Thanks for joining us! Let me know if there are any topics you'd like us to cover by sending an email to me at craigpeterson.com!

Oct 31, 2020

Welcome! Craig has an exciting podcast that covers quite a few interesting topics this week, including USB safety; properly disposing of your smartphone before getting a new one; why the National Guard is being used to investigate cybersecurity incidents in Louisiana; Iran and threatening mail sent to Democrat voters; and phishing, which is back in the news, and why you must train your employees to watch for it. Then he talks about IT wages and problems with the H1B visa program.

For more tech tips, news, and updates, visit - CraigPeterson.com.

---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] We've even seen where USB thumb drives come pre-infected with viruses and other pieces of nastiness. So, just how safe is your USB drive in this day and age of us taking them home and to work?

Hi, everybody, Craig Peterson here. Welcome. We're going to be talking not only about USB drives, but how to protect your privacy when you're selling your phone. Okay. We've got a national guard call out in Louisiana over the election. We've got the government concluding that Iran was behind some email sent to Democrats and we've got artificial intelligence that's going to just supercharge, spear phishing. We'll be talking about that. Defining both of what they are.

IT wages are no longer considered exceptional. That's a study from Harvard business school. Guardrails in cloud-native applications are needed. That's a great call. I love that.

Corporations using this STEM shortage myth to abuse the H1B programs. H1B visa programs that President Trump has been trying to clamp down on.

What do you call these little devices that we have, these USB drives, thumb drives? What do you call them personally? Probably about 10 years ago, I grabbed the domain. I registered thumbdrive.com and I never did anything with it. I was thinking, Oh man. I could have a whole bunch of different thumb drives up there. I ended up letting it go when I was really low on cash one time. I just went to it today. Thumbdrive.com, and it's somebody selling Toshiba thumb drive type stuff. It's still the disappointments in life that you tend to remember much more than the successes. So it's a bit of a shame. But thumb drives have become way more useful in this day and age. We're going from work to home. Our kids are taking their work for school. They've got to bring it to the teacher. Many of the times, of course now it's electronic, right? We upload it. We don't even use FTP anymore, but we upload it. We download it and we might email it. We use Box or Dropbox or Google Drive in order to share files. That's really the most common way to do it nowadays.

But thumb drives are still out there. They're still in wide use and I still have a supply of them and somehow they all seem to keep disappearing and that's where the problems start, really?

If you own at least one thumb drive, you've transferred a file. You might've used it as a method of backing up some of your documents or your photos or other things you might like to carry your work with you. So you can dive into it at a moment's notice and you keep it in your pocket. I have one that is waterproof. It's a light fireproof, and it's sitting there on my key chain. So that I have it if I ever need it in order to do something and you know what, I've used it a few times, but not so much. I've even got thumb drives in my wallet. Just really thin ones in case I ever need them. I have used them from time to time.

If you're like most people. You might be using thumb drives that aren't necessarily trustworthy. So let's talk about that for a minute. Students tend to use flash drives to print out study materials at a Kinko's store, or maybe they go to a library to grab something. Maybe you are using it to move documents back and forth to your work, to your family events, soccer church, or whatever it might be.

Now, when we're talking about kids, they also tend to lend their classmates these drives, and they might have their notes from their class on them. They might've made their notes on a Google Chromebook, and now somebody plugged it into a Windows laptop or Mac. Think about spreading diseases, right? It's the same sort of thing as they're passing them around and sharing them.

It's not just kids in school, in college. It's also friends at the office. It's friends that you have at home and you really can't be sure of these things and how protected they're going to be.  If any of those thumb drives have been infested with malware, it's really very possible that your computer, if you've used one of these infected thumb drives, that your computer is now infected as well.

Some devices like your Macs, for instance, you've got a Mac laptop are immune to all Windows viruses that are Windows based. So it can spread them. It's like a little super spreader. So that if there is a virus for Windows, that's on your Mac in a file, your Mac will be just fine. It doesn't care. But when you now transfer it to somebody else, or you put it onto a drive you're in big trouble. Here are some options that you can take.

Microsoft has made a big change a couple of releases ago, major releases in the Windows operating system. There used to be an autorun file that was there, on, for instance, a CD drive or a thumb drive. So when Windows opened it up and said, okay, I'm going to run this file. And that file would do something like cool, play a movie for you. Or it might run a video game or whatever it's supposed to be doing on there, but the bad guys started taking advantage of that pretty early on. They started using this crass cross-contamination route using these autorun files as a way to send all of their malware to other people. Okay, so you have to be careful.

We're going to get into some solutions here in just a minute. What really do you have on your thumb drives? I want everybody to think about it for a minute. What are you using them for? How can they be misused? What happens if they're lost? I mentioned that this week on the radio, what happens if you lose the thumb drive and it has some intellectual property on it? Has personal information on it?

I know a couple of listeners who are using external drives, which are more common now than they used to be. They plug into the USB port. It's the same sort of problem. You can't put these into your pocket like you can a thumb drive, but you can certainly share them. You can move them around and they're using these USB drives now spinning media, or sometimes even SSD, they're using them to move stuff back and forth.

So how do you deal with it? One of the ways is what we tend to do for our customers that need high security.  We remove the mechanisms for people to be able to use them in the first place. We'll disconnect it from the motherboard if that's possible and we'll fill the port with epoxy. So people can't just put it in there. Now most of the time, they're not being malicious. They just want to plug it in and grab this file.

But there are people who are malicious who are trying to steal data. Which is why, again, in high security, We remove those USB ports. So that the thumb drives just can't be put in there. Companies like IBM have opted to completely ban removable storage devices, period. It's a real big deal. They were talking about all of this at WeLiveSecurity.com Amer Owaida is his name who was talking about some of this stuff. But when he looked around, he found that IBM was banning it, many other major companies were.

