Sep 29, 2020
Good morning, everybody. I was on WTAG this morning with Jim Polito. He had a few questions about VPNs; it seems to be a little confusing for people to understand that VPNs were designed for something completely different from what people are using them for today, and that is where the problems are coming from. Then I broke some big news about the Federal Register changes affecting DOD contractors and subcontractors that went into effect last night at 5 pm. Then we got a little light-hearted with a brief discussion about love and Zoom. Here we go with Jim.
For more tech tips, news, and updates visit - CraigPeterson.com
Automated Machine Generated Transcript:
Craig Peterson: [00:00:00] We're giving you an emergency regulation. Right now you have 48 hours' notice and you have to actually secure your systems by December 1st. We now have people who can audit you, who have secret clearances or better, and they're going to start that audit December 1st.
Hey, good morning everybody. Craig Peterson here. Mr. Jim Polito was in his studio for the first time in many months. He sounds much better there in the studio. We got into VPNs. What is the problem? What is this whole thing called zero-trust, and how's that going to be affecting us here in days, weeks, months ahead? Also, huge, huge, huge, huge announcement: Federal Register. If you do anything for anybody that does anything for the Department of Defense, including mowing their lawns, a big change in the Federal Register. You are now in serious trouble if you don't meet these guidelines that have been published for a couple of years, this NIST 800-171. But anyhow, I mentioned that. Whoa!
So here we go with Mr. Polito.
Jim Polito: [00:01:16] A great Tuesday segment; it would be a great segment any day of the week. He is our good friend and tech talk guru, Craig Peterson. Good morning, sir.
Craig Peterson: [00:01:28] Hey, good morning, Jim. How are you?
Jim Polito: [00:01:31] I'm good. I'm good. I'm actually... I never thought the day would come, and this will be the second topic, but I never thought the day would come that Craig Peterson and I would be talking about dating. We're going to talk about dating. We're going to talk about dating in the age of COVID, but before we get to that, you have some really big news you provided me with. Okay. So I understand the concept of a VPN. A VPN so that you can work securely from home or another remote location, and yet still have access to everything.
Every computer, every little bit of hardware you have and software and drives that you have at, say, your business now. Thank God Danny has this, uh, my former producer, now program director, because Danny can, uh, if I need something, VPN in from home and do it or fix it or whatever. Uh, now you're saying that VPN, what? Isn't the gold standard anymore? What's going on?
Craig Peterson: [00:02:46] We have to remember where VPN came from in the first place. You know, it's been over 20 years ago, but I had three megabits' worth of internet here at the house, and it was costing me, 20 years ago, about $6,000 a month to have three megabits' worth of internet. Yeah, exactly. So I had internet here at the house so I could work at home, and that network was then routed through, of course, the phone company had all of those lines, and they went to the office. And then the whole VPN concept came along. What we could do now is run a virtual network link.
So rather than paying the six grand a month for me to be able to connect to the office or my house, I could now connect the two networks together just over the internet. So my cost went from about $6,000 a month to about $150 to $200 a month back then. It was a huge win. Yeah. That's what they're designed for: for the networks to connect together. And that is the problem. If you connect your home network to the office network, you now have a huge problem, because all of the attack surfaces, all of the computers in your home, that really cool internet coffee pot that you bought that is really a computer that happens to make coffee, has now gained access to your network at the office. That's where the problem is.
Jim Polito: This is the internet of things that you often talk to me about, right?
Craig Peterson: Yeah. It's the internet of things, plus, if you've got teenage boys, where are they going online? Right. What are some of the worst places you can think of? And so now all of these computers that are infected can spread laterally out there, and that's just a huge problem.
So, yeah, VPN, as you said, is no longer the gold standard. In fact, I've got to make a quick announcement here in just a second about the Defense... the national register just had an emergency update as of 5:00 PM yesterday, but this all ties in.
Because what we're moving towards now is what is called a zero-trust network.
