We talked with Scott Schober, CEO at Berkeley Varitronics Systems, about Wi-Fi security, the evolution of ransomware, and the importance of cybersecurity education.
1. How did your company activity evolve? How and why did you also decide to add cybersecurity solutions and consulting services apart from offering security products and devices?
We’re excited because we’re going to celebrate 50 years in business next year. We’re a small family-owned business and engineering firm, and we’ve done diverse designs over many decades. People come to us typically with a problem, and we provide a full turnkey solution.
In the mid-80s and to the 90s, we started developing the beginning of the wireless test equipment used to build out all of the cellular networks that make our phones work. All the offshoots of the development over the decades of those types of products (2G, 3G, 4G and now the 5G as we know it), led to a lot of understanding of how mobile phones work and, of course, the security and vulnerabilities.
That really brought us into the forefront, especially the past ten years into the world of security and particularly cybersecurity. I have been focusing my efforts in not just developing niche tools to solve wireless security problems, but also educating people and taking time to explain to them the basics.
A few years ago, my company and I were targeted with repeated attacks. We went through the whole range with the debit card and credit card, Twitter account, repeated DDoS attacks with $65,000 stolen out of our checking accounts, which became a federal investigation.
I learned that sometimes the more you teach, help, and educate people in the world of security, the more bad guys will go after you. So, that’s a challenge that I’m constantly juggling. I shared my story with the whole world; it was initially starred with Associated Press, they did a feature article on small businesses getting hacked. I talked about it, and it became public knowledge. Then I wrote a book about it, I got hacked again, then I shared my story.
All day long, I’m talking to people about how to keep yourself, your small business, your friends, and your family safe from cyber-attackers. It’s rewarding to see they can do better, keep their employees and businesses safe, especially when sharing from the mistakes that I’ve made.
The one thing I’ve always tried to share that resonated with me is that businesses often think cybersecurity is too technical and they don’t have a budget for it. It doesn’t have to be technical as long as you’re willing to learn a little bit. It doesn’t have to be that expensive either because it’s about basic best practices we all need to do most of the time. If we’re doing all those things, we’ll start to improve our cybersecurity posture.
2. Name three of your best seller security products. And why are they most sought after?
The first product that really stands out is called WallHound-Pro, and we introduced it not too long ago. It’s a wireless intrusion detection system. What I love about this product is that it’s a niche product, and we really don’t have competition. No one else is making exactly what we make. The WallHound-Pro is looking for any type of wireless threat outside of a secure area where you’re not allowed to bring wireless or mobile phones, anything that’s Bluetooth or Wi-Fi. So, it’s doing a constant scanning 24/7, gives you real-time alerts, and it won’t just light up the screen in a unique color, but it’ll also talk to you. It’ll actually tell you: ‘Cellphone detected’! Or ‘Wi-Fi 2.4 GHz detected’, ‘Bluetooth low energy detected’.
That’s a game-changer because there are so many systems that are so complex that you have to wire into your building and educate the staff and analyze the data after the threat appears.
If you have a mobile phone on you, you already have Wi-Fi and Bluetooth on, the threat is there. You go into a secure space, maybe you take a picture of something that’s classified, like a password or intellectual property. Then you shut your phone off, and you walk out of the facility, the threat is gone. How do you catch it?
A system like the WallHound-Pro allows you to catch any type of threat instantly. It could be a rogue access point where someone tries to perform a MiTM (Man-in-the-Middle) attack or use a Bluetooth maybe for surveillance, audio bug; whatever the case may be, there are hundreds of ways you could use a smartphone these days that could be a true threat for a secure facility.
The second product is also interesting, it’s called a SentryHound-Pro, and it’s portable. We created it because customers were coming to us saying: ‘You make great stuff for radio frequency detection and wireless threats, but what if someone takes the battery out of the phone? What if someone shuts off their device, so now it’s not transmitting? Is there any possible way to detect that threat?’
The SentryHound-Pro does that by performing true ferrous detection. What’s unique about mobile phones that most people don’t realize is there’s not much metal inside a mobile phone. Yet, there are a lot of ferrous properties, high-power magnets inside your mobile phone for your speaker, your microphone, and your vibrating system. This product picks up on these and it uses multiple sensors and multiple detection zones.
What SentryHound-Pro does is it looks at the disruption of earth’s natural magnetic field. When somebody passes through the portal, first, it triggers it through their motion as they’re breaking the beam. Secondly, that mobile phone disrupts the magnetic field. Not only do we alert that there’s a mobile phone on a person, but we could also tell where on a person it’s placed, under the hat, in their shoes, or any other place. That’s more for correctional facilities where people hide mobile phones because they’re not allowed to have them.
The third product is related to a totally different industry, which is electric vehicles & charger installation. Electric Vehicles are becoming very popular on the roads. So, we developed a 4G signal meter for LTE and found out where the best spot is to place this charger in the world and find the best coverage. In other words, it means signing up for AT&T, Verizon, T-Mobile, giving them the best coverage and finding the best spot to locate the antenna. Our sales have skyrocketed, and we introduced this product about ten years ago. When cybersecurity started to kick in, we started meters for electric vehicle charger installs, and we didn’t sell that many. Now, electric companies buy hundreds at a time, so we’ll continue doing this product. Next year, we’ll probably do thousands of these signal meters. It’s not actually a security tool, but it’s in the area of testing security, and we’re excited about it.
3. What can you tell us about the Yorkie-Pro device that’s related to ransomware protection?
Yorkie-Pro is very popular, we’re constantly receiving orders from government agencies, security agencies, etc. One of the prime things that Yorkie-Pro does is it hunts down Wi-Fi: rogue access points, Wi-Fi threats, but also Bluetooth threats or Bluetooth low energy threats. It’s actually a partner product to the WallHound-Pro wireless intrusion detection system.
What’s cool with these devices is that you can create whitelists with approved Wi-Fi access points in a facility, approved Bluetooth devices or whatever, to ignore or not false detect the approved points. That allows security personnel to engage in normal operations and use Wi-Fi in areas that are deemed acceptable to use and it’s secure, but also to secure areas that don’t allow these unauthorized devices. It’s a great combination, especially in areas with classified information and secure servers where they’re housing data repositories that you need to keep safe. There could be board rooms or any place where there needs to be a level of security maintained from any potential wireless threat.
The Yorkie-Pro wireless detector can aid in stopping unauthorized rogue Wi-Fi access points from being placed in a secure facility. Rogue APs can be used as a conduit to dispense malware such as ransomware strains and need to be carefully located and removed.
4. Apart from your products, how would you advise a casual user to create a stronger Wi-Fi security?
I believe we developed the first Wi-Fi test tool; it’s called the Grasshopper, and it was way back in the day when IEEE was actually ratifying 802.11b the standard. We developed a simple spectrum that can actually hunt down any type of threat with a look at the Wi-Fi protocol. Back then, people looked at us saying: ‘What kind of threat could Wi-Fi be?’
Now, Wi-Fi is one of the predominant threats because Wi-Fi is everywhere. It’s in our smartphone, in our TV sets or smart TVs, our car, in hotspots, you name it.
4G LTE really improved; now, you’ve got Wi-Fi 6 on top of that, and it promises even more things. So, it’s important for users to use Wi-Fi, not to be afraid of it from a security perspective, but to embrace it. If they’ll embrace it and use it, they have to be conscious of it. By that, I mean being conscious of security.
For example, if you have a home Wi-Fi system or you’re in a small business and you’re setting Wi-Fi, don’t just take the access point out of the box! Most people set it up, plug it in, and think everything is great because they’ve got high speed and connectivity.
My advice is rather slow down! Create your own, unique, strong Wi-Fi password, think about the SSID (Service Set Identifier), don’t just use the standard SSID normally broadcasted or the default admin password like 1234 that’s set up with it. Take the time to configure it with security in mind. I also always encourage people not to broadcast or ID their network if they don’t have to.
People need to take the time and create a stronger Wi-Fi security connection. Then, they’ll feel safer and will actually be safer.
5. Name the top three of the most dangerous cyber threats today and give simple tips on how to overcome them.
The first one on my list has probably been the same one for the past year, and it’s ransomware. We all hear about it, but ransomware is starting to evolve. It’s getting more advanced. Back in 2018, for the average ransomware, the payout was around $5,000. Fast forward to 2021, the average payout is over $200,000. You could see how cybercriminals are monetizing ransomware very effectively, especially as different malware streams have evolved. They’re harder to detect, they’re hiding their code, they’re putting different countries, scripts and code together, and making it convoluted. So, it’s difficult to find the source of ransomware.