Let's start with what can be done. First of all. When we're transferring sensitive information from one place to another. So for instance, we might be tightening up security in a doctor's office or helping a doctor's office upgrade their systems, and we need to send all of their patient data to the third party who now has this new system that they're going to be starting to use in the doctor's office and we want it to be secure. So we have a disk drive cabinet that is encrypted the whole thing is, it's just a little thing. It's not much bigger than a disc drive and it has a drive inside of it. You have to enter the key when it powers on, and then it uses that key for the encryption on the disk. So even if somebody breaks into the case, it doesn't matter because the disk that's inside is encrypted using this key. So you could consider doing that. There are thumb drives that have, built into them, thumbprint readers. Most of them that I've seen are pretty easily defeated, but let me tell you that's harder to do than, having to defeat one of these things than just plugging in a drive that's not encrypted okay.

So step number one. You need to have, if you can use them, drives that you can trust for confidential information. That means they need to look different. They need to be different than the drives that you are using for home for your personal data, for your personal backups.  So first of all, they need to look different. So maybe just having that thumbprint reader on the drive is enough to remind you. Sensitive data should be on that drive with a thumb print reader.

The next thing you probably want to do is encrypt all of the sensitive data that you want to load onto the drive. Now there's a number of ways to do it. You've got built right into Windows, full disk encryption. Same thing's true for your Mac. So you could encrypt it that way. You can also use something that's free. I think it's pretty easy called PGP, which uses public keys. You encrypt the files before you put them on the disks.

I do like the hardware security solutions for the thumb drive that uses a pin code. That's probably best, as I said, I don't really trust the biometric scanners, but there's some really great articles out there about these thumb drives, and what could possibly go wrong.

Now there are thumb drives that are designed to burn up your computer, literally melt it down. Don't pick them up. Oh yeah, we've used that trick against Iranians before.

Our smartphones have our lives on them. There are some very quick ways to make sure all of your data on them are destroyed, because we're upgrading these things left right and center.  It isn't just about e-waste as they call it. It's about your personal information.

Let's start getting into our security here on your phones. People are getting rid of their phones on really record rates. In fact, in market for new customers, their smartphones has dropped dramatically. We've reached saturation in most markets, worldwide, where people who want a smartphone have a smart phone, people who want an iPhone or maybe an Android, heaven forbid, have got those devices and they're pretty happy with them.

Now, the Android is going to be cheaper initially. If you ask me, it's way cheaper in the longer run to have an iPhone. What do we do with these things? We're talking about 50 million metric tons of e-waste every year and a large part of that is our smartphone devices.

Most of it isn't recycled. However. Your smart phone can be. So instead of tossing it into the trash, I think you need to look at a few different options. You can recycle it. You can donate it. You can sell it. There are a number of different places that you can go in order to get rid of these things and really make back a few bucks in the long run here.

Best Buy, Whole Foods, Home Depot, Lowe's and Staples typically have free drop off spots to take dead batteries. So that's step one. If you have a removable battery. You can remove it and drop it off on one of those. You can also check out a website that's called Earth911, and it's simply earth911.com and it will tell you where you can recycle these things because they've got all kinds of nastiness in them. The button cells, the older ones had mercury. You've got lithium, you've got zinc in these things. So that's always a good place to go to start recycling them.

There's also Cell Phones for Soldiers where you can donate. That's their website, cellphonesforsoldiers.com. They will take your cell phones and they'll provide them to soldiers overseas. This is really cool too. Cell Phones for Soldiers also provides about 2,500 calling cards every week as well for the soldiers to use. Man, I'm choking up a little bit here.

In case you didn't know it, by the way, we're planning on building a 4G cell phone network on the moon and a 5G cell phone network on Mars, like real soon now with the next couple of years. So maybe you can donate them to NASA for them to take while they go up there. Now, there are a few places that you can go to recycle specifically, and I've used Gazelle before.

Let me just check. Make sure they are online still. Yeah, there they are. Gazelle, gazelle.com. They'll let you buy refurbed pre-owned phones. You can sell them as well. They'll trade them in for cash. So let me just see, I'm poking around on their website as I'm here.

I'll tell you how to clean up your phone securely here a little bit, but let's say like me, I've got an iPhone 8 Plus, right? That's my phone. It's probably about time to upgrade it. I'm going to say it's factory unlocked and it's saying, I think mine's a 256. So I'm going to say 256 because I want money. Does the device power on? Yes. Is it fully functional, all parts work? Yes. Front and back. Free of cracks. Yes. Cosmetic looks like new, which is true. So for excellent condition worth 181 bucks, light signs of use it's worth 173, normal signs 160 bucks. Then you can send it in. I've even seen Gazelle having kiosks, where you can go ahead and just put your phone in. They have cameras in them and somebody remotely will look at the phone that you just stuck into it and will give you an offer. So there's buy-back services, flip C and all kinds of others.

So before you get rid of it, make sure you have a good hard look. Declutter gadget gone. That's a cool name, right? Oh, Apple, by the way, they've got store credits. I got $300. Last time I turned in my iPhone at the store. Right now my iPhone 8 is worth 170 bucks at the Apple store. So it's worth about the same as it is worth over on Gazelle. Best Buy lets you trade it in. Some will take them to Craigslist, Facebook Marketplace, eBay and others. So there you go. There are some things to do with that phone. Eco ATM, by the way, that's the name of the ATM that's owned by Gazelle trade. Amazon has a trade-in store, but just look, if you do a search for Gazelle, you're going to see ads for others as well.

Before you do that, let's talk about your privacy here. Before you just throw it away into one of these recycled bins. So this is some suggestions from Tech Republic and I'm of course, going to add my own little tips into this as well. Veronica Combs wrote this original article. She says that you should unpair all devices. I don't think that matters really. I don't think you have to unpair anything because what you're going to do next is sign out of all services.

