Have you ever wondered what strange things a digital forensic investigator has to dig through? Listen to this episode to find out.
Our guest for this episode is Jake Moore. Jake Moore is a cybersecurity specialist for ESET, Europe’s number one internet security and anti-virus company. Jake previously worked in the police force for 14 years investigating cybercrime in the Digital Forensics Unit and Cyber Crime Team in Dorset. In 2016, he was asked to implement cybersecurity advisers in order to make local communities more aware of ever-increasing cybersecurity threats.
Jake shares many experiences working in digital forensics and cybersecurity. We also discuss simple things you can do to keep cybercriminals away and social media accounts safe.
“If my 73-year-old mum can do it then so can you.” - Jake Moore
Show Notes:
- [01:05] – Jake shares the background on how he got started in cybersecurity.
- [03:20] – Without an understanding of cybercrime and what they are doing there is a huge chance that these companies are going to end up losing millions of dollars down the line.
- [03:57] – When Chris was in college he was very interested in crime scene investigation and he did a ride-along with a crime scene investigator.
- [06:13] – Jake shares a story about a time he received a laptop as part of a murder investigation.
- [08:37] – In the UK, they have a system for reporting all cybercrimes called Action Fraud.
- [09:53] – Cybercrime and fraud are making up over 50% of crime in the UK.
- [11:03] – Prevention is the best cure.
- [12:31] – Use a password manager. 90% of people are using two or three passwords for everything.
- [13:29] – Jake also suggests turning on two-factor or multi-factor authentication. Every social media and email account offers it.
- [15:14] – If it hasn’t happened to them or their nearest and dearest then people think cybersecurity won’t happen to them.
- [17:22] – Sometimes in scamming emails they include an old password that they acquired from a data breach.
- [18:39] – Jake likes to make people aware that you can phish people’s information.
- [21:04] – Even people with awareness tend to forget about things as soon as something amazing comes along.
- [23:24] – Cybercriminals are very crafty and they are doing their homework.
- [24:34] – They often feed their victims’ egos just enough to get them to bite.
- [25:24] – Cybercriminals use urgency as one of the key factors.
- [26:06] – The use of authority is another key factor.
- [28:14] – Always back up your data. This is a good practice for everyone and can be beneficial in many different circumstances.
- [30:31] – It is important to have a local back-up and a cloud back-up.
- [32:01] – Chris has two back-up cloud services and a rotating clone of his hard drive.
- [34:15] – Chris shares a back-up story about a company that he worked for.
- [35:19] – Some people learn the hard way and sometimes that is what it takes.
- [36:46] – It is important to have a place to store your photos and just use your phone for recent photos.
- [37:21] – If Jake’s 73-year-old mum can do it then anyone can.
- [39:12] – Sometimes providing more information can almost backfire and trip people up.
- [39:44] – Awareness and education have to go hand in hand.
- [40:36] – The number one rule is never to click on any link in an email.
- [41:02] – Jake’s best advice is to do one of the things they talked about today in the podcast.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
“The number one rule is never to click on any link in an email.” - Jake Moore
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Have I Been Pwned
- Jake’s Website
- Jake on Twitter
You've been working for ESET for a number of years and dealing with cybersecurity in some capacity for probably almost 20 years now—16 years. Can you give me a little background on how you got started in cybersecurity?
Yes. I came out of university many years ago. I didn't really know what I wanted to go into, but I did know that I loved crime. I was fascinated with crime. I remember actually saying to my mom, “What on earth am I going to do?” She said, “Well, if you love crime, why don't you go and join the police? You can't obviously go be a bank robber. Why don't you go and target the police and learn how these bank robbers work?”
I thought this was an amazing idea. All those films that I loved back in the day could finally come to life for me. So, I went and bombarded the police after university. I did math back then. I can't do computing as I really actually wanted to because cyber computing wasn't actually there. But I said, “Wouldn't it be great if I could go into the police force?” There was a position available, but it was just as a statistician. It was only about six months I was in there until the high-tech crime unit came up to me and said, “Look, we've just started this high-tech crime unit. With your background, we'd like to train you up, put you in there, and go through digital evidence.”
I then spent 10 years in this department looking at all sorts of digital crime. Every day was different. We'd always be looking at anything from murder, fraud, missing people, and going through digital devices, trying to find that little nugget of information and then go to court and give my evidence that would hopefully put these bad guys behind bars.
