Jul 19, 2019
There was a massive, colossal third-party hack this week.
We're also going to talk about Zoom and a considerable security problem tied into a problem they're having in France right now. If you use Zoom on a Mac, listen up.
There was a bill passed in Congress that requires the federal government to remove some of these security cameras. I will tell you why it's almost impossible to remove these things.
Apple this week made some changes to the MacBooks. They discontinued the MacBook itself.
I am planning a Security Summer for my listeners. I will have some free courses. I will also introduce you to some of the software that I use for my clients and how you can use it too. Also, I have some limited opportunities for businesses who have had enough with their security issues to work with me and my team and put their security problems to rest once and for all. So watch out for announcements on those.
For more tech tips, news, and updates visit - CraigPeterson.com
Below is a rush transcript of this segment; it might contain errors.
Airing date: 07/13/2019
A massive, colossal third-party hack this week. Zoom security problem. Congress requires removal of Chinese-made security cameras. Apple changes their MacBooks.
Hey, everybody, welcome. Craig Peterson here, hope you're having a great day. There is a ton to cover today. I'm going to kind of talk a fair amount about something I think is essential. Everybody, we've had a massive, colossal hack this week. But you weren't hacked. But your business wasn't hacked. But there was a third-party breach. And this is going to affect many companies in a significant way. So we're going to tell you how to avoid having that happen to you in the future. Exactly what's going on there. Today, we're also going to talk about Zoom and a considerable security problem tied into a problem they're having in France right now. If you use Zoom on a Mac, listen up. There is a huge battle going on right now behind the scenes. That's what happened in France to not Zoom, but they did the Bank of China. Man, we talked about them before. There was a bill passed in Congress that requires the federal government to remove some of these security cameras. I will tell you why it's almost impossible to remove these things. If you have security cameras, man, oh, man, we have seen those be a huge problem. It's called a launch point for attacks. It's just crazy. So we'll talk a little bit about that. Apple this week made some changes to the MacBooks. They discontinued the MacBook itself. So they now have some very cool MacBook Air models and some MacBook Pro models. A lot of people ask me, and this is probably the biggest question I get from people when it's talking about Apple. Especially for those who have not used this platform before. Is it worth it? Well, I think it is. Frankly, they cost a little bit more upfront. But when you add up the prices, the cost, they're cheaper, they're a lot cheaper. I typically expect a MacBook Pro to last me eight years, maybe 10. We've had in the last 10 or 11 years before, but an eight-year life versus your average laptop, which is two or three years over on the Windows side. So I do think it's worth it.
Plus, the machines tend to work a lot better, they're smoother, they are less likely to be attacked, and they have a more secure operating system. Although I have to hand it to Microsoft's new CEO, he is pulling up the socks over there, Microsoft on many, many fronts. While I am not an investor, I can say it's finally a company I would consider investing in as they've done some fantastic things.
Apple has made some changes with these Macbooks that they announced this week. And that's an excellent thing. But the 12 inch MacBook is gone. Now. Remember, when they introduced the MacBook years ago, those little plastic ones, which I liked, I had one used one that was quite cute. I think you might like them. There has been a lot in the news over the last few weeks about Amazon listening in. And obviously, you don't want anybody listening to conversations. And you probably already know my opinion on this. But here's the bottom line for those that haven't heard it before. Yes, the Amazon devices, the Google devices, etc. Yes, they can listen, and they have to. But I know with Amazon with their echoes, they've got the hardware setup in such a way that if they're turning on the microphone to send data to record, that little light bar has to come on, they haven't checked it lately, I probably should. But the hardware was designed so that if it's captured audio that light bars on so other than listening for its name, you know, the wakeup word that you would use, it's not capturing anything, it's not sending it up to the cloud. And we've seen court cases a murder cases where they subpoenaed the records, and they wanted to listen in on the conversation that happened just before the murder. And of course, it was not recording it. So there was no conversation that they could playback. And there's nothing they could use in the court case. Now, if you're very, very paranoid, and I know a lot of people that are, and I am on the Paranoid side by myself, you probably don't want to have one of these things. Now I do have them because I want to understand how it works. I found them to be convenient. I use it, frankly, kind of sparingly. But that's what's happening with the Amazon Echo devices, these personal assistants. Now, Google has hit the news just this week, revealing that Google was sharing recordings of people's commands with third parties. 
