Welcome to Brazos Matters.

I'm Jay Socol.

Co-hosting with me today is KAMU student content contributor and senior journalism major at Texas A&M.

Macey Litterst.

Hey, Macey.

Hi, Jay.

Thanks for coming back and joining us in studio.

Of course.

So last year, the FBI received nearly 860,000 complaints of cybercrime from the public, and the total potential loss experienced by those complaints was more than $16.6 billion.

And also last year, the Federal Trade Commission received nearly 6.5 million reports of fraud and identity theft.

So that brings us to today's discussion about what any of us, no matter how young or old we are, can do to protect ourselves.

So in terms of this topic, Macey, does this scare you?

Does it intrigue you?

What do you got going on?

I think a little bit of both.

In the past year, my family has been hacked with their credit cards twice, and I don't know how that happened.

So I am intrigued to learn more about this world.

Same, I was a victim of some, attempted identity theft.

And because all my information apparently was out there and somebody tried multiple times to open a bank account, with my information.

So, yeah, all of this information that we're going to get today, I think is going to be good for us.

So let's see what we can learn from our guest with us is Bast Schellhorn, a program specialist with Texas A&M Cybersecurity Center.

Bast, Thank you so much for joining us.

Yeah.

Thank y'all for having me.

Of course.

So I am curious about your background and what you do now.

Sure.

So, my undergrad is, about, B.S.

in psychology.

I've worked for the TAMUS Security Operation Center, which is network security, malware analysis, threat detection.

I've worked with the Texas A&M Cybersecurity Center for the past few years.

And currently, my my role there is, helping prepare students to go into the cybersecurity workforce.

And, I'm also pursuing a master's of education at the moment.

So continuing that education.

Yeah.

What are some typical cybersecurity vulnerabilities that we all experience?

Where do you start?

Yeah, right.

That's a it's a very, very wide range.

I would say one of the biggest things that people don't really think about, is network security specifically when it comes to, you know, public Wi-Fi is a big one.

I mean, the internet has become just such an integral part of our daily lives.

We sort of we don't really mindfully use it anymore because it's just there.

It's in your hand.

It's convenient.

It's what we reach for.

Absolutely.

I asked you when we had our zoom call, what about apartment complexes?

What does that have to do with that?

So essentially, my stance on public Wi-Fi is you shouldn't do anything on public Wi-Fi that you don't want the world to be able to see, because the world can see it in all reality.

And you mentioned specifically apartment complexes that offer Wi-Fi to their tenants.

Technically, you as an individual will have no right to privacy or, privacy for your data on that network.

You are not the policy holder.

And, in some cases, the internet service provider, can give a lot of information to the apartment complex.

Who who is the client about what kind of information or data is, you know, going across, your particular Wi-Fi connection.

Yeah.

When when we had our sort of preliminary visit over zoom, and Macey asked you that question, and you gave the answer, I could tell your face kind of.

Yeah, it's scary, very serious.

No privacy in your own living.

But there are tens upon tens of thousands of students and others living in, apartment complexes.

So this is not like an isolated thing.

Like what?

What advice do you give people who are living in these apartment complexes?

Well, I would say treat it just like public Wi-Fi.

Right?

Don't do anything on that Wi-Fi network that you don't want the world to be able to see.

Especially banking information.

That's an example that we use a lot because it's one that's relatively universal and incredibly impactful.

Right.

You're banking information is, a very valuable piece of information.

You mentioned the figure, I think 16.6 billion, right, to certain people.

That's a revenue stream, right?

That's an available market share.

Their goal is to make money just like any other human being.

They're just going about it in a a rather unsavory way.

Right.

But when when these complexes sort of hyper focus on this particular item, but when they say, free internet or you're, you're getting your service through, through their provider, is it any safer to be, having a wired connection within, within, you know, your living space than that, Wi-Fi?

Or do you really for ultimate safety and, privacy protection, but also being able to do the things that you want to do, do you need to come up with an even separate solution?

I mean, ultimately, a VPN, a virtual private network, is the sort of the best option in that scenario if you need to do sensitive things on your network.

A big thing with VPNs is pay for it, right?

Because a free VPN is not really free.

Your information is a commodity.

You are a commodity as a human being to a lot of companies, your data is a commodity.

So don't use a Free-P-N Don't pick, the cheapest VPN you can find, like you are paying to keep your data safe, so that it is something worth investing in.

