Nov 16, 2019
Welcome!
Today there is a ton of stuff going on in the world of technology, and we are going to hit a number of topics, from being aware of fake sexual harassment claims being used to mask malware, to the advantages and disadvantages of future military technology, and why everyone should be using multi-factor authentication -- so stay tuned.
For more tech tips, news, and updates visit - CraigPeterson.com
---
Related Articles:
Don't Take The Bait - Fake Sexual Harassment Claims
Can You Detect A Phishing Attempt?
Vulnerability in Popular Anti-Virus Program
Bots Losing Panache as Cybercriminals Hire In Third World
Not If, But When -- Don't Think You Are Not A Target
Big Tech Has Your Private Medical Records -- Through Hospital Partnerships
Future Defense and Military Tech
Best Practices in Authentication Still Mostly Ignored By Businesses
---
Automated Machine-Generated Transcript:
Craig Peterson 0:05
Hello everybody! Craig Peterson here. Welcome. Welcome, you are listening to me on WGAN and online at CraigPeterson.com. Thanks for joining me. Today we are going to be talking about some of the most important things that are happening in technology, as we do every week, and more particularly what's going on in the security realm. We'll talk about how you can detect if it's a phishing site that you have gone to, new malware from TrickBot here, a brand new one. Some complaints here about McAfee: every piece of anti-virus software McAfee makes has vulnerabilities. We'll talk about that major, major security problem. We've got accounting fraud here and how it's getting harder to detect, and why do we have breaches? You know, I talk to so many people; I have a lot of customers, a lot of business customers. And they're sitting there saying, well, you know, this is all inevitable, so what should I do about that? We'll talk about that. Google, you might have heard of Project Nightingale. We'll get to that today as well. Defense firms are on track to make some very, very scary hardware. We'll talk about that as well as some of the myths of multi-factor authentication. And there are a lot of myths out there about all kinds of this security stuff, frankly, but let's start with our friends at Microsoft. I bet you thought I was going to say Apple, didn't you? Well, we had a big patch day, Patch Tuesday, and it fixed 13 critical flaws this week, and one zero-day vulnerability. Let's start by explaining what a zero-day is. In this case, we're talking about a zero-day attack, which refers to a vulnerability that is undetectable by any current antivirus software or anti-malware software, because none of it has seen this particular problem before. Now you noticed that I made a distinction between anti-virus and anti-malware, right? Because anti-virus software behaves in a certain way. Anti-malware behaves, well, frankly, a little bit differently. So what are the pros? What are the cons? What's the difference between antivirus and anti-malware? Well, as a general rule here, anti-virus is a subset of anti-malware. Anti-virus is something that we're doing now and will probably continue to do forever. Still, it does not catch most of the nastiness that's out there today. Anti-virus is, you know, at best... some people would say zero percent effective, but I give it kind of the benefit of the doubt, and it's about 20% effective. So if you have antivirus software, it's only useful about 20% of the time against all of these different types of attacks; it's probably closer to 10% if you pull the human element into all of this. Anti-malware software behaves a lot differently than antivirus software. Some of it is whitelisting, where it knows this is a legitimate piece of software that was not modified, so it allows it to run. That's on one side. These are quite difficult to keep up to date, because you have to continually monitor what's going on, what the software upgrades are, what the checksums of that new version of the software are, their libraries, are they all legitimate, all those DLL files and everything else they're using. It gets pretty darn complicated from the whitelisting side. And there are a couple of companies that do whitelisting. Some of them, frankly, do better than others.
Craig Peterson 4:07
Some of them, in reality, aren't even really doing whitelisting when you get right down to it. And then there is the next level up, which is the anti-malware software. And anti-malware is software that typically looks at the behavior of what's going on. And there is software out there right now, malware that's designed to fool the anti-malware software. So it looks at it and says, okay, this just installed. Wait a minute, it started opening a bunch of files. Wait a minute, it's writing to a bunch of files. Wait a minute, it's changing all these file names. That's the type of behavior that would be typical of ransomware. Good anti-malware software looks at the behavior of a program as it is opening all kinds of ports, the TCP/IP packets that are trying to use the network to get to all of these other computers that are out there on the network. What is it doing? How is it doing it? Why is it doing all of that? That's good anti-malware software. So it will do all of that; it looks at checksums, it looks at just all kinds of things. And it typically has about a 10% performance penalty on your computer, and it can be a little bit higher than that. But they're busy looking at everything, examining everything, trying to figure out what to do. So we have anti-malware software out there, as well as anti-virus. Those are the two significant types of software you'll put onto your computers. And frankly, anti-malware like what we use has multiple layers of software, and it ties into external databases and Cisco Talos to get updates and everything else. So that's what we use; that's what we do. So, in this case, we're talking about a zero-day hack against some of this Microsoft software. So what does that mean? Well, that means that, as of right now, none of the antivirus software knows how to detect this as a virus, none of it. That's zero-day; it's day zero. So tomorrow will be zero-day plus one, right? So day one of this out in the wild. And Microsoft, with their Patch Tuesday, decided they would plug 73 security vulnerabilities in their software products, including 13 of them given the top level of a critical security vulnerability. And I guess it's kind of fortunate that this month only one of the flaws is known to be exploited. And this is a CVE, that's what they're called, that scripting engine vulnerability in Internet Explorer, and the sooner they get rid of Internet Explorer entirely, the better off everybody's lives will be. IE, they built it into the kernel so that they could have more control over it. You might remember the lawsuit against Microsoft saying, oh, you can't ship a web browser that's integrated right into the kernel, because now you make it so that none of the other web browsers can work on Windows, which was right in the very beginning, and you're blocking us out of there, and thereby it's anti-competitive. You know, it's all true. Now, IE, because it's inside all these versions of Windows, these vulnerabilities can affect users who are no longer even using Internet Explorer at all. In other words, you don't have to launch the browser. You don't have to go out to the internet. You could get nailed on it right away. Okay. Now Microsoft Office is using the same rendering engine that has this vulnerability that Internet Explorer has, and it can be embedded and, in fact, triggered by an ActiveX control on a booby-trapped web page. ActiveX is one of the worst things Microsoft could have ever done. It's right up there with some of the vulnerabilities in Flash and Java. You know, are you kidding me? You allow a web page to run code on a machine. And at least they have markers on it, but it can be marked as safe for installation. The whole thing's crazy. I still don't understand Microsoft and what they're doing here.
Craig Peterson 8:36
So bottom line, make sure you do your update. I checked right before I went on air, and there aren't any significant problems that have been found with the updates here for November from our friends at Microsoft. There often are. We also had this week some more patches come out from our friends, my friends and yours, from Intel. Now Intel makes a lot of the computer chips that are inside our computers, mainly if you are using a Windows machine. But Macs use Intel chips too, although they don't have to. I don't know why Apple went with Intel; you know, my guess was it was less expensive. And Intel also had some outstanding power performance numbers, so, you know, I can't blame them. But we have a bunch of patches that came out from Intel, because all of their CPUs, almost every processor they've made in the modern era, are entirely vulnerable.
Craig Peterson 9:39
And that's a terrible thing, including vulnerable not just on your desktop, but vulnerable in all kinds of operating systems and data centers. So, if you think, hey, listen, I went ahead and we moved all of our stuff to the cloud, they are just taking care of it because it's in the cloud, Microsoft knows what they're doing. The answer to that is, well, they kind of know what they're doing, but they're stuck with this Intel vulnerability. There will be more patches coming out, according to the people that found these vulnerabilities in every model of Intel CPU. Major, major vulnerabilities. According to these people, there are more that Intel hasn't passed on yet, for whatever reason. It's really, it's kind of crazy, frankly. So we got Microsoft patches for some major ones this week. We've got Intel patches, some major ones, this week. We've got Adobe patches that are out as well. So make sure you do the upgrades. I'm not going to go into all the details here. Man, Adobe, a light set of patches this month, only 11 security vulnerabilities from Adobe in Adobe Bridge, Animate, Illustrator, and Media Encoder. Two months in a row where there are no patches for Flash Player. I'm not sure what that's about, if that keeps happening with Flash Player or if something else is going on. All right, stick around. We're going to be right back. You, of course, are listening to Craig Peterson here on WGAN. Make sure you visit me online at CraigPeterson.com. We've had a few pop-up trainings already. I'm doing some Facebook Lives and getting information out, and you'll only find out about them if you're on my regular email list. CraigPeterson.com/subscribe, and all of today's articles are up there as well. And there's a sign-up right there too. So make sure you sign up to find out about all of the latest that you need to know. CraigPeterson.com. When we come back, we're going to talk about TrickBot, something new going on out there trying to get us to do something we just shouldn't be doing. Stick around. We'll be right back.
Craig Peterson 12:02
Hey, welcome back, everybody. Craig Peterson here, a little beach music. I was out for the last week and a half at a conference in Phoenix. Well, I guess it isn't exactly near the beaches, is it, but it was sure nice and warm. And then I got back home, and you know what's happening up here in the Northeast? Yeah, a little bit of cold weather. Some of it's a little too cold for my liking. You know, it just came on so fast. We were like in the 60s and 70s, and then all of a sudden it's like the 30s and 40s. I don't know what's going on. Well, let's talk about this TrickBot. It is a new malware that's out there. I've spoken many times here on the show about what the FBI has been warning businesses about, which is the business email compromise. You probably heard of that before, BEC. We're talking about something that's cost businesses well over 10 billion, I think it's over $14 billion now. And we're not just talking about a little waste of time. No, we're talking about these guys and gals going right after our business bank accounts. And the way they do it is they're kind of sneaky about it; they get you to, basically, wire the money, to do other things that are going to hurt your business. You may not realize it at the time, and they're just trying to fool you. Right. So how do you fool someone? And I know, I know, you can't fool an honest man. I've heard that so many times in the past, and there's a lot of truth to that. But here's what they're starting to do now. And you might have gotten one of these. I have had several listeners reach out to me, quite a few, saying, hey, I just got this email that, you know, it's got a video of me visiting this nasty website out there, right? So you guys have probably heard about that one before; it's been around a little while. Well, now what's happening is they are sending an email that appears to come from the US Equal Employment Opportunity Commission. This email is saying that, wait a minute here, we have a sexual harassment complaint against you. Now I understand, as a business owner, how this can be kind of crazy. And I owned a building, a business office that I had my business running out of, a little more than 20 years, maybe a little longer, ago now. And in that business office, I put in doors, and all of the doors were floor-to-ceiling glass, because I didn't want anybody saying that I was harassing somebody or doing something illegal. Now, of course, you know, we didn't have microphones and cameras and things. But I just wanted everyone to feel reasonably comfortable that no one was going to corner anybody. And, you know, I think I was mostly successful about that. One of these days, if we're ever sitting down having a beer, you might want to ask me what happened there. But anyway, this is something called TrickBot, and it's a banking Trojan. And it's going after employees of large companies. And it's trying to scare these employees into thinking that the US Equal Employment Opportunity Commission, the EEOC, is coming after them. And they are trying to get them, and are being reasonably successful in getting them, to hand over sensitive information. And they're using a bunch of different social engineering techniques, including malicious payloads or redirecting them to fraudulent sites they control, by emails that look like they're coming from somebody they trust, etc. Okay? Now, these spear-phishing emails, and I'll read you the text of one here in just a minute, what they end up doing is dropping a malicious payload onto your computer. And as part of this campaign, these malware operators use the information they've collected from people, such as their names, the company they work for, job titles, phone numbers, to customize these phishing emails to make them a lot more convincing. Now think about your business and your business's website and other information that you're making available to the public. Your website has who the officers of the corporation are.
Craig Peterson 17:04
Now I know that all of us, for our businesses, we have to file with the state, file with the IRS, and various other things. But when it comes to the state, those records tend to be public. So people can go online, they can find out who the President is, who the officers of the corporation are, who the Registered Agent is, etc., etc. Right? And so now a bad guy can go online and find out almost anything they want to find out about a smaller company, because it's right there on the website. Now is that easy or what? Now let's go into one of these pieces of email. This is from BleepingComputer.com. Everything from the email subject and the message content to the malicious attachment, each of these malspam emails comes containing the potential victim's name. Now I'm looking at it here. It's got a form, and it seems like it's legit. It has the logo of what I assume is the US Equal Employment Opportunity Commission, because it looks official enough to me, and the title at the top is "U.S. Equal Employment Opportunity Commission harassment complaint." Then, "the complete submission of a complainant form has initiated an intake interview with an EEOC officer." Okay, this is what they're sending out right now. It looks very, very legitimate. And they use the name of the victim, with "grievance raised against you." That's the subject for each of the phishing emails, and they're trying to get you to pay attention. They also have a customized email body to instill a sense of urgency. So it'll say, "Dear" name of the victim, "private and confidential. One of your co-workers has lodged a complaint with the EEOC." Now, on top of it all, the malicious attachments that drop TrickBot payloads also have customized names. And again, it's the name of the victim, dash, harassment complaint letter, and it's got a phone number on it. The entire purpose is to get you to open that attachment. And by adding this personal touch to the phishing emails, they've been increasing their chance of people opening them. Now, you know, I do a little bit of marketing for some of the courses that we offer and for some of the other services, you know, like the security services that we offer to businesses, so I've studied some of the marketing stuff that's out there. And I can tell you right now, most people, if you get an email that looks like that, are not opening it. If you're concerned about a particular email and you have listened to my show for the last 20 plus years, you're very, very worried about it, and legitimately so.
Craig Peterson 20:10
So I'm not sure just how effective this is. You know, spam emails right now have an open rate of about, well, it's less than 1%. Legitimate emails have an open rate of, you know, as much as 15 to 20%. So I don't know how well they're doing. But when they're sending out tens or hundreds of millions of emails, we're talking about some pretty darn serious stuff here. A lot of potential victims. These are highly targeted and regularly updated. That goes into some of the problems with antivirus software we will talk about later on, and that is, if it hasn't seen that before, it's going to get tricked. This spear-phishing campaign delivers the malware payload. It's evolving. It's a banking Trojan. The purpose is to get you to give some banking information out. And apparently, it's been pretty successful. By the way, it's been in the wild since October 2016, one of the most aggressive pieces of malware that are out there right now. Stick around. When we come back, we'll be talking about McAfee's antivirus software and what's going on with that, especially as it relates to some of the malware that's spreading out there in the world right now. Make sure you are on my email list so you keep up to date with everything that's going on. CraigPeterson.com/subscribe. I'll let you know about the pop-up trainings. I want you to pay close attention, because I'm not going to hound you about this stuff. And we've had a lot of people attending them. They're free. Usually, they have two hours' worth of content and questions and answers. Stick around. We'll be right back.
Craig Peterson 22:05
Hey, everybody, welcome back. Hey, did you see this? It was an announcement by one of the investment firms saying that Tesla might be missing the boat when it comes to electric cars. You know, we've all thought Tesla was the leader in that in so many ways, right, and built their battery factory. They've been just doing all kinds of amazing things, but it looks like they might be losing a little bit of an edge when it comes to the overall electric car business. Because now you've got Ford and GM, the major US manufacturers, I think Chrysler as well. I know Ford and GM both have some major stuff going on, as well as the Japanese firms, like the Nissan LEAF. That's been all-electric for a long time, although Nissan stopped making the thing. Some of these US manufacturers are definitely in the middle of it all. And you probably heard me a couple of weeks ago talking about some of the real risks when it comes to Tesla electric cars, particularly in the event of an accident. It's a scary thing. Frankly, it's a frightening thing, being involved with EMS for all of those years, to think about it. Well, we spoke a little bit in the last segment about this TrickBot malware using fake sexual harassment complaints as bait. We started off the hour talking about Patch Tuesday, and 13 critical fixes for Microsoft software, and critical fixes out for Adobe software. You've got to apply these patches. According to the stats I've seen, there are, on average, about 65% of Windows computers that do not get updated at all. If this is you, if you're one of those people, I urge you to spend a few minutes; let's make sure that the machines are updated. I know some people that say, forget about it, I'm just going to replace my computer when it's just so far out of date. I know some people have done that with cars, too. I had a good friend I haven't talked to in years. But he was telling me that his dad did the math, back in the day, many, many years ago. His dad did the math, and he figured that if he paid for oil changes throughout the life of an engine, it just wasn't worth it. So he said, hey, listen, what did an engine cost back in the day? It was a couple of grand for a boxed engine, and he was a mechanic; he could quickly put in a new engine. And if I pay for oil, filters, and my time to change the oil, I will pass the break-even point at about 30,000 miles. So, in 30,000 miles, it was cheaper to replace the entire engine than to pay for years of oil changes. Can you imagine that? So I did some quick mental math, and I agreed with him. He said, listen, it's not as though I don't have oil in the engine. The engine will run off this known oil in it. But all I do is add oil when it needs oil added, and he never changed his oil. And at about 50 to 80,000 miles, you'd have to replace his engine. So he figured he was ahead of the game. Nowadays, with these new engines and filters and oils, and the oil is just so thin nowadays, they're saying 10,000 miles, give or take, between oil changes, so it's not anywhere near as bad. Plus, some of the cars today will tell you, hey, I need an oil change. So you don't even have to keep track of the miles. You know, it used to be 3,000 miles. Do you remember? You might not be old enough to remember, but the oil did not have the cleaners in it; nowadays they have detergents, because your engines would get all sludgy. And what a mess. Ever take one of those apart, even just the head of the engine, the mess that was in there? We don't have those problems nowadays. Well, some people have taken that whole idea of, hey, it's cheaper to change the engine than it is to change my oil, and they've taken that to the extreme. But you know, it is not like that when it comes to computers. You can't just have the laptop sitting on your desk or in your office and leave it there for years to come and say, hey, listen, when it breaks down, I'll replace it. I'm not going to bother doing upgrades; my software won't work because it's running Windows XP or whatever, some old version of Windows; I'll go out to one of these big-box retailers and buy another computer and throw this one away.
Craig Peterson 27:14
That is a very, very bad idea.
Craig Peterson 27:16
And I suspect that's where some of the 65% of people come in that are not maintaining their computers. Now you have to keep them up, because, unlike your car, your computer is continuously under attack. So, that means you have to be not just upgrading and updating Windows but all of the software that's on your computer. You know, I talked a little bit earlier about Internet Explorer, and Internet Explorer alone, just having it on your computer, will cause other programs on your computer to get infected and allow hackers access. It's just plain old not worth it. Well, let's talk about anti-virus. Oh, you remember I said antivirus software? Yeah, I convinced myself that it's about 10% effective, and no more than that, guaranteed. And we can go through all the numbers again; if you want to buy me a beer sometime, we'll sit down and go through all the numbers, and how anti-virus software does not work.
Craig Peterson 28:19
Well, let's talk about some software that doesn't work. McAfee antivirus software, in an article from ZDNet, has a code execution vulnerability, a severe security flaw that can bypass the self-defense mechanisms built into McAfee antivirus. Very, very big deal. SafeBreach Labs, their cybersecurity team, is one of the groups that go around and test software, try to find vulnerabilities, and then let the manufacturer know so they can take care of it. But they're saying that this particular vulnerability can be used to bypass McAfee's self-defense mechanisms and could lead to further attacks on a compromised system. Now, this vulnerability exists because of a failure by McAfee's programmers to validate whether or not these DLLs it's loading have been signed, let alone appropriately signed. Remember, I even mentioned that in the first segment today. These self-defense mechanisms are essential, and they need to be in place, even though the antivirus software is going to be at best 10% effective; at least you would have 10% effectiveness, right. So because they can bypass the self-defense mechanisms, leading to further attacks on a compromised system, it needs to get fixed right away. See, an arbitrary unsigned DLL gets loaded into multiple services that run as NT AUTHORITY\SYSTEM.
Craig Peterson 30:06
Now, the only good news is that attackers need to have administrative privileges to take advantage of it. However, I rarely walk into a business where everyone isn't running with, frankly, administrative privileges. The companies do that, and I understand why they do it. It's a bad thing to do; you should never do it. Right. But I know why they do it. They do it because, oh, it's just so much easier if I have to install software, right, than to call the IT person. And the IT person is the assistant to the owner, and she's always busy, running around doing stuff. I don't have the time, and I can't keep asking for permission to do things. So, everybody gets administrative authority. There are three main ways in which this vulnerability gets exploited, according to SafeBreach Labs: anti-virus software might not detect the binary, and it loads it without any verification. Impacted software includes McAfee Total Protection, McAfee Anti-Virus Plus (AVP), and McAfee Internet Security, up to and including version 16.0.22. You must get the latest software. So, if you have McAfee, update, pronto. And as I said, you should update anyway. And don't use antivirus. I recommend getting a robust anti-malware stack of software.
