Jan 26, 2019
I know you have heard of SpearPhishing - but it has nothing to do with how fishing is done in the South Pacific. It is a targeted attack and you need to understand how it happens and why it is so effective - Listen in as I discuss this in detail.
There is a lot of cover-up going on for the malfeasance in DC these days. Who better to blame than the Big Bad Russians. With the DNC who can't seem to protect their systems, whenever something happens they immediately blame the Russians. Well, not so fast. Listen in today and I will tell you that it is not always the Russians especially when it comes to the DNC.
Do you know what the Largest Data Breach Ever is? I will cover that in today's show!
The Global Data Privacy Regulation went into full effect in May last year and they have now snared their first big fine against a company who failed to comply. Listen in and I will tell you who it was and why they were caught.
These and more tech tips, news, and updates visit - CraigPeterson.com
Below is a rush transcript of this segment, it might contain errors.
Airing date: 01/26/2019
What Is Spear Phishing Really - DNC Says Russians Attacking Them Again - Largest Data Breach Ever - GDPR Snares First Big Fine
Craig Peterson: 0:00
Hey, good morning, everybody. Craig Peterson here with our new bumper music. As I said last week, I'm gonna like this. It's kind of cool. It's a, it's called bound and determined and I got the licenses to use this. So, you probably hear it again, that's for sure. Hey, show number 991, almost 1000 weeks of shows. How's that for a long time. And of course, we've been podcasting now one of the longest podcasters out there, but I've never really done any the heavy promotion so, all of you who have found the show either on the radio or heard me as a guest or see me as a regular on TV, etc. and found this as a podcast. Welcome to you and everyone listening over the air. Hey, hi. Howdy everybody, of course, I am on every Saturday at this same time we're having to cut it back a bit. I had a three hour show for many, many years and that was kind of fun and I had a lot of different guests on and it just got to be all-consuming because it was taking us, my wife was helping out and of course I was doing a lot of work and I would say it probably was in the order of two to three full days a week to put together a three hour show on Saturday. Because you know me, right, I like to do the research like to have great guests when I do have guests and try and put everything in order so a whole lot of work and we cut it back in the stations had some paying customers that wanted the time I was on and a chance for them to make some more money from some other people really good thing so I'm not paid for this I do this out of love this is definitely a labor of love and I have had so many wonderful emails from everybody, not everybody, but from so many people out there it was everybody but so many people out there just thanking me for it because they realize the amount of effort I put in some you know some just been too kind. It's been phenomenal, so thanks, to everyone that's reached out and said hello. Everybody who has rated the podcast over on iTunes. We keep trying to follow up with Iheart to get it on their podcast platform and it just hasn't happened. It's just weird. So, I'm on a number of other platforms out there platforms and want me to pay to be on them hey I'm not there I do you have a content provider. I use Libsyn because I was hosting at myself for a lot of years and Libsyn has some better stats and statistical programs and things that are you know useful for us because that way we can see who's listening where they're listening and everything and I find that interesting and get to see trends in the shows and whether or not it really makes sense for me to keep it up so for now anyways it's making sense because there's just so many wonderful people saying wonderful things about it and we may go back to an hour I'm not sure depends on what happens on these radio stations that I'm on but I am on every week as well on iHeart. I am covering pretty much just didn't New Hampshire with Jack Heath every Monday morning at about 730 and of course we're discussing the latest in security and technology topics but I'm on with him at 730 on a whole bunch of stations in fact a few different chains of stations that I'm on. And I am on Tuesday mornings in Mass in Worcester and in Springfield but two second biggest and third biggest cities in the state of Mass. And I'm on with the Jim Polito show there. And on Wednesdays. I'm on in Maine up on WGAN and their affiliate stations throughout the state of Maine.
