Tech Tips to Protect Yourself Online

Published 7/16/2024

Drew Thomas  0:04  
Fast Fact, in 2023 cyber-attacks accounted for over 343 million victims. I'm Drew Thomas, and you're listening to Bank Chats.

Drew Thomas  0:39  
Welcome to the next episode of AmeriServ Presents Bank Chats, I am Drew Thomas, and as we have discussed in the past, cybersecurity topics are absolutely a very ocean-rich topic that you can dive just as deep and wide as you want to. And so, we're going to once again revisit the topic of cybersecurity. In this case, we're going to talk a little bit about not so much specific scams and things, but really about how the different types of technology that are out there, and how they might impact your cybersecurity life in the real world in your day to day life and talk about some of those terms and how they work and what exactly they are. And, once again, I am very pleased to welcome back some previous guests that we've had on the show. We have Kevin Slonka once again with us, as well as Michael Zambotti. And both of them from Saint Francis University, and welcome back, guys.

Kevin Slonka  1:35  
Thanks. Nice to be back.

Michael Zambotti  1:36  
Hey, glad to be here.

Drew Thomas  1:37  
Yeah. Let me give you guys a chance to explain your, your credentials to those that may not know you from past episodes, and then we'll go from there.

Kevin Slonka  1:45  
Sure. So, Kevin Slonka, I teach Computer Science and Cybersecurity at Saint Francis University. And I've also worked in industry since about 1999.

Michael Zambotti  1:56  
Mike Zambotti, I have worked in the financial services arena in the past, and now I teach Cybersecurity and do consulting as well.

Drew Thomas  2:05  
All right, fantastic. So, in the past, we've, we've done sort of, a general overview of cybersecurity. There's an episode that we did on that if you haven't heard it, you can go back and listen to that sort of touches on all things cybersecurity, to very, very shallow level. We also did an episode where we talked about various scams and went more in depth about things like ransomware and phishing and things like that. Today, we're going to talk about some of the different technologies that are out there, and how they might impact you in the cybersecurity world. And I think that one of the things that we were talking about that we want to start with is the cloud. Everybody talks about everything being in the cloud, as though it's some sort of a mythical place where you can go and visit. Let's talk a little bit about what the cloud is.

Kevin Slonka  2:52  
It's up in the sky, isn't it?

Michael Zambotti  2:53  
Yeah, whenever you talk about the cloud, you have to look up. Yes, it's, that's where it is, your data is up in the sky. If it rains, you can't get to your data.

Drew Thomas  3:02  
I, you know what, that is possibly something someone might think I mean, it's but I mean, really, so your data is not being hung out just somewhere in the ether, it lives somewhere.

Kevin Slonka  3:13  
Yeah, I mean, saying the cloud and saying your stuff is in the ether is, I mean, it's a legitimate way to think about it, because it's not like physically within our possession on our computer. It is, you know, I'm putting air quotes here, somewhere else. But, you know, the way we always like to explain the cloud is that it's just somebody else's computer. Right? So, if you're storing your data on, say, Dropbox, or Microsoft OneDrive, you know, something like that, where it's some external service, you have to log into out on the internet to store your files. That's the cloud. But that is literally just on somebody else's computer. You know, if you're storing your files on Microsoft OneDrive, those are physical servers in a Microsoft data center somewhere, right? Whether it's in California, whether it's on the East Coast, they have data centers everywhere, but your data lives somewhere physical, it is somewhere, but to us, we don't have to care about that. And that's the benefit of, air quotes again, the cloud, is that we don't have to care where our data is. It's just magically accessible to us, and somebody else takes care of the physical part and the storage part, you know, we don't deal with that.

Michael Zambotti  4:28  
Yeah, there's definitely benefits to the cloud. There’re challenges as well. And we'll, we'll cover both and kind of dip into those a little bit throughout the episode. But yeah, as Kevin said, it's, it's really somebody else's computer. Your data is in a data center. You know, if it's in Microsoft, East Coast, probably somewhere in Virginia. There's a giant building, which has more servers than you can even imagine, and that is the cloud. Interesting, Microsoft actually did a proof of concept where they put kind of a carrier of servers underwater, just to see if they could do it. And they ran services from basically an underwater data center, an underwater cloud? An underwater cloud, yeah. That's like fog almost right. But yeah, the cloud could be anywhere, your data could be anywhere in the world. Maybe someday there'll be data centers in space. Who knows.

Kevin Slonka  5:16  
What, and that's a really important thing that you just mentioned, you said the world. That's something that we also need to be cognizant of when we're storing our data in these random websites. Where are those data centers? Like we tend to think, oh, you know, California, Virginia, Idaho. But could it be Russia? Could it be India? Could it be China? You know, the internet is everywhere, these data centers could be anywhere. So, I mean, that has its own host of problems if you start dealing with crossing country lines.

Michael Zambotti  5:50  
Yeah, whenever we think about challenges, you know, think about our data, if your data is stored in a country like China, last time I checked, they don't use the US Constitution in China. They have their own set of laws, and their laws apply to data that is, in their data centers, whether it's China, Russia, Ireland, Ireland is actually a country with a lot of data centers.

Drew Thomas  6:10  
So, what so in a strange way, for people that might be really old school, when it comes to technology, it almost has this sense of being a mainframe. The old idea where you had a mainframe computer that took up a room, and you had terminals throughout the building that all access the data on that mainframe, it's just a much more modern Internet capable version of that idea.

Kevin Slonka  6:32  
Yeah, the cloud is mainframe 2000.

