Is your event safe from major event cybersecurity risks? Are you doing everything you can to secure your online data from attacks? As event profs, we hold so much data within our registrations, software, and events. We have people’s addresses, credit card numbers, emails, phone numbers, even flight and hotel information. If you aren’t protecting people’s information, you are making yourself and your clients an easy target for a cyber breach. If event cybersecurity is not on your radar yet, we guarantee you by the end of this episode of Event Tech Podcast you will be running to your computer to implement the tips we are about to share!
In today’s episode of Event Tech Podcast, Will Curran of Endless Events and Brandt Krueger are going to talk all about cybersecurity at events, why it will be the next big thing (and should be!) in event tech, and how you can take steps to improve your event cybersecurity. Will and Brandt will share their top three ways to protect your event’s information, how and what cyber attackers will look for, personal anecdotes and more. You cannot miss this episode!
Intro: Welcome to the Event Tech Podcast where we explore the ever-evolving world of event technology every week. This show is brought to you by Endless Events, the event AV company that doesn’t suck. Now, let’s talk tech.
Will Curran: Hey ladies and gentlemen this is Will Curran from Endless Events, and joined by the lovely, as always, handsome.
Brandt Krueger: I was gonna say I like how I’m always the lovely Brandt Krueger. That’s not a moniker I get very often.
Will Curran: Am I the only one who calls you lovely Brandt Krueger?
Brandt Krueger: I think you are.
Will Curran: Does your wife not call you that?
Brandt Krueger: No. No. I don’t think she’s ever called me lovely.
Will Curran: Oh my gosh. It’s like man crush Monday over here, which is ironic because we publish this show on Mondays too. All right. So good.
Brandt Krueger: With that being said.
Will Curran: That being said, everyone, today we’re talking about why cyber security is the next big thing in event tech, and why you need to be concerned about what apps you’re using, how the data is being handled, your wifi security, and just generally be a little more perturbed about how you’re doing your security.
Will Curran: Brandt and I have been doing a session, and let’s be honest, it’s Brandt’s session. I’m here just to add comic relief.
Brandt Krueger: Oh, no.
Will Curran: Brandt, and I, have been doing a session all over the interwebs, and all over the events industry conference circuit, about why you need to be worried about your cyber security. We figured, naturally, we should do a podcast about it. Should we dive right on into it Brandt?
Brandt Krueger: Should we do a podcast about it?
Will Curran: We should do a podcast about this rather than just talk about it. No, actually, let’s rewind. Something we don’t get to talk about when we do this session is why did you get interested in this. You kinda spurred me to thinking a lot more about it as well. I was kinda already there, but then you really helped me kickstart my interest in it. How did your interest in cybersecurity kinda get started?
Brandt Krueger: It’s been a few things. Part of it has just been my personal podcast listening that I’ve been doing pushing about 10 years now, probably more than that. I discovered podcasting when I was a new dad, and started trying to find things that I could listen to quietly while the baby’s sleeping, or while trying to rock her back to sleep, and stuff like that.
Brandt Krueger: I’m pretty sure I had a Blackberry Storm at the time listening to podcasts.
Will Curran: Whoa.
Brandt Krueger: Yeah, I know.
Will Curran: Whoa.
Brandt Krueger: By the way, that thing got a bad rep. That’s a podcast for another time. That was actually a halfway decent device. Anyway, I was listening to a security podcast, and have been for the better part of the last ten years called Security Now, and it’s by a guy named Steve Gibson who was the OG cybersecurity guy, like, literally coined the term malware, and spyware, and things like that, and was one of the first ones to kinda realize that viruses, and things like that, were really going to be an issue.
Brandt Krueger: I’ve been kinda steeped a little in that world for a while, and then more recently I heard an interview with one of the winners of kinda the hack-a-thon things that they do at the Black Hat type conferences. I don’t remember which one because there’s a couple of them. She was really good at doing the social engineering side of things, the get a hold of this person, get their email, then pose as this person on the phone, and then you get this information, and using very little information to start with, but then getting to the ultimate goal of finding something out from a top-level CEO. That kinda thing.
Brandt Krueger: In listening to her talk about how she was getting the access to this information it really started to dawn on me how vulnerable we are as an industry. The amount of information that we are the guardians for is really pretty ridiculous. We’ve got personal first and last names of executives, titles, email addresses, phone numbers, personal cell phone numbers, travel itineraries, hotel reservations. All of this information is a gold mine for hackers because all they need is a couple of legitimate pieces of information to track … we can get into some of this stuff later, but to crack phishing emails, and things like that where they’re able to make it look like it’s a legitimate email coming from the registration when actually it’s gonna take you to a webpage that takes control of their computer, and all of a sudden you’ve got the keys to the castle.
Brandt Krueger: The information that we’re sitting on is a tremendous treasure trove for hackers. Combine that with some of the high profile hacks that we’ve seen over the course of the last few years, so think about Target, Home Depot, Equifax. Most of these big hacks, especially thinking about Target, and Home Depot, they came in through the side door. It wasn’t that Target themselves got hacked it was I believe in that case it was an HVAC company that they contracted with that they’ve given somebody access to something, so the hackers came in through the HVAC company.
Brandt Krueger: Home Depot, it was coming in through the company that built the credit card readers. It wasn’t even that these companies themselves got hacked, it was coming in through the side door. Well, guess what? We’re that side door. It’s not so much that somebody’s gonna hack me personally, and get my personal information, or my company information, it’s that they’re going to use me to get to my clients whether we’re a planner, or a vendor, some kind of registration supplier, we’re gonna be the soft target on the side that hackers use to get to our high profile clients.
Will Curran: Preach, oh my god, that was amazing. The first time we talked about this I had to agree 100%. I’m definitely not gonna debate you on this one for sure. I think that it’s just so obvious, and I think the warning sign has been already shot with the big Marriott hack, is that everyone realizes, they’re like, oh, well, oh my gosh, I can’t believe this just all happens. Like, guys, that’s one degree of separation from all of us.
Will Curran: I can’t say a single planner out there who doesn’t have a Marriott account that probably wasn’t by it. That’s just personal, but then think about it, all the executives that probably stay there. Oh my gosh, it just goes on, and on, and on.
Brandt Krueger: They weren’t even the [crosstalk 00:06:46].
Will Curran: I think the thing that-
Brandt Krueger: You asked me kinda where did the kernel come from, and it wasn’t any kernel, it’s been a roll. It’s been one thing after another, after another, after another. There were other high-end chains where the individual hotels were being targeted in East Asia countries where they targeted specific executives’ accounts at these high-level luxury hotels, and I got to be honest with you, most of those just kinda got swept under the rug.
Brandt Krueger: There would be a quick little news announcement, I won’t say the names of the chains, because I’ll probably get them wrong, but it was all the big names of luxury hotels would get hacked, and then you’d never hear about it again, and then it would be another one. I think it was only because this Marriott one was so big they got stuck, and their name stuck in the news cycle, as opposed to kinda the onesies and twosies that were happening before.
Will Curran: I think you bring up a good point, too. I think you used the term, you call it like an attack vector, right? The attack vector is us as the events, and things like, for example, our registration systems, it’s our event apps, and it’s all just a starting point. It’s funny because you hear about it all the time, and I think one of the things that had made me more aware of it, at least recently, was when I signed up for Dashlane, and they notified me every single time there’s been a breach of data, and some of these things I’m like, wait, I’m a user of this. I didn’t hear about this in the news at all.
Will Curran: The only reason I’m getting notified is because Dashlane just does a really good job monitoring it. I just can’t believe on at least a weekly basis I think you joke about it because I just send you … I’ll be like, oh, by the way, did you hear XYZ got hacked, and you’ll be like, yep, just another one. It seems like it happens every single week. It’s funny because how much the news can kinda protect it, or if they do a good PR crisis management, or a crisis communication as our good friend Alex would say.
Will Curran: They can really sweep it under the rug, but this stuff is happening all day left and right. We have to really make sure that we’re being diligent in protective, otherwise, we’re gonna be in big trouble.
Brandt Krueger: Exactly. You mentioned the attack vectors, so it probably makes sense to spend a couple of moments talking about some of the ways that we’re vulnerable as an industry. One, I kinda mentioned a couple of times, and that’s the registration platforms themselves. We’re kinda just assuming that whoever it is we’re hiring has some kind of cybersecurity in place. When I hire registration platform X I’m just assuming they’ve got folks that are in charge of that kinda thing, and I don’t really have to worry about security.
Brandt Krueger: The problem is I can’t tell you the number of times that I’ve been on site and registering for an event, and you look down, and you see the laptops that they’re using, and you can see the password has been written on the screen on a sticky note stuck to the side of the laptop screen for whoever random temp worker X who’s coming to work the event, so they can log into the registration platform, or where the planner or someone else who needs access to that, and same kinda thing.
Brandt Krueger: You set it to something that you can remember, or you set it to something that you can get … we’ll get into what we can do about all this stuff later on, but for now just know that it’s not so much that the registration platform itself again is gonna get hacked, it’s more that we’re using insecure passwords, or we’re writing them down on little slips of paper, or those kinds of things.
Will Curran: I think you bring up a really solid point about just the fact that there’s also the temp workers. That’s something we talk a lot about, because how many times do we say that? You wear a black polo, and black pants, and you can walk in anywhere and do anything you want. Far too often, just think about it, how often have you had it where someone just shows up and says, oh yeah, I’m here to show up for XYZ duty, you go, okay, cool, boom, and they have the keys to the castle.
Will Curran: Not only on the physical security side but just the fact that, yeah, they could easily get in there. I remember talking about registration platforms one of my clients is doing the whole Self-Reg thing, and I totally get it. Self-Reg, super cool, you can go up and do it real quick, save us on staffing cost, but I walked up one time I think it was before the conference even started, and they had the platform all up, and I just realized I could just export that list, and get in there right then and there, and steal all the information, and it wasn’t even that hard.
Will Curran: Granted, again, I wasn’t staff wearing a shirt, maybe someone from the hotel, or maybe someone from the event might’ve been weirded out when they saw me walk up to the laptop, but I doubt anyone would’ve. I could have totally made off with that data if I was just a random Joe Schmoe walking through the hotel.
Brandt Krueger: That’s one of the things that Steve Gibson the podcaster that I was talking about talks about all the time, is the balance between convenience and security. Convenience and security are kinda like natural enemies. The more you make it easy to access information and get to information, and register, same thing as physical security. If you make it really easy to get in and out of the room as in there’s no security. There’s no security. That’s the easiest level of access.
