Cybersecurity for Event Planners

Originally recorded Wednesday, May 18, 2016

There’s a new battleground out there, with hackers, cybersecurity experts, governments, and spies all struggling over information – your attendees, your members and your own. Responsible event professionals look for ways to protect their data and privacy, but cutting through the technical mumbo-jumbo and media hype can be daunting.

Learner Outcomes:

  • Online security and privacy and what’s the difference.
  • Your top five real security risks (and the ones you can ignore no matter what the hype says).
  • Seven simple steps to securing your data.

In the webinar, I promised I would publish a link to Pablos Holman’s great TEDx talk, in which he hacks a hotel room, tracks someone at an event using Bluetooth and generally causes digital mayhem. Well worth the watch!


Jordan Schwartz

All right, thanks everybody for making some time today, to learn a little bit about Cyber Security for the Event Planner. I am as I mentioned, Jordan Schwartz, that is not me. That is how I pictured myself in the early ’80s, when I was a hacker. I ran a bulletin board, out at my home with twin 2600 baud modems and we traded codes on it. I stayed involved in that, for about five years until some representatives of the federal government showed up at my door while I was at school, and asked my mom and dad if they would pay closer attention to my user use. I stopped.
I’m sorry, that wasn’t showing my screen. There we go, all right I turned back on my screen there. That’s me. That’s a little bit about my background. I have been in software for, gosh I don’t know, close to 20 years now. I worked at Microsoft for about ten years. Leading teams and software development including in security issues. I have been the president and CEO of Pathable. We build mobile apps for conferences and trade shows, as well as event websites for the same.
Community platforms, for conferences and trade shows. I know, hopefully I know a fair bit about what we’re talking about today. We will be talking about cyber security, with an eye on how it is most relevant to the event planners. Just a little bit of housekeeping. This webinar is good for continuing education units that you use, if you’re looking to renew your CMP. You simply print out the description page of the webinar and use that as part of the form that you submit to the CIC, and I’ll follow up with some more information about that.
I … If you have questions as we go, Jonathan has kindly volunteered to watch the question window in GoToWebinar. Feel free to just go ahead and type your questions in, he will either ask me, and we can discuss them as we go, or they’ll get them answered to you directly, or we could follow up afterwards as appropriate.

Jonathan Bray

Hit me up folks.

Jordan Schwartz

Hit him up. All right, so hacking has been in the news quite a bit, recently and I’m sure you know, Sony Pictures right down there, in Jonathan’s hometown of Los Angeles got hacked. Jonathan that must have been, did the town go crazy?

Jonathan Bray

It was serious. It affected my paychecks. We were delayed.

Jordan Schwartz

Is that right?

Jonathan Bray

Yeah.

Jordan Schwartz

I’m sorry to hear that. I’m sorry that … Pathable, Pathable paycheck was on time, regardless. It’s some kind of security here. Target was hacked recently as well, I think they captured something like 15,000,000 credit cards from that system. Home Depot, I mean just this list. One after the other, after the other. What we’re talking about today is how you can protect yourself both personally, protect your attendees’ data, your organization’s data, and just be more aware.

Before I get too far down, I want to draw a distinction. Between, privacy, which is about things like what website you visit, what purchases you make, your personal communication being available in some form to other people that you may not realize, and security which is more about people stealing things from you in an illegal way. Getting access to your bank account, using your identity to open up credit or downloading your membership database, to abuse in any number of ways. Using corporate secrets.
The distinction’s important, number one because many of the issues on the left, privacy, are uncomfortable but not legal issues. What companies are doing when they violate your privacy may be distasteful to you. It often is not illegal. Where of course, if they’re stealing your bank account, that is what just straight about, can’t do that. I want to talk about privacy a little bit first. I’ll give you an example. Let’s say, I did an experiment when I was putting together a slide deck.
I went to Amazon and I searched for vacuum cleaner. It’s just something I have not thought about in a very long time. I got a pretty good one. Then, I waited. About ten minutes later, I went over to Facebook, and in my sidebar were vacuum cleaner ads. What’s happening is, how does Facebook know that I care about vacuum cleaners? What’s happening is something called retargeting. Where these companies, not just Amazon, I mean every online retailer and media companies will leave what are called cookies, some tracking pieces of code on your computer after you visit their website.
They use it to, that data gets aggregated together with information from other websites you visit and resold to other companies that sell ads, and then they can use that to target specific ads at you. It’s perfect, for some reason, around the same time I was doing this, I kept getting these ads in my sidebar for cat food, and cat litter. Just to kind of illustrate for you how inappropriate that is, I thought I would draw up this little graph. On the left you can see the average number of cats in other people’s houses, on the right is that bar showing the number of cats in my house. It’s none. Cats in my house.
When I give this slide, in a live audience I was going to laugh so hard in the webinar so Jonathan can you help me out here? Thank you, that’s perfect, that’s perfect I appreciate it. Retargeting is uncomfortable violation of our privacy. Again it’s completely legal. What’s happening is, these companies aren’t, it’s not just the cookies that they leave on your website. There are companies that aggregate this information with other publicly available information. Your driving record, your voter ID record, your credit score.
They’ll take all of that information from these different sources, pull it together to draw up this very rich profile of you, and then sell it to advertisers. It extends even into your e-mail. I was … I’m on a mailing list, where I was discussing robots with somebody. You can see this got robot turtles. I’m an Uber user, so Uber sends me an e-mail as well. Then in my e-mail, I start to see ads about robots or Uber coming through in my e-mail. Those ads are actually … the information that’s being used to target me is not just what websites I visited, but the content of my personal e-mail that I’ve sent. That … I mean Jonathan, am I basically saying that gives you the…