Now, in this case, the third parties were developers, software developers, and frankly, you've got to expect them to have access to your, you know, recordings, right? You hopefully aren't thinking that if you ask Alexa or Amazon, Google Home, whatever it is, if you ask them a question, hopefully, you do not think that it's never recorded and never kept because they are. And Amazon keeps the recordings of your voice forever. And unless you go in and manually delete them, and there's some you can't delete, etc. So don't ask stupid questions that you might regret later on. So Google's getting the heat now because some of these Google Home device recordings ended up in the hands of third-party contractors subcontractors to Google now is that much different than having them in the hands of Google employees? Hard to say, I guess you could certainly argue that, once it's out of Google's hands, they don't have access to or control over the data. And because of that, a could be a bad thing, right. And I get that I do get that because hopefully, Google has perfect security. And for everything we've seen, they probably do have some excellent security. But who knows about the subcontractors. Now, that's the bottom line there. So it was disclosed that I think it was like 1000 or so I'm sure the numbers will change over time. But some of these recordings are in the hands of contractors. And so I think the media is frankly, blowing it up here. I'm not going to blow this one up. Because, again, I think if you're asking the electronic assistant to do something for you, you do not have a reasonable expectation of privacy. You know, there's some expectation of privacy. But how often are these devices hacked and everything right? It's just, and it's a constant thing. So you know, don't expect your data to be kept safe. Next up, we talked about deep fakes before. And I saw this, and I was so disappointed. 
Did you see Star Wars Rogue One? This is in 2016, Rogue One: A Star Wars Story. I thought the story was rather good. It didn't have a whole ton of tie-ins. You know, there's like, there's not a fork that I can see that they're planning on running with off of Rogue One. Maybe they are, frankly, you know, early rebellion type things. But in that movie, there was a terrible version of a young Carrie Fisher, Princess Leia. And that actress, there was an actress obviously, that they used her face. And they tried to make it look like Carrie Fisher, and they did a terrible job. But today, even this was back in 2016. Today, you can do a better job than Lucasfilm did. Right now, with your reasonably high-end home computer. And the question again has come up in this age where we have deep fakes, where we've got Mark Zuckerberg faked online, we've got porn, which they have faked where they're putting some famous actress's face on someone else's body in a porn shoot. How can you tell what's real? And I have talked before about how this could be a huge problem when it comes to politics. Think about the things that you could have a politician say, because it's not the politician that's saying that. You look at some of the things President Trump says and you kind of roll your eyes. Why would you even say something like that? Right? And you know, this is separate from his policies. But if you have a deep fake that comes out that looks like the person, that sounds like something they might say, how can you tell if it's real? And then let's move on to the next step. Remember, Ronald Reagan with the open mic, a lot different than President Obama's open mic where he said, you know, tell Vlad, I'll have more flexibility after the election, right, when he was cooperating with the Russians, and they were colluding together.
So, you know, not the President Obama thing, but the open mic with President Reagan, where he was saying, Hey, listen, the bottom line, well, I'm trying to remember the exact quote, but the missiles on Moscow will start falling in five minutes or something like that, I can't remember what it was. And it freaked out the Russians. And some people attribute that to kind of the death knell for the great Soviet Empire. Big all of a sudden now, you know, they couldn't feed their people, they didn't have items on the shelves, it was a socialist system. And as usual, it was failing. And they now figured they had to escalate the arms race and do so much more, because of what President Reagan said. So now fast forward to now, maybe next year, an election year, what will happen if they deep fake President Trump saying something that is going to get Iran all up in arms, right, as though there's not enough tension already? Or maybe Russia or China or you name it? How about just one of our good trading partners, Great Britain, or Canada or Mexico? What's going to happen, then? There's, I think, the biggest potential problem with deep fakes because what that means is we are potentially going to see wars started, maybe not between the US and other countries, but maybe between smaller countries, maybe between politicians, right? We already know politicians are out there saying things that are just outrageous, taking stuff completely out of context. And even worse, fabricating stuff. So what happens when they can do this and make it look like their opponent said it? Huge, right, huge deal? Well, now the Actors Guild and the actors are starting to get a little bit concerned, because of the potential of these virtual acting stars. Look at what Disney has done lately with Dumbo and the Lion King, where they're pulling the real world in with CGI along with animation. And so much of it is just so seamless. It's amazing. Not that you can't tell that Dumbo isn't a real elephant.
Or some of these other characters or actors aren't real, but that's going to change, and that's going to change very, very quickly. So it's going to get to the point where they could hire an actor or actress to act in something. And it's just an A, B, or C actor. It could be almost anybody off of the street. Now they have to be able to do a little bit of acting; obviously, their facial expressions have to be good, and they have to match. But let's look at the voiceover industry that used to be in cartoons. We had Mel Blanc who was doing all of those things for Warner Brothers, but in cartoons and voiceovers for commercials. You had professional voiceover actors who did a great job. And then it changed a little bit, and Robin Williams was upset because one of the things he did not want to happen has happened. He did the voice of the genie in Aladdin. You remember that, I'm sure. He did a great job. He improvised the line. Robin Williams had expressed at the time that he did not want the whole voiceover community to be hurt by this. He didn't want it to switch to having brand name actors doing voiceovers, you know, doing the comedy sketches basically in the middle of movies. And of course, that's what ended up happening. That the community now has moved from just a straight-up professional voice actor to now, we have regular actors doing commercials and voiceovers, etc. Some of you know it's one thing if they're the face of a brand, it's another if it's just a straight-up voiceover. So what's going to happen here with the next step, the next evolution in this which will be having voiceover type talent, having an instant? Is it going to be the reverse, right? Instead of paying an actress like Carrie Fisher who's passed now button, you know A, B or an A actor to do a scene, they can now come up with a new creative face.