It's a way different concept than most people are used to, than businesses are using. But the idea is, why should you connect your home network to the office network? Because that's dangerous as heck. Okay. A zero-trust network is one where any device that wants to speak to another specific device has to be approved. Not only does that device have to be approved to talk to the other device, but the protocol it is using has to be approved.
So it has gotten very, very different in this world today because of all the hacks going on, and zero-trust is what you're going to start seeing right, left and center here over the next year or two, moving away from just the concept of an open VPN.
Jim Polito: [00:06:05] Wow. We're talking with our good friend, Craig Peterson, tech talk guru, talking about all things technical.
Now, the VPN, in terms of security, as you were talking, I mean, it was the gold standard. Isn't this just a race every time we turn around? So this new system that you're talking about, won't it have a shelf life? Won't it at some point be useless against the bad guys?
Craig Peterson: [00:06:38] You have a great point.
It's always been a game of one-upmanship between the defenders and the attackers. That's why zero-trust comes into play. Yeah, there are going to be problems with the implementation. The biggest problem we see is stuff being misconfigured. Businesses are completely misconfiguring the VPNs; heaven forbid they have to try and figure out zero-trust. That's where we're going to see the biggest problems, with misconfiguration. But the whole concept behind zero-trust says, basically, no, there is no one that's going to shift, because everything has to be approved, and what we're trying to do with this is stop the lateral movement.
So if your business gets infected with something, nowadays it ultimately ends up being ransomware much of the time, but it gets infected. The bad guys, if they've got ransomware in your machine, don't do what they used to do a few years ago. What they do right now, Jim, and these guys are smart, right? What does that make money doing? The good stuff.
Jim Polito: [00:07:44] Yeah,
Craig Peterson: [00:07:44] But what they're doing is, they've got ahold of Jim Polito's son's computer. Yeah. And so they don't immediately encrypt it. They don't immediately pop up a notice saying, Hey, you've got ransomware, like they used to do.
What they're doing now is they spread laterally inside your network. So their software looks for files that have interesting names; it uploads them to the bad guys so they can have a look at that. The bad guys might hop onto your computer now and poke around, saying, Hey, wait a minute.
Jim Polito's son works for this health management company, and it looks like they might have some assets. So now the bad guys are looking at your computer. I mean the bad guys' actual intelligence, not programming. So these people are looking at it saying, Oh, wait a minute. Here we've got medical records, we've got all of this stuff, and now they evaluate. Okay.
So what do we think this is worth? We're into the town of Worcester's computer network. What should we do now? Well, let's infect some more machines, because we're in now. So they start spreading to other desktops here. You know, Jim Polito's son's girlfriend's computer, who also works there in the town.
Now they have visibility into everything, but they've also copied many of these files out of your network. So this might go on for weeks, and businesses aren't even noticing this because they don't track any exfiltration of data, most businesses. So they're pulling all of this data out, and now what they do is they encrypt everything on your computers and they pop up a notice saying you have one of two choices.
You can either pay us X dollars, and if it's a town it's probably more along the lines of $10 million.
Jim Polito: [00:09:38] Yeah.
Craig Peterson: [00:09:38] You can either pay us that and we'll give you the decryption keys. By the way, they have a help desk now, where you can contact the help desk and they'll help you out. Or what will happen is we'll just release all of the tax records of everybody in the town, or all of the medical records of everybody in your medical office, or all of the records of all of your customers. Yeah, it's crazy.
Jim Polito: [00:10:01] Yeah.
Craig Peterson: [00:10:01] You know, I've been saying businesses aren't doing this, and this is where the Federal Register thing comes in. There was an emergency order, if you will, last night here,
on the Defense Acquisition Regulation System from the Department of Defense. Finally, finally. They basically said, all of you contractors out there, the DOD subcontractors, we know you've been lying to us about your compliance with these rules that have been out for two years, and so we're giving you an emergency regulation right now.