More specifically, double extortion is the bigger threat. Not only are they going to ransom and encrypt your data, but before they even do that, they’re going to exfiltrate it: pull all your data, encrypt it, and demand a ransom. If you don’t pay it, they’ll threaten to put all that data they exfiltrated on the dark web, and pull all your credit cards, social security numbers, and private information, and make your life miserable. Or they will double extort and tell you to pay for that data, and the data they encrypted. These types of things are evolving. Sometimes, it’s even beyond double extortion, we’re starting to hear about quadruple extortion, which is quite scary.
These cybercriminals’ targets will also get more advanced; they’ll go after politicians, high-net-worth individuals, celebrities, and technology like smart homes, smart cars, and cloud services. That’s what stands out as the dangerous cyber threat.
Education is extremely important to overcome it. Training and awareness are also important; people need to learn to stop clicking on those phishing emails. That’s still one of the most predominant ways people fall for ransomware attacks, getting malware by clicking on malicious links.
Let’s also not forget anti-malware and anti-virus software – they are effective and stop at least a percentage of these threats. They’re not going to stop all of them, but they help. It’s important to keep in mind to update this software regularly, update the security patches.
Network segmentation is also an important step depending on the size of your company, but segmenting will protect you if you’re a victim.
Another tip I always like to share and remind people, even if it won’t prevent ransomware: back up your data! It’s not going to stop you from being the victim of ransomware, but at least you have recourse. You can wipe your system, use your backup, make sure your backup is disconnected, you’re regularly re-backing it up, and it’s also immutable; so, the backup can’t be written over or modified in any way. That’s just a practical way of doing it and it will help people.
Another area, even though I hate to mention it, I’ll bring it up because it’s a huge problem, and it’s related to passwords, and everything tied in with complacency.
Many people still face issues like weak passwords, password re-use across multiple logins, not properly using MFA (multi-factor authentication) or 2FA. I encourage people to enable strong passwords and use MFA for any type of email they use.
It’s indeed an added step. You have to trade convenience for security by taking a little bit more time. But especially for the stock market, 401 (k) plan, banking, make sure that you use MFA across all those platforms, just to keep safe.
6. How do you believe the cybersecurity field will evolve in the next few years (both positive and negative sides)?
First thing, we’re all seeing and I’m guilty of as most of us, it is our mass adoption of technology, our love for technology, especially with smartphones and IoT. The latest estimate that I read is that in 2027, 41 billion IoT devices will be connected to the internet. I just bought one yesterday, a wise thermostat. We’re all guilty of buying all these devices, from doorbells to smart refrigerators or smart TVs, etc.
We’re all connecting things to the internet, but do they really need to be plugged in? Probably not. And more importantly, if you are going to buy an IoT device, make sure that it’s secure or has the means of being secure. So, you can get a software patch update if or when a vulnerability is discovered; this is an important aspect.
Another thing in the cybersecurity field that will evolve, and we’re hearing a lot about this, is the data privacy issue. It’s enough to just think of the controversies with Apple computers, Google, Microsoft and more recently, Facebook (now renamed as Meta). Data privacy will be at the forefront because, as digital citizens, we’ll say: ‘Wait a second! I want to think before I click and agree on those terms and conditions there. What am I giving away?’
When you download a game like Candy Crush, you’re giving away something, whether it’s geolocation, access to your contacts, etc. I have to be conscious of what I’m giving away, and companies have to be more transparent and share more explicit terms and conditions. The point is that nobody reads them; the stat I always share with people is: ‘if the average person with over 50 apps downloading on their smartphone now actually reads all the terms and conditions, it will take you three months to do that.’
I don’t know one person who has ever spent three months of their life actually doing that.
The skills that are being taught in terms of cybersecurity aren’t enough at an early age. So, I strongly encourage, and part of my mission is education for younger ones, starting at elementary school. Kids are smart, they embrace technology, have computers and connectivity, and know how to surf the internet; but they don’t receive adequate training about cybersecurity at a young age.
So, my goal is to work with more schools and get kids educated about this. Those basic practical skills can be taught, and they can be performed in tandem with parents. It should start at home and at school at the same time.