
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Personal Information Security Protection in a Modern Era, Part II
Digital security goes far beyond just having a strong password. What happens after you hit "send" on that email or text message could expose your most sensitive information to prying eyes, marketers, and even hackers. In this eye-opening episode, we dive deep into the hidden truths about personal communication security.

Most people are shocked to learn that free email services like Gmail, Yahoo, and Outlook actively scan and analyze everything from message content to sending patterns, building detailed advertising profiles from your private conversations. As security expert Kyle explains, "when a service is free, you're not the customer – you're the product." The team shares practical alternatives like ProtonMail that offer true end-to-end encryption, keeping your sensitive conversations private even from the service provider itself.

The discussion takes an unexpected turn when Kyle reveals how a mortgage company's IT professional blocked his encrypted emails, claiming "only terrorists use encryption" – despite handling the most sensitive financial information consumers regularly share. This highlights dangerous misconceptions about security practices that persist even in industries handling vast amounts of personal data.

Text messaging proves equally vulnerable, with standard SMS/MMS messages traveling unencrypted across networks. The team recommends Signal as a user-friendly alternative providing true encryption for both messages and calls. We also explore Have I Been Pwned, a valuable tool for discovering if your accounts have been compromised in past data breaches, and share clever tricks for managing email privacy like using separate addresses for different purposes.

Whether you're a security professional or simply someone who values privacy, this episode offers practical, actionable steps to secure your personal communications in an increasingly invasive digital landscape.
Join us for part three of our personal information security series, with internet browsing security coming next week!
You're listening to the Audit presented by IT Audit Labs.
Mandi Rae: Hello and welcome back to the Audit, presented by IT Audit Labs. I'm Mandi, and joining again today is Eric, Kyle and Nick. Hey guys, hey guys.
Nick Mellem: Hey Mandi.
Mandi Rae: I think we're going to jump right back into our personal information security in a modern era. And, Kyle, what are we going to talk about today?
Kyle Rosendahl: Yeah, today we're talking about personal email and personal messaging, including, you know, SMS and MMS on your cell phone.
Mandi Rae: We all do it.
Kyle Rosendahl: We all do. What's MMS? Multimedia messaging service. So things like your standard video and photo messages that get sent between devices.
Mandi Rae: Like when someone on your security team sends you a picture of a really cute kitten jumping over rainbows and you open it like, why would you send me this? And here, it was to capture your geo coordinates so they could tell you exactly where you were at that time. That's the kind of stuff I deal with over here. Uh, was that person on this call, Mandi? Mandi, they're not, but they are showcased on other episodes, so I'll be sure to call them out later.
Kyle Rosendahl: So kicking it off, personal email security, right. What we like to talk about with this is that those free email services that are very convenient and very easy to set up, things like Gmail, Yahoo, um, you know, Hotmail used to be a thing, but Outlook, um, MSN, I'm sure you can list off more than what I'm coming up with here, um, they scrape the contents of your emails as well as kind of the metadata and the usage statistics to, again, you know, add to that big data portfolio about you. So they're looking at things like message times, what you're writing about, who you're sending to, contacts that you often send to, right, how long the messages are, if you have any attachments on them. You know you don't really have any expectation of privacy when you're using their servers to do your mailing, although they are convenient, right. So one of the things that we like to recommend to security practitioners is to use a paid subscription to a trusted email service, something like ProtonMail, which I use, and I know a lot of other people that use it, security and non-security people alike. mailbox.org is another encrypted service, and Tutanota is another one that's a little harder to say and a little weirder, so I tend not to use it, but it does email encryption and security, similar to ProtonMail. Some of the pros of using a service like this are your emails are encrypted at rest and in transit and the email provider does not look into the contents and there's no way for them to decrypt your emails as they sit on their servers. You can feel a bit more secure in kind of sending and storing emails and personal information through these services, because you know the email is going to be encrypted, and some of these have, you know, different applications like Google. They have a calendar, a drive, a VPN service that you can purchase as add-ons.
Kyle Rosendahl: Some of the downsides to using something like this are sometimes you run into non-deliverable addresses. So, um, I'll give a story about that, and this costs money. But, um, when I was applying for, you know, home mortgages, one of the lenders that I was working with to secure financing to purchase a home, I was emailing their broker with my ProtonMail and for a while it was all working, and then they just stopped receiving my messages. And so I asked this mortgage lender that I was working with, like, hey, I've been sending you emails and you haven't been replying. And she said, oh well, that's weird, I don't know why. So she checks in with her IT guy, who says, oh, that's because they're encrypted as they're coming in and we don't allow encrypted emails to come into our systems.