That is just the most beautiful face ever most handsome face has the exact attributes they want. Maybe it's the evilness looking face, and, and create that character that they can use throughout a series like Avengers. Look at we've lost Tony Stark now, in from the Avengers series. And according to what I've been reading, they lost the actor. There are two or three actors that are gone now. Because they wanted too much money to do new movies. And I get it from the actor's standpoint. And you know, you don't want to be typecast, etc. You help build that brand. But when the brand is 100% copyrightable, where they created the face, they created the voice with the work of, let's say, a voice actor or someone else. And they now absolutely own it, then what's going to happen? Very interesting. I think that if you're a waitress, I mean, an actress in Los Angeles, in Hollywood, you might want to think twice about this. Now, we see right now a resurgence of need for actors, actresses, because we have everybody producing content, which is, by the way, going to drive up the cost, you thought streaming was going to save you money over the cable TV, not so much. Because what's going to happen here shortly is as CBS, NBC, and Netflix and Hulu, and Disney and even Comcast compete for the eyeballs, they're going to be creating more content. And that means they're going to be raising their prices. So instead of just subscribing to maybe Netflix and Hulu. Now you're going to have Netflix, Hulu, HBO, NBC CBS, ABC, Fox and each one of those is going to be 10 or 20 bucks a month. So the costs are going to go way, way up. So that's the next evolution in that. But ultimately, within ten years, this technology is going to be cheap. And I don't think we're going to need the actors anywhere near what we need Today. The salaries that they are demanding 10's of millions of dollars to do one movie and these days are going to end. 
You might even remember, Industrial Light and Magic, ILM, and they came out of nowhere from the Star Wars universe. And now they're in every major motion picture. You're going to get studios, like an ILM, that develop a character with a backstory and stuff. The primary thing is a character with some flaws, one we can love, one that we like to listen to and watch. There will be a voice and video, you know, an entire visual presentation, and the whole world will change. It's going to change in a big way. Okay, so next up, let's get into the big news of this week. You're listening, of course, to Craig Peterson. Make sure you get the weekly updates. I had I just got in a shout out again to Sue, hopefully you're listening. Today I met with Sue this week, she had sent in a request, we did a cyber health assessment, and we're doing some more stuff for her now. We're doing a deeper dive, and we found some stuff that is not only questionable but negative. So shout out to her. We also had a comment this week. And I want to thank James for this one. And this is where he said, hey, thanks, Craig. If I hadn't been on your email list, I would not have known about this vulnerability, and he patched it because, of course, I gave instructions on it. So if you want to know more, if you want to make sure that you can get the right patches at the right time, make sure you visit my website, Craig Peterson dot com, and right there on the top of I think pretty much every page now, you are going to find a sign up to sign up for my email list. Believe me, I don't scam you, spam you, anything else. Not like one of these marketers sending you two pieces of email a day. I keep it minimal, absolutely minimal. So Craig Peterson dot com. Okay, next up. So this last week, it came out that there was a breach of a US-based cloud solution provider. Now here's how this affects you and your business. This company, called PCM, is generating 2.2 billion dollars in revenue.
They've got more than 2000 customers; each of them is a business. It is an article from Security Affairs. The sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attacker stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft. Now that came originally from Krebs. Krebs on Security is a great site, by the way, you should check it out. Krebs is speculating that the intruders could be the same that hacked the Indian IT outsourcing giant Wipro this year. It is fascinating because again, this is further proof that outsourcing your IT, outsourcing your cloud management does not make you safe. Very, very big deal. Now, I have to tie something else into this because I think that these two may be related. Microsoft Corp. Now, of course, this is the company that makes Office 365. We use Office 365 for a lot of our clients. It depends on their size and specific requirements, and we also host email servers for some of our clients. We use Office 365 for other of our clients, and Microsoft themselves even says, Hey, listen, we're not guaranteeing you any security, we're not guaranteeing you any good filtering for your emails, we're not guaranteeing that your data will be safe if you put it on the Microsoft Cloud. We're not even guaranteeing that your data will be there next week. Because we don't back it up for you, you have to do all of this. So most businesses that I've talked to aren't aware of any of these things. There are huge deficiencies in the O365. But what's Microsoft going to do? Well, especially at the price points they sell it for, there isn't a margin in it for them. To fix this, Microsoft uses companies like mine and many other companies, not like mine, to resell their Office 365.
