ClearChannel Radio's Number One Weekend Tech Show in the Boston Market -- More Than 20,000,000 Podcast Downloads! Craig interviews top industry insiders and explains the technology secrets everyone needs to know. www.CraigPeterson.com
How Private is Crypto? What About WhatsApp and Signal?

Cryptocurrencies were thought to be like the gold standard of security, of having your information stay private. Maybe you don't want to use regular currency and transactions. It's all changed.

[Automated transcript follows.]

[00:00:14] We have had such volatility over the years when it comes to what are called cryptocurrencies.

[00:00:21] Now, I get a lot of questions about cryptocurrencies. First of all, let me say, I have never owned any cryptocurrencies and I do not own any crypto assets at all. Most people look at cryptocurrencies and think of a couple of things. First of all, an investment. An investment is something that you can use or sell, right?

[00:00:42] Typically, investments you don't really use. It's like a house. Is it an investment? Not so much. It's more of a liability, but people look at it and say, listen, it went from 10,000 Bitcoins to buy a pizza to $50,000 per Bitcoin. There's a pretty big jump there.

[00:01:03] And yeah, it was pretty big. And of course, it's gone way down and it's gone back up and it's gone down. It's gone back up. But the idea of any kind of currency is, can you do anything with the currency? You can take a dollar bill and go and try and buy a cup of coffee. Okay, a $10 bill, and buy a cup of coffee in most places anyways.

[00:01:26] That sounds like a good idea. I could probably use a cup of coffee right now. I've got a tickle in my throat. I hate that. But if you have something like Bitcoin, where can you spend it? You might remember Elon Musk was saying, yeah, you can use Bitcoin to buy a Tesla. Also, Wikipedia would accept donations [00:01:45] via Bitcoin. There were a number of places online that you could use Bitcoin. In fact, there's a country right now in south central America that has Bitcoin as its currency. That's cool too. When you think about it, so what are you gonna do? Latin American country?
I'm trying to remember what it is. [00:02:05] Oh yeah, it's El Salvador, the first country in the world to adopt Bitcoin as official legal tender. Now there are a number of reasons they're doing that, and they can do it basically. If you've got a dictator, you can do almost anything you want to. So in El Salvador, they've got apps that you can use, and you can go and buy a taco using Bitcoin using their app.

[00:02:31] So there you go. If you have Bitcoin, you can go to El Salvador and you can buy all of the tacos and other basic stuff you might wanna buy. But in general, no, you can't just go and take any of these cryptocurrencies and use them anywhere. So what good are they as a currency? We already established that they haven't been good as an investment unless you're paying a lot of attention and you're every day buying and selling based on what the movement is.

[00:02:59] I know a guy that does exactly that. He's a day trader, basically, in some of these cryptocurrencies. Good for him. But in reality, is that something that makes sense in the long term? Is that going to help him long term? I don't know. I really don't, because again, there's no intrinsic value.

[00:03:18] So some of the cryptocurrencies have decided, let's have some sort of intrinsic value. And what they've done is they've created what are generally known as stablecoins. And a stablecoin is a type of cryptocurrency that behind it has the ability to be tied to something that's stable. So for instance, one that really hit the news recently is a stablecoin that is tied to the US dollar.

[00:03:46] And yet, even though it is tied to the US dollar, and the coin is a dollar and the dollar is a coin, they managed to get down into the few pennies worth of value, kind of like a penny. So what good was that? It has since come back up. Some are tied to other types of assets. Some of them say we have gold behind us.

[00:04:09] Kind of like what the United States used to do back when we were on the gold standard.
And we became the petrodollar, where countries were using our currency, US dollars, no matter which country it was, to buy and sell oil. Things have changed, obviously. And we're not gonna talk about the whole petrodollar thing right now.

[00:04:30] So forget about that. Second benefit. Third benefit is, well, it's crypto, which means it's encrypted, which means we're safe from anybody spying on us, anybody stealing it. And of course, that's been proven to be false too. We've seen the cryptocurrencies stolen by the billions of dollars. We've seen these cryptocurrencies lost by the billions of dollars as well.

[00:04:58] That's pretty substantial. We get right down to it, lost by the billions because people had them in their crypto wallets, lost the password for the crypto wallet, and all of a sudden, now they are completely out of luck. Does that make sense to you? So the basic idea behind currency is to make it easier to use the currency than to say, I'll trade you a chicken for five pounds of nails.

[00:05:25] Does that make sense to you? So you use a currency. So you say the chicken is worth five bucks. Actually, a chicken nowadays is about $30 if it's a laying hen, and those five pounds of nails are probably worth about $30. So we just exchange dollars back and forth. I think that makes a lot of sense. One of the things that has driven up the value of cryptocurrencies, particularly Bitcoin, has been criminal marketplaces.

[00:05:53] As you look at some of the stats of ransoms that are occurring, where people's computers are taken over via ransomware, and then that person then pays a ransom. And what happens when they pay that ransom? Well, they have to go find an exchange, pay US dollars to buy cryptocurrency, Bitcoin usually. And then they have the Bitcoin and they have to transfer it to another wallet. Whether or not the bad guys can use the money [00:06:25] is, again, a separate discussion.
They certainly can, and they do, because some of these countries like Russia are going ahead and just exchanging the cryptocurrencies for rubles, which again makes sense if you're Russia. Now we have a lot of criminals that have been using Bitcoin for ransoms. Businesses, [00:06:49] publicly traded businesses, have been buying Bitcoin by the tens of millions of dollars so that they have it as an asset in case they get ransomed. Things have changed. There's a great article in NBC News by Kevin Collier. And Kevin's talking about this California man who was scammed out of hundreds of thousands of dollars worth of cryptocurrency.

[00:07:15] Now this was a fake romance scam, which is a fairly common one. It tends to target older people who are lonely, and a romance starts online and they go ahead and talk and kind of fall in love. And it turns out she or he has this really almost terminal disease. If only they had an extra hundred thousand dollars to pay for the surgery.

[00:07:45] You know the story. So he was conned out of the money. What's interesting to me is how the investigation and investigative ability has changed over the years. Probably about five years ago, I sat through a briefing by the Secret Service, and in that briefing, they explained how they had gone and quite cleverly tracked the money that was being sent to and used by this dark web operator who ran a site known as Silk Road.

[00:08:22] And that site was selling illegal things online. Oh, and the currency that they were tracking was Bitcoin. Yes, indeed. So much for cryptocurrency being secure. Five years ago, the Secret Service was able to do it. The FBI was able to do it, and they couldn't do a whole lot about it. But part of the problem is all of your transactions are a matter of public record.

[00:08:52] So if someone sends you a fraction of a Bitcoin, that is now in a ledger, and that ledger now can be used, because when you then spend that
fraction of a Bitcoin somewhere else, it can be tracked. It is tracked. It is a hundred percent guaranteed to be tracked. And once it's tracked, government can get in.

[00:09:15] Now, in this case, a deputy district attorney in Santa Clara County, California, was able to track the movement of the cryptocurrency. Yeah. So this district attorney, okay, deputy district attorney, not the FBI, not the Secret Service, not the National Security Agency, a local district attorney in Santa Clara County, California, not a particularly huge county, but [00:09:44] she was able to track it. And she said that she thinks that the scammer lives in a country where they can't easily extradite them, and so they're unlikely to be arrested any time soon. So that includes countries like Russia that do not extradite criminals to the United States. Now, getting into the details.

[00:10:03] There's a great quote from her in this NBC News article: "Our bread and butter these days really is tracing cryptocurrency and trying to seize it and trying to get there faster than the bad guys are moving it elsewhere, where we can't grab it." So she said the team tracked the victim's money as it bounced from one digital wallet to another, till it ended up at a major cryptocurrency exchange where it appeared the scammer was planning to launder the money or cash out. They sent a warrant to the exchange, [00:10:35] froze the money, and she plans to return it to the victim. That is a dramatic reversal from just a few years back when cryptocurrencies were seen as a boon for criminals. Amazing, isn't it? Stick around. We've got a lot more to talk about here, and of course, sign up online, CraigPeterson.com, and get my free newsletter.

[00:11:01] There have been a lot of efforts by many companies, Microsoft, Apple, Google, to try and get rid of passwords. How can you do that? What is a password, and what are these new technologies? Apple thinks they have the answer.
[00:11:17] Passwords have been the bane of existence for a long while. And if you'd like, I have a special report on passwords, where I talk about password managers, things you can do, things you should do in order to help keep your information safe online, things like [00:11:34] bank accounts, et cetera. Just email me, CraigPeterson.com, and ask for the password special report and I'll get it to you. Believe me, it's self-contained. It's not trying to get you to buy something. Nothing. It is entirely about passwords and what you can do. Again, just email me, firstname.lastname@example.org, and we'll get right back with you.

[00:11:56] Give us a couple of days. Passwords are a problem. And over the years, the standards for passwords have changed. I remember way back when some of the passwords might be 2, 3, 4 characters long, and back then, those were hard to crack. Then Unix came along. I started using Unix, and when was that?

[00:12:16] Probably about '81. And as I was messing around with Unix, they had a couple of changes in how they did passwords. They added a salt to it. They used basically the same cipher that the Germans used in World War II, that Enigma cipher, which again was okay for the times. Today, we have much more powerful ciphers, and the biggest concern right now amongst real cybersecurity people, [00:12:43] government agencies, is, okay, so what are we going to do when these new quantum computers come along with their artificial intelligence and other things? That's going to be a bit of a problem, because quantum computers are able to solve problems in fractions of a second, even, that traditional computers cannot solve.

[00:13:10] It's a whole different thing. I want you to think about something here. If you have a handful of spaghetti, now we're talking about hard spaghetti, not cooked spaghetti, and they're all dried out and they are of varying lengths.
How could you sort those from the smallest to largest, if you will? How could you find which ones were the longest, perhaps, [00:13:37] which ones were the shortest? There's an analog way of doing that and there's a digital way of doing that. So the digital way for the computer would be to measure them all and compare the measurements and then identify how long the longest one was. And then maybe you'd have to go back and try and find that.

[00:13:55] So you can imagine that would take some time. The analog way of doing that, because there still are analog computers out there and they do an amazing job in certain tasks, but the analog way of doing that is, okay, so you take that bundle of various length spaghetti and you slam it on the table. What's gonna happen? Well, those pieces of dried spaghetti are going to self-align, right?

[00:14:22] The shortest ones are going to be down at the bottom and the tallest ones are gonna be sticking out from the top. So there you go. There's your tallest, your longest pieces of spaghetti, and it's done instantly. So that's just an idea here. Quantum computing's not the same thing, but that's a comparison, really, of digital and analog computers, but it's the same type of thing.

[00:14:45] Some of these problems that would take thousands of years for a digital computer to work out can just take a fraction of a second. It's absolutely amazing. So when we're looking at today's algorithms, today's programs for encrypting things like military information, secret telegrams, if you will, going back and forth inside the Secretary of State, embassies worldwide.

[00:15:10] Today they're considered to be quite secure, but with quantum computing, what's gonna happen? So there are a lot of people out there right now who are working on trying to figure out how can we come up with an algorithm that works today with our digital computers and cannot be easily solved by a quantum computer.
[00:15:34] We have a pretty good idea of how quantum computers are going to work in the future, how they work right now, but this really gets us to the next level, which is cool. Frankly, that's a little bit here about cybersecurity. How about you and your password? How does this all tie in?

[00:15:51] There are a few standards out there that people have been trying to pass. It's no longer the four character password you might remember. Oh, it needs to be eight to 10 characters, a random mix of upper and lowercase, special characters, digits. You remember those? And you should change it every 30 days.

[00:16:09] And those recommendations changed about three or four years ago when the National Institute of Standards and Technology said, hey guys, a passphrase is much better than what we've been doing, because people are gonna remember it and it can be longer. So if you are using, I have some passphrases I use that are 30 characters or more.