Now that can be important. If you have an iPhone, what all you really need to do on your iPhone is go to the settings. Once you're there in settings, you're going to go to general and then reset and then select erase all content. Before you do that, you're going to have to turn off Find My iPhone, because if Find My iPhone is turned on, not only does it let you find your iPhone if it's lost or stolen, but it also makes the phone so it cannot be erased and then used by a third party. You have to be able to log into the phone using your Apple ID if it has been reset. So turn that off first. Find My iPhone. Then go to settings, general, reset, erase all contents. Now it's not really erasing the content on the iPhone and also un-encrypted Android devices. What it does is it destroys the decryption key. That only takes a second or two. Once that's destroyed that phone is now completely reset. It's like a factory reset. There is nothing left on the machine. So on Android phones turn off the factory reset protection.

This started a couple of releases ago with Android. You can go to settings, privacy, factory data, reset, and then choose reset phone. Once you've done that with your phone, either one of them, you are safe to send it off to a recycler.

Now, if you're like the campaign staff for Hillary Clinton or her phones themselves, they just took ball-peen hammers to them. Once the investigation had started and it was illegal to destroy evidence. So remember that, if you use a ball-peen hammer, apparently it's legal to destroy it that way. By the way, it'll make it pretty much unrecoverable if you really bash the living daylights out of

How could our elections be attacked? Well, they already are according to a report right now in Louisiana. It may not have been directed at our election infrastructure, but it sure is affecting it. Here we go.

We have some serious problems being reported down in Louisiana. According to Threatpost, the Louisiana National Guard has been called out. Now that's a very big deal. You might ask yourself, why would they call out the National Guard to battle a cyber security problem?

That would be a good question, if you were to ask, so let's ask it. The answer to that would be. That the national guard, as well as our military, have been trained. Not all of them, obviously. They have teams that have been trained to do cybersecurity work, and we've done some. I've done some training on that for the FBI InfraGard program, so I have some intimate awareness of how this stuff works. Here's the bottom line, according to the article that was in Reuters. They're saying that there's evidence suggesting a sophisticated hacking group was involved.

So what happened now? This is something that happens to businesses. It happens to government agencies. It happens to almost everybody out there. They were attacked. Most of the time these attacks are coming, the more successful ones, in the form of phishing and phishing campaigns.

I've got some training that if your company really wants to do some phishing training, let me know. I have some excellent training materials and we buy licenses for these from our third party. It just isn't worth it for me to do custom training for all of my companies and we buy these things in blocks and I have extra licenses. We buy them a thousand at a time. So if you'd like to offer some security training for your employees, that's primarily focused in on the whole concept of phishing and what they should be doing, what they shouldn't be doing. Social engineering even goes so far as to inbound phone calls. Let me know, just drop me a line. me@craigpeterson.com and I'll be glad to get back to you. We can make some arrangements to help you out there.

Cause I know a lot of companies just don't know where to go and you can't afford these expensive trainings. We have some extra licenses, so we can definitely help you with some of that stuff. So just email me@craigpeterson.com. If you'd like to get a little bit of that training and I can probably do it too for home users, if you're interested, let me know. I'll see if I can't just drop you into one of these classes with one of my business clients, that, again, it's a nice little series of training. I think they do a really good job. I should be able to squeeze some people in here and there. So let me know.

That's how most of the time bad guys are getting into our networks. They send an email, it looks like it's legitimate. It looks like not only is it legitimate, but it's something you need to open and you need to open it right now. These guys have gotten really good at that sort of a thing. Then you click on it and they have your information or they have you running a program for them.

Now, many times these programs are called RATs, which is a remote access Trojan. If they can get a RAT onto your network, it's over for you if you don't know it's there. That's why we always suggest and there's a few companies that have these, I like Cisco, but there are some other good ones out there that we work with, that have the ability to detect these Trojans. They're watching them calling home. Where are they going?

A remote access Trojan on your network means they can remotely get onto your network right through your firewall. Right through it and then start doing whatever they want to on their network, anytime they want. That's part of the reason I really strongly urge everyone to use umbrella and you can find it,  just umbrella.com. We sell the professional version of this for enterprises, but they have free versions as well. That are simple as just changing your DNS server IP addresses. They've got them right there on the homepage. Two, two Oh (860) 722-2222.  It explains it all. If you just go to umbrella.com.

The idea is you use the Cisco umbrella software for your DNS server and if there is a Remote Access Trojan, when it tries to call home to give the bad guys access to your network, it is foiled in its attempt.

It doesn't block it per se, but it's like hopping in an UBER and saying take me to one, two, three main street and the Uber driver says, I don't know where that is. That's kind of the equivalent here, you ain't getting to one, two, three main street if the car or the driver doesn't know where that is or how to get you there. That's what umbrella does for you. There's free versions of it.

If you're a business you should use one of the higher level ones. What we sell, the enterprise version, is fantastic for businesses because it allows it all to be customized as well. Umbrella has family stuff too, that you can use and the family stuff is great too. You can keep the kids from stumbling on websites that they probably shouldn't be stumbling on, bottom line.

This paper that was released, showed that they had done a forensic investigation. I'm looking at this Reuters story, that goes into it and they found something called the KimJongRat. Which is a back door. It is a remote access Trojan and it had a source code leaked.

I haven't checked lately on the dark web, but it used to be a little buy tools like this for 20 bucks. They're not expensive.

So problem number one, the bad guys got into Louisiana's government networks. Problem number two, they installed a remote access Trojan in the network. Very common. Usually within a week to two weeks after that's been installed, they will have examined your network and they are going to be digging in even deeper.

What did they do here? Wow. They installed the Trojan. Now I've talked about this before. We've seen attacks involving Emotet, it was found also in the networks of these government victims, according to Reuters. The Emotet Trojan can also load other malware and it's like a worm. It propagates all by itself through the networks, onto the file servers and onto the desktops and laptops.

It also, by the way, is just as happy to spread through a VPN connection. Do you know what I think about VPNs? They have their place. I use them, but as a rule, VPN's not a good idea.  For most very small businesses, not at all. Okay. So this is a problem. 