Craig Peterson 31:39
So what are people doing? Vendors doing? They're just renaming their stuff as anti-malware stacks. Yeah, yeah, that'll fix the problem. You're listening to Craig Peterson on WGAN. Stick around. We'll be right back.
Craig Peterson 32:02
You know, it's funny how you get used to the weather, whether it's hot or cold. You're listening to Craig Peterson here on WGAN, and online at CraigPeterson.com. You'll find my Facebook page by going to CraigPeterson.com/facebook. And I've started posting some stuff up there. Well, I do that actually every day. My wife is the one that's putting the articles up that I come up with every week, every day. But you are also starting to find I'm doing Facebook Lives and YouTube Lives, and just, you know, I'm getting a little better at some of this stuff. And there are a lot of possible angles here. By the way, you know, I mentioned I was at this conference, and I was learning a little bit more about marketing and product development out there. Product development is what I kind of love doing, right. We can do it quickly. We know what we're doing. We know how to do it. So we're trying to figure out how we can produce a very inexpensive product that is going to help a lot of people when it comes to security. And I think we've got the answer. I don't want to be, you know, mean and nasty about this, but we're working on it. And we should have something in a couple of weeks from now that I think is going to change lives. I think this is going to be earth-shattering. If we do this the right way, it is going to change everything for anybody that decides that this is for them. So we'll be talking about that in a couple of weeks from now. But it's an idea from another industry; in fact, it's the tennis training business, and I think it's like the world's most perfect idea when it comes to us. So we'll be talking more about that. But you can find information on the articles that I have every week, you can see all of that stuff, you can find out about the free pop-up classes, the pop-up trainings that I've been doing, you can find out about some of these Facebook Lives and YouTube Lives. All of these are free training. I'm just trying to get this information into your hands. You know, the whats, the whys, and the hows, all of that stuff. And there's only one way to get it, and that is to sign up. Go to CraigPeterson.com/subscribe, and I will make sure that we send you every week just a quick summary of the stuff that's going on. I'm going to have special sign-ups for these pop-up security trainings, so no, I'm not going to send you a lot of emails unless you ask me to, right, by default. We got a great article from Joan over at DarkReading.com. DarkReading.com is one of those websites, one of many, to which I pay quite a bit of attention. They do have some great, great content. In this article, they're talking about fraud and how it has changed. You, I'm sure, are familiar with our friend the Nigerian prince, and all the things he did and how he tried to get his money out of the country. And all he needed was to use your US-based account, and you could keep some of that money. You remember that, right? And it was just full of misspellings. It was just terrible, and there are reasons for the misspellings; there are reasons for the way they do things. No doubt about it. Well, things have changed. Now economics have changed. And they are swamped, making a whole lot of money. And they're doing it in different ways than they've done it before. You know, we've got tools now to detect and mitigate some of these attacks. And the easiest way to do that, we have some software that all the email flows through, and it's looking for patterns that make it look like it's a bot that's sending out these emails. And when we put this particular filter in place, in fact, it's an AI bot itself, that's right, the battle of the AIs that's coming too, but you know, the amount of spam these things dropped by 90-plus percent. It's just dramatic how much it helps.
Craig Peterson 36:58
Well, what has happened now is the bad guys have found that labor is getting cheaper and cheaper in some of these developing nations out there. And they're able to get people in Venezuela, for instance, where they are starving to death, where they are picking through garbage because of their socialist government. And man, I saw this thing the other day; it just shocked me. They were using a Sharpie to write a number on people's forearms, so they knew when they could get food. Yeah, when they could get food from the grocery store. That's how bad it is in Venezuela. So you have to wait in line. You have to obtain a number. One thing, thank God, it's not a tattoo. It's a Sharpie, but you have to get a number there on your forearm, and then you can get food. And if you can't wait, and if you don't get enough food for your family, you're going to have to go through the garbage. It's just absolutely insane. Well, cybercriminals are hiring workers in Venezuela now, where the hourly wage has gone way down compared to other currencies. I am not sure if you remember, but Venezuela used to be the wealthiest nation in Central and South America by far, and is now one of the poorest countries in the world thanks to their socialist government. Well, the hourly wage is so low that it now makes economic sense to pay people to manually carry out the fraud, to write these fraudulent emails, to research, to get the stolen account data, instead of using bots like they have been doing before. So, here's a quote straight from the article: "Attackers are giving people a script and saying here's a quota you have to hit. Criminals are always trying to figure out what is the lowest hanging fruit. As merchants and companies evolve with defenses, these attackers evolve. Humans just happened to have become the flavor of the month." So, these human-driven attacks are increasing quickly and exponentially. Now, the most recent fraud report that came out covering Q3 2019, so just this last month, found that attacks carried out directly by humans, both lone perpetrators who are trying to get money to support their families in third world countries, and organized criminal groups, increased 33% over the previous quarter; nearly one in every five fraud attacks is manual now rather than automated.
Craig Peterson 39:57
Now, of course, their goal is to look as legitimate as possible. Having humans involved does increase your chance of success. And so many people worldwide speak English, because English is the international language of business, and it's causing a problem. This quarterly report that came out from Arkose Labs looked at 1.3 billion transactions spanning account registrations, logins, and payments in the financial services, e-commerce, travel, social media, gaming, and entertainment industries. Overall fraud increased 30% in Q3, and bot-driven account registration fraud is up 70% as cybercriminals test stolen credentials in advance of the US holiday season. Isn't that amazing? But now every third attack on financial services is manual. Attacks are coming from fraudsters with access to stolen identity information, and they're using the latest tools. Over half of the attacks that originate from Russia and China are now human-driven. It is changing everything. The data highlights that the entire attack incentive for countries across the globe is economically based. We've got some substantial economic things happening here in the US. If a nation's currency is worth only a fraction of the US dollar, then the incentive of a criminal in that country to defraud an American business is very high, because they've got that multiplier based on the value of their currency compared to the value of the US dollar. So it's incredible what's going on. You've got to watch it. You've got to be careful, because there are a lot of bad guys out there looking to get their hands into your accounts, and we've got this shopping season right in front of us now.

