Nov 24, 2018
Did you rush through Thanksgiving dinner to get to the sales? Did you go out on Black Friday? Are you shopping today and tomorrow? How about online on Cyber Monday? Well, if any of these apply to you, listen in for some tips on how to stay safe while you shop and where to get the best deals.
If you have been listening to prior shows, you know I have been talking about China and their different hacking activities. Well, they are at it again and hacking even more. Listen in as I tell you some of the ways they are doing it now.
You know that I am a fan of two-factor authentication when it is done right. But unfortunately, sometimes it is not done with much thought and it fails. Today, I will talk about one type of two-factor failure.
How readily do you install apps, plugins, etc.? Today we will discuss why millions are installing hacks at the same time.
Did you hear about the government employee who caused a network compromise? When you hear how they did it you might be surprised. Or maybe not.
For these and more tech tips, news, and updates, visit CraigPeterson.com
---
Transcript:
Below is a rush transcript of this segment; it might contain errors.
Airing date: 11/24/2018
Safe Shopping Online - China Hacking Even More - Two Factor Authentication Failure - Millions Are Installing Hacks - Porn Watching Leads To Network Compromise
Craig Peterson 0:00
Hey, hello everybody. Craig Peterson here. Got a lot today as usual. Make sure you visit me online at http://CraigPeterson.com. I've got some great information out there when it comes to online shopping tips, of course, right? That's this time of year when we have to deal with that. So, pros and cons. In fact, there's 10 different tips that we have out there on the website, and we're going to cover some of those today as well. We finished getting everything else set up, right? There's always something you forget to do. So let's get going: safer online shopping.
Craig Peterson 0:44
Well, we all shop online. This year, of course, we're going to set another record, not only for travel but for what people are buying online and how much money they're spending. I've got 10 tips up on my website at http://CraigPeterson.com that you might want to pay attention to. The first tip, and this is a really big one. I think most people might know about it; some people might have forgotten about it. But it has to do with how you are paying. The first part of this tip: skip the debit card. Do not use the debit card. In fact, you can go one step further if you'd like. Some of the companies are already offering you an alternative. For instance, you know, you can use Apple Pay, you can use Samsung Pay, depending on where you are. Apple Pay is very safe. Samsung Pay seems to be quite safe as well.
Craig Peterson 1:39
So if you have to use a debit card, if you don't have a credit card, and I went 20 years without a credit card, so I know what you're feeling here, what you're thinking, and all I had was a debit card: put that debit card behind another payment system, such as Apple Pay or Samsung Pay, if you have a debit card. Otherwise, don't use it. Okay, that's kind of the bottom line here, because debit cards will cause you, you know, no end of grief if that information is stolen, right? So remember that. There's another new trick that's out there, that's been available for a few years, depending on whose credit card you have. You have to have a credit card, not a debit card, in order to do this. And that is getting a temporary credit card. They'll give you a number that only works once, in some cases. Visa has this; MasterCard has their own program. But it only works one time because it's only working that one time.
Craig Peterson 2:41
If someone steals a number, who cares, right? Just because you have a secure server, with that HTTPS and that little lock up in the corner, doesn't mean that your data is secure, other than when it's in transit. So rule number one: skip the debit card. Use Apple Pay if you can, use Samsung Pay if you have to. And you know how, what I feel about some of the Android devices and the software they have. I'm not a big fan of that, right? So use those, or use a temporary credit card number to shop on secure sites. Now, what does that mean? I've had a lot of people ask over the years, hey, listen, this isn't a secure site, I don't want to enter information into it. You could have your information intercepted. And we've talked on my show before about how Russia and China both have routed internet traffic from the US, from businesses, to the foreign offices of the spy agencies and have
Craig Peterson 3:47
gathered information. So if you're using a secure server, you are thwarting the Chinese hackers, the Russian hackers, etc. And that's a very good thing. So make sure you are using a site where the URL begins with https. Okay, so, secure site. This is an obvious one, right? And yet, every time we go into a business we see this isn't being paid attention to, but update all your software. Make sure your operating system's up to date and make sure your browser is up to date. Use the best technology out there. A lot of people have switched to using Firefox. Now it's fast. It's designed to be rather safe and secure. They're updating it constantly. So Firefox seems to be the number one choice for security-conscious web browsers. Safari's quite good, Chrome is quite good, although Google, I'm kind of shaking my head, if you watch this on video. Google is a company that, they keep our information right there, they kind of sell our information to other people. But make sure your software is up to date. And you might want to use one of these tablets that are going to be a little more secure. We'll talk about that in just a second.