But then, as time went on, cybercrime became a much bigger area of focus for the police and the Cybercrime team was formed. Again, they asked me if I'd like to go in, move across to the Cybercrime team, and do a little bit more around cyber forensics, but also go and give my experiences out to the public.
So I started to go and see my local businesses in the local area where I live and deliver awareness. That's when my love for delivering what I understand is relatively easy. Giving to the general public what I found had no real idea about the scale and magnitude of what cybercrime is actually doing. Without understanding cybercrime and what they're capable of doing, there’s a huge chance that those companies are going to lose millions of dollars (or pounds in our case) down the line.
Yup. It's pretty crazy when it comes to the amount of cybercrime that goes on out there. You see numbers in the billions and billions of US dollars every year in the US, and I'm sure internationally it's another magnitude more than that. It was funny when you were talking about having a love for crime and that aspect as a kid. I remember when I was in college, I was really interested in crime scene investigation. This was back just a few years before the CSI television shows and the forensics-type of shows came out.
I went to my local police department. I said, “I'm interested in doing a ride-along.” And they're like, “Oh, yeah. We do that all the time. Just do these forms.” I'm like, “But I want to go on a ride-along with the crime scene investigator.” And they're like, “Why would you want to do that?” “Well, that's really interesting to me.” So they were like, “Oh, well, we don't normally do that. We've got to talk to the chief of police and get his approval.” Spent the day with the crime scene investigator and it was the one day in the city where there was virtually no crime.
He's like, “Oh, wait. We've got a call of a vehicle burglary. The regular kind of front-end police guys were already there, but we'll go there and see if we can do some fingerprinting or something like that.” Every case like just before we got there, it was like, Oh, nope. It really wasn't a theft. Their kid took something out of the car and just didn't tell mom and dad, so it really wasn't a crime.
This is a whole day where nothing happened. Then we went back to the lab. He showed me how some stuff in the lab works. I found out afterward that I was the first and only person who had ever wanted to do a ride-along with the crime scene investigator. At least for several years after that, no one else asked and they decided we don't want anyone else to do it because we lost today the guy working in the lab. It was a total flop, but to me, all that was really interesting to see the crime scene investigation shows come out and the background of our work is really interesting to me.
I totally got what you mean. I love those shows as well and that's where my love for it came many, many years ago. But I did soon realize it wasn't every day that was always the fun and games that you'd expect. In fact, it would be strange when a murder came in because we'd actually get excited. Now, it isn’t that dark, terrible thought to think of, but it actually gave us something to really put our experience on.
I do remember once, I had a laptop delivered into the lab. It was in a bag, sealed; it was covered in blood, and they said we've got the guy. He killed someone. We're pretty sure he's done it. He was caught with an ax. However, as protocol would suggest, we need to know if he was doing anything on the computer at the time. If there's anything we can relate to—maybe he's going to have some sort of alibi he might try and use.
It's always good to tie up the phone and the laptop, especially as it was at the scene of the crime. So I get the hard drive, I take it out and make an image of it so I copy everything. You always make a copy and then you work from that copy. By protocol, I would just see if it was on at the time of the alleged offense. It was on at the time, so we checked the logs. I thought, “Well, I'll see what was going on in the timeframe that I've been given.” Someone had been on Google and searched for something. I thought this was interesting. What on earth would you be searching for around the time of a murder? I kid you not, genuine story. This person had googled ‘How do I get rid of a dead body?’
Oh my goodness.
Yeah. He had killed someone, chopped them up, and then as an afterthought, thought to himself, “Now what do I do? How do I clean this up?” I never saw the scene, but apparently it was a real bloodbath, and there's me with this laptop. I turned to my colleagues and said, “You're not gonna believe this”—and I said that a lot when I was in that department—“but this one probably took the biscuit.”
That’s a pretty crazy story. I actually do have a question for you about how police departments or law enforcement works. With running whatismyipaddress.com, I get a lot of people who come to me, that they were a victim of a romance scam or someone hacked into their banking account. Usually, it's their Facebook account. Usually, it's social media stuff that they're worried about. I'm sure that if someone called you and said, “Hey, someone broke into my Facebook account, do you guys actually do anything?”
It does depend. We have in the UK a system of reporting all cybercrimes. It's called Action Fraud. They are the frontline of those smaller scams, a bit of hacking, and so on. It's really a place to try and filter out all the low chance offending that you're going to go and locate. If you know who the person is that's got into your Facebook account—maybe it's your ex-partner, for example—they've done something and it points towards that person, and therefore the local police can go and do something about it, then yes. If you can locate that perpetrator, it's worth doing it.
