# #

October 20, 2021

Cybersecurity at Home: Family First Webinar Featuring Cyber News Reporter Kerry Tomlinson

This Family First webinar was produced especially for our Cybersecurity Awareness Month customers. Want timely, relevant security awareness programming like this for your organization? Request a demo

These days, we do everything online. And that can create some interesting problems when it comes to securing your work, your personal information, and even your family. In the newest installment of our Family First webinar series, Living Security’s Jenny Kinney sat down with Emmy Award-winning journalist Kerry Tomlinson to discuss actionable steps for keeping ourselves and our families safe in the digital world.

Highlights from the webinar:

  • The easiest ways to keep cyber attackers out of your home.
  • How to make sense of your home router.
  • How to turn passwords from foes into friends.
  • The number one trick for keeping enemies out of your accounts.

Catch the replay below or continue scrolling to see the full transcript of Kerry’s presentation.

 

Cybersecurity at Home: Work > Live > Play Secure

 

Jennifer Kinney: Hi there, and thanks for tuning in to our Living Security webinar called Cybersecurity at Home Work, Live, Play Secure. We know you're busy, so taking time to pay attention to the session is appreciated. And I'd also like to sincerely thank your security awareness program owners who are investing in you like this, and for partnering with us to bring you valuable content throughout Cybersecurity Awareness Month. I hope that each of you learns something that you can apply at home and share with your friends and family to keep them safer from cyber crime. I am your host, Jennifer Kinney with Living Security, and our presenter today is Kerry Tomlinson. Kerry is a cyber news reporter who works to help people stay smarter and safer online. She's spent three decades as a TV news reporter, often going undercover to investigate crimes. She's won multiple Emmys, and other local, regional, and national journalism awards. Now she travels the globe both in real life and virtually looking for creative and compelling ways to show people what is happening in the digital world, and how it impacts them. And today, we're so happy to have her share what she's learned with us. And she'll give us actionable steps to help keep us and our families more secure online. Kerry, are you ready to drop some knowledge on us?

Kerry Tomlinson: Yes. Yes. I am so glad to talk to you all. And you see the title slide Cybersecurity at Home Work, Live, Play Secure. Well, why? Because now, everything is online. We work online, we live online, we play online, we do everything online. And that creates some interesting problems that we together today are going to solve.

So first all, a little bit more about me. So you saw that I worked for 30 years in TV news and got multiple Emmy awards. And what I did during those 30 years is I gathered information about threats and crimes that were happening to people, and I shared them so that we could all live better. Well, I'm doing the same thing now. And I've been doing this for more than five years now in cybersecurity. The same thing with news about our digital world. I'm currently doing it for Ampere News Network. But my goal, my mission, my entire life's has been getting information for you and sharing it with you so we can do this better.

So this is good because today, we are going to learn four good things. We're going to learn the easiest ways to keep cyber attackers out of your home. We're going to learn how to make sense of your home router. We're going to learn how to turn passwords from foes to friends, and the number one trick for keeping enemies out of your accounts.

Now, this presentation is really aimed at people who feel intimidated by technology or are very busy and just don't have time to invest and learn about technology, which is most of us. Really, we're just trying to get through. So if you have any sort of trepidation, or hesitation, or any feeling like that about your home cybersecurity, we are here to help.

So not only will we help you, but also let's say you have some knowledge about tech, but you're just busy and you just want to verify that you're doing things right. This presentation is also for you. And if you are very tech savvy, and you know what you're doing, this will be interesting because you can see the kinds of that your friends, family, and coworkers are going through, and maybe you can help them just a little bit more.

So we start working from home. And we use memes for our presentations, and memes that are going to be really pixelated because memes traditionally are passed on from phone, to phone, to phone, to phone. And it's a way of communicating with people and saying something, and maybe a little bit something to think about at the same time.

So this one is when you work from home and somebody wants to video chat and you go, "Oh my gosh, do I have to turn on the camera?" It's a reminder that we've all been working from home or at least doing more online in the past year and a half or more, I think it seems like. The problem with this is while we're working from home, the attackers are attacking from home. Doesn't really matter to them if they're at a home or office. They've got their laptop, and they will come after you. This is a meme of one of the bad guys in an Austin Powers movie. And he always does little quotes, "Working from home." So they're working from home, but they're really attacking from home.

And what are they doing? They're attacking your home from home. This is a headline from an attack that has happened during the pandemic. Russian hacker group Evil Corp, you may recognize the name from Mr. Robot. Evil Corp targets U.S. workers at home. And these are two fellows that have been indicted by the U.S. government for allegedly leading this group Evil Corp. But what they said was, "Hey, if people are working from home, we're just going to go after them at home."