Michael Zambotti  6:34  
And you might even say, well, oh, you know what, I've never used the cloud. I just use things like OneDrive on my computer. But I don't use the cloud. Well, you do use the cloud. Services, many of the Google Drives, well, Google Drive, Microsoft OneDrive, you're on the cloud, congratulations, you made it.

Kevin Slonka  6:50  
Yeah, do you have an email account? Right, because where's your email stored? It's not on your computer, it's in the cloud somewhere.

Michael Zambotti  6:56  
So, it's something that really impacts pretty much everyone that uses technology.

Drew Thomas  7:00  
And it's, it's a very convenient thing in some ways, because if you are trying to access your email on your phone, and then you want to also be able to access your email on your laptop, and you want to be able to access your email on some other device, the only way to do that is to have that email stored somewhere not on your device, which is in the cloud. And that's how you can reach the same email from multiple devices in your home.

Kevin Slonka  7:22  
I mean, think of it like your physical mail, you know where, you can only access your physical mail in one place, right, at your house where your mailbox is. But with digital technology in the cloud, we can access it anywhere.

Michael Zambotti  7:34  
Yeah. Which, which is great. You know, as far as, you know, in security, we often will talk about functionality versus security. And it's as far as functionality, that's awesome, that's great technology. But on the security side, there's also some interesting challenges. If you can access your data anywhere, maybe somebody else can as well.

Drew Thomas  7:50  
So, if you're using something that is in the cloud, which it sounds like it's pretty much anything, everything, yeah, I mean, everything's out there, right? Is there something you should look for when you're deciding where to set up your email, for example? Because you don't really have any control over where they store your data, correct? Right.

Kevin Slonka  8:04  
Yeah, you can't say I want my data here or there. Yeah, so I mean, go back and listen to previous episodes where we talked about passwords, you know, that's the first great step is if your data is somewhere else, it had better be behind a good password, so people can't break into it. But also, if you're looking for, you know, to use a new file storage service, or whatever, do some research on the company first. Google the company name and see where it's based out of. Would you rather use a company that is based out of California, or a company that is based out of Denmark? Not saying there's anything bad about Denmark, but that's a different country, different laws.

Drew Thomas  8:40  
Something is rotten there.

Kevin Slonka  8:43  
Do you want your data there? You know, I don't know. But that's a choice you have to make. And you have to be cognizant of the companies who own the services you're using.

Michael Zambotti  8:53  
Interesting also, probably not a road we want to go down, but Europe has different privacy laws. So, if your data is stored in Europe, or you're working with people that are in Europe, you know, maybe a topic for another episode, but it's something that a business might think of as an individual, you're probably not going to think of that too closely. You're not going to be too concerned about that.

Kevin Slonka  9:10  
Yeah, here, here's one thing that I can almost guarantee is going to apply to everybody, TikTok. We were talking about this off-mic before, but with TikTok, do you know who owns TikTok? It's, it's a Chinese company. So, when you use TikTok, and you make an account there, you've created a username and a password that China has access to. Do you think that's okay? All of the stuff you're looking for on TikTok, all of your usage on TikTok, is on Chinese servers now. Do you think that's okay? And you're using an app that you've installed on your phone that was developed by China. Do you think that's okay? Could that not have malicious code in it? We would like to think not, but you're essentially giving, we talked on a previous episode, how China has a whole portion of their military whose job is to hack other countries, you're giving them free rein to your cell phone, if you have an account on TikTok, and you have the app installed on your phone. You know, you're essentially just opening up the door to them. So, looking into companies that make apps on your phones is also as important as like Dropbox or file storage services, you really want to know where your data is going.

Michael Zambotti  10:28  
Well, years ago, also, maybe even during the Cold War process, whenever Russia wanted to spy on the US, they would actually physically send a spy to the US who would get a job here and integrate into society and send back reports about what was happening in the United States. That's how they knew what was going on here. Now, you know, like Kevin mentioned with TikTok, the content is also going directly to these other countries, it's giving the other country, possibly an adversary, really, really deep insights into what we do here every day, you know, and what our people are doing.

Kevin Slonka  10:59  
And that's a good word that you just used, adversary. A lot of people don't hear that unless you're like in the federal world. But just to make it clear to people, the two largest enemies of our country, from a political perspective, are Russia and China. So, when we talk about, you know, do you want your data being in Russia? Do you want your data being in China? We're saying that as a bad thing. Like, you don't want that. Because those are the two countries that are constantly trying to attack us and steal things from the United States.

Michael Zambotti  11:29  
So, it's almost like we've given them the ability to do espionage without even trying, yeah, we're providing the information for them, let alone,

Kevin Slonka  11:37  
Yeah, they don't need to send a spy anymore, right. We're just giving it to them.

Michael Zambotti  11:39  
Right. We're feeding them that information. So, you know, and we have touched upon artificial intelligence, and we'll talk about that on future episodes as well, which is a topic that's hot in the news. For artificial intelligence to work, you know, at its core, it has to learn from something. So, there's thinking that the owners of TikTok are using all these videos that were, the millions of hours of videos, to teach artificial intelligence, to learn about US customs, our society, how things work here, what our people do, how we speak. And so, whenever we talk about possibly deep fake videos, and let me get my tinfoil hat back on.

Kevin Slonka  12:16  
We never took it off.

Michael Zambotti  12:17  
Right, exactly, but you know, we think about the emergence of deep fake videos where a video might be showing you, saying something that you never said, maybe it was born out of a TikTok video that you made a couple of years ago. So, some not to, not to scare anybody, again, the tinfoil hat is firmly on my head, but it is something that's possible, something that we need to think about as people that are trying to defend our, our nation and our data.

