Jun 29, 2019
Did the Apollo moon landings happen? Yes, they did! Listen in to find out how it is still provable 50 years later.
Are we in a cyberwar with Iran? Unfortunately, yes, and here is why you might get caught in the crossfire.
Business productivity: for many, it means the use of third-party software and cloud services. But is it safe? How to protect yourself.
Visual hacking, and why it is putting business travelers at risk.
I am planning a Security Summer for my listeners. I will have some free courses. I will also introduce you to some of the software that I use for my clients and how you can use it too. Also, I have some limited opportunities for businesses that have had enough of their security issues to work with me and my team and put their security problems to rest once and for all. So watch out for announcements on those.
For more tech tips, news, and updates visit - CraigPeterson.com
---
Transcript:
Below is a rush transcript of this segment; it might contain errors.
Airing date: 06/29/2019
Did the Apollo moon landings happen? Yes, they did! Are we in a cyberwar with Iran? What you need to know about the risks with third-party contractors.
----
Hello, everybody, and welcome. Of course, this is Craig Peterson, your host for the next 27 minutes, give or take, and we're going without commercial interruption again. We are going to be talking about some of the details of our digital lives. With the 50th anniversary of the moon landing coming up, we wanted to go through some of the facts about that event, because for some odd reason a lot of people seem to be confused about what took place. It's kind of amazing to me, because I remember it so well, like it was yesterday. It's incredible to me to think that more than half of the people alive today were not even alive when the moon landing occurred. That's just a matter of perspective, right?
We'll talk a bit about the cybersecurity gap. There was an article with some interesting observations in Forbes magazine this past week about it.
We will discuss some flaws in both iOS and Android apps, and it might surprise you, but there are security flaws in almost as many iOS apps, from Apple, as Android apps, and I will tell you why and what those are.
We have some new Mac malware that's out there right now, and it is an interesting one because it could go both ways. You could call this a user error. Or you might want to call it a security problem that Apple has, or maybe one Apple created. However, it is behaving the way it was designed to work.
This week, I did a big presentation for a University of New Hampshire mastermind group of CEOs. We were talking about the most significant cyber liabilities, and I shared that more than 60 percent of theft comes from inside. By inside, I mean those with authorized access, which includes all third-party contractors. So we'll talk a little bit about that.
If you travel for business, 3M has a couple of stark warnings for business travelers.
Oh my, we've got to talk about this: the U.S. launched a cyber attack against Iran instead of beginning with a kinetic strike. We'll talk a little bit about some significant implications for you and your business because of that.
Then a little bit more here about liability for data breaches, and we will talk about all of this right now. So, let's get into it.
First off, liability for a data breach. As I mentioned, I gave an excellent presentation this week at this mastermind group for the University of New Hampshire. There were a lot of interactive questions and comments about what I presented. It was kind of fascinating, because there were several CEOs from various industries. For this group, they have a non-compete criterion that precludes the members from directly competing with each other. I belong to a mastermind group, a paid group, and they don't have that type of restriction; you have to be basically a decent person, and so there are many people in your same line of work. I kind of like that. As a general rule, there is a lot of business out there for everybody. And being able to talk to someone that speaks your language, that's in your line of work, and discuss with them what's really happening is a huge deal.
After my presentation, a few people commented on the stories that I wove in about clients of mine who experienced security problems and were unable to solve them themselves. They tried, obviously, but they weren't successful, because they got hacked, they got breached. I use a lot of stories with these things, and it is especially important when we're talking about a data breach and your liability. I didn't get to bring that up this week, but it's absolutely massive.
How significant is that liability for a data breach right now? We're talking about an average cost of over $7 million here in the U.S. The worldwide average is $3.8 million, but here in the U.S., it's about twice that. When we're discussing some of the data breaches that are going on and how they are continuing to grow, there are going to be more and more companies that are failing to realistically assess their own systems for security flaws. That is why you need to have a third party come in. You can't trust your CIO or your in-house security person to do these types of audits; you need a third person to do it. Then, once they have identified your weaknesses, you have to plug the holes. Sometimes that will also require the services of a third party to do it, because they know exactly what they're doing. Many times, if you're a slightly bigger company and you have your own I.T. staff, then your I.T. team is going to do it. But it is something you have to think about.