This is your front door. Not your actual front door, but a representation of your front door to your house. And I'm guessing you lock the door when you leave the house, because otherwise people can get in. Most people lock their front door.

Well, this is the front door to your digital world. Are you locking your router? Are you leaving it unlocked? Your router is really your front line of defense just like your front door. Are we paying enough attention to that front door to our digital world? We're going to learn how to do that to make sure we're just covering all our bases and slamming that door shut for attackers.

Your router is actually worth a lot of money, and you may not think about that. And I don't mean you have to spend a lot of money to buy it. Maybe you do. But it's worth money to other people.

And this is an attack that is happening now. This is a very new attack for 2021. And you see this image. This is taken from a Reddit forum. So Reddit is a forum where people talk about various things. This one was spotted by Cisco Talos, who reported on this threat. "When your grandma lives in the other state and have a phone with unlimited data." Obviously someone who English is probably not the first language, but then you see the meme. It's free real estate.

So what this attack does is it allows you to take software and put it on other people's devices, other people's phones, other people's laptops, and use their internet connection and actually sell it. Various companies that do this, they call it proxyware. But you make an account with them, and then you plop this supposedly just on your device, and then sell your internet connection to other people. But of course, what Cisco Talos and other companies are finding other researchers is that bad guys are throwing this onto your devices and onto your routers and internet connections so that they can use your internet connection.

Here is one person talking once again on Reddit about this. And I'm not going to read it word for word, but basically they say that they're making accounts with these proxyware companies. And then you look at the numbers. These are the numbers of devices that they have taken over. Two IP's, meaning IP addresses at home on four devices. Two devices per IP. Whoops. Sorry, my bad. Let's go back and see, because it's really interesting to see.

So on phones, me and my partner's phone. At my office, at my partner's office, at my parents' place, at my brother's place, also at my parents' place. Question, are they telling all these people. I mean, saying hey, at work are they saying, "Hey, can I use your, my coworker's laptop for something so I can make money off of you?" This is a problem. Not only are the people who are actually knowingly signing up for this using it, but the rest of us who are being unknowingly used for this. This is a problem and something to watch for. Here's an ad for this kind of proxyware. And once again, the English that's not completely correct. "Your traffic is worth pretty much."

So that's to sell to someone who supposedly only uses it on their own devices. But the researchers found not only are people who are making these accounts using it on other people's devices, but also fake proxyware companies are tricking the people who actually use this and try to use this software by also doing attacks on them. So you think you're being clever by stealing other people's internet connections. And really the companies, some of them are stealing stuff from you in the process.

It's all pretty dark and scary, but we need to see one more layer of this. And this is the kind of thing they can do if they get access to your internet traffic, your internet connection. This is a sad story. You see the headline of our slide? Your router equals more than money, and this is why. This is a headline from a story. This actually happened in the UK. And this is a family saying, "Did weak wifi password lead the police to our door?" And this is a quote from the family. "They took everything. Our desktop computer, both our laptops, our mobile phones, a laptop I had borrowed, even old mobile phones that were lying around in drawers," said Kate, which is not a real name by the way.

So what this family did, mom, dad, and two kids, they got a knock on the door from police. And police raid their homes and took everything. Why? Because their internet connection was being used for child abuse images. And I don't want to say too much more about that because it's pretty sad. But child abuse images, or being passed through their internet connection. So that is one reason that the bad guys want your internet connection. And isn't it convenient that they can convince other people to make accounts for these companies that sell internet connections so that these people who may have shady ethics that are jumping on your internet connection and selling it, and then really bad guys are jumping on that and making it even worse.

There indeed, as you have just seen, is there is a fight going on over your router, over your front door. The bad guys want it. There's a headline from a new story I did a while back. "There's a war waging in every router out there." What that simply means is that criminals are trying to get in. There is also fierce competition over your router. Because as we learned from a security company called Guardicore, "Being the only attacker on a machine is powerful." Then they get your entire connection, your entire bandwidth. Access to all of your information, all of your passwords, all of your bank accounts, all of your data. So they will clean up the machine, kick off any malware, put their own malware on it, keep it updated so that you don't notice that anything's going on. And then another gang will come in and kick them off and do the same thing back and forth. And you won't even know. That's the hard part is you will not know that this is happening.

How are they getting in? Well, one big way is brute force attacks on home routers. Brute force is when they just try a bunch of different passwords on your connection and see if they can get in. And this is from security company Trend Micro, the data. Back in September 2019, they recorded 23 million brute force attacks on home routers. Start of the pandemic, March 2020, 94 million brute force attacks on home routers. Nearly 10 times as much. And of course, the attackers have stayed on. As the pandemic has its ups and downs, the attackers have stayed there. They know it's successful. Why? Because we are not as good at security at home as our workplaces are at work. They've got departments, they've got experts, they've got consultants. We've got us. We've got us. And sometimes, we don't know what we are doing. But we are fixing that today.