Craig Peterson 5:08
Now, email scams, we've talked about these before a lot. And business email compromise has cost US companies over $12 billion over the last two years. Can you believe that? $12 billion, that's a lot of money. And that money comes from these business email compromises, the scams where they get you to click on something that you shouldn't be clicking on. So what's the easiest way to deal with that? I've got a solution. The simplest way to deal with business email compromise scams is to use a different email when you're online shopping. That's what I do. I've been using different email addresses for the last 30-40 years almost. Now those business email addresses that I'm using, I use a different one for every website.
Craig Peterson 6:02
So I know now, an email's coming in, and it's being directed at an address that I know I've only ever used on site X. And yet it's purporting to be from PayPal. It ain't, right? This is not them. This isn't PayPal, because it's coming in from site X that I want to sell. For instance, I sign up for something on Cnet.com, I use a different email address. Now there's a trick here you might not know, and that's the use of the plus sign. Depending on your email system, you may be able to put a plus sign. So, for instance, if you send an email to me@craigpeterson.com, it's going to go to me. If you send email to me+radioshow@craigpeterson.com, it's still going to go to me, and it's going to show that it's sent to craig+radioshow@craigpeterson.com. So I have filters in place, so I know about it. But use a different email address for your online shopping, at least two, right, maybe more. Maybe another one for your banking. I even go so far as to recommend that you use a different computer for some of your online shopping, and certainly for your online banking.
Craig Peterson 7:20
Just say no to clicking links. Never click a link. Just go up to the web browser menu bar and, right in there, type in the URL of where you want to go. Don't follow those links. But beef up your passwords. You know, I have a special report on passwords. I can send that to you if you email me@craigpeterson.com. How about this. Did you like my last tip? Well, why don't you try and send it to me+password@CraigPeterson.com. And that allows me to track and say, yeah, you want password stuff. And I'll be glad to send that to you. That's normally a paid special report, but I'll make it available to you for free. A $97 gift to you. But beef them up.
Craig Peterson 8:08
And when you beef them up, the best way to do that, frankly, is to use a password manager, because they can generate some of the best passwords. We're not going to go into what that means, but that's in the special report: you know, how you should generate them, what they should consist of. Too deep for right now. But beef them up, okay? Never give more information than is absolutely necessary. I think that's a really big deal. So if they're asking for your name and address and various other things, you might want to consider doing something I've done as well for more than 40 years, and that is using kind of a fake name. Now, you're not trying to commit a crime here, this isn't fraud, but you can now track who's using it. So I will spell my name differently, or use part of another name like mine. I even very frequently will use the website name as my name.
Craig Peterson 9:07
So again, if the website is Cnet, it might put Cnet Peterson, for instance, and then my address so they can ship the stuff to me.
Craig Peterson 9:17
Now I know, something comes in an email that says, hey, Cnet. Well, I know where they got my email address from. And I know that nothing that's in there is stuff that, you know, maybe I asked for, maybe I didn't, right, but it's marketing material at the best, and at the worst, it's someone that stole CNET's database and is now trying to defraud me on something. So don't give any more information than needed.
Craig Peterson 9:44
Another really good tip here. These are some great ones, I've got them up on my website. http://safewise.com has these; of course, I'm adding some more in as I go. But don't use free hotspots. They're like manna, right? Everybody uses them. Unless you have the right kind of VPN. And I gotta say, most people have no idea what that VPN is really doing. Most of the free VPNs and the cheap VPNs are stealing your data. Now, they're not necessarily stealing it to have your credit card and use your credit card against us. Some of them are, but they are stealing your data. So be careful with that. Public networks just plain aren't secured. Other people can also connect to your computer. And many times a bad guy will set up a fake little wireless network and make it look like it's for the coffee shop or for the store you're in, and when you connect to it, you're really connecting to them, and they're stealing your data. Be smart about the shopping apps that you're using.
