Mar 23, 2019
That last tweet or Facebook picture may raise your insurance rates. We will explore why.
Extortion and the Internet: now even normal people are the targets of these tactics. Unpacking the trend in virtual kidnapping.
Who's watching us? Why? Yes, it is time to talk more deeply about surveillance.
For all this and more tech tips, news, and updates, visit CraigPeterson.com
Below is a rush transcript of this segment; it might contain errors.
Airing date: 03/23/2019
Using Social Media Posts For Insurance Rates - Virtual Kidnapping - The Surveillance State
Craig Peterson 0:00
This has kind of become my theme music over the last couple of months, hasn't it?
I like it. I've been using it in all of my training videos and just all over the place.
And it's nice because I have the rights to use it, right? I don't have to worry about getting banned on YouTube or some other place because I'm using music I don't own, right? Copyrighted stuff. But it's crazy when people do that. And, I guess, they just don't know. Well, we have a bunch to talk about today.
Also, I don't know if you caught it this week, but make sure you catch my podcast at http://CraigPeterson.com/iTunes. I talked about two business problems this week. We've got a huge aluminum manufacturing giant over in Norway. It's not just a basic manufacturer; I mean, these guys are huge. It's called Norsk Hydro; they also provide power and other things. They had to shut down because they were nailed with ransomware. So I went through what happened there, what the whole thing was about, some pros and cons, some things that we as business people can keep an eye out for.
And then I also talked a little bit, in fact quite a bit, about this Michael Cohen investigation and Triggerfish, and what that is all about. And yeah, I thought that they had pretty much stopped using Triggerfish and some of these other technologies. But as it turns out, no, that is not the case. So that's what I talked about this week on It's a Security Thing. And right now, of course, we are live on the radio. And we're going to talk about a half a dozen other things that we just never managed to have quite enough time to get to, right. We're going to be talking about HR departments and the problem we have right now, with the huge high employment rate, how some of them are turning to artificial intelligence and how you might too. The guy who founded WhatsApp has a warning for us about Facebook, and I don't know this guy; come on, you made your money, you got out, and now you're upset. Bizarre malware is disabling some safety systems at industrial plants. And it's an interesting, quote, ethical line, unquote, for hackers, because historically they have avoided things that would cause problems with public safety. But now they are no longer doing that. I talked a bit about that as well this week on It's a Security Thing, on my podcast again at http://CraigPeterson.com/iTunes. A massive database leak: we know we're seeing these almost every week, but this one's more interesting, because it turns out it's surveillance on Chinese citizens by China. So what are they doing over there in China's digital surveillance state, and what's coming here, because these companies that are providing them with the tech are based in the US? And life insurers can now use social media posts to determine your premiums. That's an interesting one.
And we will start up with two virtual kidnapping scams that occurred within 24 hours this week over in Laguna Beach. And it's something that I have a bit of a personal tie to, not in Laguna Beach, but these virtual kidnapping scams. One of the ladies who works with me, her friend had one of these happen to her. In fact, I think she got called, this lady who works with me. And man, Maria, the thing that happened. It was just absolutely amazing. This is an article from the Orange County Register in California; it's up on my website, http://CraigPeterson.com. Two virtual kidnap cases within 24 hours have led police to alert all local schools. Both of these incidents were similar: phone calls were made to potential victims, with the caller demanding a large sum of money or threatening to harm a loved one. Quote, we definitely believe these incidents are connected, said Sergeant Jim Kota, who last summer spearheaded assistance for a Laguna mother who sought help after receiving a threatening call. They are happening in surrounding cities and all appear to be connected to the same group. All of them want money transferred to an account in Mexico. And they are directing victims outside of the city to withdraw money. It's like they've been there before. They're sending them all to Costa Mesa to make this payment.
So they had a report on March 7, and the victim of this scam had already paid $5,000. And the article goes into some detail. But here's the bottom line on it.