When you get hacked, what are you going to do? Your data is stolen, and you are out of business, or, as the expression goes, your goose is cooked. There is an excellent article from Kiplinger that I have up on my website right now about this very thing. As a business owner or CEO, you are on the hook for any losses sustained by your clients. I spent some time in the presentation talking about insurance. That is an essential thing to have for your business. However, more and more of the cyber liability insurance claims are getting cut back or even denied. Why? It is because companies are not doing everything that they ought to do, those things that are listed in the insurance contract. There are two main ways that civil liability for a data breach can occur. One is a finding of negligence. That is determined by whether your company is aligned with your peers in your industry and adheres to the best practices, if you will. If you're not, or if you could have had better protection, then yes, indeed, you may have civil financial liability, including some of those excessive governmental fines and penalties we've talked about on the show before. Secondly, even if you did everything that was required to prevent a data breach, it could still happen. The next stage is, did you do enough after the event to reduce the harm to the people affected? Did you notify them right away? Did you take immediate investigation and remediation steps? Did you contact law enforcement? What did you do after the fact, and was it considered reasonable? These are all the things we need to keep in mind as business people. Having that plan in advance can save you both time and money. I went through some of those statistics as well.
Here are some good points this article makes that everyone should pay attention to. One, you should have a breach coach who can help you put together your breach plan and who can run the breach response. It is crucial to get an attorney involved, and involved early. Everyone should know what their roles are.
This will be part of our security summer this year, so make sure you're signed up. I will have some documents about what your plan should look like, who should be involved, and who's responsible for each part of that process. It can make a huge, huge difference.
Here is who is most liable. If you're a consumer and you've had your information breached, pay attention to this as well, because you are on the other side of it.
As a business, if:
You collect payment information for online sales,
You maintain a database of personal information on current, past, or prospective customers,
You have employees, and you store information about employees digitally, including Social Security numbers and medical information (guess what, you have HIPAA liability; I bet you thought that only applied to medical practices and you didn't have to worry about HIPAA, but you do),
You rely heavily on technology for daily operations (remember, you're going to be out of business, out of action, for days, weeks, or even longer),
You're located in any jurisdiction that has mandatory breach notification laws.
Right now, that is true almost everywhere in the world, or at least in the first-world countries, if you will. The United States has them in every state, and there are some federal notification laws, depending on what type of business you have. The same is true in Canada and throughout Europe.
Be careful here, too, when you are selecting your cyber insurance coverage: what you should have, and what you can expect from that cyber insurance coverage. We'll talk more about this during our security summer. If you haven't already, make sure you sign up; just go to Craig Peterson dot com. There you'll see a sign-up come up right at the top of the homepage, and you can sign up right there. I'll let you know when the security summer starts. We're going to be covering all kinds of stuff: firewalls, backups, liabilities, CEO-type things, all the way through to home users. What you can do, what you should do.
This week, some are saying that Macs are infected with what they are calling malware. As I said, it's debatable whether it really is malware, because the software is behaving as expected. macOS now has something called Gatekeeper, which keeps an eye on the programs on your computer: what you download, where it came from, and whether it is signed correctly.
It is used by developers to have software that you download that is then referred off-site to add additional files, to get into the database server, etc. In this particular case, which is being talked about over on ZDNet, it lets you gain access to a file server, called an NFS server. ZDNet is calling this a security flaw; I'm not so sure it's a security flaw. Apple has known about it for a month, and they haven't patched it. It would be easy enough to, but it would also break a lot of good software out there. Here's the trick. If you're running a Mac, or a PC, or anything, do not download software from sites that you are not 100% confident can be trusted. It's just that simple.
It's back to the brass tacks, right? Get right back to it. What are the brass tacks? In the security field, one of the first is: don't click on stuff. Don't download and run software from your web browser on your computer.