But so much of the time—this is the sad point—we've got millions of cases coming in and the police are just sat there thinking we don't actually know who's done this. We can't go and look in the Bitcoin account because there's just no trace. They're using a VPN. They're using the dark web. We haven't got a trail here. It isn't like murder. Even a targeted murder will leave some sort of evidence.
Cybercrime is a whole new kettle of fish for the police, and it's now making up over 50% of crime, fraud, and cybercrime for the police in the UK. It's taken them right underneath their feet. It is absolutely, such a massively difficult area to go investigate. To make it worse, the public is bashing the police all the time saying, “Why aren't you finding out who hacked into my Facebook account?”
Yeah, and they're going, “Well, what did they steal? What's your monetary loss?” I think that's the hardest. When I'm dealing with people, I think that's the hardest thing for people to understand. There is this very visceral feeling of someone who has invaded my property, someone who has gained access to something very personal to me, but when there's no monetary actionable crime, it's really hard for the police to say, “What's the payoff if we catch this person?” Hey, do that again.
And there's always a cost involved as well. This is why the government—actually the home office—decided that awareness is far better. It's the old classic saying, “Prevention is the best cure.”
They set up all these departments around the country and said if you could have a few people that go into businesses in the public, and give them that advice, tell them the reason why that person got into your Facebook account is because your password is your cat's name, that you post on Facebook with your year of birth at the end of it. Don't do that and they won't have access. That's not a clever hack. That is social engineering. Social engineering is far too simple these days. If you're offering up what your password is and then using it on your every single account, guess what's going to happen?
This is where the police have wanted to really turn it back into the public and say, “We're not going to say it's your fault. However, we really want to give you the education needed.” It's not difficult and there are some really simple and cheap ways of bolstering all of those defenses to keep the majority of these cybercriminals away.
Let's talk about some of those simple things that we could do to keep cybercriminals away, then I'll ask you some questions about some of the questions that I'm often asked when it comes to Facebook accounts, social media accounts, people thinking they've been hacked, have they really been hacked, and what they should do. What are some of the things that people should be aware of?
The first thing I go say to people is, “Do you use a password manager?” I go do big conferences, but say I have 100 people in an audience. I'll say to them, “Who's using a password manager?” Usually, you get about 8-10 people put their hands up, maybe more if I'm doing it to an infosec community. But to the public, 8-10 people put their hands up. That means, I always say this, that means 90% of you roughly are using one, two, or three passwords for everything. That is a major, major problem. Those three passwords that you've got are probably going to be related to you. They say, “Yeah, but no one's going to go for me. Who's going to go? I haven't got any savings. Why would they want to ever go for my social media? It's boring. If they stole it, I wouldn't care.”
This drives me crazy, but it just sets in stone where the problems lie. I then say to them, “At least turn on two-factor authentication, or if you call it multi-factor authentication, you must go and set this up. It is very simple. Every social media account offers it. Every email account will offer it, and that is where you need a password to get into it. Then you need a one time password that only works for 20 or 30 seconds that is sent to you into your device or your smartphone and then you've got access to get into it. Only you.”
So someone else did have your password. If your cat's name is […], for example, then they still wouldn't be able to get into your accounts from a separate device because that one-time passcode is going to be sent to your device in your pocket. This is seriously going to reduce the chance they're going to get in.
Yeah, that's definitely a recommendation that I make to everybody is absolutely use a password manager. Absolutely use two-factor authentication, and a lot of people are like, “It's just such a hassle to have to use that one-time passcode.” I always think about it as, if someone took my life savings, that's a considerably bigger hassle than me having to enter a six-digit number every time I logged into my bank account.
But I think people don't think it's going to happen to them. When I go for a cycle—I cycle every day—I lose count every day of how many people are still driving while texting, which is illegal in this country and it gives you a lot of points on your license and a huge fine, but people still don't think it's going to happen. They all said they're not going to get caught.
I think the same thing happens with cybersecurity—that if it hasn't happened to them or their nearest and dearest, then they just think it's one of those problems that happen to someone else. But you speak to someone that's had it happen to them, and they'll have fantastic security. They understand that a password manager is actually way more convenient to have set up.