So I'm probably gonna keep doing those. I don't see why wouldn't do those. And I want to keep doing this radio show as well because it is helping a lot of people. And that's our goal. Yesterday afternoon, we had a special seminar you should have gotten and I'm not going to harp on you anymore. I've sent like three or four emails to everybody. You should have gotten my free special report on how to keep your information safe from hackers because they got it right. There's no two ways about it. You're right. You know, you've got to have been part of that one of these hacks. I'm going to talk today about another big hack that was uncovered just in the last week or so. So, if you have been hacked and you have had your accounts taken or credit card compromised, it's not your fault. Okay. It really isn't. It's a fault of these companies and government organizations because the feds have been hacked to who just have not cared enough about your security. And really, they don't care. They could hire someone like me, internally, to take care of their security. Heck, they could hire me, but they just don't care. They don't. Right, you are to them a bottom line figure you're expendable if your information was stolen, they look at it and say, Well, how much is it going to cost us if we have to go to court on this. And they figure, well, it's going to be cheaper because most people aren't going to sue and even if they do maybe we can turn it into a class action. And then that'll be cheaper for us, right on and on and on on who hasn't heard this stuff before. It just happens too much and has happened to all of us. And I think that's just a crying shame. So that's what that special report for not remind you to can about it. But if you didn't get it, make sure you check your email because there's no charge for any of this stuff. And yesterday afternoon, I had a walk through some people wanted me to spend some time with them. So we split them up into small groups and did walk and everything with them. So that happened yesterday as well. So shout out to everybody that was on yesterday. glad you were able to join us.
Now today, we have a lot to talk about looks like the DNC and the Russians, or again, this huge email breach. We're going to talk about some scams, it gets kind of technical. And I get into the very technical stuff when I do the webinars for the FBI in regard program. And I'm not going to get real technical with you guys. But I want you to understand a little bit about what's going on. So if you are a business person, you can talk security with your security people and make sure they are covering this very interesting backstory here on Khashoggi and how they may have been able to find him and where did that recording come from? And the surveillance capitalism, great article from The Guardian and the EU privacy law. You've heard me talk about GDPR, and we've helped a lot of companies with that summer concern. I gotta tell you, almost no companies are concerned about it. Well, it looks like Google might be concerned they just got nailed for violating that new law. So let's get going here. Let's talk about what's been happening with these Russian hackers.
You know, I've always wondered just what did the Russians do? Did they do much of anything, they seem to like to just kind of mess around just like we to frankly, you know, it's not as though we are not out there looking at trying to use technology as a first strike capability or defensive capability. We're continually probing other people's networks and monitoring what's going on. So, to hear that the Russians, for instance, are trying to break into something, It's not as though they are our mortal enemies, The fact that they're trying to get in, doesn't mean they are mortal enemies, it does mean that the very least they're trying to get our information and probe our infrastructure, right. Can we agree on that? Now, when it comes to the political side of things, I think things get a little bit different because frankly, I think in those cases, the Russians are trying to do something different. I think in those cases, the Russians are trying to find information about our policies or politics, just like that might try and get into the State Department or get into the NSA or FBI or something else, just like they have forever, just like we have forever. Have you ever watched a spy movie, right? It's been going on forever. Ethan Hunt, right? What does he do the Tom Cruise character? He's trying to get into things. He's trying to influence things. He's trying to get information to protect informants and everything out. So what has changed isn't the desire of the various nations to get it our information or get it everybody else's information. But what has changed is just the way they're doing it. They don't have to have women trying to seduce like they used to have, they don't have to have so many of these things, because all they need to do is get someone to click on a link. We know about Podesta again, the DNC link where he went ahead, and he clicked on it, a phishing email. Well, was that aimed at him because of his tie to the Clinton campaign, the Obama government or just because he had an email address? The results the same, they got the information, the big question is, did they use it? And what did they use it for?