This graphic really shows what's going on, this from BitSight. It says the blue dots are attacks on corporate networks. The gray dots are attacks on work from home remote office networks. And there are so many gray dots, that it looks black. Because the attackers know, "Hey, this is how I am going to get in. I will get into a work network and get to do ransomware or steal data and hold it for hostage, and cause all kinds of problems. And, I get all your juicy home data as well." And don't forget that your passwords, and your bank account, and your data are super valuable, because they can sell them on the dark web and make some nice money.

How are we letting them in? Well, through easy passwords. And this picture here is a little Lego home router that I made, because I thought it was cute. And they're getting in through our default passwords. That is the password that comes for example on your home router when you get it. Like admin admin, username admin, password admin, that kind of thing. And if we don't change it, the bad guys can look it up on the internet, and then just jump right in to our home routers. We use popular passwords like I love you, and Star Wars, and COVID-19, and spring 2021. They're also very popular. The bad guys just put that in their database, try it automatically. They don't sit there and type in the passwords one by one. Use automation, and they can get in. Short passwords, eight characters or less the research shows that boom, it can be cracked in a matter of seconds. Longer, 15 characters or more may take years to crack.

Also reused passwords, you reuse a password. You may already know this, but let's think about it. That means if the other platform like let's say LinkedIn. If the other platform is hacked or if there's a data breach and there's a new data breach every week, that means that password that is connected to your identifying information can easily be automated and retried on your other accounts until they get in. Reusing passwords, a really easy way to get hacked.

But we do it don't we, because we've got a lot going on with the passwords and we'll get to that a little bit later, about how to deal with that password headache. A survey from August 2021 shows that 62% of us have reused passwords or are reusing passwords now. So that means 62% of us are making it really easy for attackers to get into our accounts. In August 2021 for example, a database of 70 million AT&T customers popped up for sale on the dark web. And this is the ad on the dark web.

So if there are passwords that are not encrypted or scrambled in this, that means those 70 million passwords are for sale and they can just try them on all your accounts until they find oh okay, you reused your AT&T password on your work account, or your bank account, or maybe your email account. And we'll talk about why the email account is no good coming up soon.

So what do they want? They want your money from your bank account, or PayPal, or what have you. They want your passwords. They can use them, or sell them, or use them to check your other accounts and get in. They want your email. Why? Email is great for taking over and pretending to be you for various reasons. One, if they send out a nasty piece of let's say malware, an attack on your friends and family, your family is going to think it's you. And they are more likely to trust it and click on it because they thought it was you. Also for an attack called business email compromise, which is a huge problem and has been for several years, where they pretend to be you, or they use your email to get to someone else at your place of work. And they convince either someone at your work or another company to instead of sending the money that would normally go to that company, to send it to a slightly different account, which is the attacker's account. And then your email has been used to trick someone else. They will delete the messages and use systems so that you won't know that's happening, but they can get in and do that.

And your data, always valuable, always a market for it on the dark web. Because people come up with all kinds of crazy attacks, whether it's directly on you, whether it's on you and you don't know it, or whether it's 10 years from now when they have your awesome data that they can use information about anything, like what are you using for your let's say security questions. Your pet's name. Just your pet's name is very valuable because people use them for passwords and things. So really they want everything, and they are glad to jump in your router and do this.

Another awful thing they can do if they're in your router. It's called redirection. And that's where you sign on to your bank site. You put in the web address for your bank site, and off you go. Well what they can do, and they're very well prepared. They can redirect you to a bank site that looks just like your bank site, but is a fake. So when you put in your username, and your passwords, and security questions, anything like that, boom, they have all that. This is indeed a fake NatWest site. It looks much like the real NatWest site if anyone is a NatWest customer. And the only way you'd be able to tell is if you happen to look up at the web address and you see well, this is not the exact same web address that I normally look at.

A lot of people say, "Hey, solution is to bookmark your web address." And that's a good solution. And get in the habit of just checking, memorize your bank web address, and then check to make sure that is what you are actually on.

They can also sell your router. We talked about people using the proxyware to take over your router and use it. Well, they can take over your router and they can sell it, sell your access on the dark web. This is an actual ad selling access. And they can use it to send out attacks. Once again, another actual ad from the dark web, where they send out attacks. What kind of fun attacks do they do? Well when they send out these attacks, they do it en masse. So it's not just you and your router. It is you, and your router, and 100,000 other routers that are ensnared in these networks of zombies. Your device becomes a zombie. Your router becomes a zombie, which means it's under the control of the person in charge. The mastermind, the criminal mastermind.

