Mar 16, 2019
Have you heard about sextortion? We will talk about this type of blackmail scam and why it is so dangerous.
Android vs. iPhone, what is your choice? Today, we're going to talk about it from the resale value side.
What's up with GPS systems? Why are some experts not flying on April 6? I got some news and explanations for you.
And we have a report out of the UK, The Guardian about how easy it is to steal modern cars. We will discuss why that is.
Did you hear about the warning from Google this week? We will get to that and some other unexpected actions from Google.
For more tech tips, news, and updates visit - CraigPeterson.com
---
Transcript:
Below is a rush transcript of this segment, it might contain errors.
Airing date: 03/16/2019
Duckduckgo For Search - Google Advisory On Windows 7 - Cars Hacked Via Their Security Systems
Craig 0:00
Hi, everybody, we're up to show number 998.
Craig 0:12
Does that mean we have to do something special, coming up here in a couple more shows? I can't believe 1000 weeks worth of shows. I don't number my shows based on the,
Craig 0:21
you know how many times I've appeared or how many times I've put podcasts up. Because I do, sometimes, five. I've done as many as a dozen different podcasts in a week before. So I don't add them up like that. I'm talking about 1000 weeks on the air, on the radio. That is absolutely fantastic. Frankly, it's just so exciting. I'm glad that it's happening. Well, today, we are going to be talking about sextortion. You might have seen this; I had one of the listeners reach out to me about this just a couple of weeks ago. And in fact, it happened to me as well. We'll talk about Android vs. iPhone. This time, we're going to talk about it from the resale value side. GPS systems, April 6, I got some news for you. Some experts have decided they're not going to fly on April 6th; I'll explain why. And we have a report out of the UK, The Guardian, about modern cars being much easier to steal than the old ones, and why. Google has a very big warning out this week that we'll get to. And Google did something else that was not expected by a lot of people. Google has quietly added DuckDuckGo as a search engine option for Chrome users. This is about 60 different markets globally, and this is really big news. Because the Chromium engine, of course, is made by Google. And you know, already Google is very big in the search engine space. So having them promote, which is what this effectively is doing, having them promote competitors is a little bit of a surprise to everybody out there. Now, Chromium, I mentioned this a few weeks ago, which is the underlying technology for Google's Chrome browser, is being adopted by Microsoft. They are completely shooting their own browser projects in the head. And they're building it all on top of Chromium now, which I think makes a whole lot of sense. So does that mean Microsoft now is going to be using DuckDuckGo? Let me explain what this is.
For those who are wondering, DuckDuckGo isn't just a kids' game from 50 years ago, or probably longer than that. Actually, DuckDuckGo is a search engine. And it is designed with privacy in mind. I've had the founder of DuckDuckGo on my radio show before; we talked a little bit about what he was doing. This was some years back when he was first getting started. And I've actively promoted it since then, and have been using it, frankly. But people are saying, well, DuckDuckGo is the search engine to use because it is not tracking what you're searching for. It's just giving you kind of general advertisements, just like Google used to 10 years ago. And other people are saying, well, why would I use DuckDuckGo when Google has, frankly, better search engine technology, which it does, in many ways. Google has been able to invest a lot of money into its search engine technology, and DuckDuckGo just really can't, at least not to the level that Google can. Now some people who are kind of skeptical, myself included, are thinking that maybe Google did this with Chromium in order to avoid some of the antitrust scrutiny, the anti-combines laws that are in Canada, the UK, and much of the Commonwealth. But it is good news for people.
