HS 259 – Protect Yourself From Wireless Threats with Cyber Security Expert Scott Schober

 

Scott Schober is the CEO of Berkeley Varitronics Systems and the author of Hacked Again. Scott is a cyber security expert and talks to Jason on best practices to protect yourself from a hack. Jason and Scott also talk about car hacking, identity theft, drone defense, and much more on today’s show.

 

Key Takeaways:

[2:05] What’s happening in the world of recreational drones? Are they a threat?

[4:25] How do I protect myself when I’m banking online at a public location like Starbucks?

[8:10] How do we get around the NSA?

[12:25] How do we defend ourselves against drone attacks?

[16:30] Can terrorists jam our GPS?

[19:55] How can our car get hacked?

[22:20] Identity theft is very popular because it’s easy to obtain personal information or credentials.

[25:50] Scott likes the concept of LastPass and 1Password, but he would never store bank info on there.

 

Mentioned In This Episode:

https://www.torproject.org/

http://www.bvsystems.com/

http://www.hackedagain.com/

 

Tweetables:

TOR was originally developed by the United States Navy.

Most GPS jammers are for local proximity. I could buy one and put it in my car, so my boss can’t spy on me.

Car companies have been very careful to look closely at encrypting some of their internal wireless technologies.

 

Transcript

Jason Hartman:

It’s my pleasure to welcome Scott Schober to the show. He is CEO of Berkeley Varitronics Systems and they’ve been in business for about four years or maybe a little more and they specialize in wireless security and threat detection and there’s a lot of very interesting stuff going on nowadays. You hear about it in the news, but you know, we keep adding to the complexity here. Now, we’ve got drones flying all around the world and there were some drones flying around France. I was reading about it in the news very recently. I don’t know if that’s still happening. We’ve got Apple Pay, we’ve got all sorts of new possible areas here that we need to talk about today, Scott, welcome, how are you?

 

Scott Schober:

Great, thanks for having me on, Jason.

 

Jason:

Well, it’s good to have you. So, like I said, it is a complex world and the complexity is just increasing by the moment, huh?

 

Scott:

Yes, that’s for sure. The cyber threats keep getting worse and worse.

 

Jason:

There’s a lot of convenience too. You know, let’s maybe first talk about drones and when we talk about drones, I’m not talking about big multi deca million dollar, you know, military drones. Just drones that, you know, are small, recreational or small business type of drones. Agricultural drones, etc. Of course, the FAA has been talking a lot about this lately. They issued some new rulings on it. Should we be concerned about eavesdropping via drone or hacking into our cellphones or this kind of stuff?

 

Scott:

Well, certainly it’s becoming easier and easier to do. You made a good point, it’s not necessarily these big expensive drones anymore. I can go out to the local store or hobby shop or over the internet and purchase a drone for maybe a $1,000 to $3,000 and I have pretty advanced capability there if I wanted to spy on somebody with a high definition camera. I easily could or listen in with an audio connection or even worse, do what’s called a man in the middle attack in which I can actually fool somebody.

 

Fool maybe their cellphone or their tablet or perhaps their notebook from a wifi connection where I can pretend I am somebody else and I could actually steal their content and if they’re accessing a website entering a password or user name or anything compromised maybe like credentials. I could gather and gain that information and use it for wrongful purposes.

 

Jason:

So, what does that mean, the man in the middle attack. Is that when the hacker makes your cellphone think it’s talking to a cell tower, right?

 

Scott:

Yeah, more likely, which is much easier to do, what is happening is a wifi connection. All of our smart phones have built in wifi connectivity, so you’re not on the cellular WAN, the traditional cell towers that we think of when we’re talking, but rather a close hot spot, a wifi access point is what you’ll be simulating there in a man in the middle attack and what you could do is fix a bridge access point to a bottom of a drone, a simple payload. It’s maybe half a pound.

