Jul 25, 2019
Soon we will celebrate 50 years of the moon landing, so why do some think we were never there?
The cybersecurity gap and flaws in both iOS and Android apps.
The U.S. launches a cyberattack on Iran
How much liability do you have for a data breach?
I am planning a Security Summer for my listeners. I will have some free courses. I will also introduce you to some of the software that I use for my clients and how you can use it too. Also, I have some limited opportunities for businesses who have had enough with their security issues to work with me and my team and put their security problems to rest once and for all. So watch out for announcements on those.
For more tech tips, news, and updates visit - CraigPeterson.com
Below is a rush transcript of this segment; it might contain errors.
Airing date: 07/06/2019
In a few short weeks, we will celebrate 50 years of the moon landing. The cybersecurity gap and flaws in both iOS and Android apps, the cyberattack on Iran and data breach liability.
Hello, everybody, and welcome, of course. This is Craig Peterson, your host for the next, give or take, 27 minutes. We're going without commercial interruption again, and we are going to be talking about some of the details of our lives, our digital lives. And with the 50th anniversary of the moon landing coming up, we wanted to go through some of the facts there, because we've had a lot of people who seem to be confused about it. And it's kind of amazing to me, because I remember it so well, like it was yesterday. But it's amazing to me to think that more than half of the people alive today were not alive when the moon landing occurred. And, you know, that's just a matter of perspective. So you're talking to me, and I'm a little bit older, I guess, than most people, if that's the case. But anyways, we'll talk a little bit about that, and the cybersecurity gap and some interesting observations that were in Forbes magazine here this past week about it. Flaws in our iOS and Android apps, you might be surprised, but there are security flaws in almost as many iOS apps from Apple as Android apps. I'll tell you why, and what those are. We have some new Mac malware that's out there right now, and this is an interesting one because this could go both ways. You could call this a user error, or you might want to call it a security problem that Apple has, or maybe Apple created, but it is behaving the way it's supposed to. Third-party contractors: this comes from this week, when I did a big presentation for a University of New Hampshire group here. It is a mastermind group of CEOs, and we were talking about the biggest liabilities, and more than 60 percent of your threat is coming from inside. And that includes contractors.
So we'll talk a little bit about that. A couple of warnings here from 3M about business travelers, and we've got to talk about this: the US has launched a cyber attack instead of launching a kinetic attack, and we'll talk a little bit about the implications to you and your business because of that, and there could be some enormous implications there. And a little bit more here about liability for a data breach. So we're going to talk about all of this right now. So let's get into it. First off, liability for a data breach. As I mentioned, I had a great presentation, and I think it got a lot of compliments, as I spoke at this mastermind group for the University of New Hampshire. And it was kind of fascinating, because there were several different CEOs. I guess this group has kind of a non-compete thing where none of the members can compete with each other. I'm in a mastermind group, a paid group, and there they don't have that restriction; you have to be a good person, but there are people in your same line of work. I kind of like that. As a general rule, there is a lot of business out there for everybody. Being able to talk to someone who speaks your language, in your line of work, about what's happening is important. I had a few people comment afterward on the stories that I wove in about clients of mine that have had security problems and were unable to solve them themselves. You know, they tried, obviously, but they weren't successful, because they got hacked, they got breached. So, you know, I use a lot of stories with some of these things. And when we're talking about a data breach and your liability, I did bring that up this week. But it's huge. We're talking about an average cost right now for a data breach of over $7 million here in the US. It's $3.8 million average worldwide, but it's about twice that here in the United States. As we look at some of the data breaches, it's going to continue to grow.
There are going to be more and more companies that are failing to assess their systems for security flaws. And that's why you've got to have a third party come in. You can't trust your CISO, your security person, to do these types of audits; you need a third party to do it. And then you have to plug the holes. Sometimes you can have that third party do it, because maybe they know what they're doing. Many times, if you're a slightly bigger company and you have your own IT staff, then your IT staff is going to do it. But you've got to think about when you get hacked: what are you going to do? Your data is gone. Are you out of business? Is your goose cooked, as the expression goes? There's a great article in Kiplinger that I have up on my website right now about it. And are you, as a business person, on the hook for any losses sustained by the client? I spent some time in the presentation talking about insurance, and that is an essential thing to have for your business. However, more and more of the cyber liability insurance claims are getting cut back or even denied, because the company hasn't been doing everything that they should have been doing, even not doing things that are listed in the insurance contract. So there are two main ways that civil liability for a data breach can occur. One is a finding of negligence. You have to be aligned with the peers in your industry, the best practices if you will. If you're not, if you could have had better protection, then yes, indeed, you may have civil financial liability and some of those governmental fines we've talked about on the show before. And secondly, even if you did everything that was required to prevent a data breach, it could still happen. So then the next stage is: did you do enough after the event to reduce the harm to the people affected? You know, did you notify them right away? Did you take immediate investigation and remediation steps? Did you contact law enforcement?
