Today we chat with Shannon Morse. She is a content creator and influencer with a focus on infosec and privacy. We talk about her recommendations, how to factor physical security into your threat model, and lots more.
You can learn more and see Shannon’s videos on YouTube https://youtube.com/shannonmorse. She’s also on Twitter, https://twitter.com/Snubs. Be sure to check out her 30 day security challenge at https://snubsie.com/30-day-security-challenge.
Adam Tervort (00:02):
Hello world, and welcome back to another episode of SpiderBytes Podcast from SpiderOak. I’m your host Adam Tervort. Today we have an exciting show for you where we talk with an influencer who does a lot of work in InfoSec, both security and privacy focused on YouTube, TikTok, and throughout social media. You may have heard of Shannon Morse who’s our guest today. She is awesome. Has lots of great insight. So we will get to my interview with Shannon right after these messages. And welcome back to SpiderBytes.
Adam Tervort (00:41):
This podcast is sponsored by SpiderOak. At SpiderOak, we believe security is important, and it’s our mission to secure the world’s data, from security to compartments for collaboration and data storage, to protecting your backups with end-to-end encryption, or even protecting communications in space. We want to be part of your plan to protect your most important data. Learn more at spideraok.com. Welcome back to SpiderOak, The SpiderOak podcast. I’m Adam Tervort, and today I am thrilled to be joined by Shannon Morse. Shannon, welcome.
Shannon Morse (01:17):
Hi, thank you so much for having me.
Adam Tervort (01:19):
Well, thanks for being on the show. So tell us a little bit about you, either professional or personal. And one of the things we love is to know a tidbit or two that maybe other people don’t know about you.
Shannon Morse (01:35):
Ooh, that’s a tough one because I’m a YouTuber. So my entire life is on the internet. So yeah, I do YouTube. My name is Shannon Morse. I’ve been YouTube being as a content career for 13 years full-time. I recently moved to Denver, Colorado right at the start of 2020, which was very hectic and crazy given the world situation. But I ended up building my own home studio and I’ve been doing independent security and privacy tutorials on YouTube, as well as tech reviews and held twos for the past several years, the past decade. It’s a wonderful, wonderful job and it’s given me a lot of opportunity to teach people about security and privacy who may not have been interested from the start.
Shannon Morse (02:22):
I also have done shows with a channel called Hak5 which created this tool called the WiFi Pineapple, which I’m sure some of your viewers have probably heard of. And I’ve been continuing to make videos on that channel as well under a show called Threat Wire which is about security and privacy news. So when you all reached out and said, “Hey, I want to interview you,” I was like, “Yes, let’s do it. I love security privacy.” I’m a huge nerd about this stuff. Sometimes it annoys my husband because he has to share a network with me. But I live here with my dog, my two cats.
Shannon Morse (02:57):
And I think something that not…. Well, at this point, I think everybody knows it, but I’m obsessed with Sailor Moon to the point where one of my bedrooms is dedicated to my collection of merchandise. So I am that deep in that hole. So I’m a big anime nerd. I love going to Japan. And that’s one of my obsessions since I was a little kid and it always has been. I’ve never grown out of it. So I think that’s probably the weirdest thing about me.
Adam Tervort (03:28):
I also am a pretty big anime nerd and also love going to Japan. So we have that.
Shannon Morse (03:33):
Oh, nice. I’ll have to give you some recommendations for Tokyo.
Adam Tervort (03:38):
Yeah, I’d love that. Well, I’m excited because you’re such an expert in this field and already have such a strong background of talking to people about security and privacy. So talk with me a little bit about in either professionally or personally, what are the concerns and the problems that you think about and consider as you go about your daily life?
Shannon Morse (04:06):
That’s such a good question. Since I have a very public facing persona online, given my career, I’m constantly thinking about my security and privacy to the point where when I’m signing up to buy a cute shirt off of some website, I’m thinking about what address, what email address I’m going to put into their platform? What shipping address am I going to use? What credit card am I going to use? And I consider if they’re not protecting my data in the proper fashion that they should. How am I going to protect myself as a consumer if that data ever did potentially get late?