Jonathan Bray

I was about to add, there was a question about that. Is that legal? The …

Jordan Schwartz

It is. Yeah.

Jonathan Bray

… Head from Utah, is asking.

Jordan Schwartz

Yeah, it is legal. The … What they can’t, they can’t read your e-mail. Although I mean given the term of service, you may want to read it. In some cases, they may be allowed to. Google, and all the major e-mail providers are not allowed to have any individual read your e-mail, but they can analyze it and use the information and aggregate for retargeting purposes such as this.

Jonathan Bray

Simply because they host it on their servers?

Jordan Schwartz

It could be because they host it on their servers. That’s right. If you, I mean I have not spent the time to read their terms of service, I doubt anyone in the world has, outside of several lawyers, even them. I doubt even the people who wrote it. I’m sure that there is an allowance for that. Some people will say that it can work in your favor, right? I’m shopping for a vacuum cleaner, I start to see ads for vacuum cleaners. Maybe they give me a special offer on a vacuum cleaner. That’s great. I’d rather see that, than ads for cat food, because I don’t have a cat.
But there’s a downside to it as well. Airline pricing is a great example of that, again obviously very relevant to all the folks on this call who travel a lot. Airlines have, it is a known practice that they will use this information, retargeting information, to offer different pricing options depending on who you are. They’re taking into account your shopping history, it’s like flying frequency, where you live, what you fly, your age, gender, and even marital status, how close.
I’ve been searching for a ticket repeatedly over several weeks and the flight date is coming up. They will offer me a more expensive price on that same ticket than they would offer Jonathan if it was the first time that he had visited the site. We’re looking at the same flight, we’re looking at the same time and yet we’re getting different prices, we’re getting retailer prices. Again there’s nothing illegal about it, it’s let’s just say though, to work against your interest.

Jonathan Bray

That was [Cosamelo 11:07]

Jordan Schwartz

That was Cosamelo? It was beautiful. It was beautiful. I should have added a little more sunscreen. The … I’ll give one more example of this now, this is where it starts moving from kind of uncomfortable to just downright creepy. Target was … Is a big proponent of using aggregate data, they track all … Everyone’s purchases and it was this big database, then they use it to send special offers and things like that to their customers. There was a case, about three, four years ago where an irate father of a 16 year old came, went to Target and said, “Look, you’ve been sending my daughter advertisements for maternity clothing, and baby toys. I try to encourage her to promiscuous behavior, why are you trying to tell her she should be a mother, this is inappropriate.”

He’s very angry. Then a couple of months later, he apologized when he discovered that Target knew something that he didn’t, which was that his daughter was pregnant. They had determined that based on purchases of certain lotions and vitamins that they had determined were often associated with people, with expectant mothers. I mean it’s super creepy for any number of reasons, I mean the fact that he then learned something about his daughter that she hadn’t shared with him. That’s where, I think it really starts to cross some lines.
There’s a … If you, I will include a link to a video that a YouTube video when I send out the [inaudible 00:12:59] by a friend of mine [Pablos Holman 13:03] who’s at … He’s a professional hacker, he’s what’s called a white hacker. He’s hired by companies to hack their networks and show them how he did it, among other things he’s also an inventor. One of the things he did, is he went to a security conference, a conference about network security, and online security. He placed Bluetooth sensors all over the building.
Your phone, if it has Bluetooth turned on. It’s constantly broadcasting a little signature. Anyone with a Bluetooth sensor can pick up that signature and read it and track it. All it really knows is that that, particular phone has come within X distance of that particular sensor at this particular time. He was able to use that to build this map of this one person traveling around the conference center. He knew exactly where that person was, when, and then he identified that person as Kim Cameron who is the chief security officer for Microsoft at the time.
Very telling example of how even security professionals can be hacked, there’s nothing that important about knowing what talks he attended, and when he went to the restroom. If he was meeting with private clients, with clients in their suites, that starts to give more information than I think he would feel comfortable sharing with competitors and such. Then of course, snooping by the National Security Agency has made what’s … Made the news often recently, and again makes people uncomfortable.

Jonathan Bray

Another question Jordan?

Jordan Schwartz

Yeah, sure.