I can't remember all of my 200 passwords, but my manager has them all in that. I just kind of copy and paste it. That's so much easier. I don't know why people aren’t joining this yet, but this is what keeps me in a job. I get to go around the country and say to people, “This is why you should do exactly what I'm saying.”
I like to tell them a story about how I've gone to socially engineer someone—usually one of my friends—and how I got into their website, how I can get into their WhatsApp, and how I can hack into their business. I've done a load of different scenarios to then use that as my way to make them think, “Huh. Maybe I might just listen to what this guy is saying.”
I know the takeaway that you mentioned of people having this mentality of, “I'm nobody special. I'm not being targeted.” I think that's one of the things that I see is almost the flip side of that is because these attacks aren't targeted in general; they're just, “I've got 100,000 username and password combinations that I'm just going to try and just happen to get it.” No, you weren't targeted specifically, but we got in. But I also see the opposite side of that is because there are so many of these brute force attacks going on that I'm going to send this ransom email to 10 million people, that someone who gets one of these actually thinks they are being specifically targeted.
You almost see it both ways that when the person is thinking about it, “Why should I do this? I'm not being targeted.” But when they do receive it, it's like, “Well, why are they targeting me?” Once they become the victim, they feel like they have been targeted. But prior to that why would anyone bother to attack me?
Especially when those emails might have an old password that is being breached from (say) MySpace, LinkedIn, Yahoo. They've all been hacked and then they throw it in there. I've had people ring me up and go, “Oh my God, Jake. You'll never guess what. I have this e-mail and it's going into my account. It even showed me my password.” I've gone, “Okay, first of all, that's the password that was breached years ago. Second of all, it's rubbish. Thirdly, are you still using that password from many, many years ago? That is probably your favorite football team?” “Yeah. Okay, Jake, enough of that ‘I told you so.’ Just make it go away.”
I remember getting one of those, and it was using a password that I had way before I was using a password manager. I was like, “Wow, that's from a really, really old data breach.” I don't know how I knew, but I knew it was from a really, really old data breach. I'm like, but someone's been using that password within the last year or they use it multiple places that just trips them emotionally. It's like oh my gosh, they really have hacked my computer, but in reality, they haven’t.
Yeah, that really can throw them off. You're absolutely right.
What are some of the other awareness points that you talk about when you're public speaking?
I like to make people aware that you can phish people's information. A lot of the time, I might even show them how their passwords can be shown to them because I actually found a list on the dark web. A list of 1.2 billion passwords. This is quite interesting. It had people's usernames and passwords in there, and I'm able to type in their email and come up with those passwords. As you said, you've seen one before, which is many years ago, but some people who are still using those passwords are extremely shocked to see that, in their eyes, I have their password and email address on my laptop.
Now, this scares people. But I wonder how I would be able to find people's information if I didn't have that. Now, there are all sorts you can do. There’s open-source research, social engineering people by just looking them up on the Internet, googling them. I found information on people before using MapMyRun. I don't know if you use those mapping apps, and so on. People will post photos on there. Again, it's another tool to find information.
I was once able to target a guy who allowed me to do this. I sent a rogue email to his PA. I said to him I was going to try and get a password out of him and he said, “Go on then, mate. Try it.” Now, I went to his PA knowing that he would probably not touch his emails for those three weeks that I was going to try and get into him as a penetration test example.
By going to the PA and pretending I was from a TV company, and I wanted to use their company because they are so amazing, wonderful, and they looked so vibrant, picking her up, making her like me. She couldn't believe it. I don't know, but she probably ran into the boss and said, you won't believe this. ITV wants to come and film us and speak to you on camera. Now, this was the moment where I thought he may have twigged, “Oh, that Jake’s up to some dirty tricks.” But like most people who have even been given awareness tend to forget about that as soon as something amazing comes along.
It's not too good to be true because they've emailed and she checked out the background and went, “Oh, well, they looked like a genuine person, of course. Comes from a real TV company. Yeah, why not?” I go, “Okay, fantastic. What I'm going to do is send you a document. I need the boss to fill it in.” I didn't go and make a fake ITV website, that'll take far too long. He'll probably notice it. So I just use Google Docs. It was actually Google Forms. Google Forms is awesome. You can just make up a form and make it look pretty good straight away.