We now have the national guard in Louisiana called in according to Reuters to protect the systems, when we're in the middle of election season. Isn't that fun? 

Before we get to that, I want to talk about this email. That concludes that Iran was behind sending these very threatening emails out to Democrats. How could that have happened? What should you be looking for? We got answers.

There have been some emails that are very scary out there. They were supposedly from this pro-Trump group called the Proud Boys and they have a very scary message. The messages say that they are in possession of all your information. By the way, that if you really want it and you're willing to pay a few bucks on the dark web you can probably get anybody's information on almost anything, okay.

But they're in possession of all your information and they've instructed voters to change their party registration and cast their ballots for Trump and I quote here from the emails, and this is an article from the Washington Post. Yes. It says you will vote for Trump on election day, or we will come after you. So pretty scary stuff.

Some of these were in hotly contested swing states in the upcoming presidential election. It's going to be one heck of a season here. Let me tell you. But the U.S. official said privately that through the Post that the operation was not terribly sophisticated and they said it was disclosed before it could have any major impact.

The cybersecurity researchers that they spoke with said little about the operation. They're thinking there wasn't a large scale deception. We'll see what happens. It was first divulged Tuesday by local law enforcement and election officials in Florida and Alaska, and people rightly reported them. For FBI reporting, it is ic3.gov online. If you get an email like this, or you get another threatening email or something that you think the FBI might want to know about, because they do investigate these things.

I am involved in a couple of their investigations, that revolve around China and Chinese espionage. Anything like this, you can report, just go to ic3.gov. IC3 as in Internet Crime Complaint Center. ic3.gov. Okay.

This is a real problem. In 2016, it took months for the Obama administration to publicly point the finger at Moscow for the hacks and leaks of Democratic e-mails despite the intelligence community having determined Russian culpability early on. So there you go. The Russia story continues at the Washington Post, but this came up from a disclosure by the Director of National Intelligence, the DNI, John Ratcliffe.

I like the fact that President Trump has, I'm not going to say strong armed, but he certainly has convinced our intelligence agencies to be more open with the public. Be more open with business, this FBI InfraGard thing that I'm involved with and did a lot of training, meaning over the years for, it's been around for a very long time. Let me see. 1996 it's been around. So it's a partnership for protection. It's a nonprofit, they have a lot of volunteers like myself that are involved with it. So the cooperation between the fed and business is nothing new. 96 was a long time ago. That would have been what President Clinton, that did that, but it actually started in Ohio and one of the field offices, as I recall.

President Trump here has taken this to the next level and we have had disclosures from the NSA. Remember NSA, we used to joke is true for no such agency because it was just so secretive. The NSA has even released information about vulnerabilities in our systems. So it's a huge deal.

On Thursday, by the way, Iran summoned the Swiss envoy in Tehran, and Switzerland is who handles affairs for the US there, because the U.S. doesn't have an embassy or anything really there in Iran. Other than probably the CIA. They were condemning the baseless accusations of meddling in the U.S. election. They said that Iran has no interest in interfering in the US election. It's the old habit and there's a new name for it, but the old habit of keeping information from people. You might remember in World War Two, right? If you tell a big lie often enough and you tell it with absolute rigor, people will believe you. Nowadays, they call it gaslighting and it's been very effective. So that's what Iran is trying to do. So be careful with those emails.

So that kind of leads us into this whole thing on spear phishing.

If you miss it today, I'm going to have that up on my website, along with IT job wages and pretty much everything else. I try and get it all up on CraigPeterson.com. I send out my weekly newsletter and we've also sent out some that people are really interested in. If you didn't get it this last week, you might just drop me a note.

We don't automatically send it to people who sign up new. So if you are going to go to CraigPeterson.com/subscribe right now, you'd only get future newsletters. You wouldn't get the past ones. This past weekend I put together a really great newsletter. And it talked about taking your computer in for repairs.

I used this fictitious character called Hunter. Who took his MacBook into a computer store to have it repaired for water damage. I came up with all of the main things you should do step-by-step before you take a computer in for water damage. I think if our fictitious character Hunter had done all of this, he wouldn't be in all of this big trouble with this daddy, but I can send that to you, if you're interested. We talked about it a little earlier this week as well, but just email me@craigpeterson.com. And let me know you want the Hunter email. I'll be glad to send that to you.

Also, if you sign up, I am going to be sending you some of my most popular special report. The stuff you need to know, because everybody needs to understand how to do a security reboot.

I've got some very in-depth courses, but let's just start you with a simple checklist. I don't want to confuse anybody. So it's easy enough for me to just reply to you when you sign up and send you this stuff I have at this point about 60 different six zero different special reports.

So when you ask a question, oftentimes I can just send you a special report on it. Oftentimes if I don't have a special report, I will write one, because if you're interested, other people are interested too.

So make sure you sign up and you can just do that by going to CraigPeterson.com/subscribe. I'd be glad to do that for you.

We also have a couple of things, that I really want to cover quickly here when it comes to the election and election technology. I think as a whole, our election is pretty safe from a technology standpoint, right? I'm not saying anything about people printing their own ballots and sending them in. About gathering ballots, about bribing people to vote a certain way. That's not what I'm talking about. Obviously, all of that's easy enough to manipulate. We've seen post carriers who are dropping ballots into gullies and ditches and trash cans. That's one thing.

On the other side, there's the technology. I am pretty confident that in most of our states here where we are using these paper ballots and they're more like a light cardboard, right? What a hundred pound stock give or take 80 pound where we fill in that oval. Then we take it up to the machine. We put it into the machine, which reads it optically and tallies it. I'm pretty confident those machines are in good shape.

