Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 1:48
CT. Tea. Welcome to CDT's tech talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives I'm Brian was a lousy and it's time to talk tech If you're like me you are beyond giddy that summer is almost here and while I will be hitting the roads this Memorial Day a fair number of travelers will take to the skies instead headed for exotic places did you know that you are at your most vulnerable when you travel and cross international borders in terms of cybersecurity? It's true. And to help everyone stay more secure every day, CDT created a very, very awesome quiz, that you can take online that assesses your cybersecurity using the lens of international travel. CDT staff technologist, Greg Norsey, led the creation of the quiz and is working to create a series of tools and resources to help us all stay safe online. He's here today to talk about some of those tips. Welcome, Greg. Hi. So are you headed anywhere for Memorial Day? No. I'm just gonna do a staycation. Oh, that's good. That's good. I'm headed to the beach. I'm looking a little pale and pasty here. So I'm doing the traditional trek from DC to Delaware. So that will be wonderful. So why is it that you are at your most ins you're most insecure from a cyber perspective when you travel? What is it about travel that makes it different than saying just visiting your local coffee shop? Well, you know, when you're visiting your coffee shop, you're on, like, a hostile network. But when you're crossing these borders, you have zero rights. You you can be pulled aside. Your laptop can be imaged, examined, etcetera.
Speaker 0
1:49 – 2:19
So you really have to up your security. So is it just kind of the law of, like, the international land that when you cross borders, your rights are kind of given up? Well, yes. When you're entering a a foreign country or when you're coming back to The United States, they do have the right to search you, quite thoroughly, actually. You don't have the same rights and protections that you would have, say, if you were pulled over by a police officer. Now, generally, they try to only do that if they think it's necessary and don't subject everyone to a very thorough search, but it is a possibility.
Speaker 1
2:20 – 3:01
Yeah. Certainly, when I've traveled in different places, I do know some countries even when leaving the airport, you have your bag scanned another time to see what you've you've brought in. So it's like the behind the scenes and all that sort of stuff, and everything needs to go through. So alright. That makes sense. I buy this. So let's start to going through some of these tips that you have, in the quiz, which, like I said, was great. And, we actually unveiled it at South by Southwest, in Austin, and the feedback was phenomenal. So everyone should go to cdt.org and take the quiz, and hopefully, this this podcast will inspire you to do so. So first stop, you know, you're on your tour, you're getting ready to leave, and you're at the airport. The airport Wi Fi, We've all logged into it. Is this something we should be doing?
Speaker 0
3:02 – 3:24
Well, sure. There's not nothing wrong with just logging on the Wi Fi. It's what you're doing. So if I want to log on to the Wi Fi, maybe just, you know, go on united.com, check and see if my, flight's on time, that's perfectly fine. If you're gonna start doing, you know, financial transactions, shopping, logging into something where you're typing a password in, that's when things get a little hairy. So what are some ways then if, you know,
Speaker 1
3:24 – 3:42
we've all been on those long layovers or been stuck at the airport and you're like, okay, I need to do this. You log in, you wanna do the the shopping or you wanna, like, pay bills, that sort of thing or just, you know, log in to your work email. Are there ways that you can do this and still be secure? Yes. There's two things. Number one, you know, if you're over an HTTPS
Speaker 0
3:42 – 4:23
connection, look for the s, look for the lock. That's pretty secure. If you want to be absolutely sure, you can use what's called a VPN, a virtual private network. Personally, I use Astral. You know, you pay about I forget if it was $10 a month or $10 a year. But for a relatively small fee, you can have a VPN of your own. Is that like Tor, or is that or am I totally wrong on that? So the main difference between Tor and a VPN is Tor is an onion routing technology. So they're going to route you through several different servers, really make it harder to trace you. And on the other hand, when you exit the network, the it's exiting clear text. With the VPN, you're just doing one hop. Gotcha.