Is what you did after the fact considered reasonable? These are all things we need to keep in mind as business people. And having that plan in advance can save you a ton. I went through some of those statistics as well. Here are some good points for everyone to pay attention to. One, have a breach coach who can help you put together your breach plan and then run the response, and get an attorney involved, getting them involved early. Everyone should know what their roles are. That's going to be part of our security summer this year, so make sure you're signed up, because we have some documents about what your plan should look like, who should be involved, whose responsibility each part of that is. It just makes a huge, huge difference. Here's who is most liable. If you're a consumer and you've had your information breached, pay attention to this as well, because you have the other side. One, if you collect payment information for online sales. If you maintain a database of personal information on current, past, or prospective customers. And say you have employees: if you store information about employees digitally, including social security numbers and medical information, guess what, we're getting into the HIPAA regulations. I bet you thought if you weren't a medical practice you didn't have to worry about HIPAA. Well, you do, if you have employees. If you rely heavily on technology for daily operations, remember, you're going to be out of business, out of operation, for days, weeks, or even longer. If you are located in any jurisdiction that has mandatory breach notification laws. Right now, that is true everywhere in the world. Well, you know, the first world countries, if you will. The United States has them for every state, and there are some federal notification laws depending on what type of business you have. Same thing's true in Canada, the same thing's true throughout Europe.
So be careful here, too, with cyber insurance coverage. We talked about that this week with the UNH CEO people, what you should have and what you can expect from cyber insurance coverage. And again, we'll talk more about this during our security summer, and if you haven't already, make sure you sign up. Go to CraigPeterson.com, and you'll see a sign-up come up right at the top of the homepage; you can sign up right there, and I'll let you know when the security summer starts. We're going to be covering all kinds of stuff about firewalls, about backups, about the liabilities, CEO-type things through home users, and what you can do, what you should do. Mac malware. This is called malware. As I said, I kind of debate whether it is malware, because the software is behaving as expected. macOS has something now called Gatekeeper, and it keeps an eye on the programs on your computer: what you download, where it came from, is it signed. And it allows developers to have software that you download that is signed, and then refers offsite to allow you to get additional files, to get it from a database server. In this particular case, that is being talked about over on ZDNet. At launch, you gain access to a file server, and it's called an NFS server. This is what ZDNet calls a security flaw. I'm not so sure it's a security flaw. Apple has known about it for a month; they haven't patched it. It would be easy enough to patch, but it would also break a lot of good software out there. So here's the trick. If you're running a Mac or a PC or anything, do not download software from sites that you are not 100% confident can be trusted. It's just that simple. It's back to the brass tacks. Get right back to it. What are the brass tacks in security? One of the first is don't click on stuff. In particular, don't download and run software that is on your, you know, on a web browser, that you're putting on your computer.
Now we know President Trump said he was going to respond to the Iranian aggression and shooting down its drone. And there's dispute by Iran whether or not the drone was in Iranian airspace. There's some question about that, too, because the United States, for instance, claims a 200-mile jurisdiction. The international agreement says it's a 12-mile zone, and some are 20 miles, and the Strait of Hormuz is, I think, 12 miles at the narrowest point. So was it in international space? Technically, yes. Did Iran claim the space it was in as their own? Well, they did. So President Trump pulled out of this kinetic attack; we were going to bomb their radar installations and the missile launching facilities. It came out this last weekend that we hacked them. Now, I found out something exciting about this Russian power security breach that happened a couple of weeks ago. Don't know if you heard about that, but apparently we broke into and had control of several Russian power stations located in Russia. We flipped the lights on and off a few times to let them know: Hey, guys, we're here. Quit messing around with our elections and quit messing around with any other stuff that's out there. We have that capability. President Obama put some cyber offensive capabilities in place, and President Trump has upped the game there. And apparently what he did, this was the report from last weekend, he authorized our cybersecurity guys to attack Iran. Now, when Russia attacked Ukraine, of course, that piece of malware spread worldwide and brought down hundreds of thousands of computers, shut down, taken off the internet, and many others were ransomed, because Russia did not have control over that malware. We got malware into some of their missile launch systems, and we were able to shut them down. And possibly it didn't spread any farther.