Jonathan Bray

Speaking of the NSA, asking this is from Lisa. “Did it … Do you think that the NSA is more or less probing would be how to summarize this question. Than the private companies you’re …”

Jordan Schwartz

Interesting, so the NSA has more, has access to more information than private companies. As we have become painfully aware they can know every phone call that you’ve made, how long it was, to whom you made the call. They, with a court order can have access to the content of that, if the text messages and things like that. With even without a court order, they know when you’ve made calls and to who. Of course, private agencies don’t have that information. It is I think a longer-ish question than we have opportunity to get it today, to decide to talk about what they actually do with that, and I think the private companies are using this every day to change your experience on the web.

It really, it can be impactful, I know that Facebook recently got in trouble for doing an experiment on its users where it changed the content of people’s news feed in a really subtle way. It started, it tweaked its algorithm, so a certain subset of people saw happier stories, and another subset of people saw sadder stories, or stories that seemed to have words in them that connoted negative emotions. Then they tracked the kinds of updates that those people made. What they found was that, the people who were seeing things in their feed that were sad, actually became measurably more sad themselves.
The people who saw things that were happy became more happy themselves. They got, it’s what they did is probably legal but certainly unethical there are human subjects review board issues when you use psychology experiments like that, that they didn’t follow. It proves the point that what these private companies are doing, even at the level they’re doing them can have really negative effects.

Jonathan Bray

Interesting.

Jordan Schwartz

What do you do about these issues? One I kind of, rule of thumb. If it’s on the internet, it isn’t private. That’s probably, if you keep that in mind, your, we’ll have some level of protection. I don’t know, stay off the internet, is that a good strategy, and phones? In this day and age, it really isn’t. There are things that you can do. One thing you can do is, use an Adblock. Adblock Plus is a plugin that you can install into Internet Explorer, into Google Chrome, into Safari. Whatever your favorite browsers.
There are, there’s an iPhone version, there’s Android phone Chrome version. What it will do is block those cookies that the companies are using to track you. It also blocks the ads that they’re showing from showing up in your interface. There’s some controversy around using ad blockers. The issue is that the internet as we have become, as we’ve come to enjoy it is largely free. I don’t pay for Facebook. I don’t pay for … Well I pay for the New York Times. You can use it for certain number of articles for free.
Sites like CNN, and Google. I mean these are all free services. Of course companies are making lots of money and they’re making it by selling ads. If you’re blocking ads, you’re essentially using a service without paying for it. They’re not asking you to pay in money, they’re asking you to pay … They’re asking you to pay with some of the pixels on your screen, and you’re violating that implicit agreement. I don’t know how strongly they feel about that one. If that is something that bothers you, then you might opt for something like Privacy Badger. Just a similar plugin.
It’s created by the Electronic Frontier Foundation which is a nonprofit dedicated to privacy to protecting the privacy of citizens. It does the same thing. It rather than specifically blocking ads, it looks to target the tracking cookies that they use more specifically. That maybe a better option for you. Jonathan do you see their Adblocker or Privacy Badger, anything like that?

Jonathan Bray

I don’t. I thought about it. They could still read the body of my e-mail right? Wouldn’t … if it was Privacy Badger. Would it still be able to target to some of them?

Jordan Schwartz

Yeah, no that’s a really good point. They can read the body of your e-mail. It’s something like Facebook, where you’re signed in. They know who you are, they know what you’re doing. They don’t need a cookie to track that. Then information still gets aggregated in exactly the same ways as I was talking about before. This really just prevents tracking of your activity on sites where you are otherwise an ads. I found, I did, I’ve tried both of these. I have found that they do a good job, but they will sometimes interfere in the normal operation of sites.
As they’re trying to block these cookies, the algorithms aren’t perfect, and they end up blocking the CSS or JavaScript that some pages need to just look right. I would be looking at a page, I go, “Oh my God, this website is broken.” Then I would find out that it was my Adblocker that was breaking it and I just, I could disable it on that site, and go about my business. It became … I mean enough of a bother that I decided that I wouldn’t worry about it.

Jonathan Bray

What I’d be concerned it might affect my close personal friendship with Mark Zuckerberg as well. I leave that out.