What you’ve got to do is get an image of whoever you want to be, stick it at the top. Add some numbers after saying application form 4.1.2, because some numbers always make it look more professional. I asked for his name, age, and address. I went for it. Just to really wind him up, I even asked him for his shoe size in that form and not just the Religion and Disability Act and so on. Shoe size now and then in brackets, we said, “We understand you may think this is odd, but we've got product placement in this TV show we're doing. We're being sponsored by Clarks Footwear and we need to know your shoe size so we can then order the shoes in. Then, when we do some cutaways, we'll have photos or footage of your shoes while we're talking to you.”
Now, he fills this all in, and at the very last question—it’s, “Also, to set up this application, you need to set up an account with ITV, so please put in your password here.” He then put in his password and submitted that form straight back to me.
I ring him up instantly and say, “You're never going to believe what I've just done.” He goes, “No, no, no, you're never going to believe I'm gonna be on ITV.” I went, “Oh, really? Well, I know your shoe size.” He then goes, “Oh, my God.” That is the moment he realizes he's being duped, luckily by his friend. But it really does prove how easy it is to make people fall for those kinds of scams. He knew it was coming to him, but it was packaged in a way that was so well-targeted, which is what cybercriminals are doing. They're doing their homework. This is why I do it and I actually do this in a talk. I make it a big half an hour to really go into the detail about what those social engineer, phishing cybercriminals are doing. Very, very crafty.
With that background, knowing that he would be forgetting all of that awareness advice he's been given before—and like I say, knowing I'm going to come for him—he then still gives away a password and, funnily enough, it was his football team with a dot and then a number at the end of it.
I divulged this to him and he could not believe how easy it was for me to get that just asking him. You go ask someone on the street, “What's your password?” They're going to say, “Jog on,” of course. But if you package you in a way and give it a week's thought, they might hand-deliver it in a lovely package for you.
Yeah, just looking like you're a vendor. It's often what you see with any type of a relational crime is that you're making the person feel good, making them feel important, that they're valuable, and just kind of feeding their ego just enough to get them to bite.
Yeah.
I would say, “Hey, if I came and I told you I've got $20 million for you,” you'd probably go, “Okay, well, that's a scam.” But if I said, “There’s this $200 refund.” “Oh, okay, that's much more reasonable,” and I know who your seller is, your provider is and it's a refund for, what's it? E3? Is it EE out there?
Yeah. They’re so good doing that research. I read up a lot about this, but it's about the powers of persuasion, the influence tactics that are used. In my emails, I was going back and forth with the PA. I used urgency as one of the key factors that just said, “This needs to happen by end of day today.” But I built them up. I went back to liking them. These are two of them.
There are six powers of persuasion that you'll get in any type of phishing email. If they're used perfectly, but not too much, that's when most of the people that are maybe susceptible to it will give away information, any passwords, maybe financial information, or even more.
I was recently talking with a psychologist about the psychology of why we fall for scams. One of those elements that she talked about that I hadn't necessarily…when I looked back at it was like, “Oh, that's obvious,” but at the moment, I didn't think about it, was authority. That if you looked like you are one in a position of authority, you're not claiming to be the president of the United States, but you're claiming to be with the military—“I work for the police department”—It’s just enough authority to say, “Oh, I should listen. I'm a good person.”
That works really well, actually, with military personnel as well, because they understand authority better than anyone. If you are of a higher rank in the police force, then you do what they say.
You might not even know who that person is, but you make a phone call to a police officer and say you are detective inspector whoever. There's a good chance they're going to listen to that phone call and start divulging information that they never would. The fact that you just heard the detective inspector, they're thinking, “Oh, gosh, yes. I'm going to have to give you everything I can see on my computer right now” before they even think about it. Then it's that five minutes later, “Oh, my goodness. I really don't think I should have given away that info.”
I wonder how many times reporters and people for newspapers use that to find out what's going on with investigations.
Funnily enough, while I was in the force, that did actually happen and they had to change the way that they would give a code. If they were ever suspecting that someone wasn't who they said they were, they asked them for that week's code and that week's code was only found in the weekly police newsletter on about page two or three.
That was the only way that they could think of that and would say it has to be someone from the force because they know the code. Obviously, there are ways around that, but it was something that they were trying to overcome because, as you say, reporters or anyone would love to ring up the police and find out what's going on.
Very much so. Is there one more top awareness item?
I always tell people to back up their data. This is like pulling teeth. You tell them to back up and they go, “Yeah, that's on my to-do list. I'm going to do it. I'm busy right now and I'm busy tonight, but I definitely will do it.”
