Mar 27, 2020
This week is a replay of the show aired originally on 7 Mar 2020
Welcome!
We are going to hit a number of topics today from the world of technology. I am quite disappointed with Mozilla; they are letting marketers and politicians define their technology. Listen in to find out why I feel that way. Compliance is an issue for many companies, and I have some solutions that will help you, and it includes a diet, but probably not the kind you are thinking. Do you ever get nostalgic for "the good old days?" Well, I have something that might help; listen in to find out more. I will tell you what happened to one of the Sharks from Shark Tank, how you can prevent it from happening to you, and more.
For more tech tips, news, and updates visit - CraigPeterson.com
---
Related Articles:
Don't Store Data You Don't Need
Cryptocurrencies and Insurance Increase Ransomware Profitability
Are you Secure -- Depends on Many Things
You Don't Have Much Time To Stop An Attack
Hackers Target Large Databases
Anyone Can Be A Victim - Business Email Compromise Does Not Play Favorites
DNS over HTTPS (DoH) is not the Panacea the Marketers Are Leading you to Believe
---
Automated Machine Generated Transcript:
Hello everybody, Craig Peterson here on WGAN and, of course, online at CraigPeterson.com, and heard streaming all over the world on your favorite streaming site. I'm so glad to be here today and be able to talk with you a little bit about what the top news stories are this week. How can you keep safe? That's kind of one of my themes, because I freaked out when my company got attacked some years ago. You know, just a regular business guy trying to run a small business, and man, did it hurt me bad back in the day. I'm just trying to get all of the information I've put together over the years and learned, and I continue to study this stuff and continue to look at what the best ways to defend ourselves are. I try and get all of that and put it together into neat packages for you. One of them, of course, is the radio show. I also get on with Facebook Lives, YouTube Lives, and also do various types of pieces of training and tutorials and things out there. Where, in fact, for the next course I have coming up, we're going to have implementation calls, where we are talking specifically about what to do when you do it. So if you try and implement something and you have some issues, I'm going to get on the phone with you guys. So I think that's going to be great. And then the upcoming class here in a few weeks, and then, of course, the tutorials leading up to that class, where I'll take your questions live; sometimes those little tutorial sessions are on, you know, webinar technology. On these webinars, sometimes we go a couple of hours so I can answer all of your questions. That's what it's about here. All right, because I understand most people; no, I know I'm this way too. I get contacted by somebody, and they're trying to sell me something. That happened just over the weekend. Last weekend somebody knocked at the door, trying to sell windows, right. I think it was like Renewal by Andersen or something like that. And they were walking around knocking on doors.
I, you know, immediately just knee-jerk said, No, no thanks, my windows are fine. It got me to thinking about the whole situation in the security realm. Because that's what we do, right? What we've been doing for years, decades sometimes: we have the antivirus software; every once in a while, when we hear about a real big vulnerability, we go ahead and apply patches. You know, it's been the same old, same old, but we just can't do that anymore. Because really, we see huge, huge problems, and businesses going out of business because of them. So that's what this is all about. So if you're a new listener, welcome. If you've been listening to me for a while, of course, welcome, welcome to you too. And I want to get this information out. So one of the best ways to make sure you have all of the latest information you need is to go online, go to CraigPeterson.com/subscribe, and that'll get you on my email list. Then once you're there, you will be able to keep up to date on things I do; I try and get those out. I have a newsletter that's every Saturday morning. Then when I'm doing training, I'll send something that's a little out of band if I'm doing a live or various other things. I thought, because of the way it works with the emails I send out, if you want to unsubscribe, you will be guaranteed to never hear from me again. Maybe that's a great thing that is right for some people. But for other people, I came to realize that perhaps they didn't care about the training, they just wanted the newsletter, or perhaps they wanted the pieces of training but didn't want any emails. Some wanted some courses but not other courses, etc., etc. So I'm going to try and do something a little bit different right now, and there's a pretty nasty warning as a footnote. If you unsubscribe, I can't send you anything anymore.
I won't send you anything, even if you want a course; you'll not hear from me again, because you unsubscribed and are marked as somebody that doesn't ever want to hear from me again. That's fine. I know we all have our lives, and maybe you think you're safe enough. Perhaps you're going to reach out to me when everything falls apart around you, at which point I can't respond to you, because I will have your email blocked. That is because I don't want to bother you. I want to comply with the CAN-SPAM Act, although, you know, most people don't seem to care about that, as well as the GDPR. Also, the new California regulations, the Massachusetts regulations, and new federal regulations that are going into effect. They all place requirements on when and where I'm not supposed to contact you. If you say No, then No means no, right. I'm going to change things a little bit with these upcoming trainings and courses that I'm going to be doing. I'm going to make it so you can just unsubscribe from those, so you're not going to lose contact with me. I've had some people complain, and in the end, it becomes a bit of a pain to try and add them back in. We're going to try and make this a little bit easier for you guys, so keep an eye out for that. You already know, right, based on what I'm saying as well as what I've done in the past, that I won't spam you guys; I don't sell your name or your email address to other people. Most of you, I know, are kind of the older generations; the younger guys, they don't care, we've already talked about that. They will sell their email address and name for a donut. But us older folk are a little bit more cautious about it. I think that's probably a good thing. We're less likely to get ripped off; the senior population is in some ways less likely to get ripped off, and in other ways more likely to get ripped off. It's interesting. Again, we tend to trust phone calls more. You know what, frankly, I don't answer my phone anymore. It just goes to voicemail.
And I have somebody else look at it, because there are so many scams coming in. But we tend to trust the phones more in the generation, you know, the men and women older than me, other baby boomers; they are a little bit more susceptible to those types of scams. So be careful with those types of scams as well; just, you know, be careful all the way around, frankly. And that brings us to our first story of the day today. And this is something I found that I thought was cool. So I thought I'd share it with you. It's a tech thing. I was just a few weeks ago talking on the radio, one of the radio shows I appear on as a guest, and we were talking about Betamax versus VHS. And I knew, I knew that the radio host I was talking to, there's no way, he just loves tech, there's no way he did not have Betamax. And he did. He had hundreds, apparently, of Beta tapes in his closet. But this is all about that era of the 1990s. I'm sure you guys had VCRs, right, back in the day. And of course, the winner of that war was VHS, and it wasn't because it was better technology, but we're not going to delve into that right now. And those VHS tapes, at this point, about 20,000 of them, have been put into an online vault. Now, if you've never used the Wayback Machine, you have to check it out. You can find it online at archive.org; that's the name of it. It is an Internet archive, and it shows web pages going way back; you can look at my web page from back in the very, very, very early days of the Internet. When, you know, not the Internet, but when the whole web thing came about, which was '92, '93, is when it started to go. I didn't have a webpage back in '85 when I first registered my domain; that's been around for a while. And then, of course, I was using other domains before that; I've used my ham radio call sign as my domain. And before that, but the Wayback Machine is this archive; you can browse the history of any major site, many minor sites that are out there.
They have used it in court cases. It is used by me just for kind of memories of things as the way they were. Now you can use it for something brand new that I didn't know they had, and that is, they've got something out there on the Wayback Machine that's called the VHS Vault, V-H-S, just like the VHS tapes that we had, or that Ken didn't have because he had Betamax. Right now, I'm looking at it, and it says there are almost 21,000 results. So they've taken these VHS tapes that were submitted, and they have effectively ripped them. They've turned them into digital video, right. And some of these are just amazing, like a warm-up with Traci Lords. It's an exercise program. Of course, Traci Lords was involved in some adult films back in the day. Man, I love this: Mystery Science Theater 3000, Timothy Leary as a guest on MTV with John Lennon, Les Misérables from 1935, Rush to Judgment. There are so many cool things, The Lion King in full on VHS tapes. Now some of this information is probably still copyrighted, but as a general rule, archive.org doesn't get nailed for copyright violations.
SpongeBob SquarePants. Oh, this is the Fairy Fairy Godmother, I think is what this cartoon was called; I'm trying to remember, my kids used to like it. Some bootleg tapes, everything, but you can find it online. I think you would have a gas looking through these. I want you to go to archive.org as you're listening to the show, or maybe some other time during the week, when you're sitting there watching some TV with your smartphone or your computer. Go to archive.org and look for the VHS Vault. The actual URL is archive.org/details/vhsvault. You will see all kinds of fun stuff that's in there. They have many different collections.
You can search this; you can go in by year when they did it. They have a Flemish dog collection. There's another one. There are collections I've used in some of the training videos I put together. There are collections of old black and white art, and pencil art, and engineering diagrams that are well, well out of copyright, and you'll find all that stuff at archive.org. Check it out; I think you will have a gas checking it out. If you're like me, it's certainly brought back a lot of memories.
When we get back, we're going to be talking about something that you should be doing, whether you're a home user or business user. You know, the things that we have to be worried about are the things that can be stolen from us, right, in the online world. Okay, this is what we will be talking about. What can be taken from us, but also what can be used to kind of hold our feet to the fire in ransomware. So we're going to talk about how to reduce your risk with Craig Peterson here on WGAN Stick around. We'll be right back.
Hey everybody, Craig Peterson back here on WGAN online, and of course, at CraigPeterson.com. Yeah, you know it by now, right? Well, hopefully, you had a chance to look at archive.org; definitely check it out. It's called the Wayback Machine, at least that was its original name. And they may still have that domain, waybackmachine.com. But now it's known as archive.org. It is a wonderful, wonderful trip down memory lane, at least for me. If you are a little bit older, you might remember the Internet back in the day; it's fun looking at some of the original search pages at AltaVista. Man, I miss AltaVista. I used to like to use the Boolean algebra that you could do in AltaVista. By the way, if you are a geek like me when it comes to searching and you want to be able to dig into it, there's a tool I use, and I think that you'd like it also. It's not cheap, that's for sure, but not that expensive either; it's called DEVONthink, D-E-V-O-N T-H-I-N-K. It allows you to set up searches using all kinds of Boolean constructs, which is very, very, very handy, at least as far as I'm concerned. You can set it up to do automatic search sets every day looking for different things. It's one of the tools I use to find the information that we talk about here on this show, because so much of it just isn't, generally speaking, available. It certainly isn't spoken about by the mainstream media, right? You know that, right. That's why you listen to the show and why you follow me. I am on LinkedIn. I'm on Facebook. I'm on Twitter, YouTube, and my website as well. I appreciate all you guys who do follow and who comment. Now, if you're a business person, this is for you, but there are some things that you can do as an individual as well that are going to make a big difference for yourself and your safety online. Businesses are concerned about the GDPR, which we've talked about on the show before. That's the European privacy regulation. We're also very concerned right now with CCPA.
I just had a company that makes optics. I use their optics here in the studio; if you have ever seen me on a webinar or one of these videos or pop-up training or anything, I'm in the studio, and my cameras here, the lenses, use the glass made by this company. I had no idea, but they reached out to us due to their operations in California. They have a sales operation there because, again, they're selling their optical glass for use in lenses and all kinds of other devices. They reached out because they were concerned about what is happening, what could happen with these new California privacy regulations. Is it going to mess up their business? How is it going to mess up their business? How is it going to make things better or worse? I think they had some outstanding questions. So they called us in, and they paid us to do an audit of the systems they have. How are the systems working? What is it that we need to be worried about? You know, it's something that takes a few weeks and a couple of on-site visits in New York. New York State, which, by the way, is going to have its own set of privacy regulations that are going to affect them pretty dramatically. But basically, what it came down to was, if they were compliant with the European regulations, they were probably most of the way towards the California regulations. So they think that they're compliant. But when we got in and started having to look at it, it turned out no, no, no. They are not anywhere near compliant with either set of regulations. Even though their IT people told them they are, because they have full-time programmers who are programming their systems. They thought, Oh, no, no, we're fine. We're fine. No, they weren't. So what do you do if you're a regular business? Enough moaning and groaning about the optical manufacturer, who has fantastic optics, which is why I use them. Let's talk about you.
Let's talk about your business, your small business, your larger business; this is true, you should be paying attention if you are a medium or large business as well. One of the best things you can do, and it is hard to get through to a lot of CEOs and other business owners, but one of the best things you can do to reduce your risks is to reduce the data that you are maintaining. Right? If you want to reduce the chance of getting shot at, don't go out in the streets where they're shooting, right? If you want to reduce the risk of having your data stolen, then don't have the data out there for them to steal. If you don't want to get nailed by one of these new regulations that says, hey, personally identifiable information has to be maintained in this way and that way. If someone asks you what data you have on them, do you realize now you only have one week to respond? You must provide that data to them if you have any sort of a California nexus or European nexus, in other words, doing business in either one of those places. Now, it's down to, I think, five days; it's not a week to respond, saying, Here's all of the data that we have about you. That's what you have to be able to do. We have to be able to do it right now. You also have to be able to tell them, here are all of the people within my organization, as well as our contractors, that saw your data and had access to your data. That is a very, very big deal, frankly. The landscape is constantly changing; your obligations for that data, and the data disclosure and the data-keeping, keep getting more strict. What's the right thing for you to do? Ultimately, well, it's to get rid of the damn data, right? It's a very, very solid first step in reducing your risk. Now I'm going to be publishing next week a little guide that you can use yourself, right; you don't have to have me involved or anything else; it's just for you, that you can use to do an inventory of all of the data that you have in your business.
What we've done is we've gone through and looked at different parts of the businesses that we've worked with over the years and evaluated the kind of data they often have. You have to do that first, right? You must identify what your risks are. You must determine what data you have. I'll make that available for those people on my email list. It will be part of this ramp-up here, a precursor to the pieces of training that I will be doing. There will be different free pieces of training and tutorials in my ramp-up to my courses. You don't have to be in the course to participate in the free tutorials, okay? You don't have to buy anything from me. It is all free, no hype or anything else. Okay. I'm not trying to hard-sell anybody; I want to help you. That is the first step: doing this inventory of the data you have, and it is one of the best things you can do. Put your company on a data diet. Now, you know, last week we had Barry Friedman on the show, talking about a sugar diet. Right. It's a lot like that, and it's getting rid of these addictive pieces of data that we keep on our clients, on our prospects, everything else that's out there, right. Let's look at it as a lens. When you're looking at your data, when you're doing an inventory of these data assets, ask yourself, do I need this? Will this provide what I need? Think about it maybe like a food diet, as Barry does with sugar. Do I need sugar? We know, is sugar going to provide us the nutrients that we need? The answer to that is no when it comes to sugar, right. We found that out from Barry last week. But we need to work to minimize sensitive data and ask ourselves, do we need this sensitive data to conduct business right now? And will we need this sensitive data to conduct business in the future? If the answer's no, securely dispose of that data. It is the only way to comply with these regulations that are already in place here in the US and in Europe as well.
All right, when we get back, we're going to talk about how did we get here? How did we? How did ransomware grow to be a multi-billion-dollar industry? What did we do to get here? What should we do to try and get beyond all of this? You're listening to Craig Peterson on WGAN and, of course, online at CraigPeterson.com, live on YouTube, live on Facebook, everywhere out there. Stick around. We'll be right back.
Hey, welcome back, everybody, Craig Peterson here on WGAN, and of course online at CraigPeterson.com. In case you missed it, we've been busy today talking about the Internet Archive's VHS Vault. Again, that's archive.org. Check it out. It is kind of cool. We just talked about reducing risk using the cheapest mechanism possible. Data minimization will save you money and help you be compliant. Now I'm going to talk about ransomware. We've been warned recently about ransomware's rise. Many people thought it's kind of past. In some ways, it has. 2018 was kind of the banner year for the standard ransomware that's out there, but it is back, and it is back with a vengeance. We talked about some of the statistics about a month ago and showed how it had gone up a bit, almost doubled, just between the third and fourth quarters last year, which is just absolutely dramatic. I had a course before where we talked a little bit about backups. I've certainly talked about it here on the show before, and how backups help stop ransomware. Let's just spend a couple of minutes on that right now, although it's not 100% accurate anymore. It is essential to do for just a whole plethora of reasons. Backups are kind of the very first stage of what you need.
I read an article yesterday from a guy who is in some of the highest circles in the country. He had the phone numbers, the direct cell numbers, of presidents and, you name it, really just anybody who's anybody was on his phone. It was an Android phone. He had assumed that it was backed up into the cloud or something. His phone broke. He got a new phone and realized at that point that his phone had never, ever, ever been backed up. He lost the phone numbers from all of these people. Good luck getting them back: cell phone numbers, other contact information. Think of all the things that are on our phones nowadays. Losing your phone, having a hard disk crash on your laptop or your desktop computer; losing those can be devastating, no question about it. If you're a larger business and you think that you're doing backups, double-check them. I'd say three-quarters of the time, and I can't think of an exception to this, your backups will not work correctly for that business. I've never seen a case where all backups are working correctly, ever, ever, going into a business. I know: you, Craig, you're just crazy. It's silly. You're trying to build a business and scare people. No, I have never walked into a company and found their backups to be working correctly. We see things like, and I don't mean they're not working in a way that is ideal or optimal for the business, right? Certainly that on top of it. I mean, they weren't working.
We had one company that we went into, and they were dutifully doing backups, and the operations manager had five external hard disks. Every day he brought a hard drive in, plugged it into the server, and took it home at the end of the day. So we had Monday through Friday hard disks that he brought back home with him. So they were off-site, which is, you know, a great idea, by the way. The server itself had a RAID configuration on it, and it is called a RAID 5. It had three hard disks so that if a drive failed, they wouldn't lose all of their data. We went in because they wanted to do some upgrades. They hoped to move over to Apple infrastructure, where people could use iPads and iMacs on their desks, to have a better working environment for everyone by moving away from Windows. By the way, this is an excellent idea. They still had some Windows software that they had to run, so we helped them with that and got that all working and running correctly. The backups, you know, they were trying to do the right thing. But you know what, there were a couple of problems: one, their server had not written to any of those external disks for the last 18 months. They went a year and a half without ever having had a good backup. Think about that. What would happen to that business? What would happen to your company after 18 months of no good backups and losing all your data?
Oh, and their server, an HP server, that cute little HP server had that RAID array, right, a RAID 5, where you can lose a disk and not lose data. Well, they had lost a drive; we were estimating, based on the logs, about a year before. There they were with no backups and no redundancy in the disks on their server. That's an example right now, and I could go on and on. We had a company, a division of a Fortune 100 company, that had paid for backups, and they had a dedicated data line. We put some next-generation firewalls in place that monitored the data and watched for data exfiltration to make sure that the plans and designs and social security numbers and bank accounts and everything were not being stolen or taken off-site, right.
Guess what we found there? After six weeks of monitoring everything that's been going on, because that's the first step, right? Let's make sure we understand what the normal operations are. Didn't you tell us that you had an off-site backup of your minicomputer going to another backup site? Oh, yeah, yeah, we do. It gets backed up in real time. We're paying for the backups to go off-site. If something were to happen to our facility here, or to our computer, which is a big server, then they'd take over immediately; we'd be off and running. During those six weeks that we were in there, we hadn't been involved with these operations.
Ultimately, we were in there for decades. Guess what we found? Yeah, exactly. None of the backups were occurring. They were paying for all of these things, right? They were paying for them. What we ended up doing is we came in, and we made sure that backups were happening. Unfortunately, they didn't have us do those backups. The company doing it for them was incompetent. And yet they decided to have them continue to do it. It doesn't make sense. We took over the rest of the backups. We had equipment on site, which we do at most of our clients. In case there's a problem, there are failovers that can occur. In this case, we'd have them back online in four hours, a requirement of publicly traded companies and their divisions. Again, they're just not doing it anyways. Ramble, ramble.
Wow, we've only got a couple of minutes left here in this segment. When it comes to backups, here's what you have to be careful of, and that is, make sure they are happening. Check the backups. Try and restore from your backups. Now, we're talking about ransomware. It is a seven-and-a-half-billion-dollar industry. They are coming for you, and one of the best things you can do is have a backup. Still, there's another side to ransomware nowadays that backup won't help you with, and that is that they have your data, and they hold a ransom, saying, if you don't pay us, we're going to release this onto the Internet. Then you're in real trouble. If you have personally identifiable information, or if you have your intellectual property out there, and it gets out to the Internet because you don't pay that ransom, you are in real trouble; plus, if they encrypt your data, you'll need that backup.
All right, stick around. We will be right back. And we're going to be talking about our next topic for the day, which is how do you answer a non-technical executive who asks, how secure are we? You're listening to Craig Peterson on WGAN and online at CraigPeterson.com. Hey, have you ever been asked that question? Well, we'll tell you about how to answer it, coming right up.
Hey, welcome back, everybody, Craig Peterson here on WGAN and online, of course, at CraigPeterson.com. No surprise there.
Our next one is an interesting article and poses an interesting question. It is one that I'm sure you ask or have been asked, right? How secure are we? You are the cavalry, is the bottom line. You're the person who your family comes to, or the business owner comes to, the business asks whenever they have a tech question, right? You wouldn't be listening otherwise. It is how you get ahead. It is how you learn. You listen to me and others, read articles. You are the cavalry. How does the cavalry answer that question, when you're asked, How secure are we? You know, there's the obvious answer. Well, you know, we got this, and we got that. We have an antivirus, and we have a firewall. Those, frankly, are buzzwords that many of us use just to obfuscate the real answer to that question. I know that many times when we go into a business, and we secure it, we put together a proposal. Most of the time, our recommendations are not accepted. Most of the time, when we go into a business, and we say, here's what you need.
Here's what you need to do to stay secure, they say No, thank you, and prefer to run with blinders. Hopefully, they won't stumble in the middle of the night or get tossed by that horse, of just kind of ignoring it, right. Blinders, or maybe you might want to call it ostriching, to put their head in the sand, or whatever you want to call it. But most of the time, in reality, the businesses just don't do anything. Sometimes they do, right. That's how I stay in business. I stay in business because of the companies that want to remain secure. I stay in business because of the people that are the cavalry. They're like you, who want to buy my courses to understand more, to get step-by-step instructions, you know, not just the stories behind things, but the strategy and the exact tactics that they have to take. And that's you, I suspect, right? I think you're probably a lot like me in that way. That's how I like to learn, and that's how I teach as well. Well, this article is from our friends over at Dark Reading. And the question is, how secure are we? And how should we answer that? There's a great response by Kurtis Minder, the CEO and Co-Founder of GroupSense. He says it depends. You've got to look at your executive team and qualify their level of understanding. Answering the question with the answer of, well, we have antivirus, we have a firewall, and we have mail filters. You know, a lot of people nowadays say, "well, we're in the cloud," and there's nothing to worry about, which we already know isn't true, right?
There's way more to worry about if you're in the cloud than if you have a local server. For those of you who are the kind of computer security people for your organization, addressing this requires finding out where they are coming from, who they are comparing to. For instance, is it to what the Payment Card Industry's PCI-DSS says we're supposed to do? Are we supposed to compare ourselves to the HIPAA-HITECH regulations? In other words, we have some medical data, which, by the way, every company does if you have any sort of a health insurance program, right? Are we supposed to compare ourselves to the NIST 171 standard? There's even more; there is the CMMC. There's a lot of different criteria that are out there. You must understand the HOW before you answer this question. How secure are we compared to similar companies in our industry? Or companies that are similar in size to us? No matter how you're going to answer that question, when the boss comes a-knockin', or the kids or your wife come a-knockin', saying, How secure are we? No matter who it is you're talking to, I think the one thing you have to make sure of is that they understand that the whole security threat landscape is fluid. It's always changing, and your security programs need to be fluid as well. That's the reason I have consulting clients, right. That's the reason I have a membership program, so the people who are the cavalry can follow and understand what it is they need to know. Now I want to hop over to this other guy here. His name is Matt Combs, and he is a global cybersecurity practice leader for an executive recruiter called Russell Reynolds Associates. It is absolutely a phenomenal interview on CIO.com. He's saying many companies were blissfully unaware, especially those that don't have credit card information. How many times have I said that, right? It takes at least six months for the average company to figure out a breach occurred.
Why did Matt say, especially those that don't have credit card information? It's because if they have credit card information, that information is likely to be sold on the open market very quickly. Once sold, the credit card companies are going to notice, right? Many companies have only learned that a breach occurred after the FBI came knocking on the door and told them they had a problem. Look at Home Depot. What happened? The FBI traced the dots. Home Depot was compromised through their point of sale equipment. Can you believe that? People sitting in the parking lot of Home Depot hacked them? They didn't even know it until the FBI knocked on the door. That's a pretty big deal, on a pretty big company. I think they are the second-largest retailer in the country? When it comes to dollar-to-dollar value? Are you sold? Okay. If you don't have the credit card information, how would you even know that a breach happened? It ties back into the fluidity of security. It seems so obvious now, when you look back at Home Depot and say, What were they thinking? I look at Target and the TJX companies and their hacks. They had security equipment, and that security equipment was quite good. It was alerting them, "whoa, wait a minute, guys, we've got a breach, okay." Did they take care of it? No, because they didn't know how to read the output, and they didn't have enough people to look at the logs, which is something else we keep telling you all. You have to watch the logs. You have to watch them closely. It's a full-time job. It's a highly skilled job, a highly trained job. It is not cheap, okay. I know a hotel company with 500 hotels in the United States; of course, you can look that up to find out who it is. They have a chief information security officer who is an information security group of one. Think about that: 500 hotels, just the business itself, all of the data that they have, the liability that they have, and he doesn't have anyone working for him.
Not even a support person. He has to beg, borrow, and steal help from IT, and from the CIO, the Chief Information Officer. So when the executive asks you how secure are we, you have to say, Hey, listen, you know we can lock down the doors, we can lock down the windows, but the odds are if someone wants to breach us, they will be able to. However, make sure you are locking down the doors and locking down the windows. You've got to close it all up. There was one other thing I think you should do when this non-tech executive asks you about how secure we are. That is, what's your nightmare, Mr. Executive? Which systems are you most concerned about being compromised? You should go back to the question I asked a little bit earlier, which is, what data do we have that maybe we shouldn't have? What data do we have that we are most concerned about losing? What are the family jewels in our organization? What is the data that, if we were to lose it, we'd be in a lot of trouble, either because we could not conduct business anymore, or maybe we would get nailed by the regulators out there? Anyway, a lot of really, really good questions to ask, because you're never 100% secure. All it takes is for one employee to click on the wrong link in an email. What I was just talking about will come up a little later on today. I talked about it this week on several radio stations: what happened with Barbara Corcoran, an investor from Shark Tank. Stay tuned, as we'll talk about it a little bit later on. All it takes is, frankly, employee negligence, such as accidental loss of data, accidental clicking on things. Employee negligence is still the main cause of data breaches. This is in a report from Shred-it. Now, of course, they're in the business of shredding documents, of getting rid of these things, shredding hard disk drives when you take them out of a computer. Remote workers and external vendors are also now a major cause of the increase in data breaches.
That's one of the things we're going to be covering here in my course coming up in a couple of weeks, and that is the upstream-downstream risk. And the US military is totally into this now, because they had two or three major breaches last year that came through vendors. So hackers are no match for human error when it comes to sheer numbers. You also have the insider threats of people who are stealing from you so they can get a better job, take it with them to another job. You have people who are upset with you and are just making an absolute mess of things on the way out the door. So be very careful about that, because it's huge. Data breaches cost an average of $3.6 million globally; that was in 2017. Some of those prices have gone up. The faster you respond to a breach, the more money you'll save. They found that if you can respond to a breach within 30 days, on average, you'll save over a million dollars. Think of that. The odds are good that you will get breached. You will save, on average, a million dollars. Yet you're not funding the security people, either by going to an external contractor, like me, to take care of it for you, or by providing the internal people the resources they need to do it. It is a huge, huge job. All right, top of the hour, of course, on the radio stations, we've got the news, traffic, weather, all that sort of stuff coming up. Then when we get back, we're going to talk about a new metric in security. The next-gen security metrics. Stick around, and you are listening to Craig Peterson on WGAN and online.
Hey everybody, welcome back. Craig Peterson here, on WGAN and, of course, online at Craig Peterson dot com. We have already covered a bunch today. I would refer you over to my website if you'd like to find out a little bit more. Of course, I'm also on the streaming services. You can find it there. We've covered the Internet Archive. They've got this cool, new VHS vault. We discussed ways to reduce your risk of data loss. It's all about identifying your data and then minimizing your data. We covered how we enabled ransomware to become a multi-billion dollar industry. And I also gave some good advice on backups and the fact that 100% of the businesses I've ever walked into have had a failed backup strategy, and failed in a bunch of different ways. It is big for all of us who are out there who are members of the cavalry, who are trying to help our friends, our family with their computer issues, and the businesses for whom we work. Then we got to how to answer the questions we get that have to do with our level of security. How secure are we? How secure is the business? That's what we have covered so far today. I love our next topic. It's phenomenal. It's from Threatpost.com. They're talking about different types of security metrics. Now, metrics, of course, are measurements, or the ways we measure things. We always have to measure progress to be able to know, have we gotten to where we need to be, right. Progress can be difficult to measure. There are a lot of different types of measurements when it comes to our security. Say for Microsoft Windows, one of the big things is, are you ready every Patch Tuesday? Then a little bit more, as Microsoft sometimes comes out with out-of-cycle patches. They got nailed a few years ago with criticism about releasing new patches constantly, because they needed to release them.
And so instead of fixing their problem, which would be almost impossible to do, and that is rewriting Windows and making it a much more secure design, they decided they would just go ahead and release patches once a month. And that way, of course, you're not getting them every day. So who's going to notice that, in fact, there are a whole lot of vulnerabilities in Windows? So that was another measurement that we had. Did you get your Patch Tuesday stuff done? That's been around a very long time. Well, we've got a new metric here, and it's called hardening. Now, I don't know about you guys, but my wife thinks that most people don't know what the name hardening means. So I'll explain it a little bit. Hardening is where we close holes in our networks and our Windows computers. That's really what our emphasis is going to be coming up here next week when we start our whole hardening series. By the time you finish this series and the courses, you'll be able to lock down any Windows or Mac computer yourself. You are going to be able to lock down your small business network, and you're going to stop worrying about being the victim of the bad guys. We're also going to train you on how to test everything yourself, so that you can make sure that they can't get in, right. If not tested, how will you know it works? It's like I was talking about with backups. How do you know they are working? How do you know it's effective? How effective is it? So we're going to teach all of that, and I think that's just going to be amazing for you guys, man. We're looking to do something you guys are going to love. Hardening, in the case of our computers, includes our computers, browsers, firewalls, and routers. In other words, we're using all of the options, all of the available software, to make sure that bad guys are not easily going to get in. Is the Windows Firewall hardened on our computers? Did you even know you had a firewall on a Windows computer? Well, it's almost useless.
Because Windows has a firewall, it is turned on by default, but they have all kinds of services turned on and available to be used. All of these things are kind of crazy. When we get down to it, there are things we can do. That's what we're going to be covering starting in about a week with some of these tutorials, and with our great course that we have coming up. Now, let's talk about what's holding us back and what mean time to harden means. We're looking at vulnerabilities; when we're talking about a zero-day attack, it is one that no one has seen before and where there is not a patch or workaround for it. It's really kind of a nasty thing. When it comes to hardening, you want to make sure that you have as few services as possible on your computer, firewall, and browser. That again makes your attack surface smaller. But when we're talking about those types of zero-day attacks, it typically takes an organization 15 times longer to close a vulnerability than it does for the attackers to weaponize that vulnerability and exploit it. So basically, we're talking about one week for the bad guys to take a vulnerability, one of those zero-day things. It takes one week to weaponize it, and it takes us about 102 days to patch it. Let that sink in for just a minute here. Once vulnerabilities get disclosed, it's a race to secure the hole before the bad guys exploit it. Now we saw that with the Equifax breach, where here's a major, major breach against a major company out there, and it only happened because they hadn't applied the patches that they needed to apply. It's just really that simple. Microsoft has a patch; let's give an example right now: BlueKeep. BlueKeep is a way to break into Microsoft machines. Microsoft released patches for BlueKeep in the May 2019 Patch Tuesday security fixes. Microsoft released it in May, and as of December 2019, seven months later, there were still over 700,000 machines at risk.
Let me see here now: May to June, July, August, September, October, November, December. That, to me, sounds like seven months. That's huge. Sophos has some security software. In their recent report about WannaCry, which is ransomware, the patch against the exploit WannaCry was using still has not been installed on countless machines, despite being released more than two years ago. It's crazy, isn't it? Do you guys agree with me? Am I just being kind of an alarmist? Now the average time to weaponize this is seven days. Many weaponizations come in less than seven days, like the infamous Apache Struts vulnerability. You have effectively 72 hours to harden new systems. Now the numbers are even worse when we're talking about incident response. There's a new rule out from a company called CrowdStrike. You might have heard of them before; they've been in the news for some political stuff as well. But they are a security company. They do a lot of investigations after the fact and try to figure out what happened and try and clean things up. CrowdStrike has a new rule. It's called the 1-10-60 rule. And it's based on what they call breakout time. So here's what that is.
Most nation-state actors, in other words, the more advanced hackers out there, move laterally from an initial attack within two hours on average. In other words, if there is a country that's coming after you, say, for instance, China. Most say, now, it isn't like China is going to go after me. I'm not military and not a military contractor. China comes after you to steal your intellectual property. Once they have gotten inside of your network, they will move around inside your system. What this means is it gives defenders of a network one minute to detect a breach, 10 minutes to understand what has happened and that it was a breach, and one hour to contain that breach from the initial incursion. That is huge. Now, this is part of this mean time to hardening and response goal that we're trying to achieve. If you're a regular business, and it's six months before you even notice that a hack occurred, if you ever even notice, which is par for the course and something we see quite frequently. We will come in and look for signs of hacking. Many times, companies don't want to know. They just want to know if there are any openings that they should be closing right now. Why? If you see a hack occurred, there are specific legal responsibilities that you have. Companies say, Listen, don't tell me, I don't want to know. Without monitoring and watching what our organizations are doing, if we're not at the very least patching and hardening, we're in real trouble. Now, I know you guys know how to patch; it's not that difficult to do. We're not going to spend a lot of time on that in the upcoming tutorials or courses, but we are going to spend a lot of time in the course on hardening, because it is one of your best defenses. It's kind of like having a package on the front porch that was just delivered by the Amazon people, right? If there is no package on the porch, the porch pirates are not going to show up and steal the box. It's the same type of thing here.
If you do not have services available on your machines inside your network, there is no way for the bad guys to move laterally. There's no way for them to get in remotely. That is our goal in our hardening courses: how to harden your Windows machine. That's coming up in about a week, week and a half. So make sure you are on my email list. You get all of that free training. You can find out about the courses as well that we are putting together for this. All of that at Craig Peterson dot com slash subscribe. You're listening to me here on WGAN. You can always send questions to me -- me at Craig Peterson dot com.
Hey, welcome back, everybody. Craig Peterson, online at Craig Peterson dot com and right here on WGAN. I am also putting these up on Facebook and making them available on YouTube, for those that are interested.
I want to talk a little bit right now about Clearview AI. You know, again, I've said so many times that we've got to be careful with our data online. Clearview AI is this company that we talked about a few weeks ago that has been scraping all of the information it could get online, mainly related to photographs. All of the pictures that you posted on Facebook or that you put up on any photo sharing sites, all of that stuff, Clearview scraped. Now, they have this app that allows you to take a picture, and then it will do facial recognition to find all of the places online that that picture appears. And it has been used by, it looks like, more than 2200 different organizations, many of them police departments, to track people down. So if you have a picture, even if it's not a great picture, that picture can then be put into the Clearview AI app. And it'll show you, here you go, here's where we found this guy or gal online. And even if you didn't take the picture, and you are in a photograph, it is going to show up, and Clearview is going to find it. Now, Clearview AI grabbed all of these photographs online without asking permission of anyone. I don't think they asked your permission, did they? They didn't get my permission. They scraped them from Twitter, whom they didn't ask for permission. They scraped them from Facebook. They scraped them from all over the internet. They ended up with billions of photographs. They logged it all along with where they found them online. That way, if the police department is looking for this person, they have a photo of them. They can put it into the Clearview AI app and can authenticate where online it was found. And then the police department just goes there and says, Oh, well, that's Mary Jane's homepage. Here's more about Mary Jane, where she lives and everything else, and now off they go to get Mary Jane. Now remember, of course, first off, these things are not 100% accurate. They could be false.
There are false positives, although in many cases they have been very successful at identifying people, and they have helped to solve some crimes, which is, I guess, a good thing, right? I think that's what you might want to say, okay. In a notification that The Daily Beast reviewed, Clearview AI told them that there had been an intruder that gained unauthorized access to its list of customers, and they got access to the many accounts they've set up and the searches they have run.
Now, this disclosure also claimed that there was no breach of Clearview AI servers and that there was no compromise of Clearview AI systems or networks. That puzzles me and makes me wonder, well, maybe they were using a cloud service, and they had it stored up there, and that's how it got stolen. It's hard to say. Clearview AI went on to say that it patched the unspecified hole that let the intruder in and that whoever it was didn't manage to get their hands on their customers' search histories. Now there's a release from a Clearview AI attorney, and his statement said that security is Clearview AI's top priority, which is total crap, right? They did everything they could to breach the ethics and security of the user agreements from all of these websites from which they scraped our information. Unfortunately, data breaches, their attorney says, are part of life in the 21st century. Our servers were never accessed. We patched the flaw and continue to work to strengthen our security. All of this is in a report on Naked Security dot com. Now, this, frankly, is very concerning to me from several different standpoints, right. First of all, Clearview AI had this massive database of facial images that they had sold to hundreds of law enforcement agencies.
In many cases, it wasn't like the overall agency. It was just a police officer themselves that subscribed. It may be a detective, etc. The New York Times ran a front-page article in January saying that Clearview AI may end privacy as we know it, and man, is that ever true. They have been quietly selling access to these facial images and facial recognition software to over 600 law enforcement agencies. Now with this data breach, it looks like it's more than 2200. Although we have not seen the list posted online yet, we may end up seeing it posted online. It depends on who did this and if it was a nation-state, which is entirely possible. They are trying to find out a little bit more about us, or whether it was somebody else.
It reminds me a lot about the founding of Facebook and why I've been against Facebook over the years, right? Facebook was very unethical at its start. They stole all the photos of women going to Harvard University and then had people be able to go to their little website and rate the women, right? Rate them? Yeah, on their looks, using all stolen photos. That's the allegation behind it all. It certainly seems to be true. Microsoft, that's another reason. I just, I don't use the word hate very often, believe me, but I do hate Microsoft and the way they started. They unethically sued people and played games with trying to buy them by lying about the rights that they had. Bill Gates outright lying to IBM and others, back in the early days. A good friend of mine says, Craig, if you didn't have any ethics, you would be one of the wealthiest people in the country. Your ethics kept you from doing that, yet you bent over backward to help people. Companies like these need to go out of business, and need to go out of business fast. It's crazy. We've got the Biometric Information Privacy Act that Clearview AI has violated.
Clearview AI has also been told by Twitter, Facebook, Google, and YouTube to stop scraping. Those companies have ordered it to stop that. It is against the policies. The Times noted that there's a strong use case for Clearview AI technology: finding the victims of child abuse. It makes a lot of sense. One retired Chief of Police said that running images of 21 victims of the same offender returned nine of 14 minors' identifications, the youngest of whom was 13. So where do we draw the line, I should say; what should we be doing here? It goes back to the whole fruit of the poisoned tree principle that exists in the law, that you've seen on TV and in movies many times: any evidence illegally obtained can't be used, nor anything that comes of that evidence. It is why some Federal investigators play games with where did you get this evidence? Russia? Did it come from Christopher Steele? Should we have something similar in this case? I think that we should, if they stole information from these companies, which they did. It's, frankly, intellectual property theft at the very least. That means it is of no use in any sort of a police case that started an investigation and any legal matters that follow. That's my opinion. I don't know what yours is. I'd love to hear from you: email me at Craig Peterson dot com. Thank God they were able to find some of these victims of child abuse. But at the same time here, we should have some rights to privacy. It may already be too late. I guess we'll know soon enough.
Hey, when we get back, we're going to talk about Barbara Corcoran. She's the star of Shark Tank, and she just lost 400 grand in a scam. We'll tell you all about it. You are listening to Craig Peterson on WGAN. And make sure you sign up online at Craig Peterson dot com.
Hi, everybody. Yeah, that means we're back. Craig Peterson here on WGAN.
We're going to talk right now about a TV show that I have enjoyed watching over the years. There are a few shows that I watch pretty regularly. Of course, there are some sci-fi shows; we won't talk about those right now. But a couple of them are The Profit. I enjoy that show. I like the guy who is the main character on that show, and his name is Marcus Lemonis. He owns a considerable interest in Camping World, as well as Good Sam Club, and he invests in small businesses. I disagree with him almost 100% on politics, but he does try and help people out, which I think is fantastic, and he goes into these businesses that are struggling, that are trying to figure out how do we move to the next step, or how do we even survive? Then he helps them out, and he frequently invests in them. When he invests, he takes a good chunk, usually enough so that he has a controlling interest, in other words 51%, sort of a thing. Then he's off and running, and he helps build them into real successful companies. Now, I guess it goes back to the question of, would you rather have a small slice of a massive pie as an owner, or would you rather have 100% of a tiny pie that may end up collapsing in on itself at some point in time? That's kind of the decision these people have to face as they are talking with him and trying to figure it out. So I like that show. He had a good episode recently that I found very, very fascinating. Check that one out, The Profit. Another one that I've enjoyed over the years is Shark Tank. Now Shark Tank, if you haven't seen it, is a show, and there are a number of them. It's called Dragons' Den overseas. There's one in the UK. There's a Shark Tank in Canada, and there's a Shark Tank in Australia, all called slightly different things. The idea behind Shark Tank is you go in there, you make a pitch to these investors, and the investors decide if they're going to throw some money at you.
They will make a deal saying, okay, for 20% of your company I'll give you this much money, or, you know, I'll bring in people to help out, but I want a controlling interest, or whatever it is. Well, one of the business moguls on there who is part of this whole judging team on Shark Tank just last week lost nearly $400,000. It was disclosed that the 400 grand loss came through an email scammer. Now, if she had been listening to this show, she would have known about it. She would have known what's happening. She has enough money that she kind of brushed it off. Oh well, she thinks that she'll never get the money back. And you know what? She's probably right. We've seen that happen many times; even with the FBI getting involved, most of the time that money never, ever comes back to you. According to media reports, a scammer who was posing as Barbara Corcoran's executive assistant forwarded to her bookkeeper an invoice requesting payment. I'm looking at the email right now. Barbara released it, which is great, as that way people can see what happened. It's an email from Jake somebody, sent on Friday, February 21, and addressed to Emily, carbon copy Michelle. The subject was forward, Invoice 873, and it's got the name of a German company. It begins, Hello Emily. Please see the attached invoice below for payment. We are ready to proceed, and we are shipping next week. Please ensure the invoice is paid on time; shipping charges are additional. It looks like a real invoice. It's got the due date on it, which was the 27th, and the amount was $388,700 and 11 cents. And it looks, as I said, kind of like a standard invoice. Dear customer. Please see the attached invoice. Wire transfers should be directed to FFH Concept GmbH, address in Berlin, Germany. Bank details include the bank name, the account name, the bank address, the IBAN number, the SWIFT number; thank you for your business, we appreciate it very much.
The truth was, this email did not originate from Barbara Corcoran's executive assistant. Instead, what happened here is that the scammers created an email address that looked the same as her executive assistant's. It had one letter different in it. At first glance, it seems legitimate: yeah, this is from the executive assistant. You and I look at 400,000 and say, Whoa, wait a minute now. I don't even have that much. In this case, for Barbara Corcoran, this was pretty normal. This is not the only invoice of this amount, because she is involved in so many real estate deals. That's how she made her money, in real estate. She gets these invoices from these companies all over the world. It did not look that strange. All the bad guys, in this case, had to do was a little bit of research. They found out the executive assistant's name, and they found out what the email address was. The bookkeeper did not spot this little spelling error, if you will, in the email address. When she asked questions about the purpose of the payment, all communication went straight to the scammers and not to the assistant. What did she do? She hit reply, and the response went straight to the scammers, and the scammers gave her what appeared to be a reasonable answer, right. On Tuesday last week, seemingly satisfied by the answers she'd received from the scammers posing as Barbara Corcoran's executive assistant, the bookkeeper transferred almost $400,000 into the bank account controlled by the scammers. It was only when the bookkeeper manually CC'd Corcoran's assistant directly with confirmation that the invoice was paid that it became clear what happened. So, again, that tells you, don't respond to emails, right? Look it up, use a contact list, use your autocomplete to try and reach out to somebody to verify it. I always go one step further, and that is to get on the phone and confirm the transaction.
Now, in speaking to People magazine, Barbara Corcoran again apparently was pretty okay about the theft. She says, quote, I lost the 400,000 as a result of a fake email sent to my company. It was an invoice supposedly sent by my assistant to my bookkeeper, approving the payment for real estate renovation. There was no reason to be suspicious. I invest in quite a bit of real estate. I disagree with that; there was reason to be suspicious.
Anyhow, I was upset at first, but then remembered, it's only money. Good for her. Frankly, she posted on Twitter about it. Lesson learned. Be careful when you wire money. She retweeted something from TMZ about her getting hooked in this scam. I'm glad she has a positive attitude about it. It's very unlikely, as I said earlier, that she'll ever recover a dime from these fraudsters because of the way the money was wired. Ninety seconds later is all it takes for the cash to be gone and out of reach. And they probably went ahead and transferred it from German banks to other banks, and they continue to move the money around. It's kind of like what happened in Eastern Europe and Ukraine, with a billion dollars in aid that we sent that ended up bouncing around between multiple companies in multiple countries to hide whose pocket it ended up in. It's just kind of crazy. It can happen to anyone, and it can happen to any of us. Every last one of us, business person or otherwise, needs to be on guard. Don't reply to emails. Always make sure you enter in the email address if it's anything that might be of concern. Remember that banks and other places, including the IRS at tax time, are unlikely to be sending you emails about some of this stuff. Just double-check and phone them; look them up online and phone that number. Ask a question of their help people over on their website.
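The lookalike address in the story above was one letter off from the real assistant's, and the bookkeeper's reply went straight back to the scammer. The check below, an added example written for this page and not code from the show or from any of the companies mentioned, is the kind of screen a bookkeeper's mail filter can apply before anyone replies: it compares the sender against a trusted address book using edit distance, flags a trusted display name on a never-seen address, and flags a trusted address whose Reply-To points elsewhere. The address book and the sample headers are constructed for the example.

```python
"""Flag sender addresses that are near-misses of a trusted contact.

Added example. The address book and all sample headers are constructed;
they are not real addresses from the story.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed address book: trusted address -> display name we expect with it.
TRUSTED_CONTACTS = {
    "emily.assistant@example-corp.com": "Emily",
    "accounts@vendor-example.de": "Vendor Accounts",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    risk: str    # "trusted", "lookalike" or "unknown"
    reason: str


def assess_sender(from_header: str, reply_to_header: str = "",
                  max_distance: int = 2) -> Verdict:
    """Classify a From: header against the address book.

    A lookalike is (a) an address a few edits away from a trusted one,
    (b) a trusted display name on an address we have never seen, or
    (c) a trusted address whose Reply-To points somewhere else.
    Anything flagged here should be confirmed out of band (phone the
    contact using a number from the address book, not from the mail).
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    _, reply = parseaddr(reply_to_header)
    reply = reply.lower()

    if addr in TRUSTED_CONTACTS:
        if reply and reply != addr:
            return Verdict(addr, "lookalike",
                           f"Reply-To {reply} differs from trusted From address")
        return Verdict(addr, "trusted", "exact match in address book")

    # (a) one or two characters changed, e.g. a swapped letter in the domain
    for known in TRUSTED_CONTACTS:
        dist = levenshtein(addr, known)
        if dist <= max_distance:
            return Verdict(addr, "lookalike",
                           f"{dist} edit(s) away from trusted {known}")

    # (b) a known person's name on a foreign address
    first = name.split()[0].lower() if name else ""
    for known, known_name in TRUSTED_CONTACTS.items():
        if first and first == known_name.split()[0].lower():
            return Verdict(addr, "lookalike",
                           f"display name '{name}' belongs to {known}")

    return Verdict(addr, "unknown", "not in address book")


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ["Emily <emily.assistant@example-corp.com>",
                "Emily <emily.assistent@example-corp.com>",
                "Emily <emily@totally-other.net>",
                "Bob <bob@somewhere.org>"]:
        v = assess_sender(hdr)
        print(f"{v.risk:9} {v.sender}: {v.reason}")
```

The edit-distance threshold of two catches single swapped or dropped letters and digit-for-letter substitutions while leaving genuinely different addresses as "unknown"; a mail gateway would typically quarantine "lookalike" and let a human confirm by phone, which is the extra step described above.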
Well, we've got one last segment here, and we're going to be talking about new security features from Firefox that mean insecurity to you. This is Craig Peterson on WGAN, and you know I like Firefox, right?
Hey, welcome back, everybody. Craig Peterson here on WGAN and online at Craig Peterson dot com. Well, that's Peterson with an -on, dot com.
Hey, thanks for joining us today. We've had a great day. We've talked about where you can find a little bit of nostalgia online over at the Internet Archive. We talked about reducing risk through data minimization. I described how ransomware became a multi-billion dollar industry. We talked about the changes that have recently happened with ransomware that will require you to make a change in what you're doing to stop becoming a victim. Then we got into how you should answer a non-technology executive who asks you, how secure are we? How do you answer that question to your family as well? Because we are all the cavalry, right? We're the people that our friends, family, our people from church, the business people, they all come to us. So I wanted to make sure we covered that, the next generation here of security metrics, how long does it take to harden your systems, and we've got a course coming up on that here in a couple of weeks and a bunch of tutorials to help you out. The company that we talked about, Clearview AI, very, very bad guys, frankly, very unethical. They just lost their entire database of Facebook buying clients to hackers. And then they brushed it off like it's no big thing.
Hey, you know, everybody gets hacked nowadays. Man, talk about a company with no ethics at all. We talked about them, and then, of course, most recently, we just talked about business email compromise. We gave you a specific example here of Barbara Corcoran. She is one of the business moguls over on Shark Tank. How she lost almost $400,000 in a scam, and what you can do to help protect yourself. And we gave away some actual clues here, precisely what the bad guys are doing to try and get that information or get us to do that, right? What kind of information are they gathering about us?
Well, I want to talk about Firefox here for a few minutes, a whole web browser thing. And this has to do with security. And this is an article over on welivesecurity.com that made me think about what is going on with Firefox and Mozilla. Now, if you've been on any of my training courses, you know the browser you absolutely should never use, ever, ever, ever, unless there is a gun to your head, and then it's okay, is Internet Explorer. It is just one of the worst browsers ever. You know, it's just terrible. It's right up there with the original browser, the NCSA Mosaic, but at least that was changing the industry. Internet Explorer was just a huge security hole. I mean crazy. The things it allowed programmers to do, and it was such an avenue for hacking. You know that, right? Don't ever use Microsoft's Internet Explorer. Then they came out with the Edge browser, and they had problems with that, so now they've scrapped the Edge browser for the Edge browser. Yes, I said that. Microsoft, you know how it goes with them, right? I used to get so upset, and I just let it go. You know, they call the database server SQL Server as though they invented SQL. IBM created that decades ago, but no, no, they took the copyright for it. Okay.
Man, now they've got their new PowerShell as though it's a new concept. Are you kidding me? We have been using shells in the computer business since forever, since the '60s certainly, in the Unix world. Anyhow, on and on and on and on. So they threw out their Edge browser. And Microsoft started to use Google's Chrome browser, Chromium, as the base for the new Edge browser. And there are still some problems with it. We're having some issues with the Edge browser at a couple of our customers' sites, mainly dealing with updates and getting it to update correctly. I don't know if any of you guys are having that problem. It's interesting because the machines that have regular Windows 10 on them, that were factory-installed Windows 10 and then cleaned up afterward, those are the ones that are having trouble updating the Edge browser. And the machines that are using an image that we built from scratch, which is what we usually like to do for our customers, are working just fine. If you're having issues with the Edge browser, let me know, I'd love to know.
Next, down near the bottom of the list is Google's Chrome. Now, Chrome is pretty secure, generally speaking. There are a few extensions that you want to use with any browser, including Chrome. We'll be covering them starting next week, guaranteed, so keep an eye on your email box. These will be free tutorials. I'm not selling you, blah, blah, right? These extensions are ones you're going to want to use. The biggest problem I have with Chrome is Google collecting all of the information in the world and selling it to the highest bidder. Okay, that's the biggest problem I have with Chrome. And then I use either Firefox or Opera. Those are my two go-to browsers for the most part. Firefox has been very, very good, and if you're a Facebook user, Firefox has some fantastic features. Firefox does fencing on Facebook so that Facebook cannot look at the other tabs that you have on your machine. It cannot look at the cookies your computer has that are set by other sites. It puts a fence up around Facebook's website, which is fantastic, right? Good for you and Firefox, probably the best browser out there when it comes to using this type of fencing technology for our friends over at Facebook. Opera is known to be very fast, which is kind of their claim to fame. They also adopted Google's Chromium base, but they've done a lot of good stuff on top of it. Those are the two I've been recommending and have talked about frequently, basically for a few years now. Those are the two you want to use. Well, Firefox is now turning on something called DNS over HTTPS. It's turning it on by default for US users. I want the cavalry to be aware of this. The cavalry is you guys. It's everybody that people come running to when there's a problem. Okay? So I want you guys to be aware of this. Why? It breaks security systems. Now, you might stop and say, well, wait a minute. My wife said, what do you mean, Craig, this is contradictory. You're usually saying the opposite.
HTTPS is, you know, the Secure Sockets version of web browsing online and is based on TLS. It's SSL, right? All of these things. It is security, and the thinking behind this short name, DoH, which is DNS over HTTPS, is this. When you are at home, and you are going to a website, you have to turn the name into an IP address because you can't remember the IP address. You're going to ask your internet service provider, what's the IP address for this? Or maybe you're going to ask a third party for the conversion of the name to an IP address. When you ask for it, it gets sent in the clear, and it is possible to deflect it.
Some ISPs do intercept now, but it isn't necessarily nefarious. Some manipulate it to insert a little crap into it. Some of them play those types of games, which I disagree with, but it's not necessarily nefarious. So the idea is if they use encryption to make that DNS request to a DNS server, then that problem goes away. No one in the middle can sit there and watch your DNS requests to know where you're going online. They can't muck with them either, right? That's the other side of this idea. So here's what you guys in the cavalry need to know. That is, if it is encrypting DNS by default, which Firefox is starting to do, it means that we can no longer use third-party DNS services without making some configuration changes on our users' computers. Whether it's a family, whether it's a business, whatever it might be. So coming up here, in a couple of weeks, I'm going to be having a webinar on how to use particular DNS services to stop the spread of ransomware, hackers, and everything else, right? I'm going to walk you through what the strategy is, what the tactics are behind it. What are you going to do? How are you going to do that? Why should you do it? This type of thing that Firefox is going to do is a double-edged sword. There is no privacy added by DNS over HTTPS. Okay, absolutely none. It's a lie that the marketers and proponents are trying to tell to cover up the real motives. DNS over TLS offers the same privacy. They both rely on TLS here, right? But it can have amazingly negative implications for security. How do you now identify malware communicating, because it can masquerade as regular HTTPS traffic on the networks? There are multiple ways to deal with the changes. I'll be adding this into my course coming up, as this is going to be a bit of a big deal. When we're talking about these DNS services that you can use, the free ones and the paid ones, I'm going to show you how to use them to improve your security dramatically.
The free ones are great for a small office, home office, or for families. I'll tell you how to do all of that. I'm a little concerned and more than a bit disappointed by our friends over at Mozilla for doing this. I have mixed feelings again, but because you're the cavalry, I thought you needed to know, and so I am telling you right now. So that's a wrap-up for today's show.
I want to encourage everyone, if you do not get my Saturday morning newsletter, to sign up for it right away. I have links to these articles and other articles that you need to handle. Also, some of the security patches as they come out, the most critical patches. I tell you about them and give you links to install them. It is free, and you can get that by just going to Craig Peterson dot com, slash subscribe. You'll also find out about the tutorials I have coming up and some of the training that we have, our implementation calls and guides. We have playbooks, we've got so much cool stuff to help you guys out. It is part of my give-back. For many of you, it will be the turning point in your security, in business, and at home. Craig Peterson dot com slash subscribe. Listening on WGAN and online.
Transcribed by https://otter.ai
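To make concrete what the show describes, here is an added example (not from the show, Mozilla, or welivesecurity.com) that builds the RFC 8484 GET form of a DNS-over-HTTPS lookup and decodes it again; the resolver hostname is a placeholder. It shows why a DoH lookup appears on the network as just another HTTPS request, which is the filtering problem the segment raises.

```python
import base64
import struct

# Placeholder DoH endpoint for this constructed example; not a real resolver.
DOH_ENDPOINT = "https://doh.example.invalid/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035) for `name`.

    RFC 8484 recommends a zero transaction ID so that identical questions
    yield byte-identical messages (and thus cacheable URLs)."""
    # Flags 0x0100 = recursion desired; one question, no answer/authority/additional.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def doh_get_url(name: str, qtype: int = 1) -> str:
    """Wrap the query in the RFC 8484 GET form: base64url, padding stripped.

    On the wire this is an ordinary HTTPS GET; a network DNS filter that only
    sees port-53 traffic never observes the name being resolved."""
    raw = build_dns_query(name, qtype)
    b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={b64}"


def decode_doh_param(url: str) -> bytes:
    """Inverse of doh_get_url: recover the raw DNS message from the dns= parameter."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore the padding RFC 8484 removes
    return base64.urlsafe_b64decode(b64)


def parse_question_name(msg: bytes) -> str:
    """Read the question name out of a DNS message (questions use no compression)."""
    offset, labels = 12, []  # question section starts right after the 12-byte header
    while msg[offset] != 0:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    url = doh_get_url("www.example.com")
    print(url)  # only the endpoint hostname is visible to the network (via TLS SNI)
    print(parse_question_name(decode_doh_param(url)))
```

The `dns=` value for `www.example.com` matches the worked example in RFC 8484 section 4.1.1, so the round trip here can be checked against the standard itself.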
---
For questions, call or text:
855-385-5553