Speaker 1
4:24 – 4:56
Okay. Yeah. There was a a stretch where I I was living abroad, and I did have to, to access any sort of site, you kind of had to use that weak filter. So I had to use a a VPN of sorts and often would use Tor and then, you know, Tor is pretty good and it worked. And suddenly, you know, I was based in The United States and could see everything you could see in The United States. One of the other tips that I thought was interesting in there, was about USB charging ports. You know, I'm constantly that person that's, like, running low on battery and trying to find a place to charge my phone. So why are these so vulnerable?
Speaker 0
4:57 – 5:16
Well, because you're trusting that all it's going to do is deliver power. It is equally possible that someone could ring up something that it'll push some malware onto your, device whenever you plug it in. That's why, personally, I like to carry a portable battery for about $50. I've got a a little dealie that can give me power for about four or five days.
Speaker 1
5:16 – 5:44
Wow. For $50? Yeah. That's a sweet deal. Why have I not done this? This is ridiculous. No. I mean, the the USB ones, I'm just thinking of, like, every time I upgrade, or, like, try to sync my phone with my laptop and that sort of thing, which I am doing less now because of the cloud. But it does happen every now and then where I think it's a good idea. Yeah. That's data that's being transferred and I you don't often think of that, like, same port as the one that you get power and data through. So you're you know, it's trust.
Speaker 0
5:44 – 5:51
You and, you know, maybe you can trust the, you know, DCA, but, you know, what if you're in Moscow?
Speaker 1
5:51 – 6:12
That's right. That's true. Good friends just visited Moscow and said they it was lovely. So another surprising tip in there, and this was the one that I'm like, what? This makes no sense to me, was to put stickers on your laptops. And I'm, you know, we're sitting at my desk right now and I actually now have stickers on my laptop which used to not be the case. They used to be pristine. So you have changed one of my behaviors. Congratulations.
Speaker 0
6:13 – 6:52
What is it about stickers on your laptops? And maybe not just your laptops, your your devices that actually adds a layer of security. So if I'm going through airport security, you know, somebody can't be like, oh, I'm sorry. I thought that was my laptop I was picking up. The really interesting thing is that especially when you have, like, these MacBooks or these ThinkPads where all of them look the same, somebody could take your laptop and replace it with one that they have placed, an image, the cloud backup image on your laptop plus some malware or maybe plus a physical key logger of some sort. So you could have a situation where you're crossing an international border. They say, I'm sorry, sir. We need to examine your laptop.
Speaker 1
6:52 – 8:07
The laptop goes into a room. The laptop never comes out of the room. A different laptop, which has been bugged, is brought back to you and given to you. When you put the stickers on, that makes it much, much harder to do something like that because now they have to have the stickers on hand. Now they've got, like, an iron and stuff like that. It's like, no. That's not gonna be a realistic scenario anymore. That makes a lot of sense. I mean, the number of times before I had stickers on that I'd have to open my laptop after going through, you know, the metal detectors to make sure it was actually mine, which is embarrassing. Now I know and I have a gorgeous CDT sticker on it that, if people haven't checked out, we have a relatively new logo. I don't think I can call it new anymore. We unveiled it way back in what, February, something like that. But it looks great and it it looks very great on my, my Apple laptop. It goes great with gray. So, more tips. You recently wrote a blog post. You're starting to now flesh out, the things that were covered in the quiz in more depth, which is fantastic and really helpful. You wrote one on software upgrades. I think we've all had, you know, the push upgrades where it's like, you know, upgrade your software now, remind me later, that sort of thing. Why is it important that we actually don't just ignore these and push, you know, remind me ten days from now or whatnot, but actually do it. Sure. Because, usually what happens is that when they're pushing an upgrade,
Speaker 0
8:08 – 8:34
often there's some sort of security update in there. So what ends up happening is when they publish the security update, number one, it's protecting you you that somebody can't come in and hack your device. Number two, whenever they create that update, hackers can look at that update, see what the exploit was, and then weaponize it. So then, you know, Microsoft has their patch Tuesday where they put out all their patches, and then you've got Exploit Wednesday where everybody's shooting vulnerabilities around the Internet.