Now we know President Trump said he was going to respond to the Iranian aggression and the shooting down of our drone. Iran disputes whether or not the drone was in Iranian airspace. There's some question about that, too, because the United States, for instance, claims a 200-mile jurisdiction. The international agreement says it's a 12-mile zone, and some are 20 miles. Well, when we're talking about the Strait of Hormuz, I think it's 12 miles at the narrowest point. Is it international space? Technically, yes. Did Iran claim the area it was in as their own? Well, obviously, they did.
President Trump pulled out of a kinetic attack; we were ready to bomb their radar installations and their missile launching facilities. It came out this last weekend that instead, apparently, we hacked them.
Now, I found something exciting about this Russian power security breach that happened a couple of weeks ago. I don't know if you heard about that. But apparently, the U.S. broke into and had control of some Russian power stations located in Russia. We flipped the lights on and off, possibly a few times, to let them know: Hey, guys, we're here. Quit messing around with our elections and quit messing around with some of the other stuff that is ours. We have that capability. President Obama put some cyber offensive capabilities in place, and President Trump has really upped the game there. Apparently, what he did, and this was the report from last weekend, is that he authorized our cybersecurity guys to attack Iran.
Now, when Russia attacked Ukraine, of course, that piece of malware spread worldwide and brought down hundreds of thousands of computers; many were shut down or taken off the internet, and many others were held for ransom, because Russia did not have control over that malware. We apparently got malware into some of Iran's missile launch systems. We were able to shut them down, and it didn't spread any farther.
It is just like when we got into the centrifuges they were using to purify uranium for making bombs: that code did not get any further than the centrifuges, and it destroyed them. Now, we went after them.
U.S. businesses now should be ready for what's going to be a massive attack from Iran. Remember, Iran doesn't have the finesse we do; they don't have all of the talent that we do. And they don't really care if they're hitting a military target or not. When it comes to cyber wars, these retaliatory strikes from Iran are very likely to be against pretty much anybody here in the U.S. They had already been attacking us before President Trump launched this attack, apparently, against them. They've been bombarding us with software that's designed to wipe the contents of networks and computers, rather than steal their data. This is according to The Washington Post, which I think is really kind of interesting, and it came from Chris Krebs, director of the Homeland Security Department's cybersecurity division. This means that if the Iranians get ahold of your business systems or your home system, they are going to wipe it clean. So make sure you have excellent backups. Again, if you don't, make sure you attend my training here, my security summer, because we're going to be going over that. This is free, people. It's absolutely free for anyone to attend. You can upgrade, if you want to, to a paid version, which will allow more access, but you're going to get all of the core information absolutely for free. Whether you're paid or not, you're going to get all the information for free, the same data, let me put it that way. Whether you decide to get the golden ticket or just do it for free, that's what I'm doing for the radio listeners; anyone can attend, because I want to get this information out there. Be prepared for the Iranian attack; they've already started attacking our businesses.
We've already had North Korea attack, and Russia attack. I mentioned this, in fact, in that CEO presentation I gave this last week for the UNH group. It happened right here in N.H. I was looking at one of our customers, who just had a website, and was looking at their firewall, because we have some very advanced firewalls sitting in front of even web servers. On the firewall for that one web server, we were logging five attacks. That is just crazy. Five attacks from Russia. Actually, as I said, it wasn't only five attacks from Russia; it was five attacks per second, on average, over the last, I think it was, 36 or 48 hours. It was just crazy how this company was getting hammered. However, you guys already know, if you have listened to me for a while, about a client that we picked up that had been having email issues. We looked into it, and we ended up bringing the FBI in, with the client's permission, because we found Chinese back doors into their systems. This is a small manufacturer who kept all of their plans, of course, electronically: all of the manufacturing stuff, etc., etc. Now, they get to compete against China, with their own designs. That just blows my mind, frankly. How could you do that? It's ignorance, right? It's thinking you're okay.
