of something. Have you heard about the security flaws around Hyundai and Kia vehicles?
Blake Rea:No, but my dad has a Kia, so I'm curious.
Craig Petronella:I think Tesla is somewhat affected too. So I was reading some security information I think it was a day or two ago and they were saying that the security is so bad with and these this includes brand new Kia and Hyundai vehicles too. The security is so bad with the, the lack of encryption with their key fobs and things like that that car thieves. It's not just like single digit percentage increases of thefts, it's like exponential in the hundreds of percentages of how easy car thefts in those brands are occurring right now. And if you think about that as a consumer, you know you might really like one of those vehicles that you know. Maybe they're, it's a good price, or maybe you feel it's good value, and they may be true. But again, as a consumer you have to think about well, if I buy this car or truck or whatever it is, I'm now trusting that company to keep me safe in my vehicle. Or if I go to a restaurant or wherever and you know, a few years ago I never would have thought like, oh, you know, my vehicle is going to get stolen or whatever I pretty much trust that my vendor and my key fob is, you know, I lock my doors and stuff and you feel like you've done your part right. Well, when I read this article, I was like, oh my goodness, I'm like. You know, you can have this brand new car and you can lock it and wherever and it's just like child's play for thieves to not only steal the contents inside the car if you've got packages or whatever in there or, god forbid, you're in medical and you've got a laptop in there and you lock it. You thought you did good, you locked it up or whatever, but for whatever reason, you didn't encrypt it or do the other layers again right, that we're talking about and that thing gets out there. Well now, not only did you trust that vendor, in this case Kia and Hyundai, but now you suffered a breach because of their lack of security, right? So that's what I'm saying. Like, think about this at a personal level, where, what if my car can get opened from some adversary and I've got stuff in there? What am I doing to protect not only my stuff, but what am I doing to protect my car? Are there additional things that I can do to protect myself? You see what I'm saying. So it's just kind of a weird world.
Craig Petronella:But yeah, I think we need to push back on the dealerships and on the car manufacturers like, look, I really like this car, I would buy this car. But here's the latest headlines and this is like the number one and they're not getting these cars back. By the way, they're like they're going to chop houses and they're divvying these cars up and selling them for parts and stuff. And one extreme could be at the consumer level. Oh well, that's why I have insurance and that's they're going to give me. And, yeah, that might be an option as far as depending on your coverage and things like that. But that's not the point. The point is that we need to do more as consumers to push pressure on our vendors and who we buy products from and services from to take our security and take it more seriously and do better to protect us.
Blake Rea:Yeah, I mean 100% agreed. And then you know we've talked about this and hopped on this a lot, but the human element, you know, again, like I think I read an article somewhere that the instance of car break-ins increased because of, you know, somebody looking into the car and seeing a purse or a backpack or a box you know an Amazon box, or so you know something that you can do that takes zero effort really is if you're going into the grocery store and you're like, oh, let's me leave my work laptop, my work backpack here, you know you just got off work, boom, it's in the back seat. Put that in your trunk. You know, I know that sounds really simple, but you know, if somebody who's getting ready to break into your car looks into your car through the window because they're just not going to go oh that's a, you know that's an Audi, or oh that's a BMW or Mercedes Boom, smash. You know, like, doesn't work. Like that.
Blake Rea:They look into your car and see what they're going to get access to if they're not deciding to take your car and, like Craig said, to a chop shop and you know, get in and do the entire car jacking. That's a lot of work and there's a lot of risk. You know it's easy for them just to knock the window out and grab your your bag, right? That's a lot easier and it's, you know, a lot less sketchy, right, because then they have to transport that vehicle to the chop shop when you just reported it missing, right? So there's a lot more added risk, but something as simple as putting those things in your trunk and keeping your car clean, you know with no visibility.
Craig Petronella:I would agree with that. The only part that I wouldn't agree with is don't put a laptop in the trunk and let, like you know, if you've got it end to end encrypted and you're really certain that you feel that that laptop has enough safeguards. Do an experiment and just hand it to somebody and just kind of think that if you were to hand this to somebody, do you feel that everything is protected well enough that you won't suffer a breach? Obviously, put your, your valuables and things like that out of out of sight. Put them in the trunk, yeah.
Blake Rea:Carry them, carry them with you, you know. Yeah, the whole point I was trying to make is just get them out of, get them out of vision, get them out of sight. Yeah, don't leave that sitting in the front seat.
Craig Petronella:I think the other part that's more alarming, though, is that you can or a bad actor can buy these repeaters to legitimately repeat the signal from your your key fob and open your door. So it's not a matter of they break the window as often anymore. This is more higher level crime, where they're buying electronic devices to then repeat the signal, either bounce it off from your valid key fob in the restaurant If it's not far enough away. So that's why we talked about Faraday bags and protecting your keys and using RFID protections around your wallets and things like that. Now, again, I mean yeah, it goes back to layers, but I don't know if everybody wants to carry a Faraday bag with them. Maybe it boils down to layers, like we talked about. What do you, what do you want to do to make it more difficult and what are you willing to do it? So you're willing to go to try to make yourself as unhackable as possible.
Blake Rea:Yeah, and those repeaters are cheap $125 on Amazon. They're not illegal to own either. So, you know, that's, that's crazy. So they were selling them at DEF CON.
Craig Petronella:Yeah, I think you can get a Faraday bag for 15, 20 bucks on Amazon. So yeah, you know, as an experiment for homework for listeners, you can try do an experiment. Get one of the repeaters, buy a $15, $20 Faraday bag and see if you can get it to work on your own vehicle. You know that'd be a pretty inexpensive experiment to do on yourself to see if you see how much at risk you are.
Blake Rea:Yeah, yeah, absolutely. I mean, don't make it easy, don't make yourself the target, you know, because if you're the low hanging fruit, you know these people have to eat.
Craig Petronella:Yeah, and then you know, consider some type of camera or recording device on your vehicle. You know I know they make dash cams now that go both. They have two cameras, one inside, one outside. You know you can consider something like that. But, yeah, the more, the more stuff you have from a security perspective, more layers you put into place, the more evidence you can collect that, god forbid, something does happen. You know, then you've got more stuff to catch the criminal.
Blake Rea:Yeah, I've seen some of these apps now, some of these car apps for the new modern cars. Like you can lock the car from your phone and then it'll also tell you, you know, if your alarm's going off, like, oh, like my car, you know, somebody just opened the car door and the alarm went off, or tried to open the car door, you know. And then there's a button that says, like you know, press. You know, call 911, or something. Like you know, they're getting up there trying to make these things more helpful to you, but just be careful out there, you know.
Craig Petronella:Yeah, absolutely.
Blake Rea:Well, I think we went a little off topic, but we still had some good information.
Craig Petronella:Yeah, agreed. Well, stay tuned for our next episode. We'll have another one for next week and maybe we'll do a short in the meantime.
Blake Rea:Yeah, yeah, all right, take care, bye.