Drew Thomas  12:43  
Well, again, in a previous episode, and you know, we talked about some of these different scams, right? And we said that one of the biggest things that you can do to help protect yourself is to simply not give the keys to the kingdom to the person that's trying to steal your stuff, right? I mean, speaking from a bank perspective, you know, you can put as many firewalls and protections around our servers and information as you like. But no matter how much we defend that data, if you, as an individual, give the keys to your data to someone else through some sort of a scam, there's nothing anybody can do about that. Right?

Kevin Slonka  13:17  
If you put your debit card numbers out on joestoyshop.com, yeah, you get what you get.

Drew Thomas  13:22  
So, in a way, this sounds like the same thing. You know, it's exponential. I mean, the amount of data that we're exporting out to the internet in terms of YouTube videos, TikTok, video, social media, is just absolutely amazing. And you're just handing that information to somebody else.

Michael Zambotti  13:38  
I've seen statistics, and it's probably hard to actually quantify. But we create now as a society more data in a day than they did for like decades at a time before the internet was born.

Drew Thomas  13:50  
So, we were talking about the cloud being sort of in different places around the world, right. And I think that leads to a conversation about this thing that, that people are hearing now called VPN. This idea that if you're on a VPN, you're protected. If you're on a VPN, magic, you can pretend that you're in a different place, you can pretend that you're in a different part of the world, you can, you can somehow protect yourself. So, let's, let's talk a little bit about what VPN is and what it really does.

Kevin Slonka  14:15  
Yeah, so you brought up two points there. One is that you're safe, and two is that you can pretend you're in a different part of the world. So, point number two is true, VPNs can do that. Do they make you safe? Depends on how you use them. So, it's important for people to know this because you all listening, probably have seen the commercials on TV. You know, there's one company, specifically Nord VPN, that has commercials during everything. So, you've probably seen that commercial where they tell you, you know, install this Nord VPN service, and your internet browsing will be safe, everything will be private. Magically, you know, everything's awesome. Yeah. So, so what is a VPN? I think the easiest way to explain it is, is to give the example of like an employee who works from home. So, if you have a job and you're in your office, you're actually at the company's office, you can access all the stuff that is in that building, the servers that are in that building, your files are in that building. And you can only access it when you're in that building. Well, with people working from home, companies need to give a way for people to access those things that are only in that building, while they are at home. So, enter the concept of a VPN, which basically makes this secure connection, this secure tunnel, between your computer wherever you are, and your company's building. So, it makes it look like you're in the building physically, even though you can be anywhere. But the key to the VPN is it's encrypted. So, if anybody tries to spy on your traffic, your work-related traffic, they're not going to be able to read it. It's all scrambled, it's encrypted. So, Nord VPN is trying to sell you this tool that kind of started off as, as a business tool to allow people to work from home, as a way to say that, you know, we are sending your data through our encrypted tunnel, and therefore your data is private and safe. And it's true to a point. 
But the, the key question you have to ask yourself is, who are you trying to hide your data from? So, when you browse the internet, what you type in, say, you're logging into a website, that goes out across the internet, and it goes through your internet service provider. You know, around this area, you may have Comcast, you may have Breezeline, whoever you have, so your data is going through their servers. Technically, you could say they could see your data because it goes through their servers. And then it goes through however many other servers until it gets to the final destination. So, if you didn't want your internet service provider to be able to see your data, you could use a VPN, and then it would be encrypted, and they wouldn't be able to see your data. Nord VPN, that's, that's what they're saying, is that if you use us, your ISP won't be able to see your data, your service provider can't see it.

Drew Thomas  17:00  
And so, what's the advantage to that?

Kevin Slonka  17:02  
Exactly, yeah. And there really is no advantage from that specific argument unless you think your ISP is spying on you. And you don't want them to see your stuff. Because the, the point that nobody ever thinks of and the point that they don't say in the commercials, is that Nord VPN can see your data, because the other end of that encrypted tunnel is coming out on Nord VPN network. Do you know who Nord VPN is? Who works there? What country they're in? Where their servers are? Like, you know nothing about this company, but yet you're paying them and using their VPN service, and you're giving all your data to them. So, yes, it allows you to make your data private and to hide it from certain people. But you're also now exposing it to other people who you may not want to have access to your data.

Michael Zambotti  17:49  
As Kevin mentioned, Nord VPN is a paid service, so that's bad enough, you are actually paying for the service, and you're, you're getting it and ostensibly, they're hopefully not looking at your traffic. There are a host of free VPNs, quote, air, I'm gonna borrow Kevin's air quotes, the free VPNs which...

Drew Thomas  18:05  
Audio only is rough.

Michael Zambotti  18:07  
Exactly. These are even worse. If you see a free VPN, building a virtual private network infrastructure is expensive. So, why would a company give away that product for free? What, you know, one of my favorite sayings is if you're not paying for the product, then you are the product. So, there have been cases where free VPNs were actually injecting advertisements into your, your browsing experience. And in some cases, actually just snooping on your traffic, which they can see because it's going through their servers. Yes, it is encrypted, you have an encrypted connection with them with the provider of the virtual private network, so they can see all your traffic. And in those cases, you know, I would say, stay away from generalities, but, or absolutes, but I would say almost absolutely stay away from any free VPNs.

