Chris Badgett of LifterLMS talks about web and personal security for your course platform with Shaun James from Pentester University in this episode of LMScast. Shaun teaches people how to do ethical hacking in order to perform penetration tests to help strengthen cybersecurity of websites and online businesses.
Penetration testing is ethical hacking that tests the cybersecurity of companies and tells them where holes are that bad guys could potentially get in so that the holes can be fixed. When Shaun was young, he learned how phone numbers work as codes. That got him into puzzles and ultimately led to him becoming the owner of a cybersecurity company.
Schooling for learning network security is very expensive. So Shaun started a YouTube channel teaching people how to do it for free. He received great feedback from that, so he has started an affordable school where he teaches people how to test network security.
When creating online courses you are normally collecting customer and student information. Making sure that information is protected for students’ safety is important, and that is a major part of what penetration testing is out there to do. Any page is vulnerable to hacking attacks, even static ones. Having security even on basic, non-interactive HTML pages is important.
Chris tells a story of one time when he got hacked and how the hacker was able to redirect his website to the app store if a user accessed it on an iPhone. Shaun shares some great tips on how to protect yourself from attacks and how to protect your backups. They also describe what SSL is and how it is used to protect information.
SQL injection is a way that unprivileged users can make the server give them information from a website. Shaun shares an example of how a website is vulnerable to these injections. He also talks about JavaScript injections and what those are and how they work to attack users.
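To make the episode's point concrete, here is an added example (not code from the episode, LifterLMS or Pentester University): a small sqlite3-backed lesson lookup that mimics the `index.php?id=` pattern Shaun describes, written once with the query-string value pasted into the SQL text and once with it bound as a parameter. The table contents and the `?id=` values are constructed sample data, and the `page_response` helper is an assumed stand-in for a page that echoes database errors to the visitor.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one public lesson and one unpublished draft
    that an anonymous visitor should never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE lessons (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO lessons VALUES (1, 'Intro to Pentesting', 1);
        INSERT INTO lessons VALUES (2, 'Unreleased draft', 0);
    """)
    return conn


def lesson_titles_vulnerable(conn: sqlite3.Connection, lesson_id: str) -> list:
    """The improperly written version: the raw ?id= value becomes part of the
    SQL statement, so the database cannot tell data from code."""
    sql = "SELECT title FROM lessons WHERE published = 1 AND id = " + lesson_id
    return [row[0] for row in conn.execute(sql)]


def lesson_titles_safe(conn: sqlite3.Connection, lesson_id: str) -> list:
    """The fixed version: the value travels as a bound parameter, so SQLite
    only ever compares it against the id column and never parses it."""
    sql = "SELECT title FROM lessons WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (lesson_id,))]


def page_response(handler, conn: sqlite3.Connection, lesson_id: str) -> str:
    """Assumed stand-in for a PHP page that prints database errors to the
    browser. The error text is the tell-tale sign the episode mentions, which
    is why production pages should log errors server-side instead of echoing them."""
    try:
        titles = handler(conn, lesson_id)
    except sqlite3.Error as exc:
        return "DB ERROR: " + str(exc)
    return ("OK: " + ", ".join(titles)) if titles else "OK: no lesson"


if __name__ == "__main__":
    db = build_db()
    # A normal request behaves the same either way.
    print(page_response(lesson_titles_vulnerable, db, "1"))
    print(page_response(lesson_titles_safe, db, "1"))
    # A stray apostrophe breaks the concatenated statement; the bound version just finds nothing.
    print(page_response(lesson_titles_vulnerable, db, "1'"))
    print(page_response(lesson_titles_safe, db, "1'"))
    # Once the input is treated as SQL, the published = 1 check can be bypassed;
    # the bound version still returns only what the query was written to return.
    print(page_response(lesson_titles_vulnerable, db, "0 OR 1=1"))
    print(page_response(lesson_titles_safe, db, "0 OR 1=1"))
```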
They discuss concepts such as worms and DoS attacks, which are denial of service attacks. And Shaun gives an example of someone whose website was crashed by a DDoS attack. This type of attack causes a website to get so much traffic that it crashes. Shaun gives some great tips on how you can mitigate these types of attacks for free.
Hackers can also gain access to your camera and/or microphone and be watching or listening to you so making sure you are safe in that regard is important as well. Shaun gives some tips on how you can prevent that from happening.
When your website is under attack from hackers, you should shut it down immediately. This stops it from getting much worse and protects others from getting infected. Changing your password is also necessary when restarting after an attack. Shaun gives these tips and much more to help you in an attack situation.
Having backups and taking care of your website are very important. There are a lot of possible things that can attack and corrupt your cyberspace, but that does not mean you should avoid the internet altogether. You should know the ways to prevent potential problems from happening, and when they do, how to mitigate them.
You can learn more about Shaun James at Pentester University. You can also find him on YouTube at NetSecNow.
Thank you for joining us. You can post comments and subscribe to our newsletter for updates, developments, and future episodes of LMScast.
Episode Transcript
Chris Badgett: Hello, and welcome back to another episode of LMScast. My name is Chris Badgett, and today we have a special guest, Shaun James from Pentester University. We’re going to get into web security, personal security and how that relates to your online course platform, but before we get into that, Shaun, I just wanted to thank you for coming on the show.
Shaun James: Thank you, Chris, I appreciate it. Thanks for having me.
Chris Badgett: Yeah. Well, tell us a little bit about your story, because you’re a cybersecurity expert, so can you tell us about your journey, like where you came from, how you got into cybersecurity?
Shaun James: Sure.
Chris Badgett: How you got all the way into teaching others about cybersecurity, and for those of you listening, Pentester stands for penetration testing, but I guess first, tell us what that is, and then tell us the story from the beginning.
Shaun James: Okay. Penetration testing is really just companies trying to hire an ethical hacker to find the holes that the bad guys would use to get in, break in, steal customer information, business critical information, stuff like that. That’s really all it is, and cybersecurity over wraps that, if you will, to include many things like network security and defensive and offensive security and things like that.
Chris Badgett: Very cool, very cool. Well, how did you get into this world of cybersecurity? What’s your story?
Shaun James: It’s actually a really long story, so I’ll try to keep it short. I actually started when I was a kid. My parents used to get super mad at me when I’d pick up the touch tone telephone and start dialing pound codes and star codes, writing them into a notebook and figuring out what they did and all the messages, and the phone company would actually call my house and ask what the heck we were doing. When I got old enough to ride my bike down the street, I used to go to a pay phone and do it.
I’ve been doing this stuff since I was a little guy, but what really got me interested in it is the love of technology and the fact of being able to legally break into systems and figure out security holes, and it’s like a puzzle. To me, it just made sense that that’s what I had to do with my life. I didn’t always, I wasn’t always a penetration tester. I went to school, I learned a different trade, I learned automotive.
At the same time, after high school, I learned networking and computers and security and stuff like that to get really in depth with it to get my certifications and so on, so I always had a back up career. Hurt my back working on cars early out, so I decided that, to heck with this, and I went on to start work for other companies and eventually started my own company and they started subcontracting me and eventually I cut out the middle man and went right after the big fish myself.
That’s really how I got started in that, and after you do something for a really long time, you look for another challenge, so what I did was I created a YouTube channel that now has 35,000 subscribers and I started teaching for free. That was pretty cool, I got really good feedback from that, so I decided to start an online school and actually teach people how to do it because the biggest problem is school is not affordable. It’s just not. I spent $16,000 for six months of school for network security. A lot of courses are $5,000 and some are free, but I live by the old adage, you get what you pay for. I decided to start my own affordable school and here we are.
Chris Badgett: That’s awesome, that’s awesome, and one of the things I want to highlight, it’s not really the topic of this show, but the fact that you were already creating content and you found that you had community on YouTube, that’s an awesome way to go about it because a lot of people start with the tools and they don’t have any content yet, they don’t have the community, they don’t have any traction or momentum, so I just want to commend you on your starting point there.
Shaun James: Cool, thank you.
Chris Badgett: Well, when I think of ethical hacking and getting hired to do that and the economy around that, I think about banks wanting to protect their stuff or, but what is, who else should be concerned?
Shaun James: Anybody that’s online really. If you have a computer connected to the internet, at some point, you’re vulnerable. That’s just the way that the world works. That’s the internet for you. If you want to be 110% secure, unplug from the internet, stop using it. Really, that’s what we tell people.
Everybody really has to worry about that, and specifically, online course creators. A lot of times you’re collecting customer information, student information, things like that, and you want to make sure that that stuff is secure. You don’t want to have it vulnerable, like the Amazon and credit card companies get hacked all the time, and banks, and other businesses, and that’s just what it is. That’s the nature of the beast. Everybody has to worry about it, really.
Chris Badgett: Yeah, yeah. Well, what, for someone who’s, this is new information to them, what areas do you focus on for the course creation platform to have increased security? Is it just eCommerce related? Is it logging in to the back end of WordPress, or where do we need to be concerned?
Shaun James: It’s really almost everywhere. I know that’s a terrible answer, but it’s everywhere, so even if you had a static website, right, that you’re posting some information on. For instance, if I was an attacker and you had a popular website for whatever niche it was or whatever it was, even just a static page, if I were to be able to break into the back end of the FTP server and upload or change your files to include a payload inside of the website, you’ll never see it.
I’ll never modify the text of your website. It looks like a normal website, however, when users go to visit there, I can steal their cookie information which is used for logins. I can steal information from them. I can take over their computer and use it to attack other computers. It’s really important to have, even website security on basic, very basic static HTML websites.
Chris Badgett: Absolutely. I think getting hacked, sometimes it’s not even a question of if, it’s a question of when.
Shaun James: Right.
Chris Badgett: One of my first online course websites, WordPress website, got hacked and there was some kind of code that somehow got in there, and it was actually smart. If I was logged into the site as a WordPress administrator, I couldn’t tell it was there, but, and even people on computers couldn’t tell it was there, but if you were on a mobile phone and you went to my website, it would redirect you to some app, something for sale in the app store.
Shaun James: Right, so it was just a click jacking, if you will, is what we call it, and that’s just to take a specific set of users that you want, for instance in that case, to make app sales or free downloads for the app so they can make money off the ads, it’s just to redirect those users away. I would make a payload, for instance, for iOS and for any other cell phone operating system, and then I would redirect users based upon, every time you surf a website, your information’s given out. What you’re using, what version, all that good stuff.
Chris Badgett: What, where do you start? What’s the first place to start with, okay, I want more security? Where do I start? Is it with hosting? Is it with other plug-ins? What do I do?
Shaun James: What I would start with is the hosting company itself. You obviously want a reputable company, and with that, you want to make sure you’re keeping your own backups. You can’t always trust the company to actually keep and store your backups. Things happen. Backups get lost all the time, so you want to make sure you choose a good host. For instance, since you’re using WordPress for the Lifter LMS, right?
Chris Badgett: Right.
Shaun James: I use the same thing, so what I wanted was a reliable host, and there’s tons of them out there, big name guys. I used to have a hosting company back in 2002. Well, I know a lot of these guys started around the same time I did, so I know where they’re at, but the point is that they can’t all offer really good security. The host I personally use is WP Engine, and I think that, in my research, they’re one of the best. They offer good security, backups, live sites. They do all sorts of good stuff.
The next thing you want to start with there, and this is probably more logic than anything, is not to use a common email that you use everyday for regular communications for your site admin email. Make it an email that you don’t use anywhere else but specifically for that, and that helps because if I was able to get your email address and I know your website and I want to break into it, the very first thing I’m going to do is pop that into what we call BruteForcer, which just really tries username password combinations over and over again until it gets the right one, and I’m going to try a password list. I have one that I created for 1.2 million unique passwords myself, and I would break into your website and then do what I had to do.
Don’t use your regular email. That’s number one. Two, there’s a lot of plugins for WordPress, and I guess this conversation’s going to go more towards WordPress because that’s what we’re all using, like for instance Wordfence. Wordfence is a really super good plugin for all types of security. It offers firewalls, spam scanning, malware scanning, if somebody did break into your website, it scans the site for your users so it could pick up common attacks, things like that.
Also, there’s a plugin, I can’t remember. I think it’s made by, Huge-IT is what it’s called, the company, and they make a login redirector, so usually what happens is when you setup a brute-force type deal, you would go to the WordPress login. That’s pretty common because it’s the same on every single website. You set your attack up to go to that URL and guess those usernames and passwords. However, the Huge-IT thing has a pro version and a free version. Free version probably works pretty good, too, but it really just creates a pop up, if you will. It’s harder to attack a pop up because it’s not an actual URL.
That’s some of the common things you could do there, and again, the host is key. You should have SSL on your websites if you’re collecting any information, even if users are registering for a free account, or logging in, or giving you any information whatsoever, you should definitely, definitely have SSL, and it’s free.
Chris Badgett: Let me ask you some questions around that.
Shaun James: Sure.
Chris Badgett: Secure Shell Certificate, is that what it stands for? What-
Shaun James: Secure Socket Layer, yeah. SSL.
Chris Badgett: Oh, there we go. There we go.
Shaun James: Yep.
Chris Badgett: What does it actually do? What does it do?
Shaun James: When you communicate on the web, you’re sending out packets. Think of a packet as a pill, right, and inside the pill you have, what’s the payload there, is the medicine, right? You have the outer shell of that. What SSL does is it’s basically the outer shell to the critical information that’s inside. It encrypts the communication between you and a server, so when you’re sending your stuff over, it’s encrypted by 128 bit SSL certificates, and there’s a public and private key.
There’s a lot of technical stuff that goes on behind the scenes, but really what it does is it encrypts the session or the line between you and the website. Any information you send or the website sends back is in that encrypted tunnel, or in that pill.
Chris Badgett: Right, so for example, your students in your online course website, when they’re typing in their username and password, that’s communicating with your server, right?
Shaun James: Correct.
Chris Badgett: The SSL is, you’re actually protecting your students’ email addresses and passwords and things like that.
Shaun James: Right, and all their personal information, so for me, I send out some gifts to my students when they first enroll, depending on what they enroll in and so on and so forth, and I collect their mailing addresses. A lot of people don’t put their right mailing addresses, but nonetheless, the users that are serious, they put in their real address. I want to protect that information.
I don’t want to give that out to anybody that may be eavesdropping, and it doesn’t have to be anybody eavesdropping on the websites, and their computer could be compromised from somewhere else, a suspicious download or a crazy email or something. Their computer could be giving up the information, not necessarily our website, so I want to make sure that no matter what, both of us are protected so we create that encryption.
Chris Badgett: That’s awesome. That’s awesome, and I’ve heard of a simpler plugin than Wordfence called Limit Login Attempts, which all that does is, I mean Wordfence does a lot of things and I’ve used it a lot too, but Limit Login Attempts just helps with that brute-force situation where someone can only forget their password three times, then they get locked out for-
Shaun James: Exactly, and what that does is ban it by IP address, so even that said, that’s not even really safe anymore because you have things like VPNs and proxies. Tor was an infamous proxy that used to switch your IP address or your proxy fake IP address every so often. If I was a BruteForcer and I’m using Tor to do that, all I’m going to do is shut Tor off, start it back up, fire the attempts again, and of course, I have a new IP address and I can keep hammering the system.
You also don’t want to set that threshold too low, so if you set it at three, now the user’s locked out, blocked by their IP address. They can’t really just change their IP address. Now there’s support tickets and chaos, so you have to find that happy medium with the threshold to set it for a lock out.
Chris Badgett: Yeah, that’s a good point. I like what you were saying, too, where sometimes things are just obvious, like if I’m going to a website and I’m like, “Hey, I wonder if that’s a WordPress website,” I actually just add wp-admin to the end. I’m like, “Oh, there’s the login window.”
Shaun James: Right.
Chris Badgett: WordPress used to, they used to create the first user account with the username Admin, so, okay, now all I have to guess is the password.
Shaun James: Exactly. Seems pretty easy.
Chris Badgett: Yeah, yeah. Security is something that keeps evolving.
Shaun James: Sure.
Chris Badgett: It’s always just worth looking at, but what about, let’s talk about eCommerce a little bit. Help me understand this issue with, like with Lifter LMS, if you sell with credit card, there’s a screen powered by Stripe, a little part of the checkout screen, and then, but Stripe is actually handling the PCI compliance or whatever. Me as the site owner, on my website and in my Stripe account, I can only ever see the last four digits of the credit card number or whatever.
Shaun James: Right.
Chris Badgett: We’re used to that when we call somewhere and they’re like, “Hey, what are the last four of your credit card,” there’s some security checks in place there.
Shaun James: Sure.
Chris Badgett: If I’m selling credit card, accepting credit cards on my website, am I good with Stripe and a SSL certificate? Is there anything else I need to think about there?
Shaun James: No, you’re pretty good because Stripe themselves has to self regulate according to PCI DSS compliance, like you said. That’s a very strict compliance they have to meet at a certain amount of months, I think it’s now three. Every three months, every quarter, but they have to have their own set of security there. First of all, they have to have SSL, that’s number one, primary, before they ever get their certificate to be able to do any kind of credit card transactions.
Two, when they’re storing the user’s information, credit card, so on and so forth, it has to be encrypted. You have the point to point encryption, which is the SSL, and then when it’s stored on the server, you have to have security at rest. There is strong encryption there to encrypt the actual databases where the credit card information is stored. It’s not impenetrable, it happens all the time, you see whatever bank gets hacked, whatever credit card company gets hacked, and the things are leaked.
Ashley Madison, the whole nightmare that went down there with all those poor guys that lost their credit cards and their personal information and everything else, it’s just a common occurrence, but you’re safe as a teacher, as a course provider, because you’re offering the best encryption you can from them to you, and then from you to Stripe, that’s handled on Stripe’s end. Stripe has to create that encryption tunnel. Users usually are secure in that way. It’s not impossible, like I said, to interrupt that transmission. There are ways to do it, but it’s not something that’s going to happen every single day.
Chris Badgett: I got you, okay. Well, also, since I have the expert on the line here, I wanted to, I’ve heard of SQL injections or whatever, so anywhere there’s a form, like a comment on a blog post or a contact form, a hacker can insert malicious codes through those areas where they can input stuff sometimes. Can you tell us a little bit about how that all works?
Shaun James: Sure, so SQL injections, or SQLi, is basically where, whenever you create a website that has any kind of interactivity to it, you click a button, you go to a different link, you fill in a form, all that stuff has to be stored somewhere. SQL is basically a database where it stores that information. When code’s written improperly, it allows users, or malicious users I should say, to actually inject malicious code into that to trick the database server into giving up the information to unprivileged users. When you create a database connection, you’re saying, this username, this password has access to change, modify, update whatever tables inside this database or retrieve that information also.
When I trick it to do it, it’s because the code doesn’t properly sanitize my input. I can, for instance, if you ever notice, you go into a webpage that says, www.somesite.com?php or index.php?id= and then a number, that’s very susceptible sometimes to a simple attack. If you put an apostrophe there, you can see that it returns an error. When it returns an error, you can say, “Okay, this is susceptible to SQL injection,” you can go further. It’s just, it doesn’t properly sanitize that extra character that I put in, so it gives up that information.
With that being said, once I’m able to do that and figure out that there’s some errors there and it’s not properly sanitized, I can drop the entire database table. I get usernames, passwords, credit card numbers, social security numbers, everything. That’s how a lot of these big hacks actually work.
Chris Badgett: Is that scraping? Is that what that’s called? If you, let’s say you want to get all the emails or credit cards out of something, what’s scraping?
Shaun James: Well, scraping is a tool or sometimes people actually, before there was tools, we used to do it manually, go in and view the source code of a website and do searches for whatever, email addresses or usernames, passwords, things like that. Scraping is basically a tool that goes to the website, does the same thing, opens it up almost in a text editor, if you will, and pulls down any kind of information that you want it to get.
For instance, an email address, is there a list on a website for support, for, a lot of websites for whatever reason still have directories of employees, I don’t know why, with email addresses and telephone numbers and all this good stuff, so if I wanted to, for instance, do a spoofing attack, I’d go scrape the website, get all the email addresses. Now I have the email addresses, I can either try to break into their emails or fake an email to somebody else in the company from somebody else in the company and get them to open a file, and then I’m in to their company and that’s it, it’s over. A scraper is really just going to the website, pulling the information down and having that information available to you for whatever use.
Chris Badgett: Got you. Well, let’s talk about another area that has always, I’ve always wanted a deeper understanding on, especially with WordPress sites, is where does all that spam come from? Is that really a security thing, or are those bots that, leaving comments that have nothing to do with the blog post? What is that?
Shaun James: Well, so I usually recommend using plugins that would use reCAPTCHA, which is Google’s idea of trying to defeat these robots or spambots. The comment spam comes from just being, somebody smart enough to be able to write code to find a comment section, input the correct fields, and then hit post. Really, every time you hit a button to post a comment, it’s just a data packet. That’s all it is. It’s a post or a get or something like that in the HTTP protocol. It’s pretty simple to actually make those things. That’s why I think that WordPress should just roll out with reCAPTCHA right off the bat.
Chris Badgett: Right.
Shaun James: You know what I mean? It’s so common now. It’s constant.
Chris Badgett: Yeah, no. There’s no reason to get up to 500 comments pending in the queue.
Shaun James: Right.
Chris Badgett: I agree with you that they should just, at least have it turned on by default.
Shaun James: Right, and the thing with comment spam is, if it’s, SQL injections are not the only thing you can do with forms. I can do JavaScript injections, which are called remote code injections, and I can actually upload or post a comment that looks like a normal comment, “Hello everyone, welcome to whatever,” and inside that, hidden, is a payload that will steal your cookies, your login information, redirect you, whatever. Download a file to your computer or whatever.
It’s pretty important to have that, too, because there’s a lot of people that create those bots that go out and look for vulnerable forms to post that kind of code into, and that’s how they create botnets, is basically taking over one computer to take over 100 computers to take over 1,000 computers and so on and so forth.
Chris Badgett: That’s like the concept of a worm, right? What’s a worm?
Shaun James: A worm basically replicates through a network, and it’s, it used to be where it’s like a user got something and say if there was 10 computers on the network, the worm would actually be intelligent enough to try to search out these other computers, see if there’s any open shares, everybody shares files across a network, and replicate itself through those shares and then execute itself. Then it would take over all 10 of those computers and use those 10 computers for whatever it was, distributed computing, compiling code, trying to hack other people, and now that’s really turned into botnets, as we all know, we see on the news.
The hacker group Anonymous, you know they’re so infamous for DoS attacks, or denial of service attacks, and that’s how they do it. They don’t necessarily just use one tool, because it’s easily preventable. They’ll use 10,000 computers that they have at their will by one program to command them all to attack something.
Chris Badgett: Yeah. Back in our agency days, we were helping clients who sometimes were suffering from a DDoS attack, which is like a, it’s a lot of fake traffic that, it’s too much traffic and it causes the websites to crash.
Shaun James: Right.
Chris Badgett: Well what, so what causes, what if somebody, how does that happen and how are you supposed to fix it?
Shaun James: You’re talking about a worm attack or something?
Chris Badgett: Or just like a denial of service, like, “My site keeps going down, there’s all this fake traffic. What do I do?”
Shaun James: There’s a great, great company called Cloudflare, and what they do is actually content filtering. What they’ll do is mitigation of those attacks, so like you said, the attacks work by additional, DDoS stands for distributed denial of service attack, meaning there’s multiple computers all over the world attacking one website, server, what have you. What Cloudflare does is actually redirect that bad traffic away. It doesn’t really necessarily shut down your website. They have what’s called a CDN, which is a content delivery network, so they spread your site over around multiple servers.
Now Google and Yahoo and all the big companies have been using that for almost a decade now, and now Cloudflare actually does it for free, pretty much, I think. That’s the only way to really mitigate that. Back in the day, I used to write custom scripts on my servers in the server company to actually deal with that. I would set a threshold to say, if there’s five connections from this same IP, take that IP address and send it to fbi.gov. Let them go attack fbi.gov and get arrested.
Chris Badgett: Right.
Shaun James: There were ways to do that, but now it’s more efficient. Cloudflare is just awesome. There’s other companies like that, like GoDaddy has their own little thing that they do there, but I’m pretty sure they use Cloudflare as their back end anyway. It’s all DNS mitigation now.
Chris Badgett: Got you, and we use WP Engine ourselves too for all our sites, and we’re really happy with it. I know there’s also, if you do get hacked, what’s somebody supposed to do? Where do they turn to to trust? I can just share, in my experience, when I first got hacked, the story I was telling you earlier, that’s when I became a customer of a company called Sucuri, and they cleaned up the hack and then they, I paid for extended firewall service and monitoring. I had a great experience with Sucuri. Where should people go? How do they know where to go if all of a sudden their site’s redirecting or they’re getting weird ads or things appear to not, so they might be hacked, what should they do?
Shaun James: Sure, so the very first thing that I would do is shut down the website immediately because you don’t want anybody else getting infected. You certainly don’t want it getting worse and you definitely don’t want to ruin your reputation, especially if you’re a popular site. Then what I would do is, again, backups are key. Restore your backup.
Change your password, because it’s possible that they broke your password and that’s how they got in. Change your FTP password, which is where you upload your files to change, any kind of control panels, back end admin logins, change all those passwords. Password security is key here. What I’ve noticed with Lifter LMS is, from default, it makes you use a secure password, which I love that. I do.
Chris Badgett: That’s a public service that we do that some people don’t like and they immediately set it to weak, but we’re trying to be good citizens of the internet here.
Shaun James: No, that’s awesome. Yeah, and that’s awesome because it doesn’t take just your admin account to be hacked. It could be a user’s account. It could be anything, anybody that has any kind of right access on the website, so really what you want to do is shut down the website immediately. Change the password to your FTP first, because that, maybe that’s how they got in, they cracked your FTP username and password. Change that password first.
Change any of your control panel passwords. Restore a backup and figure out where the hack came from, so there’s various sites out there, I’m sure you can Google and search for them, that will actually scan your website for malicious code. Again, the WordPress Engine is pretty good at protecting against that stuff, and also, Wordfence is pretty good at protecting that. Maybe you have an outdated plugin. Maybe it was some code that wasn’t written correctly and allowed a remote injection or some sort of payload upload or something like that. Very first thing is always keep a current backup.
I like to make backups every day. I’m just crazy like that, but just in case something does happen. I’m not a guy that wouldn’t get hacked. I’m sure at some point it might happen. Hasn’t happened yet, thank god, but it’s, anybody’s vulnerable. The NSA gets hacked, for god’s sake, so they have millions of people working to protect their security and they get hacked by six year old kids in Indonesia.
Chris Badgett: Wow.
Shaun James: There’s nothing you could do to prevent it. Really, there’s nothing you can do besides not be on the internet, but really, that’s the first step I would do, is to make sure you [inaudible 00:26:10] and then change your passwords and restore your backup.
Chris Badgett: That makes sense, and yeah, backups are really important. Some people overlook it, and especially if it’s your main business or you spent a lot of time building it up. You should have a good web hosting company that’s doing automated backups. You should have a copy locally, like on your computer. Download it or put it on a hard drive or something, and then if you want to get really crazy about it, download it, put it on a hard drive, and then keep it in a different location in case your house burns down. You can go to-
Shaun James: You can go really crazy.
Chris Badgett: If you’re making a lot of money off your platform, you should treat it-
Shaun James: Invest in it.
Chris Badgett: With an insurance policy like that.
Shaun James: Sure, sure. You definitely invest in it. Listen, we don’t do a million dollars a year in my course. We’re still getting traction here and getting going, but the thing is, I like to invest in any kind of ventures that I have a vested interest in, whether it’s financial or time or labor or whatever. I was going back and forth between a cheaper web host, hosting it myself, or somebody that’s going to do it for me and it’s just done.
If I have a problem I go, “Hey man, I got a problem. Can you fix it, yes or no,” and that’s it. I don’t have to worry about the nuances of fixing it and worrying about it and all that stuff. WordPress Engine does automatic backups, which I think is awesome, even for the lowest level plan. You really can’t beat that, but backups are definitely key.
Chris Badgett: Yeah, yeah. WP Engine is, I think their one-site plan is $30 a month, which is more than the $10 a month shared hosting plan starting point that a lot of people start with, but the peace of mind that comes with some of their security measures, backup system, a staging environment for testing stuff, it’s worth it. You’ll end up paying eventually for other services or whatever.
Shaun James: Right.
Chris Badgett: Well, let’s talk a little bit about the difference between web security and personal security. Where does the internet stop and where does personal security begin? What do you mean by that?
Shaun James: Well, so you could have the most secure website in the entire world, where it’s password protected, encrypted. You could have all the bells and whistles that we spoke about, and then some, and it still may not be good enough. Here’s the thing. Everything comes back to you in the end. You have to have some sort of personal responsibility for your users’ security, your students’ security, what have you, and that starts with your own personal security.
Again, there’s no way to protect you 110% besides not being on the internet. I know I keep saying that, but it’s, that’s the truth. That’s the reality. The thing is, your personal security is key. If you’re not really, like Windows is very susceptible to hacks, and it’s hacks and viruses and malware and all sorts of bad stuff. If your system’s compromised, it doesn’t matter how good your website security is. If you log in to your website, there’s a possibility there’s a keylogger, which captures your keystrokes on your keyboard on there, and it sends it to the hacker. Now the hacker doesn’t have to do anything, just log into your website.
Usually you get those kind of infections by downloading files. I know, I used to be, when I was in IT repair, viruses were my key business. I’d charge $100 per virus removal. It’d take me 15 minutes to an hour, and these were repeat customers, like every week, it was like a bad drug habit that these people had. They wanted to download everything, every little popup that came up, “Download now,” “Okay, great. Run it? Sure.” Email attachments, that was huge. “Oh, Johnny’s sending me a document, let’s open it up.”
It was just crazy, and the problem is that that’s really considered what we called social engineering, right? I’m tricking you, as a user, whether I’m spoofing email addresses or sending you questionable information, and you just don’t know any better, and I take advantage of the human element and I trick you into downloading something, clicking on a link, what have you. Now I take hold of your computer and everything that your computer does from there on out, I take over that. Even SSL is not going to save you in that way because SSL starts when you actually send the information. When you’re typing it in there, you could be typing into a secure form, but if I have a keylogger in your machine, I’m capturing those keystrokes before they even leave the computer to the website.
Again, personal security’s key. You have to have a good antivirus. That’s first and foremost. There’s a lot of free ones out there which are really good. Your firewall in Windows should stay on. You don’t want anybody jacking up your system there, and you should just use some common sense. Don’t download everything on the internet. I promise you it’ll still be there tomorrow. Make sure your email attachments are really coming from the people that they say they’re going to come from. Don’t click on links in emails. That’s another common way people get infected with all sorts of good stuff, and that’s it. You have to just have some logic behind using a computer these days.
Chris Badgett: Yeah, and the reality is, it’s just out there. Facebook, you see all the time where somebody, we’re almost getting comfortable with it as a society, like, “Oh, hey, ignore all that. My Facebook account got hacked.” I’m like, “Oh, that’s why you sent me all these airline ticket deal sites and some discounts on some Ray-Ban sunglasses, and I haven’t heard from you in two years.”
Shaun James: Right, exactly.
Chris Badgett: We’re getting comfortable with it, but if you’re going to be on the web, you have to get comfortable with the realities around that, around information and security.
Shaun James: Sure.
Chris Badgett: We’re not trying to scare anybody, but talking about your actual machine, your laptop itself, it’s important to take that into the equation. Some of the things that I see that some people who are the most concerned about security or are paranoid about it or whatever, they put a piece of tape over their camera. Somebody can actually hack your camera, is that right?
Shaun James: Yeah. Actually, I do the same thing. To be honest with you, I turn my camera off in the computer, and I still put a piece of tape over it because, realistically, I don’t want anybody seeing what I’m up to in here. If I’m typing away and working on something or if I’m having a conversation, even the microphone inside the keyboard or my microphone here can be turned on and anybody can be listening to you.
If you’re worried about it, turn it off, unplug it, put a piece of tape over it. My microphone, like I said, I unplug. I’m a little paranoid myself because I know what can actually be done. Not that I have anything to hide, it’s just, I’d rather not have the availability for somebody to listen in on a conversation. For instance, I’m talking with my lawyer about bank accounts or about bank numbers or something, credit card, I’m on the phone giving somebody a credit card number or something, I don’t want anybody hearing that potentially.
It’s all due diligence to yourself. You got to have some sort of self responsibility. Not to make people scared, like you said, where, “Oh my god, hide the laptop underneath the mattress or in the safe or something every night,” but the point is that, try to take care of yourself because there’s no one piece of software or hardware or any kind of security whatsoever that’s going to cure the human element. We’re vulnerable as people. That’s just the way it is. We’re very trusting in nature, so people abuse that power.
Like you said with the Facebook stuff, so Tom Jones is on your friends list. Haven’t spoken to them in a couple of years, but you see him and you want to follow up with him and see what’s happening in his life. Tom Jones says, “Oh, so many people viewed my profile today. Sure,” and then it says, big stupid button, “Log in with your Facebook account.” Oh, that’s easy. They click the button, and now they just gave their username and password away. It’s a no brainer that their account’s now used for spamming purposes and try to grow whatever it is that the spammer is after. It’s just the way it is. You have to use some due diligence.
I always yell at my wife on the tablet. “Don’t click anything on Facebook. Just don’t do it. Stay away from my laptop for sure, and whatever you’re doing on your stuff, just don’t click anything, don’t sign in with anything, just stop. If you have a question, ask me.”
Chris Badgett: Yeah, and while we’re talking about personal security, one of the other things I just wanted to bring up, if you’re doing a security audit of your online course business or whatever, you probably, when you set up your Stripe account or whatever, I recommend treating your business like a business, even if it’s from your laptop from home or kitchen table or whatever. You probably set up a bank account for your business and you connected your, the Stripe account to your online course business website, or bank account. Also your personal information, like your business name. You don’t have to make that your home address. You can get a-
Shaun James: PO box.
Chris Badgett: UPS Store box or one of these, whenever you see suite whatever, those are business mailbox services. If you want to maintain a degree of privacy, at all levels there’s always another step up that you can take if you want to take that kind of stuff into account.
Shaun James: Sure. The thing for me is I teach cybersecurity, right? A lot of my students are just, they just want to hack something. A good portion that sign up want to be jerks, too. They just, they probably already know some stuff and they just want to get at me because of my popularity on the internet with the network security and the YouTube channel and everything else. It’s just common ground for guys like me.
A lot of guys in my industry have this happen to them all the time. They do a couple talks, they do some conferences with other hackers that are at the conference, and you have somebody that just has it out for you for whatever reason. “I hacked the big guy.” Everybody used to be after Kevin Mitnick, a good friend of mine, one of the world’s most known hackers ever. That’s just the nature of the beast.
From what you were saying with the PO boxes and stuff like that, keep your personal information guarded. None of my personal information is online. It’s just not. I don’t even use my real last name. That’s how serious you have to be because there’s people, when you get to a certain level of whatever it is you’re doing, there’s people that want to ruin it for you and they just want to harass you and send crap to your house or just be jerks. Try to treat it as a real business, like you said, and keep everything separate from your personal life and just make sure that your mailing address is not your house if you’re worried about that. Make sure your bank account’s a business bank account, and you shouldn’t have any problems.
Chris Badgett: I’ve heard of one more that I just wanted to ask you about while we’ve got you on the line about personal security where, if you have a phone, smart phone, or your laptop’s in a bag, people can wear these devices that literally pull data from other devices as they walk by you or something like that.
Shaun James: Yes.
Chris Badgett: Can you tell, again, we’re not trying to scare anybody, I’m just trying to raise some public awareness about security outlets.
Shaun James: Sure, so yes, there is, it’s referred to commonly as RFID, which is what credit cards use and things like that, to give out your information. Magstripe readers, things like that, so even Bluetooth enabled cell phones. Everybody’s walking around with smart phones, like you said. I can hack your Bluetooth and take your contacts, anything you have in your phone, anything you saved inside your phone, pictures, emails, the list is brutally endless.
Here I have my old cell phone here, it’s just an old HTC, and I’ve reprogrammed this to actually do the same kind of things. Here’s my new phone, it’s an iPhone. Doesn’t matter that they’re two different operating systems. It just doesn’t matter. If you’re walking by and you got Bluetooth on this, steal, and I walk by like this and I crack your Bluetooth key and I can steal all your information, download it to the phone, you never know.
For instance, I live in New York, so if I’m in the city and I’m walking down a street, I just hold this right like I’m looking at a cell phone, like every other dummy that’s walking down the street, and really I’m collecting everybody’s information. It’s just the nature of the beast. Technology is a double edged sword. It’s a good thing because we get to do a lot of cool stuff, science and technology and stuff, but it’s also a bad thing because everybody puts all their stuff out there. Everybody does. Companies, regular people, everybody. Everybody does it.
Chris Badgett: Right. Well, tell us about your course, Shaun. Who’s it for and what, who’s it a good fit for and is this a good career for people? What kind of people is it good for? Who are you trying to help and what’s the dent you’re putting in the universe with your online course?
Shaun James: Sure, so for me, I offer a different way of teaching than most other people, and that’s what I’ve been told on my YouTube channel and everything like that, so that’s why I keep progressing with this idea that I have. It’s really for anybody. If you want to make a career change, I’ve got a lot of people that were stockbrokers. I’ve got a lot of people that were bankers or people that were just factory workers, people that were in the military and have nothing to do when they come out, they sign up for my courses. I even have people that are in IT that are just looking to change in a different direction and stay in the same relative field that sign up for the courses.
I teach them from complete beginner. I could teach you in 30 days or less how to become able to do a penetration test. The goal for me is to have more people that are on the good guys’ side than the bad guys’ side, because the bad guys are always 10 steps ahead of us no matter what we do, how smart we are, how many people we are. The idea is to grow the cybersecurity community and the problem is that school is very expensive. I’ve paid $16,000 for six months of schooling, and then you have other online courses that are $5,000 for boot camp, and you don’t really learn much. They assume that you know a lot already.
I fit somewhere in the middle, and I help people at an affordable fee to be able to progress into a career into cybersecurity, and you don’t really have to know anything when you sign up for my courses. I’m trying to make the world a safer place by putting more good guys out there than bad guys, like I said.
Chris Badgett: That’s awesome. Well, what’s the name of the course and your website and where can people find out more about you if they want to connect with you on YouTube or social media or anything?
Shaun James: Sure, so it’s pentesteruniversity.org. That’s the website, and we have one course up there right now that I’m in the process of completing to upload the content, which is Penetration Testing for Beginners. Then we’ll have an Intermediate and an Advanced course, and then we’re going to have Linux courses and Web Security courses and all sorts of good stuff up there continuing on from our old platform.
If anybody wants to reach me, they can go to the website, reach me there. There’s a contact us form, a secure contact us form. My YouTube channel is NetSecNow, it’s N-E-T S-E-C N-O-W, and that’s where I got 35,000 guys so far up there. Feel free to reach out to me anytime. If you have any questions or anything, just contact me, I’ll be happy to help you.
Chris Badgett: Awesome. Well, thank you for coming on the show, Shaun, and I really appreciate you sharing your experience and helping us all level up our game when it comes to security, so thank you.
Shaun James: Great. Thanks, Chris. Thanks for having me, and thanks for the good work on Lifter.