Jordan Schwartz

That I am sure, I’m sure that’s going to be an issue for you. Let’s move away from privacy, now we’re going to talk about Malware, and either, didn’t know … Searching for a term to kind of capture. All the different ways that control can hurt you online. I call them, Badnesses but a little [inaudible 00:21:53] I’m after that. There are, well there are a lot of them. I am not going, I have a slide for each one of them. I won’t … We’re going to plow through this pretty quickly.
I want to get to the point where I give you actionable information, and also talk a little bit about, make sure that we spend some time talking about not just cyber security, but cyber security as it relates to conferences and events. I think defining some terms is going to be useful, kind of help you create a framework for online security. A virus, we use the term fairly loosely but it does in computer security circles, it has a very specific meaning and it’s a self-replicating program.
That means, it has to be able to … it has part of what the program does is copy itself to other computers. These may get on to your website, or onto your computer sorry, when you visit an infected website, if your browser isn’t up to date, or has some security hole in it. I visit the website, my browser, the software on my computer loads up that website. It gets an instruction to download a piece of software and install it locally and it does it. Of course these modern web browsers are designed so that they won’t take those instructions.
They’re not allowed to do things like install malicious software on your computer. There are sometimes errors in the way programmers have written these web browsers that allow people to get past that. A Botnet is what happens when you have a lot of infected computers. What … What the kind of big professional hackers do, the ones who launch attacks on Sony for example, is they will infect literally millions of computers with a virus. All that virus does is sit there, quietly waiting for instructions.

The hacker from their underground lair in, on the North Pole or wherever can at their discretion, simply push a button, send out an instruction waking up the viruses on these millions of computers, and then they will all go do something. If a million computers all wake up at the same time, and go start just trying to load a webpage at once. Suddenly a website that is used to having thousands of visitors, goes to having millions of visitors, that’s going to come down real quick and it overloads it. That’s one of the techniques that professional hackers use.
I mention it, because even as an individual who probably is not going to be exposed to a Botnet attack. You want to keep viruses off your computer, because you don’t want your computer to be one of those bots, that is suddenly getting instruction and being part of this zombie army attack. A worm is kind of like a virus, it’s a self-replicating piece of code. The difference between a worm and a virus is really that a worm doesn’t need you to do anything.
If your computer is connected to the internet and it doesn’t have a good firewall, and there are other holes in your operating system, a worm can penetrate your computer just by leaving it on. You don’t have to open a web browser and visit a website. A trojan is a program that’s designed or advertised to get you to install it, and then it does something beyond what it had been told it would do. Ransomware is the biggest, hottest new thing in online attacks. Jonathan I don’t know, have you … Do you know anyone that suffered from these?

Jonathan Bray

No, this is news to me.

Jordan Schwartz

Okay well, just batten down the hatches. Go and lock your door, I’ll wait while you do that. Ransomware, using a virus or worm or other attack mechanism, like social engineering which we’ll get to in a moment. The attacker will lock up your computer, or encrypt it. Suddenly all your documents, all your data. Your database is your … All that information that you depend on to operate your life, is suddenly you can’t access it. They send you a message, they say, “Hey, I locked up all your data, send me $500 and I’ll unlock it.”

Jonathan Bray

Wow.

Jordan Schwartz

It’s really distracting. The crazy part is, if you were to go, this happens to you. It’s happened to people I know, or at least that my parents know, it tends to be the older generation unfortunately that is getting targeted more by this kind of thing. If you go to the FBI and you say, “This is happening, can you help me?” They’ll say, “We advise that you pay the ransom.” There is no way around it work, hopefully maybe if you have backups of your files, you can restore the backup, just don’t and, close the hole so it doesn’t happen again. There’s no … Once it’s happened you’re really at the mercy.
The crazy part is, this is such a frequent occurrence. It’s so popular these days that it’s become a refined business. If you don’t know how to send them $500 in Bitcoin because how clueless others in Bitcoin. Unless you’re part of the [inaudible 00:27:36]. They have a call center, they will walk you through. Friendly people will walk you through, explain how to do it, and show you. They’ve set the price point, it’s $500 up to $50,000. Because they know you’re not going to come up with $50. Optimize the price point, make sure that you’ll pay the ransom.
They unlock your software, and if you’re smart, then you make sure it doesn’t happen again. They’ll really do it, they’ll typically, they will unlock it, they don’t just take your money and run.

Jonathan Bray

When you’re done, is there a survey for asking the customer service?

Jordan Schwartz

I’m sure there is. I’m sure there is. Press 2 if you stay online.

Jonathan Bray

Jordan, is it just the hardware they’re hijacking or you can’t access your Gmail from anywhere?

Jordan Schwartz

They may lock you out of your e-mail account. Typically it’s your hard drive that they’re locking. They’ll take all the files, and [crosstalk 00:28:35]. Yeah you can get a new computer, but you have to find out how to get your file that you may not have backups off of your old computer.

Jonathan Bray

If you have it backed up, you could just get a new computer and restore it.

Jordan Schwartz

Of course, we all back up don’t we? Okay, we’re going to … Let’s cruise this, some of the Spyware. They’re watching you and use the information for some of these other attacks. Adware is software that just pops up ads on your computer that it may look like they’re in the web pages, that you … That you’re loading, or it may be outside of webpages. They just, they sell ads that’s their business model. The way that they deliver those ads, instead of working with content publishers like Facebook, and CNN and the New York Times is they install adware on your computer without your permission.
That may be via a virus, it may be via a Trojan. Lots of places they can do that. Identity theft, I think we all know what that is. Password theft, lots of ways to do this. Jonathan I’ve got to ask you, do you reuse, do you have the same password on multiple websites?