So what I would suggest to everybody is, check with your bank. Depending on your bank, and it doesn't matter if it's Visa or if it's MasterCard (Visa tends to be pushing this a lot more than MasterCard is), but whether it's Visa or MasterCard, you're going to find that they have virtual card numbers that you can use. The idea behind these virtual card numbers is that you have a one-time card number that you can use when you are buying something online. So instead of your regular credit card number sitting there in a merchant database that may or may not be configured appropriately or secured (remember, a "secure server" doesn't mean that their server is secure; it just means that your data going to it is protected in transit), instead of giving them your real credit card number and having that stored in a potentially insecure database, all you have to do is give them that temporary credit card number. Go to your bank, and you can usually check on the website, before you start buying stuff online for Black Friday. And we're going to have some Black Friday deals too, or Cyber Monday, or whatever it is, for Christmas, for Hanukkah, for whatever you're celebrating. We have birthdays too over this holiday season. Get your bank to give you access, and this will be online access, to get a different virtual credit card number every time you do a transaction online. It's cheaper for them to do that than it is for them to issue new credit cards when cards are compromised or stolen, which keeps happening. All right, stick around. We will be back. We've got one hour to go. We're going to talk about Google's Project Nightingale and see if that's scary enough for you. We are concerned here about some of the defense firms, and about multi-factor authentication; I will run through what's the best way to do it, and how to detect a phishing site. We'll get to all of that in the next hour. You're listening to Craig Peterson on WGAN and online at CraigPeterson.com. Stick around. We'll be right back.
Craig Peterson 44:52
Hello, everybody. Craig Peterson here on WGAN and online at CraigPeterson.com. Hopefully, you'll join me there and sign up for my email list so I can get you my newsletter. You can do that by just going to CraigPeterson.com/subscribe and subscribing to my newsletter. Every Saturday we are here talking about some of the latest in technology and security, the things that frankly you don't hear about, at least not the right answers, in the general media out there. It's just amazing to me how many things they get wrong, again and again and again. I try never to attribute to malice what can be easily attributed to incompetence. Is that a terrible thing to say about some of the news people in the media? You know, if you get right down to it, they have so many things that they have to know about and be semi-experts on to write some of the articles, so I guess I really can't blame them, well, for at least some of that.

Well, let's talk about the chaos here for a couple of minutes. We are in the new normal. Now, I'm not talking about what President Obama said the new normal was, which is high levels of unemployment and a stagnant economy and stuff. I'm talking about a recent survey that was conducted by a security company out there that showed that 86% of the 250 top security officials who participated in this survey believe that cybersecurity breaches are inevitable. Now, that opens up a whole can of worms, because if it's unavoidable, does that mean there's nothing you can do about it? I think by definition it does. It is inevitably going to happen no matter what you do, so why do anything? Many people have done nothing. Remember, in the last segment, if you've been listening in the previous hour, I talked a little bit about how 65% or so of computers never were upgraded. That's a bad thing, right? And nowadays, when we get right down to it, and we're talking about these 250 professionals, people that know what's going on, we're talking about people who realize that the complexity of today's cybersecurity in businesses makes it so that it's almost inevitable. Now, when we think about cybersecurity, we're thinking about companies. Obviously there is some truth to this for home users, and that's why we did this security summer, you know, I had that 150 pages of cheat sheets that we gave away to everybody who participated in this. It was designed to help you understand what you had to do in different circumstances. And hopefully you got all of those. They were all sent out by the end of September, because, you know, summer doesn't end until September 21, so I had a little extra time as my team and I delved into that labor of love out there. But there are a lot of moving parts to this puzzle, and it makes it very, very difficult. Nowadays, we're making our lives even worse because of cloud adoption. We're using cloud services. We're using hybrid environments spread across physical machines, different locations, different teams, various cloud providers, and now businesses are using something called containers. I remember when I first heard about them, I was thinking about, well, an oil container? OK, so we're talking about the types of things you put on a truck and then put on a ship, right? Or that you can rent while you are making improvements, like I did in my kitchen.
Craig Peterson 49:11
I got one of these little containers, one of these small pod containers, and loaded it up with all of our stuff while we were working on it. Yeah, that's not what the containers at the businesses are. The containers businesses are using are dedicated containers that perform a specific purpose, like running a website, or a database, or something else. It's just getting very, very difficult to keep track of it all. And frankly, that's why we're seeing some of the major breakdowns. Now, we see this in these breakdowns, like Equifax. What was that? Oh yeah, a username of admin with a password of admin. Stuff like that is just plain old stupid, but because everything is so complicated and was not tested thoroughly, they broke in. Now, if you are in a business like, for instance, shipbuilding, you are thinking about failures. Because if you're out in that open ocean and you get a rogue wave that comes in and hits you on the side, your ship is going to flip over. Now, obviously, you don't want to name your ship Concordia. Another one just ran aground this week over in Norway. Of course, the big Concordia running aground was in Italy, and what a mess. But shipbuilders realize that ultimately ships are going to fail. There is going to be that rogue wave, or it is going to run aground, or the propulsion system is going to go down. The extremes are like submarines, where you have all the compartments, and the idea is that a breach might occur in one compartment, but the other compartments will not. So we're spending billions of dollars, and we're likely preventing a lot of bad stuff, but the number of high-profile breaches is just increasing and causing devastating damage to us as consumers. It's going to last for decades. And why? Well, like so many other industries, people in the security business are not preparing to fail, and companies are not preparing to fail. It's like what I teach in my backup course, the 3-2-1 backup methodology, and I should do another pop-up training on that. Frankly, you've got to have multiple copies of backups, numerous generations of backups, on various types of media, in numerous sites, because of Smith's commentary. Now, you might not be familiar with Smith's commentary, but Smith's commentary on Murphy's Law is that Murphy was an optimist. And of course Murphy's Law is, if anything can go wrong, it will. So shipbuilders have engineered the systems: they have segments in the hulls, they have multiple hulls, double- and triple-hulled ships, so that if it's carrying oil or something else, if there is a penetration of the hull, the ship won't dump oil or whatever into the ocean. It's been done this way since the 15th century, and it's been done in today's modern vessels as well. Even the Titanic had some of these things in place, although it had some other problems. I don't know if you've seen some of the more recent studies, by the way, on the Titanic. It's fascinating. But it looks like what happened was there was a coal fire in the Titanic's hold that they couldn't put out. It had been smoldering and caused a weakening of the ship's hull, and that's why, when it hit that iceberg, it tore open. But that's another story. So let's talk about some security principles that they use in shipbuilding that we need to look at in modern IT. Shipbuilders assume that at some point the ship will suffer a leak. So how do you protect against that? How can you fix that? Well, they create holds that prevent a single leak from sinking the whole ship. In the same way, you have to assume there might be a breach in your corporate environment, and segment your network so that it doesn't spread. There are a lot of details we could discuss, and maybe I should do some Facebook Lives on these things.
Craig Peterson 53:52
The staff who are responsible for maintaining the ship's hull are monitoring for leaks. They're watching for leaks, and they're regularly patching. They're painting, they're scraping to get rid of the rust and to make sure that there isn't a major flaw in the ship's surface, or, you know, hull. They're trying to keep the ship safe. So in the same way, our modern security teams have to be vigilant about monitoring and patching, to prevent these cracks in the perimeter as well as the interior. Just last week we had a client who had an internal breach. They were using a VPN to allow their remote office to get into their primary network. That remote office was breached and was used as a launching pad to get onto their primary network. And once they could breach one machine on the main network, they were then able to spread within the main network. We've got to watch this. The ship's most sensitive equipment is in the engine room, and in the case of a business, that's your mission-critical IT assets. Ships staff lookouts 24/7 to make sure there is a good watch; we need to do something similar with our data. Keeping the crew from accessing the bridge is an important safety measure. We've got to make sure that our user identities get set up correctly, and that employees, contractors, and remote users can only get to the data they should be getting to. We could go into attack after attack after attack, but the bottom line is, when you're designing your security, you have to anticipate a breach. You've got to patch everything, keep it patched and up to date. And you've got to segment your networks. And if you need to be secure, the newest types of networking are called zero trust networks, where nothing can talk to anything else on the network unless it's explicitly allowed, because we can't trust it. So at the very least, segment out your Internet of Things devices, and make sure your sales guys are on a different network than your accounting people. Right? Break it all down in the business space. When we get back, we're going to talk about us in the consumer world and Google's Project Nightingale. Man, is this a scary project, but, you know, heck, it's Google, they can't do anything wrong, right? You're listening to Craig Peterson right here on WGAN.
Craig Peterson 56:43
Hello, everybody. Welcome back. Craig Peterson here after the top of the hour, and we are talking about the latest in security and technology. What's going on out there? We cover in some depth here some of the things that you need to understand. Some of these things are specific questions that I've gotten from you. So if you have a question of any sort you'd like me to answer on the air, or maybe answer directly, email me. It is me@CraigPeterson.com. I am glad to do it, or you can drop it on my Facebook page. Now, I have to say that I get thousands of emails a day, so sometimes it can take me a while to get around to it. So don't feel bad if I don't answer your question right away. But I am pretty good about answering most of the questions that people ask, particularly if you email them to me@CraigPeterson.com; that's what I monitor the most. Some of my team helps track that too, which is a very, very good thing.

Mountain View, California, dateline. It is a scary story, and, you know, we just had Halloween, but here's what's going on. You might not be aware of it. HIPAA is a law put in place, oh, decades ago now, I think maybe even as much as 20 years ago. The most significant part of HIPAA is this whole concept of portability. Now, you may not realize it, and the bill was certainly not advertised as being this way, but it is this way. Here's the problem. Before HIPAA went into place, what was going on was, you had your medical records, and those medical records had to be kept private; they could not share them with anyone. What HIPAA did was, it defined the rules for sharing, among other things. Before HIPAA, your medical records were considered private and kept secret. After HIPAA went into place, your medical records could now be shared almost anywhere in the medical community. And of course, with portability, the idea is, well, you've got your medical records, you want to go to Florida for the winter, so you want the doctors in Florida to be able to have access to your medical records, which is all well and good. It makes a lot of sense. However, other things are still going on in there. If I want the medical records of every patient in hospital X or health plan Y, and I say, "Hey, listen, I'm going to buy the company. I'm thinking about buying the company. I'm thinking about purchasing that hospital," the hospital has the right to give me all of your records. That's the bottom line. Scary. And that's been happening. Our medical records have been shared and traded like trading cards.

So one of the largest health systems here in the United States is called Ascension Health. You might have heard of it before, mainly if you are at all involved in the Catholic nonprofit health system. The Catholic Church has taken care of millions of patients, for free much of the time, you know, no charge to the patient. The Catholic Church has been behind many of these medical hospitals and medical treatments that we have used for generations, frankly, and, you know, good on them. It has been wonderful, and they've kept costs under control reasonably, right? Right by where I live, there's a Catholic medical center that is renowned in the region for its cardio care. And like many other hospitals out there, they will also provide charitable care for those people who can't afford it. So Ascension partnered with Google. Now, Ascension is, again, the largest health system here in the country, and it partnered with Google. Google now has access to detailed medical records on tens of millions of Americans, according to a report by the Wall Street Journal. It is code-named Project Nightingale; I'm sure you can figure out why they call it Nightingale. And it has enabled at least 150 Google employees to see patient health information that includes diagnoses, laboratory test results, hospital records, and other data. Now, remember, before HIPAA, man, you could have sued and won if your medical data got shared without your knowledge, let alone your permission. Now some of the negative results of those HIPAA regulations are coming to light, where the largest health system in the United States, Ascension, shared your medical data with Google. That is a very, very big, big deal. Now, this is reported by the Wall Street Journal, and it's according to internal documents and the newspaper's other sources. In all, the data amounts to complete medical records and contains patient names and birthdates, according to the Wall Street Journal. Now, this is a move by Google to try and get a strong grip on the medical business, the sprawling healthcare industry. In November, Google announced a deal to buy Fitbit that has gone through. I'm sure you've seen that. So now it has access to all the sensitive health data amassed from Fitbit. How much information have you been giving them? They've got all kinds of health records. What have you put into those things? And we have Google, Microsoft, Apple, and many others competing to get access to all of our medical records and to be the storehouse, so that when you go to Florida today, your records are there because you shared them on purpose. According to the Wall Street Journal, neither Google nor the country's largest health system, Ascension, has notified patients or doctors about the data sharing, which covers 2,600 hospitals, doctors' offices, and other facilities across 21 states and the District of Columbia. So Google's ultimate goal is to develop a searchable cloud-based tool, but here's what I found particularly interesting, and that is about transforming care. In a statement from Ascension, the VP of strategy and innovations, Eduardo Conrado, said, "As healthcare environments continue to evolve rapidly, we must transform to better meet the needs and expectations of those we serve, as well as our caregivers and providers." So what are they doing here? Well, it turns out that apparently they're having the hospitals enter your data into these healthcare records, uploading them, analyzing them, and helping the doctors come up with diagnoses as well as prognoses, frankly. They're hoping to improve outcomes, reduce costs, and save lives ultimately, and you know what? They probably will. But the issue at hand here goes back to the HIPAA act of 1996. Should we be able to control our medical records? That's the big question. It looks like the answer to that is no, and has been for 30 years. Thirty-ish years, not quite, 25. All right. When we get back, we're going to talk about robots of the killer variety. What is going on with some of these government contractors out there? Man, is this a scary show today, isn't it? Well, I'll have to compensate next week. You're listening to Craig Peterson here on WGAN. Tune in on Wednesday mornings at 7:38 with Ken and Matt, and I'll be online there too.