Mandi Rae: Which is crazy because of what you're giving them.
Nick Mellem: All the information. Shut the front door. If there's any PII, it's going to be with a mortgage company.
Kyle Rosendahl: And he says, well, why is he using an encrypted email? Only terrorists use encrypted emails.
Mandi Rae: Oh my gosh, who is this guy?
Nick Mellem: I could give you a name, but I'm not going to. Let's get some names, Kyle.
Eric Brown: Never do business with that company. Wow.
Kyle Rosendahl: Yeah. As the person on the call who isn't a security engineer.
Mandi Rae: I didn't know, and was shocked to find out, that what I'm sending via my Gmail account was not private to me and whom I was sending it to. And I'm sure I'm not the only person out there who's not in the cybersecurity space who would be shocked by that. And it kind of makes me think of an earlier conversation. Like, I tell my kids, if it seems too good to be true, like, don't do it on the internet, and this is a free service. Like, why didn't I even think of that?
Nick Mellem: I'm more curious on what he meant by only terrorists use that. So anybody that's trying to be safe?
Kyle Rosendahl: I think his logic behind it was, well, what are you trying to hide with an encrypted email, right?
Mandi Rae: I don't know, my social security number, my financial documents.
Nick Mellem: Everything that you asked for. Right.
Eric Brown: We need to go find that company and help them with a security assessment.
Mandi Rae: They need this presentation for sure.
Kyle Rosendahl: Yeah, so, and funny enough, this dude who actually works there, I was in a cybersecurity master's program with his nephew, so you know, it's not like his family is that far from InfoSec.
Mandi Rae: We've got to take his nephew out for a beer so that we can help him help his family.
Nick Mellem: Do you think that he would be a guest on the podcast?
Mandi Rae: I could reach out to him. I don't want to showcase that kind of ignorance, now that we're terrorists and all. Yeah, I've got a funny ProtonMail story and it involves Kyle here.
Eric Brown: Uh, now, Kyle, we've known each other for a couple of years, and back before we knew each other, you were applying for a position and, aside from your astute security knowledge, one of the things that stood out in your resume, or, you were the first applicant that I had seen that used a ProtonMail email address, and it was, you know, it's like, okay, this guy's really a security practitioner, right? Everybody else is using like a Yahoo or a Gmail or Hotmail.
Eric Brown: Yeah, he gets it, and I don't... I think I've seen, you know, I don't know, probably 100 resumes or more since then, and maybe only one, maybe two other resumes where they were using a pm.me or a ProtonMail, and I just, I don't get it. If you're a security practitioner, why are you emailing your resume in with a Gmail account?
Mandi Rae: Practice what you preach, practice what you learn.
Eric Brown: Yeah.
Kyle Rosendahl: It's a hot button for me, yeah, and it doesn't have to be ProtonMail, right, there's plenty of services out there now that provide this type of security. But yeah, to that point, I mean, we know beyond the reason of a doubt that free services are just scraping up all this information. So if you're uncomfortable with that or you're recommending other people do it, I mean, just do it. And it's really not that expensive. I mean, it's a couple bucks a month.
Mandi Rae: So I mean, we pay that for iCloud storage. I feel like nowadays you're just, you know, you buy an app, it just... it doesn't seem unreasonable. Yeah, cool. What else?
Eric Brown: My eyes are opened. They've got other offerings too, don't they? Like VPN?
Kyle Rosendahl: Yep, Proton's got a VPN, I think. Two to note, mailbox.org and ProtonMail all have an encrypted calendar application as well, and like a ProtonDrive, so you can do some secure encrypted cloud storage out there as well. They're not as fully developed as what Google has, but they're getting better and they're constantly in development, and I think I just opened up the calendar app the other day and there was an option to import from Google Calendar, so you can ditch your Google Calendar and throw it into Proton and add other people to it and share your calendar. So it's getting a lot more robust.
Nick Mellem: Well, and wasn't it that ProtonMail just did a third-party audit that basically proved they're not actually keeping logs?
Kyle Rosendahl: On their VPN. Yep.
Mandi Rae: And why is that important for people out there like me?
Kyle Rosendahl: I mean, we'll talk about it more when we get to the VPN episode, but essentially, a VPN anonymizes your traffic, and there's certain VPN providers, especially ones that offer free options, or are less than upfront about how they're using that data. Your internet service provider is collecting your browsing information and selling it to advertisers and people like that. The VPN is basically doing the same thing that the ISP would be doing, but with your VPN traffic data. So for them to not be collecting logs and have no way to access your traffic logs, you know for sure that where you're navigating to when you're connected to the VPN is known only to you.
Mandi Rae: Oh, that's great. Thanks, Kyle.
Kyle Rosendahl: A couple quick tips on email security, right. Using a paid secure inbox for personal correspondence or PII information is always really good, but there's always more you can do to kind of keep your email secure and keep yourself out of spam lists and things like that. So I know something that I do is I have my personal ProtonMail that I use. It has all my encrypted data and I tend not to give that out to advertisers, vendors, things like that. And then I've got a couple free email inboxes that I use to sign up for rewards card services. If someone at Walgreens or CVS is like, sign up for our rewards program, and it sounds like a good deal, I'll give them my junk free email inbox so that it's then hooked up to that account. So then, rather than getting all that spam and junk in my personal email, I'll just collect it somewhere that I never sign into and use that to connect to my rewards cards. So, things like that. Again, if you want to... Really smart.
Kyle Rosendahl: Take an extra bonus tip. You can give it some goofy name about it being a junk box, or "stop wasting my time," so that when they ask you for your email at the restaurant or the rewards points, you can give them a little middle finger, figuratively.
Nick Mellem: Now, that's the person that would probably be labeled the terrorist, not the person that's using good security.
Kyle Rosendahl: Yeah, I'll be one of both.
Nick Mellem: I think we had talked about this before, and I think Eric brought it up, about putting the period in the email. You know, it's like for Gmail, this works. So, like, you can use your first name and your last name, or vice versa, and put the period in between. But when you actually signed up for Gmail you didn't use the period, right? So Gmail recognizes it, so you could email or use the same tactic, kind of like you're saying, where, for all those rewards, you could use the period and then go into your tools, create a rule that sends all those to the trash can. Mm-hmm. Yeah, so like if you're Nick Mellem, yep, and you're at the coffee shop, yep, your email address could be nick mellem at gmail.com, but we're gonna give the coffee shop nick period mellem.
Mandi Rae: Either way, Gmail is going to recognize it as one and the same, but you can create that auto rule so you just don't have to deal with the crap.
Nick Mellem: You'll never see the email. It just goes straight to the trash can.
Mandi Rae: Very smart.
Eric Brown: The Nick Mellem email address. Can we take a little side jaunt now for the pwn? Yeah, let's take a little look-see here, shall we?
Mandi Rae: Yeah, let's introduce Have I Been Pwned, for anyone who's not familiar.
Kyle Rosendahl: Yeah, so Have I Been Pwned is a Troy Hunt... Is he the one who developed this?
Nick Mellem: Yeah, it is.
Kyle Rosendahl: But essentially he's got a database of data breaches that he maintains here on this website. Meaning, if a website was hacked or a service was hacked and your email was registered to that service with a password, and a hacker was able to get into that system and compromise or tie together username and password or password hash, right, he has an entire list of what those combinations are, and he provides a free service here on this page to look up your email address and determine whether your email has been involved in a breach, which breach that happened to be, and then whether you should be changing your password based on what you find.
Mandi Rae: Bless him. So we are looking up one of your real accounts there, Nick.
Nick Mellem: Yep, this is an old one that has been hooked up with quite a few. I think it was seven of them. You can scroll down and see all of them.
Mandi Rae: I was part of the MyFitnessPal breach too. Someone out there knows that I don't really work out often.
Eric Brown: Go ahead, Eric. Yeah, this is interesting, right, Nick? Because you, being a security practitioner, you're using a different password for each of these sites and you've got two-factor authentication turned on wherever you can. This Robinhood one is interesting. They didn't get passwords, but they did get email addresses, and presumably the same thing with this ParkMobile, where they got email addresses and passwords. If they were able to reverse engineer and crack this password, then they could try that same username and password against your Robinhood site, which... Make accounts, all of it.
Eric Brown: Yeah, if that didn't have two-factor authentication on it, then somebody could be trading all of that Google stock that you have.
Mandi Rae: Well, and I'm interested to see that a customer service representative was socially engineered. I know at Defcon, Kyle, you had watched social engineering competitions. I would love to get to hear that call and how that happens, because that's a lot of exposure. We employ risks.
Kyle Rosendahl: Yeah, well, I mean, and that's one thing that we always do say as security practitioners, right, the number one risk in any business is the human element, right? It's not always the technical. So many, I mean, even like the most recent Uber breach that was announced was done via social engineering and collecting information from somebody over the phone and through WhatsApp, right?
Nick Mellem: They didn't do any password, Kyle.
Kyle Rosendahl: Yeah, and they got an admin password from this person, signed in and stole a bunch of data. So I mean, really, they didn't have to know the technical details on how to break into the systems, they just had to trick someone into providing information, and they stole everything.
Mandi Rae: So, and like us, you could get you a man who'd do both, like Nick Mellem.
Eric Brown: Well, now that people have Nick's Gmail address, it'll be interesting to see what kind of stuff he gets. Yeah, I mean, I know he likes pictures of kittens and recipes with Beyond Meat or Impossible, any sort of vegan meat, he likes that.
Nick Mellem: Yep, I love it. I'll forward it on.
Mandi Rae: Well, thank you for sharing this, Nick. That was really interesting, and if you want to check out itauditlabs.com, we'll have the link for Have I Been Pwned. We'll definitely share a lot of the different articles and references we're having throughout this podcast series for you, and we encourage you to check it out yourself.
Eric Brown: And Nick may have... Do you want to post a couple of your favorite vegan recipes?
Nick Mellem: Along with some of the social engineering websites. But we will definitely go back to that website in future episodes to unpack quite a bit more.
Kyle Rosendahl: Yeah, and just a quick note on personal messaging security, right. When we think about text messages, right, most people, if it's not between iPhones, right, with iMessage, the typical format for sending a text message is via SMS, which is short messaging service. That's your standard text. Or MMS, which is a multimedia messaging service. These are going to be your texts and video messages. Neither of these are encrypted.
Kyle Rosendahl: These are being sent just across the airwaves through your cellular provider and routed to whatever phone number you're sending it to. That makes them pretty, fairly easy to intercept. They're collected by those cell carriers and are logged and can be provided as part of a data discovery with a law enforcement warrant. And then in the past, with, trying to remember what the name of the system was, Edward Snowden worked on with the National Security Agency, but it was a Dragnet or something like that. Essentially, they were scooped up and are able to be analyzed by the NSA or anyone with proper technology to collect these things. So they're not very secure. Just like your email, they could be read, they could be viewed. If you're sending personal information via SMS, someone else could get it. So there are some ways that we, as kind of security people, try to prevent this.
Eric Brown: On this one here. What's the name of the fake cell phone? It essentially spoofs the cell phone provider, and they're then able to sit as a man in the middle.
Kyle Rosendahl: Well, Eric, if you want to look that up, I can talk about Signal here.
Kyle Rosendahl: Go ahead. Yeah, cool. Kind of the best alternative that I think most of us, I think everyone on this call, uses, and a lot of people in the security field use, is Signal. It's free and open source, so you can view the source code of it, you can contribute to it, you can help develop it. Free and open source is always kind of appreciated in the security world because it keeps people honest as they're developing things, and you know where the data is going as it goes into the program if you have the knowledge to look through it. When using Signal you get that encrypted messaging between other Signal users. So any messages sent between another Signal user will be fully encrypted, end-to-end. Likewise, you can make encrypted phone calls using Wi-Fi or data. They call it a Signal call, but that will encrypt your voice calls as well.
Kyle Rosendahl: It's super easy to set up with a phone number. I mean, you download the app, you install it, you hook up your account, you're good to go, and it also manages your SMS and MMS messages. So if other people aren't using Signal, you can still use it as your kind of default texting app and still reach other people. And as easy as it is to set up, it's just as easy to kind of find other people. So we're not endorsed by Signal, we're not being paid. That'd be nice if they would.
Mandi Rae: But we love it though, every last one of us.
Kyle Rosendahl: Yeah, we're all big fans, so it's constantly being developed. Some of these cons: you know, there's other standard messaging apps like your iMessage or your Google messaging apps. They're a little, probably a bit more slick, or, you know, they interface much more nicely with your default installation of your phone. You do lose some of that, like Google connectivity, in Signal. So, you know, you trade off the convenience for the security of this. And then I guess the last con, it's just your choice whether it's good or bad, is it has a pretty open default policy for privacy, so it makes it very easy for other people to find you. It lets other people know that, hey, a new person on your contact list has just joined Signal. So it does hook up to your phone number. And if you're looking for something that is super private and doesn't even connect to your phone number, this one's not always the best option, but for something easy, that's good. We're big fans of it.
Eric Brown: And I did come up with the name of it. It's a cell site simulator known as a Stingray.
Kyle Rosendahl: Stingray, yeah.
Mandi Rae: It was so close.
Eric Brown: So these devices can pretend to be, or simulate being, a cell tower, and they then intercept the communications that your phone would have with an actual cell tower. So similar, Nick, you mentioned the Pineapple, which we can use for doing something very similar for Wi-Fi connectivity; the Stingray, which is, you can do it with cellular connectivity.
Mandi Rae: That's really scary.
Eric Brown: We'll talk about the eye in the sky too, at some point, with some of the surveillance that was going on down in Juarez in Mexico, and the eye in the sky, I think there was a balloon over Baltimore that did something similar too, but we're probably getting off track and this will be a 10-part episode. Totally.
Kyle Rosendahl: I think we're close to wrapping up. I think we just got one more slide here talking about messaging. Yeah, a few other options. Threema is one that I've also used in the past. It doesn't automatically hook up to your phone number, so you actually set up a private ID that doesn't have to tie to you at all. There's the one-time purchase, so I guess it's not completely private, someone would know that you purchased it with a credit card or something like that, but it gives you a lot of good privacy options.
Kyle Rosendahl: It's much harder to set up than Signal. You have to connect with other Threema users. So if you have a group of friends and you want a super secure private messaging application, you know, it's really good. I like it, but again, very difficult to kind of configure and make sure it's all hooked up and ready to go. And then Telegram is another option that does secure encryption. You can do private messages with encryption on them. It's also free, has pretty good speeds with video calls, easy to find people, similar to Signal, things like that. Much more kind of used in other countries around the world and really utilized for group messaging and things like that.
Kyle Rosendahl: It's not always clear how they're making money, so I always put a caveat on this one that while it's got encryption, it's not the most open platform for knowing exactly what encryption, or how the encryption works, or how the keys are generated. So take it with a grain of salt. I wouldn't use it for anything super secure, but a lot of people do tend to use it for messaging, and you can set up a pretty private profile on there as well. So just some options out there. And if you want some recent news, I think it was two, three weeks ago, you know, current geopolitical states in the world.
Kyle Rosendahl: Telegram, I think, was developed by a Russian guy, the same guy who developed VK, which is kind of a big social media platform over in Russia, Eastern Europe. Kind of like Russia's Mark Zuckerberg, I think, is kind of how they describe him. When he created those platforms he wouldn't give the encryption keys or, like, all the stuff over to the Russian government, and I think actually fled the country to keep his secrets to himself. But I think that the Russian government claimed to have cracked the encryption on Telegram just like two, three weeks ago. So I don't think that's been corroborated yet that I know of, but they claim to have broken the encryption on that. So again, take it with a grain of salt.
Eric Brown: Other geopolitical news. Signal is looking for some volunteers to help with the trouble over in Iran and help Iranians bypass their government censorship during the protests using Signal. So if you just search out Signal blog, help people in Iran reconnect to Signal, there's a request from the Signal community to build those proxies.
Mandi Rae: That's pretty cool, makes me love Signal even more. If they don't want to sponsor us, I'll take merch. Well, thank you guys. I found this fairly interesting and I'm going to have to come up with another word that isn't invasive and scary, because I think those are always my initial thoughts, is like, oh, this is icky, what people don't know, right? But I believe what you presented is just really eye-opening. So next time, what are we going to talk about?
Kyle Rosendahl: Internet browsing. Internet browsing, VPNs, ISPs, passwords and forms, cookies. Cool.
Mandi Rae: Well, I expect that to be a bigger, larger conversation that might even break into more part series, because there's just so many avenues and things to talk about as it relates to these topics. So thanks for joining us again on the Audit. Please check us out at itauditlabs.com and we will see you again.
Eric Brown: Thanks, everyone. Thank you. Bye.

Want security leadership without the headcount? As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation, to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.