Brandt Krueger: If you have someone scanning a badge that’s better than nothing. If you have someone checking ID that’s even more than scanning a badge, but it’s less convenient for the attendees. While we’re implementing all this technology to make it easier to register, and easier to get in and out of sessions that also means we’re opening that technology up to be used and abused, and it can be taken advantage of.
Brandt Krueger: You mentioned on-site staff, and that’s a perfect example of another one of our vulnerabilities. Like you mentioned, yeah, I’m a 40 something-year-old white dude. If I put on a black polo I can go anywhere in a hotel. Honestly, I don’t think I’ve ever been challenged in the 20 something years that I’ve been doing this walking down the back hall.
Will Curran: Once. Only once for me.
Brandt Krueger: You’ve been doing it a long time too. It’s one of those things where if you look like you know what you’re doing, and you’re wearing the right clothes, and look the right way, you can get access, physical security access to wherever you need to go. I can absolutely think, you know, now you start kinda extrapolate that out to temporary staff, or someone who’s … a lot of the kinda big news cycle stuff that we saw during the campaign, during the 2016, ’17, time was catering staff. People that were recording what was going on just tapping their phone, and putting it in their pocket, and recording things, and then releasing that information later, in what people thought were private events.
Brandt Krueger: That extrapolates out as well to audiovisual staff. You and I might trust the people we’re working with, but a lot of times the companies are bringing in local staff that they’ve never worked with before. You don’t know them from anybody, so you don’t know. Are you requiring your AV companies to sign confidentiality agreements? I’ve probably been asked twice maybe, maybe three times, to sign an NDA or a confidentiality agreement. Think about the stuff that we handle. I probably stomped on exactly what you were gonna talk about it, so go for it.
Will Curran: I was gonna say, I mean, yeah, the times that you get handed a hard drive with all this confidential information, but then I totally get it, like, let’s be professional, make sure you wipe the drives. That’s kinda the assumed thing, but no one ever makes sure that we do this. No one ever asked about the process. To be honest, if it wasn’t for the fact that A. we’re a little foresighted in knowing that we should wipe them, but how many times that I’ve already pulled up rental laptops and it still has the PowerPoint from the last show still on it.
Will Curran: Guys, if it wasn’t for the fact that I think some of these laptops don’t get wiped, install a new OS, or whatever it is to keep them running new, I mean, I’d bet there’d be PowerPoint decks back to like 1999 on them.
Brandt Krueger: The other side of that is the number of times that someone’s trying to save a couple of dollars, and so they don’t want to rent a laptop either from the AV company, or from a rental company, so they’re bringing in, oh yeah, we’ll use John from marketing’s laptop, and he’s got all these files on the desktop, and pictures of his kids on the desktop, and stuff like that.
Will Curran: Totally, and probably all his saved passwords in the browser.
Brandt Krueger: Again, you’re then setting that up in a room that anybody’s got access to, or at the very least maybe you’ve got some temporary staff, or somebody who’s got access to it, and if someone had malicious intent that again would be a gold mine of information.
Brandt Krueger: If anything, like you, say-
Will Curran: How many laptops are stolen from a show? A laptop’s been left our front of house, and you didn’t secure the venue, because you assumed the venue would take care of it, whatever it is. People have walked in and stolen laptops right off our front of house. Imagine that’s the CEO’s laptop, or your laptop, oh my gosh, that’s just kinda the physical bridging the digital side of things. My god, the data. The data.
Brandt Krueger: The data.
Will Curran: The data.
Brandt Krueger: The data. Yeah. Like you said, maybe you run into a rental company situation where they forgot to wipe it or something like that, but more often than not I’d say it’s safer to either get a laptop through your AV company or through a rental company for that very reason.
Will Curran: For sure.
Brandt Krueger: They generally do have systems in place to make sure that information is being wiped from a show to show basis.
Will Curran: Oh, you’re back. I thought I lost you there for a second.
Brandt Krueger: Oh, no, I was gathering my thoughts.
Will Curran: Oh, man. There’s so many thoughts.
Brandt Krueger: Sometimes I get deep into thoughts.
Will Curran: And sometimes you never get out. I’ve been there with you before.
Brandt Krueger: To go back to it, yeah, we talked about the onsite staff, and making sure that is something that you’re looking into. Kinda the next big category is hotel WiFi. I knew you would.
Will Curran: I want to get in this one. This is my jam right now. For those who don’t know we’re preaching the idea of making sure A. you’re looking at better WiFi, but also all the things that come with it. Ironically, I was literally doing a webinar two days ago, and I then reference this exact presentation that we give, and say, hey, you need to know as much about cybersecurity as you do why you need fast WiFi. Oh my gosh, I can talk about this one for days.
Will Curran: The tips that I have. I think everyone knows WiFi needs to be secure. You wouldn’t leave your home WiFi wide open for anyone to connect, because A Johnny down the street is gonna like download illegal games on it, and here you get served with a huge penalty from the Recording Industry of America or something like that. But then, sometimes people don’t realize that the reason why you also secure it is because the information passing over the WiFi can be picked up at any moment from anyone at all.
Will Curran: We just talked about the presentations, and the data on these laptops, and physical devices, but also imagine the data flying across the airways at your event. Let’s just talk about reg, and credit card data, things like that, for example, that can be easily sniffed off the internet, but then think about all your attendees who might be doing online banking, or let me log into my corporate email account. It’s terrifying how open these hotel WiFi networks are. When was the last time you remember actually entering a password into the WiFi?
Will Curran: I think this is where we always make sure we clarify. A lot of times when we say password a lot of people are used, okay, I connect to the WiFi, then a web browser pops up, and says enter the password, Aruba2019, well, no, we’re talking about when you actually connect to the WiFi network it will not do anything at all unless you enter the password. On Macs it’s in the top right when you go to connect to the network has a nice lock on it, on Windows, it will say secured right next to it. When is the last time you saw one of those at an event?
Brandt Krueger: The good news is the answer for me is this week.
Will Curran: Oh my god, it’s amazing.
Brandt Krueger: It really is pretty rare.
Will Curran: Our preaching is working.
Brandt Krueger: Other than that, it’s been very few and far between, and for some reason we’ve gotten in this mindset that if you’re in public it should be open, so when you go to Starbucks, or wherever you go and you’re just supposed to be able to click on it and go, and I think that started because people didn’t understand WiFi. Oh. It’s so confusing and weird, and oh, what do I have to do? I have to click on this thing, and then what?
Brandt Krueger: At this point, most people understand the difference between an open network and a closed network. A closed network you have to put in a password before it’ll give you access to it, and an open network then yeah maybe you get some kinda splash page, thanks for coming to Starbucks, now you agree to the terms of service and click and go.
Brandt Krueger: If you are seeing anything that is branded, or it says welcome or says anything other than enter the password then it is not a secured WiFi network. If it’s asking you for a meeting code, or it’s asking you for your room number, or anything like that, that is a not-encrypted WiFi network.
Brandt Krueger: You mentioned things like banking, and things like that. Theoretically, that’s all being encrypted in the web browser, so that’s when you get the little lock in the upper left-hand corner and all that kinda stuff. Theoretically, if you’re connecting to your bank over those connections it’s kinda saying are you who I think you are, yes, okay great. Now, we’re gonna encrypt between the two of us, and then all of that information wouldn’t be sent in the clear.
Brandt Krueger: You and I have told a lot of people, and again, we’re gonna get to some tips and tricks here at the end for what you can do to do about all this. You and I have talked in the past about tell people look for the lock, look for the lock. We’ve been saying that for years, and then I ran across an article just a few weeks ago where it basically said that something like 60% of all of the fake malware websites have the lock, so you can’t just look for the lock anymore.
Will Curran: Oh, no.
Brandt Krueger: It’s gotta be one of those things where … so what they’re doing is they’re getting security certificates. All that’s doing is saying hey we’re encrypted between each other. It’s not any kind of identity verification it’s just saying you’re encrypted, I’m encrypted, great. Let’s talk.
Brandt Krueger: And so, what they’re doing is they’re actually encrypting their fake website so that you’re sending your real information to their fake website, and it’s got the lock. Now, it’ll be BankofEmerica.com, or something like that, or Sorny.com instead of the actual address, but nonetheless, it is actually still encrypted. You can’t just look for the lock.
Will Curran: That’s terrifying too because Google made such a good effort with Chrome about three or four months ago to make it so now if your site is not encrypted it takes you to this big bright red page, and says warning, warning, warning. It made people like me who … like on my site there’s not a lot of really super private information we share. It’s like enter your email address and subscribe to the blog. Well, my site even needs to have an SSL. It’s called SSL or secure socket language. Did I get that right?
Brandt Krueger: I think so.
Will Curran: I’m sure you can fact check it while I continue on. Even my site needs an SSL certificate now. As Brandt said, yeah, definitely the lock doesn’t do enough.
Brandt Krueger: Close. Secure socket layer. Way to go.
Will Curran: Dang. I was so close. Rewind back to hotel WiFi, and why you want to make sure that’s secure. Big things are to make sure that it has the encryption on the WiFi obviously. One big thing too is now as Endless now we’re starting to provide WiFi for events is that also realizing that you need to put protections in place to also not allow your attendees to use the WiFi for malicious things as well. Ironically, because it’s not only the fact that they can get in to get the information, but also utilize it for nefarious things like I talked about.
Will Curran: You don’t want Billy Bob downloading the latest movie, and getting you in trouble for having him do that, so making sure that you have some sort of blocking firewall in action as well. If a lot of this sounds super duper confusing on the networking side of things Brandt’s and I’s biggest suggestion that we have is get a guy. Just find a guy who either knows network security, it’s the IT guy who set up all your networks at your office, like, you should have a person onsite just like you have an AV person to monitor all the AV and make sure it’s running well.
Will Curran: You should have a networking person onsite who not only is taking care of the security obviously, knows all the stuff, and can kinda talk jibber jabber to the WiFi providers but also as well can do as a bonus make sure that your speeds are good, and your quality of WiFi is really good, like, oh, if something has an issue they can help spot it and hold them accountable, so you don’t have to play tech nerd, which as much as I wish everyone knew everything about technology it just doesn’t make sense. With all this stuff moving so fast just get yourself a guy.
Brandt Krueger: Yeah. I’m a gender neutral guy, guy, by the way, so when I say guys I mean all kinds of people.
Will Curran: For sure.