Shannon Morse (04:44):
So I got a UPS store box that’s publicly available so people can send me boxes like PR. I often get products to review. So I just give them that. So if it does leak or if they’re not securing it properly, it’s okay because it’s already public. So it’s fine. My home address is not public unless you’re really good at it, which I’m sure some people are. I pay for products every year to protect my identity because I’m worried about people trying to dox me. I’m constantly thinking about these scenarios because when you have such a public facing job, it’s not only you that could potentially be attacked, but the people around you. So people know that I’m married and they know who my husband is because we troll each other on Twitter. So I have to teach him how to protect himself as well and make sure that he’s making the proper choices online.
Shannon Morse (05:39):
So educating other people, as well as myself constantly and thinking about how would a malicious actor, what to attack me and what kind of entry points they could use, not only just on the network, but also physically about my house and also about my person, what am I going to share online? And how am I going to protect myself in the process? But still I’m a very friendly person I always have been. So I still want to make friends. I still want to make acquaintances online and network. And I often have to consider, how am I going to share the information that I want to share while also still protecting myself and the people around me constantly?
Adam Tervort (06:23):
Well, since you’re in a unique position of being a person with a big public persona. So for other people in this situation, particularly, maybe less tech savvy people, what are some recommendations you’d give that would help them in your position to maintain either physical or digital privacy and separate their public persona from their private life?
Shannon Morse (06:54):
Yeah, absolutely. Oh my gosh, Adam, there’s so many different features that we have made available to us now as consumers. Luckily, we have a lot of ways to protect ourselves better, even if you do have a public persona. One of the things that I’m constantly recommending to people is, be very skeptical about every single site that you go to and constantly be on guard when you’re checking your email, when you’re opening a new site. What links are you clicking from Twitter or Facebook? Can you really trust that hashtag? There’s a lot of different ways that a malicious actor could use potential links or use websites to gain access to your personal data. They could create a fake phishing site and use that to collect information about you. And at that point, if they’re using it to collect your two-factor authentication code, or your password on a site that doesn’t use two-factor authentication, then it doesn’t matter if you use a different password on every site. They’re still going to get access to that one website.
Shannon Morse (08:01):
So constantly being on guard is really important. And also considering just like what I said previously, what kind of data you’re going to share. And another thing to consider is when you’re going to share that information. So for example, one thing I experienced many years ago was, I was working in this physical studio with a network and it was a public studio. So people could come in and they could watch live shows, which was great. It was really cool to meet people that were also part of the audience.
Shannon Morse (08:35):
This one guy came in and apparently he like professed his love to me and started calling the network and we had to get the police involved. It was very serious. And because of that, I started considering my physical location and how I’m going to share what I’m doing online. So now whenever I post pictures on Instagram, which are always super fun, or if I’m posting an update on Twitter and talking about what I’m going to be doing, usually it’s like a couple of days later because I don’t want to tell people where I am at a very specific time. Or if I go out to dinner with a friend, I’ll let people know after dinner. I’ll say, “Wow, this place is great.” So that people aren’t showing up right when I’m there because that would be super awkward and also might be dangerous potentially just given that I’m a YouTuber. So there’s a lot of dangerous situations that can be remediated if you take the precautions ahead of time and just consider if I’m putting this data out there, how could it be used against me?
Shannon Morse (09:42):
And if you think like that, if you try to think like a malicious actor or a criminal, you’ll notice I never used the word hacker because hackers are people too and a lot of hackers are good people, but malicious people, a lot of times you have to think about how are they going to use this against me and how can I protect myself? And when it comes to a home network, how am I going to protect that home network, especially if you’re using consumer-based routers? Are you updating the firmware? Are you using a separate SSID for your guests whenever they come over to your house? Is it all password protected? It better be? I sure hope so. And make sure you’re updating all your devices, IoT and your cell phone. And if your cell phones no longer getting security updates, make sure you get a new phone at that point because you could be vulnerable to potential hacks. So there’s a lot to consider when you really start delving into security and privacy. But if you take it one step at a time, it’s absolutely doable and it’s not going to overtake your life.