 

Jason:

So, Scott, I’ve always wondered about this. I’ve always wondered if with this type of thing, when someone is at a Starbucks, for example, or any hotel or any kind of public wifi, and you know, I have banked online many times at Starbucks or hotel. I’ve just had to. I need to do stuff and I’m not always using a VPN. I’ve only recently started learning about that and tinkering with that kind of stuff, but when it says HTTPS, you know, like it’s a secure connection. Am I okay or not?

 

Scott:

No, not a 100% okay and that’s typically what you would look for entering into a browser if you’re doing online shopping or as you mentioned banking and things of that sort. The challenge is often times we’ll go to those sites and maybe it is a secure browser and a secure connection. However, the means of communicating may not be on a wired link, but a wifi link. Now you’re exposed if that..

 

Jason:

It’s always on a wifi link, right.

 

Scott:

Well, it depends, you can enter in HTTPS right now on a browser, but from a wired connection. Same is true on a wireless connection, but your wireless connection may be through wifi. In fact, that’s probably the majority of the time. You don’t always know where that transmission is going, because these cyber thieves can actually mimic another website that looks exactly the same and fools you completely and that’s really where you gotta use caution. So, I always caution do not use any free public wifi sites, period. No matter how tempting they may be.

 

Jason:

You’re making it very inconvenient here, Scott. A lot of listeners are thinking, gosh, that’s going to really mess me up. What about, I mean, does a VPN solve that problem? If you use a VPN and then access the bank website, for example, have you allayed your fears here or should you still be worried?

 

Scott:

To me security is not 100%. You should still be worried. What’s more safe is probably a better way to approach it. In my opinion, you can go out and buy a simple hotspot. A 4G Verizon LTE hotspot where you would use, again, the cellular communications over the tower where you have the safe, secure, modulated signal that can’t be hacked and then locally redistribute the wifi to your actual phone.

 

Jason:

Or use the hotspot built into your smart phone. That’s the same thing, right?

 

Scott:

As long as, again, you’re not using it’s connected to local wifi at Starbucks or something else.

 

Jason:

So, if the smart phone is not connected to wifi, you’re purely using the cellular network, that’s good. What does modulated mean? When you say a modulated signal.

 

Scott:

A modulated signal. If you look at a traditional, continuous wave signal, it’s like a wave form. Like a wave in a sense if you had to envision it from a – like the ocean or something like that. Whereas a digital signal is modulated. It’s much harder to hack into and it doesn’t have open standards and that’s what these cellular phones these days are using. The old days, remember, the cellular phone you can go to RadioShack, you could listen into the conversations? They were analog signals, easy to hack. New modulated signals with CDMA or LTE networks that we hear about, 4G, fourth generation technology. Very hard to hack into and thus much safer than your traditional signals or the wifi standard, which is very easy to hack into.

 

Jason:

Right, okay, good. That’s good to know. Thank you for telling us that. So, that’s the way to do it. Do it over your cellular network. What about, do you deal with, I mean, I know you – you’re a government contractor, correct?

 

Scott:

Absolutely. We sell to a lot of government agencies all the time.

 

Jason:

So, what about all these people and this may be a conflict of interest, just say so and I’ll shut up and I’ll stop asking questions, but you know, what about people who, you know, are really concerned about the NSA. I mean, we know they are eavesdropping, right? And wanting to get around that and there are, you know, there’s that, what do they call it, the black phone. I was reading an article about that the other day that says, you know, we’ll pay you if you can hack our phone and the NSA can’t even hear, but remember, it’s two sides of the communication. Assuming that is true and I’d like you to comment on it, but the whole other side of the communication has got to be on the black phone too or some kind of…

 

Scott:

Exactly. It’s got to be secured and encrypted both sides of the link. So you’re absolutely right. Is it more secure? Absolutely, but I don’t think you can expect the average listeners to go spend an exuberant amount of money to get a black phone to be secure. They can use applications that will add layers of encryption on to your phone. Probably more concerning for the average person is their email or perhaps their texts. What you can also do that is free.

 

I also encourage people is what’s called the TOR Network and the TOR browser, you can download it free and what that is used by is a lot of media and journalists around the globe as well as a lot of the bad cyber guys that are doing a lot of corrupt activities so they remain anonymous and cannot be traced, because it bounces the IP traffic from server to server, computer to computer.

 

Jason:

I remember seeing the WikiLeaks movie and I think they were talking – that’s the onion thing, right?

 

Scott:

Yeah. It’s called the onion router. In short they call it TOR and again, that allows you to be completely anonymous. Bad guys use it, but good guys use it too and it just doesn’t allow somebody like an agency like the NSA or others to spy on you. It was originally developed by the United States Navy and it’s now supported by free volunteers around the globe and it’s popular.

 

Jason:

How do you know you can trust that type of stuff, though? How do you know that the NSA doesn’t just own that?

 

Scott:

It’s a good point. The big difference with that is it has very strong encryption. So, it was designed from day one to send secure information. If you’re one government entity to another working on another part of the world, you could use that and it’s heavily encrypted and again, since the traffic is bounced around, you can’t trace where it came from. It’s pretty safe and that’s why the government uses it and a lot of the media professionals and of course the bad guys use it to hide.

 

Jason:

Right, so the problem with those types of things is it becomes really slow, right? Because the data has got to bounce all around rather than going and taking the shortest path.

 

Scott:

You’re right, there is some latency in some of the communication, but I don’t think it would be enough to discourage somebody from using it. It’s pretty advanced stuff. It works well. I’m surprised that more people don’t use it, but I think it’s got that negative connotation to a lot of the bad guys and they are afraid to be monitored.

 

Jason:

Yeah, interesting stuff. So, what about that – back to this cellphone cloning and so forth. Tell us about some of these ominous ways that small drones could be used by crooks and so forth. I mean, they can spy on you. When the drone thing becomes really widespread, I don’t know what we’re going to do about that. That’s just a really weird kind of invasion of privacy that could be going on all the time. I mean, these drones are going to get really small where they might get the size of a bumblebee, you know, they might be tiny.

 

Scott:

Yeah and they can actually talk amongst one another so you could actually send out a swarm of drones. Imagine 10 or 20 drones that are on a mission to do something.

 

Jason:

The military applications got to be pretty awesome, though.

 

Scott:

Absolutely, yeah. I think about some of the more recent things. Maybe if you look at this and not to scare people, but imagine a threat if you’re in a giant sports complex and somebody in the parking lot takes a drone and they fly it up and it carries a payload of five pounds. Imagine if they had an explosive, they had advanced cameras, they had other things that they could leave in the middle of the field, that could be very threatening to very large crowds of 100,000 plus people.

 

Jason:

Oh, I couldn’t agree more. It could be extremely – what would ultimately be the defense against this? I mean, you know, like, years ago you could have said, well, missiles, you know, you can’t defend against missiles and now we can. We have the Patriot batteries, you know, that’ll defend and there are missile defense systems, but you know, something as fragmented and small.

 

I mean, what would be the thing to do with the drone? Will it be to just jam the GPS system somehow? Will it be to jam the radio signals, because, you know, they can ultimately be autonomous where they can think for themselves. They won’t need a radio signal. Someone won’t need to be controlling the drone. Someone can just send it on a mission and it’ll go do its mission without direct control, right?

 

Scott:

Sure, the one big problem is first of all you cannot jam any of the radio frequencies, be it the GPS or the traditional cellphone bands or even the wifi bands, because it’s illegal, at least here in the US.

 

Jason:

Well, I’m assuming criminals don’t follow the law, so you know..

 

Scott:

Yeah, that’s true. Criminals don’t. Probably what we’ve approached it from this standpoint is the detection and location of a drone or a threat is more valuable, so you can actually with one of our tools, it’s a yellow jacket tool. It focuses on wifi drones. We look at both bands so that the pilot controlling the drone as well as the drone flying and we can hone in on a particular signal and it has a US address to the drone as well as the pilot controlling it in the actual controller and we have a direction finding antenna.

 

So, now we can look up at the sky and aim it back and forth, move it like a Geiger counter and see the signal strength increasing as it gets closer. We can look up from the MAC address what’s the make of the drone. We can determine with one of our algorithms how far the drone is away in altitude and see that it’s a approach and also statistics about it. Okay, this drone can fly two miles high. It can go 50 miles per hour. It’s a quadcopter. So on and so forth.

 

So, we can get those parameters and then we can switch over and hit the button and say, okay, now I want to locate the pilot and to me, that’s the powerful part, because you want to take the threat out or determine where the guy is sitting in the black van flying this thing.

 

Jason:

This will be the defense system, yeah.

 

Scott:

Exactly, exactly what you’ve identified. This is one means as a defense system. So, we’re offering this right now, but just as you said, people that want to take a drone out and they want to do jamming, certainly that’s possible. There are also attack drones now. There are drones that are being trained, if there’s a drone threat in an area.

 

Another drone would be dispatched immediately and go above this drone and they drop something, so it lands into the props of the drone. It could drop a small net. There’s different guns that they sell as well when it gets close. You can shoot the drone down with a net. Again, it’s anything to block the props will take it out of the sky.

 

Jason:

The concept of Top Gun is now becoming micro, you know? It’s just amazing. Yeah, but these are military applications. I mean, civilians can’t own any of this stuff, I’m sure, right?

 

Scott:

Oh, no. All the drones that I’m talking about are civilian drones. We’ve bought about three of them so far.

 

Jason:

No, no. I’m talking about the defense system. I mean, certainly you’re not allowed to have a drone that shoots things. I’m sure, right?

 

Scott:

Oh, no. That would be somebody that’s going to counter the drone and that would be a mobile command center that is dispatched at a giant stadium or a government facility would buy that and use that. Not your average citizen, you’re correct, I’m sorry.

 

Jason:

When I was talking about jamming the signals before, I was talking about the, you know, the government doing it in the defense of the population in that stadium example you gave. Can the, you know, I’ve always been curious. Can the GPS system be hacked or jammed? I would assume that in war time this is something would want to do, right, because our GPS guided bombs and missiles are so precise nowadays. Wouldn’t Al Qaeda and ISIS want to somehow jam or mess up our GPS system? Are they able to do that? Is that possible even?

 

Scott:

Yes, certainly possible and there are GPS jammers on the market. Again, they are illegal, but they are easy to obtain. Most of the GPS jammers are for local proximity. In other words, I could buy one and put it in my car, so my boss can’t spy on me if I have a certain route to drive or truck drivers and such will often buy them, but there are high powered GPS jammers as well as scary as that is and that could be used for wrongful intentions of bad guys and they certainly do do that and there are also tools to scan for intentional jammers, so you can actually hunt them down. We do sell tools to the FCC as well as other organizations that can hunt down jammers for cellphones, jammers for GPS and so on.

 

Jason:

Very interesting. What else is out there? What haven’t I asked you about that you wanna talk about? Well, actually before I let you have free rein, I got a question for ya.

 

Scott:

Yeah, please.

 

Jason:

Car hacking. We’re on the verge of having a wonderful revolution in my opinion of autonomous self-driving cars. I’m going to be the early adopter, I’m going to be the first kid on the block with one of those. It’s a huge thing I really want. I want to have a computer chauffeur me around, but nowadays. I mean, I was just watching Blacklist last night on Netflix, great show by the way, and the guy hacked into someone’s car and made the air bag go off while he was driving down the street, caused an accident. You know, what about car hacking? Is that a big threat?

 

Scott:

Yes, it’s certainly concerning. I wouldn’t say it’s a widespread threat where people should not drive in their cars and be paranoid or things of that sort. However, people should keep in mind with modern cars if you bought in the last year or two or a new model now, they all have cellular modems embedded in them. This is the 50 most popular car companies out there put in these telematic modules. It’s the essence of what’s inside of our cellphone and that, again, allows your car to call out to the dealership if there’s a problem, emergency services, so on and so forth, but the fear is that somebody, again, could hack in by that means or if there’s a wifi hotspot, again, how if they are in close proximity Bluetooth.

 

All of these things are possible, however it is difficult to do. It’s been proven that it can be done, but it’s more in laboratory type of controlled experiment. However, hackers are pretty knowledgeable and they’ll take it to the next level until they can find a real threat and before you know it they could – imagine applying the brakes if you’re driving down 60 miles an hour or an air bag goes off or things of that sort. It’s extremely scary that someone could have that level of control over your car. So, car companies have been very careful just in the past six months to look very closely at securing and encrypting some of their internal wireless technologies to minimize this from happening. Still a threat though.

 

Jason:

Tell us if you would how, you know, give us the angle of the criminal for a moment. I’m sure you’re not going to expose anything someone can find out with a few Google searches anyway. How do they hack things? I mean, I don’t even understand the concept of it like, how does someone clone a cellphone tower and fool your cellphone. How would someone hack into your car? What do they do? I mean, how does that even work?

 

Scott:

Well, often times if you give the example of your car and they know that the car has wifi connectivity or cellular WAN connectivity talking to the cell towers. What they could do is kind of look where it is not secured. Often times they don’t provide secure passwords to get access inside to the car.

 

So, maybe somebody hooks a computer up to test their diagnostics and they do it wirelessly through this hand held device or they do it through what’s commonly called an OBD2 Port under your steering wheel. When they have that level of connectivity and there’s not a secure password and many companies, unfortunately, never thought about the threat and they are producing cars, they’re not producing security devices.

 

Once that’s figured out how to hack into the password. They can get in, they can take over, and have control. More likely what a cyber thief would do is try to jam your car when you try to lock your car. Imagine you’re going to the mall, you get out, you press your button to lock the doors, at the same time they see you they press a button and it jams the signal, so your doors do not lock. You go into the mall, they hop in your car, they rob some stuff, and they take off. You never know what happened.

 

Jason:

Yeah, okay.

 

Scott:

That’s a big problem.

 

Jason:

That’s probably an easy one, I assume, right.

 

Scott:

That’s an easier one and that’s more the occurrence of what’s happening honestly.

 

Jason:

I mean, do all these guys have to be, you know, electronic engineers or is this something they can go on Amazon and buy? I saw some, I remember there was a news piece about a car key sort of replicator or something and I looked literally on Amazon.com. I was curious about it and it seemed like you could buy that thing for a $170. I was shocked! Is it really that easy?

 

Scott:

Unfortunately a lot of this technology or the know-how is easy to procure. I typically don’t mention any of the sites or where they can go, but it’s safe to say in the dark web, which is again, that layer under the surface web where we are, where all the criminal activity, every single thing is for sale for a price and you can get tools to hack, you can get algorithms, you can get tool kits, you can get anything you pretty much want to do to conduct crime via wireless, wired, computer fraud, you name it. It’s scary.

 

Jason:

Yeah, it’s an amazing and scary time to be alive at the same time. Is identity theft still, like, the biggest problem out there? That seems to be the crime of choice the last several years.

 

Scott:

Oh sure, identity theft is. Why is that? Because number one it’s easy to obtain people’s credentials, compromised credentials. They could steal them. They can put them together in large lists and again, they can sell it in the dark web easily for quite monetary gain and there’s two or three stages of where it passes hands, so it’s hard to trace it back to the original thieves. Thieves like that, they can sit in their basement on their computer in the middle of Romania, make a lot of money selling other people’s identity and it’s hard to catch them. So, they are very attracted toward that.

 

Jason:

So, I’m going to sort of take the positive angle for a moment and see if you agree with me, Scott. I think all of this identity theft and this cyber crime threat in a weird way, it’s almost good and here’s how I’m saying that. If we just sort of give into the idea that there will always be crime, there will always be a bad element in society and that’s just the way it will always be, hopefully, it won’t always be that way, but it always has been that way at least, so far, right, and at least with the crime moving toward the web and cyber crime, you don’t have to worry as much about your physical self.

 

You know, it’s less likely you’re going to get mugged on the street nowadays and maybe this is the reason violent crime in some cases in some areas, depending on how you slice and dice the stats, of course, and it’s really revisionist and maligned I’m sure in many ways and understated, but it doesn’t seem to be as big a threat as it was in say the 70s or the 80s and maybe that’s because a lot of the criminals have found a cleaner way in the information world to commit crimes, right?

 

Scott:

Oh, absolutely. I think you hit it on a good point. I mean, until it touches yourself personally, it’s hard to fully identify. We unfortunately, our company was a victim of being hacked. Our debit card, credit card, our checking account where it’s under federal investigation, tried to take down our website, Twitter feed. Once those things happen, what do we do? We had to reinforce our security and look at the way we do business differently to protect our customer, to protect our money.

 

So, you think of things differently. To me, it forced me to write a book on it to share the mistakes we’ve made with other people. It’s called Hacked Again and I share in there chapters that I focus in why it’s so important to have a password. What are the dangers of identity theft and how to protect yourself. What are the wireless threats out there and how you can secure your wireless network. All of that type of information, I’ve gone out there and kind of shared best practices so people can protect themselves, because once it affects you personally, you look at it very differently.

 

Jason:

Oh, it’s got to be just a monumental hassle. I mean, I have had some scrapes with it personally too, you know, a few things. I don’t know if anyone has stolen my complete identity, but you know, there’s several forms of identity theft. There’s criminal, there’s health records, there’s credit cards and banking, of course, but there’s a lot of forms of it. Do you think that these password generator tools and memory tools are a good idea like LastPass and 1Password and those kinds of apps. Do you like those or are they dangerous?

 

Scott:

Yes and no. I like the concept because it’s easy to remember one long strong password, 15 characters or more, upper, lower, symbols, numbers. However, if and when that is ever compromised. You basically have given somebody your entire key chain. That’s the gotcha. So, it’s more safe in some ways, because you only have to remember one thing, but if that is ever compromised and somebody hacks into LastPass, can you imagine the damage that would ensue. That scares me. I don’t use it personally, but I understand it and I do recommend it for certain people with certain things, but for financial information, if it’s your stock portfolio or bank, I would not store my password on LastPass or any other of those sites myself.

 

Jason:

Yeah, I would just have to add to that, that’s good advice, I would have to add to that that if you have a stock portfolio, you’re getting victimized all the time, because Wall Street is the modern version of organized crime. Just had to throw that in. You know you’re getting screwed if you own stocks.

 

Scott:

But if you’re going to own stocks, you can buy cyber security company stocks and do pretty well, because they’re doing very well.

 

Jason:

Well, there’s a thought. Yeah, absolutely. Hey, give out your website.

 

Scott:

Absolutely. It’s www.BVSystems.com

 

Jason:

BVSystems.com. What questions didn’t I ask that maybe I should have asked or anything else you want people to know?

 

Scott:

Well, certainly if people have questions, they can certainly go to that website, especially if it deals with wireless threat detection. If they have more common questions or want to learn more about best practices, if they go to the site HackedAgain.com, we have a book that’s coming out and it covers best practices and we share a lot of tips. We have a lot of blogs and information there that is constantly keeping you abreast of the latest threats and, again, how to protect yourself.

 

Jason:

Scott Schober, thank you so much. This has been a very enlightening discussion and we appreciate you sharing these tips with us.

 

Scott:

Thanks again for having me on, Jason.

 

Announcer:

This show is produced by the Hartman Media Company, all rights reserved. For distribution or publication rights and media interviews, please visit www.hartmanmedia.com or email [email protected]. Nothing on this show should be considered specific personal or professional advice. Please consult an appropriate tax, legal, real estate or business professional for individualized advice. Opinions of guests are their own and the host is acting on behalf of Empowered Investor Network Inc. exclusively.