In fact, going back to this story from Kiplinger I was referring to earlier, here's a great little quote from the author, Dennis Beaver. He says: "My father is a dentist and is up in years. His office has all of his patients' records stored electronically, which he accesses from home from his laptop by leaving the server always on at the office. I mentioned this to a geeky friend who, the next day, showed me dental records from my dad's office that he had hacked. He claimed to be doing this as a favor to get my father's attention about cybersecurity, and I believe him." By the way, be careful: never do that without permission, right?
There are ethical hackers in my business here who are doing penetration testing, but we make sure we've got full consent from the company. So don't, don't just go and do this. Thus, the story goes on: "When I told Dad, he immediately changed the password but didn't seem too bothered."
Here's another one: "I knew one Fortune 500 company CFO who used the same password for over 10 years. Most think that it's a joke, but it was real and proved not so funny after his credentials were found in seven data breaches. His password was used to hack the company's email servers, spoof emails, and steal tens of thousands of dollars without anyone noticing for months."
I picked up a client here, a local one here in the Northeast, who had had $80,000 taken out of their operations account. Of course, they realized that pretty quickly, but by the time they noticed, the money was gone. Be very, very careful.
We're going to cover these things in our security summer. Again, just go to Craig Peterson dot com and subscribe right there on the homepage, and we'll let you know when that starts. Tentatively, it is going to be mid-July by the looks of things right now. We're talking about 10- to 15-minute sessions a couple of times a week, and we're going to keep them up for at least a week in case you miss one, so that you can watch one of the replays a little bit later on.
Okay, man, we are almost out of time here. 76% of mobile apps have flaws allowing hackers to steal passwords, money, and texts. These are some high-risk vulnerabilities. They're universal across Android and iOS; Android has a little bit more risk than iOS, but we're talking about only 5% higher risk. This is according to a company called Positive Technologies. They went in and looked at some of these mobile apps, and the biggest problem is insecure data storage. So be careful about that.
Again, Cisco has an answer to that. And with iOS, it's just phenomenal. Nobody has anything like this other than Cisco.
Be very, very careful; there are products out there that could be useful to you. Remember that stored information can be stolen. You can't necessarily trust the app developers; they might be taking your data. Great article, you'll see it on my website. It is from Forbes, and it is about the cybersecurity skills gap and why it won't be solved in the classroom. So have a look on my website for that one.
Business travelers, there is something new called visual hacking, and this is from the Czech Republic. Again, that's up on my website and in this morning's newsletter.
The U.S. launches a cyber attack aimed at Iranian rocket and missile systems, and we will talk a little bit about that. We've got a couple of great articles online.
I spoke about this with the UNH CEO mastermind this week: third-party contractors. They are our weakest cybersecurity link, and they're just not being held accountable. You know, if you ask people who the biggest cybersecurity threats out there are, they would name who I have talked about today: Russia, China, North Korea, Iran. And you'd be right, but those countries are the most significant foreign threats. As I mentioned this week at the speech I gave, the real problem is internal. And by internal, I don't just mean your employees; I mean your contractors. That's one of the things you have to go through when you're looking at penetration testing and doing the analysis of your business and its data security.
Now, from Customs and Border Protection: I talked about this on May 31. They had a breach where 100,000 people were photographed inside vehicles crossing the border in a couple of lanes, and the images, including images of the vehicle license plates and maybe some other stuff, were stolen. It was taken through a third-party contractor that was doing work for Customs and Border Protection.
The most significant breaches of the last 10 years have also been self-inflicted. So let's look at this one. This is a significant number here, quoted in The Hill from Flexera: patches were available for 86% of the vulnerabilities on the day of disclosure. In other words, when these companies came forward and told people about the hacks that had happened, 86% of those were hacks that didn't have to happen, because patches were already out.
Okay, in other breaches, access was gained by compromising a third party, like the vendors we were just talking about, and stealing their credentials to log into the corporate network of the eventual target.