[00:16:33] And I mix up the case and I mix in some special characters and some numbers, but it's a phrase that I can remember, and I have different phrases for different websites, because I use a password manager. Right now I have about 3,100 entries in my password manager. That's a lot. And I bet you have a lot more passwords, or at least a lot more websites and accounts, than you realize.

[00:17:03] And so that gets to be a real problem. How do you make all of this work and make it easy for people? One of the ways that they're looking at using is something called the FIDO Alliance's technique. And the idea behind FIDO is actually similar to what I do right now, because I use 1Password.com.

[00:17:24] I have an app on my phone and the phone goes ahead and gives me the password. In fact, it'll put it in. I have plugins in my browsers. It'll put it right into the password form on the website. And then it'll ask me on my phone, hey, is that really you?
And I'll say yes, using Duo, and ta-da, I'm logged in. It's really quite cool.

[00:17:48] FIDO is a little different than that, but the same. The whole idea behind FIDO is you register at a website and the website will send a request to the FIDO app that's on your phone. So now on your phone, you'll use biometrics or maybe a one-time pass key, those six digit keys that change every 30 seconds.

[00:18:13] And so now you, on your phone, you say, yeah, that's me. That's good. That's me. Yeah. Okay. And then the app will exchange with the website, using public key cryptography, a public key, and it's gonna be a unique public key for that website. So it'll generate a private key and a public key for that website.

[00:18:35] And now, ta-da, the website does not have your password and cannot get your password. And anytime you log in, it's going to ask you on your smartphone, is this you? And there are ways beyond smartphones. And if you wanna find out more about passwords, I've got, again, that free special report, just CraigPeterson.com.

[00:18:59] Email me, just email email@example.com, and I'll make sure we send that off to you. It explains a lot about passwords and current technology. So FIDO is one way of doing this, and a few different companies have gone ahead and have invested some into FIDO registration, because it requires changes on the websites as well in order to work [00:19:25] with FIDO. Now you might use a PIN, you might use the biometrics, et cetera, but Apple has decided they've come up with something even better. Now there's still a lot of questions about what Apple is doing, but they are rolling it into the next release of iOS and also of the Mac operating system. And you'll be able to use that to securely [00:19:48] log into websites. I think Apple's gonna get a lot of traction on this, and I think it's gonna be better for all of us involved here. We'll see. There's still a lot of unanswered questions, but I'll keep you up to date on this whole password technology. Stick around.
[00:20:08] There are ways for us to communicate nowadays, easy ways, but are the easy ways the best ways? That's the question here, frankly. And part of this answer has to do with WhatsApp, and we'll talk right now.

[00:20:23] Many people have asked me about secure messaging. You probably know by now that sending text messages is not secure.

[00:20:34] In fact, it could be illegal if you have any personal information about patients or maybe employees. You just can't send those over open channels. So what Apple has done, for instance, is they've got their messaging app, and if the message is green, it's just reminding you that this is a text message. Now they stuck with green because that was the industry's standard.

[00:21:01] Green does not mean safe in the Apple world when it comes to iMessage. Blue does. So they've got end to end encryption. So if the message is blue, that means the encryption's in place from side to side. Then, on the other end of the spectrum, there are apps like Telegram, which are not particularly safe.

[00:21:22] Now, Telegram has pulled up its socks a little bit here, but in order to have end to end encryption in Telegram, you have to manually turn it on. It is not on by default. I also personally don't trust Telegram because of their background, things that they've done in the past. Avoid that.

[00:21:43] WhatsApp is something I've been asked about. I had a family member of a service member who was overseas ask if WhatsApp was safe for them to communicate on, because they didn't want third parties picking up private messages. Things you say and do online with friends and family are not necessarily things that are for public consumption.

[00:22:06] So the answer that I gave was, yeah, you might remember Facebook getting WhatsApp. They bought it and decided they were going to make some changes to the privacy settings in it. Now that was really a big mistake. They said, we're gonna add advertisements. How are you going to effectively advertise?
[00:22:27] If you don't know what we're talking about, have you noticed advertising platforms? If you look up something, or someone else in your house looks up something, if your neighbors are looking up something, they assume that you might be interested in it as well. So what do they do? They go ahead and show you ads for that brand new pair of socks that you never really cared about, but because the algorithms in the background figured, yeah, that's what you've been talking about, [00:22:55] let's pass out your pair of socks. So if Facebook is going to add ads into WhatsApp, what's going to happen? Are they going to be monitoring what you're saying and then sending you some of these messages, right, these ads? Because of that, a lot of people started looking for a more secure platform, and that's frankly where Moxie Marlinspike comes in, a fun name, a nom de plume in this case, but he started a company called Signal.

[00:23:30] He didn't just start it. He wrote the code for it, the server code, everything. And the whole idea behind Signal was to have a guaranteed safe end to end way to communicate with a third party, with a friend, a relative, et cetera. So Signal is something that I've used in the past, and I use it from time to time now as well, depending on who I'm talking to.

[00:23:56] And it does allow you to send messages. It does allow you to talk. You can do all kinds of stuff with it. So now there's an issue with Signal. It's disappointing. Moxie has stepped down from running Signal. There's a company behind it. In January 2022, he said the company's big enough, they can run themselves.

[00:24:19] He's still on the board of directors. And the guy who's currently the head of Signal is also a very privacy focused guy, which is really good too. Signal, by the way, is free, and you can get it for pretty much any platform you would care to have it for. A very nice piece of software. I like what they've done.
[00:24:38] Now the problem is that some of those people at Signal have decided that they should have a way of making payments inside Signal. So a few months ago, they went ahead and added into Signal a piece of software that allows you to send payments online. Now this is a little concerning, and let's talk about some of the reasons for the concern.

[00:25:09] Basically, what we're seeing is a cryptocurrency that Moxie himself helped to put in place. Now, I guess that's good, because he understands it. It's supposedly a cryptocurrency that is privacy focused. And that's a good thing. What type of crypto is it that's privacy focused? And how good is it going to be?

[00:25:34] Those are all good questions, but here's the biggest problem I think that comes from this. We've got our friends at Facebook, again, trying to add crypto payments to their various messenger and other products. We're seeing that from a lot of these communication systems, because they can skim a little off the top legally, charge you a fee, and then make their money that way. But what happens when you put it into an encrypted messaging app? Bottom line, a lot of bad things can happen here, because now all of a sudden you come under financial regulations, right? Because you are performing a financial function. So now, potentially here, there could be criminal misuse of the app, because you could have ransomware and they say, reach us on Signal.

[00:26:33] Here's our Signal account, and go ahead and send us crypto. It's called MobileCoin, by the way, this particular cryptocurrency. So now all of a sudden you are opening up the possibility of all kinds of bad things happening, and your app, Signal, which was originally great for messaging, now being used nefariously.

[00:26:57] I think that's a real problem. Now, when it comes to money transfer functions with cryptocurrencies, to say that they're anonymous, I think, is a hundred percent a misnomer, because it's really pseudo-anonymous.
It's never completely anonymous. So now you've increased the legal attack surface here. So now the various regulators and countries around the world can say, hey, [00:27:26] this is no longer just a messaging app. You are using it to send money. We wanna track all money transactions. And so what does that mean? That means now we need to be able to break the encryption, or we need to shut down your app, or you need to stop the ability to send money. So the concern right now with Signal is we really could have some legal problems with Signal.

[00:27:53] And we could potentially cause some real life harm. On the other side of this is what Moxie Marlinspike has been really driving with Signal over the years, which is we don't want anyone to be able to break into Signal. So there's one particular Israeli based company that sells tools that you can buy that allow you to break into smartphones.

[00:28:20] And they're used by everybody from criminals, you can even buy some of these things on eBay, and they're used also by law enforcement agencies. So he found that there was a bug in one of the libraries that's used by this Israeli software that causes it to crash. And so he put some code into Signal, at least he threatened to, that would cause any of the scanning software that tries to break into your smartphone to fail, to crash.

[00:28:53] Yeah. Yeah. Cool. Craig Peterson here, online, CraigPeterson.com, and really, you are not alone.

[00:29:09] I got some good news about ransomware and some bad news about BEC, business email compromise. In fact, I got a call just this week from someone who had, in fact, again, had their operating account emptied.

[00:29:27] Ransomware is a real problem, but it's interesting to watch it as it's evolved over the years.

[00:29:36] We're now seeing crackdowns driving down ransomware profits. Yes, indeed. Ransomware's ROI is dropping, the return on investment. And so what we're starting to see is a drive towards more
business email compromise attacks. So we'll talk about those, what those are. And I have a couple of clients now that became clients because of the business email compromises that happened to them.

[00:30:10] A great article that was in this week's newsletter. You should have received it Tuesday morning from me if you are signed up for the free newsletter, CraigPeterson.com/subscribe. You'll get these usually Tuesday morning. It's my insider show notes, so you can get up to speed on some of the articles I'm talking about during the week, that I talk about on the radio, [00:30:38] and of course talk about here on the radio show and podcast and everything else as well. So what we're seeing here, according to Dark Reading's editor Becky Bracken, is some major changes, a pivot by the bad guys, because at the RSA Conference, they're saying that law enforcement crackdowns, cryptocurrency regulations, [00:31:05] we've been talking about that today, and ransomware as a service operator shutdowns are driving down the return on investment for ransomware operations across the world, all the way across the globe. So what is ransomware as a service? I think that's a good place to start, because that has really been an albatross around our necks for a long time.

[00:31:30] The idea with ransomware is they get you to download some software, run some software that you really should not be running. That makes sense to you. So you get this software on your computer, it exfiltrates files. So in other words, it takes files that you have and sends them off to the bad guys. And then once it's done that, so it'll send any Word files it finds, Excel, other files [00:32:00] it might find interesting. Once it's done that, then it goes ahead and encrypts those files. So you no longer have access to them, and it doesn't just do them on your computer.
If you share a drive, let's say you've got a G drive or something else on your computer that is being mounted from either another computer or maybe a server, [00:32:24] it will go ahead and do the same thing with those files. And remember, it isn't just encrypting, because if you have a good backup, and by the way, most businesses that I've come into do not have a good backup, which is a real problem because their backups fail. They haven't run. I had one case where we helped the business out and it had been a year and a half since they had a successful backup, and they had no idea. [00:32:52] They were dutifully carrying home these USB drives every day, plugging a new one in, and the backups were not running. Absolutely amazing. So anyhow, ransomware as a service then. So they've encrypted your files. They've exfiltrated, in other words, they've taken your files, and then they demand a ransom.

[00:33:14] So usually it's like this red screen that comes up and says, hey, all your files are belong to us and you need to contact us. So they have people who help you buy Bitcoin or whatever they're looking for, usually it's Bitcoin, and send the Bitcoin to them. And then they'll give you what's hopefully a decryption key.

[00:33:38] Now, what's particularly interesting about these decryption keys is they work about half of the time. So in other words, about half of the time you'll get all your data back, about half the time you will not. It's just not good. So if you are a small operator, if you are just a small bad guy and it's you and maybe somebody else helping you, you got your nephew there helping you out, [00:34:03] how are you going to help these people that you're ransoming buy the cryptocurrency? How are you going to threaten them with release of their documents online, unless you have a staff of people to really help you out here? That's where ransomware as a service comes in. The whole idea behind RaaS is [00:34:25] you can just be a one man shop.
And all you have to do is get someone to open this file. So you go ahead and register with the ransomware service provider, and they give you the software and you embed your little key in there, so they know it's you. And then you send it off in an email. You might try and mess with those people to get them to do something they shouldn't do.

[00:34:49] And that's all you have to do, because once somebody opens up that file that you sent them, it's in the hands of these service guys, the ransomware as a service guys. So these ransomware as a service people will do all of the tech support. They'll help people buy the Bitcoin. They'll help them pay the ransom.