And if they sent traffic from everyone's router all at once to another network, or website, or hospital network, or other similar critical infrastructure, then they can shut that down. Because it's being so bombarded with traffic, that it can't operate. And some attackers say, "Well, we have ethics. We will not do this to a hospital during a pandemic," for example. But they're plenty glad, first of all, some of them don't have those ethics and do it anyway. But they're plenty glad to attack other stuff that you might want or need and bombard it and say, "Give us money, or we will continue to bombard your system and you can't use it."

For example, what if they do this to a gas company that is bringing your gasoline? There will be supply problems. Or many of the other critical infrastructure companies that you rely on. Or what if it's just a website that you you want to use and you can't get through? Well, the irony would be that your router is attacking a site that you want or need to use. You are invisibly participating in this, and you don't know. But this is inspiration to say, "Okay, I need to do something about this, because I don't want to be the source of my own problems." Or anyone's problems, but also really, you're causing yourself more headaches and trouble.

And this kind of attack, they're called bot attacks where you are the bot. You are under control. You are the zombie. These bot attacks grew 41% in the first half of 2021. Attackers are really focusing on this. You see the zombie hand of your own devices controlling your device. Of course, you wouldn't actually see it. And that's the terrible part is you wouldn't see that this is happening.

So what are we going to do? We are going to win back your router. We are going to take control of our routers and do good router security because that is the front door to our home. And darn it, we will just lock it up like we do the front door of our actual house.

First step, hug your router. This kitty hugging the router because it's warm. But we are going to learn to not be scared of that router. We are going to learn how to use it, how to make it work for us. And sometimes, that actually means just touching it, and picking it up, and looking at it, and being confused by it. That's the first step. And that is okay, that's fine. We will hug our router.

So really, the most important part is not hugging and touching our router, but that does actually help you and be surprised how much it helps to pick it up, and touch it, and look at it, and be confused by it.

Any questions we have about our router and other security, but especially the router, Google it. You see this well traveled meme. "The wifi password is on the back of the router." So you turn the router over, and the back of the router is hieroglyphics, and you can't tell what's going on. What do those numbers and letters mean? No problem. Why? Because security experts Google it. Any search engine doesn't have to be Google. They search it up, because there are so many routers out there, so many brands and so many versions, that there is no one person who knows how to deal with every single part of every router out there in the world. So everybody does it. Every security experts do it. If you ask them a question and say, "Well, how do I do this with my router?" They'll say, "What brand is your router?" And then they'll Google it. So we're going to do the same thing. We're going to take out the middle person, and learn to do it ourselves, and do our best. What questions do you ask when you Google? Well, we're going to go through this.

So very first thing is getting to your router. From any device in your house, you go to the IP address or internet protocol address for your router. And you say, "Wait a second. I don't even know what an IP address is. How will I know what it is for my router?" And that's a great question and is not a problem because you go do the search function on your device that you do a million times a day, and you type in, "What is the IP address for my fill in the blank brand router?" The address is often one of these two. We're just showing them as examples. But you can look it up, and then you type it in. And that will help you access your router, the dashboard to your router.

So think of it like we are getting to the steering wheel and the dashboard of our router. If our router is a car that takes us everywhere on the internet that we want to go, then we are going to learn to private.

Next step is change the default password. You see the username admin and the password admin. So those are the ones that come on the device. When we change it, this meme to the left is really going to illustrate what's going on. And that is what you see, that's the picture on the left turning on and off the router, versus what your family sees when you reset the router. They think of you as a guru, a technological guru. You've got the skills, you've got the vest on. And when you change the default password, you will start to feel like that same person. Like, "Okay, I got skills. I can do this."

So a lot of people say, "Well, I don't know what the default password is on my router." And that's not a problem. You just search it up online, Google it. "What is the username and password for my blank brand router?" It's very common, it's easy to find, and that's why it's so deadly when it comes to your router actually. Because the bad guys can easily look it up. They can enter it. And then they're the ones driving your router, not you.

So look up your default password, and change the username, and change the password, and save it in a safe place, which we'll talk more about that very soon. Save it in a safe place, change the password to something long and strong. This is the password that accesses the driving part, the dashboard. This is not the password to your wifi. This is something different. And that's an important distinction, because we're not always clear about what these passwords are for. We're talking about the one that gets to the driving part.

Because now that we're in there and seeing the dashboard, we need to update your router. Update, a lot of people say, "Do you mean buy a brand new router so it's updated?" No, this is the guts of your router. The software or firmware as it's called inside your router, that makes it do its thing. And we talked to a cybersecurity expert that says, "If you update your router, you're pretty safe." Well, that's great.

The bad thing is people normally don't update their router. We don't. We don't think about it. We don't realize how essential it is. But here's why it's essential. With just about everything, electronic with stuff going on inside it, computer activity so to speak, there are security holes. So, researchers are looking for them to try to find them before the bad guys do. And also, bad guys are looking for them to try to find them before the researchers do, so they can get into your router, and do all the attacks, and sell it, and do all that good stuff. So somewhere along the way, and pretty regularly, either the attacker comes up with it or the researcher comes up with it. And then the researcher notifies the manufacturer, and/or the attacker does an attack and the manufacturer finds out.

And then nowadays, the makers are more likely to send an update in the past. They were less enthusiastic because overall, people were not as enthusiastic about cybersecurity. But we're all becoming more aware. So the manufacturers, if you've got a decent manufacturer, they will send out an update electronically. And you may need to download it to fix it. If your manufacturer is not updating your router, you really want to get rid of it and get another one. And that is why many people choose well known names of routers and not just any old cheap thing that they find on Amazon. Because you want someone who will update it regularly.

Being a big manufacturer doesn't always mean it's the most secure. So you can do some research if you like, and we'll talk about the best ways to do research a little bit later on. So strive to keep them updated.

Well, how do you keep them updated? That's what we'll talk about now. Once you get in to your dashboard, it may look something like this. This is an ASUS screen. Just I picked it because it's actually kind of scenic and pretty. And it may look really confusing and a bunch of words that you don't understand, and that is okay. I encourage you to just kind of stare at it and maybe look for words that you know or words that you can search up. But remember we're looking for updating. And you'll notice in the top right, there's some information about updating. So when you get to your dashboard, scour around, look around until you see the word update. And if you have any problems, you can simply do a search. "How do I update my blank brand router?" And the good manufacturers will have step-by-step instructions on how to do it to guide you through.

Don't worry if you don't recognize other words, or phrases, or things going on. That's not important right now. What's important right now is step-by-step. We're going to do just the basics to make sure you're secure, and updating them is very important. Sometimes you can set automatic updates, which you do want to do if you have that opportunity for your router.

After I gave one of these presentations, lots of people have contacted me and said, "Oh my gosh, thank you so much because I checked my router, and I had not updated it in a long time." The longest I heard was someone who had not updated their router in nine years. And we're getting to the point where a nine year old router is pretty, pretty old. We're seeing experts say five and six year old routers are considered old. So it's not a bad idea to consider purchasing a new one. But we do want you to check and see when was the last time you updated. Or at least if you can't check that, just get it updated and you'll be better off.

Okay. Next step, change your wifi password. That's the password that you and other people use to access your wifi, so you can do the connection. This is not in the dashboard. We see this fun meme, "Are you my home router?" Because we connected automatically. Because once you connect to someone's wifi, then you can do it automatically from there on out if you say remember this one. That means anyone who's ever had your wifi password can connect automatically.

So the first thing I say is make sure you do have a password for your wifi, set the password for your wifi as you do that through your dashboard. And make it a good one. And then if you haven't changed it in a long time, it's a good idea to change it, because then people will have to ask you for the password instead of just connecting automatically. Things are a little different now with the pandemic. We're not socializing in our homes as much as we used to for the most part, but it's a very good idea.

Because if the bad guys can get on your wifi, they can also do damage to you. So your wifi password is another way for them to get in. So when you're in that dashboard, check for the wifi password. If you have any questions, say, "How do I set or how do I change the wifi password for my blank brand router?"

Once again, I did want to highlight that the router password, that's the one that you use to get to your dashboard. And the wifi password is the one that you and other people use to access your connection. And there's a difference, and you want to make sure you have a password for both, and a decent password for both.

All right. Last thing we want to do while we're in there on our dashboard is we want to change the encryption. And you can do that by looking for the word encryption on your dashboard or searching it up. And what you want to set it to is WPA2 or higher. So WPA2, or WPA3, or whatever comes after. Which stands for wifi protected access two or wifi protected access three. You don't need to memorize that. Look for level two or higher. And encryption is when your data is scrambled so to speak so that if someone is eavesdropping on your data, and your passwords, and your credit card number, it is being scrambled. So it is much harder to hack. So you do want to set that.

So those are the good things we want to do with our router to make us feel buttoned up, tidy, locking that front door. There are other things that come along with all of this that we should think about. How long should my password be. I did mention it earlier, 15 characters or more. Best thing to do is to come up with a passphrase to save your brain. So the giraffe represents the long password with the long neck. And to come up with some passphrases we put on the giraffe mask so we can channel our inner giraffe, and come up with some fun and easy past phrases that make good passwords. These are ones that we just came up with as giraffes, half human, half giraffe today. "Why are you staring at me like that? Might I have a bite of your mimosa?" Because giraffes eat mimosa leaves. And what do you do with those nice long pass phrases or passwords? And all of those are over 15 characters, and yet they're relatively easy to deal with. The latest standards say you don't need to add in the hieroglyphics, the at this, and the punctuation mark, and the capital. Although some systems still require it, and that's fine. These are much easier. They save your brain, even just typing in is much easier.