One of my sons, who works with me and he's a Cisco Fire Jumper certified guy. He is also one of these election overseers. He had a look at machines that were shipped off from the Secretary of State's office, and even though some of the seals were broken, the seals that really counted, which are the seals over that little memory card inside that optical reader, those seals were all intact. So that does my heart good. I'm also pretty confident that the people who are working the local polls and tabulating are being supervised and there tend to be Republicans and Democrats and independently minded people who are overseeing the process. So those tallied numbers that are then sent off to the Secretary of State's office, I think are likely to be correct.

Then the Secretary of State's office, puts them up on their website and then the Feds are going to look at them. That's where I'm the most worried about it. Emails sent to the Feds with tallies. The feds visiting a hacked website.

We just went through the major ransomware and remote access Trojan problem that they're having down in Louisiana. That is a very big problem because that could be a weak point that would be exploited by people who wanted to change our votes.

If you are involved in oversight in this stuff, make sure everything is double checked with a human. Get on the phone, call somebody, call the Secretary of State's office to verify. If you're working at a local polling place, verify that the Secretary of State's office has the right numbers. Then make sure the right numbers are on the Secretary of State's website.

The rest of this is going to be an absolute disaster. What can I say?

Craig Peterson (2): [00:38:49] You've probably heard about spear phishing. I did a little phishing myself online and looked at some of these companies, like Barracuda that are saying that they stopped spear phishing attacks using AI. Hey, I've never been a fan of Barracuda.

Now spear phishing is by definition and this is from CSO online.com,  is the act of sending an email to specific and well-researched targets while purporting it to be a trusted sender.

Now you've seen phishing. If you've been on the internet for the last 10 or 20 years, you've probably seen what's called the Nigerian Prince scam. That's an idea that has really perpetrated into every bad guy's mind over the years. The idea is, Hey, if we can send an email out to people and find the gullible people, maybe we can make some money.

It's fishing just like you might be out in a boat and you're casting a net to catch a certain type of fish. You hope that the gill size is right on that net and you always catch some other things, right? Dolphin, tuna, and some of these other things, but, you don't really care.

What we're talking about here with regular phishing, which is spelled P H I S H I N G. We are talking about bad guys casting a huge net. This net is out there to try and catch anybody, anything that will go ahead and get caught in that net.

So the Nigerian Prince scam is, Hey, I am a Prince in Nigeria and I need to move my family's $1 million worth of wealth and the only way I can do that and get it out of US banks is if I have a US bank account. So if I could go ahead and I'll transfer in this $10,000 that I need to move. I'll let you keep 2000. So I'm going to transfer 10,000 into your account, and then you're going to wire me $8,000 of that money and you can keep the $2,000.

Now, there are many forms of this scam. The Nigerian Prince scam is one of them. Of course what's happened here is they say they wired the money in, and that money may show as pending in your account coming from an overseas account. So you look at it, and you say, Oh yeah the $10,000 is there. The Nigerian Prince contacts you and says, Hey, I sent you that $10,000. I really need that 8,000 now, or I'm not going to be able to get my mother out of jail or something along those lines, kidney for my best friend on and on. People look at the account, look at that, there's that $10,000. Now they go to the bank and they wire the $8,000 to this account overseas and off goes your $8,000. When you wire that money out, it is gone.

What happens is a few days later, it can take anywhere up to basically two weeks for the bank to clear the money. I know about the check 22 laws, that's all down the tubes. It's eight days to two weeks usually, especially for international transactions and they can take three weeks or longer sometimes. That transaction where he wired the money in is canceled on his side because he's got an inside thing going on with the bank. So you thought you had 10,000 that he had put into your account. You wired out 8,000. Net 2000, that's not so bad.

But then a week or two, or maybe even three weeks later, your bank contacts you for insufficient funds because that $10,000 transfer that he was putting into your account, actually never finalized and never really happened. So you have now sent him $8,000 of your own money. So that was the Nigerian phishing scam.

There are a lot of scams that are based on that are still out there today.

One of the big ones that the FBI just a few months ago arrested a dozen or so people out in California for is a mule scam.

I don't know if you saw this latest Clint Eastwood movie. I thought it was pretty good. I've liked Clint Eastwood for a very long time, but he has a movie out called The Mule, came out in 2018. This is a 90 year old horticulturalist and Korean war veteran that turned into a drug mule for a Mexican cartel. A very interesting movie, rather believable, a lot of movies that just totally rip apart. But I enjoyed this enough to allow it to be believable. He was hauling money for the Mexican cartel.

What these people in California were doing is they were money laundering and that's typically called a mule, they're moving money around.

They would get some money from somebody. It's much like this scam I was just talking about with the Nigerian Prince scam. So they say, Hey, we're going to wire some money into your PayPal account, for instance, or we're going to route wired into your bank account. And then we want you to use PayPal to send us the 90% of the money.

In this case, these mules were not getting ripped off. They would actually get the $10,000 into the bank account and then they would send $9,000 via PayPal and the bad guys were happy cause that money is laundered, it came from a more legitimate looking source.

I had some really great trainings that I did on this for the FBI InfraGard program with some, I think it was a Secret Service guy, and they tracked a lot of this down. There were some arrests here a couple months back.

We have to be very careful about this and how we're transferring money around and whether or not we do it for one of these people. Because we're getting tricked.

What's happening is these people who are doing the spear phishing are doing research on us.

We had a great example of another spear phishing thing. There was a company in the UK that was purchased by a German company. They knew all of the basics about this German company and they got a phone call one day from the CEO of the German company. The CEO told them to wire some funds to this particular bank account, and they did. It sounded like the CEO. They used some technology to impersonate the guy's voice. They went ahead and wired the money.

Then we got Barbara Corcoran, who is one of the sharks on Shark Tank. Her assistant went ahead and wired, I think it was like $400,000. Another assistant of hers, her executive assistant, caught it, noticed it, because she was CC'd on the response, freaked out. They managed to stop the transfer from happening. So good news on that one.

These scams are out there and they're out there big time.