Craig Peterson 10:49
If you're an Android user particularly, people, only use apps from the Play Store. That does not guarantee that they're safe, by the way, because the Google Play Store is not meticulous about making sure that all of the apps are safe, that they're not doing something nefarious. Apple's store, Apple's App Store, is much better about doing that. But again, you're not necessarily safe. Okay? Don't let your computer or your device remember your credit card number. You probably don't want them to remember passwords and things; again, that's why you should use a password manager.
Craig Peterson 11:27
Does that make sense to you? Bottom line is, is that something that you think you should be doing? Is it obvious? I think it is. So if you want that password manager information, just email me@craigpeterson.com. You'll find this article and others right there online at http://craigpeterson.com. Alright, and next up here, we're going to be talking about what China is up to.
Craig Peterson 12:00
Well, you can't think that I would do a whole show just on Cyber Monday and shopping over the holidays. Do you think China has taken the gloves off when it comes to the theft of US technology? Now, you might call this a great microchip heist. We've seen China breaking into computer systems. In fact, right here locally, we've picked up a new security client where I'm acting as their data security officer, and we found Chinese backdoors on it. But there's a great article from the LA Times I've put up on http://CraigPeterson.com, and it's talking about this stunning microchip heist. Our computers have memory in them. There's different types of memory; one of those types is called DRAM. It's very important memory. It's kind of, typically it's the main memory for your computer, right? Not the hard disk, not the SSD, but the main computing memory that's in it. We've been tracking this for a while, and it turns out that the US federal government has been tracking Beijing for the last couple of years.
Craig Peterson 13:11
Now, I'm not going to get into all of the details. You might want to read this article up on http://CraigPeterson.com, but it's talking about China and how they've prioritized stealing intellectual property. And they really wanted to be able to manufacture these DRAM chips.
Craig Peterson 13:27
So they managed to get this information. And believe me, they're doing it by hook or by crook. The small-medium businesses are the most attacked, they're the most vulnerable, and they have the most to lose. So the Special Agent in Charge of the FBI San Francisco office, John Bennett, is saying that out there in Silicon Valley they've been going double time. The quote is, they don't care if they get caught, or people go to jail, as long as it justifies there. And they are not going to stop. And of course, the Trump administration has been increasing some of its rhetoric when it comes to the Chinese and what the Chinese have been doing. So it's been a big deal all the way around. It's kind of a scary thing, frankly. So that's our little bit of a China story here. When we come back, we're going to talk about some more leaky data out there.
Craig Peterson 14:26
Alright, so next up, this is kind of interesting, because all of us have SMS, right? You have a phone. SMS is the simple messaging system, aka texting, right, that you're used to with your phone. And we all have these, we all use these. And we talk a lot about two-factor authentication with our clients, and I've talked about it on the show here before. You've got to have the ability to not only know a password but have something. The best security is something you know along with something you have. So many websites have decided that the easiest way to have two-factor authentication is you've got your cell phone, right? That's something you have, along with something you know, which is your password. So what do they do? When you try and log in, or maybe once a week when you try and log in, they'll send a text to you. And then that text is used to do what? That text is used to send you a number, so that you log in with your username and password, and then you enter that number. That's a type of two-factor authentication. And that works great, except when it doesn't. So there are bad guys out there who have been very busy trying to do a couple of things to us. One is they will do SIM hijacking, which is a real problem nowadays. Or, in this case, we've got a massive security lapse.
Craig Peterson 15:58
This is a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications, and more. So let that sink in. Have you ever used your phone to identify yourself? Have you ever used your phone to get a password reset link? Now, some of these companies that send it to your phone are pretty smart. They realize, hey, listen, that's your phone, stuff like this could happen, and at that point your data is exposed, right, which is a very bad thing. So they put a limit on it. It's only good for maybe 5, 10 minutes. Some of them, though, are good for a very long time. The exposed server belongs to a company called Voxox, and it used to be called Telcentris. They're out of San Diego, California. They're a communications company, and they lost a huge number. What was it? I'm trying to find the number here in this article. 26 million. Here you go: text messages, year-to-date.
Craig Peterson 17:05
So what was found by TechCrunch, in looking at this: they found passwords sent in plain text to a phone number from a dating app called Badoo. Several Booking.com customers were sent their six-digit two-factor codes to log into the company's corporate network. Fidelity Investments, Fidelity, right, they're located right here in my town, also sent six-digit security codes to one number in Chicago. Many messages included two-factor verification codes for Google accounts all over the world, including Latin America. Mountain View, California credit union, it goes on and on. Shipping notification texts sent by Amazon. That's a little less troublesome, unless you are someone who is trying to steal some of these Amazon packages, which we've mentioned before. But it goes on and on: Huawei ID verification phones, etc. Very, very bad. But this goes to the point of two-factor authentication, and using your phone for 2FA, two-factor authentication. If you can avoid it, avoid it. What I do is I use an app, and it's called Duo. Let me pull it up here for you right now. If you're watching this on video, you can see my phone. If not, you're going to have to kind of imagine.
Craig Peterson 18:30
But this is my Duo app. And you can see I've got my Mainstream protected login, my Craig Peterson login, Facebook, Amazon, and more, right here. So what happens with this is, this is a special app that runs on smartphones and ties into these applications.
Craig Peterson 18:48
And if I am trying to log in, particularly if I'm logging into a system that has our customers' data on it, it will go ahead and send a notification. Sorry for the little coughing fit there, I hit the cough button.
Craig Peterson 19:06
But it'll send a notification to my phone that the app activates. And I now have to authenticate to the app. So it uses passcodes, but it also uses biometric identification. So I'm logging into a system that has client information on it. Obviously, that's critical, right? That's something we have to watch for. So we're logging into the system,
Craig Peterson 19:32
I am now authorized to access it, because I've given the password, I've given bio information, thumbprint or face print, etc.
Craig Peterson 19:42
And so now that application knows it really is me. So think about that. Use something like Duo. It was just bought by Cisco. It's funny, all of these companies that we've been using that Cisco ends up buying. It's good because, you know, we're part of the Cisco ecosystem, we're pretty high up actually in the Cisco installer and reseller space. But they bought it, it's now integrated, and you can expect more and more of these things as time goes forward. But these are the leaks that we worry about. This is one we found out about. How many of them did we not find out about? That's what's next here. We're going to talk right now about the hack
Craig Peterson 20:20
that millions of people are installing themselves. Yeah, yeah, really. And you might be doing this too. This is something we're always cleaning up for customers.
Craig Peterson 20:37
Now, you are using a web browser, right? Who doesn't use web browsers nowadays? You go on, I just did some banking this morning using my web browser. Now, again, I use a different web browser for banking than I do for other things. And I often will use a different machine; kind of depends on what accounts I'm messing around with. But the internet browser is the gateway from your world to the internet world. And many of us just don't pay the type of attention we should pay to our internet browsers. Now, everyday users.
Craig Peterson 21:10
According to this study that was done here very recently, information that was released from Google, nearly half of all users of Chrome on the desktop use browser extensions. Now, they can be very handy. In fact, a Chrome browser is essentially an operating system in and of itself, right? But some of these browser extensions are now being used to hack into people's computers by the millions.
Craig Peterson 21:43
Now, simple things like unwanted advertisements is one thing. But they've been stealing passwords, they've been siphoning other sensitive information, they've been using some of these browser plugins to mine for cryptocurrency, which means your machine is now going to overheat as it's looking for cryptocurrency, which, by the way, will make them money but will cost you a lot more in your electric bill alone. Why is it getting hot? Because it's burning all that electricity. Okay, so this is a prime target for hackers. You might not want to use them; avoid them when possible. I do use a few. And what I tend to do is activate an extension when I need it.
Craig Peterson 22:28
So if I'm trying to figure out a Facebook Pixel, I'll turn on the Facebook Pixel extension. If I want to add something to Instapaper or my Pocket account so that I can use it and follow up in some of the webinars I do or this radio show, I turn it on when I need it, because it's giving these devices privileged access. And that's something, frankly, we just don't want to do. Okay, well, a million users here, just for one Chrome extension. This is getting to be a very, very big problem.
Craig Peterson 23:04
Now we're going to talk about something that is also a big problem and cost the federal government a whole lot of money. Most of us are smart enough, right? And we were just talking about extensions to Chrome and other web browsers and how that can really cause some havoc with your security. Most of us are smart enough not to go to online porn sites or gambling sites.
Craig Peterson 23:31
Those are the two worst right now when it comes to malware. Well, this is kind of interesting, because the Interior Department has this watchdog, and they found that the US Geological Survey had been the source of a massive breach. And I mean massive breach. The agency's inspector general traced malicious software to a single unnamed USGS employee. That's US Geological Survey employee. Now, that employee reportedly used a government-issued computer to visit some 9,000 porn websites. So this is according to a report that was published about a month ago. Many of these prohibited pages were linked to Russian websites containing malware, which was ultimately downloaded to the employee's computer and used to infiltrate Geological Survey networks. Now, this is according to the auditors that went in afterward. The investigation found the employee saved much of the pornographic material on an unauthorized USB drive and personal Android cell phone, both of which were connected to their computer against agency protocol. By the way, the employee's cell phone was also infected with malware.
Craig Peterson 24:52
Well, what can we learn from this? Has this happened to you in your business? Have you got, first of all, in place policies and procedures that say employees cannot, should not, do that? And then secondly, do you have any method in place to stop them from doing that, even if they're breaking the policies, right? The policies are there, but that doesn't mean that they're going to be obeyed. So do you have the proper filters at the network edge that are going to stop people from breaking out into the internet? How about on the local computers? Have you turned off the USB ports? And, you know, a lot of places do that. You can turn them off in the BIOS, and then the employee goes in and turns them back on, which means, of course, you should have at the very least protected BIOSes on those machines. Of course, nowadays we're not using BIOSes, but the same concept applies. Many businesses and government agencies have decided that they have to completely disable those ports, which is too bad, because employees are taking their phones, right, the Android phone, and hooking it up, plugging it in. Let me see. Oh, look at this. I've got a charging cable right here. I think I'm going to plug my phone in. Right, and they do that. Now viruses come out from their phones, they go into the computers, they spread through the networks, the phones become infected by infected computers. So they're putting epoxy into those ports on the computers. And I've had more than one client that had their employees, you walk around and you see all of these cables, whether they're like this for an Apple or regular USB cables, you know, micro USB or now USB-C cables, and we recommend that they all be removed. And so we remove them all, and employees get upset because, you know, they want to hear from their family from time to time; they're not necessarily on their phone all day long.
Craig Peterson 26:49
How do you deal with that, right? That's a problem. And then add on to that the fact that they're on your network, or on your business network. Is it being controlled? Is it being controlled properly, right? All great questions. So keep an eye on this one: a porn-watching government employee introduced a massive problem for the US Geological Survey. How about for you in your business, right? Think about it for a minute. Put those in place. If you want more information, reach out to me@craigpeterson.com. I've got some great employee handbook sections that we can share with you. We've got all kinds of good information there on the website, again, http://CraigPeterson.com. Make sure you sign up, and that's easy enough to do. And I would love for you to rate my show and my podcast. Go to http://CraigPeterson.com/iTunes. That will take you right to my podcast on iTunes where you can subscribe, and I'd really appreciate it if you did, because those numbers really help us reach more people out there. And while you're there, hopefully you'll give me a five-star rating. I'd appreciate it. http://CraigPeterson.com/iTunes. Have a great week ahead, and we'll talk with you again soon. Bye bye.
---
Related articles:
10 Cybersecurity Tips for Online Shopping
The Security Hack Millions of People are Unknowingly Installing Themselves
China 'Has Taken the Gloves Off' in its Thefts of U.S. Technology Secrets
Forget the New iPhones: Apple's Best Product is now Privacy
The New YUBIKEY Will Help Kill the Password
This Windows File May be Secretly Hoarding Your Passwords and Emails
Healthcare.gov Breach Included Social Security Numbers and, reportedly, Children's Info
Porn-watching Employee Infected Government Networks with Russian Malware, IG says
---
For questions, call or text:
855-385-5553