
Thanks for joining us! Let me know if there are any topics you'd like us to cover by sending an email to me at craigpeterson . com!

Dec 15, 2018

More what happened at Marriott.  Listen to find out how it actually went down.

Does the news about the partnership with 23andMe worry you? We'll discuss how you can remove your information if you choose to, and why you might not want to.

I know we have talked about Zero-Day Exploits before. Today we will talk about a new one

More on the stupidity of the Equifax hack.  Listen in and I will explain why it really was irresponsible and avoidable.

Australian lawmakers think they are Security Professionals. You know I like encryption and think it is a good thing.  Australia is passing laws that will have horrible global implications. 

For these and more tech tips, news, and updates, visit CraigPeterson.com

---

Transcript:

Below is a rush transcript of this segment; it might contain errors.

Airing date: 12/15/2018

Encryption Busting Laws In Australia

Craig Peterson: 0:00
Hey, welcome to Tech Talk with Craig Peterson. We have a few things to talk about, as we always do. We've got a little bit more news on what happened with the Marriott hack. 23andMe, I didn't really get to this last week. I had this article up on my website, I wanted to cover this, I talked about it a little bit on the air this week; it's a big deal for a lot of people. There's a new Flash zero-day exploit out there in the wild, another reason not to use Flash. We'll be talking about that and how that is, frankly, going to impact you. It's scary. I don't know why Flash is still out there at all. Frankly, it's a travesty. The Equifax breach, we got some new info on this, just how dumb this silly thing was, and what happened there. And of course, that exposed the personal data of hundreds of millions of Americans. The Australians have passed an encryption law. So we'll be talking a little bit about that; that's going to have some global privacy implications. And there was a bug that left your Microsoft account wide open that's going to maybe have some ramifications for you. This was kind of a crazy thing, again, something fairly obvious in retrospect, right? But you don't always notice these things in advance. And I had a great meeting this week. I want to do a quick shout out to John. He is a CEO of a multi-location business and trying to get his security under control. And it made me think about this webinar I did this week for the FBI on how do you sell security? How do you let the C-levels, the managers, the directors know why they should? Now there's obviously the whole you've-got-to-be-scared-of-this side of things, right? Which I think makes some sense, because you do have to be afraid of these things. But the other side is there are major business benefits to making sure your systems are safe. They go all the way from, hey, listen, we're not going to be down because we have ransomware, right?
And so how much would it cost us per hour to not be able to stay in business? And we have a client, a multinational client, who had to shut down worldwide manufacturing, worldwide sales, distribution, everything for a week or more. How much do you think that cost them? So there's a benefit there. There are other benefits, including you can now use it as a marketing plus. We have a number of accountants, we're working with an accounting firm, small firms, we're working with them to help them understand what their footprint is, what their liability is. And I think that's a really big deal, frankly, when you get right down to it, that, hey, if you come to me, I have a differentiating factor, right? Which every business needs, right? We all need our own unique selling proposition. Well, if you can tell your customers that their data is safe on your systems, do you think that's a big selling point? I absolutely do. I think it's a huge selling point. And we went through a whole bunch of things. And the gentleman's name is Dominic gorillas.

He's a managing partner over at impress draw. Now, you might want to look them up by MP St. ra.com. He has been very busy over the years in large public companies doing things, King consulting, he was over at Capgemini and many others. And he did a lot of stuff over in Europe, helping to transform all of these businesses. So thanks again to him, to Dominic, because that was a fantastic FBI InfraGard webinar that I put on with him here this last week. We're going to be re-airing it, it looks like next week. I'm not sure if it's going to be Tuesday or Thursday, because there were some snafus, right, doesn't that always happen, where our clocks got messed up. And it was my fault, because my clock got messed up. I was thinking 4 pm because that's when I hold my webinars, right. I hold mine at four. And then I hold the webinars for the FBI InfraGard program at 3 pm. So I kind of got messed up in telling myself, so I'm going to run it next week. If you're an InfraGard member, make sure you keep an eye out in your email for that announcement, because this is a really good thing. I think, you know, of all of the webinars I've done this year for the InfraGard program, this may be the most important, because it's helping businesses understand, the higher level management understand, what they should do, and how you can help them understand it as well. Okay, so let's get down to the business at hand here today. And that, of course, has to do with all of our friends who are over at Microsoft and what they've been doing to us or for us.