Kevin Slonka  18:54  
Yeah, and if you really are concerned about people seeing your web browsing traffic, that the best thing you can do is not go out and buy a VPN, it's make sure that every website you browse is encrypted in and of itself. And that's very easy to see because most web browsers in the address bar will show you a little padlock to let you know that that site is encrypted. Or if there is no padlock, you can look at the URL and see that it starts with https. If you see that letter "S", that's telling you it is secured, it is encrypted. So, as long as you make sure that the websites you're browsing and giving your personal info to are encrypted, you don't need a VPN because your data is already encrypted with that browsing session. So, just make sure that the sites you're browsing have that HTTPS, that they are encrypted and that is technically good enough.

Michael Zambotti  19:46  
Now, also, one thing to be aware of with the encrypted, you need to look for that lock, and some browsers will have the little green lock or just the closed lock. Yes, you have an encrypted connection with that site. Some attackers, and we did talk about this a couple episodes ago with the phishing emails and landing pages where if you click on a link, it goes to a rogue landing page. It might look like you're signing into a certain resource like Amazon, but it's actually controlled by the attacker, and attackers have gotten smart. And they actually will purchase what's called a certificate to show their website is also, it will show it as encrypted. And yes, while you do have an encrypted connection with that website, then unfortunately, that is a malicious website. So, if you see the lock, it doesn't guarantee your safety.

Drew Thomas  20:26  
It basically means that that website had paid for a secure, right security encryption key of some sort.

Kevin Slonka  20:28  
Yeah, you still have to verify that that website is the website you intended to go to. Yeah, you know, somebody didn't swap it out on you.

Michael Zambotti  20:37  
Right. So, the encrypted traffic, you have this encrypted connection with the, the attacker, congratulations, no one else can see that correspondence except you and the attacker, which is, you know, which is great. Except for you know, you just gave your credentials to somebody just relying on one thing versus looking at a couple different factors.

Drew Thomas  20:59  
So, we're talking a lot about things, we keep mentioning traffic, internet traffic, back and forth. When we talk about internet traffic, we're talking about data being sent out from your devices and data being received by your devices, right? Sure. So, and when we talk about devices, we tend to think of things like our cell phone, our laptop. What we don't always think about, I think in today's world especially, is the fact that there are so many other things in our homes that are connected to the internet that are sending and receiving traffic all the time. And they call that the, that the internet of things, that IoT, right? So, you know, is there a danger? Is there, maybe danger is the right word, maybe it's not. Is there a danger to connecting my, my refrigerator to my network so that I can monitor the temperature of the freezer? Is there a, let's talk a little about that. 

Kevin Slonka  21:48  
Yes, throw them all away.

Michael Zambotti  21:51  
I saw an interesting story about a what's called a smart refrigerator that was connected to the internet, it would send you an alert if the door was opened. So, refrigerator door's ajar, it would say, hey, the door's ajar. So, the next thing was well, if it was that smart, when to just shut the door. Why tell me?

Kevin Slonka  22:07  
But yeah, that's I mean, you bring up a good point that anything we buy that has the word smart in it, a smart whatever, the word smart basically tells you it's connecting to the internet, right? You have to configure it for your Wi-Fi or plug it into a network cable somehow. But and we have mentioned this in a previous episode as well, all of these devices are computers. Like, yeah, our phone is a computer, if you have a smart refrigerator, there is a computer inside of your refrigerator, just the same as your laptop. And literally it is a computer. And a lot of these devices, what we see, is that the people, the manufacturers who are making them, I'm gonna say this, they basically don't care about security. They never tested for security, they tested for functionality like Mike had talked about before. Does it operate as a refrigerator? Does it alert you when you're low on milk? Does it do all the refrigerator things, but because it's a refrigerator, nobody ever thinks to protect it as if it were a computer. So, having all of those devices on your network that were never tested for cybersecurity vulnerabilities, that just opens up what we call the attack vector, the ways that a hacker can break into your home network. And once they get inside your house, what do they have access to right? Your personal laptop that has your credit card data on it, your personal phone, you know, whatever is in your house connected to your home Wi-Fi, which is everything right? It's everything.

Drew Thomas  23:32  
So, I think it's that, that brings up a good point that having a secure home Wi-Fi is important. I mean, when you buy a router at your local electronics store, and you take it home and it has a default password of admin.

Kevin Slonka  23:47  
Never changed.

Drew Thomas  23:50  
Easy to remember, I mean somebody could literally be sitting out on the front, you know, sitting in a car parked out front of your house, looking completely innocuous and be checking to see what Wi-Fi networks they can reach just from sitting out on the street. And if you haven't changed your password, they now have access to everything that's going, you know, all that traffic on your network and inside your home.

Kevin Slonka  24:11  
Yeah, this is hacking 101, that is literally the first thing I teach my students when you're trying to break into a device. Try default passwords. Yeah, try admin admin, try admin password. Try all the default things that companies might put on their devices first, because chances are somebody didn't change it.

Michael Zambotti  24:28  
Well, what I do is I change my passwords to incorrect so that if I typed the wrong thing, it says your password is incorrect.

Kevin Slonka  24:34  
It is not a real thing. Don't do that.

Drew Thomas  24:36  
That's a great joke. Don't do that. And yes, also for the longest time the most common password was what, 123456 or something?

Kevin Slonka  24:44  
Yeah, it still is.

Michael Zambotti  24:46  
Yeah, the list of top 10 passwords has been unfortunately the same: 123456, password, password with the "@" sign as the "a", you know. Yeah, "$" signs as the "s", but consistently, and that's what attackers will do, like Kevin was saying, hacking 101 or ethical hacking 101, if you're trying a password, you try the simple ones first. And, you know, if you try 100 people, maybe one or two you get and that's all you need. You have the opportunity then.