So what do we do with them? We use a password manager. Otherwise, we are like this pickup truck with the long logs being weighed down by all these passwords. We can't possibly remember them all. Starting to use a password manager for the first time can be a difficult transition in that we're not used to it. The easiest thing to do is to have a friend or family member help you with your password manager, help you find a good one, and help you use it, and help you just get started with it.

And once you get started with it, you'll find it so much easier. Why? Because you just need to remember one 15 character password, and not 100 of them. Because you just use that one password to get into your password manager, pull out what you need, use it. Then the next time you need one, go in there, pull it out, and use it.

A lot of people are hesitant about this. I would say the number one reason people are hesitant is because it is a hassle to learn something new. I would say the second layer is after the hassle is people say, "Well, I'm afraid it will get hacked." But honestly, that's really more of someone saying it's a hassle. And therefore, I don't think it's worth it. So I'm going to come up with something. And why do I say that? Because cybersecurity experts say you are much more likely to get hacked using a short password, or a reused password, or a default password, or a popular password than you are using a password manager, that it's rare for password managers to get hacked. And if you're reusing passwords, you're probably already hacked, and you need to tidy that up and take care of it.

You can also ask your IT department at work to see if they have a password manager they recommend, or if they can help you with it. It is a hurdle to get over. I know. I had to train myself to do it. But now that I have it, I am so happy, and so relieved, and passwords are no longer a headache. We do need to go to there in our lives.

A reminder that the other smart devices in our house not just routers, they give attackers more doors to get into our house. This is a headline, North Port family left shaken after unexpected swatting incident. This was a family in Florida that had a Ring camera. And someone called police from that house and said, "I've just killed my wife. Just killed my wife." So of course, law enforcement has to show up at this house and find out what's going on. Well, it turned out a hacker, malicious hacker had hacked into the Ring camera and had made this up. The wife was alive and out doing errands.

But this kind of swatting incident is extremely dangerous because law enforcement could have shot and killed the man inside, the father of the family, thinking that he really had just killed his wife. While law enforcement was there on the scene at the house, the Ring camera started mocking them. It has a microphone and it can talk. And it started mocking them. So the malicious hacker was monitoring this whole thing, and watching, and laughing at the family and law enforcement as this was happening.

How does this happen? In many cases with this kind of thing, these smart devices, it's that we leave the default password on the one that comes on the device that's easy to search up. If you remember back to the case at the beginning that we talked about where the family was raided by police, they said they had left the default password on their router. And they believe that's how the attackers got in. By the way, that family ultimately, they got all their things back, but it took months of legal wrangles to figure it all out.

Another similar case with a Ring camera. These tend to get in the news a lot about the Ring cameras, but lots of smart devices are vulnerable. Man hacks Ring camera in eight year old girl's bedroom, taunts her. "I'm Santa Claus." He says, "I'm your best friend." And he told her to mess up her room and break her television. Luckily, the parents were home, and were there, and came running in. But once again, that was something where although there are vulnerabilities in smart devices which is why you want to keep your smart devices updated. But also a lot of times, it's people using easy passwords, or reusing passwords, or using default passwords on their smart devices. So you want to protect every smart device in your house. Here's a cute example of a pet feeder where you get to watch your pet and give them food during the day while you're gone. Every little device even like that, you need to protect it because the attackers can get in and not just do things like taunt you and nearly kill you by calling in a swatting incident. But also, because they can get into your system and access things like your router through your wifi and other systems.

Okay. Finally here. Finally, finally, multi-factor authentication. If your key opens the door to your front door, multi-factor authentication is the dead bolt on top, a separate key. It makes it harder for attackers to get in. They ultimately of course like with every single security defense, there is a way to get through. But it is in some cases very complicated. And it's more like something that will deter attackers. And they'll say, "Well, I'm not going to try to get into this account because they have multi-factor authentication." What is that? Well, your password is one factor to get into your account. With multi-factor authentication, they say, "Well, you need more factors than just your password." You might need for example, a login code to get to your account. Let's look at the different kinds of multi-factor authentication.

The phone code. You've probably already used that by now, really in the past couple years. Multi-factor authentication or MFA has become much more popular, much more prevalent because cybersecurity experts say it works. It keeps the bad guys out. If they steal the password to your account and you have multi-factor authentication, then they'll have a really hard time getting in.

Another way is through an app. These are five popular apps. I don't recommend any particular app, but there are many. And that will send you a little code that you can type in as well to get into your account. A token that you can carry around on your key chain that gives you a number to type in. Also a key. You can also carry this around on your key chain. And unless you insert that into your device, you don't get into the account.