Well, there was a bug that was left wide open, and it allowed complete takeover of Microsoft accounts. So there's a bounty hunter out there. Some of these guys and gals can make some decent money just looking for bugs, they're called bug bounties, and they can range all the way up to 100,000 bucks. But it's usually not that much, even for huge bugs. It's shameful what some businesses pay to find out about bugs in their software. Sometimes, you know, the pay might be $2,000. Wait a minute, he just spent what, five, ten years learning the craft to try and find bugs, and then they spent what, six months finding this bug, and you're offering them two grand. But anyway, so he was working as a security researcher here with a cybersecurity site called Safety Detective and discovered that he was able to take over the Microsoft subdomain success.office.com because it wasn't properly configured. So the bug hunter set up an Azure web app that pointed to, this gets kind of technical, but pointed to the domain's CNAME record. So it's used to map domains and stuff moving around. So bottom line, Microsoft Office, Outlook, Store and Sway apps sent authenticated login tokens to him. Kind of a big deal here. So the issues were reported to Microsoft in June, and they finally fixed them in November. Okay, so hopefully, again, this is an example of a good guy doing the right thing, where he found it, he reported it, Microsoft fixed it then, and then, you know, we're all going to be relatively safe because of this.

So, you know, hopefully, right, isn't that kind of the bottom line here? We've got to keep an eye out. If you are running a business and you have software, you have a service, remember, you have an obligation to try and keep that safe. And that gets very difficult. That's why you should hire ethical hackers and hire these teams. And we have certified ethical hackers who are on our team if you want some help. But you need to not only make sure your software is pretty much safe, right, but you have to also make sure that your people are safe, that your systems are safe. I guess it kind of goes back to what I was just talking about, right, with Dominic here this week on that InfraGard webinar. But you've got to make sure, and another thing a lot of people really aren't aware of, and I want to make this very clear, too, and that is, if you're using Microsoft Office 365, or you're using salesforce.com, or you're using various other vendors, the liability for a hack still rests on you. So you need to make sure that you have an agreement in place with them, your agreement with them, not their agreement with you, your agreement with them, that says I am pushing liability for this on you, my provider, because you're supposed to provide me with security.

We went into a restaurant two weeks ago to have a look at their security. We're doing a paid cyber health assessment. And we had a look at their tablets that they have hooked up. Now they're hardwired, so, you know, the thinking is, well, okay, they're relatively safe, because we've got, wow, a SonicWall firewall. And of course, we had a look at it, and it was disastrous. What was on there is anybody could have put a logger on those. And they may have, right, because we didn't go into that level of detail yet. But a keylogger on that grabs all of the credit cards that are run through that tablet. Think about that for a minute. What a pain that would be. And because of the payment card industry standards, not only are his consumers hurt, because now they have to argue with the credit card company, which, you know, is not such a big deal, but he would get fined, and in this case, to the tune of about $8 million, potentially, based on the number of cards that go through his machines. Now, this is real. If you take credit cards, you have to live up to these PCI DSS, the data security standards that they have in place. You signed it. We had another client that, again, we just started doing security for. The Payment Card Industry guys FedExed them a package that said, you know, we need you to go through this and sign it. It was 150 pages, printed pages. They wouldn't let them sign it online, they wouldn't let them do a digital signature; they had to take and ship that package of paper, right. And they open it up, and of course, it's all legalese. And it's 150 pages. And they're trying to figure it out. And so they sign it anyway. Right? Who hasn't just clicked on "I accept" on a website? And now they are liable, because the PCI, the payment card industry, is going after vendors that have their data stolen.

