
Bsides - RedRocks 2023 - I Thought I Was Secure... Until I Wasn't - Brandon Benson

BSides SLC · 53:10 · 124 views · Published 2023-12

um I've been in cyber security for a really long time about 18 years before pgp was acquired by semantic I work for pgp when I semantic acquired them I moved off I've actually been in several different disciplines of cyber security which is super fun because I've had the opportunity to see like cyber security from different views or lenses um this talk came I'll tell you the story of this talk and then we'll like jump into it actually don't have a whole lot of like slides with words on this talk um because I like stories and it's much more fun to tell stories and try and get points across in stories uh I work at Adobe and they came out and

said we're doing cyber security awareness I said great I'll present and I talked to the facilitators of that and they said okay what about um this topic and I said great I'll prepare something for that like two weeks later they said oh never mind we asked some of your um team members to do that topic instead but will you still present and I said sure and I'm like what topic and they're like I don't know I said you gave my topic away and they're like just find something and I've been thinking about this for a while and so I'm super excited so I thought I'll just put this together and uh let's have some fun with

it so that's what we're going to do um I've only got about five sides with um text and then everything else is like pictures so but they I'll have a story behind them um I'm a senior manager at Adobe I've been in cyber security since the 2000s early 2000s um I started like my whole career in Telecom and then went to sales engineering and then went to cyber security where we did encryption stuff and then I did audits for a few years uh I've managed a security operations center which was amazing and a lot of stress and currently I manag a security engineering team um I've traveled to tons and tons of countries right I used

to fly out um um I was in my neighbors used to tease that they thought I was a spy and I think my wife and my kids helped um because they used to say well you know what is your dad do he like well he does something with computers and he flies to a lot of really weird countries and they'd be like well what do you mean and they're like well last week he was in Ukraine and the week before he was in like Dubai and like he's in all these really weird like high stress places and so there was rumors and people like what are you actually doing I'm like well I do cyber security

stuff and they're like are you spy and I'm like no I'm not a spy um but even if I was I wouldn't tell you so it doesn't matter no I'm not a spy um but I am really passionate about cyber security part of part of what I do at least in my current role and I like to kind of keep track of things that that happen where like really interesting things happen is sometimes on the dark net and sometimes on the dark net what you start to look at is like they'll post things so in October typically at cyber security Awareness Month month and I was trolling around the forms as I was putting out

these slides and found this image that they had put out and I thought huh this like reminds me a lot of fishing right um so they put this out and this is like the caption they said Hey to raise awareness we're going to like increase our hacking for the month of October good luck guys like we know cyber security awareness month is here and I thought well this is kind of fun and it was even more fun when I looked at the uh the happy cyber security awareness month and if you didn't get a CN spelling like I did you'll notice that they did what we tell people to watch out for in fishing emails look for

misspellings and look for like bad grammar and stuff like that and awareness yes is misspelled like if you didn't catch that right and so the things that we try and teach people about today and like business and teach people about in security awareness training and and other places is really valid but it's boring and we keep hearing the same thing over and over and over again until the we just get numb to it and the reason we get numb to it is like okay I heard it I've been there I've done that right and so a lot of times when you look at what like they come out with with topics and these this these are the

topics that they came out with for cisa this year is like oh fine right we've all heard this before we've all had training about this before but so what like I'm probably okay maybe kind of well let's find out right um so the ca topics for this year um you know use strong passwords and password manager who has never heard that before like nobody right turn on multiactor authentication okay yeah what whatever right um recognize and Report fishing fine I mean the only add-on I added here is like if you get a v or a an a uh text fishing you can actually forward that to 7726 on your cell phone that I'll actually report it to your

cell phone carrier people are like what that's a thing and I'm like okay there's my like bonus add in here right but it works and then the phone companies are aware that there's people trying to fish you via text update your software we talked about that like nobody updates like it's too much of a pain uh for kicks and Giggles who can tell me what cesa means because we've talked about cesa and two talks do government agency that does something crazy or weird yeah that's what I thought right I'd look it up too I was like it's some government agency has does something C is a cyber security and infrastructure Security Agency so bonus question that's

what it's for that's what it stands for I know people are like what well that's kind of cool I just always call it cisa uh it's been around since 2004 that's how long cyber security awareness has been a thing uh I do want to talk a little bit about passwords um and I know we've talked about it before uh but I'm going to throw out these dos and do not and then I've got stories right uh and the rest of this talk will be pretty much stories whenever possible uh especially for financial or sensitive sites use multiactor authentication like I can't stress that enough I'll talk about that in a second like change your default

credentials and passwords we'll look at that later too use passwords or complex P or pass phrases or comp comp Lex passwords it sucks because if you actually sat down and said what are all the sites and like applications and stuff I need passwords for there's like a couple hundred and nobody can remember that many um if you think about why telephone numbers were like 10 digits it's because most people can remember seven and then the area CES just kind of an add-on right we we can't remember that many different things which is why we see people reuse passwords and why we see people like the same password across multiple applications uh it's just dumb to say I'm going to use the same

password for my bank as I use for Facebook like you're um I'm sorry you're an idiot if you do it but I'll talk about that so U rotate all passwords periodically I hate this like advice to myself um and which means you guys are like H I've got 300 passwords I should do it but I'll talk you know we'll touch on that um don't use the same password for multiple applications and services which means we're probably always going to be using some type of password manager uh passwords and spreadsheets are kind of crappy but they're better than like the same password I they're crappy because if somebody compromises your computer now they've got all your

passwords um don't click on fishing emails like anytime you get something that says hey your bank has like a really important message for you just go log in the bank don't click on the email because all banks and all financial institutions and other places have a message center and if they really did send you a message they can they'll actually get through that right funny story okay I don't think it's funny my wife doesn't either but I do um she called me one day it was a couple years ago about this time of year and she said hey so I got this email from Amazon like did you order something I said well no I didn't order anything

like you're in charge of Christmas right uh she goes well I got this email that said your shipment is delayed and I didn't know what it was cuz I didn't think I ordered anything so I like clicked on the link and then I entered my password and I was like and I said and and she goes well log me into on nothing was there and so I couldn't figure out what was going on and I said well congratulations dear you just got fished right you just lost your credentials hold on a second so on the phone I I logged into Amazon and changed the the password but it's that easy for us to get fish right especially this

time of year I don't know how many like I could probably pull up in my email today and say I don't know how many like hey there's this document or contract you need to sign or validate and it looks like a valui sign um like link or looks like like a valid something um the problem with that is I just don't trust anything and so my accountant called the other day and said look I sent you these documents and I'm like well you didn't tell me you sent me the documents they're like well you should have received something from docan I was like do you think I'm going to click on that stuff unless I know it's coming the

answer is no so thanks for calling I'll go find it and click on it right so it really irritates like people who try and send me stuff when they don't tell me they're sending it to me CU I just ignore them because there's it's way to easy to lose our credentials and it's way too easy to get fished um and then don't use default credentials we'll talk about that you give some tools out this will actually to build on some things we'll look at in a little bit um have I been pwned if you guys have ever played with it it's super fun um I can put in all my different like Hotmail Gmail if you're really old AOL email

addresses and I can go say hey have youve been involved in a breach right um it'll go through and say of all it collects databases of breaches or dumps of databases that have been involved in breaches and then it'll go through and like articulate those to say has your email been been involved in a breach if your email's been involved in a breach this is one of mine then you can say oh what breach was it involved in and then that kind of tells me what I should do as far as where should I change my password right and that goes back into if you if here information has been lost in a breach right Equifax got

compromised a few years ago if you had an account with eifax which you probably do um go change that password if that particular password was used anywhere else guess what he should probably go change that password in all the different places it was used when I started looking at this I thought okay The Ledger thing I can understand I don't know what online spam bot is and I don't know what verification IO is I think it's for payment something and I don't know what some of these other things are in other words our information is being sold all over the place and so there may be breaches that happen out there that we are exposed to

that our information or our passwords are in that we have no idea our credentials have been lost right which goes back to like the recommendation of just change all of your credentials periodically a couple of years years ago I was we were doing a response exercise we had an a uh an environment that we were investigating that had been compromised and as we were looking through the logs of the compromise environment it was a web application and we saw that three of the admin accounts of the web application got compromised and then we started looking and saying okay so how did these three get compromised and really what it was is we saw five accounts of this web

application of the admins that were targeted we don't know how those emails got out and we saw that two of those accounts were not compromised but we saw Brute Force attempts on them and then the other three accounts did get compromised U and with the same tactic it was a Brit Force attempt right they tried hundreds of different passwords with a valid email address and finally found some that worked we're like so then we started investigating and saying well why did these three get compromised and those two not and the only reason we could come up with is the two that did not got get compromised actually changed their passwords within the previous 3 months and the other three accounts had

passwords that were over a year old and I was like huh that's actually kind of cool right uh and so that's why again the recommendation go through and change your passwords on a regular basis let's talk about using the same password uh I was in an engagement a couple years ago and it was an executive this company and he's like you know I don't think you can like compromise me and I think I'm pretty secure and like my footprint is like really secure and I said that's great and so we engaged in the engagement and then um like this is so cringe worthy we got access to his guest Network on his um in his company and

then we had found out that he had accidentally shared his hard drive out to like everybody on the network right which is like fantastic for me and terrible for him um in so many different ways and so it was about lunchtime and so I thought well I just grabbed an empty removable Drive I set it to download the contents of his hard drive and went to launch and came back and you know by then he had gone home or he had done something and I I thought well I wonder what he has and so I started going through and I had his desktops and his documents and his email folders and his downloads folder and I

thought with those three things I can probably find a bunch of really juicy things and I did right I found his like Excel document that said password which was fantastic fastic for me um and I found out that he really liked the Braves and I found out that like his graduating year was like you know 86 or something like that because all of his passwords were some type of combination of Braves 86 Braves 1986 Capital Braves 1986 Braves ex exclamation mark 1986 and I was like great and so then I had kind of everything and then he also had a list of where those passwords were used and so part of that I was like wonder what I

could actually get access to right and so then I started saying well I wonder where I can get in just with these passwords and which ones will challenge me with um challenges that I like security questions and stuff like that so I started with like his social media accounts I was able to get into um his Google account but not Facebook for example and I was able to get into his um Amazon shopping account and then I thought well his bank accounts here I didn't I got into One bank account but not the other because of the challenges um and then I I was like hey your like your online trading accounts here for retirement and I was able to get in

there right and then I like screenshotted like his $250,000 portfolio and then when I presented it to him he's like you're a jerk right I was like I'm so sorry better me than somebody else this is what you did and kind of walked him through what he needed to do to fix it right and after that is when I was like okay any any time I get the option doesn't matter if it's Gmail or my bank or anything like that I'm going to PayPal right um I'm going to use multiactor authentication because I don't know if my password is going to get compromised somewhere like this and then it's going to be um like used to like I I would be

really really mad if I lost all my money I'm kind of irritated when like my credit card's compromised I'd be even more mad if like my bank accounts Hur like I couldn't pay rent and stuff so breaches happen all the time so much so that we're pretty immune to it we're pretty numb to it um you know things you can do freeze your credit check your email addresses like using I have I been pwned for signs of compromise um and some other things as well we'll take a look at social media in a bit let's talk about software I love software I also love free software um I hate paying for software uh but free is not always free um as I've gone

through when I was a college student like when I first started my career if I could find like a crack piece of software I was pretty happy um and we see that happen a lot um I need to do this I need to do this action I'm going to go find crack software I should be able to download it it should be safe right sure it might be um but free isn't always free so I want to talk about a couple of Investigations we did probably in the last two or three years that kind of demonstrate that I was we were investigating a compromise where a user had lost his password and they had lost

a whole bunch of other stuff and he's like yeah I needed this piece of it wasn't even software for business he was like I I game a lot and I found this like plugin is for Counter Strike I think is what this one was and he's like okay I'm going to go ahead and download this like add-on for Counter Strike um and so he downloaded it and kind of ran it so we ran it in a test environment this is kind of what we got and then um executed it he's like it works fine like my game's not broken or anything but that's all he saw and I was like okay so let's go friends okay let's actually go

see what happened with this piece of software for this plugin that you added what really happened was the game did work great like it didn't do anything but what it did in the back um background is actually add a bunch of like really cool like gotas like surprises bugs not bugs but little nasty surprises what this software actually does is it installs the add-on perfectly so your game con function you can have like the overhead displays and stuff but in the background because it's free it also goes into all your browser caches like your Chrome and um Edge and stuff like that and it grabs anything like that's saved as far as cookies and passwords and credit cards and stuff

like that and it sent it out to a C2 server and so we saw the C2 server is like somewhere in Russia and then it would take the anything that had a credit card it would sent out to a different C2 server right that could be used in like a credit card breach I was like o that's not bad right in fact that's so not good but you don't really realize it and it's like really not sexy to see so we're going to do other stuff right um worst case scenario like you could end up with a thing like this you like your computer automatically reboots you end up with this um message that says hey your files are encrypted and

currently unavailable you can check it you know congratulations uh but if you want them back go ahead and pay me you know $1,000 in Monero or $1,000 in Bitcoin and guess what you just got Ransom word um which is bad the problem with ransomware is that you usually don't um get your files back or it's you know you never have that guarantees so you may be out your files plus your th000 bucks if you decide to play the pay the ransom and we've seen that happen all over the news these days right um there's uh some new things that have come out like in the last couple weeks they're actually running like full infrastructure ransomware as of service just like

normal companies do they've got customer service lines they've got like hey R like negotiators that will negotiate ransoms they've got like people who will do access management so they'll go get access to environments and systems then they've got like not just the access but they also have like the um installers of the ransomware and then the maintainers of the ransomware so these are just like they run like normal businesses right but they make money by stealing other people's data they recently changed to say we're not just going to Ransom you and like trying and get money out of you but we're also going to like Ransom your customers on the back end saying hey I've got all this customer data we're

going to post it um on the internet unless you also pay us a ransom report and now they'll report to and now they'll report to the SEC that was so classic right I'm going to be a hacker group I'm going to go ahead and report to the SEC because you refused to pay the ransom so that the SEC will come investigate you and cause you a whole lot of pain is really what that was so well played for them um as far as yes so the terrible terrible so this is boring to watch um and so because we've all heard this before I just wanted to take and like throw on a different spin of like what happens when

we use untrusted software and so the best way I can demonstrate this and in here is I started playing with showan and so let's play with video cameras right um why not so I was uh on showan you can see that there's video playing here uh and I was able to go out and find like these cameras that you can just buy out of the store and I was and I actually owned some of these cameras I was like wait a minute like out of the box these are pretty secure they're typically cameras that you set up in your home if I'm on my home network I can log in I can see what's going on

like in my Alleyway or my backyard and stuff but really what's really going on here um and what I found was people wanted to take these cameras so they didn't have to pay the fee for ring or have to pay the fee for um whatever security companies are out there and they wanted to say I'm going to set this up at home and so somebody's developed this software that they're saying hey you can remotely access your cameras on the internet all you have to download is this package install it and then from your cell phone all you have to do is like get this information we'll show you how to get and then if you're out for

dinner or if you're like have a rental unit like this or you want to see what like deer are running through your backyard or elk right all you have to do is log in or click the button and log in and you can see this which is great um except for whoever created software I don't think gave any type of security consideration to it because what they accidentally did is did something like this is like these managers or these small store owners decided that hey I don't want to just look at like what's outside my house maybe I'll put this camera that's in my um store right so I can see what's going on in the store the

problem here is that anybody that's connected to the internet so anybody in the world can actually go through and say okay um as long as I have the IP address and I know how to do it like I can go ahead and log in and see what's going on in the store right it's fine until you decide to put the camera right behind the register and now I can like turn on the video and now when they log in I can say okay let me just go ahead and grab the password right or let me go ahead and grab the credit card like transaction or let me go ahead and grab other things that are in here and I thought okay well

that's like a little creepy um and stuff but hey like could it get worse yeah where else do you put cameras well I I just heard someone like gasp yes you are correct um you are absolutely correct right but maybe um hey I'm a grandson or I have some technical ability and I want to make sure Grandpa's still alive right and so what I'll do is I'll just go ahead and set up a camera in the living room because that's a good idea and then download this software that's completely not secure and then I can log in and check on Grandpa whenever I want to I don't actually know whose Grandpa's that is but I can check on him like if you

guys want the IP address you can too right or maybe I'll decide to set this up in my kids room right because that's not creepy at all to know that anybody on the internet who actually stumbles across my IP address can log in and see what my kids are doing yeah terrifying I found some other stuff that wasn't like conference worthy um but there was some crazy stuff I saw I was able to log in and watch like people out on the back like porches smoking I was able to log in and see people in their garage um I'm able to log in like if I'm like he in a neighborhood and I can say wow I can log

into all these cameras and I can see when the cars are there and when the cars are not there so if I'm a burglar or I want to do some type of harm I know when people are or not home right if I can log I watch some lady and son have have an argument in their living room one day um I thought that was kind of funny I thought well this feels like weird so I logged out I don't know what the argument was about but they were watching lat on the TV so so if we if we actually take and so we think normally like we're secure and we'll download the software and we'll

trust it but sometimes we actually do things that actually expose us to um in inadvertent ways to make us not secure and that's kind of what I wanted to point out here just because I download a addin or a patch and I haven't paid for it or if I don't know what software does what I can actually do is say instead of being able to just keep track of my kids make sure my family and my home is safe what I accidentally did here is said hey anybody anybody on the internet can actually intrude into my personal life or log in and see what's going on in my house as well and as a dad I am not

comfortable with the thought of people being able to log in and watch my kids right um as uh but I want to be able to so it's making sure that we set things up actually in a secure manner so I'm going to switch gears because that was creepy enough um to what uh remote access right we've heard about remote access how you can actually compromise systems and stuff like that we actually went out and we um decided to like go through and see what we could find on Showdown for remote access we ran across a whole bunch of computers that like showed screen so this is me somebody has VNC which is a remote access software um

as you see what I was able to do is just say here's the IP address of this computer go ahead and let me in what did we not see here we didn't see a password prompt right in other words people have actually opened up their computers to the internet for either remote desktop access or they've opened up their computers to say I want it be to be really easy to log in now I don't read Chinese but my kids do they said this is either a business site or an educational site they weren't quite sure and I didn't really want to poke around which means I can be here in Utah and it doesn't matter where you're at in the

world um you can access like computers that have been left open right um so often times for convenience or because we want things to be easy we may inadvertently expose ourselves to things that just require no Authentication whatsoever the way we've seen these use is great um if you want to do malicious things or you want to hide your tracks right we've seen the movies where people like pop all over the world and you know bounce off of connections and like hey how did I access this if I wanted to hide where I was coming from and do you know some type of bad activity where I didn't want to get caught I might look

for these servers or these computers on the internet log into them with no password go through and erase the log so it doesn't show on there and then I'll hack from that computer so if the FBI or somebody chases it back they're chasing it back to some little poor mom and pop or some little Education Institute and they actually don't know who I am right all they're going to see is like some type of rati logs for a period of time knowing when I was there um okay so that's fine maybe I just I'll make sure I have passwords here right um and but it's hard to remember passwords and so I I want to feel like I'm secure

but really not so I'll just use a default password maybe it's my router at home or maybe it's my video camera uh at home and what I'm going to do is I'll just set up the camera it's got a password so nobody's going to get into it right and I don't want to have to remember it so admin admin should work or admin man should not work right so this is a factory in um Vietnam I think uh I found that had a camera set up so I knew it was a camera um in the header of when I um scan I was able to see kind of what the manufacturer of the camera was and I was like huh I wonder

what that default password is a little Google okay it was like what's the default credentials of this Canon manufacturer and then I didn't even have to click into the link it said the default credentials are admin admin I was like great let me try and connect to the site via admin admin and now I can watch the factor workers work right um and stuff like that so um but that's you know I showed you a Chinese and I show Vietnam that's great let's see if we can show you something a little closer to home uh does anybody live or know anybody in Atlanta Atlanta Georgia nobody that's fine if you're on the corner Valley and

Creek Side I can give you a morning traffic report right so this wasn't set up by an individual this is definitely on top of a traffic pole definitely using admin admin is the def credentials as you go through and like set it up so just because you have default credentials don't think you're safe and just because you're like well nobody's going to know it's this type of camera nobody is going to know it's this type of system obviously that's wrong right um it's pretty easy for us to try and determine what systems there are uh one of the defaults I always check is admin admin because it's surprising how many people still use it um as far as that goes and

uh it doesn't matter if you're outside the country or inside the country you know you got to be careful with that if there's security guidance and as you set up your modems and your routers and your computers and your home Labs don't use default credentials right don't use like the top 100 yeah you've got a question

So yeah, so it can be beneficial. Here are some other screenshots, Shodan; I pulled these up for the next demonstration. There are kind of three things we need to be able to hack into a system, right? It's nice to be able to say, okay, I've got a username. I need to find a username, or at least guess a username; I can usually guess admin and stuff like that, or I can guess other things. I need passwords, and I need the IP address, right? Well, it's pretty easy to find the IP address: you can use Shodan, or people nmap the internet, they scan the whole internet looking for remote access. But if I can actually remote into a remote desktop and I can see a screen like this that has everybody's names in it, now I know what usernames to attempt, right? So what am I missing in this triad? Well, we're missing passwords. Well, we just talked about Have I Been Pwned, and there are all these password breaches out there. What's going to prevent me from going out and grabbing all these password dumps, because I can usually find them, and saying, hey, are any of these usernames in there, and do they have passwords? And then can I go through and say, here's the password I found, maybe on Facebook or Equifax or somewhere like that, and then maybe I'll enumerate different variations of that password, because probably they've used the same thing if they're not very clever, or they've used the same one. Or I can just feed it a whole, what's called a rainbow table, a whole database full of passwords, to see if I can get in. And that's kind of what we did here, right?

So what we did here is we actually went, and this is an older one, but we went and did a bunch of scans. We found a network that we could scan. I actually did this for a conference. Okay, so I'm going to set this up and I'm going to talk through it, sorry. I was at a conference in California with a bunch of business executives, and they had the Wi-Fi open. And so I was getting ready for my conference talk and I thought, well, I can talk and really, you know, be boring like everybody else, or we can do something fun. So I had about an hour before the conference, so I scanned the whole conference network that they had all the people join, and what happened was I found a whole bunch of computers that had remote desktop enabled that were on the conference network, and I thought, well, this is great. And so then I went through and started looking to find usernames, and I found a bunch of usernames, and then I was like, well, let me just grab the thousand most common admin passwords that are out there. And so then I grabbed the thousand most common passwords that were out there and recorded this as I put this together. So I was getting up talking about security and stuff like that to all these executives at this conference, and then I went through and kind of played this video, and it says: so I apologize to whoever's laptop rebooted or logged them out, but thank you very much for giving me access to your system. And somebody was not happy, right? But it made the point that we were trying to make, that you have to do things in a secure manner. And it was fun, well, for me it was fun. I said, whoever this is, come talk to me after, I'll talk to you about it. And so they came and talked to me after, and I talked to him about it, and then we kind of walked through: he had remote access enabled, here's what we were able to do because you're on an insecure network, and then here's what you can do in the future. And they're like, dude, you need to come to my business and tell us how to do this better, right?

Okay, so that's enough about remote access, default passwords and stuff like that. Let's chat social, right? So we all talk about how we can be exposed socially; we can accidentally expose stuff that we don't mean to expose. Be careful about what you post, be intentional about the information you share, and then help friends and family be security aware. Why do I say help friends and family be security aware? Because it's amazing how many friends and family post stuff that gets tagged on my social media feed that I really don't want out there. Oh, your son's turning eight today, happy birthday to him, and I'm like, please, now you know my son's name, his date of birth, and that he's a, you know, happy anniversary, you know, things like that. And so the problem with social media, or the challenge, is that once it's out there, it's out there, and there are things that we expose about ourselves that we can glue together. I may not know who Zodiac is, right, Matt, I'm going to pick on you, and I may say, man, I've heard about this hacker handle called Zodiac, I don't know what it is, but I can Google Zodiac in conjunction with SAINTCON and I can Google Zodiac in conjunction with BSides, and now I've got a name to match to a handle, right? And it's that easy. And so I want to kind of walk through things that you should be aware of, and it's not just people, it's not just what people post, but it also can include pictures that you post as well. So we're going to go through two more demonstrations with that and then we'll open it up for questions and answers.
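Looking back at the remote-access story from the defender's side: usernames read off a login screen, an exposed remote desktop port and a top-thousand password list show up in the Windows Security log as a burst of event 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP). The following is an added example, not code from the talk or from any project it mentions: a small Python detector that separates password spraying (one source, many usernames) from brute force (one source, one username hammered) over constructed log records. The simplified key=value record layout, the thresholds, the usernames and the IP addresses are all assumptions made for the example; the event ID and logon type are real Windows values.

```python
"""Flag RDP password spraying and brute force from failed-logon records.

Added example (not from the talk). Windows logs a failed logon as Security
event 4625; logon type 10 (RemoteInteractive) means the attempt came over
RDP. Every record below is constructed for this example, in a simplified
"timestamp key=value ..." layout standing in for the fields a collector
would hand you from the real XML or JSON event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [
    # constructed: one source trying a short list of guessed usernames in a burst
    *[f"2023-10-14T09:00:{s:02d} id=4625 type=10 user={u} src=203.0.113.7"
      for s, u in enumerate(["admin", "administrator", "hbenson", "jdoe",
                             "msmith", "rlee", "tnguyen", "admin"])],
    # constructed: one source working through a password list against one account
    *[f"2023-10-14T09:10:{s:02d} id=4625 type=10 user=jdoe src=198.51.100.22"
      for s in range(12)],
    # constructed: a user mistyping twice from a workstation, then succeeding (4624)
    "2023-10-14T09:20:00 id=4625 type=10 user=hbenson src=192.0.2.15",
    "2023-10-14T09:20:09 id=4625 type=10 user=hbenson src=192.0.2.15",
    "2023-10-14T09:20:20 id=4624 type=10 user=hbenson src=192.0.2.15",
]


def parse_event(line):
    """Return a dict for a failed RDP logon record, or None for anything else."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    if kv.get("id") != "4625" or kv.get("type") != "10":
        return None  # successful logons and non-RDP failures are ignored
    return {"time": datetime.fromisoformat(ts),
            "user": kv["user"].lower(),  # account names are case-insensitive
            "src": kv["src"]}


def detect_credential_attacks(lines, window=timedelta(minutes=5),
                              spray_users=5, brute_attempts=10):
    """Group failed RDP logons by source address and look for two shapes
    inside any `window`-long run of events from that source:
      - spraying: at least `spray_users` distinct usernames tried
      - brute force: at least `brute_attempts` failures on one username
    Thresholds are assumptions for the example; tune them to your environment."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_src[ev["src"]].append(ev)

    spray, brute = {}, {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            # every failure from this source within `window` of event i
            burst = [e for e in events[i:] if e["time"] - first["time"] <= window]
            users = {e["user"] for e in burst}
            if len(users) >= spray_users:
                spray[src] = sorted(users | set(spray.get(src, [])))
            per_user = defaultdict(int)
            for e in burst:
                per_user[e["user"]] += 1
            for user, n in per_user.items():
                if n >= brute_attempts:
                    brute[(src, user)] = max(n, brute.get((src, user), 0))
    return {"spray": spray, "brute": brute}


def summarize(findings):
    """Render findings as one alert line each (returned, so it can be checked)."""
    lines = []
    for src, users in sorted(findings["spray"].items()):
        lines.append(f"password spraying from {src}: {len(users)} usernames "
                     f"tried ({', '.join(users)})")
    for (src, user), n in sorted(findings["brute"].items()):
        lines.append(f"brute force against {user!r} from {src}: {n} failures")
    return lines


if __name__ == "__main__":
    for alert in summarize(detect_credential_attacks(SAMPLE_LOG)):
        print(alert)
```

The two-failure workstation user stays below both thresholds, so the only alerts are the spray from 203.0.113.7 and the brute force against jdoe from 198.51.100.22. The same two shapes (many accounts from one source, one account hammered from one source) apply unchanged to SSH or VPN authentication logs once the parser is swapped.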

So, spoiler, we're going to do that, but we're going to do it a little different, so it should be fun. So enjoy this video. I found it; this person is great. I was planning on setting something up, but she does it much better than I could, and she's much more dynamic.

cat named garbage says: find my birthday. Oh, you're making an Office reference in your username, millennial alert. Okay, if we start on your TikTok profile, it says Haley at the top, and you have two videos. They are not helpful at all, really. So I went to your followers, and oh boy, let's talk about your first one. On the top of her profile there's no indication of what her name is. In one of her TikToks she's talking about how she got sick, she went to the hospital and her bill was crazy. Someone was like, I don't believe you. So what did she do? She showed the entire hospital bill and did not censor out her full name. So I looked her up on LinkedIn, and she works for a dental billing company in Texas. The second thing that helped me was the way that you said something on her TikTok. Your friend posted a video about how she always talks to this rep on the phone at work who has roosters crowing in the background. You commented on that video and you said, I haven't heard from rooster lady in a while, how is she doing? If the rooster lady story was just something you had heard from your friend, you would have said, I haven't heard about rooster lady. But you didn't, you said I haven't heard from. That tells me you've also interacted with rooster lady, which means you work with this friend, because I already knew where your friend worked from LinkedIn. I looked that company up on Instagram hoping that someone named Haley followed them. Someone does, and they have your same profile picture as TikTok Haley. The profile is private, but it does say a full name, and the last name starts with D. I googled this username and I found some stuff. First thing I found was you asking someone to talk more about Birkenstocks on TikTok, which means your old username used to be here as Haley, but you changed it to cat named garbage. So I love a good comfy Birk. The second thing that came up on Google was you tagged in this photo at a dental place. It's not the dental billing place that your friend works at, but guess what, your friend is in the photo. Someone in the comments said, I love our accounts team. My guess is that you used to work with your first TikTok follower at this dental place, but you still know about rooster lady because dental billing places would interact with the same reps, right? Hi de Rass, we're looking for your birthday, but also I got Invisalign like five years ago, did my teeth look nice, Haley? Scrolling on that dental place's Instagram, and it's a good thing they love you, because they did a whole post about you. It says you're the account supervisor, you live in Texas, and oh my God, you play the violin, cool. The post wasn't even the most helpful thing for me, it was the comment. Someone said, love Haley B, and I said, wait, your Instagram says Haley D. I think Haley B is your maiden name and Haley D is your married name. So I knew if I went to Facebook I was looking for a Haley D or a Haley B. But lucky for me there was one more result on Google when I looked up your username. Here is Haley, this post of your friend getting married, and you commented, happy anniversary baby, and this friend has a lot of posts with you in it. She calls you her best friend a couple times, and you're in her bachelorette party photo, right there in the middle, and she do be loving the Birkenstocks. Friend also has her full name on Instagram and it's pretty unique. So to Facebook we go, and remember we're looking for a Haley D or a Haley B, and this post came up on your friend's Facebook with a Haley Marie B in the caption, but it's not blue, which means you deleted your account, because your profile was deactivated. I looked up Haley Marie B on Facebook and went to photos hoping that someone said your name in a caption. They did: there's a photo that says congratulations Haley Marie B in the caption, you're a violin, that's you. And then I clicked who liked that photo to see if anybody had your same last name, and one man did, and I looked up Haley on his profile, and this post came up that says, you can't tell me what to do, you're not my grandbaby. My grandma and grandpa talk like that, so I assume every grandparent does. Someone else with your same last name commented on this and said, so very true, Haley Marie B knows this, she has her granny wrapped around her thing. Went on her profile and I looked up Haley, nothing. I looked up birthday, nothing. But guess what, everybody, that doesn't mean that it's not on their profile. Facebook search sucks, and for some reason you will get more results if you filter your search by year. I looked up the name Haley on her profile and started searching in 2014 only, in 2015 only, and on April 21st, 2020, your grandma wished you a happy 25th birthday. Happy birthday, April 21st, 1995, Haley Marie B. If you had any doubt that I wouldn't find your birthday, let me just play you a song on the world's tiniest violin. Bye.

I thought this did a great job of being able to tie information together, to say how can I find out as much information as I can about people. I had somebody at my work say, you know, that's TikTok or that's Instagram, that's not really real. I said, if you're okay, I'll do it to you, right? And so she's like, fine. She's the person who runs our cybersecurity awareness program. And so I took a couple hours and went through, and by the time I was done I said, here's your name,

here's your maiden name, here's where you went to high school, here's the year you graduated. I said, you've got a cat or dog, because I found out that she had made a donation to an animal shelter. She goes, oh my gosh, that's when I had my cat spayed or neutered or whatever, and they have to publicize all donations publicly, right? And then I found out she bought a house, because her real estate agent was super nice and did this whole profile and posted something on Facebook, so it wasn't her that posted it. And then I found the small town she lived in, and they put a newspaper article out, kind of like St. George, right? They said, hey, this person bought this house, and here's how much they paid for it, they're proud new owners. And I said, so now I know how much you paid for your house, where your address is, where you live, I know that you love pets, I know what year you graduated, I know you did a fun run at this company, and then based on what I found on LinkedIn, I gave her all this information. She goes, that is absolutely terrifying, right? And she goes, but I try and be secure in my online profile, I try and, you know, do what I can to make sure that I'm not exposing stuff. And I said, it's not necessarily you, you did pretty good. It's everybody around you that decided to post stuff that included information about you, right? And that's part of the problem we run into now with social media, because I get tagged in photos, and I'm like, why did you tag me in that photo? And they're like, well, I found this and I thought it would be cool, like a family photo or something, right? And I'm like, it's not cool if I want to have a clean online presence. But we can't stop it, and once it's out there we can't get rid of it, right? So it goes back to way at the beginning of the

talk, I talked about doing stuff like freezing your credit and checking your passwords. Well, let's take a look at Google Photos. Zodiac talked about it; I wanted to do this different, I thought, well, it would be fun. There have been things that have gone around the news, and recent articles, where companies have been hiring, and what's happened, and this is the reason for this next demonstration, what's happened was people are hiring, and what they'll do is find these resumes online, and then they'll actually go through and interview the person, and then what ends up happening is that it's somebody in India or Vietnam or somewhere, and you'll end up with these fake profiles. And they'll put somebody who's really knowledgeable about the subject that comes in and gets interviews and gets these jobs, and they're totally ghost positions and stuff like that, so that you can get insider threat and stuff going. I heard about a story of a cybersecurity engineer who got this text from his friend, and he said, hey, I just interviewed somebody and they had what looked like your resume with your picture on it. And he goes, but you're not out looking for a job. He goes, no, I still work at the company I'm at, I'm super happy. And so he shared, and sure enough, somebody had taken or scraped his information from Facebook or from LinkedIn, created this job post that mirrored it, applied for these jobs, and actually had somebody stand in for the interview to get the job, right? Then they get hired and get all the access, and I have this great insider threat thing going. I thought, well, I wonder, so that sounds like we can do it with Google Photos, I can go and look for stuff, but I wonder how far I can take this. And that's what kind of the cat named garbage, oops, demonstration talks about. So I thought, well, I wonder if I could do something like, if I'm recorded here, somebody could actually take a screenshot of me and then be able to find information about me. And I didn't know if it would work, but obviously it did, because I've got the demo, right?

So I found this ad video online, where it's a Photoshop one, because I work for Adobe, and really what I did was, I said, okay, this video was playing, it talks about how you can use this product or software to put hair on a bald person, I think is what it was, right? All I really wanted was this, and so what I did was I stopped the video and I took a screenshot of it. So there's the screenshot that I took, and I thought, well, I wonder what I can find based on a screenshot out of a video, based on this person, seems interesting, right? So I went to Google and I popped it into Google Photos, and I said, okay, here's the photo I took from the screenshot, right, and I want you to go tell me where this is. And sure enough, it's an actor, and I started to see all these places where he pulled up, which I thought was super cool. I said, huh, well, let me go see where he shows up. And so as I got through the rest of this video, we actually talk through how he shows up in an Amazon ad, and shows up in a university, and shows up in a training seminar, and you want professional services, here's your guy, and he shows up here, you know. So here's the Amazon ad, you can be the best ad ever, thanks Photoshop, we love our products, right, because we can put a coffee mug in his hand. But you can also find, hey, here's a sale where there's the men's collection, there he is again, right? But I didn't do it with just this. I'll let this keep playing, but I thought, I wonder what else I could do with it, because when I looked at the previous video, or one of the previous videos that I thought about using, they were able to associate somebody with a dog, right? And so I started looking at things that could be pulled out based on appearances of people. So if you can find somebody who has the same ring, you can actually isolate the ring and go search for the ring and see if you can find the ring in photos, and it'll find things like rings, or it'll find things like necklaces, or if you've got a favorite ball cap and stuff like that. You can actually isolate and look for things that are not just the person or the face, but you can search for people's pets, or you can search for people's cabinets, or anything else that could be part of a photo, right? So, crazy stuff that we can do online. Again, not a bad idea to take your photo, if you've got a LinkedIn photo or if you've got a Facebook photo, go take it and throw it into Google Photos and search it, and see if you've showed up somewhere that you weren't expecting to show up. One, it'll keep you up super late at night because it's super fun and interesting, and two, it'll let you know if somebody's actually taken and is trying to impersonate you, or at least your profile, in some ways, so that you can then reach out to LinkedIn and say, hey, that's false, please go ahead and tear that down. So I hope this is fun, I thought it was fun. We're about out of time, we've got about four minutes. I'm going to just pause here and answer any questions you guys have. none

Okay, so that's a great question, because if you start talking about password managers and stuff like that, I hate to say this, it's going to sound counter to what I just said, but I've got a story. So I've always got a story. Sometimes, at least, especially with grandparents, oftentimes you'll see that they keep a lot of stuff written down in notes, especially as they get older and start losing their memory. It's not necessarily a bad idea to say, okay, write this down in a notebook. Right now, is it safe, like totally secure, to write it down in a notebook? Maybe not. What's my risk, right? And the risk is that I lose the notebook, right? Well, what's the risk of that? Well, the only way I could lose that notebook is if somebody broke into the home, knew where the notebook was, and then took the notebook, and now they have all the passwords, right? So that risk, I think, based on the situation, becomes less and less secure. If you're in a business and you had a desk, I would never tell you to write down your passwords in a notebook. But for them, the concept of a password manager flies way over their head, right? And the concept of an Excel file, I think, is almost worse, because they're the ones that click on links and stuff like that.

So there's a widow in my neighborhood, my neighbor called. Story time: my neighbor called, there's a widow in my neighborhood, and she called and said, man, my computer's acting up. And I went down, and I'm allergic to cats, and she had cats, and I took three allergy pills to go work on her computer, and finally said, what did you do? And she goes, well, I found this photo, it was paid for, it's a musician I'm really, you know, excited about, and so I downloaded it. And she downloaded malware. And so that means that now that you have malware, anything that's on her computer can be accessed, but in her notebook, no, right? So I said, well, don't do that ever again. Cleaned it up, locked it down, and then she called me like two weeks later saying, man, my computer has malware again, what's going on? So I went back to her house and said, what happened? She goes, well, I couldn't download some of the photos because of whatever you did, so I had my nephew come over, and he undid all of the security I put on her computer. And I just shook my head and walked away, right? I'm like, I did that because you got malware on your computer and it was stealing all your information, right? And so part of it is that we have to, unfortunately, with our older families, do what we can to make them secure, and in some cases it's: here's a notebook, keep it in a safe spot, and write down your passwords there. So that's a good question. It's kind of counter to what I always preach, but in that scenario I'd probably recommend somebody use a notebook. So, other questions? This was fun. Yeah.

question

Yeah, so the big thing is, like Arlo, make sure the firmware and software is updated, and that you're using passwords, and then change the defaults, right? That's pretty common. The other thing, especially with the Arlos or some of these that are meant to work from home, is I had actually set up a VPN that will let me reach into the network instead of exposing those IPs publicly on the internet where anybody can reach them. We've seen situations, and I'll kind of throw this out, and I'll give an example of Utah, right? I was talking to some folks at the state and stuff like that. So we've seen situations where we've had servers, at least at my company, come online and within 15 minutes are compromised, right? Like the time to compromise, if you have an insecure configuration, is so short these days that you almost don't have time to recognize that you've been compromised unless you have a full-blown security monitoring program, and you're popped. But if you set up a secure VPN, the only thing you have to secure is that VPN, and making sure that only the right people have access to it, and then you can do whatever you want inside your network and not give yourself unnecessary exposure. When the Olympics came to Utah in 2002, they saw the counts, as far as probes, especially in the state of Utah, like quadruple; it went up like 40% of the people who are probing IPs within Utah to try and find vulnerable servers and stuff like that. And we see that increase year over year. Like, we don't even care now, at least in our company, about people who nmap or scan us, like, who cares, because it happens so often that it's just something that happens. Like, in 1998 you'd get arrested for that; in 2023, 2024, I don't care. What I do care about is if you can scan and then break into something, right? And that's kind of what I look for. So that's a good question, I don't know if that answers it. So, other questions? I'm getting the flag, I'm out of time. Thank you so much, this was fun.