[00:35:11] They'll help them recover files, to a certain extent. Does this make sense to you? Yeah, it's kinda crazy. Now I wanna offer you, I've got this document about the new rules for backup, and again, it's free. You can get it, no problem. Just go ahead and email me, firstname.lastname@example.org, because the backups are so important, and [00:35:38] just like password rules have changed, the rules have changed for backups as well. So just drop me an email, firstname.lastname@example.org, and ask for it, and we'll make sure we send it off to you, and it's not trying to sell you more stuff. Okay? It really is explaining the whole thing for you. I'm not holding anything back.

[00:35:54] These ransomware as a service operators then get the payment from you and then pay a percentage, anywhere from 80% to 50%, sometimes even lower, to the person who ransomed you. Isn't that just wonderful? So our law enforcement people, as well as those in other countries, have been going after the ransomware as a service providers, because if they can shut down [00:36:21] these RaaS guys, just shutting one of them down can shut down thousands of small ransomware people. Isn't that cool? Works really well. So they have been shut down, many of them. There's one that just popped its head back up again.
After about six months. We'll see how far they get, but it is a very big [00:36:46] blow to the whole industry. Ransomware, really because of these ransomware as a service operators, has become a centralized business. So there's a small number of operators responsible for the majority of these thousands of, hundreds of thousands of attacks, really. It's probably worse than that. So a couple of big groups are left, the Conti group and LockBit, and they've got more than 50% of the share of ransomware attacks in the first half of 2022.

[00:37:18] But now they're going after them, the feds. And I think that makes a whole lot of sense, because who do you go for? Well, you go for the people who are causing the most harm, and that's certainly them. So I expect they'll be shut down sometime soon, too. Ransomware had its moment over the last couple of years. Still a lot of ransomware out there, still a lot of problems, but now we're seeing BEC, business email compromise, tactics. And I did a [00:37:50] television appearance, where I was working with the newsmaker or whatever they call them, talking heads on that TV show, and explaining what was happening. And the most standard tactic right now is the gift card swindle. I should put together a little video on this one, but it's all about tricking employees into buying bogus gift cards.

[00:38:18] So this good old fashioned grift is still working. And what happened in our case is it was actually one of the newscasters who got an email, supposedly from someone else, saying, hey, we wanna celebrate everybody. And in order to do that, I wanna give 'em all gift cards. So can you go out and buy gift cards?

[00:38:42] And so we messed around with them. It was really fun, and said, okay, what denomination, how many do you think we need? Who do you think we should give them to? And of course we knew what we were doing. Their English grammar was not very good. And it was really obvious that this was not
[00:38:59] the person they were pretending to be. So that happens, and it happens a lot. They got into a business email account, the email account of that newscaster. So they were able to go through their email, figure out who else was in the business, who was a trusted source inside of the business, so they could pretend that they were that newscaster and send emails to this trusted source.

[00:39:31] And today these business email compromise attacks are aimed at the financial supply chain. And once these threat actors are inside, they look for opportunities to spoof vendor emails, to send payments to controlled accounts. And the worst case I know of this is a company that sent $45 million to a scammer.

[00:39:57] And what happened here is this woman pretended to be the CEO, who was out of the country at the time, and got the CFO to wire the money to her. An interesting story. We'll have to tell it to you sometime, but it's a real problem. And we just had another one. We've had them in school districts. Look 'em up online, do a DuckDuckGo search for them, and you'll find them right,

[00:40:24] left and center, because social engineering works. And frankly, business email compromise is a clear threat to businesses everywhere. As I mentioned, we had one, listens to the show, contact us just last week. Again, $40,000 taken out of the operating account. We had another one that had, I think it was $120,000 taken out of the operating account.

[00:40:53] And another one that had about $80,000 taken outta the operating account. Make sure you're on my newsletter, even the free one. I do weekly free trainings. CraigPeterson.com. Make sure you subscribe now.

[00:41:10] Facebook's about 18 years old, coming on 20. Facebook has a lot of data. How much stuff have you given Facebook? Did you fall victim for that? "Hey, upload your contacts. We'll find your friends." They don't know where your data is.

[00:41:26] It's going to be a great time today because, man,
this whole thing with Facebook has exploded here lately.

[00:41:35] There is an article that appeared online from our friends over at, I think it was, yeah, let me see here. Yeah. Yeah. Motherboard. I was right. And Motherboard is reporting that Facebook doesn't know what it does with your data or where it goes. Now, there's always a lot of rumors about different companies, and particularly when they're a big company and the news headlines are grabbing your attention.

[00:42:08] And certainly Facebook can be one of those companies. So where did Motherboard get this opinion about Facebook just being completely clueless about your personal data? It came from a leaked document. Yeah, exactly. So we find out a lot of stuff like that. I used to follow a website about companies that were going to go under, and they posted internal memos.

[00:42:38] It basically got sued out of existence, but there's no way that Facebook is gonna be able to sue this one out of existence, because they are describing this internally as a tsunami of privacy regulations all over the world. So of course, if you're older, we used to call those tidal waves, but think of what the implication there is of a tsunami coming in and just overwhelming everything.

[00:43:08] So Facebook internally, their engineers are trying to figure out, okay, so how do we deal with people's personal data? It's not categorized in ways that regulators want to control it. Now, there's a huge problem right there. You've got third party data. You've got first party data. You've got sensitive categories data.

[00:43:31] They might know what religion you are, what your persuasions are in various different ways. There's a lot of things they might know about you. How are they all categorized? Now we've got the European Union with their General Data Protection Regulation, the GDPR we talked about when it came into effect back in 2018, and I've helped a few companies to comply with that.
[00:43:56] That's not my specialty. My specialty is the cybersecurity side. But in Article 5, this European law mandates that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. So what that means is that every piece of data, like where you are using Facebook or your religious orientation, can only be collected and used for a specific purpose and not reused for another purpose.

[00:44:34] So there's an example here that Vice is giving. In the past, Facebook took the phone number that users provided to protect their accounts with two factor authentication and fed it to its people feature as well as advertisers. Yeah. Interesting, eh? So Gizmodo, with the help of academic researchers, caught Facebook doing this, and eventually the company had to stop the practice.

[00:45:01] Cuz this goes back to the earlier days where Facebook would say, "Hey, find out if your friends are on Facebook, upload your contacts right now." And most people, what did you know back then about trying to keep your data private, to try and stop the proliferation of information about you online? Nothing.

[00:45:21] I think I probably even uploaded it back then, thinking that'd be nice to see if I've got friends here. We can start chatting, et cetera. According to legal experts that were interviewed by Motherboard, who wrote this article and has a copy of the internal memo, this European regulation specifically prohibits that kind of repurposing of your phone number, of trying to put together the social graph, and the leaked document shows that Facebook may not even have the ability to limit

[00:45:53] how it handles users' data. Now, I was on a number of radio stations this week talking about this, and the example I gave is just look at an average business from the time it started. Facebook started, how? Right. You're scraping pictures of young women off of Harvard University's
main catalog, contact page, and then asking people, what do you think of this? Rate this person, rate that person, and off they go, trying to rate them. Yeah. All that matters to a woman, at least according to Mark Zuckerberg, or all that matters about a woman, is how she looks. Do I think she's pretty or not? Ridiculous, what he was doing.

[00:46:35] It just, oh, that's Zuckerberg, right? That's who he is. Not a great guy anyways. So you go from stealing pictures of young ladies, asking people to rate them, putting together some class information and stuff there at Harvard, and then moving on to other universities, and then opening up even wider and wider.

[00:47:00] And of course, that also created demand, cuz you can't get on if you're not at one of the universities that we have set it up for. And then you continue to grow. You're adding these universities, certainly you're starting to collect data, and you're making more money than God. So what do you do? You don't have to worry about inefficiencies.

[00:47:20] I'll tell you that. One thing you don't have to do is worry about, oh gee, we've got a lot of redundant work going on here. We've got a lot of teams working on basically the same thing. No, you've got more money than you can possibly shake a stick at. So now you go ahead and send that money to this group or that group.

[00:47:41] And they put together all of the basic information that they want. They are pulling it out of this database and that database, and they're doing some correlation, writing some really cool SQL queries with some incredible joins and everything else. And now that becomes part of the main code for Facebook.

[00:48:02] And then Facebook goes on to the next little project, and they do the same thing. Then the next project, then the next project. And then someone comes along and says, "Hey, we need this feature, that feature for advertisers," and then in that goes, and then along comes candidate Obama.
And one of the groups inside Facebook says, "Yeah, here we go.

[00:48:25] Here's all of the information we have about everybody, and it's free. Don't worry about it." And then when Trump actually bought it and hired a company to try and process some of that information, he got in trouble. No, but the Obama, the whole campaign could get access to anything they wanted to, again, because the data wasn't controlled. They had no idea who was doing what with the data.

[00:48:50] And according to this internal memo, they still don't know. They don't even know if they can possibly comply with these regulations, not just in Europe, but we have regulations in pretty much all of the 50 states in the US. Canada, of course, has their own, Australia, New Zealand, think about all the places.

[00:49:12] Facebook makes a lot of money. So here's a quote from that: "We build systems with open borders. The result of these open systems and open culture is well described with an analogy. Imagine you hold a bottle of ink in your hand. The bottle of ink is a mixture of all kinds of user data. You pour that ink into a lake of water.

[00:49:34] Okay. And it flows everywhere," the document read. "So how do you put that ink back in the bottle, in the right bottle? How do you organize it again so that it only flows to the allowed places in the lake?" They're totally right about that. Where did they collect it from? Apparently they don't even know where they got some of this information,

[00:49:58] this data, from. Reminds me of the no fly list. You don't know you're on it and you can't get yourself off of it. It is crazy. So this document that we're talking about was written last year by privacy engineers on the ad and business product team, whose mission is to "make meaningful connections between people and businesses" and which "sits at the center of a monetization strategy

[00:50:22] and is the engine that powers Facebook's growth." Interesting problems.
And I see this being a problem well into the future for more and more of these companies. Look at Twitter as an example that we've all heard about a lot lately, and I've talked about as well. Along comes Elon Musk and he says, "Wait a minute now.

[00:50:41] Now I can make Twitter way more profitable. We're gonna get rid of however many people, it's well over a thousand, and then we are going to hire more people. We're gonna start charging. We're gonna be more efficient." You can bet all of these redundancies that are in Facebook are also there on Twitter. And Twitter also has to comply with all of these regulations that Facebook is freaking out about,

[00:51:09] for really a very good reason. So this document is available to anybody who wants to look at it. I'm looking at it right now, talking about the regulatory landscape and the fundamental problems with Facebook's data lake. And this is a problem that most companies have, not as bad as Facebook does, but most companies, you grow. I have yet to walk into a business that needs help with cybersecurity and find everything in place as it should be, because it grew organically. You started out with a little consumer firewall, router and wifi, and then you added to it, and you put a switch here, and you added another switch behind that, and moved things around.

[00:51:54] This is normal. This is not total incompetence on the part of the management, but my gosh, I don't know. Maybe they need an Elon Musk to just straighten them out as well. Hey, stick around. I'll be right back, and sign up at email@example.com.

[00:52:13] Apparently looting is one of the benefits of being a Russian soldier. And according to the reports coming out of Ukraine, they've been doing it a lot, but there's a tech angle on here that is really turning the tables on these Russian looters.
[00:52:30] This is really something. We know in wars there are people that loot, and typically the various militaries try and make sure, at least recently, that looting is kept to an absolute minimum.

[00:52:45] Certainly the Americans, the British, even the Nazis during World War II, the socialists there in Germany, they tried to stop some of the looting that was going on. I think that's probably a very good thing, because what you end up with is just all of these locals that are just totally upset with you.

[00:53:10] I found a great article on The Guardian, and there's a village that had been occupied for about a month by Russian troops, and when the people came back, they were just shocked to see what happened. They're giving a few examples of different towns. They found that alcohol was stolen and they left empty bottles behind, food wrappers, cigarette butts thrown all over the place in apartments and homes.

[00:53:39] Piles of feces blocking the toilets, family photographs torn, thrown around the house. They took away all of the clothes. This is a quote from one of the people: "literally everything, male and female coats, boots, shirts, jackets, even my dresses and lingerie." This is really something. The Soviets didn't do this, but now the Russian

[00:54:02] military apparently does. So over the past couple of weeks, there've been reports from numerous places where Russian troops had occupied Ukrainian territory, and The Guardian, which is this UK newspaper, collected evidence suggesting looting by Russian forces was not merely a case of a few wayward soldiers, but a systematic part of Russian military behavior across multiple towns

[00:54:29] and villages. That's absolutely amazing. Another quote here: "People saw the Russian soldiers loading everything onto Ural trucks, everything they could get their hands on. A dozen houses on the village's main street had been looted, as well as the shops."
Other villagers reported losing washing machines, food, laptops, even a sofa, air conditioners,

[00:54:53] being shipped back. Just like you might use UPS here, they have their equivalent over there. A lady here who was the head teacher in the school, she came back in, of course, found her home looted, and in the head teacher's office she found an open pair of scissors that had been jammed into a plasma screen that was left behind, because if they can't steal it, they're gonna destroy it.

[00:55:19] They don't leave anything behind. They found the Russians had taken most of the computers, the projectors and other electronic equipment. It's incredible. So let's talk about the turnaround here a little. You might have heard stories about some of these bad guys that have smashed and grabbed their way into Apple stores.

[00:55:38] So they get into the Apple store. They grab laptops and iPads, no longer iPods, cuz they don't make those anymore, and iPhones. And they take them and they run with them. Nowadays there's not a whole lot of use for those. Now what they have been doing, some of these bad guys, is they take some parts and use them in stolen equipment.

[00:56:03] They sell them on the used market, et cetera. But when you're talking about something specific, like an iPhone that needs specific activation, a completely different problem arises for these guys, because that iPhone needs to have a SIM card in order to get onto the cell network. And it also has built in serial numbers.

[00:56:26] So what happens in those cases? Well, Apple goes ahead and disables them. So as soon as they connect to the internet, let's say they put 'em on wifi. They don't get a SIM card. They don't get service from T-Mobile or Verizon or whoever it might be. So now they connect to the wifi and it calls home, cuz it's gonna get updates,

[00:56:45] so on, download stuff from the App Store, and they find that it's been bricked.
Now you can do that with a lot of mobile device managers that are available for all kinds of equipment nowadays, but certainly Apple equipment, where if a phone is lost or stolen, or a laptop or other pieces of equipment, you can get on the MDM and disable it, have it remotely erased, et cetera.

[00:57:11] Now, police have had some interesting problems with that, because a bad guy might go ahead and erase a smartphone that's in the evidence locker at the police station. So they're doing things like putting them into Faraday cages or static bags or other things to try and stop that. So I think we've established here that the higher tech equipment is pretty well protected.

[00:57:36] You steal it, it's not gonna do you much good. So one of the things the Russians stole when they were in, it's called, I think you pronounce it, Melitopol, which is again a Ukrainian city, is they stole all of the equipment from a farm equipment dealership and shipped it to Chechnya. Now that's according to a source, a businessman in the area, that CNN is reporting on.

[00:58:06] So they shipped this equipment. We're talking about combine harvesters worth 300 grand apiece. They shipped it 700 miles, and the thieves were ultimately unable to use the equipment, cuz it had been locked remotely. So think about agriculture equipment, John Deere in this case. These pieces of equipment, they drive themselves.

[00:58:33] It's autonomous. It goes up and down the fields, goes any pattern that you want it to. It'll bring itself within a foot or an inch of your boundaries, of your property, being very efficient the whole time, whether it's planting or harvesting, et cetera. And that's just a phenomenal thing, because it saves so much time for the farmer, makes it easier to do. The companies like John Deere

[00:58:58] want to sell as many pieces of this equipment as they possibly can. And farming is known to be a, what, not terribly profitable business. It certainly isn't like Facebook.
So how can they get this expensive equipment into the hands of a lot of farmers? What they do is they lease it. So you can lease the equipment through a leasing company or maybe directly from the manufacturer, and now you're off and running.

[00:59:26] But what happens if the lease isn't paid? Now, it's one thing if you don't pay your lease on a $2,000 laptop, right? They're probably not gonna come hunting for you, but when you're talking about a $300,000 harvester, they're more interested. So the leasing company has title to the equipment, and the leasing company can shut it off remotely.

[00:59:51] You see where I'm going with this, so that they can get their equipment in the hands of more farmers, cuz the farmers can lease it. It costs them less. They don't have to have a big cash payment. You see how this all works. So when the Russian forces stole this equipment, that's valued, total value here, is about $5 million.

[01:00:11] They were able to shut it all off. And obviously, if you can't start the engine, because it's all shut off, and it's all run by computers nowadays, and there's pros and cons to that. I think there's a lot of cons, but what are you gonna do? How's that gonna work for you? It isn't going to work for you.

[01:00:32] And they were able to track it. It had GPS trackers, find out exactly where it was. That's how they know it was taken to Chechnya and could be controlled remotely. And in this case, how'd they control it? They completely shut it off. Even if they sell the harvesters for spare parts, they'll earn some money, but they sure won't be able to sell 'em for the 300 grand that they were actually worth.

[01:00:57] Hey, stick around. We'll be right back, and visit me at firstname.lastname@example.org. If you sign up there, you'll be able to get my insider show notes. And every week I have a quick five-minute training right there in your emails. CraigPeterson.com. That's S O N, in case you're wondering.
[01:01:22] If you've been worried about ransomware, you are right to worry. It's up. It's costly. And we're gonna talk about that right now. What are the stats? What can you do? What happens if you do get hacked? Interesting world.

[01:01:38] Ransomware has been a very long running problem. I remember a client of ours, a car dealership, who we had gone in.

[01:01:49] We had improved all of their systems and their security, and one of their people, who was actually a senior manager, ended up downloading a piece of ransomware, one of these encrypted ones, and opened it up, and his machine, all of a sudden, ta-da, guess what, it had ransomware on it. One of those big red

[01:02:12] screens that say, "Pay up, send us this much Bitcoin, and here's our address." All of that sort of stuff. And he called us up and said, "What's going on here? What happened?" First of all, don't bring your own machine into the office. Secondly, don't open up, particularly, encrypted files using the password that they gave,

[01:02:33] and thirdly, we stopped it automatically. It did not spread. We were able to completely restore his computer. Now let's consider here the consequences of what happened. So he obviously was scared. And within a matter of a couple of hours, we actually had him back to where he was, and it didn't spread.

[01:02:59] So the consequences there, they weren't that bad. But how about if it had gotten worse? How about if the ransomware, also, before it started holding his computer ransom, went out and found all of the data about their customers? Do you think an auto dealership would love to hear that all of their customer data was stolen, and released all of the personal data of all of their customers?

[01:03:25] Obviously not. So there's a potential cost there. And then how long do you think it would take a normal company, that thinks they have backups, to get back online? I can tell you it'll take quite a while, because the biggest problem is most backups don't work.
We have yet to go into a business that was actually doing backups that would work to help restore them.

[01:03:52] And if you're interested, I can send you, I've got something I wrote up. Be glad to email it back to you. Obviously, as usual, no charge, and you'll be able to go into that and figure out what you should do, cause I break it down into the different types of backups and why you might want to use them or why you might not want to use them. But ransomware

[01:04:15] is a kind of a pernicious, nasty little thing, particularly nowadays, because it's two factor. First is they've encrypted your data. You can't get to it. And then the second side of that is, okay, I can't get to my data, and now they're threatening to hold my data ransom or they'll release it. So they'll put it out there.

[01:04:38] And of course, if you're in a regulated industry, which actually car dealers are, because they deal with financial transactions, leases, loans, that sort of thing, you can lose your license for your business. You can lose your ability to go ahead and, frankly, make loans and work with financial companies and financial instruments.

[01:05:00] It could be a very big deal. So there are a lot of potential things that can happen, all the way from losing your reputation as a business or an individual to losing all of the money in your operating account. And again, we've got a client that we picked up afterwards that, yes indeed, they lost all of the money in their operating account.

[01:05:24] And then how do you make payroll? How do you do things? There's a new study that came out from Check Point. Check Point is one of the original firewall companies, and they had a look at ransomware. What are the costs of ransomware? Now, bottom line, I'm looking at some stats here on a couple of different sites.

[01:05:44] One is, by the way, Conti, which is a big ransomware gang that also got hacked after they said, "We are going to attack anyone
that doesn't defend Vlad's invasion of Ukraine," and then they got hacked and their information was released. But here's ransomware statistics. This is from Cloudwards. First of all, the largest ransom demand is $50 million.

[01:06:11] And that was in 2021, to Acer, the big computer company. Now, 37% of businesses were hit by ransomware in 2021. This is amazing. They're expecting by 2031, so in about a decade, ransomware is gonna be costing about $265 billion a year. Now, on average, ransomware costs businesses $1.85 million to recover from an attack.

[01:06:41] Now, that's obviously not a one or two person place, but think of the car dealer again. How much money are they going to make over the year or over the life of the business? If you're a car dealer, you have a license to print money, right? You're selling car model or cars from manufacturer X. And now you have the right to do that, and they can remove that.

[01:07:03] How many tens, hundreds of millions of dollars might that end up costing you? Yeah. Big deal. Total cost of ransomware last year, 20 billion. Now, these are the interesting statistics here right now, so pay closer attention to this. 32% of ransomware victims paid a ransom demand. So about a third paid a ransom demand

[01:07:27] last year. It's actually down, cuz my recollection is it used to be about 50% would pay a ransom. Now, on average, that one third of victims that paid a ransom only recovered 65% of their data. Now, that differs from a number I've been using from the FBI that's a little bit older, that was saying it's a little better than 50%, but 65% of paying victims recovered their data.

[01:07:55] Now, isn't that absolutely amazing? Now, 57% of companies are able to recover the data using a cloud backup. Now, think about the different types of backup. Cloud backup is something that can work pretty well if you're a home user, but how long did it take for your system to get backed up? Probably took weeks, right?
[01:08:19] For a regular computer over a regular internet line. Now, restoring from backup's gonna be faster, because your downlink is usually faster than your uplink. That's not true for businesses that have real internet service. Ours, it's the same bandwidth up as it is down. But it can take, again, days or weeks to try and recover your machine.

[01:08:39] So it's very expensive. And I wish I had more time to go into this, but looking at the costs here, and the fact that insurance companies are no longer paying out for a lot of these ransomware attacks, it could be incredibly expensive for you. Incredibly. So here you go. The number one business types by industry for ransomware attacks: retail.

[01:09:13] That makes sense, doesn't it? Real estate. Electrical contractors, law firms and wholesale building materials. Isn't that interesting? And that's probably because none of these people are really aware, conscious of doing what, of keeping their data secure, of having a good IT team, a good IT department. So there's your bottom line.

[01:09:40] Those are the guys that are getting hit the most. The numbers are increasing dramatically, and your costs are not just in the money you might pay as a ransom. And as it turns out, in pretty much every case, prevention is less expensive and much better than the cure of trying to pay ransom or trying to restore from backups.

[01:10:06] Hey, you're listening to Craig Peterson. You can get my weekly show notes by just going to CraigPeterson.com. And I'll also send you my special report on how to do passwords. Stick around. We'll be right back.

[01:10:24] You and I have talked about passwords before, the way to generate them and how important they are. And we'll go over that again a little bit in just a second, but there is a new standard out there that will eliminate the need for passwords.

[01:10:40] I remember, I think the only system I've ever really used that did not require passwords was the IBM 360.
[01:10:49] Yeah, 360. You punch up the cards, all of the JCL, you feed the card deck in, and off it goes and does its little thing. That was a different day, a different era. When I started in college, in university, we had remote systems, timeshare systems, that we could log into. And there weren't much in the line of password requirements then, but you had a username.

[01:11:18] You had a simple password. And I remember one of our instructors, his name was Robert Andrew Lang, and his password was always some sort of a combination of R A Lang. So it was always easy to guess what his password was. Today it has gotten a lot worse. Today we have devices with us all of the time.

[01:11:40] You might be wearing a smart watch that requires a password. You of course probably have a smartphone that's also maybe requiring a password, certainly after it boots. Nowadays they use fingerprints or facial recognition, which is handy, but has its own drawbacks. But how about the websites you're going to, the systems you're using when you're at work and logging in? They all require passwords

[01:12:10] and usernames of some sort or another. Well, Apple, Google, and Microsoft have all committed to expanding their support for a standard that's actually been out there for a few years. It's called the FIDO standard. And the idea behind this is that you don't have to have a password in order to log in. Now, that's really an interesting thing, right?

[01:12:37] Just looking at it, because we're so used to having this password-only authentication. And of course the thing to do there is make sure you have, for your password, multiple words in the password. It should really be a passphrase. And between the words put in special characters or numbers, maybe mix

[01:12:59] upper and lowercase a little bit in those words. Those are the best passwords, 20 characters, 30 characters long. And then if you have to have a PIN, I typically use a 12 digit PIN. And how do I remember all of these?
Cuz I use a completely different password for every website, and right now, let me pull it up.

[01:13:21] I'm using 1Password.com's password manager. And my main password for that is about 25 characters long. And I have thirty one hundred and thirty five entries here in my password manager, 3,100. That is a whole lot of passwords, right? As well as software licenses and a few other things in there.

[01:13:48] That's how we remember them, is using a password manager. 1Password.com is my favorite. Now, obviously I don't make any money by referring you there. I really do like that. Some others that I've liked in the past include LastPass, but they really messed up with some of their cybersecurity last year and I lost my faith in it.

[01:14:08] So now what they're trying to do is make these websites that we go to, as well as some apps, have a consistent, secure, and passwordless sign in. And they're gonna make it available to consumers across all kinds of devices and platforms. That's why you've got Apple, Google, and Microsoft all committing to it.

[01:14:32] And you can bet everybody else is going to follow along, because there's hundreds of other companies that have decided they're gonna work with the FIDO Alliance, and they're gonna create this passwordless future, which I like, this idea. So how does this work? Basically, you need to have a smartphone.

[01:14:50] This is, I'm just gonna go with the most standard way that this is going to work here in the future. And you can then have a passkey. This is like a multifactor authentication or two factor authentication. So for instance, right now, when I sign into a website online, I'm giving a username, I'm giving a password, and then it comes up and it asks me for a code.

[01:15:14] So I enter a six digit code, and that code changes every 30 seconds. And again, I use my password manager from 1Password.com in order to generate that code.
So that's how I log into Microsoft sites and Google sites and all kinds of sites out there. So it's a similar thing here now for the sites for my company, because we do cybersecurity for businesses, including regulated businesses.

[01:15:41] We have biometrics tied in as well. So to log into our systems, I have to have a username. I have to have a password. I then am sent to a single sign on page where I have to have a message sent to my smart device, that then has a special app that uses biometrics, either a Face ID or a fingerprint, to verify who I am.

[01:16:06] Yeah, there's a lot there, but I have to protect my customers' data. Something that very few, it's crazy, actual managed security services providers do, but it's important, right? By the way, if you want my password special report, just go to CraigPeterson.com. Sign up for my email list.

[01:16:29] I'll send that to you. That's what we're sending out right now for anyone who signs up at email@example.com. And if you'd like a copy of it and you're already on the list, just go ahead and email me, M E at CraigPeterson.com, and ask for the password special report, where I go through a
Using Punchlists to Stop Ransomware
I really appreciate all of the emails I get from you guys. And it is driving me to do something I've never done before now. I've always provided all kinds of free information. If you're on my email list, you get great stuff. But now we're talking about cyber punch lists. [Automated transcript follows] [00:00:16] Of course, there are a number of stories here that will come out in the newsletter, or they did, excuse me, go in the newsletter you should have got on Tuesday morning. [00:00:26] And that's my insider show notes, which is all of the information that I put together for my radio appearances, radio shows. And also, of course, I send it off to the hosts at these various radio stations so they know what's taught, because, oh, who really tracks technology? Not too many people. And I get a little off-put by some of these other radio hosts. They call themselves tech people, and they're actually marketing people, but [00:00:57] that's me. And that's why, if you are on my list, you've probably noticed I'm not hammering you trying to sell you stuff all the time. It's good, valuable content. And I'm starting something brand new. Never done this before, but this is for you guys. Okay. You know that I do cybersecurity as a business, and I've been doing it now for more than three decades. [00:01:22] I dunno if I should admit that right there. Say, never say more than 17 years. Okay. So I've been doing it for more than 17 years, and I've been on the internet now for, oh, 40 years now. Okay. Back before it was even called the internet, I helped to develop the silly thing. So over the years, we've come up with a number of different strategies. [00:01:43] We have these things that are called plan of action and milestones, and we have all kinds of other lists of things that we do and that need to be done. So what we're doing right now is we're setting up so that you can just email me, M firstname.lastname@example.org.
And I will go ahead and send you one of these punch lists. [00:02:09] Now, the punch lists are around one specific topic. We've got these massive punch lists with hundreds and hundreds of things on them. And those are what we use when we go in to help clean up the cybersecurity in a company. So we'll go in, we'll do scans. We will do red team, blue team, where we're attacking. [00:02:30] We do all kinds of different types of scans using different software, trying to break in. We use the same tools that the hackers use in order to see if we can get into your systems and if the systems are properly secured. So we do all of this stuff, and then it goes into all of the paperwork that needs to be done to comply with whatever it might be. It might be they accept payment cards. It might be that they have information which is healthcare information. And it might be also that they're a government contractor. So there are hundreds and hundreds of things that they have to comply with. Most of them are procedural. So we have all of this stuff. [00:03:13] We do all of this stuff. And I was talking with my wife here this last week about it and said, yes, so much of this could be used by small companies that can't afford to hire my team to come in and clean things up. And I don't want them to suffer. So here's what we're doing. We're starting this next week. [00:03:36] We have a punch list for you on email. So what are the things you can do, should do, for email? Just very narrow on email, so that you can recognize a phishing email, what you might want to do to lock down your Outlook if you're on Windows, or your Mac Mail. So we're taking these massive spreadsheets that we have and we're breaking them up. [00:04:03] So the first one that's available to you guys, absolutely, a hundred percent free, is the one on email. So just send me an email, me, M email@example.com. Now, remember, my business is a business-to-business, but almost everything in these various
punch lists applies to individuals as well. [00:04:27] So I got an email this last week from a guy saying, Hey, I'm 80 years old and retired and I don't know much about computers. And that's what got us thinking about it. No, we need to be able to help him. We need to be able to help you out. Okay. And if you're a small business, and we've dealt with a lot of them over the years, and as a small business, you just don't have the funds to bring in an expert, whether it's me or somebody else, although, yeah, [00:04:56] you want the best anyways. It is going to allow you to do it yourself. Okay. So, absolutely free, all of these punch lists on all of these topics. We're probably going to end up with more than a hundred of these punch lists. And all you do is email me, M firstname.lastname@example.org. Just let me know in there what you're interested in. [00:05:19] So even if we haven't got that punch list broken down for you yet, we will go ahead and put that on the to-do, right? We need the priorities. What kind of a priority should we have as we're putting these things together for free for people? And the only way we know is if you ask. So the first one's on email; you can certainly ask for email. [00:05:39] We've got, as I said, more than a hundred others that we think we're going to be able to pull out of the exact plan of action worksheets that we use, so that you can go through this yourself, whether you're a home user or you are a small business or even a big business. We were talking with a gentleman who's probably listening right now, who has a business. [00:06:06] They have three offices. They have some requirement, because of the military contracts, for high-level cybersecurity. And they would work for him too. All right. So this is all of the punch list stuff. You probably know what a punch list is. It's used in the construction industry a lot, but in our case, it's indeed: to do this, [00:06:27] you need to do this, you need to do this. Okay.
So that's what that's all about. So enough rambling on that. It's going to take us some time to get them all together. I'm also going to do more video stuff again, training. So just like on the radio show, where we're talking about what's in the news, we're going to talk about what's in the news [00:06:49] when it comes to small businesses, what you should be paying attention to, with of course an emphasis on cybersecurity, and putting those up on my email@example.com. In fact, we've already got some up there already, and then we are going to also be putting them on YouTube and Rumble. So if you don't like YouTube and Google, then you can certainly go to Rumble. [00:07:14] You'll see them there. But if you're on the email list, we're starting to put links in the bottom of the emails so you can go and watch those videos, if you're a video type person, you know, more visual. So it's, I think, all good. And it's good news for everybody. And this is what happens, I think, as you get more mature in the business. [00:07:36] As I said, I've been on the internet for more than 40 years, helped develop some of that software, and some of it's still in use today, and now it's time to do more give back. And I really am trying to give back. Okay, this isn't, this isn't a joke. No joke. So go ahead. Email me at CraigPeterson.com. [00:07:57] Tell me which punch list that you would like. And I can also put you on my email list so that you get my insider show notes, and you can just do that yourself by going to CraigPeterson.com. You'll see right up at the top of the page, if you scroll down a little bit, it'll pop up. It's a big red bar that goes across the top. [00:08:17] I try not to be too intrusive, and you can sign up there for the newsletter. So you'll get some of these trainings automatically. You'll get my insider show notes, all of this stuff. It's absolutely free. Okay. This is my give back, to help you out. It really is. Okay.
As I mentioned at the very beginning, [00:08:37] I'm peeved by some of these people that represent themselves as tech experts, and in fact, all they are is marketers. We've got a client that decided that I was too expensive, my team. So they went out and shopped around, tried to find the cheapest company they could. And so now the company that they're bringing in is saying, you're saying, Hey, so how does this work? [00:08:59] How do you do zero trust? Why do you have a firewall here? Why do you bother to have a direct fiber link between the offices? All this stuff? Because they need it. Okay. I get it. You use Barracuda spam firewalls and Barracuda firewalls. It, yeah, this is a different league. Okay. So you're going to be getting these punch lists from me that are really going to help you understand and secure your systems. [00:09:29] This isn't your average run-of-the-mill managed security services provider or managed services or break-fix shop. You're getting it from the guy that the FBI InfraGard program went to, to do their trainings. That was me. Okay. So for two years I set up the program. I ran it. And if we're ever sitting down and having a coffee or a beer, sometimes I'll tell you why I left. [00:09:53] Okay. But think about FBI, and I think you might have a clue as to why I decided not to do that anymore. I trained thousands of businesses, government agencies, state, local, federal, you name it. So you're getting what you really need, which is another problem. I keep hearing from people, you do a search for something on YouTube or Google and you get, what, a million, 5 million pages, supposedly, that it says are available, and they give you, okay, then here's the top one. But what you need is an integrated, single way to do things, where everything works together. And that's what I'm trying to do for you guys, because there's so many little products, different products, that just don't work so well together.
[00:10:46] So we'll be covering that as well in these, but you gotta be on that email list. CraigPeterson.com. CraigPeterson.com/subscribe will take you right to the subscription page, and I'll keep you up to date. This is not my paid newsletter. All right, stick around. We'll be right back. And I promise I'll get to Russia. [00:11:12] Some of the high-tech companies and others pulled out of Russia after the Ukraine invasion, but one stayed: Google. What is going on with Google? And now they're in big trouble with the Russian government. Wow. [00:11:28] Here's the list of companies, according to CNET, that have pulled out of Russia, because you remember Russia invaded Ukraine February 24. We had Adobe, these are the guys that make Photoshop, Adobe Reader. Airbnb has an interesting story too in Ukraine, because quite a number of Airbnb customers went ahead and rented rooms and homes from Ukrainians even though they had no intention of going, and they told the Ukrainians, Hey, [00:11:59] I'm not going to show up, just take this money. I'm sure you need it. Can you imagine that? But that's fantastic. Good for them. Amazon. They suspended shipments of all retail products to customers in Russia and Belarus and also suspended Prime Video for users. Apple stopped selling its products in Russia. [00:12:21] It's halting online transactions, including limiting Apple Pay. It's also disabled some Apple Maps features in Ukraine in order to protect civilians. Amazon Web Services. They don't have data centers or offices in Russia, but it stopped allowing new signups for the service in Russia. BMW, Ford, GM, huh? They have all scaled back their operations or stopped them. [00:12:49] Ford suspended its operations in Russia effective immediately until further notice. GM is suspending business in Russia. Honda has suspended exports to Russia. Disney halted all theatrical releases in Russia, including the new Pixar film Turning Red, also paused content. DJI.
The drone company that has gotten in trouble here in the U.S. for some of its practices of sending GPS information to China, while they're not doing it over there. [00:13:20] Electronic Arts, they make a bunch of very popular games. Epic Games, another one. Ericsson. FIFA, the body, banned Russia from this year's World Cup. Formula One canceled its planned Russian Grand Prix. Fujitsu, Goldman Sachs. Now, Google, that's where I want to go. We'll stop at Google here for a minute. [00:13:44] Google suspended their ad network in Russia. And the idea was, okay, we're not sure how payments are going to work, because Russia of course has had this kind of lockdown by foreign countries on their banking system. We're not sure we can get the money out. That's what they're apparently doing now. [00:14:08] They're still there. Google's YouTube, its search engine, on and on, still running in Russia. Now that is really disturbing, if you ask me. Why did they not pull out? It doesn't make sense. So Google did stop accepting new customers for Google Cloud in March. YouTube said it is removing videos that deny or trivialize the Russian invasion. But what finally got them [00:14:42] out of Russia? Russia seized their bank accounts. They froze them. They transferred their money out of the main bank account in Russia. We're talking about a $2 billion per year business, Google Russia. That really upsets me. So I did a little more research online about all of this, and I was really surprised to see that Ukraine now has given the Ukraine Peace Prize to Google. [00:15:12] And it says, quote, on the behalf of Ukrainian people, with gratitude for the support during this pivotal moment in our nation's history. So what is it? I'm not sure. So they're, one of their foreign ministers, and Karen, I think I said, thank you. From the beginning of the war, Google has sought to help, however we can, through humanitarian support of our tools. We'll continue to do so as long as needed.
So I dug in a little more and tried to figure out what's up. Russia, or Google, left its Russian search engine online and YouTube online and was using it in Russia in order to control the narrative in Russia. [00:15:59] Now, unlike what they've done here in the U.S., where Google hasn't been caught many times controlling the narrative in various elections and taking certain ads and not taking others, and taking certain business and not taking others, apparently in Russia it has been blocking a lot of the stuff that Russia itself has been putting out, [00:16:23] so the federal government there in Russia. Interesting, hey? So they also have helped Ukraine out by providing them with mapping, GPS, and rumor has it satellite services. Yeah, interesting, in order to track Russian troop movements. Also, Ukraine's saying the Google News component has also been tremendously valuable. [00:16:51] Google's also helping to raise money for the cause of Ukraine, like many companies are doing right now, to help people displaced due to the war, and Poland. Wow. They've been doing yeoman's work in bringing people in, by the millions, into Poland from Ukraine. Reminds me, when I lived in Calgary, Alberta, my Cub, one of the Cub masters, Cub troop leaders, was a woman who came from Poland many years ago. [00:17:18] This was back during the Soviet occupation of Poland. And I remember talking to her about what was happening over there. Why did she leave? And it was just so impressive. The Poles have done so much impressive stuff over the years. So they're also saying that Google has done a lot of other things in order to [00:17:39] help protect Ukraine, including Google's blocked domains. They've prevented phishing attacks against Ukraine. They warned targeted individuals that they are being targeted. It's really something what they've done. So my first knee-jerk was, why is Google
still doing business in Russia? Well, now it's become clear, because they have a special page for Russians that gives correct information, at least Google is claiming it's correct. [00:18:13] I don't know which fact-checkers they're using. That gives Russians real information about the war, what's going on in Ukraine, what's happening with the Russian soldiers. Did you see this? Just this last week, apparently Russia removed the age limit for volunteers for the military. [00:18:35] It used to be, I think it was 40 years old if you were a Russian citizen and 30 years old if you are a foreign national. Now the Russian military will take anyone at any age from anywhere. In other words, Russia is really getting hard up if they want people like me to fight their wars. [00:18:54] I'm sure they don't really want, I don't know. Maybe they do want me, but every war needs cannon fodder. So it is fascinating to see. Good job, Google. I am quite impressed. I did not expect them to be doing that. They've also provided over $45 million in donations and grants to various groups. [00:19:18] They've done pro bono work for various organizations over there. So this is really cool. So that's it. That's what's happening over there. Yeah, Ukraine and Google. You can, of course, find out a lot more. Get my insider show notes. So you had all of this on Tuesday morning. You could have digested it all and be ahead of everybody else out there. [00:19:43] And then also don't forget about my new offer here. Free, absolutely free, for anyone who asks by emailing firstname.lastname@example.org. I'll go ahead and send them to you, which is, I think, a pretty cool thing now. What am I going to send you? You got to ask first, right? You got to ask. And what we're going to be doing is taking what I have been using for years to help secure my customers, [00:20:14] and we're making available for free my cyber punch lists. CraigPeterson.com/subscribe. [00:20:22] Bit of a hubbub here.
Biden's infrastructure bill, $1.2 trillion, and in there is this thing that Bob Barr's calling an automobile kill switch. I did some more research and we'll tell you the facts right now. [00:20:39] What are you supposed to do if you are trying to pass a bill to stop drunk driving deaths, and you've got all of the money in the world? Joe, I guess 1.2 trillion isn't all of the money in the world. What are you going to put in there? I did a search on this and I'm chuckling, because this is craziness. [00:20:59] This is the AP, Associated Press. And they've got this article claiming: President Joe Biden signed a bill that will give law enforcement access to a kill switch that will be attached to all new cars in 2026. AP's assessment: false. Okay. So we've got fact-checkers here. While the bipartisan infrastructure bill Biden signed last year requires advanced drunk and impaired driving technology to become standard equipment in cars, [00:21:31] experts say the technology doesn't amount to a kill switch. Let me see. So I can't start the car if the car's computer thinks I might be drunk or impaired in some other way, but that's not a kill switch? What is that, then, if I can't start the car because I have a disagreement with the computer? How about these people that, I don't know, maybe their eyes can't open all of the way? [00:21:59] Maybe they have problems with eyes, a nystagmus, the eyes jittering back and forth. And then now, what are they going to argue with the computer? That's a kill switch. I can't believe these crazy people that are like AP here, coming up with fact-checking on things. So yeah, I'm sure there are some distortions in some articles out there, but they contradicted themselves in two paragraphs. I guess they figure people are just going to see false. [00:22:30] Okay, I'm done. And they're not going to bother reading the rest of the article. Ah, kind of crazy, isn't it?
So according to an article written by former U.S. Representative Bob Barr, in the infrastructure bill is this kill switch. Now the big question is, what is the kill switch? How far does it go? [00:22:55] So I decided, let's look up something I remember from years ago, and that is GM has the OnStar system. It's yet another reason I won't buy GM; there are a number of reasons, but this doesn't help. The OnStar system, they've got advisors, and that's great, and if your car is in a car accident, a crash, that advisor can hop on and ask if you're okay. [00:23:22] And if you want emergency services coming, they'll come. OnStar will call them. And if you are just fine, they won't bother calling. If there's no answer at all, they'll call emergency services and let them know where the vehicle is, because the vehicle has, with OnStar, built-in GPS. One of the features of OnStar is that it can send a signal to disable cars' engines and gradually slow the vehicle to an idle speed to assist police in recovering the vehicle. [00:23:58] Now, they will only do that, at least right now, for vehicles that have been reported stolen and have been confirmed by the police. So in reality, that's cool, right? It slows down, hopefully the bad guy, if he's on the highway, makes it over to the side of the road, and while the car slows down and eventually stops. [00:24:22] So all of this stuff sounds good. This kill switch sounds good, doesn't it? Because we're going to keep drunk drivers off the road. Now in reality, of course, they're not going to be able to keep drunk drivers or other impaired drivers off the road. I really don't care what kind of technology they put in. [00:24:44] And they're not talking about putting in one of these blow-in-the-tube things that checks your blood alcohol level. They're talking about having a camera facing you as the driver, and probably other occupants of the vehicles, and that internally facing camera is going to evaluate you. It's going to look at you.
[00:25:07] It's going to look at your face. Is something droopy, or are you slow to respond? It might have a little test that it has you take right there. The law is very loosey-goosey on any details. There really aren't any, so it's going to be up to the manufacturer. So they put this in the car. Step one, [00:25:28] just like OnStar: step one, put it in the car, and they'll tell you when to turn. You remember how cool that was, the GPS with OnStar? And you tell them, I want to go to this address, and then the assistant goes ahead and sends programming to your car, and now you can go. And if you lock your keys in the car, they can unlock the car for you. [00:25:51] All kinds of cool stuff. And then, next up, what happened? But they can stop the vehicle. So there's another technology story related to OnStar, and this is from 2009, from Kelley Blue Book: OnStar stolen vehicle slowdown thwarts its first carjacking. So again, doesn't that sound fantastic? And this was a Tahoe with OnStar. [00:26:18] And the driver and his passenger were forced out of the vehicle, robbed by a shotgun-wielding perp who then drove off in the SUV. And the OnStar dispatcher was able to locate the vehicle using GPS, advise police of the exact location, and as soon as the police established visual contact, the stolen vehicle slowdown system was activated, available on a number of GM cars and trucks. [00:26:43] So this was over a decade ago that this happened, but the technology's evolved. Yeah. So we initially have all of these car companies trying to decide, okay, so we've got this kill switch law, which AP says is not a kill switch law because they talked to experts. Just like, what was it, 52 people, heads of intelligence [00:27:08] committees and agencies, said that this wasn't a collusion hoax, right? So they talked to experts who said, no, this isn't a kill switch. But that's today. You can argue it's not a kill switch. I would completely disagree with you. Day one, it's a kill switch, 'cause you can't start your car.
It's a kill switch. [00:27:25] A kill switch is often something you hide somewhere on the car so you can kill the engine, so it can't be stolen. It's a kill switch. Come on, people. Fact-checkers aside, this could potentially allow law enforcement, again, to shut down your car, remotely track the car's metrics, location, maybe the passenger load, because remember, now cars are tracking all of this. [00:27:51] There've already been tickets issued by police who did not see anyone speeding. The car was not caught on a traffic camera, but they hook up a device to your car's port that talks to its computer, and the computer says, yeah, he was doing 80 miles an hour five minutes ago. And all of a sudden you got a ticket, right? [00:28:12] Massachusetts wants to go ahead now and say, ah yeah, let's charge by the mile that you drive in Mass. Because, of course, you're not getting enough revenue from gasoline because of the electric cars. Electric cars are not paying their fair share when it comes to road taxes. So let's do it that way. [00:28:32] So how are they going to collect the information? Well, they're going to hook up to your car's computer. The next thing coming down the road, and it's already in most cars, is wireless data connectivity. Or you might've found already, if you have a Nissan, a Honda, many other cars, you have to get a major upgrade. It varies, 600 bucks up to a few grand for an expensive car, but the 2G data network, [00:29:02] and we talked about this on the show already, is being completely shut down by the end of the year. So they've got to replace it and switch you over to the LTE data network, which of course eventually will go away as well, or at least 3G. What happens once it's all hooked up? The next easy step is just feed all of that information straight to the government. [00:29:26] CraigPeterson.com. [00:29:30] If you've been afraid of ransomware before, I've got a good example for you where a whole country now has been ransomed.
Absolutely crazy. So we'll talk about that. What is the state of ransomware? And the NSA is asking us to trust them again. [00:29:47] Of course, staying up to date means that you get my insider newsletter pretty much every Tuesday morning. [00:29:54] And the only way to get that is to go to CraigPeterson.com/subscribe, and I will keep you up to date. You'll get even more insider information. The Costa Rican government has declared a state of national emergency. And to the best of my knowledge, this is the first time a government has done this, because agencies of the Costa Rican government have been hit so badly by the Conti ransomware [00:30:24] that the new incoming president immediately declared a state of emergency. So now the country has expanded law enforcement powers and they are trying to go after the Conti ransomware group. Now, between you and me, good luck on that one. They are based in Russia. There's a number of different articles out this week. [00:30:47] This one from AdvIntel at TechTarget. But according to their research, the Conti ransomware group's attack on the Costa Rican government was part of a rebranding effort. So this ransomware gang has seen a lot of their payments just dry up, because it's harder to get the money in. And what are you going to do with cryptocurrency [00:31:11] if you're the Conti group? Can you turn it into anything useful? It depends on the country you're in, but for most people, no. Okay. Absolutely no. So we were able to knock the Conti ransomware group's website offline. And we talked about that before here. The U.S. government did that, but now this is marking a new chapter for the cybercrime landscape. [00:31:38] Interesting, isn't it? So there are some investigations that have been going on. They've been trying to figure out what happened. What was the cause of the downfall of the Conti ransomware group? Are they really gone? Why did they pull their website offline? And
they declared publicly support for Russia in its invasion of Ukraine. [00:32:02] And so now the Conti ransomware group got hacked and held ransom. They suffered major league as a consequence. So other hackers went after Conti, which is a hacking group, and they showed here from internal documents that were stolen that the Conti ransomware gang's primary Bitcoin address, which was found in the leak, showed that they had taken in over $2 billion in cryptocurrency over the last five years. [00:32:35] Isn't that just amazing? An anonymous leaker has published more of the gang's communications, that can help the mass, for sure. But you think with that much money, they'd be able to protect themselves. Right now, on top of it, because of the hack of Costa Rica and the major damages, the U.S. government has offered a couple of bounties here [00:33:00] against the Conti ransomware group. So there's $10 million available if you can provide the feds with information about the leaders of the Conti ransomware group, and $5 million that you can get leading to the arrest of anyone involved with a Conti ransomware attack. Isn't that something? So ransomware has been really out of control for years. [00:33:25] There's no sign that things are actually slowing down. Definitely been enhanced law enforcement efforts to track them down. But ultimately here, the core members of these groups have been escaping these law enforcement activities. They've been using mules, like 2000 Mules. Have you seen that movie? [00:33:46] But the idea is they get people, primarily in the U.S., because that's where most of the money comes from. They do ransoms of people's and businesses' information here. In fact, last year, it's estimated that 60%, six zero percent, of small businesses were hacked, which is just crazy. No wonder they've got $2 billion. Okay. [00:34:07] What are we supposed to do? What are they doing to really come after us? They're doing many of the same things.
These mules will be hired saying, Hey, I just need to use your PayPal account. And all you have to do is transfer some money, 5%, 10% of the money I put in there. And they've always got these excuses. Think of the Nigerian email scams from years past, and frankly they still go around a little bit here, but large bounties are really becoming a part of the toolbox law enforcement's been using in the U.S. and abroad to try and track them down. [00:34:44] And that's really what they're hoping for down in Costa Rica, because what are they going to do? Frankly, really, what are they going to do? I don't know. And they obviously are relying on the United States to help them out with this. And the internal structure of the Conti group has been highly organized. [00:35:03] They've got the same type of structure a legitimate corporation would have. It takes work that needs to be done. They hire contractors that may not even know who they're actually working for to write small pieces of code here that get tied in. So it's not too surprising that a Conti affiliate is going to go far enough to cause a national emergency to be declared. [00:35:30] One of the things that Conti has done, and some of these other ransomware companies have done, companies, gangs, they have ransomware as a service. So there's all of these people that are affiliated with Conti, and all you have to do is get the Conti ransomware onto someone's computer and ta-da, they will pay you. [00:35:54] It's really that simple. They've got tech support for the people that are ransomed, to help them supposedly pay, right? How do I buy Bitcoin? And they'll walk you through. And then they will help you with restoring your files. Hopefully they can be restored. They can't always be restored. [00:36:15] I think right now the latest number I saw, about 60% of people who have their data encrypted and ransomed are in fact able to get that data, but there's 60% of the data back.
So that's not too big a deal, but Conti operates on affiliates. And this affiliate that went ahead and ransomed our friends in Costa Rica is called UNC1756, UNC 1756. [00:36:51] They're also suspected in other attacks on government servers, including a theft of intelligence materials in Peru. And this attacker has already leaked information stolen from Costa Rica, and it's on the Conti ransomware dark web portal, which is online. And after the former president of the country refused to pay a $10 million ransom demand, they started leaking the data. [00:37:17] So in this case, the focus has been on the national government agencies. They are potentially looking at what you might call espionage, but these Conti ransomware affiliates have become famous for really quickly exploiting new vulnerabilities as they're published and being indiscriminate in who they attack, because $2 billion. [00:37:39] And then the other part that I think is really interesting here. We're talking about money, we're talking about real money, obviously. Conti deals almost exclusively in Bitcoin, which can be hard to turn into hard currencies, but our friends in Costa Rica have said, no, we're not going to pay, [00:37:59] knowing what has been stolen and what they no longer have access to. In fact, the president said that the company, the country, Costa Rica is effectively at war. Now, they got a foothold, Conti did, in 27 agencies at different levels of the government. And the, yeah. Okay. So Conti is, say, I'm looking at an article in The Register here. [00:38:26] Conti apparently has made more than 150 million from a thousand-plus victims, while we know it's actually 2 billion, but it depends on the timeframe that they're talking about. And Conti says that they are determined to overthrow the government by means of a cyber attack. We've already shown you all the strength and power. [00:38:45] You have introduced an emergency. It's really quite something.
Now I mentioned earlier today that I am taking all of the cybersecurity stuff that we have been using here over the years, things like our plan of action and milestones documents and all of this stuff we use to run our projects for our customers.