Speaker 1
8:35 – 8:43
So what happened? Tell me about Exploit Wednesday. What is that? I just didn't even know that was a thing. So the idea is that, you know, even if the patch has been released,
Speaker 0
8:43 – 9:06
you know, there's going to be a lag between when the patch is released. You know, not every single computer on the Internet is going to get patched immediately. So you can run a computer scanner, port scanner, try and find computers which have not been upgraded, and you can check thousands and thousands, hundreds of thousands of computers a second until you find one that's vulnerable, push your vulnerability out, and own it. Wow.
Speaker 1
9:07 – 9:20
Does that happen with other products as well? Or is Microsoft I mean No. Microsoft known mostly because they're the ones that seem to have so much of the business market. I Microsoft catches a lot of flack, but they're also one of the largest OS shares. I you know, you're starting to see more and more,
Speaker 0
9:21 – 9:52
malware for OS 10, malware for Android. You know, no operating system is safe. It's usually just more that, you know, criminals want to get the biggest bang for their buck. So when they when you're writing some sort of malicious software, you're gonna try and write it towards that's gonna be usable on the most machines possible. But then, conversely, if it's a targeted attack, if somebody wants to get at one specific person, then, you know, being an Apple user or being an Android user is not going to protect you because they're gonna craft their exploit for you specifically. That makes sense. You know, the number of times I've had friends say,
Speaker 1
9:53 – 10:17
you know, in all different camps, you know, make arguments for what's more secure, whether it's the PCs or the Macs. And it's mostly the Mac folks that seem to be the ones that, like, I have a Mac. I'm a 100% secure. Yes. But I tried the console. That's just, you know, silly. That's, you know, silly. So this is good. I'll make them listen to that. So what are some of the other things that you're, like you said, you're doing a series of tips here for people.
Speaker 0
10:17 – 11:23
What are some of the other topics that you are gonna flush out a bit more or interested in writing about? So we've done a blog blog on, you know, why you should be updating and why that's so important. We're working on one about the importance of what's called two factor authentication. This idea that when you're logging in, you won't just be typing in your password, but a one time code as well. That way, even if someone hacks into the website that you were visiting and steals your password, if they don't have this one time code, they're not gonna be able to use it. If that password was used on other websites, they can't just take that one password they stole from, you know, say, LinkedIn LinkedIn and then use it to log in to your bank because they still don't have the two factor code. The other thing we're going to be talking about is password managers. You know, creating a strong password is hard, and, you know, it's frankly not your fault if you can't remember a super strong password because we were only built to remember about seven chunks of information, seven words, seven numbers. So usually what we recommend is that you have one very strong passphrase that you have memorized, and then you can use that passphrase to unlock your password manager, which then stores all the other passwords. That's interesting.
Speaker 1
11:24 – 11:58
This I read an article recently where I I think we have probably all remember those days where whether it's a website or your system administrator or, you know, just some other service forced you to change your password every say ninety days or whatnot. And that practice seems to be no longer, you know, in vogue. Why is that? Is that would you agree with that? Or do you, you know, you seem to suggest that one really strong great password is the way to go. And I saw some reading on that. But, you know, why is why are the days of, like, the change your password every ninety days kind of over? Well, because, you know, again, if you have a strong password,
Speaker 0
11:59 – 12:27
it's going a truly strong password should take longer than the life of the universe to crack it. So therefore, then the problem isn't so much the changing of the passwords, the security of the system that's storing the password. And then again, if you have layers of security, if you're keeping your software updated, if you have your two factor code, if that password is only to one website, it's just a situation where the, the time and energy it takes to be changing that password every ninety days versus the realistic
Speaker 1
12:27 – 12:40
risk of it being compromised. It's so small that it's just a waste of your time that you have better things to be doing. That makes sense. So you are a world traveler. I know this, and you've shared some of your travel stories with me, which are amazing. Yes.