Speaking of Target, look at Target: back in 2013, 40 million credit cards were lost through a third-party air conditioning provider that was connected to the corporate network. All the hacker had to do was break into the air conditioning system, and now they had a launch pad.
Think of what happened out in Las Vegas: a beautiful big fish tank. They put a smart controller in it that would warn them when the temperature got too cold, because the fish are so expensive. It was hooked up to their network, and it was compromised. That fish tank temperature control system was used as a launching pad.
We're seeing that all the time with security cameras. The Office of Personnel Management was breached through KeyPoint Government Solutions, a third party used by the Office of Personnel Management. That third party gave China 21 million personnel files, including the background checks conducted for top security clearances.
In 2017, an Australian defense subcontractor lost 30 gigabytes of highly sensitive data, including information on the drone strike for the Joint Strike Fighter program. Crazy. By the way, the software had not been updated for 12 months.
In 2018, China compromised the network of yet another defense contractor doing work for the Navy. Again, our technology, our advanced military superiority, has literally been stolen from us. Again from The Hill: in an assessment delivered to Navy Secretary Richard V. Spencer in March and reviewed by the Wall Street Journal, the Navy and its industry partners are under cyber siege by Chinese and Russian hackers.
So think about all of that when you are thinking about your business and even your home computer. Segment your networks, break them up, use good passwords; this is all stuff we're going to review in our security summer. Again, Craig Peterson dot com; you can email me, and I'll let you know when it happens. Just text me at Craig Peterson dot com; we're going to cover all of this. I want you guys to know what to do, whether you're an individual or a small to medium business. In most companies, face it, the computer guy or gal is whoever likes computers the most, or maybe the one who wanted a raise. They're not necessarily computer professionals. It is very rare to find security professionals. We're working every day trying to keep up to date. Even though I've been doing this for 30 years, I'm still learning stuff. So be careful when you go out and hire outside firms.
On to the Apollo program. I read a book back in the early 80s, and I marked it all up, and it was about how the lunar landing was a hoax. Hollywood has made some films about it. There are many people, and more and more kids nowadays, who think the whole thing was a setup. This is a great article written by Ethan Siegel. In the article, he talks a little bit about the moon landing. People are saying that the entire space program and NASA are nothing more than a hoax. Let's go through a little bit of evidence. Number one, we can still see the evidence of the Apollo program on the moon even today. If you walk on the sand on a beach, the waves are going to level it out, and there won't be any sign that you were ever there, right? But none of that exists on the moon.
Even in the Sahara Desert, on the sand, you've got the shifting winds that shift that sand around. However, that is not the case on the moon.
We actually have pictures, taken by regular people, of the Apollo 12, 14, and 17 landing sites on the moon. Those have all been photographed from Earth. At the Apollo 12 landing site, there is a ton of stuff; you'll see it in this article from Forbes magazine. You can view all of the pictures. You can see it up on my website at Craig Peterson dot com. I have links to extensive photographic and video evidence from the Apollo missions themselves. The one I like the best is one that I am personally familiar with. This is Lunar Laser Ranging, and there are many others, but this is one that we ham radio users use. We can bounce off of the moon; there's a reflector that was left up there by the Apollo missions that we can bounce a laser off, and we use that scientifically to figure out how far away the moon is. But there are also lunar seismometers, the solar wind composition spectrum, a lunar surface magnetometer, a lunar dust collector, and many more. It was all left up there, where it ran for years. Some of this technology is still running. We were there. Don't let them tell you otherwise.
Take care, everybody. Make sure you sign up for the security summer at Craig Peterson dot com. Take care, everybody. Bye-bye.
---
Related articles:
Be Careful What You Browse - Drive-By Malware on the Rise
Are You Ready? Iranian Cyber Counter Attacks
Cyber Breaches - How far does your liability extend?
What We Know About Apollo Missions After 50 years
Mac Non-Vulnerability Vulnerability
During Travel Is Your Data Safe from Snooping Eyes?
Who Is Your Biggest Cyber Liability? Maybe It Is Not Who You Think
---
For questions, call or text:
855-385-5553