Jonathan Bray

I do.

Jordan Schwartz

Just remind me that I am your … I’m your boss, and I entrusted you with the company security. I’m asking you one more time, do you use …

Jonathan Bray

My boss keeps telling me to change that. I think I’m going to do that.

Jordan Schwartz

Well a lot of people do, and it’s … It’s just hard, you’ve got to keep track of all these different passwords. I have some suggestions for that. One of the most common attacks in terms of password theft is they have you sign up for a website. Some new service, it’s free ice cream delivery, just create an account, enter a username you like, enter a password you like, great. Then they take that password and they go and they try it on your Gmail account, they try it on your Yahoo account, or your Hotmail account. If you use the same password in your Hotmail and Gmail as you do on their website, then bam, they now have access to it. They can do lots of things.
Including lock you out of your own account, and then so you access to it. There’s also what I call dictionary attacks. Where [inaudible 00:31:06] to use. They’ll try out common passwords. There’s a security company that publishes the list of the most common passwords in use. This was the 2015 list of 25 most popular passwords that people use, and so you know, some on there … What’s that?

Jonathan Bray

Michael.

Jordan Schwartz

Michael. I don’t know. It’s funny that it changes a little bit from year to year. It seems to go up and down, I love you was on this for a long time and princess was on this for a long time. I don’t see either one of those on there. 696969, we know or we know wherever our head is. What I think is actually the most interesting, funny one. If the attentive reader has noticed that I said 25 most popular passwords, and everyone only listed 24. The 25th most popular password, trustno1. It’s the irony, the irony.
Typosquatting is when a company will buy a domain name that is easily mistyped for an actual website. Instead of going to Google, G-O-O-G-L-E.com, maybe they’ll get G-O-O-G-L.com or something similar. Waiting for people to type in the name of the website, to mistype it. They arrive at this malicious website and it will look exactly like the real website that you thought you were going to. Then so when it says, “Please enter your username and password.” You do, now they’ve got the username and password that they can just turn around and use to sign into the actual website as you.
If it’s something like Salesforce or such then that can be a pretty painful experience, or your bank, can be a pretty painful experience. Again we’ll talk about ways to fight that in a moment. Social engineering, this really, I’m not sure if I had it in this slide deck. This is one of the most, for major attacks and even the ransomware, this is the most common attack [inaudible 00:33:17]. It doesn’t involve anything technical. It really can be as simple as, and this is what happened to my mom’s next door neighbor.
Somebody called her up, and said, “Hi, this is Microsoft Tech Support. We’ve … Thank you for purchasing protection. We’re … We’ve noticed asked for violation for computer. We need you to change your password right now. Can you turn on your computer?” “Yeah, sure I’ll turn on my computer.” Then essentially it was not Microsoft, it was somebody else. They instructed this person to change their password on their computer to something that was known, and then they immediately hacked into their computer and said, “Okay, now I’ve just locked up your computer. If you’d like access to it, you’re going to have to get, you have to pay us $500.”

It … There are, these are the techniques people use. This is … In back when I was a hacker in the ’80s. This is pretty common to, where we pretend to be the telephone company or something like that. Shouldn’t … I’m all better now. Keystroke loggers, Phishing and Spearphishing is a very common attack as well. Phishing, I’m sure everyone knows phishing it’s an e-mail that you get that says, “This is from Chase Bank click here to reset your password.” It’s not really from Chase Bank, and it brings you to a malicious site, etc.
Spearphishing you’re familiar with that term, Jonathan?

Jonathan Bray

No.

Jordan Schwartz

No? Okay good. I get to teach, I like that. Spearphishing is when … Is a more targeted e-mail. They know something about you. Rather than just sending 20,000,000 e-mails to people saying, “Your Chase Bank account is, you need to reset the password.” It goes to, I don’t know, maybe 10% of the people that it goes to actually have Chase accounts, but that’s fine. Because everyone else just ignores it, and then maybe they get some of that 10%. Spearphishing is a sent … It looks like it’s coming from someone you know, and it’s sent with something personal.
Jonathan you might get an e-mail that says it’s from me, and it says, “Hey we’ve got a new customer. I need you to, you need to transfer our $20,000 into their account, so that we can get them provision or something like that.” We’re pleased, install this software that instruction everyone in the company to use, and then the attack continues from there. This is the Sony attack, they believe started with a Spearphishing attack, that was always used to get the initial piece of malware into the [inaudible 00:36:05] network.

Jonathan Bray

Wow.

Jordan Schwartz

I can think…

Jonathan Bray

… These people Jordan? Why they can’t figure out where this stuff is coming from? Ever?