The FBI got involved about a week ago. And of course, they investigate the scams, and they work with local law enforcement agencies. So if something like this happens to you, you can call your local police department. But what these virtual kidnapping scams are, and what happened to the lady who works with me, is that they call you up pretending they have kidnapped a loved one. Now, usually, they've found out a little bit about you; they might have gone onto your social media to figure out who you are, what you're doing, where you are, who your friends are, etc. And so many of us have that information out in public on Facebook and elsewhere. So they reach out to you, and they say, I'm holding so-and-so hostage, and unless you make this payment, I am not going to release them, I'm going to kill them, or whatever it is. So these are virtual kidnapping cases. Now in the case of the lady who works with me, she got a call about a friend she has. And sometimes these are, hey, they're out of the country, they need money to get back in, and I'm with the government, and we're holding them because they did something wrong, etc. There are all kinds of these scams. But she was smart enough to call up that person and found out that, yeah, that's not me, I don't know what's going on, I'm fine. There's nothing going on at all. So that's something to keep in mind, too, that you can call, do a little research on your own, and follow up, because these people are not necessarily really smart or thorough in what they're doing. So keep that in mind as well. But the Laguna police department is warning people that it's happening on a wider basis right now.
Next up, we have this questionable practice by life insurers; you know that many life insurance companies use your credit rating to come up with the premium. They do that for all kinds of things now. They do it for health, they do it for employment, looking at your credit rating. And we've also talked before about how in some countries like China, they're using your social credit now to determine whether or not you're worthy of a loan, etc. You know, five years ago, we wouldn't have thought twice about this; who would have thought this was crazy? It's not likely to happen. You guys haven't, because we've been talking about this for, what, 10 or 15 years. But New York's Department of Financial Services has released new guidelines that will allow life insurance companies to use data from customers' social media posts to determine their premiums. And experts are saying these rules could potentially extend to other states and, you know, some of these federally chartered companies and agencies. So the new guidelines are suggesting that companies can use the data from other nontraditional sources as well, though insurers will have to prove the information doesn't unfairly discriminate against protected groups.
There's a bunch of really press-release-style stuff here in the article, if you're interested; that's up at http://CraigPeterson.com.
The National Association of Insurance Commissioners released a white paper back in 2012, from what they call their social media working group, that addressed the ways that insurance companies could use social media in their marketing, and also ways to use it to monitor customers. And they're saying that as of 2012, they were already using it. So we've warned everybody for a very long time: do not post things online that you don't want to have show up later on. Because that's one of the first things that police do when they start investigating someone now; they'll go to your social media, they'll search for you online. Right? Google is their first line of investigation. And it looks like even for this dossier they've been using to go after President Trump and try to show Russian collusion, even that dossier was put together from online searches on the CNN website of posts people had put up. Man, I heard that this week; I have no idea about the validity of that. But what we say online reflects us to some degree. And if you do say it online, it can and will be used against you. Now, you know, I like Apple, and I love the way they handle privacy; they don't give all kinds of information out to third parties. They're not trying to mine that information themselves to have some sort of significant advantage about you, or in what you're doing and where you're going, etc. So Apple's pretty good about that. But remember that Apple too, if they have a subpoena that's obviously legitimately issued, will give up information about you. And they have turned over iCloud accounts and other things. So just because you have things online that you've posted that are considered private, and you shared them with your best friend or your family, remember that law enforcement can certainly get at them. Bad guys can get at them; they're always cracking into Facebook accounts. And your friend or family member has it and could possibly reshare it, at which point now it's no longer private, right?
They could repost it; they could save it; they could put it away for a rainy day when they want to blackmail you. So be very, very careful about what you say online, because much of that can and will be used against you in the court of public or company opinion. And I think New York might have done us a bit of a favor here too. Because it's not just about going onto social media, you know, Facebook or Twitter or whatever. It really goes to the next level. You know, we've seen deep fakes; we've talked about them here before. One of the big ones is this plane that's kind of flipping around, and it's a big-ass jet, a passenger jet. And it was a total fake, and it was shared millions of times online. So you've got that. But you also have legitimate stuff. But I think part of the favor they're doing here is putting something on the record that can be challenged. These life insurance actuarial tables, the car insurance that you buy that is based at least partially on your credit rating: how do they work? What are the parameters that go into these? How is the program written? What bugs are there in that program? You don't know; they won't tell you. And that's part of the problem I have with what California is doing with getting rid of the bail bondsman. They say, well, we can trust this algorithm. No, we can't. How many times have we talked about having computer programs fail on us?