So in this case, back to the restaurant, they were relying on the cloud service that was doing all the credit card clearing and tracking all of the orders and doing everything for them. Right. So we're all set. But that vendor wasn't keeping any of their data safe, which means when it's stolen, they're out of business. And we just had that happen in my hometown. It was one of these chain restaurants. And the people in that restaurant weren't taking credit cards, and were keeping copies of the credit cards. And so the whole thing had to shut down, the whole chain. The guy owned multiple of these restaurants, right, a name brand restaurant, and he had to shut down completely because of the liability. And people just don't pay attention to that now. And I get it, right. I sat down there just this week and went through all of the different things that I have to worry about. And believe me, there's a lot of things, right.

One of the things was security, but I have about two dozen what I call silos of responsibility. A lot of those have to do with outreach. But they also have to do with maintaining customers, employees, think about everything. I know it, right, you're a business person, you know what this is like. And just putting one more thing onto that pile just pushes it over the edge, right, it's just too much to do. Well, in this day and age, it's not anymore. Because if those cards had been stolen, this restaurant chain would also have been out of business, this other chain we had a quick look at. They would have been out of business as well, because they had this data, and this data was in a place where it wasn't being kept safe. So that's a pretty big deal, frankly, and I just want everyone to think about it. If you need help, let me know, or go to anybody out there. Please, go to anybody. We have certified white hat hackers. These are guys that know how to hack in, they have been certified, but they work for us. And we have bonds, right, and insurance and everything in case something happens. But you've got to do it in this day and age. It's unfortunate, but it's absolutely the case that you have to take care of this.

So I've got an encryption-busting law we've got to talk about, because this is going to happen all over the place. This is from our friends over at Digital Trends. You'll find this article, as well as all the other articles I talked about today, up on my website at http://CraigPeterson.com. But they've got some new legislation in Australia that could have some global consequences for security and privacy on the internet. Now, we know that various law enforcement agencies have been pushing to have a backdoor in for encryption. And this isn't, you know, this isn't a Trump-era thing. People, okay, don't get all upset with President Trump about this, this goes way back. This goes back to the beginning of time, really. But do you remember during the Clinton administration, this whole thing over the Clipper chip, and we're going to have encryption, and this is the best standard in the world? And they pushed it out to the world, and it turned out it had a backdoor, and it had a way for the federal government to get in. Now, I kind of understand this, right, to many degrees. If you're a victim of a crime, obviously you want the crime solved. If you're trying to investigate a crime, you want the right evidence, and as much of it as you can get. You don't just want to have a phone that you can't get into. And you don't want to have just hearsay. You want physical evidence. You don't want somebody to say, yeah, well, I heard so-and-so say such and such here. All right. I remember one case, I was sitting in a restaurant, and I overheard a discussion between two waitresses, and they were talking about the commission of a murder that had occurred and who they knew was involved with this murder, a local-ish murder, right? I don't think my hometown has had a murder in a very, very long time, but, you know, very local, the next town over, the next big town over, and they were standing there talking about it. So I called up the detectives that I knew and said, hey guys, for what it's worth, I heard so-and-so and so-and-so talking about the murder of this other person. And they said they are confident that this person committed the murder. And here's kind of the background on what I heard. And of course, the detectives said, thank you very much. And I have no idea what they did with that information. At the time, they said, yeah, this is useful, but they said it's stuff we already knew. But it's just, you know, another checkpoint, it's another data point on this, that we know now that, okay, there has been some involvement in it. So I understand you can't use, as we're talking about here, hearsay, right, fifth-hand, who knows how far out this was, this is just rumors, a couple of people chatting over something that they might not have really known anything about. So getting into that phone or getting into a computer can be very important. And the same thing's true when we're talking about things like Snapchat, or we're talking about FaceTime, or we're talking about some of these others; it can be really important for the police, for their investigation, to know what was said, or know what is being said. So there might be a crime, they're watching somebody right now, and they're listening in, right, kind of like the FISA warrants, and Major General, right, General Flynn, who was kind of caught up in all of this, and, you know, that's a whole other story. But when something like that happens, and they want to listen in, it's one thing to be able to listen in to a regular phone call; it's almost impossible for them to listen in to one of these encrypted calls that you can use, just, you know, as I said, FaceTime, you can use WhatsApp, there's just a ton of them out there.

So Australia has come out now with this law. And it's saying that the apps like iMessage from Apple, like WhatsApp, Telegram, Signal, that are used to keep messages private between people, and we already know that in some of the federal investigations that have gone on, they did not have access to this. It's not like Peter Strzok in the FBI sending texts to Lisa Page, because every text is kept, okay, it doesn't matter if you deleted it off of your phone, it went through the phone company, and they keep those things for a period of time. Well, that private conversation is something they'd like to listen in on. And frankly, some of these are pretty high-level privacy. And the Australian government now has decided that they want to compel technology companies to help them access the information.

Now, we're going to have to see what happens here in practice. What's really going to happen in practice is still being debated. But there are critics in the tech industry that made it clear they're not on board with the government having this kind of power to snoop. Many of them say the bill will oblige tech companies to put backdoors into their security systems so the government can get in. But of course, that now gives the opportunity for bad guys to get into it, for fraud to occur, right? Because if there's a door, somebody is going to find that door. And they said the bill does have a safeguard: companies are not required to build systematic weaknesses into the software. But systematic was not defined, meaning that the actual legal requirements are unclear. There are other concerns with this bill, which is the lack of judicial oversight in the process. Look at all of the problems we've had recently with the FISA warrants.

Right, essentially a star chamber. The judges see it in there, it is completely private, there's nothing public about it, and you can easily have someone that does something they shouldn't do, right. So law enforcement agencies, in this case, will still need a warrant. But, you know, how do they go ahead and break the encryption once the warrant's issued? There's no further oversight. Now, because most tech companies are global, we're talking about a very wide net here. Are you going to design a system that has a backdoor so that you meet these Australian requirements? And, frankly, the Chinese requirements? So are you going to put a backdoor in and then somehow keep that door closed for the rest of the world? That's the problem out there. There's a human rights lawyer down in Australia, Lizzie O'Shea. She says, "The truth is that there's simply no way to create tools to undermine encryption without jeopardizing digital security and eroding individual rights and freedoms. Hackers with bad intentions will do their utmost to take advantage of any such tools that companies are forced to provide government."

So there you go. I think it's a bad idea and a good idea all at the same time. I can absolutely see both sides of that argument. It drives me crazy. I'm not sure what the right way to go is entirely, but I've got to say I'm not sure that the government having essentially unfettered access to our papers is what we want, you know. There used to be a constitution and a constitutional amendment about being secure, right, in your papers. You used to have privacy, but that seems to be kind of going by the wayside. But if there's a warrant required, I guess that is a check and balance. It should be public, there should be oversight, but, you know, as they said in Enemy of the State, who's going to oversee the overseers? Right, but that's not a direct quote, by the way, but that's kind of where we're going.