Jordan Schwartz

The internet is enormously complex, and really was designed to protect people, and to keep them anonymous in some ways. I mean we could go back to that, their whole first half of the conversation where we’re talking about protecting your privacy, and making sure that there are ways that these companies can’t take advantage of information that they need from you. How important it is to do that, and then we come to something like this, where you want the government to have access to that information, to be able to track people.
It really, it’s difficult because you can’t serve both goals at the same time. The … I have, I’ve given this talk in a number of conferences, and I have had people say, “Yeah I personally got one of these where, I got an e-mail from my boss saying, that we got a new vendor and to send them money. There were just something weird about it, where my boss was in the next office. I was, it was unusual that they would have e-mailed me rather than just telling me to do it. I got called over and found out that it was a Spearphishing attack.”
This, Evil Twin network, this is something very specific to the conferences. It’s a malicious Wi-Fi network that uses the same name as a legitimate network to intercept traffic from users. When you join a Wi-Fi network, you typically, you’ll say I’ll go to a conference, and I see the list of networks, and I see one that says, “Hyatt Wi-Fi, or conference Wi-Fi.” Maybe I didn’t have the right password, and it requires password. I click it, I log onto that Wi-Fi network, and I start using the web, and maybe I’ll use it to access my membership database or my CRM.

Evil Twin network is set up by somebody with the same name as the legitimate network, and maybe even the same password as the legitimate network. But all the traffic is going through their servers, instead of through the legitimate network routers that were set up by the conference center. When that happens, they can see all the traffic that goes through. They can see every, in less, and we’ll talk about this, unless you’re using SSL. They can see the passwords that you typed, they can see the e-mails that you send, they can see everything, all the information that is being passed to and from your computer.
Network Intrusion. I want to talk specifically about some conference specific privacy and security issues. This Evil Twin network is one, I would say, the most unusual and conference specific network security issue. There isn’t a lot that you can do about it. There is software that you can search for, and if someone wants additional information feel free to contact me after the talk. I can send you some links. There is software that is produced that will seek to detect these, and shut them down.
I mean it’s actually hardware device you can, if you know that someone is doing it. That someone can carry around and use it to narrow down physically on where that Evil Twin network is broadcasting from. But, I would say that unless you’re [DAVOS 39:45] or a financial conference where you expected someone might actually launch an attack like this, that there’s enough private data, private communication going on. You probably don’t need to worry about it. If you do, you probably don’t, there’s nothing you can do about it. Except protect yourself personally, as a … As you would on any public Wi-Fi network.
We’ll talk about some of those techniques in a few minutes.

Jonathan Bray

Question from Maggie, real quick. In these situations, do you see the other …

Jordan Schwartz

Do you see both networks? Yeah, you can see the network listed twice in your list. There’s no way to distinguish the real one from the fake.

Jonathan Bray

Got you.

Jordan Schwartz

What you want to do is use SSL for all of your tools. SSL stands for Secure Socket Layer. If you visit a website and you look up in the address bar, instead of saying just HTTP:// and my website address, it says HTTPS and there’s a green check or kind of green marker next to it in the modern browsers. That’s going to indicate that the communications you’re having with the network have been encrypted and verified. Two things: one, no one can read it, even if they can eavesdrop on your Wi-Fi network or have an Evil Twin. Two, no one can replace traffic.
It is also possible via an Evil Twin network that if I go to a non-SSL site and I send my information, then when that information comes back from the website, so their sign-in page, or any page of information that they’re sending me, it can be manipulated by the server in between and changed before it’s sent down to me. The page that I’m looking at isn’t the one generated by the server that I think I’m getting it from; it’s being generated by this malicious user. That’s obviously a bad thing. What SSL does is ensure that only the server that’s in the address bar can generate that page. No one else can change it on its way from that server to you.
Your registration service should certainly be using SSL. If you’re accessing your CRM outside of your office, or really even inside of your office, it should be using SSL. All of your vendors should be using SSL all the time. If you’re wondering what they do, you can look at that website URL: HTTPS, and there should be a little green mark next to it that indicates that the whole site is secure. Apps aren’t web browsers. They’re custom pieces of software that talk to servers. They can also use SSL, both in terms of communication and to encrypt the data on the device or on the servers.

This is a conversation you’re going to want to have with your app provider. There is no way, just from looking at the app, to know whether or not it’s using SSL, for example. There are some tools that an IT professional can use to sniff the traffic that’s going over the wire. For the average event planner or meeting professional, your best [inaudible 00:43:44] is just to ask and make sure you get an assurance from your app provider that they’re following these best practices.
Bluetooth & Beacons. This is part of what I talked about with privacy and security up front. There are privacy issues around beacons and Bluetooth. That scanner that I told you about earlier, where he was able to track someone’s motion throughout the conference, is a good example of that. But in addition to that, Bluetooth itself is an inherently insecure protocol and an insecure way of having your device talk to another device. Honestly, for 99.9% of us, it doesn’t matter.
Again, if you’re at Davos and you’re using your Bluetooth keyboard to type, or you’re using your Bluetooth headset to talk, understand that there are security holes in the Bluetooth protocol that would allow somebody to pick up the letters that you’re typing at your computer, or to listen in on your phone call. It’s not an easy hack. For security professionals, the fact that it exists is enough. I know my friends in the security industry, when they travel to China for example, not only did they … they didn’t even bring their regular phones with them.
They get what I call [burner 45:25] phones, cheap phones that they’ll only use for that trip, because they don’t want malicious software installed on them. They certainly will turn off Bluetooth all the time, or when they’re in a [inaudible 00:45:36] situation where there is a concern that somebody nearby might have malicious intent. It’s what I think a little to something interest at time; we’re going to leave that one off. There are just a few stories that I think are worth telling here, to illustrate how these attacks happen.