Another way that is fun and interesting to think about is your habits count as MFA. A lot of financial institutions are using this. The way that you type is different. Everyone has a different way of typing. The way you hold your phone. How quickly do you press that S key? How quickly do you go from S, to T, to R? Is one hand stronger than the other? All those things are micro calculations that can be used to determine is it really you? Also, what time you log in and from where do you normally log into your bank account from your home on Sunday nights? Why are you suddenly logging in from Antarctica at 3:00 AM on a Tuesday? And why do your hands seem more like wings tapping on the keyboard? It's likely a penguin, not you.

This is something a lot of organizations use without actually telling you about it. And if something trips up like say you have a broken collarbone and you have trouble typing, you may be asked to do some more authentication to actually get in.

A key with MFA, what we're seeing is that attacker are trying to get into your accounts and set it before you do. So if they set it before you do, you will have a hard time getting into your account. A great example of this is after I did a presentation like this, someone contacted me and said this happened to their son in their gaming account. So their gaming account was stolen. The password was stolen and taken over, and he had valuable things in there because you can buy things in games. And when he tried to get his account back, the game company said, "Well, I'm sorry. We use multi-factor authentication and the code isn't going to you. So we can't get you back to your account." The attacker had already set the MFA.

So a good idea to get it set. How do you get started? You can look for terms like settings, account, security, safety. This is me doing multi-factor authentication for Twitter a while back. They call it two-factor authentication, and we want to highlight this because different platforms call it all different kinds of things. Two factor authentication, two step verification, log-in verification, log-in approvals. The easiest way to do it is to go to that search function on the internet and say, "How do I set multi-factor authentication or MFA for my blank account?" My Twitter account, my bank account. And if you have any questions, you can also contact the company itself through email. For example, your bank. Or do the chat function on a website to be able to access that information.

You do want to do it on every account. This is my laptop with a club on it. But definitely start with your work account and your financial accounts, because those are the most important ones. You don't have to do it all at once, because it is kind of a big job. But start with work and financial, make some progress, and then a little bit at a time, do it on your other accounts. It is like the club on a car. Attackers can get through the club, but if they see the club on your car, they're less likely to steal your car. They're more likely to steal someone else's car because it's more of a hassle.

All right. Wrapping this all up, where to go for info. You have lots of questions now and you say, "Well, how do I pick the best authenticator app?" Or, "How do I pick the best router or password manager?" Well, we are here to help. First of all, we're enjoying this meme. When you call IT, they say, "Have you tried turning it on and off again?" Which actually does often work. But in this case, he's a rodent. So for him, he says, "Have you tried chewing on the cable?"

We don't want you to go to the rodent for your advice, because he's going to give you advice that is a little off target that promotes his needs, not yours. But one place you can go to check and see if your email accounts have already been breached I should say, if they've been released in a data breach, which means you should change the password. You can go to a site called Have I Been Pwned. And there you see it. Haveibeenpwned.com. There is no vowel in there. It's P-W-N-E-D on the website. And pwned stands for have I been owned by the attackers? It's sort of hacker slang Have I Been Pwned. And this website, this has been amassed together by a fellow who works in cybersecurity, Troy Hunt. And he has amassed databases from breaches that are being sold on the dark web so that you can go there and type in your email address, and see what specific breaches it has actually been in. And then you know, "Okay, I need to change the password for that one, make it a nice long password, a new one, a fresh new one, and put it in my password manager."

Where to go for information about products? Do not just go to the internet and do a search like, "What is the best password manager?" Because shady companies and attackers will seed the search results with things that you really don't want to use. So, cybersecurity experts recommend you go to well-known publications. PCMag is one that experts rely on. Tom's Guide is one that experts rely on. Consumer Reports. The thing with PCMag and Tom's Guide is because experts rely on them, they have more terminology in them that you may or may not understand. That's fine. If I don't understand it, I just read through the article, and I look for what I do understand.

PCMag and Tom's Guide, often Consumer Reports as well, they provide ratings. So they will evaluate these certain products. Password managers, and routers, and things like that. And they'll give you a star rating, and they will also tell you their criteria for why. And even if you don't understand everything, you can just go to these articles, and read, and take a look, and get a sense, and find something that works for you. And this is a great way to get information without putting yourself at risk by just doing a search on these things.

All right. We are doing this. We've got this. We are going to protect ourselves. First thing's first, get to know your router. It's no longer that box that sits in the corner and hopefully it lets you go online or it doesn't. And then you get frustrated, and you turn it off and on again, and hope that it works. Now, it is your friend. It is your car that drives you on the internet. We will change the default password on it. Go in and check. Does it still have the default password? And then change it to something long and strong. Put it in your password manager. If you don't have one yet, write it down on a piece of paper, in a book, and hide the book. Do not put it on a sticky note anywhere. That is a disaster. But experts say if you haven't yet gotten your password manager ready, and the sooner you do the better, then for now, write it in a book and hide the book.