Brandt Krueger: Just to clarify on that, because I know some really good guys that are gals. Talking about just the WiFi. For me, the ultimate thing that I want to kind of leave on this topic is just get that password. If you’re talking to the venue just set that password, because even if you set that password to 12345, and even if you put that password on every single piece of paper in the hotel including the toilet paper in the bathroom, if you put that everywhere, that is still more secure than not having a password on your WiFi and asking for a meeting code, or something like that.
Brandt Krueger: It automatically as soon as you put any password on your network itself that turns on encryption, and it just reduces the likelihood that someone’s gonna be able to sniff the traffic, and get information. If I can stress any one thing that’s probably my biggest thing. It drives me absolutely up the wall that we’re not securing our WiFi at our events.
Will Curran: Another bonus tip that I’ll add to this as well is as we start to provide this also create different virtual networks for different types of people who need to connect. For example, you need to make sure that you have a separate virtual network for all of your registration, your credit card processing. Attendees should not connect to that same WiFi in any sort of way.
Will Curran: Same with presenters. Presenters should be separate because they’re gonna have a lot of confidential information. I highly recommend if you’re gonna have any sort of executives from the team or something like, maybe they need to be on a separate WiFi, and exhibitors on a separate WiFi, and then attendees finally on a super simple, secure, separate WiFi that completely is completely secured, as Brandt said, have that WiFi password written on the toilet paper.
Brandt Krueger: Also, then if you’re able to if there is a problem start to narrow it down. On this event that I was just on from a setup standpoint, they did it properly. They had different networks for the attendees, the staff, for the iPads that were running the kiosk, they all had different networks, different logins for each one of those. We were actually able to isolate, hey, wow, the attendees one is actually running pretty well, but the staff one for whatever reason is getting hit, and so we were able to narrow things down for troubleshooting.
Brandt Krueger: When you’ve got everybody on the same network, well, maybe somebody’s watching Netflix, or maybe somebody’s … you’re able to start reducing the number of things that you need to check when there is actually a problem.
Will Curran: Preach. All right. Beat that one with a hotel router.
Brandt Krueger: What can we do to fix this? You’ve made me so sad. I just want to know. What can we do?
Will Curran: To fix hotel WiFi?
Brandt Krueger: What can we do to tell people to start making this better? We’ve scared the crap out of them hopefully at this point, so what can we do to start making it better.
Will Curran: Well, I think first thing is just be aware of the issue. I think that far too often ignorance is bliss. You think to yourself, oh, I’ll be fine, don’t worry, until your social security number gets posted by Equifax everywhere in the world. Now, you become an expert in data security. I think that’s one of the biggest things is like be willing to have the conversations about it, and ask the questions.
Will Curran: For example, when it comes to hotel WiFi, if you’re aware of the issue now you can also talk to it. For example, you’re going to your hotel you can ask them the hard question. What are you doing to keep me secure when it comes to your WiFi?
Brandt Krueger: I think that’s a great step, and then I think the other thing is changing our mindset a little. That it’s not somebody else’s responsibility. It’s not gonna be the vendor’s responsibility. It’s not gonna be the AV person’s responsibility. It’s all of our responsibilities. We have to take whether you’re a planner, you’re a vendor, you’re a venue, all of us involved in this thing we do called events we all need to take personal responsibility for security.
Brandt Krueger: What I’d love to do is like I say step number one, for me, number one, secure your WiFi. The second one and I know you’re down with this as well, is a password manager. You mentioned it to Ashley, and why don’t you tell folks about password managers.
Will Curran: I’m a huge lover of password managers, and Brandt and I have different opinions on our favorites, but they’re still both very good. Brandt is a LastPass kinda guy, I’m a Dashlane kinda guy, and it’s kinda like the Galway girl kinda thing you can be from Dublin, or you can be from Galway, either way, I just say that because I’m in Ireland right now. When it comes to password managers just get one. They’re so easy. I can’t tell you how many people that I referred to signing up for a password manager, and they say this changed my life. I don’t hear that very often when I say here’s an app, and they go this changed my life.
Will Curran: When it comes to password managers it just automatically fills everything in. It lets you know when things are not secure. It makes sure that you can have super duper secure passwords that you can’t remember, instead you have one master password. You can Google why you should use a password manager, and I think that will do a much better job explaining than us, but it’s really crazy how people just use one single password to manage everything, and how easy it is as soon as that one password is compromised, boom, they can go from, oh, they hacked Joe Schmoe’s let’s say … I’m just gonna use your Art of Frames website where you ordered that one frame for that piece of artwork, they got hacked, now they have that password, and then now what they do is they go and test all those sites.
Will Curran: They test all the major banking websites, all these things like that, with that one password, and boom, if you have the same password across everything you’re hosed. It’s scary how little secure passwords are for it, and I think the video that you show at the beginning of the presentation, like, it’s Jimmy Kimmel, but maybe if you want to get a chance to explain what that is, and then kinda give your two cents on password managers.
Brandt Krueger: Like you say, it’ll change your life. You go from having to remember every password for every site to never having to remember any of them. The things that password managers allow you to do is to set long, random passwords for every single site that you access. Like you said, if random website X gets hacked it’s no big deal, because they’re not gonna be able to use that same password on any of the rest of your stuff, because you’ve got a long, random, different password for every single site that you use.
Brandt Krueger: And so, if you’re using monkey123 as your password for your registration platform, and you also used monkey123 as your password for Gmail, or god forbid something else if they get that information like you said they’re gonna start trying every single thing, and then once they’ve got access to your email you’re pretty much cooked, because then they can start changing your passwords and using that email to receive those password change notifications, and things like that.
Brandt Krueger: The biggest thing is once you start entering in your information in password managers it’ll say, hey, whoa, just so you know you’re using this on another site. Would you like me to change that for you, and keep track of it, and do something different? Absolutely, password managers 100% change your life as far as what you can do about it.
Will Curran: Real quick. I was gonna say, the one thing that I think as far as … obviously, it’s really nice to be able to do that. You might be thinking to yourself I can do that on a spreadsheet, or whatever, well, the thing that I think that makes password managers really fantastic … I know LastPass and Dashlane both do this, and a bunch of other sites are doing this now as well, it gives you the ability to also share passwords securely as well. I think in the events industry I can’t tell you how many associations that I’ve been a part of where they say, hey, can you give me the Twitter password, hey, can you give me the MailChimp password, hey, can you give me the password to the bank account.
Will Curran: For my local ILEA chapter I made the big switch, and I pushed everyone, I said, we’re gonna use a password manager, we’re gonna have super secure passwords, and I’m never gonna actually share the password with you. I’m gonna share it via the password manager, and what is cool about it is it allows you to share passwords so they can login without ever seeing the password, which for temp staff, for volunteers, for that, hey, can you send me the password to XYZ really quickly, makes your life so much easier.
Will Curran: The best part is if you have employees this will change your life when it comes to it, because when they get done you don’t have to worry about changing the passwords ever you just revoke access, and boom, you’re all done. As a business owner, it changed my life as well.
Brandt Krueger: Well, yeah, that’s exactly it. The day after that event is done you can revoke access to all of those people, and they don’t have access to the passwords anymore, or if you as a business owner you got to let someone go, or they move on to a different job or something like that, you want to be able to revoke those passwords as well. I discovered accidentally that about three years after I left my previous employer I still had the username and password for their FedEx account.
Brandt Krueger: I went to go log in and it auto-filled the information because it was in my LastPass, and they hadn’t changed it. It was one of those things where I was like, oh, wow, okay, good, look at that. You mentioned the Kimmel thing. That’s just an example of the fact that we think we’re so clever coming up with these passwords, but the fact of the matter is the human brain’s just not capable of remembering a different password for every single site. I’m just curious. I’m gonna bring up the number of sites that I’ve got here in my LastPass.
Will Curran: Yeah, I’m gonna do that too.
Brandt Krueger: It’s got to be in the hundreds. It doesn’t show it unfortunately in the vault, but it’s definitely in the hundreds.
Will Curran: I think I got something up on you.
Brandt Krueger: Did you finally find a feature?
Will Curran: Yeah. Dashlane will show me. I’m logging in right now.
Brandt Krueger: Well, okay, I’ve got these categorized. Let’s see, there are 119 personal ones, 185 professional ones, 172 shared family ones, 63 shared financial ones, and 16 shared medical ones.
Brandt Krueger: That’s only in the course … I think I just hit my 10 year anniversary of LastPass a little bit ago.
Will Curran: They should give you some champagne.
Brandt Krueger: Yeah, something like that.
Will Curran: I’m gonna one-up you. You ready for my number of passwords.
Brandt Krueger: Yep. Go.
Will Curran: They had this health score app, but I have over 630 safe passwords. Technically, I have one that’s compromised. It looks like it happened literally a couple days ago. Whitepages.com got compromised, so I gotta change that one. I do have 12 reused passwords, but usually, it’s because someone else has shared the password with me, and I have it saved in there, and it’s used. For example, my dad refuses to use a password manager, so his Netflix password is the same as his HBO password.
Will Curran: Also, I just admitted freely that.
Brandt Krueger: So, you get the warnings.
Will Curran: Yep.
Brandt Krueger: Yeah. You get the warnings. Yeah. I’ve got a few of those as well.
Will Curran: And that I use my dad’s Netflix as well. But yeah, it’s crazy cool how it can help you stay on top of it. It just makes it so easy for you to manage your passwords.
Brandt Krueger: All right. I know we’ve got a lot of other suggestions for folks. I want to leave off some of the higher end stuff, and continue with the easy peasies that we’ve got, so the last one that I think is good to hit for this show is two-factor authentication.
Will Curran: Oh god, yes. Oh my god. I have so much more I want to talk to you about this. We’ve had a couple of process changes I’ve done for this since we last talked about it. Explain Brandt, what is two-factor authentication? Why does it matter?
Brandt Krueger: At its most basic level that’s when your bank says, hey, we just didn’t recognize this device, we want to send you a text, so then it sends you a code, and then you punch in the code. The idea being it’s not only a password, but there is a second factor, and it’s some other thing. Usually, the best way to do it is that it involves not only something you know, but also something you have like your phone.
Brandt Krueger: In that example, you go to your bank and type in your password. It says, oh, we don’t recognize this browser we would like to send you a code to your phone assuming that you have your phone, and so you’re able to then get that code, and punch it in. The other ways of doing that is using an actual two-factor authentication app, which is the same kinda idea where when you first log in, and they say, hey, do you want to set up two-factor authentication, and you say yes, it pops up a little QR code, you know, one of those little black and white dotted codes, and that is essentially like setting up a secret code between your phone and that website that’s unique to you.
Brandt Krueger: It’s not something that anybody else would be able to have, so as soon as you snap that code into your two-factor authentication app it starts generating these six-digit codes every minute, and so once every minute it’s gonna generate a new code, so when you go to login to that website it says, okay, what’s the code? You check your authentication app and punch in that particular six-digit code for that minute. And then, it’s gone, so it’s kinda a one time use kinda thing that is constantly revving these codes.
Brandt Krueger: Those are the two most basic ways, but then beyond that they actually have these physical USB key type things where that is essentially the same thing, where that USB key is generating a code once a minute, so you plug that in at the time you’re logging in, and you set up the two-factor authentication, it connects with the USB key, it says, okay, this is what we’re talking about. That’s you, great, okay, now I know that’s you when you’re punching in that code.
Brandt Krueger: And so, Google is doing this. A lot of the higher end kinda mail clients, and VPN clients are doing this. I think you’ve got one of those.
Will Curran: Yeah, I definitely have one that I totally recommend. Google actually released their own version of it. Just search two-factor authentication key Google, but when Google announced this product that they were selling they also made a huge announcement which is that they require all their employees to use physical USB keys plugged in, and since they’ve required that, they have had zero breaches in any accounts across … I mean, how many employees does Google have, a bazillion.
Brandt Krueger: Which is always dangerous when you announce something like that, but that shows the confidence they’ve got in that system.
Will Curran: Absolutely. It’s impossible to replicate because you have to have that physical key. Unfortunately, not every site is utilizing that yet. Even more, unfortunately, is a lot of them are allowing you to do the two-factor authentication app, which is nice, but I’m just so disappointed. For example, we have an industry-specific tool we use for scheduling our teams, and it texts you a two-factor authentication code. If you want to get nerdy with it technically you can hack a text really easily, spoof the cell phone, get the text, boom, good to go, whereas these apps technically they’re only on your one phone except for like my weird set up that I definitely want to talk to you about.
Will Curran: When it comes to this definitely push to use the app as the highly recommended thing. If you can go physical key as well. It makes it so worse comes to worse if let’s say one of your super secure passwords in your password manager gets leaked, or somehow your account still gets hacked because of vulnerability you’re still having that protection, because all of a sudden you’re gonna get a notification saying someone tried to log in your account, and either failed to do two-factor authentication, or you get that really weird message where all of a sudden it’ll say, hey, someone tries to access your account, here’s that code, and you go, I didn’t try to access that just now, and you go, oh gosh I should go lock up my account right away.
Brandt Krueger: Exactly. In kinda order of what we’ve talked about today the easiest thing, check your venues, and say, okay, let’s get a password on the WiFi. The next thing is definitely, definitely, definitely use password managers. There’s no excuse not to at this point. And then, the third is whenever available do two-factor authentication.
Will Curran: Definitely.
Brandt Krueger: Use one of these apps. Be careful, because once you set it up if you lose that information it can get really … bad things can happen. It’s a check against making sure that it’s you.
Will Curran: Can I talk, like, give that personal story about that, because this is where it kinda evolved recently. I just want to share this anecdotal story, is that okay?
Brandt Krueger: Yeah, go for it.
Will Curran: It’s like, no, Will, shut-
Brandt Krueger: I’m just trying to keep an eyeball on the time. I don’t want to go too long with it.
Will Curran: You guys, this is gonna be a special episode. It’s gonna be a little longer because we love it so much. Brandt and I love two-factor authentication. For the longest time, I’ve always used Google’s default two-factor authentication app that does the code recycling like he was talking about. I love that app because it’s super simple, easy to use.
Will Curran: The thing about though is the way to set it up is you have to scan the QR code. The idea is it’s not like a password manager where you enter your one master password, and boom, you get access to all your codes. It’s all local on your phone, so the idea is your phone is the only one in existence that has these two-factor authentication codes.
Will Curran: A long time ago I got a new phone, and I was smart that I ordered the phone, got it, and I kept the other one, didn’t wipe it, and re-setup all the two-factor authentications on the new one, because first, you have to log in to the accounts to get the new two-factor authentication out, so you still need those old codes, so I was smart about that.
Will Curran: Well, in let’s see, October, I was in Charleston, and I picked up the new Google Pixel 3, and I was just like, you know, oh, yeah, I’m good, everything’s backed up, and I just decided in the store wipe phone, and I had the other phone in front of me, and I handed it in, traded in, to get the credit, and about five seconds later I realized and went oh god all those two-factor authentication codes are local.
Will Curran: Oh my god. It was the worst thing in the world. What ended up happening is that I had to spend a serious amount of time going back into those accounts. Here’s what was scary to me, and this is where we have to pressure I think our software companies to think smart about this, it was so easy for me to get into 98% of my apps with either a … most of them, luckily, I had probably maybe half of them I had backup codes for, but so many of them were so easy to get into without a two-factor authentication code.
Will Curran: Like, oh hey, instead of using my two-factor authentication app you send it to my email or sending me a text. I’m like, no, I don’t want you to be able to do that. Turn that off. I made that mistake, and now I’ve been recycling phones so much that I got kinda perturbed with having to keep it locally on one phone, and also there’s a couple apps that require me to two-factor authenticate every single time I login versus, hey, remember me.
Will Curran: It’s so frustrating when I just needed to check something really quickly on the accounting software, or whatever it may be, or check a payroll number. My bonus app that I’ve been sharing with everyone, which I have to admit, and we talked about this very briefly, this is not as secure as technically only having it only on one device, but I’m utilizing an app called Authy, which is kinda like a password manager meets two-factor authentication codes.
Will Curran: The idea is that you can only log into it on certain devices, so I have it on my phone, and my computer, and my desktop. The reason why I like it is then I can copy the codes really easily on my desktop, computer, and my laptop when I need to re-go into the codes a million times versus where’s my phone, oh, my phone’s charging in the other room, let me go get my phone to get the two-factor authentication code.
Will Curran: Again, but that goes back to the convenience thing, right?
Brandt Krueger: I was just about to say exactly that. I don’t want to scare anybody off of using a two-factor authentication with that. It just means you have to think a little about things. That goes back to exactly that, the convenience is kinda that enemy of security, that yeah, it’s gonna be a little inconvenient to use a password manager at first.
Brandt Krueger: They really make it pretty painless, because every time you enter in a password it pops up a little thing it says, hey, do you want to save that? And then, you’ve got it saved. And then, once you start getting those saved you can run a check against it, and it will tell you how many times you’ve reused your passwords.
Brandt Krueger: And then, same with the two-factor. Yeah, it’s a little more annoying, and yeah sometimes it’s like, uh, god, I gotta get the app, but I gotta go get the number, but you are paying a price for our lack of security in the past, so now we need to start thinking about these things. We need to make it our responsibility. I think that’s probably a good way to wrap this all back up is to say that we as an event industry we are a target. It’s not a question anymore of whether or not we’re going to be a target.
Brandt Krueger: We are a target, and the Marriott hack shows that people are actively starting to look at hospitality, and events, as a target. We need to start taking responsibility for it. We need to start, yes, inconveniencing ourselves a little from here and there, and taking responsibility for the security not only of ourselves but of our clients. That’s the biggest thing to me, is that, okay, great, if I get hacked, yeah, that’s gonna be a pain, but if something I’ve done enables one of my clients to get hacked that’s unforgivable.
Brandt Krueger: That’s something that you take with you possibly to your grave if bad enough.
Will Curran: Yeah, absolutely. I can’t agree more. You definitely don’t want this to happen to you, but if it’s ever happened to your clients, my god, the worst thing in the world. Real quick. I do want to mention, we talked a lot about this, but there is so much more to talk about. If you are fascinated, and you want to hear more, Brandt and I actually did a full webinar on this topic.
Will Curran: What we’ll do is we’ll leave that down in the show notes below at EventTechPodcast.com, so you can go check that out, and we’ll include that link, so then that way you can watch that webinar on your own time. It’s just like what we talked about here, but even further into details, more things you need to be thinking about, and some tactical tips on softwares, and tools, and all that jazz, all together in one.
Brandt Krueger: Exactly. I think that’s good enough for this episode. We wanted to kinda give you a teaser on why we think this is gonna be such a big issue. I think it’s gonna be a huge issue for the next year. Marriott’s just the tip of the iceberg, and we’re gonna start seeing some of the other big, whether it’s the registration platforms or things like that, do not be surprised as we start to see some of these things start to get hacked over the course of the next year.
Brandt Krueger: We hope you’re enjoying Event Tech Podcast. It’s been great for me. Will, I know you’re having a good time calling in from Dublin to help record these things, so I really appreciate that. We want to know what you think, so please do send us an email.
Brandt Krueger: If you’re on any of the social medias be sure to shoot us a note, #EventTechPodcast. We’re kinda still finding our feet here, and we want to know what you think, so if you want to hear more about subject X or subject Y please do let us know, otherwise, we’re just gonna keep talking about the stuff that we want to talk about in the show.
Will Curran: Absolutely.
Brandt Krueger: Which is just part of the fun of it.
Will Curran: Yeah, and absolutely make sure that you are sharing the Event Tech Podcast with your friends. If you know someone who would be interested in this help us help you by helping get the word out. That was a lot of helping all in one sentence, but basically, take our podcast, tell them to go to EventTechPodcast.com, and tell them to sign up.
Will Curran: That way, we can have awesome people joining the conversation, and so in that way, we can make some more awesome podcasts for you guys.
Brandt Krueger: Exactly, because a podcast without an audience is a phone call.
Will Curran: Did you just come up with that?
Brandt Krueger: I literally did, yeah.
Will Curran: Amazing, and that is the power of podcasting right there ladies and gentlemen.
Brandt Krueger: Exactly. Without you guys we’re nothing. Guys. Let us know what you want to hear more about on the Event Tech Podcast, otherwise, we’ll see you next time.
Outro: Thanks again for listening to the Event Tech Podcast. Be sure to rate and review us on your favorite podcasting app. Also, be sure to head to EventTechPodcast.com and leave us a comment about this week’s episode. We’ll see you next week on the Event Tech Podcast.
- Security Now Podcast
- Steve Gibson
- Is Your Event Vulnerable to Cyber Attacks?: The Good, the Bad, and the Really, Really Scary
- Jimmy Kimmel, What is Your Password?