Adam Tervort (10:44):
So let me ask a follow up question to one of the things you mentioned. Say for example, Twitter, you said we have to be really conscious and careful about what we click. Do you have a specific tool you use for that, some kind of sandboxing or something that you use to help you look at the clear text of a link before you click it?
Shannon Morse (11:08):
I hover over it. Excuse me. Other than that, honestly, I just use Chrome’s built-in browser because it warns you. If you do click on a link, it warns you if something’s happening and it’ll tell you this might be a malicious link, it might be dangerous. Do you want to continue? And then you have the choice. If you click advanced, you have the choice to continue or you can close it and go back to safety. So really that’s all I use, but there are other tools available. I just don’t use any of them.
Adam Tervort (11:40):
Well, and I do pretty much what you just mentioned. I was just curious if you have something fancy that you use specifically for that.
Shannon Morse (11:49):
No. I actually try to avoid as many third-party ad-ons and extensions as I can and I try to use whatever is built-in and the most up to date just to protect myself because that’s another potential problem that you can face is, the more apps you download, the more third-party ad-ons or extensions that you might grab for. They could potentially be a vulnerability. There are third-party extensions for Twitter that can use your Twitter for something called OAuth which allows you to just use your Twitter account to log into their product. And if they had some kind of vulnerability, that could give somebody access to your Twitter account too. So I really try to audit what I’m doing online constantly and just make sure that I’m cutting down the potential entry points as much as possible.
Adam Tervort (12:45):
Yeah. Yeah, and that’s a great point. One of the things you mentioned is about physical security and sharing online. My family ran into this a couple of weeks ago when we were on vacation because I’m like you, I don’t post about my vacation before or during, only after. And about halfway through the vacation, my daughter started showing me on her Instagram all the great pictures that she’d taken and posted. So we had to sit down and have that conversation.
Shannon Morse (13:15):
Adam Tervort (13:16):
We’re not home. We shouldn’t tell people that we’re not home for the next year.
Shannon Morse (13:19):
Yeah. Usually if I do mention… If I’m having a meetup in another city, I’ll say like, “Hey, I’m going to be here on this date.” And then I’ll just be like, “I’m so glad somebody’s staying at my house to take care of my dog,” which is always true. Somebody is always going to be here, or I’m so happy. I have my security equipment set up where I have a cop in the neighborhood or whatever it might be just to throw people off and be like, “Okay. She actually is like taking strides to make sure that she’s safe,” but that way I can still have those meetups in person and still be able to network and do my job.
Shannon Morse (13:53):
And that’s also really useful if I’m going to a convention. If I’m promoting an event that I’m going to be at and hosting at. Anytime like that, I’ll usually be like… My husband stays home. He doesn’t go to those kinds of events with me. So I’ll mention like, “I’m glad my husband’s staying home to take care of the animals,” which he is, but I want to make sure everybody knows somebody is still at the house. Don’t go over there.
Adam Tervort (14:19):
Yeah, and that’s a delicate balance you have to strike-
Shannon Morse (14:22):
It probably is.
Adam Tervort (14:22):
Because I’m sure they’re going out in the networking is a really important part of how you grow your audience and help build fans.
Shannon Morse (14:31):
Adam Tervort (14:31):
They want to be interacting with you.
Shannon Morse (14:35):
And I think that’s an important point to me to make is, it’s never a solid line between security and being public for every single person. Every single person needs to consider what are their potential threat vectors? How are people potentially going to affect their lives? Because not everybody is going to be a YouTuber. And I know that and I’m very aware of that. So a lot of times the safety precautions that I take as a public content creator are not something that somebody else would use if they’re working as a CEO out of their home office constantly, or if you’re working at a bar. There’s a lot of potential possibilities, but all of them are going to be different for each person.
Adam Tervort (15:19):
So how do you learn to think like a malicious actor?
Shannon Morse (15:25):
Because I had one. Just kidding. I think part of it was watching a lot of hacker tutorials and I also worked with Hak5, which their core audience is ethical hackers and information security professionals. So a lot of the content that I made over there, I’m completely self-taught and that content was focused on, okay. How do you gain access to these networks? How do you take advantage of this vulnerability? And then for every single one of my tutorials, I would say, “This is how it happens, but also this is how you can keep yourself safe.” And if there is not some kind of patch or some kind of update available, these are the mitigation processes that you can develop in order to protect yourself as a consumer now that you know how it happens.
Shannon Morse (16:19):
So a lot of it, it was just teaching myself how do these hacks happen? And looking at forums, reading books about hacking and really understanding how this stuff happens. So if you just watch a Hollywood movie like Hackers, that’s a great example. That’s not going to give you a very good opinion of hackers. But the thing is, a lot of times you can read actual professional books that are written by security penetration professionals, people who are hired to companies to learn what kind of vulnerabilities exist and protect those networks. You can read what they’re doing. You can read news articles about what’s going on in security and privacy and learn a ton just focused on how these hacks happen.
Shannon Morse (17:06):
And once you get to that point, you can really start studying up on, oh, okay. So there’s a Synology network attached storage issue that recently came out. And I read about that and I was like, “Oh, I have a nest.” So I should go into my account and make sure that that is completely patched and it’s updated so that I’m protected. And once you start reading up and what’s actually happening, you can really start protecting yourself and learning just based off whatever you’re sponging up to really get an idea of how you can protect yourself as a consumer.
Adam Tervort (17:37):
That’s great. So what do you use to help keep up our… Where are you getting your information from? Is it social media, or RSS feeds, or I’m curious on what your process is to do that?
Shannon Morse (17:53):
I use a… So in my Chrome browser, for example, I use a couple of different browsers just to test things. But in Chrome, I have an entire folder dedicated to security and privacy news articles from a series of websites like Bleeping Computer. CNET is another really good one. There’s VICE. They have a lot of good articles about hacking. There’s a lot of different news articles that are written by people who are journalists, but they’re also a part of the security and privacy industry.
Adam Tervort (18:28):
Shannon Morse (18:29):
So they have really excellent articles about how this stuff happens. And they’re very on top of it. So I read those every week on Mondays, which also helps since I do a Threat Wire News website or a new show. So that definitely helps. So I definitely do that, read up on everything once a week, which is very quick, it’s an easy process. And then I also use a series of tools to protect myself and guard myself against potential attacks.
Shannon Morse (18:59):
Abine is one which is DeleteMe. I use their product, which is excellent. It’s pricey, but it’s a product that I’ve been using every single year to protect myself. And they basically go through all of the yellow page type of websites or white page type of websites that collect your address and your email and your name and phone number and all that good stuff. And they will send opt out requests to all of those websites for you so you don’t have to do it yourself. You can do it yourself. And all of them legally have to give you a way to opt out. But I don’t have time. So I pay somebody else to do it.
Adam Tervort (19:35):
Shannon Morse (19:37):
I use SpiderOak. I’ve loved the SpiderOak platform myself since, I want to say the early 2010s or the late 2010s. I think that’s when I first signed up for SpiderOak, but I’ve been using that for forever as my trusted cloud platform because of the ethics behind SpiderOak of protecting your information and making sure that even SpiderOak doesn’t have access to it, which can be great. Can also be really scary if you forget your original password for your SpiderOak account. Ask me how I know. Definitely went through that.
Shannon Morse (20:12):
I use two-factor authentication absolutely everywhere that I possibly can about once a year. I’ll go through all the websites that I have signed up for. I keep track of them through my password manager so I know exactly what I’ve signed up for. And I will check them and see if they’ve enabled two-factor authentication if it wasn’t originally available. When I first signed up for that website. And if it’s not, I will give them crap on Twitter about it. Password managers-
Adam Tervort (20:45):
It’s surprisingly effective when you do like that.
Shannon Morse (20:48):
It really is. Yeah, especially if you can get it a lot of people on board for asking for a new feature. I did that with Patreon , which is a site I use to fund a lot of what I do online as a content creator. Patreon is like a crowdfunding platform. So your viewers or your fans can donate a dollar or two a month. It’s great. But for a long time, they didn’t have to have 2FA. So I started bothering them about it. I even walked into their office once for an invited event.