That's a tough one. Do you bring your book with you when you go shopping so you can get in on your apps? You probably don't do that. And then you might lose your book. And then you're in really big trouble. If it's stored electronically, you can access it if something happens to your laptop or your phone. But a little book is potentially problematic.

You want to update your router, make sure that it's got the latest security updates. Set it automatically if you can. How often do you check? Experts say it's a good idea to check them when you check the batteries for your smoke detector, which we all do that, right? Not always. So every six months is what experts say if you're not checking it regularly. At least every six months.

You want to use MFA on every account. If this dog can do it, so can we. Get there. Start with just the super important ones to get yourself used to the whole process. Use strong passwords on every device in your house. The pet feeder, the Ring camera, the security camera, the security doorbell. Whatever device you have, put a nice strong password on it. Otherwise, you could have people getting in and messing with you.

Use a password manager. We've talked about this. Yeah, it's that time. I like to tell this story of when I was working early, early on in my TV news career at a TV station and Yakima, Washington. At that time, a relatively small town. Photographer came to work set his pickup truck had been stolen out of his driveway. I said, "Oh no, that's terrible. How did they do it? How'd they get your keys? Or what did they do?" And he said, "Well, in my town, we leave the keys in the ignition in the driveway." And you may laugh and say, "Well, who does that?"

Well, that's where we are now with the internet. If we're not doing secure things like using a password manager, we are leaving the keys in the ignition of our car that will be driven away. Someone will jump in and drive it away. However, we won't know that. Unlike a car in your driveway, we won't know that. And it can be used against us much later on. So we need to transform to a society that uses password managers that doesn't leave the keys in the ignition.

Going through, the things that we said we were going learn. Number one, the easiest way to keep attackers out of your home, protect your router. That's your front door. You protect it, and it is really your best bet. How to make sense of your home router? Go to the dashboard, stare at it. Look for updates and look for setting encryption, and just do a search if you have any questions about how to do these important things that we talked about.

How to turn passwords from foes to friends? Use passphrases, instead of trying to come up with something long that's a bunch of crazy letters and numbers, and then cursing because you can't remember it or because you got a letter wrong. And use that password manager.

And the number one trick for keeping enemies out of your accounts, multi-factor authentication. I just read about a new round of attacks that was happening on email for U.S. government accounts and for the U.S. Military. Email attacks. And what the U.S. government said was the number one way to keep these guys out is multi-factor authentication. Because if they can trick you into giving up your password, for example they may put up a screen, a fake screen that says, "We're having trouble logging you in. Enter your username and password." If you have multi-factor authentication, they're stuck. And they can't go beyond unless they start to do some really big somersaults and go through some big hoops to make it happen. Look how smart we are now. We're like the dog. We're super smart.

One last thing, Live Security. That is a bonus code that I understand brings you something of value. So we wanted to make sure to get that in there so that you can remember the bonus code and enjoy the benefits that come from that. Live Security.

That is our presentation for today. Hope you enjoyed it. If you have questions, go ahead and ask us. And we are here to help out. You definitely have a resource in your work IT department. And it depends on the company, but many work IT departments are there to help you as well. Especially if you're working from home, because home security is work security. And if not, then remember that Google is your friend. The search engine is your friend in the sense that you can get so many things answered now that you know what to do and what to search up.

And that's me. So glad to talk to you. Feel free to connect with me on these various places. I just launched a new news organization called Ampere News that has cool videos and articles that will help you stay safer as well. We'll see you there.

Jennifer Kinney: Thank you so much, Kerry. And I would encourage everybody to connect with you on LinkedIn if you're on LinkedIn. Because I love the videos and the real-time news stories that you share. It's just such a valuable resource for me. So you guys, please do connect with Kerry. Kerry, this was so helpful and interesting. I love your memes. We appreciate you sharing your expertise with us in such an actionable and understandable way. It's very helpful and valuable. And thanks again everyone for joining us. Please do take the information and share it with your colleagues, friends, and family as much as possible. Like Kerry said, we'd encourage you to share any questions with your Security Awareness program owners. We talk to them regularly at Living Security, and we're always happy to help them out. So have a great day and stay safe out there.

Kerry Tomlinson: Thank you so much. Bye.

Jennifer Kinney: Bye.


Whether you’re already getting a jump on your CSAM 2022 planning, or you want year-round security awareness programming, Living Security can help. Request a demo today to see how our platform can build a culture of cybersecurity for your organization and prevent cybersecurity breaches!

# # # # # # # # # # # #