How vulnerable we all are, and how it’s typically a combination of some of the different techniques that I outlined today. There’s no single silver bullet that will protect you. I’ve got virus protection software installed, for example. That’s not enough. I think it was maybe six months ago, the director of the CIA, John Brennan, had his AOL, his personal e-mail, hacked by a teenager. What mistake did he make? I’ll tell you that the first mistake was that he was using AOL as his e-mail.
I don’t mean to be … Sorry, maybe it sounds pretentious, but there are much more modern software programs for managing your e-mail, so the fact that he was on this older system kind of tells us something. The hack was primarily a social engineering act, as well as password use and such. What the teenager did is, he started off by calling Verizon and said, “Yeah, this is so and so. I’m a Verizon line worker, and I’m out on a call right now, and I need to verify some information about a customer.
Sorry, my computer is down.” The Verizon rep said, “Yeah, sure, I’ll do it.” He was able from that interaction to get the last four of Director Brennan’s social security number, not the whole social security number but the last four digits, and his phone number. He used that to get access to the voicemail on the phone, then he used that to do a password reset on his AOL account, which asked for his phone number and the last four of his social security number. Then once he had access, I mean of course he had access to the e-mail.
Once he had access to the e-mail, that gives him access to a lot of different things. He could go to the bank, for example, and say, “I need to reset my bank password.” They go, well, we’re going to have to send that to your e-mail address, and then it comes to this e-mail, and he can read the e-mail, and then he’s going to have access to his bank account, and all sorts of bad things happen. There was an interesting article in the New York Times, about a year ago now, where somebody offered to have themselves hacked.
All they did was give a group of hackers the person’s name and the city she lived in. What they did is they went on Facebook. They friended her, you’re looking at her through the window there, that [inaudible 00:49:09]. They friended her on Facebook, and she accepted the friend request from a stranger, as many of us will do. Then they kind of watched her [inaudible 00:49:19] a little bit. They noticed that she was signing up, she signed a petition on …

Jonathan Bray

Change.org?

Jordan Schwartz

Yeah, change.org or one of those [inaudible 00:49:30] petition sites. Those are change.org. They went and they created a petition for something that seemed in line with her politics. They put it up on their own website, instead at change.org.maliciouswebsite.com. If you just glanced at it, you would think that it’s change.org. It made the webpage look like a change.org webpage, and they sent it to her, posted on her timeline, “We’d like you to sign this petition.”
She signs the petition, she goes to the website, and they say, “Okay, please sign in.” She signs in with her change.org username and password, even though it’s not change.org that she’s signing into. Now they have her username and password for change.org. They turned around and they used that same username and password on her e-mail, and lo and behold, she had used the same password in two different places. And then all sorts of bad things happened from there.
Let’s get to the important part. How are you going to protect yourself? Number one, virus protection software. This protects against viruses, adware, spyware. I’m not going to spend a bunch of time on it, because I think this is the best known and most common piece of advice. You should install it. They tend to slow down your computer a little bit, and God, if I had more time, I would tell you some funny stories about McAfee and Kaspersky. But I don’t. We’re going to talk about password managers instead.
If I had one piece of advice that I’d give, one thing to take away or one thing to change, it would be: get yourself a password manager. A password manager is a piece of software you install on your computer, you install on your phone, and it will keep track of all the passwords that you have across all your websites. It will help you generate random passwords that even you can’t remember. Every password on every website is different, so that you don’t fall victim to what this woman fell victim to.

It will fill in your password for you, so even if you’re at a computer with a keystroke logger on it, they can’t see you type your password. If your Bluetooth is being eavesdropped on, they can’t see you type your password. It will only type in your password into the appropriate website. You can’t end up on a typosquatting website and give away your password that way. It’s a good thing. There are several. I use Dashlane; LastPass and RoboForm are others.
I haven’t heard a lot about RoboForm recently. The two common ones that people seem to like are Dashlane and LastPass. There’s a free version of both of those; I think Dashlane is something like $30 a year. In my opinion it’s well worth it. You install it, the premium version, you can install it on all your devices, and it shares the passwords between them. I create a password on my computer, I open my phone, and I don’t have to type in my passwords there; it takes care of all of that for me.
I know one concern people will have is, “What if Dashlane gets hacked?” All I can say is that for Dashlane, it’s their whole business, and they have literally hundreds of millions of dollars being pointed at solving this problem of network security. I want them on my side. Yes, maybe they may be hacked, but if I have to bet, I would say that they’re going to be more resistant to hacks than my Post-it notes on my computer with listed passwords.
Two-factor authentication. If your e-mail does get hacked for some reason, what’s to prevent them from using that to reset your password on other websites [inaudible 00:53:46] and such? Two-factor authentication is a powerful way to protect yourself. Two-factor authentication takes a password and combines it with something else; it’s essentially something you know, your password, plus something you have, like your phone. Whenever I send a wire transfer at my bank, it requires me to …