And what Microsoft's thinking was or is, is that we have Mainstream, we have Craig company, authorized to sell, install, help their clients use Office 365 features, right, and so now people using Microsoft Teams, and they're using the Microsoft email and outlook and they've got word and you know, whole office suite and everything. And it's a wonderful thing. But I am as the provider, and I am now the master administrator for my clients. And as a Master administrator, I can create new users for them, and I can take them off, I can add specific licenses. If someone wants to use this particular Microsoft product, but other people don't need it. And they pay by the month and based on what the usages. I can reset the passwords, and I can check the security logs, right? I can do all of this stuff is basically a super administrator for their service, then this is great for Microsoft because now that if someone calls them up and tries to scam them saying, Yeah, I'm on the CEO of IBM, and I want access to my account, I lost my password, reset it for me What? Okay, what do you change it to, right? So someone calling Microsoft, it's going to be hard to validate who they are. But somebody's calling Mainstream. I know who the customers are, right? My people know, we know their voices because we were a small company. We're a family company, yet we have other people that are members of my family. But we're a small company that cares about and works with the clients. So a client calls me and says, Hi, I'm president of x, y, z Corp. We know if they are not right, we know what they do. Typically, we're not going to give away figures out their store to someone that is faking it. So from Microsoft standpoint, it's great because they don't get those calls, they don't have the liability that goes along with it that we have, which is why we provide a million dollars worth of insurance underwritten by Lloyds of London, I think that's an important thing for security for businesses. 
So if they do get hacked, or something happens, you know, there is coverage, and then we also have that kind of coverage. But anyhow, Microsoft doesn't want all that liability, and they would need a million-dollar, they probably need 100 million dollars. They probably self-insure, they have plenty of cash. It is a fascinating business model.
Now, a lot of people out there, a lot of businesses who were break-fix shops have said, oh, well, you know, we can make more money, recurring monthly revenue or a monthly recurring revenue by selling Office 365. Because we'll earn $5 a month, per account, you know, five bucks a month. Are you kidding me? That's, it's hardly worth billing for $5 a month if you're a small company. The collections of follow up, you have to make a phone call because I didn't pay it. But you have the check processing fee from your bank, all of this stuff. How's it? How's it worth it? It's not. So what you have to do is you have to bundle it as a service offering so they can call if they have problems and we take care of things. But these other companies, unlike Mainstream, who are out there, not I'm not saying every company like this. But these different companies, what do they know about security? What do they know about the in-depth stuff? Right? I've been doing it now, I hate to admit this, but for 45 years? Me personally, okay, then when you add in all of the time from all the people working with me, and we're well past the century mark. So there's a huge difference. But how do you know? So a lot of people, we just lost a client. Because of this, though, they'll go out. And they will say how much for, we need 500 email boxes or 50 email boxes, how much do you want to charge, how much you charge for that. And so we'll quote it, but we don't just quote as email box, because we know we're going to have to do support, we're going to have to back up those email boxes, we're probably going to want to run their email through our high-end filter, before we send it to Microsoft, because Microsoft's email filters are nowhere near as useful. We're going to want to do all of this stuff. And backup restore, we're going to have to account maintenance and everything.
And so they say, oh, wow, well, this guy wants like a 10th of what you want, and you know, the answer is, yeah, they're not doing anything near what we're doing. And you're going to get stung. And in fact, this client did this once before, and another product and they got hurt, badly. Okay, so you've, you've got to watch that, it is a huge deal that you do not want to get involved with, you know, it's just crazy. So now, this is how this all ties in this breach at PCM. They lost all the administrative credentials for their 2000 business clients. Now, Microsoft will require multifactor authentication for their cloud solution providers. And these are the guys that help companies manage their Office 365 accounts to see what's going on here. It sounds like PCM, a $2.2 billion company, was not keeping their clients' records safe. That is huge. Now we use multifactor authentication for everything we possibly can. We go further than that. And we use these little keys that are encryption keys that we have to put into the devices to even be able to log in. If you remove that key, that physical key, the system shuts off, all access is blocked.
At Mainstream, we keep all of our client confidential stuff in highly encrypted digital containers and only decrypt a record when we need it for the client. Microsoft requires that all its cloud solution providers meet those same standards.
Today's show can be found at Craig Peterson dot com.
The sponsor of today's show is Craig Peterson's Security Summer Summit. Make sure you attend the summit. Make sure you sign up for the list — and this absolutely free summit. You can find out tons of stuff security summer, go to Craig Peterson dot com, sign up for my emails, and we will talk with you guys later in the week. Take care, everybody. Bye-bye.