Drew Thomas  25:11  
Stealing from Spaceballs the movie, that's the kind of password that somebody has on their luggage. Yeah.

Kevin Slonka  25:19  
It's true, though. I mean, and who really changes the default password on their router? Most people probably don't even know you can. They just get the router from their ISP, plug it in, they have Wi-Fi, they're happy.

Michael Zambotti  25:31  
They want to get up and running. Yeah. Don't want to necessarily change the password. Or they want to say, well, what if I forget it? You know, what if, because how often does the average person access their router?

Kevin Slonka  25:41  
Yeah, I mean, after it's originally set up, you probably never need to log in again.

Drew Thomas  25:45  
And that's it, you make a good point that so many people get their routers from their ISP, they don't even buy their own anymore, right. They're using one provided for them by their internet service provider. And that ISP has a default password that they use, that you can change, but most people just allow that person to set up their network, and then as long as they can get online, that's good.

Michael Zambotti  26:04  
That's the goal. All right, yeah. And, you know, we look at these Internet of Things devices, and it is really a two-edged sword, because, you know, I can see the use cases, I was at a party and somebody was, the woman looked at her phone, and she's like, I'm gonna feed my cats now. So, she logged into the cat feeder back at her apartment, and was actually feeding, I was like, wow, that's pretty lazy. But it used to be, you'd have just a friend go over to your house and maybe toss some food out for the cats. Yeah, but there's functionality and people like that technology, people, they want to interact with technology. But like Kevin said, these Internet of Things companies, sometimes, especially the drone companies, you know, a lot of them, the drones are manufactured in China, they don't think about security, or they're actively looking for ways to sabotage and gain passwords or gain access. So, you know, the functionality is there on one hand, but on the other hand, we do have scenarios where, hey, they're not thinking about our security, we need to think about that.

Drew Thomas  26:06  
And if I can borrow your tinfoil hat, I think we're all wearing them at this point. It really makes you wonder, like, if these drone companies are not somehow sending that visual data, somehow back to a server somewhere, and getting, I mean, they can get good maps of neighborhoods, they can get down to the street level, you know.

Michael Zambotti  27:19  
GPS coordinates, everything, you know.

Kevin Slonka  27:21  
Well, you just brought up an interesting point of, you know, spying on that visual data. Do our listeners think that they would ever just willingly give bad guys an open microphone in your house or an open video camera in your house, so anybody can watch you? But we do this all the time. I see where you're going. Yeah, how many of you out there have an Amazon Alexa, or any, like a Google Assistant, something that responds to your voice at home? Or how many of you have a small child, and you have a smart baby monitor near the crib that has a video camera? You can do a quick Google search and see that there are people out there who are breaking into these smart video cameras to like spy on babies. And because you can speak to your kid through them, these people are talking to other people's children. Because these are smart devices that are on the internet, and people have found a way to break into them.

Drew Thomas  28:18  
That, that is terrifying.

Kevin Slonka  28:19  
Yeah, think about I mean, yeah, you are just giving the bad guys, and you know, what's the number one reason why this is happening? Because those devices have default passwords, and people don't change them.

Michael Zambotti  28:30  
And why do so many people use these devices? Because, and it's you know, the functionality versus security debate. They are functional, they do have a purpose that is making people's lives easier, right. But if we only think about the function, that's only one side of the coin. Also, that security side. Yeah, I've seen stories too Kevin, like you mentioned about the baby monitors, strangers talking to your child, which to me is just the height of creepiness, in your own home, where you would, you expect to be in a safe environment.

Drew Thomas  28:57  
It makes you wonder, what would possess people to do this? And I think sometimes it's simply the challenge. I think certain people find, you know, they go I just want to be able to see if I can do this and they do it. That's creepy enough. But for, for somebody that's also then using it for a nefarious purpose, you know, to be able to tell when you're at home, where you might be located in your home or something like that. That is, that's really scary.

Kevin Slonka  29:19  
Yeah, especially if you have, you know, smart security cameras. So, not just baby monitor cameras, but security cameras around your house. If somebody can access that, they might be able to record the footage of you in a compromising situation and post it online to blackmail you. So, you don't want to be giving people free rein to see inside your house. Right? With the Amazon Alexas, the same thing with listening inside your house. Like have you ever really thought how a Google Assistant can respond when you say, okay, Google? It has to be listening 24/7, that microphone has to be on 24/7 so that it can hear you say okay, Google. What is it capturing and recording in all of that downtime when you're not saying, okay, Google, while it is waiting for those trigger words, and where is that data going?

Drew Thomas  30:08  
Yeah, and this is, there's another guest that we would like to have on the works with the gentleman that does look at this from like a legal standpoint. And I would love to sort of have this conversation with him here on a future episode to talk about the legalities that, that are involved in some of this, because there have been legal filing suits and things like that, that get filed against some of these people to prove that the data that they're collecting, when, when you're not actively using the device is not being used for a purpose, not intended. Whether or not that's ever been completely proven, or anything else is anybody's guess. And to the point that was made earlier, and I can't remember which one of you made it, that there are functional uses for these things. I mean, it's, we're not sitting here saying that, you know, you should just strip every piece of technology out of your home and never ever, ever use them. Although Kevin might be.

Kevin Slonka  31:00  
I do have some smart devices in my home.

