How to protect yourself against the next generation of cybersecurity threats

TRANSCRIPT

00:00:00:12 – 00:00:30:02
Eric O’Neill
This is not a technological problem. A lot of it is a human problem. You can’t solve it all with technology. You can’t solve it all by installing something. You have to be smart and protect yourself. The government’s not going to do it. The cybersecurity companies can’t 100% do it, but you can do it. If you think the way that these attackers think, you get in their heads and you recognize the attack when it’s coming.

00:00:30:04 – 00:00:53:16
Alex Cleanthous
This is Alex Cleanthous. And today we’re talking with Eric O’Neill, a cyber security expert who worked as an FBI counterterrorism and counterintelligence operative and helped capture the most notorious spy in U.S. history. In this episode, we talk about the next generation of cyber security threats and how you can protect yourself in an increasingly dangerous cyber world. I hope you enjoy this episode, and make sure to subscribe to get the latest episodes as soon as they’re released.00:00:53:18 – 00:00:56:00
Alex Cleanthous
Hello, Eric, how are you today?

00:00:56:04 – 00:01:03:14
Eric O’Neill
I’m doing great, Alex. It’s, a little late here over in the, East Coast of the United States, but I’m, eager to get into this.

00:01:03:15 – 00:01:23:22
Alex Cleanthous
Yeah, yeah. Fantastic. Now, you, part of, a story that happened back in 2001. And in regards to capturing the most notorious spy, I believe, in the history of the U.S.. Is that right? Like, I’d love to just stop with that story because I started just to consume all the information. I thought, all right, this is going to be a great place to start.

00:01:23:22 – 00:01:25:12
Alex Cleanthous
So let’s start there.

00:01:25:14 – 00:01:49:24
Eric O’Neill
You know, that’s my kind of claim to fame. I’m happy to start there. Robert Hanssen was a, senior FBI official. He was a supervisory special agent at one point. He was a section chief. So he was very high up in the echelon of the FBI. He was also the top analyst for the Soviet Union back when there was a Soviet Union, and then continued to be an analyst looking at Russian spies and trying to hunt them down.

00:01:50:01 – 00:02:10:19
Eric O’Neill
He was also the top mole in the entire U.S. intelligence community for over 22 years. So he was selling secrets from very early in his career, like, I think he was in three years as a special agent before he volunteered his services to the Soviet Union and continued for over two decades. And during that time, he gave some of the most damaging secrets that have ever been given to a foreign power.

00:02:10:19 – 00:02:38:23
Eric O’Neill
And he didn’t just steal from the FBI. He was able to get on task forces with other agencies and steal from them as well, which masked where he was actually taking the secrets and made it harder for the Russians to even know who he was. So by hiding his identity, he was able to have one of the longest records of espionage in the U.S. he was certainly the most damaging spy in FBI’s history, and he goes down as one of the most damaging spies in all of U.S. history.

00:02:39:00 – 00:02:48:20
Alex Cleanthous
And so what was your role there? Because it’s a pretty interesting story. Yeah. If you could just kind of kind of set the scene right, because I believe that you’re around 25 years old at the time.

00:02:48:22 – 00:03:06:09
Eric O’Neill
Yeah, I was I was 26, 27. Right. So, it was by the time the case was done right after I turned 27. So I was young by, by the standards of someone who’s going to go undercover to catch the biggest spy in FBI’s history, but kind of the right person in the right place at the right time.

00:03:06:11 – 00:03:27:18
Eric O’Neill
And one of the few people who could do this. Let me explain why Hanssen was a huge conundrum for the FBI. First of all, they’d gone after this mole that they only knew from, a code name, which was gray suit. So they called this mole gray suit because they had no idea who it was, who they were, whether it was even a he or she and where they were in what agency.

00:03:27:20 – 00:03:53:13
Eric O’Neill
All they knew is we were losing intelligence secrets. The Russians were eating our lunch. We lost all of our spies in Russia between the years of 84 and 85. So we were completely blind to intelligence work. So there was a mole somewhere. So they gave this person the codename called M gray suit, and there was this two decade mole hunt at the very end, the very end of Hanson’s career in December 2000 when he was about to retire.

00:03:53:17 – 00:04:23:20
Eric O’Neill
So he was going to retire in April. 25 year pension gold watch. Get out of there. Go take a job somewhere else. We learned from a former KGB source that was recruited and that still happens. Enough information that was circumstantial, but pointed right at Hanssen and hard dropped in the FBI because not only was he the most damaging spy in the history, he was also at one point asked, as the top Soviet analyst specialist, to catch Grayson, he was asked to catch himself.

00:04:23:22 – 00:04:41:11
Eric O’Neill
So, I mean, that’s the perfect place if you’re a spy, right? I mean, it doesn’t get any better than that. And he was about to retire. So how do they keep him there? And they thought this case would go 1 or 2 years, because spies take that long sometimes to make major drops. And they wanted to catch him in the act of espionage, continuing to spy.

00:04:41:17 – 00:05:05:00
Eric O’Neill
So they gave him his dream job. They built an entire section in the FBI called the Information Assurance Section, and that was the FBI’s first real department that handled cybersecurity. And they put Hanssen in charge of it. Hanssen, who had stolen secrets from the FBI for all this time and was one of the first spies to steal data, stealing it from computer systems that were never built to defend from inside any.

00:05:05:00 – 00:05:25:21
Eric O’Neill
And actually his earliest job, some of his earliest drops were on floppy disks, those old like five and a quarter, you know, floppy five pop up. And then he moved to the like three and a half, which was a little stiffer. And, and then, you know, we got him before he could move the thumb drives. So they put him in charge of cybersecurity, and they needed someone who knew how to hunt a spy and also knew how to turn a computer on.

00:05:25:23 – 00:05:48:18
Eric O’Neill
And in these legions of special agents who were specially trained to go undercover face to face against the spy, I never was trained to do that. I was a ghost, so I was clandestine. I use disguises and telephoto lenses and thermal imagers and all this kind of stuff to never actually be seen by my target. Well, none of those guys knew how to turn a computer on and sell the idea for building cybersecurity for the FBI.

00:05:48:18 – 00:06:05:11
Eric O’Neill
But I was one of those, you know, good guy hackers playing with security writing programs back then. And they said, this guy can do it, and threw me in there and sort of shook this secret office in room 9930 and FBI headquarters up and down. And Hope day won, and I did.

00:06:05:13 – 00:06:12:19
Alex Cleanthous
And you did. And it’s a movie. I think the movie came out in 2008, with Ryan Flip and the other guy’s name.

00:06:12:21 – 00:06:28:04
Eric O’Neill
That’s right. So Ryan Phillippe plays me, and we’re close to the same age. He’s like a year younger, so he, he had a lot of fun with it. He’s like, I always play these old guys. I never get to play someone who’s a contemporary. Right. Chris Cooper plays, Robert Hanssen, and it was a masterful performance.

00:06:28:06 – 00:06:37:01
Eric O’Neill
And then Laura Linney plays my handler. There’s Dennis Haysbert. He plays the supervisory special agent in charge of everything, and it’s an all star cast. It’s a really great movie.

00:06:37:03 – 00:06:51:22
Alex Cleanthous
And so what an interesting, place to kind of almost start a career in cybersecurity. Right? And so you yes, you were one of the people who could turn on a computer. And I actually just remembers what a floppy disk was, actually, that just kind of just brought me back, you know, like back, back.

00:06:51:22 – 00:07:02:00
Eric O’Neill
And my kids have no idea what that is. I mean, they don’t even know what a disk drives are, much like, what do you what do you do with a DVD at this point? So technology changes so fast.

00:07:02:00 – 00:07:20:03
Alex Cleanthous
So what did you learn from the FBI that led you into, the cyber security space? Because obviously, I mean, that was at the very start, and it’s just accelerated. I mean, I’ve had conversations even, I think even as late as yesterday about kind of software to stop kind of some phishing attempts or whatever. Right? Like it’s becoming such a big thing.

00:07:20:03 – 00:07:29:04
Alex Cleanthous
Yeah. So how did you kind of transition and, and what have you seen over the two decades? In terms of how much more it’s become sophisticated and harder and so on?

00:07:29:06 – 00:07:50:03
Eric O’Neill
Yeah. Well, I, I got my start, you know, cybersecurity the first time that I’d really dip my toe in cybersecurity as a science was working with a spy in a, in a overt job where my cover job was really don’t build cybersecurity for the FBI. It was find out the secrets that will lead us to catching Hanssen. You know, so so I had to do both jobs.

00:07:50:03 – 00:08:08:24
Eric O’Neill
And Hanssen really didn’t do a lot of work. He was brilliant, but he wasn’t much. And doing work, it was more of like, this is what we need and I would have to go do it. So I was actually doing a lot of the work to actually build cybersecurity. I left the FBI and I became an attorney. I was also going to law school at night while this was all happening, which is not what anyone should ever do.

00:08:08:24 – 00:08:23:24
Eric O’Neill
Don’t try and catch a scam, catch a spy, work for the FBI and go to law school every night. It’s just it’s a miserable experience. And I was married and newly married and had only been married three months when I was put on this case. So at the end of the case, I was completely burned out, I won, that was great.

00:08:23:24 – 00:08:41:00
Eric O’Neill
I was it was time for me to go and see what I could do next with this law degree. I left and I started practicing law. I did national security and government contracts law. I wasn’t quite in cybersecurity, but cybersecurity and law weren’t really connected yet. And after about five years of the big firm, I decided to start my own company.

00:08:41:02 – 00:09:15:18
Eric O’Neill
I started the Georgetown Group, which does some cybersecurity. We do forensics and we do some cyber advisory work, but it was mostly, working in the the realm of competitive intelligence, giving our clients an advantage, helping them trust, you know, other parties they’re going to work with or personnel that they’re bringing in, all that kind of stuff. And as I was doing that and the movie breach came out and I started becoming a public speaker, I realized that there’s something missing in cyber security, and it was something I had that so many of the solutions were focused on just technology to solve a technological problem.

00:09:15:20 – 00:09:40:17
Eric O’Neill
But the problem wasn’t technology. The problem was people. And what was happening was these spies. Right? And this is the theme of my book Gray Day, really, is that there are no hackers. There are only spies that spies had evolved those cloak and dagger days of old. When I started at the FBI with dead drops and signal sites and clandestine meets and, you know, shadowy corners had been thrown to the wayside by technology.

00:09:40:17 – 00:09:59:22
Eric O’Neill
It was much easier to sit in Moscow as a Russian intelligence operative and just launch a cyber attack against a person. Spearfish them, steal their identity and become them within a data environment, and steal all their data without ever leaving the comforts of home. You don’t have diplomatic cover. You don’t have to go do big, big, long recruitments.

00:09:59:22 – 00:10:22:12
Eric O’Neill
You just steal. So now espionage is pure cyber theft. And criminals have learned from spies and gotten really good at this. So I realized what I bring is a whole history of counterintelligence. That’s what I learn. I’m a spy hunter. I know how to how to identify the bad guys, find them, follow the breadcrumbs, follow the trails and catch them.

00:10:22:14 – 00:10:35:09
Eric O’Neill
And that’s something cybersecurity needed. And now cybersecurity is all counterintelligence. It’s all threat hunting. That’s the best in breed. Cybersecurity is looking for the threat actively, not passively layering defenses to try to stop it from coming in.

00:10:35:11 – 00:10:57:07
Alex Cleanthous
So you talk about threat hunting versus hacking and then spies, right? So let’s just talk quickly about spies versus hackers, right. Because I feel like, you know, like if someone thinks I’m going to get hacked, they’re thinking of somebody at home, some third world country, they know the phantom software online. So some installed some software on someone’s computer.

00:10:57:09 – 00:11:04:17
Alex Cleanthous
Right. Names more, kind of lucky instead of more intent based. Right. So it seems like, you know.

00:11:04:19 – 00:11:07:11
Eric O’Neill
Yeah, we need to elevate the way we think it’s right.

00:11:07:11 – 00:11:10:17
Alex Cleanthous
Can we just explain that, please? Because I think my my stupid.

00:11:10:20 – 00:11:29:08
Eric O’Neill
Yeah, yeah, my soapbox, Alex, is all about elevating people’s thinking to understand the threat. If we don’t even understand the threat, then how are we going to defeat it? Because you have to know your adversary. Because otherwise you have no idea how to stop them. So I play this game when I’m doing a keynote, I’ll do a keynote for 3000 people, and I’ll play this game, and it’s always the same fun game.

00:11:29:08 – 00:11:56:07
Eric O’Neill
So I’ll play it with your audience here. You know, if I’m going to say a word and put in your head the image you get from that word and bear in mind, like Hollywood and, and TVs, you just sort of reinforces this hacker. Right? Okay. See, if I’m right. Bear with me here. Alex, am I right? Did you think about some kid in a basement, you know, black hoodie on like this, tapping away at a keyboard?

00:11:56:13 – 00:12:21:06
Eric O’Neill
You know, grandma yells from upstairs. He’s pounds an energy drink. He’s eat some bad carbs, and he clicks one key. And what is he say? Every single time I’m in into what? I mean, that’s like magic, right? It doesn’t happen like that. What actually is happening are these sophisticated, what I call a cyber crime syndicates are using the dark web as cover, so they’re completely anonymous.

00:12:21:11 – 00:12:48:07
Eric O’Neill
They can get paid through cryptocurrency channels that are difficult, even for law enforcement to trace. And they’re built like businesses. They have entire business verticals. They have payroll. They’re going to pay their bad guys. They have ways to bring in money. So they have a finance team. They have a help desk. If they lock you with ransomware and you pay, they actually have individuals who are part of a helpdesk, which will help you decrypt their malicious code.

00:12:48:09 – 00:13:07:09
Eric O’Neill
And they even have call centers, darkweb call centers, where there are people who are just trained on scripts to impersonate people or to trick people or to fool people, and they just make phone calls. They can buy the same phone list that telemarketers buy, or they can just buy whole identities for pennies off the dark web and learn all about you, and then call us your brother.

00:13:07:11 – 00:13:24:12
Eric O’Neill
And this is getting worse and worse. So by elevating our thinking, we’re not thinking is some kid in the basement everywhere. It’s sort of like a drive by. Oh, I was unfortunate. They’re actually targeting us, and they don’t care who you are, and they don’t care what you do or how much money you make or how prominent your business is or you are.

00:13:24:15 – 00:13:30:01
Eric O’Neill
They only care if you’re vulnerable. So if you’re vulnerable, you are going to get attacked.

00:13:30:03 – 00:13:38:00
Alex Cleanthous
I did think about, the guy in the hoodie, by the way. That’s exactly. Yeah. Everybody that’s literally the first thing I thought I actually did that one of the his meme for hackers.

00:13:38:00 – 00:13:43:21
Eric O’Neill
But that’s why I don’t like the term. Like when I think of a hacker, when someone says hacker, I think of all my friends.

00:13:43:23 – 00:13:44:21
Alex Cleanthous
Yeah, sure. Oh, who.

00:13:45:00 – 00:14:05:09
Eric O’Neill
Who were, you know, playing with security, finding ways to break it, to make it stronger. And now they all work for cybersecurity companies. For me, that’s those are the hackers, the good guys. They were the white House. The bad guys for me are cyber criminals, cyber spies, cyber terrorists, cyber activists. Right. Who are who are breaking, destroying, stealing and that’s who we’re up against.

00:14:05:11 – 00:14:29:16
Alex Cleanthous
I have so many questions. I want to keep it structured here. You talk about kind of endpoint security, right? Because there’s always security and there’s always a gap in security in some point. Right. And I think I want to try and stay away. Well, I don’t know if we should even talk about it, but like there are some companies who are so lax with their security, like they will have like kind of, oh, essentially everything is in, so everything is the same password.

00:14:29:16 – 00:14:45:06
Alex Cleanthous
I think some, somebody basically emailed us a client of ours. I think the email was basically all their password just by email. Right. And they all had the same passwords and so on. So I don’t know if we need to talk about that super simple stuff, but oh, we think possibly we should. But then it goes advanced from there.

00:14:45:06 – 00:15:09:10
Alex Cleanthous
Right. So maybe we start from the simple. Right. Because I think everyone just has like if I say like another password that is say for example, a four zeros or something like that, it’s going to kill me, right? Right. But I think start from the basics and then like, like I think just to explain to people kind of how the simple things are risks and kind of how they can start to protect themselves, because I think everyone like it seems to fit into the too hot basket.

00:15:09:12 – 00:15:20:20
Alex Cleanthous
That’s for my nephew. That’s for my kid. That’s for my cousin. He’s like, you know, that’s outside of my pay grade or whatever else it is. Right? So could you talk about, like, the layers of security, please? Yeah.

00:15:21:01 – 00:15:45:16
Eric O’Neill
So look, the most basic level is in security. Are the things that everybody misses and they’re the things that will save you. Passwords are useless. And here’s why. People have the same password and they use the same password across multiple accounts. So for example, you might think of this beautifully long password, which is the first line from the book that you logged in as a child backwards with an exclamation point right in the middle.

00:15:45:16 – 00:16:00:19
Eric O’Neill
And no one’s ever going to guess that password, but you use it for your work. You use it for your Gmail account, you use it for your email account. You use it for, you know, the login to the ice cream store. You use it for the login to this and that, and somebody along the way has lost your username and password in a breach.

00:16:00:19 – 00:16:21:05
Eric O’Neill
And now it’s on the dark web and it’s just been purchased and some attacker grabs a bunch of these and just tries it in places. So now they’ve got your password in there into all these places. So relying on a password alone means you’ve already lost this cyber war. It’s over. What has to happen? Everyone has to do the most basic thing you can do to protect yourself against the majority of attacks.

00:16:21:07 – 00:16:44:05
Eric O’Neill
Make it hard for attackers to compromise you is turn on two factor authentication. That’s the easiest place to start. I have it on everywhere. If I open it, if I open an account with somebody and they don’t have it, I close the account. I go somewhere else because I just don’t trust my passwords. Passwords can be guessed, and computers are getting so sophisticated and fast that now they can crack password pretty quickly.

00:16:44:07 – 00:17:10:06
Eric O’Neill
Unless you’re using special encrypted technology, which we’re not all using, that password can get cracked. They can also go on social media and learn a lot about you and the ones that are very savvy are going to guess your password pretty fast. So use two factor authentication everywhere. And for those who don’t really recognize what that means, that’s where you know you enter your password and then it sends you a text to your phone, or you enter your password and then it says open your authenticator app on your phone, which is kind of the best.

00:17:10:08 – 00:17:31:05
Eric O’Neill
And it gives you that one time code that you plug in. That code is golden. That code is what saves you because bad guys don’t have it. They can they can try and guess your password. But without that they can’t get in. That’s why you often see when you have your two factor turned on. For a big accounts like Microsoft Hotmail or Gmail, you occasionally get it.

00:17:31:07 – 00:17:46:23
Eric O’Neill
You know, here’s your code, here’s your code. That means someone has your password. They’re trying to get into your account, but they don’t have your code. So you don’t want to give them your code. Right? And that means that everything’s working. You can go change your password. They’re going to get your new password eventually. But that means things are working.

00:17:47:01 – 00:18:05:07
Eric O’Neill
So those are two of the biggest things that the the number one and to success. Well, cyber attacks like 99% of them come because of a flaw or a vulnerability that you didn’t patch. And the rest of them come because of spear phishing. So that vulnerability means I didn’t patch my stuff. You know, I don’t feel like updating.

00:18:05:07 – 00:18:27:13
Eric O’Neill
Well, normally when you know your phone or your computer, you know your your operating system send you out like you should update or, you know, sometimes they say critical update, sometimes they they’re a little more, trite. They say we’re just squashing a few bugs. Well, those bugs could be a serious vulnerability that attackers can use. So you want to update and patch your stuff as soon as you can.

00:18:27:13 – 00:19:04:18
Eric O’Neill
Organizations are terrible at this. Attackers know that, the amount of time between, say, a big vendor saying we have a patch and it’s a critical update to an organization or organization. Patching is an average of three months. That means when the when the, attacker sees that, you know, a big company has issued a patch, they go and find all the companies that use that company as a vendor or as an application, and they start attacking them to try to exploit the vulnerability, knowing that it takes a long time to patch, sometimes within 24 hours.

00:19:04:20 – 00:19:25:11
Eric O’Neill
The other thing is spear phishing. The only way to really stop spearfishing is turn on two factor authentication. 25% of successful attacks are because of spear phishing. That’s that email that completely fails you. It’s an impersonation attack and you, for whatever reason, trust that it’s true. And you open a link or you click on an attachment and it has malicious code that infects your computer.

00:19:25:13 – 00:19:34:03
Eric O’Neill
And by the way, no matter how much training you do, 25% of people will open that email and click that link. So it’s a 2525 roll.

00:19:34:05 – 00:19:51:17
Alex Cleanthous
Okay, I love this so far because this is like, this is something that everybody can actually do, which is great. So first of all, you know, don’t just use passwords. Turn on kind of two factor authentication. The second thing, the the second thing is update all your software. Yeah. So I would say like I’m no hacker, but I’m kind of more kind of technical than most people I know.

00:19:51:17 – 00:20:04:19
Alex Cleanthous
So they come to me, I fix their computers, I update their stuff. If they get stuck, they come to me. The amount of people that just keeps skip on that update is it just hurts me. I look at the computer, I’m like, can you just please hit yes next time? Is there something in people’s heads where they just don’t hit?

00:20:04:19 – 00:20:08:06
Alex Cleanthous
Yes. Right. But there’s there’s something which you can say to them, just.

00:20:08:06 – 00:20:26:07
Eric O’Neill
Like what it is, is there’s this fear. They’re like, well, if I update then, you know, I’m an early adopter of the patch and things might go wrong. And you know, what happened with CrowdStrike kind of reinforced this fallacy. But for the most part, updating is a good thing. I just turn on auto update, I have all my stuff turned to auto update, so I don’t have to worry about it.

00:20:26:07 – 00:20:41:24
Eric O’Neill
I plug it in at night and it like happens. And the next morning I say we’ve updated to the latest version. I’m like, this is great, but that is safer than not updating at all. There will occasionally be the time where there’s a problem with an update and it glitches, and you’ve got to roll it back, and that’s a pain in the butt.

00:20:41:24 – 00:20:58:10
Eric O’Neill
But it’s much better to have your systems updated to the most secure version and not fall prey to a drive by attack, or someone who’s targeting you because they assume you have an updated attack. Then to, then to not have it updated at all.

00:20:58:12 – 00:21:08:19
Alex Cleanthous
So is there any way that that people can get past the two factor authentication? It seems pretty secure, but I’m not the expert. I’m not saying they can tell if an attacker would they get past it. Yeah.

00:21:08:19 – 00:21:31:18
Eric O’Neill
So I wanted to attack you. Right. And leverage your two factor authentication. I would spoof you. So what I would do is I would send you a spear phishing email that that looked like it came from your bank and looked very legitimate and said, you know, you want to put someone in a crisis. Your accounts been compromised. We noticed this charge for $460.

00:21:31:20 – 00:21:49:06
Eric O’Neill
You know, if you dispute the charge, click here and we’ll send you to the fraud department so that you, you know, you don’t have to pay, basically. You know, it’s a lot more clever than that, but it’s worded well, and I is helping criminals. The grammar’s perfect misspellings. Perfect. They can translate it into any language. The logos look crisp and nice.

00:21:49:08 – 00:22:07:24
Eric O’Neill
So you get this email and you think, oh no, I, I’m going to be in trouble. I, you know, so you click through but you’ve got two factor authentication. You enter your password and your you enter your password, you your username, and you enter your password and then the fake website they’ve created opens up the next window.

00:22:08:01 – 00:22:29:21
Eric O’Neill
So now they’ve taken they’ve grabbed your username and password and their mock website. It’s not really your bank. And then it says enter your two factor authentication. And so you enter it thinking that you’re on your bank’s website, but you’re not you’re on that website. The attacker controls on a, on another screen. They’re now in your bank logging in with your username password.

00:22:29:21 – 00:22:51:14
Eric O’Neill
And then once you give them your two factor number, they plug it right in. And they’re in your bank account now. So yes, they can. You have to also be very careful not to click on the links, not to open those attachments. If you receive something like that from your bank or a delivery service, or your favorite food service or anything, you know, it’s great.

00:22:51:14 – 00:22:59:22
Eric O’Neill
It links convenient, but just close it and and then go directly to that company in the browser. Log in to your account that way so you know you’re in a secure browser.

00:22:59:22 – 00:23:21:10
Alex Cleanthous
Well so the summary is be careful on the emails that you open. I mean, I always like to see, the from address, right. Because sometimes, like they hide it. But if you kind of. Yeah, but if you mouse over the link or if you have a look inside of the actual email and have a look at the from and expand that out, it actually says something that is not actually the bank, but it looks very, very similar to the bank.

00:23:21:10 – 00:23:22:14
Alex Cleanthous
So the very out of that.

00:23:22:14 – 00:23:59:23
Eric O’Neill
That they, they will register domains that look very similar to the bank’s domain. Now, you know, and they get very clever. There was an attack using Amazon. And so people would go to what they thought was Amazon.com. Right. But the middle A was actually a Cyrillic A, it just looks like a, like a, an English A and so, if you actually grabbed the if you were to grab it out of the, the browser, copy it and paste it in a word document, it would be underlined red because that’s Cyrillic A is actually like an I, I think in and a US keyboard.

00:24:00:00 – 00:24:18:05
Eric O’Neill
But you don’t know when you’re looking at it. You think you’re at Amazon now? It would have to be a pretty good site, but in my forthcoming book, right, which is coming out next year, The Invisible Threat, I talk about the need to be an email archeologist. Right? Not, you know, the kind that’s dusting those beans bones carefully, like looking through that email.

00:24:18:05 – 00:24:37:02
Eric O’Neill
Because email is such a dangerous thing. Email is the prime vector of attack for cyber criminals, but cyber spies use it too. So we have to be careful when we’re an email. It’s not really a safe environment. It’s one where we have to take care. You know, maybe you’re maybe you’re the kind of archeologist that, you know, wears a fedora and carries a page.

00:24:37:03 – 00:24:42:15
Eric O’Neill
You know, you got to be you got to be really on top of things and in charge of, of your own data.

00:24:42:17 – 00:25:06:10
Alex Cleanthous
Sometimes it’s emails that have attachments that, some PDFs. Right. Or sometimes there’s like a link. Right. And I did remember saying some interview, maybe it was with S, maybe it was with Edward Snowden on the Joe Rogan podcast. And he said that sometimes, basically just essentially just hitting on a link is enough that they can install something on your computer that can actually start to track the keystrokes or to send information back, and so on.

00:25:06:12 – 00:25:08:20
Alex Cleanthous
How much of a risk is that these days?

00:25:08:22 – 00:25:34:08
Eric O’Neill
No, it still happens. So what happens is you open a link and then it opens your web browser, and then the attacker is using malware to scan your web browser and see if there’s a vulnerability. And they use that as a way to get into your system. So opening those links can be troublesome. But but more likely is what happens is you’ve just opened a opened a link to a spoofed website, a fake website that the attacker controls.

00:25:34:10 – 00:25:35:03
Alex Cleanthous
That’s more like.

00:25:35:04 – 00:26:00:03
Eric O’Neill
You’re in somewhere trusted, right? You know, it’s a little bit more, sophisticated where there are ways, there are linked list attacks. You know, that. But that’s that’s at a level of sophistication where most cyber criminals aren’t going to be doing that. And it’s not as much of a threat as the very basic things that work so well, you know, why do they have to go to that next level they really want they really have to want to come after you to use some of those.

00:26:00:03 – 00:26:13:24
Alex Cleanthous
And we’re going to come back to that in a second, because that is a question I have. But so Apple versus Microsoft, like, is there a kind of more secure platform or is it just that, yeah, there’s one that seems to just have like a lot more kind of popularity of hackers and others?

00:26:14:04 – 00:26:41:17
Eric O’Neill
Well, Microsoft right now has windows has what, 73% of the market share in the globally. Apple, which is much more secure, has 13%. I use a mac. I just like the operating system more a better the the operating system is more secure. Their endpoint security that’s built in is better there. They don’t well, they don’t give access the same way that Microsoft does to the kernel, which is, you know, sort of the center central processing part of the computer.

00:26:41:19 – 00:27:02:08
Eric O’Neill
That that happens at boot up, which is what caused the CrowdStrike problem. So yes, there are operating systems that are more secure, but Microsoft is also a big protest. When you’re in business, you’re pretty much in a windows box. Even if you’re on a mac, you’re using word, you’re not using pages. The world uses word and PowerPoint in Excel, so you can’t really get away from it.

00:27:02:08 – 00:27:18:09
Eric O’Neill
Microsoft could do better every once in a while, and, you know, in a post or an op ed, I kind of come after them because they really could do better, and they should do better because they’ve got so much of the market. The best way to be secure is to take care of yourself. You can’t just trust an operating system.

00:27:18:09 – 00:27:22:23
Eric O’Neill
I, I run a cyber security suite on my Mac. Right.

00:27:23:00 – 00:27:24:01
Alex Cleanthous
Which one do you use?

00:27:24:03 – 00:27:46:11
Eric O’Neill
You have to do it on windows. I use a it’s called AB avg antivirus, but it has a cyber security suite. It has ransomware detector, it has a phishing detector, and it catches. The nice thing is that it catches the, the, the obvious malware spear phishing links in my mailbox before I even see them, which is the way you want it.

00:27:46:11 – 00:28:02:22
Eric O’Neill
You want it to be gone before you even, like, have a chance to be to be caught. But there are many like that. There are there are really good ones out there. And for, you know, this is for like single users, if you want to go like the Norton route, you get LifeLock. They’re really good and there are plenty out there for the consumer.

00:28:02:24 – 00:28:20:17
Eric O’Neill
Then at the enterprise level, you know, you want to go to something that’s more robust and that’s all architecture based. Like how global are you? How many computer systems are you defending? They’re it’s less about like, who do you use? Right. Look, I still think CrowdStrike is a great product, even though they had that horrible problem.

00:28:20:22 – 00:28:39:08
Eric O’Neill
Sometimes when companies have terrible problems like that, they come back a little better. But they’ve got so many competitors that are also at that high end. Well, it’s important if you’re an enterprise, if you’re a business is you want to have what’s called endpoint security. Even my little cyber security suite for my personal computer is leveraging endpoint security.

00:28:39:10 – 00:29:03:05
Eric O’Neill
And endpoint security is a sensor that runs on your system, and it’s looking at everything that’s trying to execute right to your endpoint. My laptop’s an endpoint. Your laptop’s an endpoint. Our phones are endpoints. They’re just the devices that’s closest to the human that’s going to access data through that endpoint, the device. And at the other end is your data that’s sitting on a server somewhere, like in the cloud or a network or on a hard drive.

00:29:03:07 – 00:29:19:10
Eric O’Neill
So you want to protect the endpoint. And so that’s really for business. That’s basic. And that’s part of this, you know, we’re getting really into it. But that’s part of the science in cybersecurity called zero trust. Like we’re not going to trust anything unless we say it’s good, right. That’s what your technology needs to do for you.

00:29:19:16 – 00:29:39:18
Eric O’Neill
So when someone breaches you and they try to execute something on your machine, that endpoint says, and it stops it. It’s like a bouncer at a club, you know, with a list. And if you’re not on the list, you don’t get in. Right? I don’t care how beautiful you are or how well-dressed you are, how much money it looks like you, how you’re not getting in this club because you’re not on the list, and I’m so much bigger than you.

00:29:39:24 – 00:29:47:07
Eric O’Neill
It’s not going to happen. And then you can take it to next level. So it’s end point plus this and that. And you know you look at network security and and all the things you need to do.

00:29:47:11 – 00:29:55:12
Alex Cleanthous
So is two factor authentication enough or should people also have the endpoint security side for example like the avg.

00:29:55:14 – 00:30:08:05
Eric O’Neill
Yes. So you you do want to you do want to install something on your computer. You don’t necessarily have to install a the cyber security suite on, say, your phone because the operating system just works differently.

00:30:08:05 – 00:30:09:19
Alex Cleanthous
I was going to ask you about phones next.

00:30:09:21 – 00:30:28:15
Eric O’Neill
However. Yes, I endorse the use of a VPN. Like, ExpressVPN or NordVPN. There are a lot out there you want. The only thing you’d want to do is when you when you pick a V, when you choose a VPN, and that masks your IP address. So when you’re on your phone and you’re in the airport, you want to turn your VPN on.

00:30:28:15 – 00:30:48:04
Eric O’Neill
When you’re ever you’re in a hotel room because, hotel Wi-Fi is particularly able to be attacked, and now they can get everybody who connects to the hotel. You want to turn your VPN on because it’ll mask your identity. They won’t know who you are, where you are. You’re like, they see you and they think you, this guy sitting in Berlin when you’re, you know, over here in Washington DC.

00:30:48:06 – 00:31:01:05
Eric O’Neill
So that VPN is pretty critical when you’re traveling. I use a VPN on my home computer, too. You know, you you purchase the yearly subscription, they give you like five devices. You can put it on and you just stack it on everything that you can.

00:31:01:11 – 00:31:16:11
Alex Cleanthous
Yeah. For sure. I mean, like I’m in the crypto space as well. And so that’s the place where you need to be secure it up to the hilt and, oh, absolutely. Yeah. It’s a VPNs. I was always told, install a VPN. So I have like VPNs everywhere. I’ve got, like on my phone, on my computer, everywhere.

00:31:16:11 – 00:31:29:08
Alex Cleanthous
But can you explain how a VPN actually protects people from kind of, yeah, just from all this stuff, because I install it and I get I should install it, but how does it stop? You know, it’s a bad one.

00:31:29:13 – 00:31:49:15
Eric O’Neill
Yeah, one. It hides your traffic. So the the most important reason to have a VPN is your ISP, your internet service provider, doesn’t know what what you’re surfing because they can your ISP can log the website you visit, and you don’t want them to know that I mean, that’s your private data. You don’t want them to know what you’re looking at.

00:31:49:15 – 00:32:04:11
Eric O’Neill
I mean, maybe, you know, you’ve just found out you have cancer and you’re doing a lot of research on it. You don’t want your ISP to know that because you know, those can they can get breach too. Or, you know, law enforcement can ask for that. So a VPN can help you match that. It also match your identity.

00:32:04:11 – 00:32:22:14
Eric O’Neill
So your IP address is hard to pin down. That makes it a little harder for an attacker to, to breach your device. And, you know, phones are a little harder, but even your computer. So if you’re using a VPN, you’re masking who you are on that Wi-Fi network. So it’s harder for them to pin down your IP address and attack you through Wi-Fi.

00:32:22:16 – 00:32:34:04
Eric O’Neill
So it’s a good reason to have all that. But look, I the biggest reason is for privacy. It it makes your browsing more private. The things that you’re doing online more private. And we all could use a lot more of that.

00:32:34:06 – 00:32:46:00
Alex Cleanthous
Yeah, I noticed that there are some sites that I try to visit, I think even sometimes like Amazon or Instagram, where they say, sorry, I can tell you from a VPN this untrusted traffic, I’m like, you guys just want to track everything.

00:32:46:02 – 00:33:04:17
Eric O’Neill
Yeah, well, they do want to track everything, and they don’t want you logging on a VPN like Netflix is notorious. They’re very good at spotting whether you’re on a VPN. And, yeah, because, you know, I travel overseas and I log into one like a Netflix account or an Amazon account. And, you know, sometimes it’s like you can’t see this, this stuff here.

00:33:04:17 – 00:33:10:20
Eric O’Neill
And so, you know, then you go on the VPN and you just start switching countries until it kind of tricks it. I can watch my stuff again, you know.

00:33:10:20 – 00:33:12:01
Alex Cleanthous
Yeah, I.

00:33:12:03 – 00:33:37:09
Eric O’Neill
But but you know, there’s a lot of work to make sure that people aren’t doing it so that they can’t hide. Look, I use VPN, my wife is German and, my kids all speak German and there’s all these, German TV apps that, you know, it’s it’s the same as sitting down and watching TV in Germany. And I found a way to install a VPN on my router that makes the router think we’re in Germany, so she can load all those apps and watch them, and everybody’s super happy.

00:33:37:11 – 00:33:45:03
Eric O’Neill
You know, it’s made public. It’s public. TV channels, but it should be a everyone should be able to to see it. But the VPN allows it to happen.

00:33:45:05 – 00:34:00:21
Alex Cleanthous
And I think also, because this is, a story that the one of our developers actually kind of shared internally was like, sometimes at airports, the hackers will set up a fake Wi-Fi and it will sound like it’s like the airport. And so then you log in for free and then they just extract everything from you.

00:34:00:23 – 00:34:37:05
Eric O’Neill
Yeah. You want to be very careful of evil Wi-Fi. So the evil Wi-Fi, it was weather. Here’s a great story. There was a there was a coffee shop at Starbucks that was having a problem, and people were complaining that they kept getting breached every time they went in the coffee shop. And when some forensics was actually done to see what was going on, it turned out that the guy who lived in the apartment right next to the Starbucks had had grabbed a powerful Wi-Fi router and slapped it against the adjoining wall and was was transmitting his own Wi-Fi with the SS, ID, you know, Starbucks coffee place or something like that, you know, and people

00:34:37:05 – 00:34:59:11
Eric O’Neill
thought it was free Wi-Fi. So they’re logging in and now he can see their IP address, you can see their computer, and he can use a Wi-Fi attack to breach them. And that and you can see their traffic. So when people, you know, people go into the Starbucks and or any coffee shop and they’ll sit all day using free Wi-Fi and they’ll work, you know, they they got business confidential information that they’re emailing.

00:34:59:13 – 00:35:20:03
Eric O’Neill
They have, logins to their bank accounts, you know, when they’re paying for things. And this guy was grabbing all that and stealing identities and using their credit cards and all sorts of nefarious things. So you do have to be careful about that evil Wi-Fi. You know, when I’m traveling, I, you know, and I have my iPad or my computer, what I’ll normally do is just tether to my phone and use my data.

00:35:20:05 – 00:35:41:11
Eric O’Neill
It’s just a lot safer if you go in like a, if you go to the airport and you go into like a club, you can usually trust that Wi-Fi, to the extent that you know, you’re using your cybersecurity suite and your VPN. Right? And you log in but you’re not up, you will sometimes see people, they have their own little Wi-Fi devices, and it’s all over the place.

00:35:41:13 – 00:35:58:13
Eric O’Neill
I mean, we live under so much Wi-Fi, who knows what it’s doing to our brains. But, you can go in a club, or you can go in a hotel and make sure you’re on the right one, and you can actually ask when you check in, what is the name of your Wi-Fi access ID? Can you write it down for me so you make sure you’re logging into the right one?

00:35:58:15 – 00:36:14:18
Alex Cleanthous
Yeah. I’m so paranoid now that I just kind of hotspot off my phone. I just tether off my phone because I just don’t know enough to to know if I’m doing everything correct. So I figure, well, if I’m on my phone, that’s obviously going to be the safest connection, right? So I have to pay a bit more for that.

00:36:14:18 – 00:36:15:17
Alex Cleanthous
You know, like I’ll pay. I have a.

00:36:15:17 – 00:36:33:24
Eric O’Neill
Program. So so my cybersecurity suite, you know, I’m using app on my Mac that will actually scan the network for you and tell you whether, hey, this is this looks, you know, you know, tell you this is a public network. It’s like, yeah to hotel dude. And then it’s like, well, you know, there are this many people connected to it and you can kind of see, like, this is the one that I want.

00:36:33:24 – 00:36:36:13
Eric O’Neill
This is the one where it’s like one bad guy. Right?

00:36:36:15 – 00:36:55:22
Alex Cleanthous
So yeah, well, I’m definitely going to install the software that you use and I just Mac as well. So that’s good. Just quickly on phones, like how much of a risk are phones? Because I say sometimes, like, inside of the Google suite essentially does want you to protect your phone as well as your computer and stuff like that, just for all the, the staff members and so on.

00:36:55:22 – 00:37:02:05
Alex Cleanthous
But, I mean, how much of a risk of phones and I think you mentioned before, it’s not the same as a computer. So like like they operate a little bit different.

00:37:02:05 – 00:37:22:07
Eric O’Neill
Operating system is much more closed, at least with the Apple device. So I use an iPhone. Maybe I’m just in the Apple ecosystem. It’s easier to switch around. The problem with Android is that it’s a bit more open in the architectures of the Android phone, because phones get attacked and breached far more often. Both companies, though, have problems in the App Store.

00:37:22:07 – 00:37:44:08
Eric O’Neill
Just because you’re downloading something from Google Play or you’re downloading something from the Apple App Store, doesn’t mean that it’s 100% safe. Most of it is if you’re downloading things that you know, right, like Adobe right, or your Gmail right. But when you download some of these silly little apps that you know are this, you know, this game that they’re just trying to get you to play, but some of it, it can actually have malicious code.

00:37:44:08 – 00:38:06:18
Eric O’Neill
It does sneak through the quality control more, I think, on the Play Store than the Apple Store. But but it does get through both. You know, like using an Android is a little bit like using a jailbroken iPhone. You can do a lot more with it, but it also opens it up a little bit more. People bang their heads because you really can’t do anything with the iPhone that you’re not allowed to do by Apple, but that makes it a little bit more secure.

00:38:06:18 – 00:38:19:21
Eric O’Neill
So you gotta make your judgment call on which you want to go with, and some of it’s preference. Like I’ve been using an Android forever, so that’s what I like. Me personally, I’ve been using an iPhone forever since. So that’s that’s what I’ve stick with since I had like my Razr flip phone.

00:38:19:23 – 00:38:26:11
Alex Cleanthous
I remember those two. And can you protect yourself on your phone? Like okay, so install VPN, but is there like any antivirus, any anti protect?

00:38:26:16 – 00:38:47:15
Eric O’Neill
Oh, absolutely. Yeah. All of the major, cybersecurity and antivirus companies will give you like five installs and you can use one of those for your phone and it’ll run in the background, you know. Oh yeah. Yeah. It’s it’s it’s a good idea if you’re not super careful like me going through email is the main way that they’ll get you, but, attackers will.

00:38:47:17 – 00:39:10:20
Eric O’Neill
We’ll hit you up with text, too. And. And they don’t always have to install malware. I mean, that’s one of the misconceptions is that attackers are always trying to find a way to install malware. So we can solve this with cybersecurity. But the number one cyber attack right now is financial schemes using imposter or confident scheme attacks, like old scamming type stuff where there isn’t even a line of code that’s used.

00:39:10:22 – 00:39:29:23
Eric O’Neill
So here’s a great example. There’s a case where, an individual gets you get them all the time. Right. Hello, this is Alice. You know, is and they’re they’re just don’t they just grab phone lists and these are call centers, and they’re just typing it in and sending texts, right. It’s the laziest way to do it. But you reply because you reply, person.

00:39:30:00 – 00:39:44:14
Eric O’Neill
The the thing to do is just delete it. But you reply, no, you’ve got Eric there. Alice isn’t here. You must have the wrong number. And then it becomes a whole thing every once in a while I drag them around for a while just to see how long I can get them to go before they actually Google me.

00:39:44:16 – 00:40:05:04
Eric O’Neill
Or do a reverse lock up and figure out who they’re talking to. But but then the next thing is, oh, well, who is this? It’s, you know, it’s so nice to meet you. And and they’re looking for people who are lonely or elderly or, you know, just need a friend. And they become that friend. They will spend weeks, even months, sometimes creating this friendship, having these long conversations.

00:40:05:04 – 00:40:27:17
Eric O’Neill
They can move from text to phone. They’ll send, you know, they’ll never do like a video chat because it’s like some 18 year old kid. But they will send you pictures and, and they’ll use AI to, to use different voices and, and all that kind of thing. And then finally, when you establish this rapport and trust, you know, they start, they start small and it normally goes like this.

00:40:27:19 – 00:40:48:06
Eric O’Neill
Look, I’ve been an investor for some time in cryptocurrency and I’ve made a fortune and would you like to try you know, here’s my website. This and your website looks like an investment website. This is my company. You know, here are metrics and they show like this astronomical gain. You know, like the stock market’s getting 6%. We’re doing 22%.

00:40:48:06 – 00:41:12:15
Eric O’Neill
Right. And then they say just invest $1,000, you know, $100 whatever. I’ll show you how much you can gain. And, you know, just as a friend and I’ll do that. Normally it’s $100,000 buy in. But, you know, we’re pals, so give me $1,000. I’ll just want to show you how well this works. So you do, right? You give him $1,000, and then when he gives you you your secure login to the website, to the investment website, every day you look at it, that $1,000 is growing.

00:41:12:21 – 00:41:30:22
Eric O’Neill
Growing, growing, growing. And after a month you’re like, Holy crap, I have $1,200. If I if I invested all my money this way, I’d be a millionaire. And so you do. Hereby bet you do. And they keep pulling it, and they keep getting it, and they keep investing. They keep showing you growth and all this fortune. And finally you’re like, you know, I want to go take my kids on a cruise.

00:41:30:22 – 00:41:35:14
Eric O’Neill
I need to pull some money out. They’re gone. And that’s called pig butchering.

00:41:35:16 – 00:41:38:01
Alex Cleanthous
Wow. Pig butchering.

00:41:38:03 – 00:42:00:18
Eric O’Neill
Pig butchering. But they know it’s it’s a real ancient Chinese art. And what they would do is they batten the pig and fatten the pig and fattened the pig. And with the pig was so big it was going to burst. They kill it, butcher it, and they’ve got all that meat. So they, you know, they they tell you you don’t need to invest in an IRA, like, pull out your pension fund, like put it all in here, you’re going to make a fortune and you’ll retire ten years earlier than you planned to.

00:42:00:23 – 00:42:10:09
Eric O’Neill
Or you can enjoy your retirement for 20 years longer than you thought you would, and people fall for it. It’s one of the biggest financial crimes on Earth.

00:42:10:11 – 00:42:15:22
Alex Cleanthous
Isn’t that fascinating? And that one you can’t stop it because it’s you sending the money, right? Like that’s.

00:42:16:01 – 00:42:16:23
Eric O’Neill
You sending the money.

00:42:16:23 – 00:42:21:21
Alex Cleanthous
And you’re sending the money up. Yeah, it’s pass oil, your two factor authentication. It’s passed all.

00:42:21:22 – 00:42:23:11
Eric O’Neill
Past all that. It’s just you and.

00:42:23:11 – 00:42:24:08
Alex Cleanthous
Point security.

00:42:24:08 – 00:42:41:04
Eric O’Neill
Here. And they they will even so what they’ll do the most clever attackers that you that leverage pig butchering is they not only set up the mock website. This used to be harder. Now I’ll throw it together for you right away, you know, and they’ll manipulate all the all the statistics. You know, every time you log in, they make it.

00:42:41:04 – 00:42:58:22
Eric O’Neill
You know, every day they they bump it up a little. So when you log in, it looks better and better. But what they’ll also do is they’ll go in the dark web and buy an identity. You buy anybody’s identity on the dark web. You just find an identity. Can you make sure it’s a good one? You pay more money for those, you know, that means that someone hasn’t reported their identity stolen.

00:42:58:24 – 00:43:25:01
Eric O’Neill
Now you have their driver’s license, you go open a legitimate bank account, and that bank account is what’s called a drop account. So you think you’re transferring the money to, like, a Citibank or a Chase or what? This person has just opened a bank account with a stolen identity, which happens all the time. So you’re not even thinking like, I’m not sending Western Union or I’m not Venmo the money or and I’m not sending like a wire, which you can never get back from any of those, by the way.

00:43:25:03 – 00:43:49:18
Eric O’Neill
So be careful. Before you ever said anything, clear those three. And but now I’m sending it to a bank. I can always call the bank and say, you know, I need this money back. But what’s happening is it’s sitting in the bank account, right? So you can actually go check. And then as soon as it’s over, you know, as soon as they think that you’re on to them, they quickly move it out into cryptocurrency and that’s gone.

00:43:49:20 – 00:44:12:23
Alex Cleanthous
I guess this then leads to the conversation again of spies versus hackers, right? If someone is targeting you, can you actually stop them from actually hacking you if someone is coming after you? Because I saw it was something inside your book about, how kind of Wikileaks and CIA materials actually was stolen. I think a few years ago, all the code was online.

00:44:12:23 – 00:44:18:15
Alex Cleanthous
It’s all accessible. And they use that. And I think they hacked into some banks and hospitals and kind of airports and different things.

00:44:18:19 – 00:44:39:18
Eric O’Neill
Right? Yeah, they they actually stole. They stole, both. Nine. They actually stole it from the, from the CIA. They’ve, they’ve stolen, cyber attack tools from the CIA. They’ve stolen cyber attack tools from the NSA. It’s been released by disgruntled employees, and those can be used to launch further attacks. Now AI is just building it. You said they don’t need that, right?

00:44:39:24 – 00:45:04:20
Eric O’Neill
Yes, I know, I read the malware for you. Right. And launch attacks, but you. So what can you do? I get attacked all the time, but some of them are really clever. One almost got me. It was so clever. It was a, a whole scheme of attackers. There was like a, there were maybe like 3 or 4 of them each playing different roles that, you know, we had set up a fake keynote that I was going to deliver in Cape Town in South Africa.

00:45:04:20 – 00:45:26:20
Eric O’Neill
And, you know, I really wanted to go and I was really excited. And that that builds what’s called confirmation bias. And that’s what they want. And I mean, we even negotiated the keynote, negotiated the fee, like drafted a contract. They signed the contract, they sent me the reservation for my hotel, and then they asked me to buy my plane ticket and they said, buy it first class.

00:45:26:22 – 00:45:51:05
Eric O’Neill
So okay. And are you sure it’s $10,000 to fly first class? You know, that’s that’s like a good that that’s like a big add on to my fee, which is already like they were giving me my full fee. So I was real excited. And, and I bought the ticket. And now that really got you, because once you’ve spent $10,000 out of your own pocket, you truly want to believe it’s true, right?

00:45:51:07 – 00:46:13:08
Eric O’Neill
And that confirmation bias all psychology. It makes you start talking yourself into it. Now, I quickly thought, there’s something wrong here, because then they’re asking me to pay a repeat repatriation fee and escrow money before I went and all that. And so, you know, I’m an attorney. I called the embassy, you know, in DC. And I was like, have you ever heard of any of this?

00:46:13:08 – 00:46:31:16
Eric O’Neill
And they said, we don’t have an escrow or we, we don’t have a repatriation fee that you have to ask. So sorry, I’ve never heard of that. And I was like, oh, it’s a scam. So I quickly called the the airline. It was United, which I’m, I’m completely loyal to forever. And I told them the story and they were like, they were like, I am so sorry, sir.

00:46:31:18 – 00:46:33:19
Eric O’Neill
That’s such a great story. We’re just going to refund your ticket.

00:46:33:19 – 00:46:34:13
Alex Cleanthous
Wow. No.

00:46:34:13 – 00:46:35:09
Eric O’Neill
Harm, no foul.

00:46:35:11 – 00:46:37:01
Alex Cleanthous
What they did was. Yeah, I was hoping that.

00:46:37:01 – 00:46:54:24
Eric O’Neill
Yeah. And once, you know, I got that ticket, but now I was out. No money, and I just strung them along for a while. I strung them along until, like, till I collected all the evidence I needed to get them all arrested. And, so, yes, they probably shouldn’t have. You know, I insisted they call me. He called me on his personal phone number.

00:46:54:24 – 00:47:00:11
Eric O’Neill
You don’t want to do that. Like, don’t call me on your mobile phone. I’ll find out who you are in, like, 10s.

00:47:00:13 – 00:47:12:07
Alex Cleanthous
And I love. But I love the fact that it’s almost like, like a vendetta now because it’s like, hey, cool. So you got me to spend fifth, like, a lot of money on a first class ticket. And I wasted my time, which is the worst one. And you almost got me the.

00:47:12:12 – 00:47:28:02
Eric O’Neill
Amount of time, you know? And then I found out that I did some research, and I found out that they had scammed countless speakers who were out of that ten grand. Some of them even flew over there and showed up at the venue, you know, wearing their suit and tie and all ready to go. And they were like, what?

00:47:28:03 – 00:47:45:13
Eric O’Neill
And then they’re like, who the hell are you? It’s like, so now I’ve just spent 10,000 of my own money, plus like 5000 to 7000 a little. I ask as much as they can for this repatriation fee that I’ll never get back. I’m in Cape Town. I don’t actually have a hotel.

00:47:45:15 – 00:47:48:09
Alex Cleanthous
You’d feel like such a sucker in that moment. You’d be like.

00:47:48:09 – 00:48:03:16
Eric O’Neill
Damn, that just so bad for those people. Yeah, but that made it. That made it an I’m vendetta, right? Yeah, exactly like you said. Like I was going to take them down, and I just strung them along strong along and kept gathering information and evidence and them for me until I had enough in the ring to bring it to the police in South Africa.

00:48:03:21 – 00:48:24:12
Alex Cleanthous
Okay. So with AI and now with deep fakes and, you know, in terms of visuals and audios, I mean, I haven’t heard a story just recently where they pretend to be somebody’s son or daughter and they call and go, hey, mom, I just need something. Da da da da da. Could you transfer me or something? Right? From a corporate level, I can see some similar things happening.

00:48:24:14 – 00:48:36:21
Alex Cleanthous
If someone was coming after you, can you actually stop them? Are there just a bunch of things which you can kind of like? It’s almost kind of like obstacles along the way. This it just makes it harder. But they can always get you if they want you.

00:48:36:21 – 00:49:04:02
Eric O’Neill
You can make it harder and you can be smarter and you can catch the scam. The book I’m writing right now, well, I have written my first draft is with Harpercollins. So now they’re editing, you know, and I’ll be betting soon, but that’s coming out early next year in 2025. It’s all about that. So the first part of the book is using counterintelligence techniques that I learned in the FBI to teach you to think like a spy right now, you’re going to think you’re going to understand all the different ways that cyber criminals are coming after us.

00:49:04:02 – 00:49:21:22
Eric O’Neill
This one’s all about cybercrime. Gray day was about cyber espionage. This book is about cybercrime. Like what you and I have to worry about. Like if a spy is coming after us, I mean, we’re in trouble. Like a criminal. We can. We can spot it. We can totally spot it. Right? But and this teaches you how to spot it by thinking like them.

00:49:21:24 – 00:49:37:19
Eric O’Neill
And every one of my beta readers has caught an attack. And that’s that’s like, the best thing I could totally here, because that’s what I’m doing this for. The second part of the book is, okay, now you know how to spot the attacks. Here’s how you stop them. Act like a spy hunter. So think like a spy.

00:49:37:19 – 00:49:57:03
Eric O’Neill
Act like a spy hunter. But it’s that way of understanding the attacks. Knowing what pig butchering is, knowing what happens when you answer that text. You know, there was there’s a, a story I tell in the book about a mother in Arizona who got a call from her daughter while her daughter was supposed to be on the way with the ski trip with her husband.

00:49:57:05 – 00:50:11:22
Eric O’Neill
And, the daughter was screaming that they’re going to kill my mom. And then the next voice was this angry, you know, rough voice that said, and I’ve kidnaped your daughter, and if you don’t pay, I will. I’ll kill her. And the mom was was trying to get funds and getting ready to pay. And at the same time, she kept her cool.

00:50:11:22 – 00:50:31:07
Eric O’Neill
She, she had another friend, called 911. She had her younger daughter who was with her start texting the daughter, texting the father. They were away on a ski trip. So finally they they they got the text after like hours of this where they’re negotiating, like how she’s going to get the cash to the guy and where he’s going to drop off, where they’re going to meet in his van.

00:50:31:07 – 00:50:46:21
Eric O’Neill
And she’s like, I don’t want to come near your van. And, you know, the police were getting involved. And finally the daughter talked text back like, I’m fine, mom. It was a deep peck. They’ve gone on social media, cloned the daughter’s voice and used it. And it happens all the time now. All the time.

00:50:46:23 – 00:50:56:02
Alex Cleanthous
I spoke to a friend of mine and he was like, switch off your voicemail, because that’s a super easy way that they can just get to your voice. But I was like, But I’m on YouTube and I’m you and I.

00:50:56:02 – 00:51:10:04
Eric O’Neill
Are doing right there. And, you know, it takes it takes $5 and five seconds to clone your voice. That’s it. That’s all it costs to do a very to do a very good avatar. That’s going to say whatever I wanted to say. You can’t make a deepfake.

00:51:10:07 – 00:51:20:03
Alex Cleanthous
So thinking like a spy, right? I think it was the guy from Intel, Andy Grove, who said only the paranoid survive. Is that kind of the thinking that’s going to happen in the next ten years?

00:51:20:09 – 00:51:42:12
Eric O’Neill
Well, it’s a that’s a good point. Don’t be paranoid. In, in counterintelligence, in spy hunting, you know, in the FBI, but in the military and, you know, even people who do any kind of disaster relief paranoia paralyzes you if you’re paranoid, like, everything is in attack, you can’t function like you can never go online if you’re paranoid, but be suspicious suspicions.

00:51:42:12 – 00:52:04:11
Eric O’Neill
Good. Like you remember the old trust, but verify. Turn that on its head. Don’t trust anything. Verify everything right. Don’t trust your initial thought when you open an email. Shouldn’t be. Oh, it’s from my sister. No, don’t trust that. Verify. It’s from your sister, right? If anything looks weird or off, give them a call. Did you send me this email with all these attachments?

00:52:04:11 – 00:52:27:18
Eric O’Neill
Like, does your sister normally do that? Right? Start thinking like someone who’s looking out for themselves that wants to protect themselves. That thing about the deepfake, the call, like a mom. I’ve been kidnaped. Have a safe word. That’s what we did in counter-terrorism. If you were ever captured and, you know, they they want to sign a life when when you when they let me talk to them and then I give the safe word like I it’s really me, right?

00:52:27:20 – 00:52:50:00
Eric O’Neill
My family uses a color. I’m not telling you which one, but, it can be anything. You know, a weird word, something that your whole family’s going to know. And now when you get that call, you say, okay. Oh, my God, this is terrible. What’s the safe word? Bad guy’s not going to know that, right? If they know they’re screwed, but they’re not going to know that you can do that with your colleagues, with your your business associates, with your friends.

00:52:50:02 – 00:52:52:02
Eric O’Neill
Yeah. Let me get into a game.

00:52:52:04 – 00:53:14:14
Alex Cleanthous
So I’ve seen some big phishing attacks. I guess I just where an employee of a company that will get an email from the CEO of our company, right? And it will say, hey, look, I need you to urgently, transfer me, I mean, $1,000 or something, right? And so you did the the right. And I think some of them, like in the early stages, almost got caught with it.

00:53:14:16 – 00:53:18:24
Alex Cleanthous
I mean, now they’re just accustomed to it because it’s like, that’s not us, right. But in the beginning that was.

00:53:19:01 – 00:53:25:02
Eric O’Neill
No, it’s still it is still a, like what, a $49 billion crime a year is it.

00:53:25:04 – 00:53:25:14
Alex Cleanthous
What do you mean?

00:53:25:14 – 00:53:53:21
Eric O’Neill
Oh, it’s massive. It’s an increase. It’s incredibly huge. It’s called business email compromise. And it’s where the attacker either launches a spear phishing attack and compromises the CEO or the CFO or someone in the executive team’s email, and then figures out usually, you know, using resources like LinkedIn and social media, who are all the people in finance and then has that executives send emails to everybody in finance saying things like, this is a super confidential deal.

00:53:54:00 – 00:54:10:01
Eric O’Neill
It’s going to fall through if this wire doesn’t go out soon. Here’s the Swift code and all that information to send the wire. I need you to send me this. In the next ten minutes. You send this wire in the next ten minutes, $1 million to this vendor. Email me as soon as you’re done. Right now, we’ve trained that away.

00:54:10:01 – 00:54:31:17
Eric O’Neill
That’s still, by the way, works with all of the resources and all of the training and all the people like me who stand up on stage all the time like, this is the one of the biggest financial fraud attacks that happen. And, you know, it’s not even really using a line of code. And it’s working. It still is one of the most prevalent financial cyber attacks.

00:54:31:17 – 00:54:50:15
Eric O’Neill
And it’s still kind of a cyber attack because, you know, it’s primarily coming through email, business email, compromise. But it gets worse now. What is now what attackers are doing is they’re using deepfakes to make this better. So there’s a case in Hong Kong. There’s a multinational corporation that’s headquartered in the UK. They’ve got a branch in Hong Kong because everybody has a branch in Hong Kong.

00:54:50:16 – 00:55:12:01
Eric O’Neill
If you’re in finances, right. If you if you, you know, there’s all the big banks are there or whatever. There’s a in in our hero or protagonist and I call him the hero of the story is is sitting in Hong Kong. He’s a junior financial officer, and he gets an email right from the CFO. And we all know how this goes, right?

00:55:12:03 – 00:55:33:09
Eric O’Neill
But not what you think. It’s not. Send a wire. It’s join me on a zoom call. And he does. He jumps onto the call and just like you and I are talking here, he sees the CFO and two other people he recognizes from finance in the UK, but two other people he doesn’t. And the CFO just looks around and says, well, everybody, please introduce themself.

00:55:33:09 – 00:55:55:17
Eric O’Neill
He introduces himself. Then the two people he recognizes. He’s never met these people, ever. But you know, this is his boss, his boss’s boss, you know, asking him to join a zoom call. I mean, it straightens his tie and, and then the two people that he doesn’t recognize, introduces himself as these new partners, you know, these important partners for this new deal that is, ultra secret.

00:55:55:19 – 00:56:20:23
Eric O’Neill
And, and it needs to close soon. And then the CFO terminates the call. Now the email comes in, it says, thanks for joining the call. Here are your instructions. We need this wire sent immediately. Email me back when it’s done. And he does over two weeks. He sends 15 wires for $25 million before finally he calls over to the UK and says, do you really want me to send all these wires?

00:56:21:00 – 00:56:41:21
Eric O’Neill
And they never heard of him or the wires? Wow. So yeah, I mean, criminals are balding as well as the more we evolve, you see what I mean? When we started in the beginning, this is not a technological problem. A lot of it is a human problem. You can’t solve it all with technology. You can’t solve it all by installing something.

00:56:41:23 – 00:56:57:10
Eric O’Neill
You have to be smart and protect yourself. The government’s not going to do it. The cybersecurity companies can’t 100% do it, but you can do it. If you think the way that these attackers think, you get in their heads and you recognize the attack when it’s coming.

00:56:57:12 – 00:57:13:06
Alex Cleanthous
I think that’s a great point. To end the I could just keep talking about this. You’re so interesting because you have so much experience and such a unique kind of experience, and this is just been a fantastic call. And I love kind of how you think about all these things, and I love how you explain it all.

00:57:13:08 – 00:57:22:24
Alex Cleanthous
It’s very easy to understand. It’s also very confronting, I would say, for lots of people, I’m kind of used to it because of the crypto space. Like that’s just all of scammers. That’s like the wild, wild, wild West, right?

00:57:23:02 – 00:57:34:23
Eric O’Neill
I’ve just stayed away from it. It’s I did my toe. I realized I’m not good at cryptocurrency investing. There were like, these sure things, and I invested like ten grand and, like, I’ve got $900 left.

00:57:35:01 – 00:57:37:03
Alex Cleanthous
Yeah, yeah. And I was like, that’s enough.

00:57:37:05 – 00:57:37:18
Eric O’Neill
Right?

00:57:37:20 – 00:57:58:08
Alex Cleanthous
Yeah, yeah. But even outside of, like, if something goes up or down, the whole thing is full of scams anyway, right. So like, I’m kind of accustomed to that, but I think there’s a lot of people who are not. And I think most people that don’t really understand the scope of how sophisticated these hackers are. So I really am happy in terms of all the stories and information that’s been shared today.

00:57:58:08 – 00:58:07:06
Alex Cleanthous
I think it’s been super helpful. So how do people subscribe to you and how do people, get the new book as soon as it is released? Because obviously that’s something everyone should read.

00:58:07:08 – 00:58:35:08
Eric O’Neill
Yeah. The best place to learn all about me is Dot Eric O’Neill dot net. You know, Eric O’Neill, I don’t use the apostrophe when it’s, a computer related thing. Dot net and you can learn all about me. It’s brand new webpage. It has all my resources. It has. You can connect with me from there on LinkedIn on X, and I’m pretty good, especially on LinkedIn, answering questions and responding to direct messages.

00:58:35:10 – 00:58:52:10
Eric O’Neill
Obviously, anybody wants to hire me as a speaker. I’m your man. And, I can do all this on stage for you and your crowd. And you can you can grab me right from there. And once my, new book, The Invisible Thread, is ready for preorder, we’ll have it all over the world. But it’ll be on there and you can order it directly through that website.

00:58:52:11 – 00:58:54:10
Eric O’Neill
So for all things Eric, go right there.

00:58:54:15 – 00:59:10:21
Alex Cleanthous
Yeah. Fantastic. And I’ll have the link in the show notes. And I’ll also have a link to the LinkedIn profile and the Amazon page for. Great. Yeah, great. Yes. Everyone should. It’s just a cool story. And there’s a lot of good insights into kind of how to think about protecting yourself even though that was quite a while ago, it’s still.

00:59:10:21 – 00:59:18:20
Eric O’Neill
It’s very relevant. So when you write a book about cybersecurity, you have to pick stories that are going to be evergreen. It always has to be.

00:59:18:22 – 00:59:21:17
Alex Cleanthous
Which is hard in cybersecurity because it’s cyber.

00:59:21:19 – 00:59:42:12
Eric O’Neill
So you got a big, big stories that really matter and are going to stick in people’s mind. And with the invisible threat, I was very mindful about what I was going to choose to write about. You know, CrowdStrike just made it in at the end. It was kind of hard to explain. Like I’m saying, patch everything. And then I said, accept this happened, but don’t let that you know, not let you patch things that, you know,

00:59:42:14 – 00:59:55:15
Alex Cleanthous
I think that’s important as well. Right? Like it’s like you’d rather be on the side of security and yes, like the small percentage that that doesn’t work. Then on the other side, where there’s a much higher percentage that that someone’s going to be hacked.

00:59:55:17 – 01:00:17:04
Eric O’Neill
Yeah. But you know, I go into all the global I go into global tax. I have an entire chapter about my fears about critical infrastructure attacks. You know, I dive deep into the, the actual war happening in Ukraine, which started with cyber and is still cyber. Well, and constantly. And how so much, cyber warfare is being perfected there on both sides.

01:00:17:06 – 01:00:18:08
Eric O’Neill
You know, it’s the.

01:00:18:08 – 01:00:23:24
Alex Cleanthous
Russians versus the Ukrainians. Is that what it is, because they’re both good hackers? Or is it kind of like the Americans versus.

01:00:24:00 – 01:00:50:09
Eric O’Neill
They’re all becoming amazing, because they’re just testing stuff you would never test unless you’re in a war theater. Wow. You know, horrible, nasty things. And just the robots that are being developed to, you know, there are robots, there are companies that are in Ukraine that are developing robotic systems that, are completely manned by AI, and they just point in the direction that, you know, the bad guys, the the Russians, the opposite side is coming and shoot.

01:00:50:11 – 01:00:53:15
Eric O’Neill
You know, there’s some discrimination, but you sure wouldn’t want like.

01:00:53:15 – 01:00:54:23
Alex Cleanthous
Get out of the way.

01:00:55:00 – 01:01:03:18
Eric O’Neill
Right? Yeah. So, yeah. And both sides are doing it. So I mean, there’s an overlap of warfare innovation happening there. And AI is a big part of it.

01:01:03:20 – 01:01:10:00
Alex Cleanthous
So one last point. I just want to just quickly ask you this one. Should you pay ransomware if you get attacked by it?

01:01:10:02 – 01:01:33:01
Eric O’Neill
So in general, no paying ransomware does two things. It encourages attackers to continue to attack. And every time someone pays a ransom, it’s like, a devil gets its wings, right? Every time a ransom was paid. It encourages more cyber attackers and more people to join the ranks of the cyber criminals. There’s another problem with paying a ransom.

01:01:33:03 – 01:01:57:03
Eric O’Neill
You don’t know if you’re actually going to get a decryption key. Sometimes you do, sometimes you don’t. And even if you do get a decryption key and you can get your data back, that doesn’t mean you’re not going to be a repeat customer. All the problems we had still exist. So you still have to do all of the work and remediation and damage control and doing all of the stuff you should have done in cybersecurity.

01:01:57:03 – 01:02:19:24
Eric O’Neill
I always say, don’t wait for a pressure situation, like a ransomware attack, to decide to examine your cybersecurity. You know, do it when you’re chill, you know, but you’re still gonna have to do all that work. And it’s going to cost a multiple more money in the ransomware attack than just doing it. Now, when things are cool, your cybersecurity advisor, who you hire is going to charge a lot less than when you’re in the middle of a catastrophic attack.

01:02:20:01 – 01:02:28:01
Alex Cleanthous
Would you put everything in the cloud then and, you know, just kind of let somebody like, kind of the Googles or the Microsofts of the world, just kind of every single company.

01:02:28:03 – 01:02:50:01
Eric O’Neill
If you’re a small company and you don’t have a security operation center and you don’t have a knowledgeable CISO and cybersecurity professionals that are working for you, you’re safer by going to a cloud environment because there you have Amazon or, Google or whoever you’re using. You use the best ones whose entire job is to make sure they’re secure and they’re encrypting things.

01:02:50:01 – 01:03:08:00
Eric O’Neill
So even if it’s stolen, you know, until like quantum encryption comes online, decryption comes online. You know, nobody can see what they’ve stolen. But but it’s going to be way harder, way harder to steal your data from them. Then, you know, your little one room server that you’ve set up and had to install an extra air conditioner to keep.

01:03:08:00 – 01:03:29:16
Alex Cleanthous
With the other side of the fan with the fan running? Yeah, great. Eric, thank you so much for coming on the podcast. Everyone, this is, this is such a unique episode, in that he’s telling you what to do right now to protect yourself. Subscribe, purchase the book and yeah, just go to his website and subscribe to the subscribe to his email database.

01:03:29:16 – 01:03:37:09
Alex Cleanthous
And so that you get, kind of all the updates as they come out. Thank you so much area for coming on the podcast. This has been such a great conversation.

01:03:37:11 – 01:03:42:14
Eric O’Neill
Alex. It was wonderful. I love talking to you and hopefully we’ll do it again for sure.

01:03:42:16 – 01:03:58:17
Alex Cleanthous
Thanks for listening to the Growth Manifesto podcast. If you enjoyed the episode, please give us a five star rating on iTunes. For more episodes, please visit Growth manifesto.com/podcast. And if you need help driving growth for your company, please get in touch with us at Web prophets.io.