Craig 3:59
I use DuckDuckGo as my first go-to choice when I'm searching online. It doesn't track you, I kind of like it, but it doesn't always give me the results that I really need or really want. So for those types of results, sometimes I'll end up going to Google and checking there. And I use Bing for some types of searches too. I find Bing's image search to be a little bit better, in some ways, than Google Search. Bing doesn't have the reverse image search that Google has. But you know, all in all, I think it's pretty good. There's another pro-privacy search engine out there called Qwant. I've used that before, Q-W-A-N-T, and in Chromium Google now offers that as another default. So you might want to look at that, DuckDuckGo and Qwant. And Qwant, by the way, is only available as a default over in France, which is where Qwant is from. But you can always just go to Qwant dot com or DuckDuckGo dot com. And you can use it in almost any browser out there as a default, and it's been added in, I'm looking through the list, Canada, basically all of our neighbors, I don't see Mexico on here. That's kind of interesting. I see the UK, US, Venezuela is, you know, if they get power back down there, they'll be able to use it. Good old socialist countries, right. So anyways,
Craig 5:30
it's been growing for years, it's really quite good. And this Chromium instance, available on GitHub, in case you're a developer, is worth looking at. I also, when we're talking about Chromium, I've got to make sure I mention my other browser, my favorite browser for privacy. And that's the Epic browser, E-P-I-C. And I think on today's coaching call, we're going to end up talking a little bit about that Epic browser, because a lot of people are kind of concerned and confused. And the Epic browser also uses Chromium as a code base, which I think is good, because Chromium is kind of the standard. I also just dropped a note down for myself. But it also has the types of security that DuckDuckGo has; in fact, it's kind of tied in hand in hand. It has VPN routes through it; it used to just be in and out routes through a whole bunch of different places. So check it out, E-P-I-C browser.com, Epicbrowser.com online, and use DuckDuckGo whenever you can for your searches, if you want to try and keep things a little bit on the private side. And if you're very paranoid, your best bet depends on how paranoid, right? If you're like crazy paranoid, we're not going to talk about that right now. I could help you out. But if you're more paranoid, do the other thing I do, which is just switch it up: use different search engines, use different browsers, use different machines when it comes to banking, because I don't want any of my banking information to be stolen. And I've got to get back to some of what I'm doing; some of it I'm doing, some of it I'm not. If you're interested, let me know. It might be worth doing a masterclass about, you know, how to do this, how to do it for free even, and keep your banking information safe. So I should write a little note about that. Well, we have a warning from Google; we're going to get into that right now.
Craig 7:33
Well, our friends at Google have been paying attention to security for a while. If you have the latest versions of the Google Chrome browser, you're getting automatic updates. It's a technology that the Firefox Mozilla people have been using for a long time.
Craig 7:48
And these auto updates are absolutely fantastic. It can just save you a ton, not only of time, but of not having to apply the updates. But you know, people can break in, drive-by downloads, you know, all the crap that happens when you're online. So Google has been very good about updating their Google Chrome browser; the Chromium underpinnings, you know, they get updated as well. But the browser is really where they're most interested. Well, now, Google is warning people about Windows 7. You know, if you've been listening for a while, that a month or so ago, Microsoft told you to ditch, to drag Internet Explorer into that trash can and never use it again. You know that, right? Number two now, with Google out here, is Google's recommending Windows 7 users to stop using Windows 7 and upgrade immediately to Windows 10, if at all possible. And this is because of something called a kernel vulnerability. The kernel is the core part of the operating system. The kernel is where everything happens; really, the kernel is how all of the processes talk to each other, how they can access hardware resources like the disk, or the camera, the microphone, the speakers. Everything on your computer ultimately goes through what's called the kernel.
Craig 9:18
Wow. Well, the Threat Analysis Group has explained that Google discovered two different security vulnerabilities, one in the Google Chrome browser and the other one in Windows. The Chrome bug was already patched, but Windows 7 is not yet fixed. Now this month, the Patch Tuesday from Microsoft has a doozy set of patches, a whole bunch of them. Microsoft is fixing all kinds of major flaws and vulnerabilities in their software. I don't think this particular fix is in that patch set, but it'll be out sometime, I'm sure. Microsoft's saying the vulnerability is in the win32k.sys kernel driver, and it can be used as a security sandbox escape. Now, this is getting all rather technical, but sandboxes are where you set up basically a way to execute software that nothing else can get access to, and it can't get access to anything else as well. So you use sandboxes for security. And having a major security problem with the security sandbox obviously is very big. So here's the statement: we strongly believe this vulnerability may only be exploitable on Windows 7, due to recent exploit mitigations added to newer versions of Windows, Windows 10 and 8, although Windows 10 has the most fixes. They've done a lot there.