They send me a text message. In addition to my password, they send a text message to my phone, and I have to enter the six or ten digit number that they’ve texted to me in order to send that wire transfer. What they’re doing is, not only do you know the password, but you have your phone. Physically have your phone. Maybe you physically have a USB key, or you physically have a key card that you have to slide into a slot. It’s an added level of protection.
Even if someone steals my password, unless they steal my password and my phone, physically, then they won’t have access to some of that more important information. Most banks are enforcing two-factor authentication now. Most e-mail services, I know Google, Yahoo, and some of these others, give you the option of turning it on. I turn it on for my banking; I don’t turn it on for my e-mail. You decide what level of protection makes you most comfortable. I use SSL everywhere; we talked about that already. There’s that green bar that appears, the little green lock; that’s the visual indication that this is really SSL with Chase.
There’s the extra bit, Chase, JP Morgan Chase & Co. That’s to verify that it isn’t some hacker that has bought SSL for their hacking website. You want to check that, yes, it is Chase.com that has bought this SSL, not some other website that [inaudible 00:55:49]. Personal VPN, this is a nice to have. It essentially takes all of the traffic from your computer, even the non-SSL traffic, and encrypts it. All of your communication happens in an encrypted way with this company’s servers, and they forward on the information from there to the respective destinations.
If you want to avoid eavesdropping and you’re concerned about it on sites that aren’t using SSL, this is an option for you. I use TunnelBear for my own use. Private Internet Access is another one, and NordVPN; they’re all ways to encrypt all that traffic. It’s good against Evil Twin attacks, Evil Twin networks, Wi-Fi hacks in coffee shops, things like that. A little bonus with TunnelBear is it will change which country you’re browsing from, so I can pretend to be in the US when I’m in Europe, and I can pretend to be in Europe when I’m in the US.
Which, if you’re trying to use a site like Netflix, for example, from a country that doesn’t support Netflix, can be really handy. Update your software. I know it’s such a pain. We always get these little pop-ups that say there’s a software update, do you want to do it. Do it, and do it quickly. Maybe you don’t want to do it at exactly the moment it pops up. I will do it within one day of seeing that reminder. There’s this constant war going on between hackers and the software companies.

It’s where the hackers are trying to find holes in your operating system that they can exploit, using worms and other viruses to get into your computer. Whenever the software provider finds a hole, they’re going to patch it really quickly, and then they release that patch to everybody so everyone has up-to-date software. Well, if the hacker finds it before the software company, that’s where you run into problems. That’s where your computer can get infected without you doing anything, except maybe visiting a harmful website.
There’s a race when that exploit is first discovered. The software company is going to try and update you as fast as they can, and the hackers are going to try and exploit it as fast as they can. You want to make sure that if that software company has the fix, then it’s on your computer absolutely as fast as you can get it there. Then the final piece of advice that I have is just protect yourself against social engineering. If somebody calls you and it sounds weird … My customer support doesn’t ever call you.
Nobody is ever doing you a favor you haven’t ever really wanted. If they’re being pushy, be suspicious; if they’re being friendly, be suspicious; if it seems weird, be suspicious. Verify. Someone asks you to install a piece of software? Pick up the phone and find out whether or not it’s really the person that sent it. You should never need to install an app to see a picture or to view a document. PDFs and Word docs are all very standard across all computers. If someone is sending a document in some other file format, I would definitely be suspicious.
That is the summary. We’re just a minute past, I apologize, I was kind of whipping through probably the most important piece. If people have questions they want answered, please feel free to follow up. We’ll be following up after this with a survey and some other follow-up, just to see which is on, and we do have an ongoing series of webinars like this that we’d love you to participate in, and we’re looking for suggestions both on how the webinar went and on what we can cover in the future.

Jonathan Bray

Jordan, a question: “Will the PowerPoint be available?”

Jordan Schwartz

Yes, I will make the PowerPoint available. We’ll post that on the website as well. Watch for information on that by the end of the week. If there isn’t anything else, even if there is anything else, I apologize. We’re out of time, so I want to thank everyone for taking the time out of your day, and hopefully you learned something. Please let me know what you thought, and of course if you’re interested in chatting about apps for your conference, or a community platform for your trade show or event, please talk to Jonathan.

Jonathan Bray

Yeah, thanks everybody.

Jordan Schwartz

Thanks Jonathan, have a great day.