[00:39:11] It's the real stuff, people. And remember, I've been doing cybersecurity since the early nineties, so we know what we're doing, I know what I'm doing, and I'm making it available for free. Okay, guys, you just have to send me an email, email@example.com. So the first cyber punch list that we have available, all you have to do is ask for it. Again,

[00:39:37] me, M firstname.lastname@example.org. It is the email punch list. So with this punch list, I go through the things that you need to do in order to secure your email and be more or less secure in your email. Now, I don't know about you. I do not like these long diatribes. I have a book behind me that is Hardening Windows 10 and it is in a four inch binder.

[00:40:14] Cited. There are thousands of recommendations in there from Microsoft. There's a lot that needs to be done. So what I've done is boiled it down to the most important things. And as I said, it's available absolutely free for you. It really is. If you're a listener, just email me, M email@example.com.

[00:40:38] You can ask me to add you to my insider show notes and my little three minute trainings that we do every week. You can also ask for a cyber punch list that you might need. So it's just, okay, we need to do this. You need to do that. You need to do this. You need to do that. So it makes it very straightforward.

[00:40:57] I'm trying to be, to see about any of this, but we have had amazing feedback on this from companies over the years, and now it's available to you for $0. Okay. So make sure you check it out. CraigPeterson.com, and you can always email me, M firstname.lastname@example.org, as well. Thanks for taking a little time with me today and look for me online.
[00:41:24] Look for my emails and, if you would, please thumbs up on your favorite podcasting platform, YouTube or Rumble, or subscribe. Thanks.

[00:41:37] We're going to talk about the Senate bill that has big tech scared, really scared. I'll talk about a new job site problem for a number of different industries because of hackers, and cloud, the cost and reliability.

[00:41:53] This tech bill. It has the Senate really scared.

[00:41:57] It is, frankly, quite a big deal. For those of you who are watching over on, of course, Rumble or YouTube, I'm pulling this up on this screen. This is an article from Ars Technica, and they got it originally from Wired; it was out in Wired earlier in the month. And it's pointing out a real big problem, that this isn't just a problem.

[00:42:23] This is a problem for both the legislature, in this case we're going to talk about the Senate, and a problem for our friends in big tech. So let us define the first problem as the big tech problem. You're Amazon. You are Google. Those are the two big targets here of this particular bill we're going to talk about, or maybe you're Facebook or one of these other Facebook properties, et cetera.

[00:42:50] If you are a small company that wants to compete with any of these big guys, what can you do? Obviously you can do what everyone's been telling us. Oh, you don't like the censorship, just make your own platform. And there've been a lot of places and people that have put a lot of money into trying to make their own platform.

[00:43:12] And some of them have had some mild successes. So for instance, I'm on Rumble. You can watch my videos there. And there have been some successes that Rumble has had in making it into kind of the competition to YouTube. But YouTube is still the 800 pound gorilla. Everybody wants to be where the cool kids are.

[00:43:32] So for most people, that's YouTube. They look at YouTube as being the popular place.
Thus, we should be, we obviously saw the whole thing with Elon Musk and Twitter, and the goings-on there. And Twitter really is the public square, although it's died down a lot because of this censorship on Twitter.

[00:43:52] Interesting. So as time goes forward, these various big companies are worried about potential competition. So how do they deal with that? This is where the real problems start coming in, because we saw Amazon, for instance, in support of an internet sales tax. You remember that whole big deal. The internet had been set aside, saying, Hey, no states can tax the internet, and that's going to keep the internet open.

[00:44:21] That's going to help keep it free. And people can start buying online. And that worked out fairly well. A lot of people are out there asking, why would Amazon support a sales tax on the internet? They are the biggest merchant on the internet, probably the biggest merchant, period, when it comes to not just consumer goods, but a lot of goods, like a Staples might carry for business.

[00:44:45] So they'd have to deal with, what, they're 9,000 different tax jurisdictions in the United States. And then of course all these other countries, we're not going to talk about them right now, but the United States, 9,000 tax jurisdictions. So why would Amazon support an internet sales tax when there's 5,000 tax jurisdictions?

[00:45:10] The reason is it makes life easier for them when it comes to competition. So if you are a little company and you want to sell your widgets or your service, whatever it might be, online, you now have to deal with 9,000 tax jurisdictions. It's bad enough in the Northeast. If you are in New Hampshire, if you live in New Hampshire and you spend more than, I think it's 15% of your time south of the border in Mass, then Mass wants you to pay income tax for that 15% that you are spending your time there.

[00:45:48] Now they do that with the baseball teams, with football teams, hockey, you name it, right?
So the big football team comes into town. The Patriots are playing the New York Jets or whatever it might be. The Patriots have to pay New York state taxes, income tax, now because they stepped foot in New York. Heaven forbid that they try and do business there and help New York state out.

