The Audit - Presented by IT Audit Labs

Email and Mobile Security Tips with Dean Morstad

IT Audit Labs Season 1 Episode 33

Send us a text

Is your digital footprint secure? In our latest episode we unravel the complexities of email and mobile security. Join Dean Morstad, a seasoned cybersecurity expert, as he shares invaluable insights and practical tips to enhance your digital safety. 

The conversation includes: 

- Why and how are most of us viewed as a “product”?  
- Practical email security tips and best practices 
- How to avoid phishing scams and other social engineering strategies 
- Mobile device and location tracking insights 
- Organizational security policy tips  
- Why use a password manager 

Speaker 1:

Dean, welcome to the audit. Thanks for coming on. I've heard you talk about privacy a couple of times in the past with some of the teams that we've that we work with and thought this would be a great topic to dive more into for the listeners. So appreciate you coming on for that. Thank you, Eric.

Speaker 2:

I appreciate that Right.

Speaker 1:

Yeah, and we Dean and I and Nick we all know each other from previous engagements and current engagements. And during the pandemic, if we can call it that, I was really impressed with Dean. He did what a lot of us, I think, wanted to do, and that was take full advantage of being able to see the great country, travel around, work remote, and I often said to myself why am I in my basement when I could be anywhere in the country? And, and Dean, you did just that. So congratulations to you for doing that. Thank you, yeah.

Speaker 2:

It was a great experience, looking forward to the next big trip.

Speaker 1:

Whereabouts are you these?

Speaker 2:

days Out in Utah, up in the mountains, just enjoying the snow and the skiing oh that's awesome.

Speaker 1:

I had the opportunity to fly over Zion with a trip I did over the summer and I had never been out there before. But really gorgeous, At least it was from the air. I hope one day to be able to see it from the ground too. Yeah.

Speaker 2:

Very beautiful out there. Yeah, a lot of great hiking and outdoor activities. Great place to go.

Speaker 1:

As we think about that, both in our business lives and our personal lives, what are some of your thoughts Dean on on how to start to separate how we view ourselves individually and then how we're seen through the online algorithms that attempt to monetize us and sell us to different advertising venues to essentially make money from what we view, where we go online and how we interact with each other.

Speaker 2:

Yeah, Uh, great question. Let's start with uh, you know why? Why privacy, right? And? Um, why do I need to be concerned about it?

Speaker 2:

A lot of us today love the fact that our lives are interconnected and our devices are interconnected. We're connected to our social networks, into our professional networks. We love to tell everybody what we're doing. You know, it's great to be able to share those experiences and thoughts and to be able to communicate and collaborate, but we have to remember that there's folks out there that can use our data against us. Right, both personally and professionally. People use that information against us for phishing, attacks or social engineering.

Speaker 2:

Uh, we hear about all the time the Nigeria scam. You know you won the Nigerian lottery. Or a prince of Nigeria wants to give you an inheritance. They wouldn't do it if it didn't work, right, I mean, we joke about it Like I'd never fall for that, but they do it because it works. People do fall for these scams.

Speaker 2:

Part of that is protecting yourself from being scammed. The more somebody that knows about you as an individual, the more information they can use to attack you and take advantage of you. Right, they know the names of your children or your grandchildren. They can say, oh, bobby got in an accident and you really need some help. Oh, they know my grandson's uh, you know first name. They must know him. They must have some personal connection. This must be valid. I really need to help out, right, and so, you know, just a little bit of information can go a long way to help somebody you know who might not have your best interests or might want to take advantage of you.

Speaker 2:

Well, businesses face the same problem, right? Uh, we're, we're all in cybersecurity and we're all talking about how can we help our clients and help them protect themselves, protect their data, protect their clients data, protect their revenue streams, right, and uh, then corporate secrets, right? So what we're trying to do is the same thing. There are actors out there, threat actors, that don't have the best interests of the organization in mind. They want to come after you, they want your information and they can use that information to hurt your organization. Very simply, social engineering, uh, fishing attacks, spear fishing these are all common topics that we know about and a lot of it is just based off some very simple information that you can get online, and you need to do a little bit of data mining. You find that information and you can use that to infiltrate an organization and cause damage. So it's really important that we understand how to keep our information private.

Speaker 1:

So how do we? We do that along those lines. What are some of the things that that you're cognizant of and you take steps to do to keep your information private?

Speaker 2:

There's two ways to do this. We have to really consider what is it that we're trying to protect, right? So if, as an individual, I'm trying to protect my personal information, and there's ways I can go about doing that One of the most simple is, uh using multiple email addresses. Right, so you could have um any you know an email account that you use for all of your business transactions. I use this with my bank, I use this with my utility companies, I use this with my phone company. I'll have a second, that email address that I use for professional purposes. Then I use that for communicating uh with coworkers or engaging in professional communities, and I know that that email address is only ever used for professional capacity. Um, then you know we all like going out and we all have our own personal interests and hobbies and we go out uh gamer. Or if you are a crafter, you're going to have different interests and you'll want to engage on different uh websites in different ways.

Speaker 2:

And if you have a specific email address that you can use for those activities, most often what we see as individuals use a single email address, and when you do that, you don't you don't have a way of sorting the emails that are coming in, or identifying where that email address came from. A lot of times, we sign up for a website and they'll they'll share our, our email address, so they'll sell it to their partners, and then, all of a sudden, you end up a mailing list. You start getting a bunch of junk email. You don't know where it came from. How did I get all these lists?

Speaker 2:

Well, if you're using individual emails for different topics within your life, then you could say well, I know that this, this is coming into my professional box, which means that one of my uh, one of my professional uh websites gave away this email address, and so you know you can, you can identify well this. This was disseminated within my professional environment and, and so you know, maybe I could give it that level of weight. Not that it makes it safe If you don't know the sender. So there's ways that we need to understand how we protect ourselves both, both personally and professionally. Um, and so you know, being aware, where do you use your email address? Don't use your work email for personal purposes Right, there's a good one, right there. Don't use your personal email for work purposes unless you have a special one that's used for for professional reasons. So I know, nick, you've worked really closely with social engineering in the past and just knowing how to use this information once you get ahold of it.

Speaker 3:

Yeah, dean and me, you served up a bunch here. You know the social engineering. The social engineering role is huge, right? And then kind of what you're what you're talking about here is open source intelligence, everything you're talking about. You know, it's a quick Google search and you can find everything you're talking about and that leads to a phishing attack like you were talking about.

Speaker 3:

If somebody is being lax a day's ago, you know, for lack of a better term with their security, we find we can poke a lot of holes in into somebody's private and personal life. You know, here we're maybe more talking about, you know, a larger organization, and really it might be easier at a larger organization because people probably aren't as guarded, because they might not have as much stake, right? So a quick phone call into an organization and going on their LinkedIn and knowing a handful of names and individuals, their coworkers oh, I'm working with such and such person on this and that leads to a password in. I've been involved in many of those kinds of attacks where I have personally called in and and talked to an individual and got a password just posing as an IT person, and this took me three minutes, probably a couple of minutes online and then a minute and a half phone call posing as IT and I had a script. So I'm diverting a little bit.

Speaker 3:

But to your point, if email is one thing, social engineering is linked because of phishing and we have so many different topics. We can go on. But to me social engineering is kind of the crown jewel because it's where everything starts and it's the easiest form of attack. So there's a lot there that you know that we can dive into just with social engineering. But you know some of the things that you were talking about with you know, for me it's kind of like a burner email and a burner phone number right, like I have a couple of Google phone numbers right that you might put in if you buy something online, or a separate email that you use just because you know you're going to get so much junk. I would assume you're doing the same thing.

Speaker 2:

When you start using your personal email, you're giving hackers a key to who you are, right. So we read about these breaches and all these websites that get hacked and you see these lists that are released and you see them. That list a bunch of work email addresses, people using their work email to sign up to these websites. Now you have that contact information. Now you know you can reach out to these individuals and say, oh, I have a contact at this company. Now I have their email address, I have their name and maybe there might be a couple more mixed in there, using that, tying in on LinkedIn, doing a couple of Google searches. Next thing you know you have a profile of the company, right? So you want to be able to protect that as much as possible and keep that information out of the wrong hands.

Speaker 1:

There's a really good site that's free and you can go to it's. Have I been pound? And that's a way for individuals to check their personal address and their business address to see if it has been involved in a breach. And those are the lists that the Dean's talking about, where it exposes all of the the user names that have been involved in a breach previously. It's compiled in these large lists and you're essentially looking up to see of the published breaches where your account has been used. And that's where you get into the personal and private of not using business email for your personal things, but also not reusing passwords across sites, because if your if your Starbucks account is the same one as your your Wall Street Journal account, they could just reuse that password and they'll try that against thousands of different sites. And if you're reusing passwords, it's an easy way for the malicious actors to get access to multiple accounts that you own.

Speaker 2:

Yeah, and I don't want to. I want to also just mention it's not only the potential for risk or infiltration right, where your password might get stolen and used against you. It's risk for reputation. Back in 2015, we saw a hack for an extramarital site that people knew about called Ashley Madison, where you could go and arrange extramarital activities, and somebody hacked the site and published the list of email addresses and there were a lot of work email addresses that were on there. You know people's professional email addresses and they were basically, when that list was published, it was advertising.

Speaker 2:

Here are individuals within these companies who've been seeking this type of you know, activities outside of marriage and that can have an effect on the organization as a whole. Right, and you know, on your own personal professional standings. There are times when we do need to use our email addresses when we sign up for websites. There are professional websites we use right, github, slack, and so there are other reasons why we would go out and use our professional email addresses, but we want to limit the use of that right. Use it when you need it, but when you don't need to do it. Don't mix work and play and as an organization, you know it's the duty of the leaders to help educate their user base as to why we don't use professional email addresses for personal purposes and why we don't use them. You know, use them sparingly as we can across the internet.

Speaker 3:

Yeah, dean, that's. I'm glad you brought that up, because that was what I was going to. Was I was looking to get into was what is the best route for an organization? Right, because we all, and you know we're engaged on many other projects similar to each other. But education and policy are one thing and we're very passionate about those because you know we can't really do one without the other. And as an IT professional, you know we talk one direction to the organization but we can't always talk down from a leadership level.

Speaker 3:

In your point of view, is that enough, right? We can write policies and tell you know we're blue in the face. We can talk about it and, you know, put the knowledge out there. I guess where I'm kind of going with this question is you know how good can we be? Because you know we try to keep ourselves as clean as we can. On social media, social media policies I'm really kind of spiderwebbing here to the greater thing. But you know what's the best way an organization can protect themselves? Is it just policies and procedures? Are they? Should be communication? You know what's your ideas there.

Speaker 2:

Well, policy procedures are always where you start, right. So, notifying the users that it's expected that they're only going to use the work emails for work purposes right. That your emails are property of the organization. That anything you do with that can be audited by the organization. They pay for those emails, those email services. They pay for the domain names right, that's part of their branding. It's been well established through legal precedent that the organizations own that email address and the data associated with it. So, setting forth a policy right that, hey, we own this, that we have the right to audit and you need to help us protect it right From policy, you can drive them down into enforcement and audit right, so you can.

Speaker 2:

There are ways that you can audit. You can audit, you know, incoming email at domains to say, hey, who's emailing our individuals? You know, do we see a lot of emails coming in? Are people using their work email for their Netflix account or for their Hulu account? Right, are they using this for social media? You can, you can do an easy audit of your incoming emails. There's also products out there and vendors that give you more control. You know, we've all had experience with those tools where we can really tighten and block out unwanted emails and we can prevent that from a technology perspective. So we can implement technology to enforce policy and really I think it's up to the organization and it's a lot of that goes into really your risk analysis and weighing the risks and benefits, right? So what is the risk of somebody using an email address inappropriately? What's the cost going to be to our organization from a breach or from a loss of reputation, right?

Speaker 1:

I was working with a customer and we had some tools where we're going in to identify what maybe black lists or what lists people's email accounts were on. People's work email accounts were on and it came across a user who was clearly using their work email for personal business and reached out to the individual to talk about it, and the reason they told me that they were using it for personal business was that the work spam filters were really good and it stopped a lot of spam from coming in that their personal email didn't, so it was just easier for them to use their business account for personal stuff.

Speaker 3:

Kudos for him for thinking about that. I mean, at least he's thinking about it. That's interesting.

Speaker 1:

Nick, didn't you get a real letter? Was it a while ago? Was it your mom that got it? Somebody got a real letter, I got one, you got one. Maybe we talk about that, because that was an interesting one. Where across to the physical boundary.

Speaker 3:

I got to jog my memory. Yeah, it was about if I didn't make this payment for a credit card, that it was going to go into default, you know, or whatever. And this is obviously not true. But I can't remember who it was from. I think it said American Express or something, but then it was down below. It says call this number to set up a payment plan or whatever. And I haven't seen it call the number. But yeah, it was super random too, because now I'm thinking about it. I also got that random bottle of protein from Amazon and remember I texted you. I said did you, as a joke, randomly send me this whey protein? But it's just random, but it was my address, so it's super weird. That's pretty good, dean. When it comes to phishing emails, I just got to ask have you, have you seen any good ones? Is there anything that stands out?

Speaker 2:

Yeah, so they're good questions. So there are pay for services like proton mail. Proton mail is pretty good. Also, free emails there's good. You, I mix it up right, so you have hotmailcom. You can get a free email address and you can use it and you can throw them away when you don't need them anymore. Yahoo, you can still use those. Aol I've seen they're AOL, still alive and well. You can AOL if you want pay for that. Everybody knows Gmail. Keep in mind, if you're not paying for a product, you are the product, right?

Speaker 2:

These companies don't go out and stand up whole data centers and set up free email servers just because they like you. They're farming information off of you, who you're talking to. They're pulling keyword metadata out of your emails and looking at types of things that you're. You know that. Did you subscribe? Do you like subscribing to certain websites or certain mailing lists? Right? They're scraping that off of that. And if you read the fine print from these sites that they say they own your data, you sign up and you get the free email, but they own the data, right? I mean, you go to these websites where you upload pictures. Facebook says upload all the pictures you want your family, but understand, we own the pictures from the time you upload it, right?

Speaker 3:

Because it's a Friday night. So does that mean tonight you'll be up late reading fine prints for all these apps that you use and that's your light reading.

Speaker 1:

No, I laugh at those things, because how many times have you guys been out to dinner with friends or family? The meal comes and somebody whips out their phone, you know, like they're a food critic and has taken pictures of the meal, and they're uploading it to Facebook like anybody gives a shit about what you're having for your meal. Right, it's absolutely ridiculous. And if you think about all the metadata, you've got the GPS location of where you are, you've got the meal, the restaurant, the time of day and you could start to look at other people in the vicinity who may also be posting to social media and you could start to build those relationships. But it's just like. It's asinine the amount of stupid stuff people do. That's just giving away data for no reason, like nobody cares that you're at McDonald's at 10 o'clock at night.

Speaker 3:

I've got something to say here. I love what you're saying. I can be one of those people because I'm a photographer. But here's the difference. Here's the difference. I don't take the picture on my iPhone, I take it on a digital camera and I have geolotate geotaking off and when I'm in Lightroom I take out doing any editing, I take out all that information. So if somebody gets it, they're not going to get anything. But it's funny you say that, because when people and here's a good point to what you're bringing up, eric, and something that we do for organizations if we do a physical security assessment, if a professional is doing that with their iPhone, you have a problem or a smart device they should be used. I don't have one on my desk right now. They should be using a digital camera with the geotaking right off if it's connected to a phone.

Speaker 2:

So that's a funny point that you're bringing up.

Speaker 3:

I'm actually glad you brought that up because we do see that and you should be using a digital camera, right? That's not an iPhone that's taking all that information. Funny topic to bring up.

Speaker 2:

Yeah, or download the pictures to your computer afterwards, scrub out all of the metadata. You can get apps that'll do that for you. Scrub out all the data and then you can share them and post them. But don't do it. Don't do it. Don't post straight to your app right after you take the picture. Don't go straight to Instagram, straight to Snapchat. You know, use a little restraint. You can wait. I do want to mention you asked do I'm going to spend my Friday night reading the fine print on the websites?

Speaker 2:

I have to say no, but I have to tell you, every time I look at a website, I will skim through their privacy notice. Most of them all say we own the data. And as soon as you see that and you say they own the data, great, anything I do in this website they are welcome to monetize is basically what they're saying. Right, they can monetize anything I do or say on this website. But, more importantly, I read contracts, so I'll go and I'll get it. I signed a. I got a mortgage from the bank and I went in and they handed me, like you know, 60 pages that I had to sign in. You know you sit down and they say, oh, sign here, sign here. And I looked at the first page and I started reading and the lady looked at me and she's like, oh, we'll be out of here in 20 minutes. And I started reading the contract. She's like, oh, no, that's gonna be more like you know, we're dealing with.

Speaker 2:

She said, well, this is just a standard contract, standard mortgage contract language. And I'm like, yeah, but I have to read it Right. And I read, I read those contracts, I read contract language. You know, I was at a bank and something I was getting a car loan and they said, oh well, here it is, it's a three page contract assigned for the car loan. And I started reading it and that the person, the loan administrator, was like, yes, just a standard contract, it's okay. Yet you know, most people just sign it. They were getting very impatient because I was reading the contract before I signed it.

Speaker 3:

And then to me, though, that he said that I'm more skittish now. If that he had to bring that up, that he's like worried that I'm reading it. If you wouldn't make anything, maybe you would just speed up and be like okay, nothing, nothing crazy here.

Speaker 1:

Right, you bring up the car loan and that's interesting as well, right, because most people by default leave their credit unlocked so anybody at any time can can run their credit or open credit in their name. And I always I have mine locked. And then you have to make a call or go through the website request form to unlock that credit for a very short duration of time. And going through that that car loan process, they just assume that you'll give them your social security number because they want to run a credit check and see if you're, if you can afford the car that you want to buy. And I know security minded people who aren't security minded are probably just you know. Here you go and go ahead and run it, which not only. How are they treating your, your social security information, right? Sometimes they're just writing it on a piece of paper. What are they doing with that afterwards? And and then, more importantly, you're going to take a credit hit on that if your social security number is run multiple times and that's going to impact your score negatively.

Speaker 3:

It's interesting to Eric. I just had a situation kind of like that. My daughter started daycare a couple weeks ago and the daycare facility wanted our social security number on a piece of paper, you know filling out the application, and you know we just put a line through it and I we, you know, we gave the information, but in person and you know they typed it in in front of us versus writing it on a piece of paper, because for me, the first thing that comes up is what are they doing with this piece of paper when they're done?

Speaker 3:

I don't know if they're going to put it through a shredder or a burn box or what, or what they're going to do with it. So my name, my wife's social security numbers are not going on a piece of paper to go to a child care center where we have zero control.

Speaker 2:

Along that lines, and this is kind of deviating a little bit from where we're at. But lots of companies will just give you a form and they'll ask for tons of different information that's not relevant to the transaction, in hopes that you'll fill it out and you'll say oh yeah, you want my email address and though, you want my, you want my, you know who to contact my emergency contact. Oh yeah, you know. Well, that sounds perfectly legit. You know if I'm, you know, signing up for something, right, and so they ask you for this information. People just write it down. You'd be surprised how many times you can leave most of that blank and you just put your first name, your last name and your phone number and they'll accept the form and they don't need any of the other information.

Speaker 1:

Or you can put down you know fun things like you put down Josh's name or Kent's name or even Nick's name and see how it works out.

Speaker 3:

Yeah.

Speaker 2:

Now, one thing I do want to mention about email addresses, too, is, if you're going to start using throwaway email addresses, don't pick anything for an email name that would lead them back to you. Don't use parts of your name. Don't use parts of your profession. Maybe use something that has to do with, like, the interest that you're doing right, and then always store all those you know you're like oh, so many emails, so many passwords. Get a password manager right. They're free, you can download it, install a password manager and you have to worry about managing the email, the passwords for all these websites that you're on right, you just it's all taken care of. You have to look it up once if you have to go check an email for something, but for the most part you're never gonna go back and look at these email accounts, unless you get challenged for something. You have to renew something, right. You're never going. You rarely use these email sites.

Speaker 3:

You're gonna say something that you know, that's a bold point of mine to bring up is in probably a lot of people aren't using them and I think for me, the first thing I think about if you're not using a password manager you're much more easier.

Speaker 3:

You're probably gonna reuse a password many times over because you remember it. Right? If you use a password manager a lot of times, you get the option on Apple does it too to create a strong password for you. Well, you know, let's see this is low hanging fruit, but we would always educate, you know, users to use a different password for every website. Right and to your point. That's what.

Speaker 3:

I the first thing I think about if you're not using a password manager, you might be reusing a password right, if you are, it's probably gonna create a password for you and you've got many passwords, so if something gets breached, it's kind of inevitable, probably gonna happen. But you're protected then Right, it'll help you remember all of those different Gmail accounts too, you know.

Speaker 1:

And while we're on the email topic, I don't particularly like Gmail just because they're filtering through those emails for keywords. They're looking at the pictures. You know they're using the content for their own profits, but I don't mind sending them a ton of spam. Let them filter through that. The nice thing about Gmail is, if you, it doesn't pick up on periods in the email, but you can filter on the periods so you could have you know if you were using you know a word, like doing something with aviation and you know you put in like Cessna.7749, you could change where that dot is and you could filter based on that. So you know that when you're signing up for something that's just gonna throw you a ton of spam, put that dot in a different place. Create an email rule that deletes everything from that you know, based on where that dot is.

Speaker 2:

Yeah, definitely yeah. And as an organization right to prevent password reuse across your organization you can provide password managers to your staff and train them on how to use them right. So, as your staff have to go out and use these websites, they have to use them for professional purposes. They're just gonna reuse their password over and over, and over and over again, and if one site gets hacked now, all of their access is out in the open. And so, as an organization, we can actually help promote security and safety within our organization and train people on better practices and behaviors for password management professionally. That will then hopefully lead to better habits in their personal lives, dean do you have a smartphone?

Speaker 3:

Do I have a smartphone?

Speaker 2:

I have a smartphone, I do it is.

Speaker 3:

I would not be surprised if you said I just have a regular old smartphone like an old Ray's.

Speaker 2:

I think it's the lowest level smartphone I can get and still work on the network.

Speaker 3:

Do you go in there and have like a default setup, Like, okay, I turn all these privacy locations off, or are you like digging through and like, let's say, you download an app you know and they wanna use your location? Are you just scrubbing all that right Use once and then turn it off, or what? How do you combat that?

Speaker 2:

I don't understand this download app thing. What do you? I don't get that. What's the sweetening download app?

Speaker 3:

This is why I served it up. Honestly, I was waiting for you to go there. I know Dean does download applications on his device.

Speaker 2:

I do not.

Speaker 3:

That was the pick up there. I do not.

Speaker 2:

I do not, no. So I went down to my local computer store and I bought this handy little tablet for $20, right.

Speaker 3:

Okay.

Speaker 2:

If I need to download an app, it goes on this $20 tablet, right, and I have a $20 tablet for work. I got a little nicer tablet for home and so if I need to, whatever the app is I'm gonna play a game with my coworkers and we need to download an app it goes on the tablet. It doesn't go on my phone. Exploding counties yeah, exploding.

Speaker 3:

Where can you Google?

Speaker 2:

Maps, I don't know. Then I look it up at home and I print it on paper, hard paper, and I take it with me, like the little days with MapQuest from 1999, when you had to use MapQuest and print it out on paper. I will do that.

Speaker 3:

You need a co-pilot now Take a screenshot.

Speaker 2:

If you take a screenshot, you can email it to yourself, you can upload it to your phone, right?

Speaker 2:

You can go to a website and you can get the directions. Screenshot them and then use that screenshot while you drive Mobile device. We could do 20 podcasts together about why not why mobile devices are terrible when it comes to security. Really, we just need to know from the top, both professionally and personally. A mobile device is absolutely not secure in any way, shape or form. It tracks your data and location in multiple ways. The phone company is tracking everywhere that you go. Every tower you connect to You're running 5G. Every time you connect to a tower they're giving you an IP address. Your phone, constantly, is getting an IP address that's traceable and rotatable on the internet You're getting. We can track. The phone company can track you from your tower locations and now you have an IP address.

Speaker 2:

And then, on top of it, hey, guess what guys? I have a GPS chip in here and I'm gonna turn that on and I'm gonna start recording all my GPS locations. Now I have three different ways. And on top of it, google found a great way with their Google cars that drive around, they record open networks and they record all the networks that they find us with their Google cars and they have a database of all the networks that they found. And so you go and you connect to a network and that SID and you store that on your mobile device. You're now saying here's the network I connect to, right, and Google can trace that back. So if you're sharing your network location and your network configuration with any app, that app now can double, can check that against the Google database to find out where that network location resides, right? So now there's four different trackers in your phone, in your mobile device. And now I say, hey, guess what? Hey, there's this fast food rate. And you know what? They'll give me a free sandwich if I download their app. Hey, a free sandwich, that's fantastic.

Speaker 2:

So I download their app from the app store, I install it, I get my free sandwich and then whoever goes back and kills the app. The app's sitting there and it's running on my phone. I leave, I go off. Now I go to this store and that store and I go to my place of worship and you know, that app is running the whole time.

Speaker 2:

It knows where I'm at and it's calling home, even if I say don't share my location. It just has to do it call home once and it will get my source IP and then that source IP is being, it's being recorded by other apps in a big database and so this big database knows hey, dean was assigned this IP address on this day. They can cross reference it and go. Well, hey, you know what? This fast food app just track Dean going to this store, this store and this store using that IP address. Now we tie it all together, right? So all your apps are all catching this information. It just takes one TCP IP call from your app back home and now that vendor that created that app has your IP address and they can sell it, and they sell it for a lot of money. They make good money off of you, dean.

Speaker 3:

I love the passion. The passion is there and I love it.

Speaker 1:

Why does all of that matter? So, what that Pizza Hut now knows wherever I'm going and they're sending data around and they're following me around, right, there's cameras all over the place that are probably doing that. Anyway, from rain cameras to traffic cameras or what have you. At the end of the day, why does that matter?

Speaker 2:

Well, ultimately, I mean, it's what level of privacy that you are comfortable with. Some people love that. They love everybody to know. They post on Instagram every 30 minutes because they want you to know. Hey, I was at this store. Hey, I'm at this beach. Hey, you know I'm at this restaurant. They want you to know that, right, and they have no problem sharing that right.

Speaker 2:

And we just talked about hey, if you're gonna take a picture, scrub the location data, right. Well, why bother scrubbing the location data out of it if your intent is to tell people I was at this restaurant on this day, right? And so some people want that information out there. They want people to know where they've been and what they've done. And there's others who don't, right, and where maybe you take your children for daycare. I don't want people to know and I'm not gonna publish it. I'm not gonna put pictures of my kid on the internet, right?

Speaker 2:

So there's certain things that we do to take steps to protect that type of information, right. And so, as an individual, you might say, hey, I don't really care, I know. So they're gonna use this information to sell me ads. It's not the people that we know who are doing bad things with their data. It's the people that we don't know, right. And so that information, once it's out there, can be used in different ways by people that we don't want to have that information right. And if they ever are able to tie that information back to our physical address or physical home location, they can start contacting us through snail mail and they can start.

Speaker 2:

You'll start to get stuff in the mail. You'll start to get mailers for credit cards for these stores that you're visiting and they're coming to your house and you'll say how do they know where I live? Why am I now getting this stuff in my mailbox, right? Well, hey, you didn't care, I don't care if they know, I don't care if McDonald's knows that I live at one, two, three, four main street, and then McDonald's sells that to somebody you know. So you start getting a discover card, you know applications at one, two, three, four main street, right? So you say you know.

Speaker 2:

And that's actually another problem, which is one way that people could steal your information, is by going to your home address and getting those mailers out.

Speaker 2:

Let's not even talk about physical home security, but I mean getting those credit card applications and stealing it from mailboxes is one way that people have gone about stealing identities and getting information right, and so you know it's good at a certain point to make sure that you're limiting the amount of data that goes out, because you never know where it's gonna go right, and information once it's out never comes back right. And if any of these websites have figured out how to tie your information together and they get hacked, now that information gets correlated together and sold on the dark web and not only are they able to correlate, oh now, hey, guess what? Now I know Eric Brown's email address and his location data. Oh, and I can now tie that to this other location here and they tie it together. And now they're selling your home address online and you never gave it out, but somebody correlated that from the information that they were able to extract from different sites.

Speaker 1:

Once the genie is out of the bottle, you can't put it back. So I like what you said there about once the data is out, you can't get it back if you decide to change that later. Which is one of the reasons when we talk to high school age kids these days and college age kids, just about being so careful about the pictures that you post. Now you're out on a Friday night holding a jug of whatever it is that they call it these days, or it's just different alcohols in that jug, and hey, that's a lot of fun. But is it gonna be fun 15 years from now when you're trying to get a job as a director of some department and somebody hits the archives and finds that picture you standing out on the corner with that jug? It's not, you can't put that back, so why put it out there to begin with, Right?

Speaker 2:

I've reminded of the gentleman who posted on. It was one of those IDs companies we won't name the name and the president of the company said we do such a good job of protecting your ID. Here's my social security number. And he put it up on a commercial and what they don't tell you is is his identity had been stolen like four or five times since that commercial was found public, right Like it was basically Life lock. Life lock.

Speaker 3:

He was yeah, I wasn't gonna say the name.

Speaker 2:

He was basically fronting the criminals. You can't steal my identity, and they did right. Once the genie's out of the bottle, it's out right, and so you know, no matter, you can always go back, and I always hear the argument well, I can go and I can put a lock on my social security account or I can, like, do screening and things like that, and you could right, and you could lock up your credit. But it's a lot easier if you don't put it out there in the first place, and so it's not something that you have to protect because it's non-existent right. It doesn't exist, it's never been out there. There's so much to unpack.

Speaker 2:

There is so much, there's so much. So the easiest thing about the mobile devices, you know, just like the web browser, it says do not track me. You know, don't use trackers. And you know, on your phone it says do not track, do not allow GPS, and you feel safe. Oh, this app's not gonna track me.

Speaker 2:

No, there's still multiple ways to track you. There's your IP address that's calling back. That can be married up with other information. Now how do we translate that from personal security to corporate security? Right, well, corporate.

Speaker 2:

We have corporate devices, right, so there's, and you have people who bring personal devices to work, right, so now, now you have this person who has this device that can track everything that they're doing and it's recording that this person's in your office eight hours a day, right, and so now there's a correlation that this person works for your company, right, so you're bringing that information into your organization. Then they connect to your Wi-Fi and they're going out and they're surfing the web and they're doing all these different things using their personal information and they're correlating that now they're surfing habits to your corporate IP address, right, and so now all that information's being tied together. Get the software, the mobile device management software and box in what they can and can't install on that. Don't let them get a mobile device for work and install Angry Birds right. So there are ways that you can as an organization very simple ways that we can start to protect our data.

Speaker 1:

I know we're getting we've covered a lot and we probably have to have a few more of these conversations, because we could go so deep on a lot of these topics and just giving information to people to help them right Protect their data. So, Dean, maybe we should have another one of these here soon and go deep on maybe one particular vertical. I think that might be a lot of fun.

Speaker 2:

Oh, yeah, yeah, how's tomorrow work? Oh, it's tomorrow Saturday. Yeah, definitely, yeah. As you can tell, I have a passion about this.

Speaker 3:

I just wanted to leave the guests here with a couple tips, and, dean, if you could give a tip to any of the listeners. Just low-hanging fruit. A couple things that you could do today to better protect yourself. What would be like one or two of those tips that?

Speaker 2:

you could give. Sign up for a second email address. Go find a free email site Yahoo, gmail, whatever and start to offload your emails, right? Either, let you know, start to move away all of your non-personal activities onto this throwaway email account, right? If you're at work, stop using your work email for personal sites. Use that throwaway email instead. If you're looking for a better filter because of the spam, use the throwaway. Who cares if you get spams into that email? It's not your main email anymore. Right? It's. Save your primary email for just conversations with family and friends or for whatever your professional activities are. That's the easiest thing. Right, there, as an individual, as an organization, do a little investigation, see where those email addresses have been exposed. Go out to the have I been pound and look for your corporate domain and check to see who are the people in my organization that are using their personal email addresses out on these websites. So both personally, I can stop bad habits and professionally, as business owners, we can help people and we can identify who those people are that need that help, right?

Speaker 2:

Mobile devices we chatted about that. Just briefly. Don't install apps. I know it's easy to say it's hard to do, right, because there's a cost to that right. A lot of these apps bring conveniences to our life. They give us access to things that we haven't ever been able to do before.

Speaker 2:

If you can put your apps on a tablet, buy a tablet and as many apps as you can offload onto that tablet. Get a good tablet that has GPS on it. Separate separate those activities. Move your non-essential activities off. You don't wanna be running your birds on the same app that you're using for your banking account, right? Separate those activities. I know now I have two devices to carry around. Well, really do you need to carry around? You have to have that tablet with you to play Angry Birds wherever you're going. No, most of the time we go to work and we come home, you can leave the tablet at home. Play with it when you get home, right? So there's some really simple, basic things that you could do as an individual to start making yourself a little bit more secure. Love it, dean. Thanks so much.