So there are no states right now that have any rules or regulations about how life insurers and the automobile insurers and the bondsmen can populate the data for their algorithms, for their programs. There are no rules, there are no regulations, you can't challenge them in court. They'll bring in some professional who says some mumbo jumbo that's beyond the judge, beyond the jury, and beyond the truth, right, all in one. But you don't know that. We do know that they're currently using public records like home ownership data, credit information, the education level that you had in college or high school, any civil judgment, any licenses you have, anything they can find that's public, and even your internet use and history, if they can get their hands on it. And now this is an extra step, and people are freaking out. And I get it; I understand that; I would too. But now we can get the legal system into action. And I hope they do. And I hope that there's a good precedent set and not some lousy precedent. So, you know, you see that too much when you have judges, juries, and, you know, defense attorneys and prosecution attorneys who really don't understand what's going on. And so then you end up with bad judgments, right? Bad dicta in the cases, from the judges, etc., etc.
We've got this massive database leak, and I found out about it from the Electronic Frontier Foundation; I put their article up on my site at http://CraigPeterson.com. Earlier this month, a security researcher found and disclosed an exposed, unprotected database.
And this database was online. These things happen all of the time; people are building software, and they don't understand the implications of what they're doing. And I talked about it on my It's a Security Thing podcast this week.
They just don't understand. And because they don't understand, they're just messing everybody up. And I see this almost everywhere. You know, businesses, when you have a new product you're designing, or when you have a product you're using, even when you're using third-party software as a service that you might trust, have a true security professional look it over. And there are security professionals available. I know there are almost 3 million job openings in our security world out there. But they are available; pay them. You can't pay them enough to come and have a serious look at this.
You'll pay to have an attorney come in at hundreds of dollars an hour, some of these attorneys are over $1,000 an hour, to look at something, to look at the legality, because, well, you might save tens of thousands or even a million dollars in a lawsuit.
Well, the same thing is true with security.
If your data is breached, you could easily face more than a million dollars in fines, and no judge or jury is going to protect you from that. These are fines that are levied by the regulating agencies. And there's basically nowhere to turn; then on top of it, you could have your customers suing you, you could have consumers sue you because their information got out. And you could end up with hundreds of millions of dollars in judgments against you. But no, what are you going to do? Oh, you're just going to trust your IT guy, who was a programmer, who has his bachelor's or even master's or doctorate in computer programming from some university.
No. You need a specialist, just like you go to a specialist law firm. You need a true specialist. And people just aren't doing it. So here's an example from this security researcher. And yeah, we're talking about China here. But China has hired some American companies to build this. So in this case, this database is owned by a company called SenseNets. It's a private artificial intelligence company that advertises facial recognition and crowd analysis technologies. So you'd think that they would have some modicum of understanding about security, but they didn't. And they didn't hire a security expert to come in.
And what's that going to cost you? 100,000? 200,000? Half a million, maybe? And instead of that, they'd rather just lose the whole business because they don't see that as a real risk. Well, let's talk about this risk, because we'll get to this Chinese company here in just a second. But let's talk about the risk.
There was a cybersecurity firm that just released a little report saying that they found at least 468 MongoDB servers exposed to the public internet. Almost 500. Well, what's a MongoDB server? These are database servers; the main technology group is called NoSQL, and they're typically used for huge databases. So what did this company SenseNet have in this database? SenseNets, excuse me.
Well, it turned out all it had was DNA samples, voice samples, fingerprints, iris scans, and much, much more. These were all residents between the ages of 12 and 65 who were from Xinjiang. And they had been questioned about their use of mobile and internet tools. Over there, just having WhatsApp or Skype installed on your phone is classified as subversive behavior. Remember that China is a socialist country, I don't know. But most people, I get it, most people don't want to mention the fact that they're Communist or socialist, or that they are just incredibly under the thumb of the government. Heaven forbid, you know, we want that here, right, in the United States. Right? Yeah. Okay. And since 2017, the authorities in China have told all of the Xinjiang mobile phone users that they have to install the spyware app, to prevent them from accessing terrorist information. That's a quote. Okay.
So we've got evidence now of mass detention centers, newly erected surveillance systems, that China has been bulldozing whole towns because of subversive behavior. China has been pouring billions of dollars into physical and digital means of substantial surveillance in Xinjiang and other regions over there in China. So it's been unclear to a lot of researchers and human rights activists just to what extent these projects are operating. You know, heaven forbid that happened in our country. Oh, wait a minute. It did. Right. We did have surveillance going on. The NSA is scrapping some of those programs; maybe it wasn't the same. Perhaps we haven't been putting people into detention centers. But come on, guys. We're already at a place where five years ago we didn't think we would be, right? We just discussed that. Ten years ago, where did we think we'd be in five or 10 years from now? Hopefully, civil libertarians are out there. Indeed, the major parties have been stepping up; the Democrat Party really hasn't been looking at what Obama did with significant increases in surveillance. I kind of get it: after 9/11, maybe we want to have a look-see and figure out what's going on, because it kind of hit us from the middle of nowhere in some ways. But that has to go away; it looks like it is going to go away this year under President Trump. And hopefully the Democratic House is going to go along with it as well.
