May 31, 2019
I am planning a Security Summer for my listeners. I will have some free courses. I will also introduce you to some of the software that I use for my clients and how you can use it too. So watch out for announcements on those.
Is our society changing? What part is social media playing? Listen in today for more on this.
What can Open Source do for you? Why Open Source may change your life. More on this today.
Are we really ready for Autonomous Cars? or Is the technology expected to perform faster than it is actually ready? Interesting questions we will be discussing today.
What is going on with Google? G-Suite and Titan are both having issues.
Microsoft has another problem and it is a big one. More on this.
Do you have a Mortgage? You need to hear this!
For more tech tips, news, and updates visit - CraigPeterson.com
Below is a rush transcript of this segment; it might contain errors.
Airing date: 06/01/2019
Cyberbullying, Security summer free courses, First American Hack, Google Bluetooth titan hijacking
Hello, everybody, Craig Peterson here. We have ignition and boy do we have a show for today and then some.
You know a little bit about cyberbullying, I am sure.
Well, I'm going to tell you about something that I experienced this weekend, something that your kids may be experiencing in a much more critical way.
You know, we mentioned last week about the suicides and tied into this Netflix show. Well, we'll get into this a little bit more.
For those of you who are wondering how software is getting developed, nowadays and what you might want to do for your business for software development. We'll talk a little bit about GitHub and this whole open source revolution and how It has come into the mainstream, now.
We have some security warnings from our friends at Google. A massive hack. I don't think I saw this anywhere. Frankly, we'll talk about what Krebs on security had to say about this.
Tesla. Got to throw this in because what's a week without talking about Elon Musk. Consumer Reports is calling the automatic lane change feature on Tesla's navigate on autopilot, far less competent than a human driver. So, it kind of makes you wonder, should we be messing with this? Is this the right thing to do? Frankly, I think it's an excellent question.
Well, I commented last weekend in one of the articles up on the website, and as you know, I post articles every week. It's usually just a real quick synopsis of like the first couple of sentences from the article, and then I'll give you a link to it.
However, this last week, really, for the first time in a couple of years, we sat down and wrote some articles. We had mentioned something because again, I select the pieces that I am going to cover. I go through what the strategy is with my team and talk about the salient and essential points, and then they go off and write the article. So, this particular one was about anonymous, and it's still up on the website. And we take those articles, and we tweet them, we put them up on the social media sites as well. Well, the guy that we had mentioned in the web article claimed to be part of the hacking group Anonymous. He spent time in prison because of some of his activities, and he was a little miffed with me.
So I got a little bit of a whiff of him not being pleased about me and what I said in that article. I thought that it was rather interesting because this is the first real hater I've had in quite a while, frankly. Well, I've got to tell you, this feeling I had in my gut was, you know, people describe this, this feeling of butterflies and things and here, I was wondering, what did I do? What did I do to hurt this guy's feelings? Or, what, right. I can only describe it as a Wow thing. Well, in reading a little bit further into what he had said was that the that he remembers, I think it was in his warrant, it mentioned the FBI infragard program. And I'm an infragard member. He probably looked me up, and I'm easy to find after seeing the article, which was perhaps triggered by a Google search or maybe a Twitter search or something. And that made me feel a little bit better.
But man, brought back all the feelings of the first time there was an attack on my systems. And that was again, you might remember in the early 90s. And I had these questions running through my mind, what should I do? How do I do it? How do I respond? What? What's going on? I remember when I discovered the hack, who do I call, right? What do I do? And what's going to happen, Right? In my case, it's what's going to happen to everything that I have built, right? Here I am sitting there with a company that I had founded years before, and remember it's the early 90s and I was still a relatively young guy. But I'd been working on this company for over a decade by that point in time. And that feeling I had could only be described as horrendous.
It was quite something, and it reminded me of this by having this guy from anonymous, you know, going after me kind of the cyberbullying thing, right? Hey, they're not sitting there trying to wait around for any logic or reasoning or anything else. It is a type what you feel without thinking reaction.
Think about people that you've had to deal with probably yourself before. So what do you do? Well, that made me do a little bit of re-evaluation, you guys know, if you listen to the show, for a long time that I do a lot of training, I offer a lot of free training for people on cybersecurity. And just thinking back again, made me remember helped me and let me just put it that in perspective.
Remember, that feeling I had in my gut when my first hack attack occurred. When I realized someone had violated my trust, someone had broken in. Someone was potentially going to take my entire business away from me. How helpless I felt, and I had no idea what to do. Questions like: What should I do?, How can I do it?, Who do I call?, What's going to happen to my business?, What's going to happen with my clients?. Of course, that was almost 30 years ago now. But this brought all those feelings back.
So here's what I'm going to do for everybody out there. Because I know I'm not alone. Some of you are maybe 30-40 years behind me on this journey. I admit I was a pioneer out there. I got arrows in my back, right? I was out there on the Internet early, getting people online, when it was first legal to do so. I was one of the very first people.
You weren't, Okay, I understand. You were running a business, and maybe you were not even born yet, okay. But I am committing now to build what I'm calling a security summer. And the idea is that throughout the summer, and I'm probably not going to be able to start this until late June, early July. But throughout the summer, I'm going to offer a course. So you know you know what to do, and you'll know how to protect yourself, right?
Because you have to start at the beginning, before the bad guys get in, how to detect it, once they are in what to do about it, the forensic analysis that you're going to have to do after the fact, to clean this thing up, right?
I don't want you to have that feeling in your gut that I had before. Thirty years ago, when my first hack happened. I've had a couple of times since and not nearly as dramatic, okay. Because I had dealt with it before and I knew what to do. I had moved into a position where I was pretty much at the forefront at the time in security. But then I went on to run my business.
But I don't want you to have that feeling your gut. Right? What do you do? I am sure some of you have had it before. I know you've come into the office in the morning, the computers aren't working. And your first reaction is there in your gut. Your first thought is -- Oh my gosh, what do I do now? Then that turns into anger. It's anger towards your vendors. Right?
Well, I have Norton. I bought that Sonic wall. How did this happen? I should be all set, right. And so now you get on the phone, and you start yelling at vendors, you start yelling at your people who are supposed to be taking care of the IT side. I don't want you to feel that way.
We're going to have some free pieces of training this summer. If you're interested, send me an email, and let me know what security subject you're particularly interested in having me cover. That I can make sure we have some free training for you on that during the summer. I want to make it a summer of security. It's our security summer. Brought to you by Craig Peterson, my team and I am getting to work on it, as we speak.
My wife is going to put her heart and soul into this effort. I think I know what you need, and I think I know what you want, but it is essential to hear from you so that I can give you what you feel you need.
So, email me at Craigpeterson.com Craig Peterson. com.
We're also going to be talking about it on this radio show on these podcasts and on YouTube side, etc., etc.
I got my first real hater this week in a long time. And it brought back memories and made me more determined to help you guys out.
So, What was one of the first things I did. I shut down my website and made sure everything was patched up, right? Because I didn't want him to try and hack into my site. After all, anonymous is a hacktivist group, and that's what they do.
So, that's what I'm going to do for you guys. We're going to have a security summer this year.
Okay, so let's get into a couple more of these articles before I run out of time.
This one, I thought it was just totally appropriate. I got a couple of articles that are appropriate for this week, and you'll see those up on my website, and one or two of these articles were written up with my team. My wife does a lot of this stuff too. So, kudos to her.
You will find these up on craigpeterson.com, This is from an article that initially appeared in Pro Publica, and I found it on Ars Technica myself. It is a fascinating article and written by a couple of people here, Renee Dudley and Jeff Cow.
It's talking about the some of these companies here in the US that you can hire to help you out of ransomware, tight spot. Think about some of these we have read about, lately, The city of Atlanta, Georgia, Newark, New Jersey, the Port of San Diego, Hollywood Presbyterian Medical Center in LA. Atlanta, online water service requests and billing systems were down for over a month. Colorado Department of Transportation, they called in the National Guard, all because of cyber attacks. Apparently what has happened here is that the companies and in these cases, government institutions and hospitals, went to professionals and said, hey, what should we do now? The response from the FBI from the government, in general, is don't pay ransoms.
Well, guess what happened here? The FBI said that the criminal actors were out of the reach of US law enforcement. But they were not apparently and out of the reach of this American company called Proven Data Recovery out of Elmsford, New York. It appears that these guys regularly made ransom payments to Sam Sam ransomware hackers over more than a year, according to Jonathan Storfer, who is a former employee who dealt with these ransom payments.
Now, Bitcoin transactions are somewhat anonymous and difficult to track. But I know in talking with some secret service agents that they have tracked people through public records and got convictions because of being able to track down some of these Bitcoin coin payments. Pro Publica was able to trace four of these payments, and this article goes on and on.
Another US company, Florida based company, Monster Cloud also professes to use their data recovery method, but turns out they were paying ransoms sometimes without informing law enforcement or the victims, this is bad.
Again, from Pro Publica, both of these companies charge their victim's substantial fees on top of the ransom amount, and they offer other services such as sealing breaches to protect against future attacks.
Well, that's what I do for a living, Right? I don't try and do the recovery and no do I pay any ransom. There are many pieces of free recovery software out there that work in most cases. But, sometimes if you don't have a good backup, you're just out of luck. So, keep that in mind. Going to one of these companies, if you have ransomware on your computer is not going to solve the problem of ransomware. Because, some of these account companies, at least two of them in this case, according to Pro Publica, are making deals with the ransomware criminals, which is, in my opinion, not right.
So, we talked a couple of weeks ago about our friends over at Equifax and how they took a huge hit here. It cost them over a billion dollars, probably I would guess close to one and a half billion, but I don't know for sure. They haven't disclosed all of the numbers. This week, they did reveal that they had to do a bit of a write off of about a little more than half a billion dollars. But there's another one out there, and It is crazy.
It is the one, I mentioned, from Krebs on security, concerning the website for First American Financial Corp, a Fortune 500 real estate, title insurance giant. I mean giant, billions of dollars in annual revenue. First, America Corp leaked hundreds of millions of documents related to mortgages going back to 2003. Krebs on security found this leak, and they went ahead, and they fixed it. Isn't that nice of them, after the horses got out of the barn. So, these are digitized records that included bank account numbers, bank statements, mortgage statements, tax records, social security numbers, wire transaction receipts, driver's license images, were all available without authentication to anyone with a web browser. I find that incredibly unbelievable that a company that employs 18,000 people, you'd think they'd have some security people on staff. And they brought in more than 5.7 billion. There you go. That's the number from Krebs article. Now Krebs found out a bit about it because of a real estate developer, out in Washington state, who said he'd had little luck getting a response from them.
It just goes on and on, just like last week with what happened with Intel. And the reports of their colossal security problem. And they, it sounds like, literally tried to buy off the people who reported this massive bug in the Intel chips. It's just amazing. So it goes on and on the earliest document number available on the site wasn't document number 75. The dates and documents get closer to real-time each forward increment in the record number. I have the article up on my website, we've got a link to it if you want to see it. It's it is just stunning. So, who knows what happened has happened here, again, we have an example of a company that did not keep track of the security problems. And what do you want to bet they did not keep track of data x filtration, and what the criminals stole? Big deal. Big problem.
Now Google's got a couple of warnings out this week too. Is this getting old to anybody? I hope you're learning from this, and I hope you can apply it in your own life and your businesses. Take time to learn from these things. But, Google exposed that their G Suite, which is the Google suite where you as a business, you can pay for Google Docs, Google Sheets, etc. If you're a business and you're trying to use it, they want you to pay for it. That's what the city of Atlanta found out when they got hacked. All of their email accounts were down, and they couldn't do spreadsheets, they couldn't do anything.
So, they all signed up for Gsuite accounts. Google promptly shut them down two weeks ago for doing that, because they're supposed to pay. Then Google worked out a deal with them. However, it turns out they were storing plain text passwords on its servers for the last 14 years. It is a very, very big deal. So Google is saying that they have fixed the issue and that they've seen no other improper access or misuse of the affected passwords. They've got reasons why they did it. No, everybody makes mistakes in security, okay. I'm giving you that. But these two cases are for companies that should know better, they have big enough department, and they are going to lawsuits.
And like Equifax, it's probably going to cost our friends over at First American Financial Corp over a billion dollars. It is something that they can maybe afford to pay a billion dollars in fines and fees.
But how about you as a small business. So we've talked about two-factor authentication many times on my show. And we always set up two-factor authentication when it comes to our clients to keep their data safe. You know, some of them have to have to fall under the rules that are in place for federal military contractors, federal contractors, HIPAA records, etc., etc. So you have to have the right kind of two-factor authentication in place, you have to have the correct type of training, the right kind of databases, etc.
And the people are getting ripped off right, left and center, these companies that are selling some of these things, they don't care. They are just trying to sell you something another point product and other point security, that is not going to help you out. Can you tell I am getting a little pissed today? Excuse, My French.
But here's what's happening. Google has something they call Titan, and we've talked about it on the show before. It is a security key. It was leading edge, and I'm glad they did it. They've been using it internally for all of their logons. So, it's something you have along with something, you know.
Now, you know. I have been promoting Yubikeys. I don't have an investment in any of these companies. We do use them when we are trying to get a company secured. The idea behind the Yubikey and Titan security keys is that it's a little USB fob, you plug it into your computer, you type in your password, you're off and running. Okay?
Well, Google's warning that for the Bluetooth Low Energy version of the Titan security keys it sells for two-factor authentication are vulnerable to hijacking by nearby attackers. Google says if you have them, contact them. And they'll give you a free replacement device that fixes the vulnerability. It has to do with Bluetooth pairing protocols, and that means that anybody within 30 feet can carry out an attack, against you. These are $50, which is about the same cost as a Yubikey. I, personally, would go with the Yubikey. But there now you know about the Google Titan. There is nothing particularly wrong with it, except that it's one version is susceptible to hack. If you check the back of your Titan key, if you pull it out right now, it's probably on your key ring, it's a nice, small thing looks like your USB thumb drive, almost. If it starts with a T1 or T2, it is susceptible to attack and eligible for a free replacement.
We're not going to have time to get into the rest of these things. So let's get into cyberbullying. I think this is an important one. And I want to talk about internet mobs because that's kind of what happened this week to me. And because I was reported on some security stuff, right, and they, they use almost anything they can against you.
And recently we've seen real problems with cyberbullying against kids. According to a survey and a completed study, It reported online bullying affected 43% of kids. One in four has said that happened more than once. 70% of students reported seeing frequent bullying online. Over 80% of teens use a cell phone regularly. I think these numbers are probably higher than what this study showed, in 2014, I bet you they come close to 100%.
Now, most of the teens ignore it. You know I talked about that terrible Netflix show "13 Reasons Why" where a teenage girl committed suicide and left behind 13 cassette tapes explaining her 13 reasons for killing herself. It has led to a 30% increase in teen suicides in the 30 days after that show came out. So there, there's been a correlation drawn on that it did not, by the way, affect adults, it was mainly the 10 to 18-year-olds that it touched. But, we have kids that are thinking about suicide and committing suicide because of cyberbullying. There have been well-publicized criminal cases about this.
Now, how about an internet mob? How about if one of these groups decides to come after you, and the group is just the cheerleaders at school? There's a great story that CNN shared this week about a young lady, named Dominique Mora. She's from Southern California and went to school in St. Paul, Minnesota. She is 23 years old and was attending on a softball scholarship. So she thought it would be great to take a job at Chipotle to help make ends meet. Well, she was working at the store, and a group of teenagers came in ordered food, went to pay for it, and their debit card didn't work. That group of teenagers ran out of the restaurant with the food. They stole it, right. The manager gave them a little coaching and told them here's what they should do. What happened next was another day a group of teenagers came in, and she recognized two of them as being part of the group who had ordered food with the bad debit card before running off with the food. They never paid for it. They called the police and explained that these two teenagers were there and they did not want to serve them. We want them evicted from our store. Here is this young woman, 23 years old, and she asked them to pay first. They pulled up a cell phone, and she didn't realize they were videotaping her and started accusing her of racism because she was a white person caught in the act of doing something labeled racist. Which obviously, there's no racism involved in this at all, they had stolen food from this store, and it was on video, there's surveillance video, it had these two guys on it, according to what CNN is reporting. They dumped this video of her as a racist "B" online. The video of her November confrontation was watched at least 7 million times retweeted at least 30,000 times within two days, and media covered it. Chipotle fired her after it went viral. Now here she is, having done nothing wrong, the police not responding in a reasonable amount of time. It sounds like they never really did respond. It is a case of confirmation bias, these black guys were calling her a racist and the video they presented made it look like she may have been. It is now being used to paint her falsely as a racist. She lost her job and now is worried about what will happen, what she could or should do, and what she should not do. Those are the same questions I opened the show with today that went through my mind 30 years ago and ran through my mind again this week.
Very, very, big deal. I think w have got to spend some time with our kids talking about this. Helping them understand the whole act of bullying, what cyberbullying is. That they should report it to the authorities at school, report it to your teacher, report it to the principal, I guess the vice principal is the one who's usually dealing with these types of things. The most common places where it's happening, and this is from stopbullying.gov, they have a lot of great information. Social media like Facebook, Instagram, Snapchat, Twitter, SMS, you know, your text messages, instant messaging, which includes email provider, app services, social media, and of course, email at self. We've got to be careful because the content that we share online, you can get these internet mobs, this mob mentality where everyone jumps on board and starts attacking people. It can drive not just our teens, but almost anyone to suicide, and we don't want that to happen. Sit and talk with them. You know, I was severely bullied as a kid as well. But you know, I could leave it alone. It was happening on the way to school, at school, on the way back from school. At least there were brackets or definitions surrounding it. But nowadays, there aren't.
All right, I want to send you to my website Craigpeterson.com, because you will find more information about all of these topics today.
A very, interesting one on hackers. About anonymity that was once critical and how that's now changing. I might try and get into that next week. A little bit more here on the show.
Also, the Consumer Reports thing about Tesla. Don't count on their autopilot people. Be very careful. The automatic lane change feature is reported to be far less competent than a human driver. So, don't use it.
Be concerned about cyberbullying.
I'm working here this summer. I'm going to make this a security summer. I'm going to be doing some free courses. We're going to help you guys out with lots of free information.
I give these little webinars. They're not I'm not trying to upsell you or anything else. I'm trying to inform you so make sure you attend. Let me know if you're interested and what topics you think I should cover.
So if you are interested, email me. firstname.lastname@example.org That is P-E-T-E-R-S-O-N Peterson with an O.
Until next week, everybody.
Have a great week.
More stories and tech updates at:
Don't miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: