Don't Get Hacked: Expert Tips For Online Security - Interview With Val Vesa



Maciej: Hello everyone. My name is Maciej Nowak and welcome to the Osom To Know podcast, where we discuss all things WordPress. My guest today is Val Vesa. Val is a social media strategist, Community Manager at Cloudflare and, privately, a security and photography freak. Today’s episode will be all about security, because security is something that is somebody else’s problem until it’s your own problem. And the stakes are high, from wiping your personal account to losing your customers’ emails. We talk with Val about your personal cyber security measures, because it is you who is the gateway to your bank account or company server. If you don’t want to miss new episodes and keep learning more about WordPress, subscribe to the Osom to Know newsletter at www.osomstudio.com/newsletter. This is: O-S-O-Mstudio.com/newsletter. If you watch this on YouTube, give us a thumbs up and subscribe to the channel – this means the world to us. Without further ado, please enjoy my conversation with Val Vesa.

Intro: Hey everyone, it’s good to have you here. We’re glad you decided to tune in for this episode of the Osom To Know podcast. 

Maciej: Hi, Val, how are you doing? Good morning. 

Val: Nice to see you. Thanks for having me.

Maciej: I wanted to start this conversation with a little bit of a background maybe, so our listeners can know you better. So if you can give us like one minute intro of who you are and what you do? 

Val: Yeah, I think I can be under one minute. My name is Val Vesa, or Valentin Vesa is the legal name. Everybody calls me Val, so you can call me Val. And for the past 20 something years, I have been doing social media at different levels. I remember starting back in the day when Facebook was not even available outside of the US universities and, you know, anxiously waiting for a Facebook profile in Europe, and then all the way up to now, working in social media and in the community department for Cloudflare. I would say that my specialties are community management and social media, and security inside the social media space. And also I’m a huge fan of photography. So that would be my favorite pastime, you know, practicing the hobby I love the most, photography.

Maciej: Great, great stuff. So I would like to talk about security, right? So this part that’s part of your, let’s say, professional life, because security is… you don’t think about security until it hits you very hard. So, you know, security…

Val: Yes, exactly. 

Maciej: …this is when you remember, you know, I should have changed that, you know, admin password or whatever. So can you talk me through basic security issues? You know, in the general public, everyone uses a PC, laptop, phones, so we are connected, you know, non-stop, all the time, to the network. And what should you think about when, you know, like, when the word security surfaces? So what’s the basic security you can think of? That’s a no-brainer. You have to do this all the time.

Val: So that’s a very simple, yet very complex question. I would say, and now speaking as a security professional, as a social media professional, and even as a parent, I would say the advice I would give is the same advice I give to my children. So we have a 19 year old and a 16 year old, so late teenage and young adult. And if anyone watching this is a parent, they will understand perfectly what I’m saying: please don’t set your password to, you know: ‘I love mom’, ‘I love dad’, you know, ‘1, 2, 3, 4, 5’ or ‘demodemo’ or, you know, stuff like that. Because as much as we like to think that attackers are very, very smart and they take, you know, extra measures to hack our accounts, most of them rely on our inability to actually create at least decent passwords. So the first thing would be to make sure your password is long enough and diverse enough in terms of characters and signals, you know, symbols and so on. I usually create all my passwords with a minimum of 50 characters and…

Maciej: 55 characters?

Val: Five, zero. Yes. And if the website you are using doesn’t allow you to create a password that has at least 50 characters, maybe you have to reconsider using that service. Just a piece of advice. Also, most likely your bank will have issues with you using passwords that are longer than 8 or 12 characters, depending. Usually the banking system, although it should be the safest in the world, is really, really bad. Like, they delay all the developments on the security side until, as you mentioned, something happens. So, for example, if your online banking is requiring you to not use a symbol, as one of the banks that I used did, I literally just called the bank and I said, I want to take my money out and I go to another bank. It’s impossible in 2023 to use an online banking service that only allows you to use up to 12 characters and no special symbols, just letters and numbers. That’s just very bad security. Number two would be never remember your password. So the moment you can remember your password, that password is easy to crack, because all of the algorithms are actually scanning for your password. All the brute force attacks happening, some of them happen with what we call vocabulary. So they actually look for meaningful words, sentences, you know, stuff like that that actually makes sense for a regular person to use. Like, ‘I was born in [city name]’ or ‘I was born [on date]’, or, you know, something like that. And then if you can’t remember your password, that means you have to rely on a password manager. Now I’m not gonna say which one, ’cause, you know, there’s plenty out there, but make sure you use a password manager and make sure your master password is very, very difficult to guess. Again, this is the access to all of your passwords. So even if, like, we’ve seen LastPass, for example, right? Hacked in, what, July and then August, I think, or other password managers, you know, leaking, let’s say, lists of, depending on what they lost.
But again, because all the passwords are hashed, most likely they will not have the actual passwords leaked out there. But still, if an attacker gets the list of all of the sites that, you know, Val has in his LastPass, most likely I will be seeing in the future, in the following days, phishing attacks. ’Cause if I have an account on, you know, gmail.com, most likely I will see an email that looks like Gmail asking me: oh, you know, after the recent LastPass hack, make sure you change your password, click here. Which will never happen from Gmail. And you’ll click, and that will not be a Gmail site.

Maciej: Yeah, if I may stop you here, because you also used, this is, this is very interesting. You also used that word, when the attacker is attacking you, or the algorithm uses ‘cablary’? How, how did you call it? The algorithm is called?

Val: Vocabulary attacks.

Maciej: So this is like a semi-dictionary attack where… okay. All right. Yeah. Okay. So yeah, sorry for interrupting. This is very interesting, that you and I see this also. Yeah, okay. I also see this, you know, with my friends sometimes, you know, distant family, that they are relying on those tricks to remember the password. And those are terrible passwords, you know? So my heart is with your recommendation. And when you said 50 characters, I was just, you know, astonished how you can remember this. But since you are explaining now that you are using a password manager, this makes sense. Yeah. So let’s get to these password managers, because this is also like, like the gate to your, to all of your passwords, right? And then how to remember that password that wouldn’t rely on vocabulary, but still be long enough not to be cracked and so on.

Val: Yeah. So I would say when you pick the password manager you want to use, or when you make your choice, look through all the features that they have. And the password manager that I’m using, actually I will not share the name, but what’s important for you is to decide: does it have 2FA? So you have to be able to enable two-step authentication on the account. Also, on top of that, because even 2FA to some degree can be spoofed. So if, for example, your 2FA relies on sending an SMS so you get the code to log in, your number can be spoofed if somebody is close by or, you know, there’s different techniques that other people can actually use to get that SMS from you and log in instead of you. What I also use, on top of 2FA, is a physical key in my laptop and on my phone. So I have to confirm that I’m physically next to my device, and that can only be done by me, to make sure that I can log in. So even if somebody, you know, let’s say, finds out what my password manager master password is, they still have to go through the 2FA and the physical token authentication to actually get into the account. That’s a collaboration of factors that usually doesn’t happen.

Maciej: Yeah. So there are three layers. Your master password – the password you’re using all the time – there is 2FA, which is two-factor authentication, and then there is the physical key that’s with you all the time. Wow. This is a complex setup. I bet there is less than one per mille of people in society who use this level of sophistication.

Val: It’s also not very expensive, actually, it’s very affordable. But again, you have to do your homework. And let’s say this – most likely, or maybe, we are going to a world where people will not use passwords anymore and different other methods of authentication will be used. But for the foreseeable future, we are still going to be using passwords. So always make sure you go through… like, anybody working in IT, in tech, looking at this podcast will most likely have some sort of cadence. So every six months, every 12 months, every three months for companies who are more focused on security, all the employees are getting prompted to change their passwords, you know, for their domain account, for their laptops, for their profiles, or different tools that they use. And I would say a good security measure is to, at least once a year, at least once a year, make sure you regenerate or you change your passwords for any of the services you have, any of the services you have. And if something is more important, well, actually not more important, but the next step I would do is never use the same password on any other profile. So if, for example, you log into your Facebook account with, you know, ‘password one’. You have a Twitter profile, you should have ‘password two’, not the same one. You have a Gmail or whatever email provider you use account – ‘password three’. Why? Because if somebody hacks into one of these profiles, it’s most likely that they go through, for example, your DMs on Twitter or your private messages on Facebook, or they go through your emails, or if they get through your email and that’s the email you use for your regular conversations, that’s fine. I would recommend you have an email address only used for your passwords and settings, you know, relating to security.

Maciej: That’s interesting.

Val: So for example, my personal Gmail address, I never use to set up profiles, for security reasons, so I always have a separate security email address that I use just to set up the password for Twitter or, you know, something like that. And of course, for example, services like LinkedIn or even Facebook, they allow you to have multiple email addresses on your profile, right? So if an attacker goes over your Facebook, and let’s say somehow they manage to get inside your Facebook, although even Facebook has, you know, good security measures for passwords, you can also enable 2FA on your profile and so on, and I recommend everyone has it – if any service you use has 2FA – two-step authentication – please, please enable it. If anything else you don’t remember from this conversation, remember this: make sure if your service, whatever service you use, even a simple email address, has a two-step authentication feature, enable it. That’ll be the first step to make sure it’s very difficult for attackers to go into your account.

Maciej: Right. This is interesting that you separate your, let’s say work email – that’s another story – but your personal email…

Val: Credentials, I call it ‘credentials email’

Maciej: Okay, this is great – ‘credentials email’. This is great. I never thought about this. You know, I’m in the space, but, you know, I never thought you can, you know, and this is simple stuff. You have just two, three emails. One is for storing your credentials. This is your vault for security purposes. And then there is a lot of, all of the other stuff that’s happening on your daily used email. This is great. What about – and this is for you – what about kids? Right? You have a 19 year old, and this is, you know, I guess your kid has this training, and when you see, you know, dumb stuff kids do, you know, I guess your hair is like, you have goosebumps, right? But what do you tell your kids, you know…

Val: That’s true. That’s true. 

Maciej: Yeah. This is tough. That is simple enough to understand, to be understood by everyone. But until you are burnt, you don’t understand this. So this is my general rule of thumb, that unless someone gets burnt, that person won’t understand. He or she will remember, but that person won’t, like, viscerally understand what we are talking about until that person gets burnt. And this can be security, this can be, you know, social, you know, social circumstances, whatever. But someone has to get burnt to really understand. So what about your kids? What do you tell them?

15:55

Val: So that’s a very good question. I started with a friend of mine back maybe 9, 10 years ago. We started a project called Media Safe, where we literally went and talked to, back then it was fifth to eighth grade, so let’s say middle school children. And then we talked to high school students or pupils and also with their parents at various stages of their children’s ages. So depending on age we sort of tailored the content that we talked to them about. And basically the whole conversation revolved around how to keep your children safe in a world that is, you know, let’s say, increasingly unsafe for children online, especially on social media, especially with all the scanning that is happening, you know, from all these platforms. Like, you have a Facebook tab open right now and it scans literally everything else you do on all your other tabs. Or the fact that children are prone to attacks just because they can’t even think of a complicated password to use, not even to mention a password manager. Like, show me a teenager that uses a password manager and I can give them, you know, $500 right now; if you are a child and you do that, I will send you the money via PayPal. But they don’t. Oh, and that’s just because security is not built into the way we think, because we take things for granted, even as adults. And then if, you know, you are at work and your employer sends you an email saying, please reset your password on your device, what is the first thought through your mind? Oh, not again. When it should be: Oh my God, thank you for actually having such an employer that actually cares about my security profiles. That it enables me every three months or every six months or whatever the time is to actually do a reset and make sure my password is not, you know, easy to crack. Sometimes you would even have the recommendation: your password is too short, your password is not complicated enough.

Maciej: Yeah. But then when you change that, my guess is 80% of people will add winter, summer, autumn to their password plus the year. So the rule stays the same, that there is that differentiator plus the year.

Val: Yeah. And this is where, if you don’t use two-step authentication, that’s where people will say, like, okay, so if the password was ‘hotsummer2022’ and now we are in 2023, what if – says the attacker – what if they just changed the last digit? So I’ll try ‘hotsummer2023’ – boom! I mean, and there’s no 2FA on the profile, so easy. And again, you asked about teenagers, and I think at the speed at which things move right now on social media, that’s the ground where our children are mostly targeted. And losing a password, or having your profile hacked, is not necessarily something that, you know, stops there: Oh my God, my password was leaked. Now they got into my account. But usually children and teenagers have so much content that they share, you know, among themselves or with others, that that content, if it’s not, you know, safe, and I’m talking all kinds of selfies, nudes, right? You know, videos of yourself that you send to your girlfriend, your boyfriend, but that content can come back and harm you in the future, big time. Because if somebody leaks that content or even just harasses you saying: Hey, if you don’t send me, you know, so much money, or if you don’t send me more of your naked photos or whatever, I’m gonna release this to your friends, or I’m gonna release this to your parents, or to your church, or to your employer. Well, kids are not gonna be working, but you know what I’m talking about. And I had the experience of actually talking to parents who were approached by their children at the very last level, when they said, you know, dad, mom, you know, I sent some nudes of myself to somebody that I thought was my girlfriend, or I thought was my boyfriend, and apparently they just wanted the content to, I don’t know, harass me or ask for ransom, and basically hold them hostage digitally.
And that’s the worst thing you can do, because you can literally destroy all your future life at age 15 or 14 or 13, even younger, just because of one stupid selfie you took and sent to somebody you thought was a reliable partner or, you know, friend, who then comes back and harms you. So, I always say to my children, who are you talking to online? I don’t necessarily care. Like, I’m not gonna be policing your DMs and I’m not gonna be like, show me everybody who you talked to today. But I do teach them, and I did teach them, basic, let’s say, verification steps. You know, if you would be embarrassed by the content you send via private messages, then don’t send it, and always assume you are going to be hacked. Always. Don’t consider it a big shock. Don’t consider it a big surprise. At some moment in your life, one or all of your profiles will be hacked, statistically. So if that happens, how much bad stuff can the attacker find there? If they find, you know, email passwords, like, do you regularly send via DM to your children – Hey, this is the password for this service. You know, go there and, I don’t know, set up your school profile or set up your, I don’t know, bus or train or something, a subscription, and so on. And you send that password via a private message or a, you know, WhatsApp message or a Viber or whatever you are using. Also, how much of the content that you have in your private messages is sensitive, let’s say, risk data or credentials of your customers, or photos of yourself or of somebody else. And, you know, we think, oh, this is never gonna happen to me, but it will happen. And if it happens, if somebody does get access to your profile, then make sure you have at least some measures. Like, I know somebody in my friend group that has this tool that automatically deletes all of the tweets that they post after seven days, everything. So, I mean, what? ’Cause I asked, I was curious. I said, why are you deleting your tweets?
And the person said: well, think of this. Twitter is a high velocity social sharing platform, right? So it should not matter what I shared a week ago. It should matter what I shared today or what I shared yesterday. Maybe if yesterday you say something like, oh, please be with me tomorrow at, you know, 10:00 AM because I’m gonna launch this product, or I’m gonna launch this service, or I’m gonna announce something, then maybe you wanna do a comment, you know, an extra comment to that initial tweet and say, by the way, this is now live. But other than that, why do you need to keep your Twitter history forever? There, even DMs. Go to your DMs and delete them. Now, of course, you can only delete your side of the conversation for many of these platforms. But for example, on Instagram, and this is something that I always teach children, make sure you don’t DM back to anyone that you don’t know. And if you did send a message, you can, in Instagram – I don’t really know of any other platform right now, top of my mind, that allows you to do this – but on Instagram you can unsend. So there’s this feature. Once you long tap on a message you sent, you can unsend it, which means it’s going to be deleted from your device, from the destination device and also from the cloud. There’s gonna be no trace of that. So if you send a password or a bad word, or, you know, some inappropriate content, you can unsend it and at least fix that. So you can do that, you know, pause this podcast, go back to your profiles and check.

Maciej: Yeah. This is great advice. And also this opened a couple of paths for me, because speaking of this auto-purging Twitter account after seven days, there is that investor whose name is Michael Burry, and he’s that famous investor who recognized the, you know, the real estate crisis and made huge money on top of it because he analyzed this, and on his Twitter profile messages, tweets, are deleted after 24 hours. So this is put to the extreme. He has a crazy number of followers, but this is the first time I noticed this kind of precaution. I was also like, why is he doing this? Like, it’s some kind of weird thing to do out of, you know, being, let’s say, weird, because, you know, he’s a little bit weird, to be honest, from what I read, and so in the…

Val: We are all weird in our own way.

Maciej: Of course, exactly. And when you think about this, we are very weird, as every individual human being. And this is great stuff. And also on the topic of deleting messages, I think iMessage recently introduced the possibility to edit your messages. So I’m not sure if you can delete them, but for sure you can edit them to be, you know, empty messages, for example, which is exactly what it would mean to delete the message, if it’s empty.

Val: I’m going back to the teenagers or, you know, children. We do know that children don’t care about anything security related. Unfortunately, many of the adults that I’ve met don’t care about security as well. So it’s not only about children, it’s about anyone. Think of your parents, think of any elderly who literally are provided with a set account. So most likely, you know, if you listen to this, you have your grandparents or your parents and you set them up with an email account, or you set them up with a Facebook profile just so you can be in touch with them. Maybe you live in another country, maybe you live on another continent, and that’s the only way you can keep in touch with them. And if the password you set for them is ‘I love your mom’ or ‘I love your dad’, please stop this podcast and go back and, even remotely, try to regenerate that password. Because most likely they will not have the precaution you have, and they will share stuff in their private messages that is sensitive to them. Maybe they’re gonna send out banking information, maybe they’re gonna send out credit cards. Maybe some phisher will try to, you know: please upload a copy of the front and back of your credit card so we can verify your identity. This should never happen. No bank in the world or no system in the world will ask you to actually send a photo of your credit card.

Maciej: But speaking of this, every now and then a message surfaces, or a tweet surfaces, where someone was so happy that they’re flying to, you know, whatever destination, and they share their ticket photo. And then some funny guy, yeah, cancels the booking for that person and there is no trip anymore. So, speaking of this, people are not aware of the kind of information they are sharing and what you can do with this kind of information. Because on the airline portal, you only need a booking code, which is, I don’t know, six characters – it’s very short. Six characters plus your surname. You see the surname everywhere, you know, Nowak. It’s five characters, everywhere: Twitter, LinkedIn. So this information is no information at all. You have to get hold of five characters, plus six characters for the booking reference, to cancel someone’s flight ticket.

Val: Because we are talking about social media, and as I said, I also have this huge hobby of doing photography, this is something I always take very, very, very good care of. So, you know, we’ve met at a WordCamp. I go to WordCamps a lot, and I was one of the organizers of the photography team. So I led the team many times at WordCamp Europe. I will go this year again, in Greece; we’ll meet in June if you come to Athens for WordCamp Europe. But every time I take a photo, every time anybody in my team takes a photo, I always tell them, make sure inside the frame that you’re taking the photo of, even if it’s a selfie, make sure you don’t have any identifiable information, like, as you mentioned, booking reference codes, even parts of or even the complete photo of a credit card. Even something like, you know, a key number. So let’s say there’s an event, you take a photo of a group and somebody in the group has the key in their hands and you can see the number of the room. Why would you let that out on social media? You know, any attacker, anybody, you know, any harasser, any, I don’t know, rapist, you know, for God’s sake, they can actually go to that room number because they know for sure it’s somebody that they found in the photo. It’s gonna be easy to find their way in, in a way. So the less information we share on social media that can identify us specifically, the more it’s going to build up security for us online. And this is a sanity check for anybody, you know, for example, you’re on a call, like right now we are in this conversation on video. And if I take a photo of the screen just because, you know, I want to send it to you so you can see, or for the audience who didn’t see this, we did a bit of a technical setup before we went on and you sent me a screenshot of your screen so I can see how I look in the photo.
So for example, if I took the same thing and you would see my bookmarks, you would already have half of the information you need to hack me, because you would know these are some of the services Val is using, because he has the bookmark in his browser. It’s as easy as that. And then you’re gonna try to see if you can hack those. Or if I take a photo in the meeting room, for example, we have a meeting and on the whiteboard there’s, you know, information that maybe is under NDA, maybe we’re launching a product and we write down some details and I take a photo saying, you know, hard at work, you know, keep up the good work. You know, this is Monday, Monday rolling something. And in the background anybody can see the name of my future product or what I’m trying to build, maybe even the password for, like, the corporate WiFi or something like that. So these are bits of information. A smart attacker will not attack you instantly. They will actually initially start harvesting information for weeks, sometimes for months, and then when they have a pretty good picture of who you are digitally, they will attack.

Maciej: And more about this, because this opens again something in my mind. Last week I read about a guy who scanned all of the Python libraries, open source libraries, that are, you know, out there on GitHub. And he found, I think, 53 AWS keys to servers, you know, production keys, with which he would be able to, you know, spin up new machines or, you know, change setups, from, you know, Microsoft…

Val: That’s too much access, let’s say that. 

Maciej: Yeah, but those were publicly pushed commits, you know, exposing your private keys to the AWS infrastructure of different companies. You know, those were huge corporations.

Val: Big, big mistakes. 

Maciej: Exactly. And out of all of those libraries, there were 50 production usable keys. You know, it’s amazing how this leaks, and then what you can do with it.

Val: You can also make a lot of money with that. 

Maciej: I bet.

Val: You can make a lot of money, because actually companies have services where you can find bugs or find security risks, report them to them, and then you get money back, right? So it’s like, I just found out about the bug, or, as you mentioned, some machines are openly available and the credentials are just lying out there for anybody to find and hack into, or literally log in, ’cause you didn’t really hack anything, ’cause you just had them available to you, and then you report that. And usually the companies will pay for you to actually support them, you know, in a way, testing their systems, their infrastructure, credentials and so on. So I think that’s also something good to do, actually going back to the companies and reporting risks that you found.

Maciej: Yeah, this was reported back. AWS, I think, even provides you with a mechanism to report such stuff, like found keys, and everyone was notified. But what you’re saying is white hat hacking, so you’re the good hacker. And also working with the bounties the companies pay for finding, for example, in crypto – I’m also into crypto a little bit. So the protocols, the crypto, blockchain, you know, DeFi companies have open bug bounties and there are a lot of people who, you know, are finding bugs there. Also crypto is very vulnerable to attacks because there is money directly sitting on the blockchain. So those are like honeypots for all of the hackers. And also there were enormous hacks, like, there were $200 million, $600 million pulled from those protocols, which, you know, you don’t hear very often that a bank got robbed of 600 million dollars. Right? So half a billion dollars was pulled out of the bank which is on blockchain. So you don’t hear about this a lot. And it happened last year many times. But the vector was, someone’s computer was not protected. Someone got, you know, a phishing email and so on. Someone got a CV and the CV was the…

Val: Weakest available link

Maciej: Exactly, yeah. And someone got a CV, for example, and through that CV, which was a PDF with malware, the protocol got hacked for a couple of hundred million dollars. And, you know, in this crypto space, I also heard about a situation where there was a conference in Amsterdam, an Ethereum conference. And one of the persons attending the conference found an AirTag in his backpack. So someone put an AirTag there and tracked that person after the conference, which is crazy when I’m thinking about this. This is so creepy, that someone was literally, like, you know, attacked with a physical device. It’s like, you know, a bug, like in the Bond movie, someone puts a GPS tracking device under your car, for example. And this happened with our technology. And in Apple there is that notification when the phone sees that you are tracked, that you are traveling with an AirTag which isn’t yours. So there is a measure to mitigate the risk, but you have to understand what this little memo says. What’s the meaning of it, that you are traveling with an AirTag that isn’t yours.

Val: And also that brings me to an idea of how many of us, any of us, I'm not talking teenagers, children, any of us, how many of us are actually reading the terms and conditions of the services we use? One. And two, how quickly do we say okay or cancel or yes on any prompts we see in a flow of sign up, registration, login, you know. Hey, something happened and we just click: okay, okay, okay. You know, go away. I need to read something. And that's maybe an info message.

Maciej: Okay, go away! 

Val: It could be a security… Yeah, it could be a security prompt, it could be, you know, a password reminder, reset or something. And we just disregard it, like: okay, go away. I do something else now.

Maciej: It’s like ?? memory.

Val: Yeah. Yeah. That's the problem. When you are too much into security, how should I say this, the mindset of I need to do this, I need to do this, I need to do this. Then it's going to become very difficult to be hacked. It's not impossible, but it's going to become difficult because you have some patterns. You've taught your mind to think in silos, right? So like you mentioned, three layers of access or two layers of access, and every layer should not be rushed into. So for example, you go to a login screen and you think you're on your online banking page, but you could be on a phished page. What I usually do is I always look at the address bar, you know, the URL address bar of the browser. Even if I'm 100% sure that I'm on my banking website or that I'm on, you know, whatever other website, I look in the URL address bar. Or sometimes, because now Chrome actually hides away the HTTPS, you know, or other subdomains in front of the domain, I literally go and, something that I do right now is I put my mouse cursor inside the URL and then everything is visible. I read it and I'm like, yeah, I'm on the right one. It takes 15 seconds, maybe 10 seconds, but it's much better than actually going to a phished website and providing your credentials and then being hacked.

Maciej: Mm-hmm.

Val: I think when you talk about security there's something that contradicts security all the time, and that is speed. So people say: I wanna be fast, I wanna do things fast. I don't care about security. But at the same time, it is very important to realize that being fast most of the time means you are not safe. Even driving cars, even logging in, even changing passwords, fast most of the time is not safe. Not all of the time, 'cause there are services and some providers who make it happen for you to be safe and fast, as I like to think about my employer, Cloudflare. But usually you have to put that into your mind: if I do things too fast somewhere, my security is not being taken care of very well because it's just too fast. Things are happening. You are an entrepreneur, you're a startup. You start scaling up and then you're like, oh, I need to use all these other services. Do you do a security check on your future provider before you sign up for your account? You know, do you check your, I don't know, CRM or ERP or any of those systems before you actually sign up? What do they do with your data? How much of your internal details are being saved in the cloud of that provider? And so on.

Maciej: A great example. My favorite is when you want to rent a car, when you want to, I don't know, rent a jet ski in Turkey or whatever on your vacation, or even a snowboard, you know, in the mountains. What will they require of you? They will want your ID and a card. Not only this, this is obvious, but they will want your ID, your personal ID, not your driving license. And they want to just copy-paste, you know, the data into the system. They will want to have a copy of this, like do the Xerox.

Val: A scan. 

Maciej: Yeah, do the Xerox copy. And this is something you don't have to allow, you shouldn't allow. They are not allowed to store this and everyone does this. You rent 50 euros worth of equipment and they want to do this. And this is terrible because you share your full color copy of the document that can be forged, used to take a short loan for a thousand euros, for example, and then be harassed over, you know, an unpaid loan, for example. No one thinks about this because they will say it's safe with us. When, you know, this is the first thing: the fact alone is the breach of safety. They shouldn't be doing this. And they will say: it's safe with us and we will not share this information with anyone. Please, please believe us. We won't take a loan for you.

Val: I think we should start learning to say, number one: no. But also: why? So if you go, as you mentioned, to rent a car, right? And they say, we need your ID. Okay, here's my ID. You show it to them. And then they go like, we wanna copy your ID. First thing you say is no. Second thing, if they insist, second thing is why? I booked it online, or I'm going to be paying with my physical credit card here. You are getting the money. I am giving all my details to you so you can find me if you need to find me, or, you know, you can file a lawsuit if something happens. Like there's a car crash or there's an accident, or, you know, if I need to come back and say I'm on an insurance claim because somebody broke my window as I was driving the rented car. But if they don't have proper legal cause and reasoning, like if the country you go to, let's say, is Germany, I'm assuming now, I don't know for a fact, but let's just say you go to Germany, you wanna rent a car and they say we are legally bound by law number, paragraph number to actually get a copy of your ID, then yes, you know, provided you are safe and you are okay with actually trading that information for getting a rental car. Or maybe you can go and pay five extra euros per day and get another company that doesn't require you to provide that data. It's all about choices. And I know, again, in security you wanna be fast. Like, I'm not gonna go again and find another rental company and, you know, lose all this half a day to… But then you can't have it both ways, fast and secure. So you need to make some effort to always choose security. And I think in the following years, this will become more and more of a sad news, because people are used to not being very safe and not caring about their security. And it's making it easier and easier for attackers to, you know, hack profiles or do all sorts of breaches.
Just because, even if we hear so much in the media and news about, you know, this company got hacked, like you mentioned, crypto stolen, in all these news pieces that we find or see on TV, apparently, like a teenager, we still don't learn. We still make the same mistakes, like a parent says to their children: Look, I've made this mistake in my life. Please don't repeat it. Guess what? They repeat it. Sorry.

Maciej: They didn’t get burned. They have to get burned, but they will be burned. 

Val: Yes, exactly. 

Maciej: Very painfully. But you know, what's your opinion? Is it like, more and more people, because new teenagers are growing up. Kids get phones earlier. So a lot of exposure. There is more and more exposure. There are more users of the internet because younger people get phones and devices at younger ages. Those who got them are, you know, older and entering their first jobs and so on. So there are more internet users. It's only growing, so we have more users, and will there be more hacks, you know, problems, security and so on, because there are more users? So statistically, you know, this is a bigger number, a bigger user base to get hacked? Or maybe people are actually getting more aware of the security problem, so they are mitigating this, or maybe not? So I wonder, because it's a moving environment, the base number is changing. It is growing. So for example, if you have the same number of hacks but the user base is growing, then they are actually more secure, you know, statistically, right? But if the number of hacks is growing faster than the number of users, new people are getting, you know, worse and worse.

Val: It is true that when you look at statistics, you hope that maybe in time more people will get more educated in security practices and, you know, there will be fewer and fewer hacks happening. But like you mentioned, because of the scale of people adopting technology and devices and so on, and with the world population growing exponentially, of course there'll be more and more people being hacked and more and more information being stolen. And if you set up, for example, a Google Alert on breach, phished, hacked, banking hack, or, you know, combinations of these, you'll actually be astonished, 'cause I have such alerts, at how much news there is about that. And still people don't learn, because if you are part of a larger list that was breached or leaked and you don't know about that, then you think, oh, you read the news, right? And you are like, oh, poor people. You know, their profiles were hacked. You are part of that group there.

Maciej: Yeah, their profile.

Val: It's their problem, right? So then if you use services like, for example, Troy Hunt has this amazing service called Have I Been Pwned? And then you literally sign up with your email address, and if they find your records in any of the leaked breaches out there on the internet, you get an email saying, oh, by the way, last week your email address or your name or your whatever was found in such and such breach. Then you begin to understand the level at which this game is played. Because yes, attackers rely on numbers, and they rely on numbers not necessarily of how many people use services online, but of how many people don't care about their security. They think it's okay to have a password that has five characters or, you know, four digits, like the PIN of your credit card. And even in the physical world. If, let's say, you get mugged on the street and somebody steals your wallet, right? What do they find in your wallet? Well, they'll find your ID. So there's one, right? They can clone that. They find your credit cards or debit cards. Now, if they're credit cards, they can actually pay for services online using that, because they have the physical one. So they have the number and the CVV code right on the back. If they are debit cards and your PIN code is the same on all of them, and if by some, you know, twisted mind error, you have a small post-it note or a small note, or maybe even on the back of the card, which I have seen, maybe many parents do, they literally have the PIN code written down on the card. So the attacker now has, let's say, five cards from your wallet. One of them has the PIN on the back, and guess what they do? They're gonna use the same PIN on all of the cards, because they know, for practical reasons, people go to their ATM machine once they receive the debit card. And most banks now allow you to actually change the initial or the default PIN code. Right. And you'll change it to what?
To the same one on all of the cards. Why? Well, it's easier. I just remember one PIN. When actually, for your security posture, that's the worst thing you can do, having the same PIN code on all of your cards. If we say, please don't reuse the same password on your online services, well, heck, the same rule applies to your physical devices. So don't have the same code on your phone, don't have the same PIN code on your cards, and so on.

Maciej: We talked about sharing information, direct messages on social media. What about the best storage of passwords inside the company, which is Slack? I bet there are companies, like 9 out of 10 companies, sending passwords to the services through Slack messages. This is the best. If you're on Slack, if you're on a paid plan, the memory never erases, and it's like the best space you will have. There is a search, you will find everything you want to find there. And this is the best place, obviously, for storing the passwords for all of the services you use internally. Which I'm just joking about, by the way.

Val: Yeah. But unfortunately it's something that a lot of people do, again, because of, you know, I need a comfortable, easy, fast way of sharing passwords. But as I mentioned previously, if you use a password manager, and if your company has luckily made the wise decision of adopting a password manager for all of the employees, then it's very easy to even set up groups. Like, let's say, you know, the marketing team has maybe access to all these tools, and some of them allow for multiple seats. Some of them don't. But then again, this is an agreement you have with your provider. So if you have a shared password for, let's say, Twitter, right, you have multiple people in your team accessing the same corporate Twitter handle. Some of them for paid social, some of them for regular organic tweets, some of them for setting up campaigns and so on. So they need the password to actually access the Twitter account. But you have to share that in LastPass or whatever other password manager you use, Keeper Security, and not share it via Slack or via private messages or via emails and so on. Even if they self-destruct, even if they self-destruct, which they don't, you can still find traces of that. And if somebody, you know, hacks into that Slack instance and discovers your passwords, who are you going to blame? You're gonna go like, oh, they hacked Slack. Slack was hacked, so I need to go and file a complaint with Slack. No, you are the one sharing passwords in Slack. It's your fault.

Maciej: Yeah. Because it's nobody else's fault. Yeah. Everyone will read the press memo that this company got hacked. And there is like a two-page explainer why the hack happened. And there is, for example, oh, we had some security stuff stored in Slack, but Slack got hacked, whatever. And no one will, you know, blame Slack for this, but they will blame the company who got… you know, the end of the chain will get blamed. Probably, you know, rightfully so, for whatever reason. But I'm also thinking, we talked a lot about private security, private measures, you know, taking care of your stuff. The stuff you can take care of as a private person, your bank accounts and passwords. The same rules apply to your professional environment. So, you know, if a password leaks, we know what to expect, but how can a person also be attacked? Like you mentioned phishing, for example. What are other methods of attacking, for breaching information, getting access to passwords and so on? What are other vectors other than phishing?

53:05

Val: So phishing is actually done via email, right? Most likely. So the first entry point is you getting an email with something that looks like your online banking or some other service you use online, and it's asking you to do one of two things. One is, verify your identity because our service has detected blah, blah, blah. You know, something. And they're gonna ask you to maybe upload your ID or your credit card or your passport, depending on what they look for. And two is where they actually ask you to reset your password, and to reset your password they will ask you for your previous password, which is similar to other legitimate or, you know, real services. Because some of the services, when you reset your password, do ask for your previous password and then ask you to enter your, you know, future desired password. So phishing attacks these days, it's not just a basic, very bad, ugly design and a PDF attached, which would most likely trigger the attention of most users and they'd go like, oh, this doesn't look right. But actually now they build very, very realistic-looking lookalikes of the actual websites from the email. So if they convince you in the email that this looks legit and you click, the second step I do always, as I just shared, is look at the URL. If I feel that this doesn't look right, I look at the URL: am I on the right URL? Sometimes the URL doesn't change because you have a huge iframe in the browser and you don't know. So the URL is the correct one, but somehow inside the page you get redirected to other content. That's very scary. Now, this is where some of the attacks are successful, also because people click on that and then, somehow thinking that this maybe is not safe, don't have a way or a destination where to report that.
So for example, at Cloudflare, if we see anything that doesn't look right, if we see any email in our inbox that looks like phishing, looks like spam, looks like a possible attack, what we do is we report it internally to our security incidents team, and we say, I just got this email. It looks fishy, it looks strange. Can you please look into it? And we have a lot of people in the security team who actually go through the email and say, yes, this is a legitimate concern, or no, this is a false friend. Guess what? Nobody ever gets blamed if you report a false friend or a false flag. It's fine, because that's how you get trained. Nobody, no manager, no team lead, no department manager will ever say, hey Nowak or Vesa, or, you know, why did you report this? Because this is not an incident. Actually, it's appreciated and encouraged. And when you have an internal culture that actually encourages people to report anything you see… Like, I like to see, every time I'm out in the subway (I'm based in London, by the way, I don't know if I said that), but every time I go into the subway, they have this sort of recorded voice that keeps saying the same thing. See…

Maciej: Mind the gap?

Val: …report it. That's also true, but: see it, report it, sort it. So you see something that is not okay, you report it, and then somebody will fix it. And this is something that is built into the British way, not only in the subway, but you see this in other places, like in public places or events, or you hear these police or, you know, security forces messages all the time. See it, report it, sort it. So this is something that we should have ourselves as well. If my employer doesn't have a way for me to report a possible phishing email that came into my inbox, I should actually go to my manager. Or that manager should go to their security manager and say, we need this. We need something like this. We need a team internally that can handle security incidents, because it is only going to be an attempt if you have good security. If it's an attempt and you have bad security, it will be a success from the attacker's point of view. I mean, attackers will try all the time. They try at our place all the time. I mean, our company sees so many attacks happening every single day. But all of the almost 4,000 people at Cloudflare, they always do this. Every time you see something suspicious, report it, nobody will blame you. Nobody. Even if you clicked on something and, you know, after a few minutes, oh my God, this was a bad site to click on, or I submitted my credentials. Even if you do that, you still have to report it, and nobody will blame you, but will try to fix the problem. And there's a lot of lateral security, permissions and access points are, you know, like even physical keys. I mean, somebody can try to hack it, but they'll not successfully do it. Even if they hack Maciej's or Val's account, they're not gonna go laterally into other accounts or other teams, just because security is very tight.

Maciej: Mm-hmm. And if, for example, someone gets that phishing email and clicks on a button to do whatever they want you to do, is it already dangerous, or unless you provide, like, type your information, are you still safe? Because I always wonder if you're already compromised, or you are just looking into that trap only.

Val: The correct answer would be: it depends. And why? If you actually need… So the attacker would need to somehow download a payload onto your device and have that payload activated and, you know, do something: phish for information, collect information, monitor your bandwidth or your network traffic, find out what ports you have open, what other services you're communicating with, and such and such. And for that, most of the devices would have some sort of a prompt. You know, you would see something like, oh, your antivirus is updating. And because, again, we talked about it a few minutes ago, you don't carefully look at, you know, what is this notice? Should I click or not? You see antivirus alert? Yes. Click, okay. So there's some part of user steps that need to be done in order for an attacker to actually download or install or even run a piece of software or a piece of code, or, you know, some sort of script. But many times you also don't need to click on anything. Just land on the page, because in the background they will try to run, maybe they will try to, I don't know, mine Bitcoin using your CPU power or your electricity and so on. So I would say, as long as it stays within your email inbox and it's something that looks suspicious… Oh, actually, I have a recommendation here. When you get an email that is obviously spam or phishing or so on, don't just delete it. First, report it to Gmail, Yahoo, Hotmail, whatever service you use, report as spam or report as suspicious. Leave it there for like 24 hours in the reported state, so that the algorithm can pick it up and look inside of it and then understand and update, and then delete it. This is very good if you want to actually, let's say, help somebody else, not just yourself. If you wanna help just yourself and you're selfish, you're fine to just delete the email. That's it. You delete the email, you don't care.
But if you also want to help the algorithm learn from that experience and help others who may not be so, you know, careful and paying attention as you did, then you report it, and then automatically, you know, the power of the collective volumes that actually get reported to each of the email providers will help them establish better rules and filters, so that similar content in the future will get automatically flagged and sent into the spam or junk box, so that the users don't even see it in their inboxes. Just a friendly piece of advice.

Maciej: Yeah, that's great advice. And spam is, you know, notoriously sent by the millions of messages. So, you know, everyone should report this. I also wonder, because one of the earliest pieces of advice, apart from not clicking, you know, unknown links in unknown emails, is, you know, WiFi in cafes, hotels, also USB chargers in the hotel room where you can plug in your cable and charge your iPhone, for example. Inside that USB cable there can be hardware, you know, trying to monitor your phone, and Android is very, like, vulnerable to such attacks. And also, funnily enough, like a year ago, I think there was big news that motherboards manufactured by one of the, you know, manufacturers in China had hardware, like a spying device, inside the motherboard. So it was implanted on a chip in server motherboards for one of the big US companies, and they only knew about this because those motherboards were to be used in a military environment and they got reverse engineered, and that is the reason why those chips were found. So the amount of spying is crazy. And also, maybe, have you heard about the stats that about 40-something percent of internet traffic is generated by humans? All of the other 60 or 55% is generated by bots and, like, hacking activities, let's say both, you know, automated systems and so on. So I opened a couple of topics. So let's stick to the first one, which is WiFi security at cafes. Sorry…

Val: Yeah, no worries. Let's say you enter a country. Most likely you come by plane. So you land in the airport, and the first thing you do is save bandwidth, save data, right? And you're gonna connect to WiFi. Usually it's the airport's WiFi, so you get free WiFi. And also, I'm not sure, I'm not an Android user, but I know on the iPhone it's automatically also showing you this is an unencrypted or not safe connection. That should be the first warning for you. The moment they provide a publicly available WiFi, but they don't encrypt it correctly, that should already be a warning that something is not okay. So that means anyone can see the traffic from devices to the router and back, which is not okay. So a sniffer can be right next to you, and you think that you are using all the proper security measures. So you use LastPass or another password manager, you have 2FA, you have all that, and then you communicate via a WiFi protocol that is unsecured. And anyone in the airport or in that room with you can actually sniff your packets going back and forth from the router. So, you know, you can install an app like, for example, Cloudflare WARP, that actually encrypts communications from your device to the first point of entry, which would be the router, or other apps like that. But I would say, unless money is a really, really big issue for you, don't use publicly available WiFi. Never, ever. So if you go to a country that is, let's say, not in a commercial agreement with other countries so that you don't pay extra for roaming services and so on, then carefully consider if you have the budget. And if you don't, you know, buy a local SIM card that has data attached to it and use that. I never use WiFi anywhere I go. I try not to use WiFi as much as possible. If I use WiFi, like I'm using right now, I'm always making sure that my WARP is enabled, so that I filter all my traffic through Cloudflare WARP, and that's a free service anyone can download and use.
But also, when you use VPN services, that's a big warning, because people think, oh, I'm using a VPN, so I'm safe. And my question is, who is providing that VPN? How much of the data you share through that VPN service is logged, and what do they do with it, and where do they save it? If you are a European citizen, do they save that data locally in your country or in the European Union, or do they save it on an Amazon machine somewhere in the US, or, you know, I don't know. So even if they save the data somewhere, do you have access to ask for deletion? Because by GDPR rules, we know that you can reach out to any of the providers and say, please delete any traces of me from your system. I want my account canceled and I want every copy of any of the data I shared deleted. Can you do that? If you reach out to your provider and you ask for that and they say sorry, or we'll look into that, that means that they don't have a process. They don't know how to do it, or they don't even know how much data they have about you, or they don't have a physical separation of European data versus any other country's data. We know GDPR only applies to Europe, right? So, do you, or the services that you use, can they guarantee that your data as a European citizen is physically protected and saved in a cloud storage or facility that is physically based in Europe? You know, these are some of the questions you should ask yourself. And I try to also make sure that, for example, you know, we talked about teenagers and children, they would connect to anything that has WiFi. Like, you go to a subway and everybody there is connected to WiFi, or, you know, hotel rooms and conference rooms and event venues and so on. So even when you provide WiFi for your event, if you organize an event, make sure it's always encrypted, make sure it's always via password. But I will also encourage everyone to have apps on their devices that actually encrypt their traffic.

Maciej: Mm-hmm. Great stuff. And also I remembered, when you were talking about this antivirus notice, I like changing gears here a little bit, because you mentioned also the kids. And I remember too, you think about, you know, people clicking on these fake antivirus messages. I talked with a friend whose father is a just-retired CFO of a big organization, you know, a big organization CFO, a person trained in finance, which isn't, like, you know…

Val: An easy topic. 

Maciej: …an easy topic. You have to be very diligent in this. And every two, three months, he has to go to his father to fix his computer because it got totally infected with malware through those antivirus messages, you know? Yeah. I clicked this. Why, why did you click this? Because I wanted to buy, I… You know, I cannot recall the whole conversation, but the person changes totally the moment he leaves this professional environment and enters the PC environment, let's say the computer environment. The mechanisms he would have inside his field, which are nearly the same with these messages, are totally lost. It's like two different worlds. Like children going to kindergarten and running and screaming, and at home they are fine. They change the environment. Wow. Running, screaming. And this is a grown-up, you know, trained person, professional, mature. And the behavior is totally, totally changing, because no one is reading those messages. Maybe there are too many messages.

Val: Well, out of the abundance of, you know, bombarding people with banners and warnings and alerts and all that, people have a tendency to just click away. Just click and make it go away. That's why I hate, and I literally hate, all those pop-ups where I go to your website and the minute I move one pixel to scroll, I get a newsletter pop-up. Would you like to… yeah. Newsletter sign up. Why the heck would I want to sign up for your newsletter? Because I literally just landed on the page. I haven't read anything. What's gonna convince me to sign up for your newsletter? Let me scroll the goddamn page. Let me read the content and then have a moment where I say, oh my God, this is so useful. I want to find your newsletter sign-up form.

Maciej: Yeah. 

Val: So, but there is, again, I think, a lot of marketers in the field of digital marketing making use of all these banners and alerts and subscription models and all that, so much that they actually help decrease the security awareness of people, because people mistake some, you know, they're confused about, oh, this could be a newsletter or something. Okay, let me just put my email in and submit. And that could actually be a phishing window, where people now have the email address. Now, if I have the email address, maybe if I show them another ad, you know, with something else, they would give me the first and last name. Maybe they'll give me, you know, date of birth, and then I can put them all together in the background and have a virtual copy of their identity from like three or five interactions. Again, remember, good attacks happen over time. They study you, they gradually harvest information about your profile, and then they put things together and say, okay, now, this is Val digitally, now attack him.

Maciej: Yeah, because there are a couple of levels of attack. There are those mass messages, like this notorious Nigerian Prince attack, which is in very broken English, which, interestingly, I heard about this a little bit, this broken English is by design. So this is like qualifying. Like in sales, you have qualification of leads, whether they fit your profile at the price point and everything, and you decide to take them on or decline. But this Nigerian Prince hack or scam…

Val: A classic. 

Maciej: Yes, the first one. And the English is broken because they are looking for naive people who will not care about, you know, broken English in this case. So if you are keen to, you know, engage with such an email, you are a very well profiled person, vulnerable to this attack. Then you have more sophisticated, directed ones. And on the other end of the spectrum, I read about one attack, again in the crypto space. There is a founder who is in crypto, and I'm mentioning this because the vector is interesting, really interesting and very elaborate. So there is a guy who is a founder of a crypto company, also a somewhat notable investor. On the blockchain everything is visible, if you want it to be visible. It's like you have an open bank account, everyone sees what you have, if they can match you with this account. So, it's known he has some crypto, meaning like 50 to 100,000 euros in crypto, and he runs a Discord community around his company. And people, you know, it's a community, people share, do stuff for free and so on. And a guy appears, helping with the project a lot, creating 3D movies for the cause of the project. They talk a lot. Now, long story short, they have great talks and so on. He introduces the founder to another person. This person creates the opportunity to meet with Airbus executives, because this is the same space. This is a physical startup. And the guy, by the way, has some crypto. So this is a great opportunity for a young company and so on. But then: please check out my project I do on the side, and you can mint NFTs. And I will send you one. You only have to connect your wallet to my NFT page. And this guy has a separate account for all of the crazy stuff, you know, to test things out, right? And he uses this separate account to mint this NFT. And in crypto, when you connect a wallet to any protocol, you have messages that explain what you are doing.
You are allowing your wallet to be able to read, to write, you know, to interact with a given token. And instead of the token that that person said it would interact with, it was another token, the one he had on his account, and he, you know, allowed this, or I don't remember if he allowed it or not, but if he had done this on his normal storage account, it would be empty. He would be totally wiped out. And I'm saying this and explaining this story because it took between two to three weeks of time to build the connection between two people, to produce custom stuff, which were 3D animations with, you know, 3D designs and so on. It's not like, you know, you craft an email and reuse it. Those were created just for the startup, by a person talking on Discord, you know, in proper English and everything. It failed. But how many of them succeed? You know, and this is the totally opposite end of the spectrum from sending 1 million Nigerian Prince emails, right?

Val: And also imagine, you know, the Nigerian Prince, cause you gave that example, it’s a very, you know, it’s an old one, like this has been happening for 20 years, 15 years. But imagine that attackers now can rely on, for example, something like ChatGPT and…

Maciej: Exactly.

Val: …write perfect emails in English that make sense, that have a unique angle in each of the emails. So they don’t need to send the same email to a million people whose emails they harvested. They can send a million emails, each individual one something that is unique, so that even the phishing filters or the spam filters would not catch it. So they will definitely come into the inbox of the person that is targeted. So, again, I’m going back to the fact that the more people advance in using technology, the more attackers will have it easier and get early access to use technology for something that is bad: to hack, to try to hack, to try to phish details and so on. So I would say that again, unfortunately, you can’t really have good security if you want to have only very good speed all the time. You know, with most services, you have to take your time and understand, what am I doing here? Okay, I’m creating a new profile. What details are you asking of me? Think of something simple on social media, like connecting your Instagram profile to, you know, some scheduling tool, right? You want to connect your Instagram profile to Buffer, to schedule posts, right? Nothing out of the ordinary. I said Buffer, but it can be any other tool. Now I know Buffer, for example, for a fact, they allow you to connect via Facebook’s API, so you don’t actually put your username and password for Instagram into the Buffer interface. You actually get redirected to get an authentication token via your actual credentials from Instagram and then get redirected back to, you know, Buffer or whatever other platform. But think about all these tools that I see, for example, social media influencers and travelers and social media managers who manage multiple companies’ social media profiles. 
They go to some of these tools and the tool is requesting the person to literally put the username, meaning the Instagram username, and the Instagram password for that user into the browser unencrypted. Why would I do that? That’s the biggest red flag ever. If they can’t allow me a redirect option via the Facebook API and come back to the tool authenticated, which means of course extra time, extra development, extra code, extra minding put into that tool, then I would say as a social media manager, that tool is not trustworthy and I will not use it. So again, if you want to take this as a takeaway, if you’re watching this: if any of the tools you are using to connect to other profiles requests you to physically type in your username and password for that third-party tool, don’t use the tool. If they can’t make you redirect to the API of that tool, connect and then come back, it’s not worth your risk. Even if it’s a cheaper service. Use a more expensive service that provides more security.

Maciej: Okay, we covered social media. What about the agencies? So a client comes to you, or you are the client. How should you think of sharing your server information with the agency that you want to let fix your website? Because there are, you know, many different reasons why you want to change the agency, but the new agency has to know about your code and understand the code. So you have to grant the access. What’s the best way to do this? 

Val: Well, for example, let’s say they need to access your WP admin, right? The dashboard. Number one is make sure you create another profile. So don’t share your main profile, the main admin profile. Once you create that profile, do not email them the password directly, not ever. Create that profile in your password manager and share it with them, which means that they have to have the same, sorry, password manager as you have. So that’s already, let’s say, making the list of available providers shorter. Because if they don’t have it… okay, let me stop here. You can go back, you can say something like this: you send an email out to five agencies and say, I want you to provide services for my website. Or they email you and ask for that, and then you should send them a short, let’s say, survey. Number one, what are your security practices? Let them detail it. Don’t ask specific questions, cause if you ask specific questions, they can give you simple answers and they may fool you. Just say, what are your security measures? Or how do you deal with security for customers? They can say whatever they say. If they come back saying, we have, you know, X or Y or Z, this is the password manager we are using, and if you like that idea, and if it’s the same password manager as you use, even better. If not, you can actually also set up a new profile with a new password manager just for that customer, or that agency. I don’t think it’s a big issue. As long as you don’t need to send passwords, share them in clear mode on any type of messaging system, but send them through the password manager from you to them or backwards. Right? And then number two would be, if they don’t really need full admin access, don’t provide full admin access. Maybe an editor-level access is enough for them. 
Maybe just the capacity to, you know, let’s say you hire an agency and somebody in that agency needs a profile to upload product pictures to your media gallery right on WordPress. You can just grant them access to do that. There are many plugins. Actually, I don’t think you can natively do a lot in terms of access levels on WordPress, but there are plenty of plugins that can do that, that actually allow people to do very specific things, like only edit pages or only upload photos and stuff like that. So the basic rule would be: only grant the level of access that is needed for the task at hand, not more. They don’t need admin access to change your text on the page.

Maciej: Like the CIA rule on a need to know basis. Right?

Val: Yeah, absolutely. That’s called layered security. You only have access to do what you need to do. So in order to perform your job, if you need more access or deeper access, then you should request that. And then you have to say why you need it. Always ask the question why? If they come back saying, we need root password access to your server, just ask them why. If they can’t give a good answer, don’t give them access.

Maciej: Yeah, because this is easy for us, because this is easy – speed, as you mentioned. Sure, sure. Alright, so let’s wrap it up. Thank you very much for all the information, Val, this was great stuff. 

Val: Thank you for having me.

Maciej: I think this is not only valuable for, like, people in the personal environment, but also their parents and their children. This is great stuff and this is very much neglected, in my opinion. This is…

Val: A family safe content. 

Maciej: Exactly, exactly, for all the, you know, generations. Thank you very much, Val, and take care! Thank you!

Val: Thank you. Thank you for having me. And if your audience finds this useful, I’m happy to do it again and you know, like a second episode and then we can talk more. But until then, make sure you keep safe and don’t care about speed so much as you care about security. 

Maciej: Perfect. Thank you very much. 

Outro: If you like what you’ve just heard, don’t forget to subscribe for more episodes. On the other hand, if you’ve got a question we haven’t answered yet, feel free to reach out to us directly. Just go to www.osomstudio.com/contact. Thanks for listening and see you in the next episode of the Osom To Know podcast!