Drew Thomas  31:03  
But, if you are going to use them, to use them as safely as feasible. And that means doing the basic stuff, like changing passwords, when you receive devices, you know, initially right out of the box, because, and correct me if I'm wrong, I would have to think that if someone is trying to access your home network, they're not going to waste a lot of time trying to break into a network that has a changed password, if they can also find one, a block away that isn't protected, right?

Michael Zambotti  31:32  
Most attackers are opportunistic, they're going to go for the low hanging fruit. They're going to try yours, they're going to try, it's almost like if you broke into a hotel, and hopefully none of our listeners are breaking into hotels, but if you did, you're going to run down the hall and check every single door. Hey, you found one that was open, it doesn't matter whose room it was, it just matters that you found an open room, that's where you're going to explore. So, you're an opportunistic attacker. And that's generally the majority of, of cyber criminals will have that opportunistic mentality. Some are motivated, where they're gonna go after a specific target, we might see that with maybe a state sponsored espionage-based cybercriminal group. They want to go after, they want to get the plans for a jet, fighter jet. Well, I don't have the plans for a fighter jet, but Lockheed Martin does. So, that's a motivated attacker, they're going after that specific target. That's in the minority, most attackers will be opportunistic.

Kevin Slonka  32:22  
Yeah, this actually happened, I can give an example from a company that I previously worked for. There was a vulnerability that got publicized with Microsoft Exchange, which is the Microsoft email server that companies can, can run on their corporate servers. And, you know, our adversaries found out about this. And what they did was basically exactly what Mike said, they did kind of, they took an opportunistic take to it. And they just launched that attack against the entire internet, basically, just to see who they could break into using this new vulnerability. But they weren't looking for money, or, you know, just to take what they could, they were looking for specifically, like government type data. So, we had found that one of the clients that we managed, was breached because of this vulnerability. So, as we were investigating, we realized that they breached initially and then stopped. They didn't move on to phase two of the breach. And the reason that the attackers probably did it is because this company wasn't a government contractor, they had no data of interest. So, yeah, like Mike said, you know, you, you could be hacked right now, every one of us could be hacked right now and not know it. There's always the chance that they just steal whatever they could steal, but there's also the chance that they didn't find what they were looking for, so they move on.

Drew Thomas  33:48  
Something you said about being opportunistic, and then you also said about the hotel example you gave me, I wanted to circle back to the idea of public Wi-Fi. And the fact that, you know, we're talking about protecting your home Wi-Fi and having passwords and so forth, but, you know, there's a lot of businesses, a lot of hotels, coffee shops, whatever, that, you know, say free Wi-Fi, you know, come sit down, look up your laptop, and you know, work here while you eat, drink, whatever. But ever is that a good idea?

Michael Zambotti  34:15  
Public Wi-Fi is something to be aware of, and yeah, it's easy. Hey, you go to the coffee shop, and you go to Starbucks, and it says Starbucks free Wi-Fi. I have a device called a Wi-Fi pineapple, okay, it's something that anybody can purchase. You can set up what's called a rogue access point, a rogue access point, which means I can sit at Starbucks and create an access point that says Starbucks high speed. Okay, and just sit there. Anybody that connects to that access point, I will see all the traffic. So, whatever it is, if they type passwords, I will see the traffic. They will have no idea because they will also connect to the broader internet, they'll get the traffic that they were expecting. They want to go to their bank, type in the credentials, they're not going to see that I was able to capture those credentials. So, this is something that can happen whenever you're using public Wi-Fi, you don't know even if you're connecting to the resource that you think you are. It could, you know, you can make a Wi-Fi access point called anything once you have the proper hardware.

Kevin Slonka  35:10  
This actually happened, I watched a YouTube video of an ethical hacker who was demonstrating this. And he went to a hotel, I think it was a Marriott, and the, the name of the Wi-Fi, the real Wi-Fi network was just Marriott. But he sat out by the pool and set up his own Wi-Fi access point, and he called his Marriott pool. Sounds logical, right? If you're out by the pool, that's probably the one you want to connect to, right? If you're a guest, you're not even thinking twice, right? You're connecting right to it. And what he would do is he would watch people's traffic, figure out who they were, and then walk over and tell them hey, look what you just did. I just saw all your stuff. You should probably be more careful. Yeah.

Drew Thomas  35:50  
We talked about like being a review that traffic, right? Do you have to have specialized software to understand what that traffic is? Or is it just a bunch of computerized ones and zeros streaming past? And it's not the matrix, right? I mean, you're not.

Kevin Slonka  36:04  
I mean, it is the matrix. And yeah, you do need specialized software. But it's not like you have to pay for it. You know, all of these tools are free. Anybody with a couple of quick Google searches can get software to be able to read that traffic, it's not difficult.

Michael Zambotti  36:18  
And things like YouTube are excellent for learning, you can learn so many different things on YouTube. You can also learn how to do things like malicious activities, like setting up a rogue access point. If you want to learn those skills, you know, the tools are cheap, or free. And you can go on YouTube and find out exactly how to do it, it will take you maybe a couple hours to get up to speed. So, it's not something like you have to have a tremendous amount of hacking ability or computer ability. You can get up to speed pretty quickly and do some malicious things. So, not to scare anybody but, public Wi-Fi, probably something that I would avoid, unless you, you know, unless it was an emergency, I don't know, if there's emergencies where you need to have Wi-Fi. But you can use an alternative would be using your phone as a hotspot. So, you have control over, over the Wi-Fi or, or purchasing a hotspot or maybe just saving your net activity for whenever you're in a Wi-Fi that you control.

Kevin Slonka  37:09  
Yeah, if you absolutely have to use public Wi-Fi, probably the only thing we could say is, at least use public Wi-Fi where they make you put in a password to connect to it, because at least then your wireless connection is encrypted. If you're connecting to one that doesn't require a password to connect, then that is plain text. And anybody could be sitting there like Mike with his pineapple sniffing that traffic and reading your passwords as you send them. So, you know, at a minimum, make sure you're at least connecting to one that requires a password.

Drew Thomas  37:40  
But going back to your previous point, then you're sharing your data with someone, someone you're sharing your data with that company theoretically.

Kevin Slonka  37:48  
You have to trust in Starbucks, if you're sitting at Starbucks that they're not reading your data. Yeah, this is probably the one case where a VPN might be a good idea. If you have a legitimate VPN, that is not some, you know, random garbage one that's also stealing your data.

Drew Thomas  38:04  
So, people that travel extensively, things like that, and maybe, maybe, maybe that's...

Michael Zambotti  38:08  
Maybe invest in a hotspot, yeah, you know a lot of the cell providers, you can purchase a separate hotspot, or use your phone as well.

Kevin Slonka  38:15  
And it's probably only what $10 bucks more a month to turn on the hotspot feature for most companies, that's definitely a good thing to do, right.

Michael Zambotti  38:21  
But it comes down to your particular use cases. If you are traveling a lot, maybe you do want to have internet. So, we can't go 100% on the security side, we do need some functionality.

Drew Thomas  38:30  
And I think that's one of the reasons why we're doing all these episodes, and, you know, why we've done the ones in the past that we've, that we've already released. Because we live in an era of technology, unless you really want to live off the grid, and just shun almost all of modern society, it's almost impossible to not interact with technology on some level. And the trick is trying to do it as safely as you can. Which is not to say that it's 100% safe no matter what you do. But then again, getting in your car in the morning and driving to work is not 100% safe, it's an acceptable level of risk that you take when you drive to work every morning because you feel that the benefit is going to outweigh the risk. And that's kind of where you are with these pieces of technology, the Internet of Things, the voice assistants, whatever, you have to personally be comfortable with whatever level of risk you're willing to take for the amount of benefit you're willing to receive.

Kevin Slonka  39:25  
And that's the word I was just going to mention that I'm going to steal Mike's thunder, but I'll let you talk about it because you love to use the term risk appetite.

Michael Zambotti  39:27  
Yeah, absolutely. What we have to do is consider the threat, you can never eliminate risk. You want to get in a car, there is a nonzero probability you can be in a car accident, but you can also put into play controls. You put controls in place, you have seatbelts, you have safe driving processes, you have airbags, all those things, there will always be a residual risk. So, we're not saying hey, don't use technology. We're saying let's use it smart. Let's use it in a way that we're aware of the threats and we're putting controls in place, you know. And one thing I did want to mention, you know, go back to our Internet of Things discussion. We were talking about inside of the house. To open up another can of worms, what about things like Ring doorbells and outside of the house? You know, I see, you walk down the street in the city, everyone has a Ring doorbell. It's almost like you're on camera, if you're walking around.

Drew Thomas  40:17  
Oh, it's, it's to the point where, you know, you see that all the time, even on TV. Law enforcement will go around a neighborhood that has had some sort of an event, you know, people breaking into cars or doing something. And they'll go to the neighbors that if they noticed, they have a Ring doorbell, they'll say, you know, can, can we look at your Ring doorbell footage, you know?

Michael Zambotti  40:33  
Well, one step beyond that, they'll actually subpoena Ring. They'll subpoena them and actually get the footage. So, you have no say.

Kevin Slonka  40:40  
Yeah, you actually agree to that whenever you set up and log into your Ring doorbell for that, uh, that end user license agreement that nobody ever reads for all of their stuff. There's a little line in there that says, by using this doorbell, you agree that, you know, Ring has access to all of your videos and can provide it to law enforcement at any time. So, you don't have a say about it.

Drew Thomas  41:01  
That's, we, we were again, this is one of those things we were talking about it before we started recording today, but it comes up, you know, and it goes to risk appetite, I guess too, I like that term as well. If you want to use these things, sometimes you don't have a choice, right? We were talking about, like captcha, and things like that, like, you know, there's a, there's a functionality that may be beyond the obvious for some of these things. But if you want access to that site, you don't have a choice, you know, you got to complete the captcha.

Kevin Slonka  41:28  
The only choice is not to use it.

Drew Thomas  41:30  
Yeah, you know, and the same thing, you know, if you want a Ring doorbell as an example, you have to sign that license agreement, or you can't use it. So, again, it's one of those things where you should read those things. Right?

Michael Zambotti  41:40  
That's the thing, though, as consumers, we are kind of behind the eight ball. If we read it, and there's something we don't agree with in there, we can't cross it out. Do you want to use this product or not? Okay, well, are you not going to use this product because of one line in the User Agreement. That's, you know, most people are not going to make that decision. Most people are not going to read it. I have heard stories of companies that will put easter eggs in their end user license agreements, where it will say if you read this line, email this, and you get something. One company was giving out, I think $1,000 or $2,000. And it took like six months before somebody claimed it, it was a long time. But it just shows, hey, in classes, I've done that in my syllabus. I have put in there, if you read this line, email me, and you get five extra credit points. Generally, 20% of students will email me. So, even in a college course, a syllabus, that's only a couple pages, we're talking end user license agreements that are hundreds of pages in point, what is it, two, like two-point font? Yeah. I mean, yeah. And it's in legalese. All the sentences are, you know, a paragraph long and you read the first line, and you're like, this is not happening today.