Craig 10:53
They're trying to make it as good as Mac OS. It'll be a while before they get there, but they're almost to the point that Unix was at 20 years ago. So you know, kudos to Microsoft. To date, back to the quote: to date, we have only observed active exploitation against Windows 7 32-bit systems. So the note from our friends at Google and their security research team is: get rid of Windows 7, upgrade to Windows 10 as soon as you can. Microsoft says it is working on a fix. They are publicly disclosing the existence; they're saying it is a serious vulnerability. So they're admitting it, no big deal. We'll see. By the way, Windows 7 is reaching the end of support at the end of 2019; it's actually January 2020, read it however you want. But you've only got months left before Windows 7 will no longer get patches unless you pay Microsoft a king's ransom. In other words, our federal government will be spending a lot on software with Microsoft, I'm sure, in the years ahead. It's still paying Microsoft to support Windows XP. Isn't that crazy? Let's talk about our new cars for a second.
Craig 12:19
We talked last week a little bit about our cars and insurance with autonomous vehicles. What does it mean? When are things going to get better? When are they going to get worse? Well, we have more smarts in cars today. They have something called CAN bus, which links up all of these computers throughout the machine, throughout your car. You know, most cars nowadays, the more modern ones, they don't even have a connection from your stereo to the speakers directly. There's no amplifier in there. It's all going over this network in your car, a little LAN in the car. Well, that means that computers are there and they can be exploited. We have already seen that; we saw a hack that went through the radio in some of the Chrysler products and allowed people to remote control Chrysler cars if they used this hack on their radios. So it is a concern. I'm not sure they've addressed it all well enough, and I'm not just talking about Chrysler here, I'm talking about everybody. It gets me very concerned. There's been issues with BMW and others in the past as well. Well, there's a British infosec company called Pen Test Partners, and they found that the Viper SmartStart alarm and products from Pandora were riddled with flaws. And these flaws allowed an attacker to steal a car fitted with one of these devices. So if you have a Viper Smart alarm, the SmartStart alarm, which I do know people who have this, I'm gonna have to reach out, let them know individually in case they're not listening today. But the Viper SmartStart alarm and products from Pandora allow cars to be hijacked. And now here's from a blog post about their findings from Pen Test Partners: before we contacted them, the manufacturers had inadvertently exposed about 3 million cars to theft and their users to hijack.
Craig 14:28
This is a very, very big deal. This was really started because of Pandora's alarms. The company noticed that their security was advertised as being unhackable, which is a bad thing to say, right? What's unhackable? So I guess Pen Test Partners took that as a challenge. And they found an API, which is this application programming interface, and some simple parameter manipulation that allowed them to be able to change the Viper SmartStart user's account password and registered email addresses, giving them full control over the app and the car that the alarm system was installed on. All they had to do was send a regular web POST request to the API with a parameter, email, redefined to one of their own choices, and that overrode the legitimate owner's email address, and now they had control over the account. So there you go. Okay, major issues: using the app's ability to clone the key fob, issue RF commands from a user's mobile phone. And they dug into this a little bit more, by the way, and they discovered a function in the Viper interface that remotely turned off the car's engine. So the Pandora bug also allowed researchers to remotely enable the car's microphone so they could listen in and eavesdrop on the conversation of the occupants. And they also said the Mazda 6, the Range Rover Sport, the Kia, what is this, Course I guess, the Toyota 4Runner, Mitsubishi Pajero, Toyota Prius 50, and the RAV4 all appear to have undocumented functionality present in the alarm API to remotely adjust the cruise control speed. So it goes on and on. Car security remains poor, and you don't need guns, you don't need lock picks, to steal modern cars, or even to cause them to crash. I wonder if any of the crash investigators might look into this, if they realize, wait a minute, there's a remote controllable API in this car, maybe we should subpoena the court records from the manufacturer of the device and poke around a little bit and see if maybe someone manipulated it and told the car to floor it down a back road. We're going to have to get a little smarter about some of this stuff, right? Even though the criminal investigations. Well, let's talk about April 6 here. Wow, this is something I wasn't even aware of until just this week.
Craig 17:21
Of course, I was aware April 6 was coming, people, okay. Don't give me a hard time about that. Because, you know, I gotta remember April 8, which is my anniversary, right? So I don't want to mess this up. April 6. Anyhow, I knew the 6th was coming. And it's certainly getting close. But this has to do with GPS systems. If you remember 1999, if you were doing programming, if you were involved with computers back then, it was a scary time. Many people kind of predicted the end of Western civilization. And they weren't totally wrong about that either. Western civilization could really have come to an end because of what was called the Y2K bug. And it was because of programmers like me, in the 70s and 60s, that wrote software that said, well, if I want to figure out the time between this date and that date, all I have to do is use a two-digit year, and those two-digit years are going to take up less space in the storage. And if you have a million records, times two more digits, which typically would be 2 bytes, then, well, that's, you know, 2 million more bytes of data, which at the time was a whole lot of data. So we took shortcuts, and one of the shortcuts was storing the year as just the last two digits. So we didn't worry about the 19 part; we only worried about the 79 part or the 99 part. So there were a lot of predictions about software. And I knew a guy who started a company that was designing software to specifically look for this Y2K flaw and fix it. Of course, as it turned out, there were some problems; they were relatively minor. But most of the companies out there, certainly the ones that were in business, realized that Y2K was coming and made some basic adjustments so that there wouldn't be a big problem. Many people expected there not to be another problem until maybe the year 10,000, right. So instead of Y2K, in the future, we're probably not going to be around, but in another 8000 years we've got another rollover. Well, that's not the case.
Craig 19:43
I have been aware of what's called the 2038 problem. Because in the Unix world, there's a timestamp the Network Time Protocol uses and many machines use, which means, by the way, Windows uses it to synchronize times. Well, that particular clock is going to roll over in the year 2038. And that's most likely to affect embedded systems. Now, there are fixes already in place, and many versions of Unix that are out there, Linux and some of these other derivatives, have already taken this into account. And then, of course, there's bad programmers that really don't realize all of the implications of what they do.
Craig 20:27
They've always existed and they'll always exist. In fact, I think in many ways it's getting worse than it was before, you know, the bad programmers that is.
Craig 20:34
But maybe that's because I'm just getting to be an old man, right? I've been doing this for too long. So we know that the Y2K problem was real. And in most cases, it was fixed. That 2038 problem is real. In most cases it will be fixed, although again, we're going to be affecting embedded systems the most. In other words, those that don't get the software update. When was the last time you upgraded the software in your car, or some other physical device, the clock on your disk? Hopefully, none of it's going to be life-threatening, because some systems are using Unix, that is, embedded systems. Well, there's another one, this is the April 6
Craig 21:18
bug. And this has to do with the GPS, and there are some security experts, including one guy over at RSA. And RSA does a whole ton of security work. They provide some of the algorithms that run public key systems. They have little key fobs, little devices that have a timer on them, you've seen them before. It's a little number that rolls over every minute or so. And you might use them with your banks, etc. Well, those guys are the guys that are now warning about this April 6 problem. They talked about it at a security conference just last week out in San Francisco. And he says that some of the older GPS systems are going to be in serious trouble, because the computers in these GPS systems are going to have counters that flip back to zero. So they are going to literally run out of time, reaching the end of their counters. And that really could cause some major, major effect. This guy here, Bill Malik, there's another guy, he's a VP over at Trend Micro, they do a lot of computer security, cybersecurity. We've used some of their stuff in the past. He told the media that he would not be flying on April 6 and suggests that it could be bad, it could be a lot worse than Y2K was, because the effects are going to be more widespread. Widespread because many more systems have integrated GPS into their operations. And many of these are embedded systems. Ports, he's talking about here, loading and unloading containers automatically, using GPS to guide the cranes. Some of those systems could be affected and the cranes are going to shut down. Hopefully, public safety systems use GPS, traffic monitoring systems for bridges, the bridges that raise and lower automatically, the ones that change the lanes. Ever been on one of those roads where part of the day this lane is northbound, the other part it's southbound? You know, 20 years ago, these GPS systems were really in primitive shape, and they were embedded. So the impact on this could be even greater. Governments have issued warnings to state and private sectors to update their technology. But some of these systems, we're not even aware of how some of these work, the companies have gone out of business, there's no way to get an update. Nobody really realizes there's GPS in there. Because you remember, GPS isn't just used to locate you. GPS is used to locate because it uses very fancy high-resolution timers. And the way it works to locate you is it listens for the satellites to send a clock signal.
Craig 24:24
So each of the clocks will announce what time it is. And because the satellites are different distances from you, you will hear the time at different times. Right? You know that if someone's yelling at you from across the room, you hear it; or you see a gunshot at a range, you will see the gunshot before you hear it. Right. Well, if someone fires that gun right next to you, you're going to hear it instantly, correct? So you know that the guy that fired the gun, and it took a second for that sound wave to reach you, you know that guy's further away than the guy who fired the gun and immediately you heard it. Well, that's how GPS works, using extremely high precision timers. So another thing people do with GPS signals is they use it to get a clock source. So many computers are using GPS receivers to figure out what time it is. So the systems that reverse traffic, that control bridges, etc., etc., many of them are syncing their clocks and their timers up to GPS. And when it's an embedded system that hasn't been updated, we could have some serious, serious problems. A couple of real quick things here before we go today. And of course, you'll find these articles and many more up on my website, http://CraigPeterson.com. I have also been doing a special podcast called It's A Security Thing. You're not going to find it unless you look for me, because I haven't split it out yet. But in it, I'm talking about these types of security issues, things in the real world. This week I was talking about a CPA firm, what they did to respond to a cybersecurity event (two weeks ago this happened), what they did right, what they did wrong. And you will find all kinds of these things; we're posting them almost daily now at my website, there's a special section, http://CraigPeterson.com. So make sure you have a look at it. We are writing all of these articles ourselves. These are not references to other articles. There might be links to other articles, but these are really great. If you're interested in cybersecurity and finding out more, you'll find them on my home page, again, http://CraigPeterson.com, and it's all small businesses. It's all things they did right, things they did wrong, and what happened, and they're all very, very current. So check it out. You really, really should. And we're sending, I include some of those also in my weekly email. If you're not a subscriber: http://CraigPeterson.com/subscribe. Apple is crushing it on resale value in their laptops, but also the iPhones. They destroy the Android. iPhone X versus a Samsung Galaxy S9, wow. iPhone X was 1000 bucks when it debuted; it's still worth 700 nine months later. So that's a drop of 30%. The Samsung Galaxy S9 cost 720, but it was worth just $290, a drop of 60%. So consider that too when you're looking at the prices of devices, what you should be buying. And by the way, you should be buying the iPhone. Hey, have a great week. Make sure you check us out online, http://CraigPeterson.com. Take care, everybody, and we'll be chatting again next week. Bye-bye.
---
Related articles:
No Guns Or Lockpicks Needed To Steal Modern Cars If They're Fitted With Hackable 'Smart' Alarms
Sextortion Scammers Target Employees
Google Has Quietly Added Duckduckgo As A Search Engine Option For Chrome Users - Privacy
iPhone Crushes Androids On Resale Value
---
For questions, call or text:
855-385-5553