A good VPN will not allow you to establish a connection that is unsecure.

So that somebody is attempting to intercept or to listen in on, a cheap VPN might not have the same capabilities and might let you go ahead and make that secure connection even if somebody else is, listening in, let's say, on average, what does a good VPN tend to cost per month or per year?

I mean, your eyes just got big.

I know that's may be an unfair question, but what what is the difference between a cheap VPN and a good VPN?

Off the top of my head, I couldn't tell you what the, the price range is because I have mine set to auto pay, but I would say someone like, can I name drop a brand?

Sure.

I would say that NordVPN is a very familiar name in the space.

So I would say around whatever NordVPN is pricing at is relatively reasonable and what you can expect to pay for a good quality VPN.

Yeah, because I'm guessing that, you know, all these things, all these little costs add up and not everybody can afford to do those sorts of things.

But you're saying if at all possible, that's a wise investment.

Yes.

Okay, okay.

Well talk about some other things that you personally do to keep your data secure.

So some steps you take and if there are any steps and surprises a little bit.

I would say the first step is password security, right.

A lot of websites will have you put in a password with uppercase and lowercase and special characters and numbers.

But when it boils down to the basics, it really doesn't matter what the content of your password is, it only matters with the length is from the perspective of someone trying to crack your password.

So anything over 14 characters in length is what I personally consider, safe for me.

Everything exists on a scale of, security and convenience is what we like to say.

So, a 30 character password would be really secure, but not very convenient.

A five character password is super convenient, but not very secure.

So, 14 characters takes a considerable amount of time and effort for someone to be able to crack such that I don't think it's worth it for them to to try and get my information.

But it it comes down to, you know, how much convenience are you willing to give up to protect your data?

So, like, not writing down passwords, not relying on the notes app in your phone, to keep track of all your passwords sort of thing.

Beyond that.

Social media is another big one, and I'm going to step on a soapbox here, do it for just a minute.

There is so much data out there on the internet, and there is so much that we willingly put out there, that we freely give and freely give scammers and hackers access to, social media is one of the most prolific, sources of data for bad actors.

So I would say be really, really careful about what you post.

Really, really consider if it's worth the benefit that you're getting from that social media to, to give up that security.

And, well, what kind of information are you talking about?

So I would say family members, you know, common security questions.

What's your mother's maiden name?

Don't make that easy information to get to.

What's the name of your pet?

What was the name of your first grade teacher?

You know, people who are posting, you know, throwbacks.

And, you know, here's every car I've ever driven.

Well, that's a security confirmation question that you get when you attempt to to take a loan out.

Now, me personally, someone might not be able to take out a lot of loans in my name, you know, because my credit's not that great.

But that doesn't mean that I want to give someone that information super freely.

Yeah.

So what can someone like Jay and I, with little knowledge of cybersecurity technology, do to better protect their information?

I would say minimize the details of what you post.

If you still want to post, check your privacy settings.

Don't make everyone your friend.

Right.

Post about things like vacations if you're going to after they happen.

Yeah.

Don't let people know in advance.

Don't post sensitive information.

Just be really, really careful about scanning what it is that you're posting before you do so, because there's a lot of information in the background of photos that we don't really think about.

And in conjunction with other sources of data, it becomes really easy for somebody to be able to, to trick you into thinking that they know you, and that they have information that they would only be able to have if, if they were a, a relevant and, good actor.

So you're talking about social media and it may be think about some other trends that happen about these different, you know, apps that, you can manipulate through filters like, make you look different, like you scan your face in it, it can turn you into something else or whatever, how you feel about the stuff where you're, scanning your face or photos of yourself that you're uploading for that kind of manipulation.

So, this is, a personal sort of fear of mine.

And I think it's a healthy fear.

As we move into the world of AI more prominently, every piece of data that's out there can be used as training data for an AI.

So the more information, a learning algorithm has about my face, the better it can be at, predicting what my face will look like when I, you know, move my mouth to make certain words.

The better it is, it reproducing my likeness in a very scarily accurate way.

So you, for example, I would be really worried about, an AI being able to replicate your face, pretty clearly.

Great.

Well, that makes me feel super, Bast, I appreciate that.

Well, and also, voice, voice duplication as well, because there's a fair amount of my voice out there.

And I know that seems to be, Yeah, that was that was my target as well.

That was something we talked about in our, initial zoom call.

There are free tools available right now on the internet where someone can, take a training set of a person's voice, put it into, this program, and it will imitate your voice to the best of its ability.

And it can be done in, in real time, over a real time call.

So I could take your voice.

I could train a learning machine, and then I could call, for example, Macey, as you and I would attempt to imitate the cadence of your voice.

And this AI is going to essentially paste your voice over mine as best it can.

So you're giving answers to her questions, but she hears me.

Correct.

Truly terrifying.

Yikes.

Yeah.

Okay, let me, reset things just a little bit if you just tuned in.

I'm Jay Socol Along with Macey Litterst, you're listening to Brazos Matters.

Our guest today is Bast Schellhorn, a program specialist at Texas A&M Cyber Security Center.

Macey back to you.

I was wondering just how easy is it for someone to get into your emails, your social media accounts, anything that you have out there?

Well, there's plenty of free to use software, that I think most people comfortable using a computer could, learn to use in a day, that allows people to crack passwords.

Right?

That's that's the the easiest vector, because you start a program trying to crack a password and you leave it until it's finished, like, it's very hands off process.

So longer passwords make it harder.

Not clicking on spam links, is really, really important.

How do you spot a spam link, though?

I know it's hard because and we talked about the toll tags, text messages that we were getting a couple months ago, and it's easy to click on that because you're like, oh my goodness, I didn't pay something.

And you click on it and then it goes bad.

So phishing emails or smishing texts, most of the time they're relying on a sense of urgency, right.

Do this or else these consequences will happen.

Most of the time, if your bank or you know, your streaming service provider is contacting you, they're not going to be threatening you.

It's going it's going to be something more along the lines of, hey, this is something that needs to get taken care of, you know, please log into your account and fix this.

So I would say watch out for a sense of urgency.

Whenever you see something like that, try and take a moment, just to breathe and pause and think through it, because they're counting on you being reactive to it.

And then if you need to verify or check on something, don't go through an email link.

Don't go through a text link.

You know, if your bank contacts you open a new web browser.

Go directly to your bank's website.

Don't go through the email.

Don't go through a proxy.

I see like.

It's hard to remember that sometimes though.

Well, and I remember back when I worked for the City of College Station before coming here to KAMU, Periodically we would get people complaining about phone calls coming from the utility company saying, your account is delinquent, we're about to shut off your power.

Unless you pay in full right now.

Give me your credit card information or your your banking information.

And of course, we would have to put out messages saying we would never do that.

That's not how we communicate to our customers.

So what you're describing, makes a lot of sense in that same context.

Going back to I, are there like, how much has I complicated cyber security?

And do you and your peers talk about like, how much worse can this stuff get?

Oh for sure.

So not to fear monger, right?

But I do think it's something that people should be concerned about in a healthy way.

Currently, in the social engineering community, new attempts are being made, by hackers who are acting ethically to create AIS that will perform voice solicitation calls, scam calls automatically without having to be monitored.

And they're doing it with some success.

And these are people who are doing this in their free time, right?

As sort of a side project sort of thing, which makes me wonder what the bad actors already have at their disposal and the tools, that they have created when this is their full time job, it is becoming more and more prominent that we're seeing the use of AI.

In scams.

And I think it should be a concern because it allows the volume.

It allows the quantity of people who are, you know, receiving those solicited solicitations to increase.

It's not necessarily that the quality is going to increase with an AI, but scammers aren't relying on quality.

They're relying on sending out a wide net to hundreds of thousands of people and hoping that a handful fall for that scam.

That's how they make their money.

Is quantity over quality.

So I would be worried about the increased capacity that that I can provide.

Well, speaking of that, I am so interested to learn about Def Con and what it is and why people go to that.

Because when you told me about that originally, I was mind blown.

And that's actually a thing that people go to every year.

Absolutely.

So, Def Con is the largest hacking convention in the universe.

We like to say, it happens in Las Vegas every year.

And it is a collection of people, a lot of government, agents also attend Def Con.

It is a very collaborative environment.

Its intent is to share information, about well known threats and vulnerabilities, cutting edge in threats, in vulnerabilities.

People present research.

They're about new exploits that they have found and the danger that they pose.

But there's close collaboration between certain government entities and the hackers at Def Con.

It's all very aboveboard and in the spirit of helping everyone increase their cybersecurity posture, most of my time at Def Con is spent in the social engineering village, which is where the, the competitions take place.

For people who are who are making, those AI bots.

And none of that information is retained or used.

All of these competitors have to sign, you know, an ethics, an ethics contract.

But it's in an attempt to help create awareness of just how easy it is to, to with certain pieces of information for someone into thinking that you're a good actor and that it's okay to tell you certain things.

Yeah, well, that's interesting, because when you first told me about it, I had such negative feelings, I was like, why are people going to a conference to hack other people's like information?

But now that I know that there's not any like negative connotation is interesting, but what if what have you seen it?

Those Defcon conferences that has made you go, oh no, that's alarming.

So in the past couple of years, the things that I have seen at Defcon and, that scare me, the car hacking, especially as we get more and more vehicles, that can be autonomous.

I don't want to name drop any brands of cars, but, you know, I think we're all well aware, as we get more and more autonomous systems, we have to keep in mind that that is a vector that is a vulnerability.

If it can be hacked, that's quite a dangerous, you know, piece of, mechanical engineering on the road.

Satellite hacking is also something that happens at Defcon.

There are very wonderful sponsors who provided a satellite, for people to be able to, to practice on.

That scares me quite a bit.

Yeah.

You know, global communication relies, a little bit on satellites.

So a little bit of concern there.

And then the, the, the competitions in the social engineering village this year with the AI bots making the calls really scared me because some of these competitors were really, really good at making those voices sound eerily human.

Wow.

Oof!

Oh my goodness.

Okay, so so we're in the final stretch here.

I want to get back to maybe some of your top dos and don'ts recommendations, that most of us can take and and do something productive with.

Yeah, absolutely.

So I'm going to circle back to, to my soapbox.

Be careful what you post.

Be careful what information you are freely giving out.

Because your information is valuable to anybody who is, attempting to hack you.

Your passwords make them longer.

Don't write them down.

Pick a phrase is usually our recommendation.

You know, pick a phrase that you heard in childhood that's really easy for you to remember that.

No one could ever guess.

So don't use.

May the force be with you.

Don't use, a Bible verse.

Don't use something that's really prominent.

Especially if that's something you have posted on your social media.

That's one of the first things that a hacker is going to add to a database to attempt to crack, use something long and easy to remember that you don't have to write down.

Don't use public Wi-Fi if you can help it, and especially don't do anything sensitive on public Wi-Fi if you wouldn't want everybody looking at your screen seeing exactly what you're doing, don't do it on public Wi-Fi, such as Facebook information bank accounts.

Logging into your email is one that people don't think of very often.

You know, it's it's a very just natural thing like, oh, I'm going to check my email real quick.

And it's really easy to not realize that you're leaving that information out there and vulnerable.

If you can use a VPN, I highly recommend it, but do not use a free VPN.

If you can't afford a VPN, I. I would rather you go without a, a VPN than use a free one.

See?

Okay, so in about the final minute, your thoughts about, the security of our phones, of our smartphones and maybe wearable devices.

Oh, okay.

Speed round.

Yeah.

Sorry.

No, not at all.

I would say not just for phones, but for all electronic devices.

Do your updates, do them in a timely manner.

When your phone gets an update, it has security updates.

It has the newest vulnerabilities that your phone, manufacturer knows about.

So if you're not doing your updates in a timely manner, you're not getting those security, security updates and security patches.

So update often and, soon, for your wearable devices, Bluetooth is an incredibly unsecure, communication method.

So for those of you who get phone calls and text messages to your wearable devices, please keep in mind that people can see that people can access that.

And if you have, tap to pay on your wearable devices, that's something I'm not super comfortable with.

I won't say that it's dangerous or that people shouldn't, but it's outside of my personal realm of comfort.

I will never, use a wearable device to, to pay with, credit card information.

Mercy.

I know, my goodness, we could we could have, another conversation for another half hour, but best show hoard.

Thanks so much for being with us today and sharing some, some tips that I think we can all put into action.

Yeah, absolutely.

And if I could just drop one resource, for people who want more information in a very digestible fashion, stay safe online.org is a really great resource and I thank you all for having me on that.

Thank you.

Bast Schellhorn again.

Thanks.

Brazos Matters is a production of Aggieland's Public Radio 90.9 KAMU FM, a member of Texas A&M University's Division of Community Engagement.

For Macey Litterst I'm Jay Socol.

Thank you so much for watching and listening and we hope you have a great day.

And by the way, go online and check out all the archives for Brazos Matters.

Take care.