So now we have a story that came out this last week from the Democratic National Committee. And apparently, they're there, according to this article, and seen it written by Edward Moyer trying to come back and hack them some more. Now. I don't know what's going on. I'm sure the Russians are trying to infiltrate I look at now look at my firewalls right at my home, I look at the firewalls at our office, I look at the firewalls. We are maintaining, you know, managing for businesses all over the world — some of the huge businesses, some of them very small businesses. And I asked myself, what's going on here because I'm seeing attacks, I don't have a server that I can think of that isn't being at least probed almost every second and some of them multiple times a second. So they're being probed. Is that an attack? They're trying to log into these servers. Is that the attack? They may? In my case, they haven't been able to get in, at least not that I've been able to tell, but they try and go to the next level. Is that an attack? Where is the attack? What is the attack vector? When is it an attack? So when the Democratic National Committee says that, following the midterm elections last year, Russian hackers again started going after them. What does that mean? So here's the quote from them. In November 2018, dozens of DNC email addresses were targeted at a spear phishing campaign. Although there is no evidence the attack was successful. The DNC said in court documents filed Thursday What does that mean?
That's the big question, and when you hear about these sorts of attacks from in the political realm you've got to step back and think about a little bit let's talk about the terms, they're using their let's try to make a little bit of sense about it. Because this is a security thing fishing campaigns are where someone sends out an email trying to get you clicked on it. And typically phishing on this case it's about PH is a giant G, but it's the same concept of throwing a fishing line in and see what bite now you might use a lower that you know is good for carp or lower. That's great for rainbow trout of your up in the Pacific Northwest. But that doesn't mean that you're necessarily going to hook one of those and the same things true. You go off the coast of Boston, you're doing deep sea fishing, and you're hoping to catch what may be, hey, I made man catch up to now. Or maybe I can catch a swordfish or you know, the list goes on and on. So you use a lure to get the fish that you want. And hopefully, you'll catch it. The same thing with a phishing attack online; you write a letter, you write an email that looks attractive to the types of fish the types of people you want to catch. So if you want to catch people who are political activists on the left, maybe you send out an email saying, you know this, that this is about to explode underground and credible information about President Trump, and I can't believe it and got to click here. Contrarywise, on the left, you can't believe what Chuck and Nancy just did, right. And they try and get people to click on it. So that's kind of a still a general fishing campaign. But what's this spearfishing campaign, a spear phishing campaign is where again, think about how the South Pacific where you've got an Islander Pacific Islander out there, and they've got a spear maybe it's one of those Trident Spears, you know, the one that has the three tips on it. Have you seen those before, and you can make those yourself probably seen them on survivor, and they're watching in the water. And they see in the water I just under the surface of fish they want to get. So they stab it, they grab that fish, now they've got it, and life is good. They captured that fish. So they were aiming for that fish. And they caught that fish that spearfishing. And in the in the security business when we say spearfishing. We typically mean the going after an individual.
Now there are regular phishing attacks that some educated people might call spear phishing, for instance, they might have your name and email address from a vulnerability. So let's say they got all your information from our friends over at the credit reporting agency last year. So now they've got your name and your email address, and they send out 200 million emails. And each one of them, of course, is going to an individual email address, and it includes the name of the person. And it's including the name of the person that was in the breached record, so is that spearfishing. It's aimed at one person, but a lot of people will call it spearfishing. But security professionals are not going to call that a spear phishing attack. That is a phishing attack. That's like casting a net or dropping a line in and hoping you're going to get them, but it's a little more personal. So instead of the net that you might have had five years ago with phishing attacks, where it's just a generic Nigerian prince type scheme, it moves on to we're going to use a specific type of lower that might work. That's still a phishing attack to now where we're going to make that lower very attractive because we're going to include your name, we're going to make it look legit.