So let's talk about Equifax here, and there's some dumb hack. We had the House Republicans investigating this Equifax breach, because they really cared, that this was a very, very big deal and it needed some oversight, and the Justice Department, they did some investigating into this, not a whole ton, but the House Republicans spent 14 months now investigating it, and they reached the same conclusions that everybody else that looked at this came to, and that I came to about a week after the hack, and that is the breach was entirely preventable, and that the credit reporting agency's management didn't do anything to shield consumers from this mess. Now the article I posted from Gizmodo up on http://CraigPeterson.com has some colorful language in it. So if you're not into the colorful language, you might not want to read it, because I'm skipping over that part here. But there are no new laws in place about this. There's no new accountability. And I'm not sure we need new laws about this. But I do think the regulations need to get a little bit more in the line of teeth. If you are a small company like these people we deal with every day, you know, you're under 20 million in revenue, it's hard to justify a major investment in security. I get it, it's very hard, although you should be spending one to 3% of your budget, if you're a large corporation, of your IT budget, on security. Okay, for the little guys, that's the wrong number. It's a very high number, unfortunately. But there have not really been any changes. Private organizations, as I mentioned earlier, like the payment card industry, are enforcing new rules. And they are legitimate rules. They are very tough rules, but the rest, not so much. Okay.

So they found in the info here that it was entirely preventable, that Equifax failed to fully appreciate and mitigate its cybersecurity risks. They found that had the company taken action to address its observable security issues, the data breach could have been prevented. Lack of accountability and management structure: Equifax failed to implement clear lines of authority between their internal IT management, leading to an execution gap. That's something else we covered this last week in my FBI InfraGard webinar.

They had complex and outdated IT systems that, you know, because of their aggressive growth, they had all kinds of problems because of acquisitions, not moving stuff in. Does that sound familiar? Like the Marriott hack that just happened, right? Well, happened, started in 2014. And it's not entirely Marriott's fault, but they've been on an acquisition spree, and Starwood had been hacked. So there are some problems there, right. So they were just out of date, there were way too complex custom-built legacy systems, IT security very, very challenging to implement responsible security measures. They allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. They failed to renew an expired digital certificate for 19 months, and that one expired certificate left Equifax without visibility on the exfiltration of data during the time of the cyber attack. And we see that all the time. You get an attack, there are indications of compromise, and yet the businesses have no idea what data was stolen, unprepared to support affected customers. It goes on and on. And there's a link in this article, again on my website, to get a full copy of the report, and it's well worth reviewing. It might be something that I'm going to have to do a master class on, you know, lessons learned, basically, from the Equifax breach. So I'm going to set this article aside, because I do want to follow up on that one. And wow.

Okay, all wrapping it up here. We only have a couple of minutes left. We've got a fresh zero-day exploit that's been spotted in the wild. So if you have Flash on your computer, update it, and I strongly advise that you remove Flash. Now if you're using iOS devices, iPads, iPhones, you don't have Flash, they've never had Flash. Steve Jobs, Apple, have never allowed Flash to be placed on iOS. Okay, so you're safe.

If you have a Mac, it is not enabled by default. But many people install it, particularly a few years ago, because many websites required it, and in this day and age, there's no reason to have Flash anymore, period. Goodbye. So personally, I'd say delete it, because it has had so many security problems. If you need Flash for some particular reason, make sure you update it, because this one's another huge one. Okay, this is a zero-day flaw, it's exploited in the wild already. And if you've given your DNA to 23andMe, I've got a great article from Business Insider up on http://CraigPeterson.com. DNA testing company 23andMe signed a $300 million deal, and that's kind of a big deal because it's GlaxoSmithKline. They're using the data to do research for developing medications that are personal medications that you can use. And, you know, I think that's a good thing, frankly, because that's the future, but let me tell you, your personal information, your DNA, is going to be out there and it's going to be shared, so you've got to make that decision. Visit 23andme.com, make changes as you want. Make sure you subscribe to my email list. I'm still getting that Christmas present together for everybody about how to keep your personal information safe, the things you can do to stop the bad guys from opening credit cards and stuff in your name: http://CraigPeterson.com/subscribe. Have a great week. We'll be back next week. Take care, bye bye.

---

Related articles:

Encryption-Busting Law Passed In Australia Will Have Global Privacy Implications

Equifax Breach Was Just As Infuriating And Dumb As You Thought, New House Report Finds

Flash Zero-Day Exploit Spotted – Patch Now!

A Bug Left Your Microsoft Account Wide Open To Complete Takeover

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553