Just like when we got into their centrifuges for making bombs, for their purification of uranium, that code did not get any further than the centrifuges and destroyed them. Now, we went after them, and US businesses now should be ready for what's going to be a massive attack from Iran. Remember, Iran doesn't have the finesse we do, and they don't have all of the talent that we do. And they don't care if they're hitting a military target or not. When it comes to cyber wars, these retaliatory strikes from there are very likely to hit pretty much anybody here in the US. They've already been attacking us, before President Trump launched this attack, apparently, against them. According to The Washington Post, Iran has been bombarding US businesses with software designed to wipe the contents of networks and computers, rather than to steal their data, which is rather interesting. That was from Chris Krebs, a director of the Homeland Security department's Cyber Security Division. And what that means is if the Iranians get ahold of your business systems or your home system, they are going to wipe it clean. So make sure you have excellent backups.
Again, if you don't, make sure you attend my training here, my security summer, because we're going to be going over that. This is free, people. It's free for anyone to attend; you can upgrade if you want to, and that's paid. But you're going to get all of the core information absolutely for free. And the way I think we're going to do it is, no matter whether you pay or not, you're going to get all the information for free. The same data, let me put it that way. Whether you decide to get the golden ticket or just do it for free, that's what I'm doing for the radio listeners; anyone can attend, because I want to get this information out there. So be prepared for the Iranian attack; they've already started attacking our businesses. We've already had North Korea attack Russia. I mentioned this at the CEO presentation I gave this last week for the UNH group. I was looking at one of our customers, just at their website, and looking at the firewall, because we have some very advanced firewalls sitting in front of even web servers. These firewalls that we were looking at, just for that one web server, were logging five attacks, which was just crazy. Five attacks from Russia! It wasn't, as I said, it wasn't only five attacks from Russia, it was five attacks per second, on average, over the last 36 or 48 hours. It was just crazy how they were getting just nailed, nailed, hammered. You guys already know, if you've listened to me for a while, about a client that we picked up that had been having email issues. We looked into it, and we asked the client if it was okay to do this, and we ended up bringing the FBI in, because we found Chinese back doors into their systems. They were a manufacturer; they had all of their plans, of course, electronically, all of the manufacturing, etc., etc. So now what? Now they get to compete against China with their own designs. Amen. To me, that blows my mind, frankly. How could you? How could you do that? But it's ignorance.
They think they're okay. Going back to this story, let me go back to this one from Kiplinger I was referring to earlier. Here's a great little quote from the author, Dennis Beaver. He said: my father is a dentist, and up in years. His office has all of his patients' records stored electronically, which he accesses from home from his laptop by leaving the server always on at the office. I mentioned this to a geeky friend, and the next day he showed me dental records from my dad's office that he had hacked. He claimed to be doing this as a favor, to get my father's attention about cybersecurity, and I believe him. So, by the way, be careful: don't just do that without permission. We have ethical hackers in my business here who are doing penetration testing, but we make sure we've got full approval from the company. So don't, don't just go and do this. So the story goes on. I told him that, and he immediately changed passwords but didn't seem too bothered. There was another one. I knew one Fortune 500 company's CFO who used the same password for over ten years. Most think that it's a joke, but it was proven. It was not so funny after they found his credentials in seven data breaches, used to hack the company's email servers, spoof emails, and steal tens of thousands of dollars without anyone noticing for months. We picked up a client here, a local one here in the Northeast, who had had $80,000 taken out of their operating account. Of course, they noticed it quickly, but not before the money was gone entirely. So be very, very careful. We're going to cover these things in our security summer; again, just go to CraigPeterson.com and subscribe right there on the homepage, and we'll let you know when that starts. That's probably going to be mid-July by the looks of things right now. And we're talking about 10- to 15-minute sessions a couple of times a week.
And we're going to keep them up for at least a week in case you miss it, so that you can watch one of the replays a little bit later on. Okay, man, we are almost out of time here. 76% of mobile apps have flaws allowing hackers to steal passwords, money, and texts. These are some high-risk vulnerabilities that are common across Android and iOS. Android has a little bit more risk than iOS, we're talking about 5% higher risk. And this is according to a company called Positive Technologies. They went in and looked at some of these mobile apps, and the biggest problem is insecure data storage. So be careful about that.
Again, Cisco has an answer to that, and with iOS, it's just phenomenal. Nobody has anything like this other than Cisco. But be very, very careful, because there are other products out there that could be useful to you. But remember, any data stored can be stolen, and you can't necessarily trust the app developers; they might be taking your data. Great article, you'll see it on my website. It is from Forbes, and this is about the cybersecurity skills gap and how classrooms are not the solution. Have a look on my website for that one. Business travelers: something new called visual hacking, coming from the Czech Republic. Again, that's up on my website and in this morning's newsletter. And the US launches a cyber attack aimed at Iranian rocket and missile systems; I'll talk a little bit about that. We've got a couple of great articles online. I spoke with the UNH CEO mastermind group this week about third-party contractors and why they are our weakest cybersecurity link, and they're just not being held accountable. You know, if you ask people who are the biggest cybersecurity threats out there, who have I talked about today? I've mentioned Russia, China, North Korea, and Iran. You'd be right; those countries are the most significant foreign threats. But as I said this week at the speech I gave, the real problem is internal. And by internal, I don't just mean your employees, I mean your contractors. It's one of the things you have to go through; you have to consider penetration testing, taking an analysis of your business and the data security. Here's Customs and Border Protection. I talked about this a couple of months ago, on May 31.
So it wasn't even two months ago. They had a breach where 100,000 people were photographed inside vehicles crossing the border in a couple of lanes, and it included images of the vehicle license plates, and maybe some other stuff that was stolen. It was taken through a third-party contractor that was doing work for Customs and Border Patrol. The most severe breaches of the last ten years have also been self-inflicted. So let's look at this one. It appears in The Hill, from Flexera. Patches were available for 86% of the vulnerabilities on the day of disclosure. In other words, when these companies came forward and told people about the hacks that had happened, for 86% of those hacked, it didn't have to happen, because there were patches out already. Okay, other breaches. They gained access by compromising third-party vendors, like we're talking about, and stealing their credentials to log into the corporate network of the eventual target. Speaking of Target, back in 2013, 40 million credit cards were lost through a third-party air conditioning provider that was hooked up to the corporate network. All they had to do was break into the air conditioning system, and now they had a launchpad. Think of what happened out in Las Vegas: a beautiful big fish tank, and they put a smart controller in it that would warn them when the temperature got too cold, because the fish are so expensive. It was hooked up to their network, and it was compromised and used as a launching pad.
We see that all the time with security cameras. They breached the Office of Personnel Management through KeyPoint Government Solutions, a third party used by the Office of Personnel Management. And it gave China 21 million personnel files, including background checks on top security clearances. In 2017, an Australian defense subcontractor lost 30 gigabytes of highly sensitive data, including information on the Joint Strike Fighter program. Crazy. By the way, they had not updated their software in 12 months. In 2018, China compromised the network of yet another defense contractor doing work for the Navy. Our technology, our advances, our military superiority were stolen from us. Again, from The Hill: in an assessment delivered to Navy Secretary Richard Spencer in March and reviewed by the Wall Street Journal, the Navy and its industry partners are under cyber siege by Chinese and Russian hackers. So think about all of that when you are thinking about your business and even your home computer.
Segment your networks, break them up, use good passwords. This is all stuff we're going to review in our security summer. Again, CraigPeterson.com, you can sign up, email me and I'll let you know when it happens: me at CraigPeterson.com. We're going to cover all of this so you guys know what to do, whether you're an individual or a small-medium business, because in most companies, face it, who's the computer guy or gal? It's whoever likes computers the most, or maybe whoever wanted a raise. They're not necessarily computer professionals, and it's extremely rare that they're security professionals. Security professionals, you know, we're working every day trying to keep up to date. And I've been doing this for 30 years, and I'm still learning stuff. So be careful, hire outside firms.
Okay, blah, blah, okay. On to the Apollo program. There are many people. I read a book, and I remember reading this back in the early 80s, and I marked it all up. It was about how the lunar landing was a hoax. Hollywood has made some films about it, and more and more kids nowadays think the whole thing was a setup. So this is a great article, written by Ethan Siegel. There you go. And we are talking a little bit about the moon landing. So let's go through this. People are saying that the entire space program and NASA is nothing more than a hoax. But let's go through a little bit of evidence. Number one, we can still see the evidence of the Apollo program on the moon even today. If you walk on the sand on a beach, the waves are going to level it out, and there won't be any sign that you were ever there. Right? But none of that exists on the moon. Even in the Sahara Desert, on the sand, you've got the shifting winds that shift that sand around. That is not true on the moon. We have pictures from regular people of the moon, of the landing sites of Apollo 12, 14, and 17. They photographed those from Earth. On the Apollo 12 landing site there is a ton of stuff; you'll see this in the article. You can view all of the pictures. It is from Forbes magazine; you can see it up on my website at CraigPeterson.com. I have a link to a number of extensive photographic and video pieces of evidence from the Apollo missions themselves. The one I like the best, the one that I am most personally familiar with, is the Lunar Laser Ranging retroreflector, and there are many others. But this is one that we hams use: there's a reflector that was left up there by the Apollo missions that we can bounce a laser off, and we use that scientifically to figure out how far away the moon is. But there are also the lunar seismometers, there is the solar wind composition spectrometer, the lunar surface magnetometer, the lunar dust collector, and many more.
All were left up there, and all ran for years. Some of this stuff is still running, so we were there; don't let them tell you otherwise. Take care, everybody. Make sure you sign up for the security summer at CraigPeterson.com. Take care, everybody. Bye-bye.