So they might send it out as though it's from Bank of America. And it's got your name in it. And it's got a number in it looks like an account number. It looks like a Bank of America. So you click that is technically not a spear phishing attack. Now, I fought these types of battles forever. Yeah, you know, for instance, what's a hacker versus a cracker. I was a hacker as a kid, that didn't mean I was trying to break into anything. I just hacked it programming because I wasn't a professional. I hadn't been trained; I didn't have enough experience. A hacker was not a bad guy. A hacker was just somebody who was semi-professional. And frankly, in today's world, I would say 90%, maybe 95% of all programmers are hackers. They're not professionals. They don't understand the whole system. They're just taking a drag and drop the component from a Microsoft Visual Basic or C sharp or Java; they're using the just this generic component that they don't understand anything about other than if I feed it this. Hopefully, I'll get that out. That's called hacking. That's the classical definition of hacking. So you try it does it work on doesn't work. Okay, so let's try something else. Let's try and figure this out. That's a hacker.
A cracker is someone who goes in. No, I'm not a cracker. Okay, I'm a white guy. But in crackers. Somebody goes in and tries to break into something tries to crack in just like a Safecracker. So you have programmers that are crackers. And I've been fighting this for 20, 30 years, trying to help people understand there is a difference. And the majority of people out there that call themselves programmers are actually hackers. They're not professionals. They don't have enough experience. They don't understand the whole flow, and all of the implications and side effects of everything they're doing, and you don't want in most cases, that's fine. In most cases, that's all you need your small business, you're trying to build a little database, who cares if you're a professional programmer, doesn't matter. It matters when course is now live, start getting involved, Monday starts getting involved. But even at that, you know, the, there's a lot of hackers working for companies that are taking their our lives into their hands. Anyways, now I'm fighting this next door, I don't know, maybe I should give up on it. Maybe it's a lost cause for me.
But this next world war is phishing campaigns, I look at it and say there's a number of different types of fishing you've got the guys cast and big nets, little catch anything, hopefully, you got the guys that are are using a lower to try and catch up a specific type of person, and then you got the guys that are going after one person and that's spearfishing, and based on this article, I would say that the democrats are misleading people or the whoever is the spokesperson doesn't know what spearfishing is, which is probably the most most likely option here. You know, I try not to put too malice what can easily be attributed to stupidity or ignorance, right.
And in this case, it's probably ignorant. Because if you look at this article on seeing that it says spear phishing is sending bogus emails disguises legitimate ones to full recipients. Well, no, not true. That's only a part very small part of it. Because it also has to do with who you are going after.
Now, I mentioned this a little bit earlier. Let's get into a couple of details on it. I don't know if this was the biggest, biggest breach ever. Obviously, we don't know everything about every breach that's occurred. We know there's been huge breaches of the IRS and huge ones over at the Federal Department of what do they call it, the where all the employees federal employees go through, including background check information, everything, there's just been huge ones out there. And we know about Equifax. We know about so many of these others. This is being called collection number one, because it's thought to be a collection made from multiple hacks that have occurred over who knows how long
So, Troy Hunt, he's a researcher, security researcher down in Australia. And he goes around, and he cruises the dark web. And he's got friends on it. And he kind of comes up with some, I think, some good data, some good information that people should be aware of. And that's why I'm bringing it up right now. And it's kind of a security thing, right? He's a total security geek. And he is he's in love with this stuff. And he makes some money from it, too, which is good. I think he supports himself from that very thing. Well, this collection is one that he found. And they're thinking that it may contain data from as many as 2000 sources, 87 gigabytes of data in all and it has information on some 773 million accounts. So that's three quarters of a billion email addresses and passwords. While it's got about 21 million passwords. As part of this, it's been for sale amongst hackers could be used for credential stuffing. This is a technique where the bad guys are trying multiple email addresses and passwords on as many different apps and services they possibly can. So people are taking lists like this that have email addresses have a password and trying to figure out, figure out where else they might work. And again, this goes back to you are hacked. Okay, that's got to be one of my new solo pins, right? It isn't a security thing anymore. It's an everybody thing you have been having, don't worry about it, you've been hacked, okay, you have to worry about your data and how it's going to be used. But this just reinforces that, frankly, European privacy law, the GDPR French regulators have now fined Google 50 million euros. That was on Monday for via violating the European Union GDPR. Now that's not a lot when you look at Google and how much money that they made, which was like, I think alphabet was about $33 billion in revenue in its most recent quarter, okay, but a lot like the US $2.7 billion fine against Google for anti trust in 2017, which was a record the fine maybe less important than the changes that Google is going to have to make to its privacy and not just for people who are clearly in the European Union but people world why the so there may be some some dramatic actions here against a number of us tech giants. And I think that's going to be good for all of us. Frankly, these GDPR date which is the general data protection regulation, those rules went into effect a few years ago they gain teeth in May of 2018 to almost a year now and this is big this is really big we're seeing GDPR equivalent legislation being worked on in mass in California federal in fact the GDPR had some basis on some guidelines that mass was publishing so this is just one country France and they ruled the Google violated it because they hadn't properly gained consent from users to use their personal data for online advertising now if you signed up for my email list basically anytime in the last few years but it's been very obvious for about six years you've probably noticed so if you go to http://CraigPeterson.com/subscribe meaning by the way, if you do that go to slash subscribe on my website you will get all of my show notes every week and you'll also get information about hacks that are occurring occurring in real time you'll get information also about the free master classes I have and everything else okay so if you haven't already you should do it. http://CraigPeterson.com/subscribe.
But if you do that, you'll notice now that there's two checkboxes on there that you have to click that acknowledge that I can send you an e-mail. So you're consenting to that and that I can promote to you because I might send you an email where I say hey, this is the best thing since sliced bread you got to get this software and whether I make a dime off it or not. That's considered a marketing email even if I'm trying to help you out so you have to click both those boxes before I will allow you to subscribe and then on top of it you hit subscribe and you're not subscribed yet I will send you an email right away saying hey thanks for signing up but you got to click here because I got to confirm you are who you are so that you know some guy that doesn't like you and wants to subscribe to every email list known to man can't just go to my site and the thousand other sites and sign you up so you're not going to get any emails from me unless you double opt in and you also confirm that you really want them on that page now this is something as well that you should be doing if you have a business and you have a website you have to be doing this. And if you want more tips on this let me know just email me@CraigPeterson.com. That might be a great topic for one of our master classes what you need to do in order to comply with these new privacy laws. But let me know know right, I don't know unless you tell me you can either text me back if you're on the SMS list or you can respond to my email if you're on my email list and just let me know that you want to know more about your business website what you should do to comply with GDPR to be glad to let you know okay, I don't charge for this stuff. This really is something I want you guys to know about. You need to know about. So we're going to run through really quickly a few little flashes one looks like a hacked phone may have led the killers to Khashoggi very, very big deal. And apparently, it was software from this company called Pegasus and Israeli based cyber company that makes acting tools that are sold to evil governments worldwide as well as to lessee for governments worldwide. The goal is to automate us welcome to the age of surveillance capitalism you're going to want to read this again it's up on my website http://CraigPeterson.com This is from the guardian and the notes by the way, listen to a podcast all of this is in my show notes as well on popular WordPress plugin was hacked by an angry former employee. I've got that up on there. If you're using multi lingual WordPress, you've got to check that out again on my website. It's all right there and who is checks keep an eye on your domain if you own your own domain as a business because there are scams going on. All right all of that to http://CraigPeterson.com. Make sure you subscribe. http://CraigPeterson.com/subscribe, you'll see it all there. Have a great week and keep an eye on your email box because I got a phenomenal thing coming up here. And I'm going to be starting to send out some emails about it this week. Little bit of training is going on. Have a great week. Take care and we'll chat again next week. And I'll have my next podcast out on Monday. Bye Bye. Thanks for joining us.
More stories and tech updates at:
Don't miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text: