Episode_11_Why_Should_I_Care?

Hello and welcome to episode 11 of the Sudo Social Club. I’m Edward Miro and in this episode I am going to be discussing the question: Why should I care about cyber security?

The Sudo Social Club is a podcast and YouTube channel centered around cyber security awareness, IT security training, hacking capture the flags, wargames, and crypto challenges. Check us out at www.sudosocialclub.com where there are links to the YouTube video, audio only and a feed of all my past episodes for you to use anytime you need it. If anyone has any feedback or recommendations on how I can improve the channel please leave a comment or email me at sudosocialclub@protonmail.com. Thanks for tuning in, now let’s begin:

So if you’ve been following this channel from the beginning you will have surely noticed that the focus has shifted this way and that and I have explored various concepts and ideas for where I want the project to go. I’m sure this is common with starting new creative projects and sometimes it’s not easy to know how an idea that sounds good in your mind will play out in the real world. I still think a podcast/YouTube channel focused on CTFs and crypto challenges is a good idea, but I’m still unclear how to make it work. My issue is that to show how to work through a CTF or crypto challenge in a time frame that makes sense, but also be interesting. This created an issue because if I showed exactly how I accomplished a CTF it would be hours of me Googling and there’s no way I have the improvisational chops to fill that kind of dead air. The CTFs or challenges that can be done without prep and scripting are on the easy end of the spectrum and less abundant. I could always script and prep harder CTFs, but I hate doing that. One because it’s not realistic. And two because I find my own content more interesting when I’m speaking off the cuff.

Another thing that I’ve realized after starting this channel and also in combination with my participation in the National Cyber League last semester was that I’m almost 100% sure I don’t want to be a pen tester anymore. This was my dream for over 5 years now and it’s weird to admit this. I love CTFs and crypto challenges and during the preseason game where you have a week to get as many flags as possible I scored well enough to be in the gold tier for the individual game so I’m decent at hacking. The individual game however was less fun for me. Instead of a week you get 3 days. It was very intense and I didn’t do that bad honestly, but the stress, the pace, the whole energy about that part made me not like hacking, at least during that time. If that’s what being a professional pen tester is like I don’t think it’s for me. I love INFOSEC and will never stop hacking or doing CTFs, but I think if I had to do it for work it would ruin it. I have even more respect now for people who can excel in this line of work and if you are also interested in going down that road be aware it’s not easy or fun.

Diverting from this path has lead to another which I find even more rewarding and where for the most part this channel is going to be focused on. If I find the right CTF or crypto challenge that I can do without prep and in under an hour I will feature them from time to time. For now though this channel is going to start focusing on cyber security awareness, training and developing content centered around solving the problem we have getting the average person to start adopting more proactive cyber security practices and protocols.

Having the honor and opportunity to speak twice so far at two Norcon hacker cons, having lead a lock picking workshop at Hack Davis 2019, speaking at the Butte College security+ class last semester and being a potential coach for next semesters NCL, I have found my voice within the field and I’m strongly drawn to public speaking and training.

My goal starting today is to publish a new episode every other week and in each episode I will go over the basics of cyber security and information security in a way that makes sense to any level of technical expertise, but also shows that these concepts are easier than most people think, less inconvenient than most people think and even small incremental changes can make an incredible difference.

The days of “Why would anyone hack me?” is over.

To start just go to https://haveibeenpwned.com/

Try all your email addresses there. What accounts do you have that have been compromised? It doesn’t mean you did anything wrong, it just is. Now consider that most people use 1 password for everything, or they use password patterns that easily guessable. If you have more than one account involved that just adds to it to the potential the bad guys have. If you have an account listen here it means your private data to some degree is out there.

I think when people say things like “Why would anyone hack me?”, their presumption is that unless someone is a worthy target, they won’t be targeted. I don’t think enough people realize how much hacking and cyber crime is less about laser focus and more of a shotgun approach. Credential stuffing is a technique attackers will use that has been in the news and media lately. What they’re doing is taking leaked account info, like your email address and password for whatever account was hacked and trying that address and password on all the other sites just in case you do what I mentioned earlier most people do and that’s use the same password on all your accounts.

Credential stuffing and attacks like this are all scripted and require very little overhead to implement. Just think about how if the expenditure necessary to target a victim is proportional to the likelihood it will happen, then we are all almost guaranteed to have already been hacked or will soon.

My opinion on information security protocols is that they are now so easy to implement that within the next few years they will become commonplace and being ahead of the curve will be huge. The last thing you want to be is the low hanging fruit. I’m going to conclude this episode by selling a few things that I’ll be devoting full episodes to in the coming weeks. I’ll be going into depth for each one so this is just a tease:

  1. Password managers are awesome. You only have to remember one password, all your accounts can have have very secure passwords and password manager apps make it easy.
  2. VPNs are easy, fast and run on everything. There’s very little reason to not use a VPN on open networks at a minimum. Your privacy matters, even if you have nothing to hide.
  3. Two factor authentication is massive in prevention getting hacked. And like password managers become habit really fast. Such a small change has a huge impact on your attack surface.

This is just the first few I had in mind. I want to give everyone the biggest bang for their buck and will be looking at phishing, social engineering, open source intelligence and many, many more topics.

Cyber security matters and it’s going to be my goal to show you why and what you can do to stay as safe as you can without making things too inconvenient.

Alright. If you like this week’s episode and want to help support this channel please subscribe to the podcast through whatever podcatcher you found me through and please subscribe to the YouTube channel. Links to everything on www.sudosocialclub.com, and if you want to help the channel grow please share on your social media. Once again I’m Edward Miro and you can contact me at sudosocialclub@protonmail.com with any comments, questions, corrections or feedback including ideas for future episodes. Thanks for checking out the Sudo Social Club. Have a great week!

Written on June 16, 2019