I have another one where a lady was going online and doing research about business owners. She found a couple of business owners, actually quite a few. She wanted to narrow it down. So she researched them. She found some of these business owners had Facebook pages. She went to the Facebook pages and while on those pages, she found those business owners that said that they were going on vacation. She followed them a little bit and found out about where they were going when they were going. Then she managed to trick the email providers into letting them into the actual email account, which she did in this one case, where she got more than $40 million out of the company.

She finds out who the CFO is and then when the owner is on an airplane or is in Bermuda and cannot be contacted. She then sent off an email to the CFO saying, Hey, we've got this new provider, a supplier we've had for three months and we've never paid any of their invoices. Here's the invoice on the bottom of the invoice or statement the bottom of the statement it says, or to wire the money to, I need you to wire right now, or we're going to be out of business next month because we've never paid this new supplier that, and it's critical. The CFO wired the money because she had done her research and that's what it takes.

They want to send you an email that is really coded up for you.

That fake email that you got represents a huge industry and that industry is undergoing some amazing changes. They are using artificial intelligence for evil. So we're going to tell you about it right now.

Now, these types of phishing, where they are going after a specific person, after doing a bunch of research are called spear phishing attacks.

It's not like those from the mid nineties where you had the Nigerian Prince out there sending emails and just waiting for anybody to respond to them. These are aimed at someone individual.

Here's an example that was in Dark Reading this week, where it says:

Hey, I'll see you at nine for our four hour call. You're going to kill it today. See the dial in details for the call attached. Cheers, Al.

Now most people would not question the legitimacy of this email. It's kinda laid back. They might've done some research on Al. They might have cracked Al's machine. Somehow gotten a list of all of his contacts and sent this to everybody in his contact list that worked at the same company.

This is happening all of the time, everybody. So be careful of this.

So you get it. Looks legit. Everything about it smells legit. You're going to open it up because heck I'm going to kill it today in our nice little conference call, right? Yeah. That's what you're going to do.

But what could well be happening here is that email attachment that they said, Hey, you need to click on this, could well have a malicious payload. So you have to be careful and it may not have a malicious payroll payload on it. Maybe it went through the email filters looked pretty good, but maybe the website it's pointing to, or even the file on the website it's pointing to is malicious is a malicious payload.

So you've got to be very careful and you could lose your job in total embarrassment. You could really harm the company by opening this. But it's getting worse.

It's going to get even worse right now. There is something called offensive artificial intelligence. This is ushering in a whole new era of phishing attacks that are going away from these more simple ones, the broad phishing attacks, even the spear phishing attacks, where they do some research about your company.

I've picked up a few clients, unfortunately, that have had these attacks worked successfully. And then we had to put in some really great software to make it even work better for them.

Artificial intelligence can go out and start looking around, can figure out what's going on. For instance, blue.ai, found a cluster of pneumonia cases around a market in Wuhan, China, it flagged it and found it nine days before the World Health Organization found it.  It's now being used to look at all of this health literature from around the world about COVID 19, the Corona virus, that we have this novel one and figure out what's going on and it's even comparing it to DNA. AI can be absolutely wonderful.

We use it for monitoring and protecting various types of networks, but inevitably AI now has opened the door for sophisticated cyber attacks.

It is really crazy what's going on right now. Cause it's not just these phishing attacks, it's going to augment every type of cyber attack. It's using adaptive decision-making capabilities based on what it finds inside your network.

This is scary as heck because once it gets inside your network, think of Skynet, right? That's really what it's going to ultimately be like, maybe not with Androids out there trying to shoot us, but trying to steal everything we have.

Our email boxes are just going to be used as a stepping stone to get into the business network.

The only way to really compete with this is to fight AI with AI. That's what's happening with some bigger companies out there.

I did a little searching of my own online and I got a little upset because I came across an article.

At the top an ad for Barracuda. Now, I've known these guys for a long time. They have used open source, freely available firewall software and other software to build their business and, good for them. There's nothing wrong with it. That's what open source software is for.

But there seem to be some misrepresentations that are out there. That's where it gets scary.

Right there on their website, Barracuda Sentinel, get AI based protection from phishing and account takeover. You read down a little bit further block threats already in your email, in your inbox. Stay a step ahead of attackers with AI based threat detection. Stop wasting time managing static security rules. I agree with that one. I think the problem that we have is we're putting a lot of trust in these companies.

This is Barracuda. I have had clients who've used it before, and I've had nightmares trying to fix problems with it, but that's me.  I could tell you about them if you wanted.

On the other side, there are other systems, like from Aruba, Cisco, which is what I use and sell,  these are not a panacea. There are all kinds of things that you have to look at and you have to be tying them together.

We're no longer just dealing with the perimeter. It's no longer just having a good firewall or trying to have a good email filter. Now we really are talking about this Zero Trust model because AI is being used by the bad guys. It is getting into our systems. We have to make sure that none of the data, what we call in the biz, east-west or west-east traffic, east-west traffic, none of that internal data, internal communications is going somewhere it shouldn't, or is being used incorrectly.

Spear phishing is difficult to detect. It is very difficult for AI to detect it. It is much easier for a person to detect it. You need to do training on this. Have your people get some training. I think it's just that important.

This whole business email compromise thing that the FBI has been talking about. That's all tied into spear phishing. So we gotta be very careful.

Harvard business school has a really interesting article out right now about wages in IT of course, information technology. We used to call it MIS management information systems, way back when.

Hey, it's bringing back memories of when I was a professor out at Pepperdine University. MIS 422? That class anyways.

Harvard has been of course helping people in all kinds of aspects of business, which includes things like the law, IT and General business, as well. But they've come out with something that has really surprised a whole bunch of people and it has to do with IT job wages.

I have talked about getting jobs in cybersecurity and how many open jobs there are. I think the biggest problem people have is getting into cybersecurity and then getting the support they need, once they're in cyber security. Over just the last few weeks, I've had a couple of listeners who have sent me an email and I asked a little bit about it and I pointed them in a couple of different directions and even pulled another listener into one of the conversations who has moved into IT security. Exceptional wages were the norm in computers for a very long time. You got paid good money, if you were good in it whether it's in management or in coding.

I made good money for a lot of years as a kernel programmer. Writing the operating system itself and device drivers and implementing internet protocols and designing new protocols. I made one of the world's very first centralized security systems for computers and computer networks. Way back when. So it has been around a while and it has paid very well. Their jobs have always been stable, the fast rising within the organization and made a lot of money. Back in the nineties, you had the dotcom boom.

It really bothered me, all of these people that started hanging up shingles saying,  I'm an IT person.  I design websites. I do these and they've never really had any real experience with IT.

To this day I still bemoan Microsoft products. Because it seems like it's chimpanzees throwing darts at boards, as far as trying to make sure their systems work and inter-operate and don't even conflict with each other. It's so frustrating. Since I've been in the Unix side for so long and the mainframe side as well, the systems that work well and work consistently.

It turns out things have changed a bit now when it comes to the wages that are being paid in information technology. In all but the largest cities, according to Harvard, wage growth in IT jobs has become relatively moderate following the dotcom boom.

They're saying that these wages in IT are a lot more like wage patterns that have been seen in the broader STEM space. STEM being science, technology, engineering, and mathematics. So some of those like mathematics are well known for really having terrible wages, right? You got a PhD in math and wow, you can get a $60,000 a year job. So IT has changed. IT really has leveled out.

In some geographical regions where there's fierce competition for IT talent, superstar performers do not earn the same high premium they once did over average performing programmers and other IT professionals. So in short, IT wages are still relatively high compared to most other occupations, but they have lost what Harvard says is their exceptional luster.

The IT wage premiums today have more to do with where you are working than with rewarding specific skills that you have for the job. So keep that in mind.

This paper, if you want to look it up, it's called the Digital Labor Market Inequality and Decline of IT Exceptionalism. It was written in Harvard business school post-doctoral researcher was involved with this at the Martin Marshall professor of business administration. So there's a whole lot to chart the rise and fall of the salaries. They examined 142 of the largest urban areas in the US between 2000 and 2018, and of course we've had crazy change over those 18 years in IT. We've seen the major rise of the internet and apps, which didn't really exist until the last 10 years, these mobile phone smartphone apps. We've also had two pretty darn big recessions over that period of time. In smaller cities and rural areas, which is what we're talking about here for most of my listening area were excluded because of missing data for at least one year. They use the data from the Bureau of Labor Statistics. They parsed both the broad difference in wages against other lower paying jobs, STEM professionals. Salaries they found in five places, Silicon Valley, San Francisco, Seattle, Washington DC and New York climbed as there was more competition for talent. I will interject there that I think that places like New York city are going to see a continued exodus of IT professionals since there's so many people working from home. That is going to have an absolutely major impact on all of us. IT workers in the rest of the country just didn't get the same bump.

Let's see. So they're saying there's two distinct and competing forces on the one hand, the advantage of tech hubs and urban metropolises, especially the combination of dense population and vigorous innovation increasingly leads to higher IT wages making some regions more attractive to skilled talent.

On the other hand, this is not Ronald Reagan's, ideally economist, right? On the other hand, wage spread narrowed within advantaged areas, moving the top, 10% of IT wages into convergence with other STEM occupation. So they're saying, yeah. The highest paying IT job category that they examined, which was a research scientist paid between 140 and 170,000 per year in the Bay area. So that's almost a minimum wage out there considering how much it costs for a house, et cetera. 45% more than a typical region such as Indianapolis in contrast, in those with biochemists, they earn about the same wage in the Bay area as they do in Indianapolis on average. Isn't that scary? So it goes on and on. Superstars are not super paid anymore.

There's major implications for organizations. If you're looking at IT wages. You need to use the same sort of reasoning you would have used for other skilled labor markets. There are HR people who are used to this. When you get into the rare parts of STEM, how rare are they really? How many openings are there?

This is an interesting time and it's changing more and more because of people working from home and the lockdowns and you saw France just locked down. I think it was Switzerland just locked down. Belgium apparently is about to lock down. We've even got Vermont locking down saying, don't go into these two counties in New Hampshire, which is right across the river because of higher COVID rates. Now I'm not going to get into all of it, COVID rates versus death, right? What morbidities and other things, but it's really tough.

People are moving out of the big cities, including IT professionals that are moving way out. We've had a lot of people moving into New Hampshire and other areas that are more rural. So I suspect IT jobs as well as other STEM jobs just are going to continue to go down.

We just talked about AI in the last segment and its effect. I think AI is going to have a huge effect on the whole IT industry, but it's going to take a few years before it really hits.

We were just talking about wages. We're going to talk right now about another reason those wages have gone down something I've seen personally that has caused harm to my business and that President Trump has been trying to crack down on.  We're going to talk about cloud native apps too.

Hi everybody. Craig Peterson here.

Let's get into this guest worker program problem that we have.  It's very upsetting to me because I have lost business. I have lost contracts because of this program. What's been going on, and I took advantage of this program back in the nineties. I had a company with about 40- 50 employees. They were all IT people and I needed somebody with a very specific skillset.

I needed a couple of people and so I hired an attorney and what they did is they worked to show the federal government that we had indeed tried to get people to work for us with these skillsets and we couldn't find anybody.

We needed to bring in a foreign worker and that was under what's called an H1B visa. We brought them into the country and gave them the jobs and the work and off they go. Eventually I ended up having to pay for the airline tickets to send them on back home because we didn't need them anymore after the whole dot com boom thing.

It was a really, quite a mess back then. This whole H1B visa thing has been a real problem. We have some extremely large consulting companies that have been bringing in thousands of foreign workers in the IT space, tens of thousands of them. They then bid against US American companies.

Some of these companies, even though they're supposed to pay prevailing wages with H1Bs, were not. What we've ended up with now is a clamp down on this.

We bid on, we had proposals, where there was absolutely no way in heck that we could have matched the price of this other consulting firm using people that were paid about a fifth of what we were paying.

We found this out, of course, after the fact. We'd dug into it, trying to figure out why, we were the obvious choice, why didn't they use us? President Trump has come to the realization that Americans need the jobs in America, first. He has put a bit of pressure onto this whole H1B program.

The Daily Caller has an article out this week called Corporations use the STEM shortage myth to abuse tech worker programs that President Trump's announcement really sent shockwaves through the whole tech sector. He suspended most of these guest worker visas through the end of the year.

The big guys in tech were all condemning this. You've got Google, Amazon, Facebook, Microsoft, all individually condemn the moratorium. It affects these H1B visas, that these big tech firms use to hire the foreign workers that they don't really need. Tim Cook, who's a head of Apple, said he was deeply disappointed. Twitter called it short-sighted. Overall, they may reduce the cost of things that are produced here in the US because they work for much less money. However, the quality isn't there.

I looked into, when I was bringing some people into the country, I looked into their backgrounds and found these people claiming PhDs and they have their certificates. Yet their background was basically a high school education. It was shocking to me. Shocking. Then what I also found is that some of these companies found somebody they were going to hire from overseas that would work for cheap money. As I said, a fifth of what we had to pay US wages and they crafted the advertisement and they crafted the language in the application to the state department, et cetera, specifically for that person.

So they took the resume and they said, we need someone with these exact qualifications three and a half years in this technology two years in that technology, a degree in this and degree and that a five years experience in this so that they could then justify it because you post that ad somewhere and Americans are going to look at it and say, no, I don't have that exact qualification. Then they took those applications and they got the foreign workers that got them to come into the US. They were able to pay them a fraction of what they would normally have to pay a US worker. So that's where I'm coming from. Okay.

I think that's pretty obvious these companies, Google, Amazon, Facebook, Microsoft, as well as these big consulting companies I mentioned earlier. I didn't give names, but you've probably heard of them. They were all actually worried about their bottom line. That's got to be the sole thing that they were worried about here.

Congress created this H1B program back in 1990 to help companies recruit skilled foreign workers, where there was a shortage of qualified workers in the US. But the companies have circumvented the H1B program's safeguards. They're weak. It's crazy.

They've been bringing in cheaper and less qualified foreign workers, even when there's plenty of qualified workers here now. When we've got an unemployment rate above 10 or so, it's ridiculous to be bringing these people in. We have people in the US that can take these jobs that they just don't want to pay because they want to pay foreign workers.

Now, we had problems before where they were shipping jobs overseas to again unqualified companies. People in the US were forced to train their replacements overseas. You've heard these stories before. I know people that were forced to do this in the tech industry. It's all fake. That's exactly what they're saying right now. Rutgers professor Hal Salzman testified in Congress that this whole idea of a science technology, engineering, mathematics, employee mathematics, employee shortage, this desperate lack of people trained in these fields is a myth.

Rutgers professor Salzman said that they graduate about twice as many STEM students as there are STEM jobs for them each year. He said, in fact, Minneapolis Federal Reserve Bank president Neel Kashkari dismissed the whole concept of STEM shorter worker shortage. Noting that skills gap is just a euphemism for, we want skills at lower wages.

So if there's no shortage of graduates and Americans are willing to do the work, why are these big tech companies so obsessed with H1B visas?  It really comes down to money. Let's see. There's a lot more detail in this article.

I think Harvard did a great job Harvard business school on this, but man, we've got to be hiring Americans. We've got to.

I'm great with people coming into the country. I'm an import, right? I've been here for many years. I got my US citizenship and I think it's a wonderful thing because we need new blood. We need talented blood. We need bright people. Bringing in these people for just cheap labor or outsourcing our jobs because it's a lot cheaper is going to hurt these companies in a long run. It's hurting the United States in the short run. There's no doubt about it.

We are all looking at cloud apps. We probably use them every day. If you've got an iPhone or an Android phone, you're definitely using the cloud. Many businesses have looked at the cloud as a way to save money. Sometimes save a whole lot of money.

A lot of organizations have decided that the cloud is this panacea that they can use. Because of the pandemic, why not shift the worker's functions to the cloud and get rid of our local computer room, data center closet, wherever it is, you might have your file server, et cetera.

We have a huge security fallout now because of this sprint to set up employees home offices, because it's not just about vulnerable end points in home networks anymore. We've now rushed into adopting cloud-based technologies that have not been secured. It's absolutely nuts. We've got this hybrid physical cloud-based IT infrastructure and it is altering the landscape. Obviously it's already altered in 2020, but 2021 and beyond it is going to be just changed forever. So how do you manage it? How do you put up guardrails?

Look at what's happened with Amazon Web Services, with their S3 data storage and how many security breaches there have been with S3. These buckets being wide open. Salesforce, Slack, ServiceNow, and others have all had hacks. We've got major potential for vulnerabilities because we're tying together systems that were never even designed to be working together in the first place. Certainly weren't designed for security in the first place. So this is just a hint of things that are to come. Okay. It's very easy to mess up cloud security. Now there's a number of startups right now that are out there trying to address this. JupiterOne came out of stealth mode here. They had $19 million in Series A funding that tells you how much these investors are thinking they're going to make off of this. This service automatically finds and keeps updated online, physical and virtual devices and assets and organization, including cloud native services. That doesn't seem like it's that hard to do, but man, the misconfiguration of all of the Software as a Service, or Cloud Native is common and it's mainly due to human error.

So if you are using cloud services, I really would suggest that you, if you're a business, you assign someone to look into this or you look into it yourself. You're using Dropbox. You're using Microsoft O365. What are they doing to secure their data? A lot of these services don't even guarantee that they'll back it up and just had a huge data loss because it wasn't being properly backed up.

Hey, if you have any questions, just email me at craigpeterson.com.