One of my horror stories is when this guy—he was a police officer, a good friend of mine—it was just after Christmas and he came to my house. He said, “I don't know if you've heard, but my house burned down because of faulty Christmas lights.” Horrible time of the year to happen, but he said, “The house is burnt down to a crisp, but there's only one little thing that I've gotten, and it's my safe. I did leave my laptop in the safe.” He said, “I don’t know where to go, but I know you can get deleted data back so maybe you'll be able to get this because my computer doesn't work anymore.”
I said, “First, before we even start getting into any of that…sit on our hands. Did you make a backup?” He said, “No, but I've told my wife I did. So I'm hoping that you can get all our baby photos back from this computer.”
I am looking at a box covered in ash, I'm not extremely hopeful right now, but I opened up the safe. Yes, there was a laptop in there. The laptop wasn't too badly damaged, I must admit, it was a very good, pretty fireproof safe. However, the smoke, I believe, killed the laptop.
As you may know, you don't get the data necessary just from opening and turning the laptop on. I took the hard drive out and I plugged it into my home computer. Luckily, it spun up. You could see the happiness on my friend's face and I got the data off. I put it on another hard drive and I gave it to him.
He then went off knowing that he still had those five years of photos. Now I see him every so often and I joke about it with him and I say, do you still do regular backups? And he says to me, “Oh, my God, you wouldn't believe. I am now terrified of losing anything.”
He has local backups and he has about three cloud accounts for every photo he ever takes of his kids now because he is desperately scared of losing any image ever again. But it's funny, it took that amount of stress and pain for him to be categorically always wanting to back up.
Now, I did go and tell people that story, but if people don't have that personal feeling in their stomach of dread, then they tend to just put it off. Procrastination is a very easy thing to do, but until you really know what that feels like, I still speak to people today and they said, “I've dropped my phone. It's absolutely smashed up. I cannot turn it on.” I say, “First thing, have you got the photos backed up?” Then, they'll say “no.” I said, “Why on earth are you leaving all of your photos? Back in the old days we never did that. Back in the old days of our photos of our childhoods, our wedding photos and whatever, were never just kept in our pocket at all times. We had albums and albums at home physically, even if no one's printing photos out nowadays. Please go and store them somewhere else.”
I'll tell you of my backup strategy and people think I'm psycho for this. I do have two separate cloud backup services. I do a rotating clone of the hard drive. Once a week I do a full clone of the hard drive and I have two drives. One stays in a safe at home and one stays at a safe at the bank. Every week I rotate them and then I have a local […] as well.
Wow. I didn't think banks were being used anymore. I didn't realize banks are being used to go and leave your hard drive there.
That's the only thing I have for that safe deposit box is a hard drive. A lot of people like your friend were like, even if they're actually making a physical backup locally, whether usually, it's in the same location that their computer is. If the house burns down, a backup really isn't a backup if the backup is in the same location.
That's such a good point because so many people only think of one thing happening. People may think, “If I have a fire, at least I've got it in the cloud.” But then a lot of people will have that backup via a USB that is always connected to their computer.
Ransomware comes along and kills the whole computer. It kills the backup as well, which I've seen in so many businesses and then I say, “Well, have you got a cloud backup?” And they say, “Yeah, we pay just for the Dropbox minimum levels, so that's going to be encrypted as well.” “Your local backup, where is it?” “That's there as well, but was only using the local backup because I thought I might get hacked.” People tend to forget about what might happen. The fire situation is one. The cybercriminal is another.
Wow. You're doing the right thing. I'm preaching to the converted here. Very rarely do I meet anyone who even doesn't back up, let alone every week.
I was always pretty good at a previous job. I was working in IT, making sure things were backed up. At some point, when the company moved and things changed, they stopped their automated backup platform. Bad things would always happen when I would be on vacation. I remember getting this call when I'm on vacation. The CEO's computer crashed and he can't do anything and we can't reboot his computer.
Luckily, email and all that stuff is stored on servers and things like that, but he had some documents that were not on the server, that were only on his local machine. I remember saying, “Well, call this company. They'll come out and see if they can get it working. They couldn't get it working, so just give him someone else's computer and you'll have to deal without those documents until I get back.”
I got back and yanked the drive out, tried to see if I could get the files off of it. I couldn't. So I had to take it to a local drive recovery company and I think it was about $1000 to get back a couple of files. Well, you could have easily spent $60 a year to have that in the cloud and have your files back in two minutes, but it didn't work.
Those people learn the hard way, but sometimes that's what it takes. If that is what it takes, then so be it. Luckily, they can sometimes get their data recovered, those data recovery services. They know what they're doing. I think over here it's £500 to see if it's possible and then a further £500 if you really want it.
Of course, everyone's got to the £500 level and then go, “If you get it, of course I'm going to give you another £500 to go and get it. So, hey, take my money.” They've learned the hard way. I think the toughest I've seen is people who have genuinely lost their data on maybe the old days of an iOS upgrade and they haven't done a backup. And when it used to brick your phone sometimes, they say, “All right, Jake, can you get that data back?”
iPhones, crafty as they say, are very difficult with the equipment I used to have to go and get those photos back and you'd see that dread on their face. There are thousands of photos of many years that've just been disintegrated in just a few minutes.
It baffled me that whenever I heard people say, “Hold on a second. I need to delete some photos off of my phone so I can take some new photos.” I'm like, “You're not storing them anywhere else? You don't just have your recent ones on your phone? What are you doing?”
It's a great point. People just need awareness and it comes back to your point. I love talking to people about awareness, trying to make it interesting. I don't wanna be too scary.
Yeah, I probably sound a little bit scary tonight, but I really like to be able to give people just the chance to go and do it themselves. If they can then understand what I've said and then go away and think, “You know what? That guy probably had a point. I will go and get a password manager. He said it's not too easy.”
My mom is my test. She's 73. If my mom can do it, anyone can. She's my guinea pig. Everything that I go and tell people when I find it easy, I know it's easy because I've watched my mom do it. I've set her up with it to be able to do it herself. Then I say to people, you know what? If she can, you can. That's what I love when they think, you know what? Maybe I just will.
Yes. That's a good one. If mom can do it, anyone can do it, because mom’s not IT.
That's right.
There's one thing of awareness that I find that frequently trips people up. Let's say social media sites. Let's use that. Let's use Facebook as an example. You can go into Facebook and say someone thinks they've been hacked and so they go into their Facebook accounts. It will show me all my recent access history.
All of a sudden, they start seeing all these IP addresses and all these locations, and they utterly freak out going, “Oh, my gosh, there's a dozen people accessing my Facebook account over the last six months” or whenever as far as the history goes back. Because one of the challenges is Facebook doesn't know if it was really you or not. It's just an IP address. It doesn't know whether it was your home IP address, or when you were at the coffee shop, or you were at the mall WiFi, or you're in your office and on the WiFi there. An IP address, geolocation, isn't always that accurate. It might be a couple of cities over. Maybe it's right, maybe it's even hundreds of kilometers away.
The immediate assumption is, “Oh, my gosh, somebody has gotten into my account.” It's unfortunate that sometimes providing more information almost backfires, like, “Hey, we're going to create awareness. We're going to let you see the activity, but we're not going to give you the tools to understand what that activity means.”
But if they are using two-factor authentication, then they can clearly understand (if they clearly understand it) and they can sit back and know that each of those access IPs would have been them if they truly understood it. Yes, of course, the awareness has to go with education hand-in-hand into making them aware this is possible. But then teaching them well, actually this is what it is, this is why it works, and this is why there's a good chance, a 99.9% chance that someone else won't have gotten into your account. If you set it up correctly, then if someone was to get into your account, you don't even get an email to say someone on this IP has just entered or accessed your Facebook. Therefore, it's the only way to go about it on all of your accounts.
Yes, exactly. Then you have the people who get fraudulent emails, forged emails saying, “Hey, someone tried to access your Facebook account. Click here to confirm that it wasn't you.”
True. The number one rule is never click on any link like that. No way.
Never click on an authentication link. Always go directly to the source and verify it there.
Well, I super appreciate you spending half an hour, 45 minutes of your time with us today, sharing your experiences. Is there any final word of advice you have that you'd like to give people?
Do one of the things I've spoken about tonight. If there's anything you're going to go away with, at least promise me you're going to do one of those things. Password manager, back up, set up 2FA. If you haven't done one of those three, go and do that now, you will notice the benefits in years to come.
I like that. Pick one and do it in the next half an hour. If someone wants to learn more about you, hear more about where you're speaking, how can they find out about you? How can they find out more about ESET?
I've got my own website, which is where I promote all my stuff that I'm doing, which is jakemoore.uk or you can follow me on Twitter, which is Jake_MooreUK. I'd love it if you want to keep in touch. I'm always open to any questions. Contact me through there and thanks for having me.