You have 48 hours' notice. You have to actually secure your systems by December 1st. We now have people who can audit you, who have secret clearances or better. They're going to start that audit on December 1st.
Jim Polito: [00:10:54] Wow.
Craig Peterson: [00:10:54] So just we're talking about, um, you know, company X that makes power supplies for DOD contractors, right? This is the power supply. There are no smarts in there. They now have to comply with these new rules, which are called CMMC rules, that are out there. These are just the set of compliance stuff. And they said you have to do it now. Quit pencil-whipping the forms, because we're going to be taking a close look.
Oh, and by the way, it's only federal prison time, as much as 10 years, and millions of dollars' worth of fines. Okay. So finally, the feds are getting upset about all of this, and you've asked me before, what are we going to do about it? How can we make it happen? Well, let me tell ya, when we get some CEOs going to prison, Jim,
ears are going to get a little bigger, I think, as people listen, with these auditors coming in with their sharp pencils, having a good look at the security. So again, here I am on a soapbox. Sorry.
Jim Polito: [00:12:01] No, it's okay. It's okay. It was a complete story. Yeah, it's gotta be done. Now, quickly, before we leave, on the lighter side: Zoom is the new singles bar. Is that what you're trying to tell me? Because, by the way, I know you have concerns about Zoom and the security associated with Zoom, for businesses to lose proprietary information over Zoom. But Zoom is the new, Hey, what's your sign, you know, the new singles bar.
Craig Peterson: [00:12:36] Yeah, I love this. This is absolutely amazing here. People are getting married later in life, or not getting married at all. Our fertility rates have plummeted to 1.7. Now, this is going to make it even worse. But businesses, and now roof dating groups, you know, we used to have the fast dating. You remember George doing that on Seinfeld? Like 30 seconds each? Yup. So now, yeah, speed dating. So now all of this is happening on Zoom. Businesses are having happy hour. Some of them are sending out little bottles of wine, and all of the employees do Zoom. You have to see each other getting drunk, and it's spreading into dating more and more and more. It's a fascinating thing. Really changed South here, Jim.
Jim Polito: [00:13:33] Wow. Well, you know, I mean, come on. It's the age of COVID, and maybe that's more effective. You get a look at the person, you can hear them talk, you know, you don't have to give them your personal number. It's just a Zoom thing. If the man or woman is a loser, well, you're all set. It's like, yo, I gotta go. I gotta go. I'm all set. I gotta, I ain't gotta go, you know. Uh, that's a good thing that you and I aren't out there anymore.
That's a good thing. Yeah. Craig Peterson, folks. Now, uh, Craig, I think I got a correction from Danny. It's 11 o'clock on Sundays, on WHYN, WTAG. That's what he's telling me now. Craig Peterson show. That's what he's telling me.
So we'll have to, we'll have to make sure about that, but in the meantime, how can folks get more information from the tech talk guru?
Craig Peterson: Well, you can always go to my firstname.lastname@example.org. But if you have specific questions, especially now, I can send you guys, if you drop me a line, the information here on the changes to the Federal Register.
If you make anything that is bought by any DOD contractors, your business just changed at 5:00 PM last night. Just email me, M E @craigpeterson.com. I'll send you some of these articles that are out there, the changes by the DOD. Just email me with any question. I answer dozens a week, just
Jim Polito: All right, Craig, we'll talk to you next week. Always a pleasure, always some great surprises.
Craig Peterson: [00:15:18] Thanks, Jim. Take care.
Jim Polito: [00:15:20] Bye-bye.
Craig Peterson: [00:15:21] Hey, I've got to get busy right now, because there are a lot of companies that need some help and I gotta make sure everybody knows, and I am finishing up right now our first little three-minute videos.
It's taking me a long time the first time around, right? It always does, but things will go a lot swifter here in the future.
We're planning on doing this every Tuesday and Thursday. So keep an eye on your emails for that.
Take care, everybody. Bye-bye.