But now we have found out, we found out more because of this data leak that happened with this security company, I'd laugh and laugh about that, over in the US helping China.
So in addition to some of the biometric and other information, this database of 2.6 million people includes their national ID number, think Social Security number, which our government obviously has on us as well. Ethnicity. Well, you know, we've been giving that to our government for years on forms that we fill out. Our nationality; our government has that. Phone number; our government has that. Date of birth; our government has that. Home addresses; our government has that. Employer; our government has that. And photos; our government has that.
So all of these same types of records that our government has were found in this database online, from a company that's selling technology to track citizens to the Chinese government. Now, over 24 hours, just one day, this database collected 6.2 million individual GPS coordinates linking these citizens of this province, of this area in China, connecting them to various public camera streams, all automatically, where they're tracking them in the streets, and identification checkpoints. You love that idea of inspections, right? Like Checkpoint Charlie, for those of us who are old enough to remember that.
Checkpoints associated with location tags such as hotels, mosques, and police stations, with the GPS coordinates all located within Xinjiang, where they're doing this service.
My gosh. So Gevers also reported a second open database tracking the movements of millions of cars and pedestrians. Violations like jaywalking, speeding, and going through a red light are detected; they trigger the camera to take a photo and ping a WeChat app, presumably to try and tie the event to an identity.
It goes on and on. So this database was exposed to anyone with an internet connection for the last six months. Oh, by the way, some of these other 468 database servers that were found on the open Internet contain detailed information about remote access consoles owned by China General Nuclear Power Group, and the GPS coordinates of bike rentals. So there you go with the surveillance state over there in China.
They're tolerating poor engineering that is getting cracked down on, by the way, in Western countries, Europe, the United States; companies are getting sued over this. We were helping out a company, a small practice, a doctor's office, that's trying to upgrade, trying to secure things, trying to do the right thing. And it was just shocking when we looked into all of these medical apps that are supposedly HIPAA compliant. We did not find a single app that claimed to be HIPAA compliant that actually was HIPAA compliant. Nothing being done about data at rest, and just on and on from there. It's nuts how bad most of the programming, most of the software, is out there. So I feel sorry for a lot of companies, because you're stuck. You are stuck. But you've got to find and hire security experts to review what you have in place, if they're willing to do it, because, you know, good guys like me don't run out willy-nilly and look at networks and look at security setups and everything else. There's just too much for me to do. There's too much business out there. But you still have got to do it. And you've got to investigate the people who are working for you who say they have a security background, because they may or may not.
That leads us to our last story we're able to get to today. Well, I'll just do this really briefly, because I want to hit one other topic, but HR departments now, according to The Wall Street Journal, are turning to artificial intelligence to try and find talent, because good people are disappearing off the market almost instantly. They're using AI by getting into Microsoft's databases. Remember, they bought LinkedIn, so they've got all kinds of information about people. It's combing through the profiles of more than 610 million members, tens of thousands of skills and titles, and looking at behavioral data, and going on and on about what jobs candidates are applying for.
Citizens Bank launched an AI-powered career coach named Myca, which is short for "my career." IBM has a chatbot that has AI built into it. And you may have to do that yourself if you're looking to hire. It's getting more and more difficult to get excellent talent, especially in the IT space and more specifically in the computer security space. And WhatsApp, you've probably heard about that if you're not using it. But WhatsApp is a company that was purchased and became part of the Facebook group. And man, the guy who sold it made some serious money. I can't remember what it was offhand, but I think it was in the billion-plus range. Well, the founder of WhatsApp is warning people. He's saying you need to delete Facebook immediately. And this article from the Daily Mail over in the UK talks about why, all of the reasons why you should, and how the disclosure of your information is just rampant over at Facebook anyhow.
Have a great week. We are finishing up our DIY cybersecurity course. This week will be our last week of coaching calls. So a shout-out to everybody and a big thanks to everybody who's been involved in asking questions. And we've been answering all kinds of questions from everybody this week. It's getting busier. You can text me at 855-385-5553 anytime or just email me@CraigPeterson.com. Hey, have a great week. Bye-bye.