Adam Tervort (21:18):
Shannon Morse (21:18):
And I was like, “Where’s your security person? Can I ask them a question?” And I was like, “Why don’t you have 2FA?” They have 2FA now, and they do allow you to use an app. However, I don’t think they have added a Physical option yet, which would be a plus. So I’m constantly looking for ways to upgrade my security, make sure my devices are updated and make sure the websites I’m signing up for are all updated as well. And they allow me to add these security options wherever possible.
Adam Tervort (21:50):
Well, it sounds like the process is really important to you. And I imagine part of that is out of time-savings. If you have a good process in place, then you don’t have to think about it quite so much.
Shannon Morse (22:00):
Oh yeah, 100%.
Adam Tervort (22:02):
Yeah. Well, that’s great. Well, speaking of time, I don’t want to take too much of yours, but thank you so much for all the things you’ve shared. One of the ways we like to end these interviews is with a favorite quote. Do you have a quote you’d like to share with us?
Shannon Morse (22:18):
I do. Let me… I’m going to look up the author of it because I want to give credit to the offer. It’s opportunity is not a lengthy visitor, which I often find is very true in my real life opportunities and situations, as well as my job. Oftentimes I get the opportunity to do really cool stuff like this interview. And if I don’t say yes, that opportunity may disappear quite quickly. So opportunity is not a lengthy visitor. And that was originally a quote from Stephen Sondheim who wrote Into the Woods, which I played Cinderella in when I was in high school because I’m also a thespian, a theater geek, and which is part of the reason of why I do YouTube now. But that was a big…. Ever since I did that show, that was a really big quote for me. And I’ve taken that to stride when it comes to my own career and the opportunities that I take, and I also take those when it comes to security and privacy. If there’s a vulnerability, the opportunity to protect yourself is not a lengthy visitor.
Adam Tervort (23:25):
Yeah. Yeah, that’s right. So true. Ah, thank you so much. Well, my guest today has been Shannon Morse. Shannon, thank you so much.
Shannon Morse (23:35):
Thank you for having me. That was great.
Adam Tervort (23:39):
All right. Well, stay tuned. In a few days, we’ll release another episode and we will see you then. Some things are best kept secret. You wouldn’t send your company’s financial data through snail mail on a postcard. So why would you use the insecure digital collaboration tools? Introducing CrossClave, a file sharing and collaboration solution built with security in mind from the first bite. It’s like signal for business. CrossClave uses distributed ledger technology in end-to-end encryption to deliver a true Zero Trust system designed to protect you and your business’s most valuable data. When you need to share collaborate on your most sensitive information, SpiderOak’s CrossClave is your only choice. Go to spideroak.com/podcast to get started with a free account, no credit card required.
Adam Tervort (24:33):
Thanks again for listening. For all of us at SpiderOak, I’m Adam Tervort. We hope you enjoyed this episode. If you did, please consider subscribing. If you’re interested in joining us as a guest on SpiderBytes, send me an email at firstname.lastname@example.org. We’d like to thank Mel Graves for our theme music EarShot. We’d also like to extend our special thanks to our law firm, Dewey, Cheetham & Howe, SpiderOak’s Communications Director George Stayontopothis, our Self-esteem Coach Mia Culpa, and our Staffing Agency, Click & Clack. Thanks everyone
Jonathan discusses the risk to low-Earth orbit from Russia’s successful test of an anti-satellite weapon, and whether the kinetic threat is a big as the cyber one. Are non-attributable attacks in space the ones we really have to worry about? Transcript Christian Whiton (00:00): Welcome back to Cyber Context, featuring Jonathan Moore. I’m Christian Whiton. […]
In our first episode, SpiderOak CEO Dave Pearah talks with SpiderOak CTO Jonathan Moore about New Space and the challenges around security in orbit. We are moving into a new space age, one that’s about commercialization and scale. Access to space is getting cheaper by the year. Cadence of launches are increasing. There’s going to […]
This episode of SpiderBytes features Fábio de Salles from Brazil. Fábio works in business intelligence and has a strong background in security.