Drew Thomas  42:45  
Yeah, it's a strange world, I mean, that we that we live in. We've talked about you know, just that exposure that you're, you're putting yourself out there for even when it comes to using email or doing the basic stuff, like being able to send and receive text messages and stuff. I mean, that has a risk. We talked about, you know, not clicking on links, things like that in previous episodes, but theoretically, just owning a cell phone has a certain level of risk, because it has to connect. I mean, I don't know that you can buy a cell phone these days without having a data plan, you know, without having some internet connection on that phone.

Kevin Slonka  43:17  
Well, and the way that the cell companies are going now is that all voice will be done over data in the future. So, you really don't have the option anymore. Yeah.

Michael Zambotti  43:27  
Right. And we think about it, you know, in the context of us, purchasing technology and using it, you know, our Alexas or our Ring doorbells. But what if we don't even have one? What if our neighbor has a Ring doorbell, we've never even agreed to anything. But every time we go out of our house, we're on camera. Our neighbor can see us and what can we do? You know, what's our defense against that? Yeah, really none. Move, I guess.

Kevin Slonka  43:49  
There's no right to privacy in public.

Michael Zambotti  43:51  
That cabin in the woods that we are, we aspire to live in, covered in tinfoil. Yeah.

Drew Thomas  43:58  
All right. Well, guys, I mean, I, once again, lots of great information and information that we could go into deeper detail on, but in the spirit of trying to keep things from becoming too overwhelming for our listeners, we'll try to wrap things up here. So, I think the, the takeaways from our discussion today really are understand when you adopt some of this technology or agree to use some of this technology, you may or you may be agreeing to some things you don't necessarily know. And when you get these things at home, you know, change the password. I mean...

Michael Zambotti  44:29  
Yeah, it goes back again to basic blocking and tackling. You know, we talked about it a couple episodes ago, having a different password on every website, changing a default password on an Internet of Things device. These are not things that you know, that are super complex, but it can really improve your, your personal security posture.

Drew Thomas  44:46  
All right. Well, thank you very much for once again, having a great discussion. We appreciate it. We'd love to have you back and do some, some additional discussions on these things. Because again, I mean, we, my gosh, we could talk about all kinds of different stuff that we haven't even, there are words we haven't even uttered at this point that we can do entire episodes on.

Kevin Slonka  45:05  
I'll be interested to see the comments that you get, you know, yelling at me for telling people to stop using devices or not.

Michael Zambotti  45:11  
Well, they can't comment because they've gotten rid of their computers. That's right.

Drew Thomas  45:14  
What I mean, in all seriousness, though, we definitely encourage comments, we encourage suggestions, we would love to hear your questions as well, because, you know, we do intend to have Kevin and Mike back and, you know, give us some feedback about what you want to know, give us some feedback about what you'd like to hear, what you'd like, you know, some, some feedback on and some information on that, that maybe we haven't covered yet. If you haven't had a chance to listen to the previous episodes on cybersecurity, be sure to go back and listen to those as well. There's some really, really great information in there that we did not necessarily cover in this episode. And we hope to definitely revisit some of this stuff again, you know, in the not-too-distant future. And with that, yeah, thank you very much. Excellent, thanks. All right.

Drew Thomas  45:55  
This podcast focuses on having valuable conversations on various topics related to banking and financial health. The podcast is grounded in having open conversations with professionals and experts with a goal of helping to take some of the mystery out of financial and related topics, as learning about financial products and services can help you make more informed financial decisions. Please keep in mind that the information contained within this podcast and any resources available for download from our website or other resources relating to Bank Chats, is not intended and should not be understood or interpreted to be financial advice. The host, guests, and production staff of Bank Chats, expressly recommend that you seek advice from a trusted financial professional before making financial decisions. The host of Bank Chats is not an attorney, accountant or financial advisor, and the program is simply intended as one source of information. The podcast is not a substitute for a financial professional who is aware of the facts and circumstances of your individual situation. Jason Dorsey of the Center for Generational Kinetics once observed that back in the 1990s, a young Generation X was considered to be the most tech savvy generation, those most likely to both be using the newest tech and the ones most likely to understand how it worked. The people and the technology grew up together. Gen X is now middle aged, and the young Gen Z and older Boomers are finding that they have something in common, they are more likely to be tech dependent rather than tech savvy. While it isn't necessary to know everything about how technology works, knowing at least a little can really help make you more aware of how cybercriminals may be trying to reach you. Our sincere thanks yet again to Kevin Slonka and Michael Zambotti for lending us their time and expertise on the show. We also welcome your comments and feedback. You can click the links in the description to get in touch with us. 
Thanks to our producer and part-time co-host, Jeff Matevish, for all of his hard work and dedication. AmeriServ Presents Bank Chats is produced and distributed by AmeriServ Financial Incorporated. Music by Rattlesnake, Millo, and Andrey Kalitkin. If you enjoyed the show, please consider liking or following the podcast. For now, I'm Drew Thomas, so long.


Back by popular demand, Kevin Slonka and Michael Zambotti from Saint Francis University, continue their cyber-centric chat with Drew on this episode of Bank Chats. In this episode, the trio discuss tech topics such as cloud-based technologies, VPNs, and users’ rights in terms of privacy. Want to learn what a Wi-Fi pineapple is? Check out this episode and find out!

Credits:
An AmeriServ Financial, Inc. Production
Music by Rattlesnake, Millo, and Andrey Kalitkin
Hosted by Drew Thomas