Craig Peterson 1:06:38
Hey, Craig Peterson here, WGAN, online at CraigPeterson.com. We are nearing the end of the show here. We only have two more segments together, but that's enough time to cover a couple of these articles I want to get to today. Let's start with this one first, which is the robots. You know, I have long been concerned about robots, as have many other people. Some people much smarter than I have been very concerned about them. Take a look at what Elon Musk has been saying. That's part of the reason he wants to move us to Mars: artificial intelligence and robotics. Think back, wow, even to, like, the early 1990s with iRobot. And that Russian author, I can't remember what his name was, but it's been a concern for a very long time. Now things are changing rapidly. In an article from QZ.com, a new report is out from PAX, a nonprofit based in the Netherlands that's campaigning for peace around the world. And of course, pax is the word for peace in many languages. They're warning about this new potential trend that's coming out. I don't know if you've seen some of these movies where there are swarms of drones, and those drones swarm in on something. There was a recent one, I think it was Angel Has Fallen with Gerard Butler, and the President is targeted by an attack by this swarm of drones. We had the same thing happen, I think it was only one or two drones, in South America, trying to take out a president down there. Well, our militaries are looking at some of this newer technology to conduct war. And, you know, frankly, they have to, because the bad guys, the other guys, whoever our ultimate future opponents are, are looking at this as well. China has spent a lot of time on it. And if you look at something like these drones, you could easily have killer drones out there. These drones only have to have an ounce of high explosives in them, get close to a combatant, and explode themselves to kill the combatant. That's all it takes. We're worried about what's being called the third revolution in warfare. The first revolution was gunpowder. You know, you could argue, right, bows and arrows and various things, but gunpowder was a considerable revolution in warfare. And then you had the atomic bomb, which was not too long afterward. The Chinese invented gunpowder. But now activists and military leaders are calling for international regulations, kind of like what we have with the Geneva Convention, where we defined how wars get fought. They want to govern all new weapons systems that have a type of artificial intelligence in them, a type of machine learning. They don't want life-or-death decisions to be made on their own by these intelligent systems, and they're looking to ban them outright. Key governments, including the US and Russia, have resisted it so far, and I understand, right?
Craig Peterson 1:10:18
But what are you going to do? As near as we can tell, militaries have not yet deployed killer robots on the battlefield, at least offensively. What are you going to do with a robot that makes life-or-death decisions and gets it wrong, or gets it right, heaven forbid, either way? Where you've got a robot out there that doesn't have to think twice about pulling the trigger to kill someone, because it doesn't think twice about it. It's almost like having some of our troops sitting in Virginia, flying a killer drone in the air over a site 5,000 miles away, and just pulling the trigger, and off that missile goes. That is not a life-or-death decision made by that missile. That is a life-or-death decision made by a human that has to pull that trigger. That's frankly a very, very big deal, the big difference between the two. Now, this organization called PAX has identified at least 30 global arms manufacturers that don't have policies against developing these types of automatic life-or-death killer weapon systems. And apparently they're doing it at a rate that's outpacing regulation. Now, this is normal when it comes to technology. I've talked about this so many times. Technology always leads any regulation, and it's still in front of the laws. It's still outpacing the regulatory ability of governments. But we're talking about companies that include Lockheed Martin, Boeing, Raytheon. We've got some Chinese state-owned conglomerates like AVIC and CASC, the Israeli firms IAI, Elbit, and Rafael, Rostec of Russia, and Turkey's STM. It is a very, very big deal. So what are we going to do about it? It is a very, very good question, and Quartz is trying to address it. You will see this article, if you're interested in it, up on my website as well at CraigPeterson.com. Still, activists don't believe that the military use of some degree of artificial intelligence is problematic in itself. The problem is the systems that are designed with AI to select and engage targets, right? The terminology that's used is acquire, identify, and engage targets. And they're able to do it at least three times faster than any human. Today we use those types of systems, but a human still has to authorize it. So I'm concerned about this. PAX is more concerned about the potential deployment of artificial intelligence in offensive systems, the systems that are used to go after people, that will select and attack targets on their own without human oversight. I think that all makes sense. And the question is, are we going to get regulations? Are we going to have a Geneva Convention that covers this type of technology out there? Who's accountable if an autonomous atomic weapon broke existing international law or some of these future laws or regulations? And we're talking about lives on the line. We're not talking about weapons destroying weapons. So I'm very, very concerned. Defense firms, according to Quartz, are not building these weapons in a vacuum. The PAX guys are saying companies believe that's what militaries want in their arsenals, and I'm not sure they're wrong about that. Google and Amazon have both faced public criticism about what they have been doing for the military, although I have to say both of them have been two-faced about it, notably Google, who is developing artificial intelligence at three facilities in China with the involvement of the Chinese government, and they're not doing it here in the US. And yet at the same time, they won't do minor things that are designed to help protect us in the United States. You know, Google, I just don't get it. I don't understand this stuff. But there's a whole list here of weapons that exist now. These little loitering munitions, kind of like land mines, sit in the area and wait, like maybe loiter in the area for hours, before they attack a target. Small or cheap, they can be easy to produce.
Craig Peterson 1:15:17
And there's just a whole lot of them. They've got STM; this is a Turkish state-owned defense company that produces an AI-equipped loitering munition that's got facial recognition, kind of like, again, Angel Has Fallen, and can automatically select and attack targets using coordinates pre-selected by an operator. Turkey is looking to use these kamikaze drones in Syria. There's Harpy, a fire-and-forget loitering munition manufactured by Israel Aerospace Industries, with a range of 62 miles, and it can loiter for two hours. What's next, right? What are we going to do? All right, stick around. We're going to talk about the myths of multi-factor authentication, and how to detect a phishing site, when we get back. You're listening to Craig Peterson, right here on WGAN, and of course online at CraigPeterson.com. Stick around. We'll be right back.
Craig Peterson 1:16:25
Hey, welcome back, everybody. Craig Peterson here. Happy Saturday, happy weekend, whenever you're listening to this. Of course, we podcast this show as well, and with more than 20 million podcasts out there, there's bound to be an episode that you're interested in as well. You can listen to that by just going to your favorite podcast streaming site, and you can sign up under iTunes or Spotify. I'm on TuneIn. I'm kind of all over the place, and we've had a lot of great people downloading it, which makes me happy as well. You will find all of that. The easiest way is to go to CraigPeterson.com/iTunes. I should put a special page up that just gives all the podcast info, but for now, /iTunes. And I'd really appreciate it if you would subscribe, because that's what really helps drive up our numbers, and that's what helps get people to notice. In fact, if we had a whole bunch of people sign up at once, or, you know, over a week, then the algorithms would notice that, and it would get promoted a little bit more. So I would love it if you did that. But, you know, that's up to you. Again, CraigPeterson.com/iTunes. Hopefully I've earned a five-star rating from you. Or you can just use the TuneIn app, which, by the way, you can listen to WGAN on as well. And you can listen to me on Wednesday mornings at 7:38 with Matt and Ken on the TuneIn app, so even if you're on the road anywhere in the world, you can listen to this station, you can listen to me, and my podcast is also there on TuneIn. All right, an app and a website.

We've got some how's here. You know, I talk a lot about the what and the why, and I give you some how's as we go through the show, and a lot of the how is really left for trainings, when I do courses and trainings. But we've got two articles that I really want you guys to understand a little bit better. One is from Cyware, and one is from Dark Reading. We're going to start with this first one, which is the myths of multi-factor authentication. Now, without multi-factor authentication, also called two-factor authentication, when employees leave, they can quickly get back on if you don't change their passwords; but if you take their token, their physical token, back, then life's a little safer. If people lose passwords, if you are a home user and your password is stolen or compromised, someone can log into the websites. So let's talk about what this is. The best type of basic security is something you have along with something that you know. So something that you know, an example of that would be, for instance, your username and your password. You put them together, and that's something that you know: your username and your password. And then something that you have might be, for instance, a token, a digital token. I don't know if you've seen these. We use the type with a lot of our customers that aren't very, you know, technically advanced, that have a little six-digit number that keeps changing on the token. So when they go to log in, for instance, they will use this for a defense contractor or a doctor's office where they have to keep information safe. When they log in, they're going to put in their username, and they're going to put in their password, and then they're going to look at their token, and they're going to type in that number that changes every 60 seconds or so. Now, you can do this type of two-factor authentication in several different ways. You can do it with your cell phone; a lot of people do it that way, where you get a text message from the website giving you a code that you can type in.
Craig Peterson 1:20:46
Now that's cutesy. Don't you love that, I get my code on my phone?
That is eminently hackable. One of the articles that I found this
week, but I'm not going to share with you guys because I
don't have enough time. But it's all about this guy that just
lost $20 million in Bitcoin because he was using two-factor
authentication, but he was using his phone, and then somebody
SIM-jacked him. And that's where a cybercriminal takes over your
phone number so that when they try and log in, in this case to his
Bitcoin account, I'm simplifying this, I know. But when they go to
log into his Bitcoin account, it sends a text message, and then
he types it in, and then he's in. Okay, so using your smartphone
with SMS, with text messages, is not very smart because it's easy
enough to get around. So use something like we use, Duo. It
ties right in with 1Password, which we also use. It's fantastic
for your business. Now, if you're at home, you should look at Google
Authenticator. That's what it's called, Google Authenticator. It's
free. And when you go to a website, and you sign up, and you go to
your settings and your security settings, you'll find there that it
often has Google Authenticator as one of the two-factor
authentications. So you install this app on your phone, you're
going to scan a little code that comes up on the screen using your
phone, a short QR code, or maybe you're going to type something in
the URL, etc. And it will set you up. Now when you go to that
website, later on, to log in, you're going to put in your username,
you're going to put in your password. You're going to open up your
phone, the Google Authenticator app, and you're going to go to the
authenticator app section for that website, and it's going to give
you this six-digit code. You're going to type it in, and it knows
that it's you. That is an excellent way of doing it. Microsoft, of
course, being Microsoft, has to do it differently than everyone else.
And Microsoft has its authenticator app that you can use to
authenticate to their websites. I don't think anybody uses Microsoft
Authenticator other than Microsoft, but I could be dead wrong
there. So that's the easiest, cheapest, and best way to do
multifactor authentication, not using text messages.
Craig Peterson 1:23:28
Now the myths are that only large enterprises should use MFA,
multifactor authentication. Absolutely false, and home users should
as well. Retirees should, in fact, use it. It is more critical for
small businesses or home users to use MFA than it is for the large
enterprise, because you probably don't have all of the other
security defenses and staff in place. It's only used to protect
privileged users. Again, wrong. You don't want your bank account
emptied. It's not perfect, which is true, but it's darn
close, mainly if you're not using text messages. And it doesn't
disrupt users' productivity, because with multifactor authentication,
usually, you only have to use it maybe once a day.
In some cases, you have to use it more or less. Some sites, it's
only once a week that you have to use it. Now let's move on to our
next one. It is how to detect a phishing site. Now we're talking
about the P-H phishing. And this is where the bad guys are trying to
con you out of giving your information. So here are the main tips
for detecting whether or not you are on a phishing site. Number one
is to check the connection type. Make sure that the address bar
shows a lock on it and/or has an HTTPS tag. Now that doesn't
guarantee that it is who you think it is. If you want to dig into it
more, if you click that lock that's up on that URL bar, click that
lock, you can scroll through, and you can get more details.
It'll tell you who signed this certificate and who the company is
that is using their certificates. So, you can usually make sure
that it is who you think it is, okay? Most legitimate websites have
valid SSL certificates issued by an authorized provider. In other
words, you don't have to install some certificate on your browser.
And they also indicate who the actual company is. Look closely at
the URL. These phishing sites have URLs that are very similar
to the real ones. So it might be micro snot instead of Microsoft,
something that's easy enough for you to overlook. So look at them
very carefully, make sure it is legit. They might be doing
something like using .net instead of .com, or .edu or some other
extension, .co. Look at it closely. There are online resources you can
use. There's something called the whois database. It's been around
for a long time, part of, in fact, the whole internet structure
that came into effect in the early 90s. You can do what's called a
whois lookup. If you're on a Mac or Linux machine, you just use the
whois command. If you're on Windows, or a Mac or Linux, you
can use a web browser and just say whois, space, and the website
that you're interested in. And usually, the search engines will
send you to one of the main whois servers that are out there, and
you can see where their site is supposed to be, what it is, what they
are, what the real domain name is. Website content: setting up a
website is a massive project that takes a lot of time, a lot of
energy. If there are a lot of grammatical mistakes, low-resolution
pictures, a lot of advertising, you're probably on a phishing site.
Look for the privacy policy, contact information, those types of
pages. Those are usually pretty much dead giveaways of a legitimate
website versus a phishing site. So be careful when you're going
online. Another tip is one that I've seen far too many times. Many
people, instead of typing the URL into the browser, will type
it into a search engine, which continually amazes me; people do it
all the time.
Craig Peterson 1:27:59
I have a client whose accountant, their lead accountant, was going
to Google and typing in the website address of the bank,
including .com. And Google would come up with the search results,
and you click on the top one kind of blindly, right, not paying
attention. Well, if the Google database is poisoned, that's a great
way, an excellent way, for the bad guys to get you to click on
their website instead of the legitimate bank website. You might
want to use a bookmark once you've got the correct URL, and then
just double-check when you log in that it is a secure server, and
that it does have the right certificate. All right, everybody. Hey,
thanks for being with us today. We'll be back next Saturday, same
time, 1:00 pm on WGAN. And I'm releasing these podcasts. They also
go out on Saturday. So if you subscribe, you'll get all of this for
free, plus more. Subscribe at CraigPeterson.com/subscribe. Easy
enough, go to CraigPeterson.com, you can subscribe to my mailing
list there, my newsletter, and you'll get all of this and more.
Transcribed by https://otter.ai
---