Speaker 0
12:40 – 15:27
Do you have, like, an ultra paranoid story that you could share to, like, make people, like, realize just how insecure you can sometimes be when you travel? Or even, you know, just to experience from your travel where you're, like, I am so glad that I was a technologist and that I was, you know, saying about this or thinking for you. So at one point in, in in undergrad, I went to this, Defcon, the computer hacking convention in Las Vegas. And this was, like, when I was you know, I had just turned 21, and I didn't really do much of a twenty first part birthday party because it was the middle of the semester, and I had midterms and things. So I just sort of saved it for the summer. So I go out to Defcon. I was out there with my my roommate, and, you know, he says, oh, I'm gonna go hit the ATM, get some gambling money. And I said, well, you know, we're in, you know, the world's largest hacker convention. Maybe you should consider going across the street to use the ATM. And we're arguing back and forth a little, and finally, he goes, like, fine. So we walked down the strip. I think we went to, like, In N Out or something, you know, used the ATM along the way. We, later on, I found out that the the ATM we were standing next to and arguing over was was not a legitimate ATM. What? That apparently what happened was, you know, the casino has a lot of, you know, security cameras. And this casino, I haven't told the story, you know, until now, but the casino has now been blown up and doesn't exist, so I don't mind revealing this security vulnerability. But, apparently, the casino security office, there were no cameras in front of the casino security office because they had, you know, police I don't know if they're police or security officers, officers, but they had men with guns staring out. And Intimidating. And, they just assumed if some sort of crime was occurring that they're just gonna physically see it, and they need a, camera there. So what whoever put this ATM did and did was that they knew that. So they had, like, hats on or whatever and wore, you know, janitor jumpsuits, and they come in. They put this ATM into the casino that is not an ATM. It's just sucking up your information, and they just do it right in front of the security office because there were no cameras, because this was not on the casino floor. It was off to the side. You could just come in the door and, you know, you could you could do it off camera and there would be no record of who did it. And then, I guess, the idea was then that they were gonna come back later and the ATM would just tell everyone, oh, there's no money in the ATM when really it was just sucking up everyone's credit card information. You know, things like that aren't gonna happen as much now that we're moving to the new EMV standard, the new chip and signature, because, you know, you're gonna you can't just steal the Magstripe data. You're gonna they have that chip on there. But at the time, if you had put your, ATM card in, you're putting your ATM card in. They've got your Magstripe data. They're gonna get your PIN number. And then if they had been able to retrieve that data, they would have just drained drained all the bank accounts of everyone who had used the ATM.
Speaker 1
15:27 – 15:45
Well, I take two lessons from that story. One is that the biggest this is gonna be the most relevant one, is that the biggest vulnerability is often right under your nose, and the casino learned that pretty quickly. And the number two is clearly that if I ever go to Defcon, I will only live in cash. That's it. Well, I mean,
Speaker 0
15:45 – 16:26
now I mean, for me personally, I actually will, you know, somebody said this to me last year. I was in the gift shop, and I have a I have a I have a credit card. And you're not actually responsible for fraud on your credit card. Sure. You know, so I I have a credit card that I don't use for, like, my bills and things so that, you know, if something happens, I'm not I'm gonna make sure that, you know, everything gets paid. Yeah. I'll buy a bottle of water, and and then I'll just check my statement at the end of the month. And if somebody charged a bunch of stuff, I'm not responsible. I'll just call the credit card company. I'm still operating in cash. I mean, I just I don't know. That may be my paranoia. And you have done a great job of making me paranoid, but in a good more cyber secure way. So thank you for that. Again, I encourage everyone to check out the quiz online,
Speaker 1
16:27 – 17:02
and then check back to cdt.org regularly because Greg is, as we've already talked about, going to be producing more and more content there. Thanks so much, Greg. Thanks. That's it for this episode of Tech Talk. You can find CDT's cybersecurity quiz and Greg's post on software updates online at cdt.org. Also, if you want your very own own awesome CDT sticker to make your laptop more secure, hit us up on Twitter or shoot me an email to briancdt dot org. I am Brian Waslowski, and thanks so much for listening.