[00:46:12] And they now have to pay income tax. Now they only have to pay income tax for the amount of time they're in New York. Various states have various weirdnesses, but if you're only playing 1, 2, 3 dozen games a year, it isn't like your normal work year, which is 2,080 hours. We're talking about them flying to New York and they're only spending maybe 10 hours working in New York, but that represents what percentage, 10, 20, 30% of their income, depending on how many games they play and how they're paid.

[00:46:45] And so they've got to keep track of all that and figure it out. Okay. We played in New York, we played in New Jersey. We're in Mass. They weren't in New Hampshire, certainly, the Patriots playing, but they've got to figure it all out. Guess what? Those big-pay football players, hockey, baseball.

[00:47:03] They can afford to have a tax accountant figure it all out and then battle with them. I had a booth one time at a trade show down in Connecticut. Didn't sell a thing. It was terrible. Trade shows, man. They aren't what they used to be. And they haven't been for a long time. This is probably a decade plus ago, maybe even 20 years ago.

[00:47:26] So I had a little booth, we were selling our services for cybersecurity, and of course, nobody wanted to bother paying for cybersecurity. Who needs it? I haven't been hacked yet. Although there's an interesting article we'll talk about next week based on a study that shows small businesses are going out of business at a huge rate because of the hacks, because of ransomware.

[00:47:49] And if you're worried about ransomware, I've got a really great little guide that you can get. Just email me, email@example.com.
I'll send it off to you, right? It's a free thing. Real information, not this cruddy stuff that you get from so many marketers, cause I'm an engineer. They'll go out of business.

[00:48:10] So they figured, I haven't been hacked yet, not a big deal. And so nobody. There's this big trade show. And I was so disappointed with the number of people that even showed up for this silly thing. So what happens next? Well, I get back to the office and about a month to two months later, I get this notice from the state of Connecticut, their tax people, saying that I haven't paid my Connecticut taxes yet.

[00:48:37] And because I was in Connecticut, I should be paying my income tax for that day that I spent and wasted in Connecticut. Oh, and plus every company in Connecticut that I'm doing business with, now I need to collect their taxes and pay them the taxes that I'm collecting for those Connecticut businesses or residents.

[00:48:59] I didn't sell a thing. You know what, it took almost, I think it was three or maybe four years to get the state of Connecticut to finally stop sending me all of these threatening notices, because I didn't get a dime from anybody in Connecticut. So I love the internet from that standpoint, saying you don't have to collect taxes in certain cases, certain states, et cetera, unless you have a legal nexus or a legal presence there in the state. So back to Amazon. Amazon loves the idea of having everything on the internet taxed. They love the fact that there's 9,000 plus tax jurisdictions when you get right down to city, state, county and local taxes, or you look at those poor residents of New York state, or those poor residents out in Washington state that have to worry about that, right?

[00:49:52] There's county taxes, state sales tax, city sales tax, and income taxes are much the same in all of these crazy cities and states around the country. Yeah. The ones that are in serious trouble right now, they are those same ones.
Those particular jurisdictions are hard to deal with. So from Amazon's standpoint, it's just like the Patriots football players.

[00:50:17] We've got plenty of money. We've got teams of lawyers. We have all kinds of accountants. We can handle this. And you know why Amazon really loves it? Because it provides another obstacle for any competitors who want to enter the business. That's the real reason so many big businesses don't go ahead and charge you serious money, so that they can use that money against you.

[00:50:48] Okay. You see where I'm going with this? Because if you want to start a business that competes with Amazon, if you want to have doilies, you're making doilies. My grandmother used to make them all the time and she had them on the toilet paper in the bathroom, little doily holders. Doilies everywhere.

[00:51:06] And then of course, the seashells on top of the toilet paper holders. If you want to do that and sell it, how are you going to deal online with 9,000 tax jurisdictions? What you're going to do is you're going to go to Etsy, or you maybe are going to go to Amazon Marketplace and sell your product there.

[00:51:25] On Amazon Marketplace. So Amazon is taking its cut out of it, Etsy is taking its cut off. And you still ultimately have some of that tax liability. Amazon loves it. It's the same reason you see these groups forming, right? Barbers saying, oh, we've got to be regulated. Really? You need to have a regulation in place for barbers?

[00:51:49] You need to have licensing for barbers. Why do they do that? They do that, not just barbers, right? It's all of these licensures in various states. They do that really to keep people out, to keep their prices high. That's why they do it, because someone can't just put up a sign and say, Hey, I am now a barber.

[00:52:10] Come get a haircut. And if you don't like the barber, if they do a lousy job, you go elsewhere. We don't need all of the bureaucracy on top of this to enforce licensure.
Anyways, when we get back, let's talk about that Senate bill. It's a big deal. And I am coming down in the middle of this thing. Hey, visit me online.

[00:52:30] Sign up right now. CraigPeterson.com, and get my special report on passwords.

[00:52:38] We just talked about why big business loves regulation. It helps protect them from up and coming small business, frankly. Let's look at this bill that Klobuchar and Grassley just introduced in the Senate.

[00:52:54] I am coming down in the middle of this bill. And let me tell you why we really do have a problem with some of these big businesses.

[00:53:04] For those of you who were watching here on Rumble or YouTube, I'm going to pull this up. This is an article that was originally in Wired and is in Ars Technica, great website. They got lots of good information, and the title is, a Senate bill that has big tech scared. So the question is, why now? Ars Technica,

[00:53:27] I'm going to scroll this down so you can see what they are saying. They're claiming that this is really apocalyptic, that frankly the people who are pushing against this bill are obviously the wrong people and everything else. But I love this point here. This is from a senior VP of policy at Yelp.

[00:53:50] You can see this on my screen. Luther Lowe. And he's talking about this bill. Actually one of two antitrust bills, is what they're called, in the US. It was voted out of committee by a very strong bipartisan vote. And the other bill is to regulate app stores, and there's issues with that too that we won't really be talking about today, but they have to do with protecting you, the consumer.

[00:54:19] If you can load any app you want from any app store on the internet on your iPhone, is your iPhone still? Versus having to get it from Apple. We're not talking about that one right now. This is Congress's shot here to stop big tech companies from abusing what they're calling a gatekeeper status.

[00:54:42] So we're going to talk about that.
What is this gatekeeper status? What does that mean? So Luther Lowe, back to him, VP of policy at Yelp, longtime antagonist, says it's the ball game. That's how these guys stay big and relevant. If they can't put their hand on the scale, then it makes them vulnerable to small and medium-sized companies eating their market share.

[00:55:11] Isn't that what I was saying? Protecting themselves, protecting themselves against the small startups. And if you've got government regulation on your side, you can just hammer them with the fact that, Hey, you guys aren't compliant, right? If you've got some major government regulation, just look at what happened with Elon Musk when he said I'm going to buy Twitter. All of a sudden his,

[00:55:40] and he, his Twitter account has problems. All of a sudden, what his money has prompted. All of a sudden, when Elon Musk said I'm going to buy Twitter, the government started investigating Tesla. It's amazing how these people work and how they think. It's just, it's absolutely amazing.

[00:56:00] So these big companies use government to beat other people over the head. It's like my example of the barbers, right? Do we really need licensing for barbers? Do we really need to have a barber board that oversees barbers? If someone harms you, there are laws against that. Now, for 10 years, I was in EMS.

[00:56:26] I was a volunteer EMT, you guys know that, emergency medical technician, and my wife was. And if we were to cut someone's hair without their consent, that would be considered assault, even battery in some cases. So there's laws on the book to protect your hair. Okay. Do we need laws about barbers? We don't need laws about so many things

[00:56:52] the government sticks its fingers in. And so what is it sticking its fingers in here? What are they trying to do? Let me pull that up on this screen for you. Senators Amy Klobuchar and Chuck Grassley, excuse me,
who are the top Democrat and Republican on the Senate Judiciary Committee, are saying, Hey, we need to regulate how Amazon, how Google and these others can use their position, in order to

[00:57:30] keep their fingers off the scale. So bottom line, that sounds like a pretty good idea to me. And that's the thing that fits on the bumper stickers: stop Google from putting their thumb on the scale. Stop Amazon from putting the thumb on the scale. Because we have

[00:57:47] actual problems with this. We have seen where people who are using Amazon Marketplace to sell their stuff. Why would they do that? Obviously they've got to pay a percentage to Amazon, plus, depending on how your business operates, you have to pay Amazon to warehouse your goods just for you. You have to pay Amazon for all the logistic services, for shipping, for moving around between Amazon warehouses, and then for selling it. It can get pretty darn expensive.

[00:58:20] Okay. Amazon charges. That seems pretty fair to me, right? The libertarian mindset. Where's the problem? I don't see the problem, Craig. The problem is that Amazon has its own products that they want to sell. More than half of what's on the Amazon store is actually sold by third parties. And we've talked about that before.

[00:58:42] We talked about problems with that before, but that means that, what, almost half of it is sold by Amazon. So Amazon has a number of brands. Last I checked, it was a few dozen brands that don't look like they're Amazon. There's a home services brand. There's a place that sells couches, or Chesterfields, depending on where you're from.

[00:59:06] There's a whole bunch of different businesses, clothing businesses, et cetera, that are actually Amazon, who might've bought a company, or they saw that a company was doing really well in their marketplace by selling item X. So what do they do? They go ahead and say, okay, we're going to start making an item X. See where the problem comes in?
[00:59:29] So Amazon is using these small businesses that put everything on the line, right? They might have their house leveraged to the max. They might have sold their house and be living with somebody else, apartments are too expensive. The cash to get their business going. They scraped the money together.

[00:59:46] Maybe they had to pay $5,000 to have a mold made, injection mold, and then they have the stuff made in the US or in China, or they're trying to print it on a 3D printer for the concept. And they go through a number of different iterations of trying to make that product work and consumers like it.

[01:00:07] And consumers give them feedback saying, what if this was a quarter inch smaller, or moved over there on the product, that would just be so much more useful. So they add that, they add the engineering time, they've invested a quarter million dollars easily to get the product off the floor, to get it out there, and people start buying it.

[01:00:29] Where are they selling it? They've got to really sell it on Amazon Marketplace, because who else are you going to go to for logistics, sales, support, everything else? Not to mention the tax jurisdictions that want to collect money from you. And then Amazon comes out with a competing product. Is that enough to drive you crazy?

[01:00:51] Now we've seen this forever in the software industry. Microsoft has done this for years. Apple does it too. I'm looking at a screen right here in front of me hooked up to an Apple Mac mini. Some of the Sidecar functions and stuff, they were developed by a third party that spent their blood, sweat, tears, and money on developing it.

[01:01:16] And then along comes a big guy and you're out of business. We've got to finish this up. We will do that when we get back. What's the Senate doing, actually, here? And what does it mean to you and me? Hey, visit me online. CraigPeterson.com. Get my insider information for free.
[01:01:38] We just talked about how big business uses its advantages to crush potential competition. Crush them. And it's a shame, and it's happened to me and many people I know, and now the Senate's getting involved and making things worse.

[01:01:55] This happened to me a number of years ago, and I will never forget it.

[01:02:00] It was a really big lesson for me. I had designed and written a computer system that would take the code that was written for a much older system and run it for much less money. So bottom line here, this was a system called CADE, computer assisted data entry, that was made by Sperry way back in the day.

[01:02:25] Yeah, I've been in there that long. And they had little programs, so they would not punch cards, but punch right onto tapes, those big nine track tapes, and that information would then be used for processing later on. Then people, big businesses, grocery stores, you name it, were using that Sperry system.

[01:02:48] And I designed a system that would take their COBOL, is what it was, it was a form of COBOL code from this CADE system, and you could use my code to compile it and run it on a Unix system. So the cost involved here was that it would be cheaper to buy a whole new Unix computer and buy new terminals and do some slight training changes.

[01:03:18] But the key punch operators would be using exactly the same keystrokes as they were already used to. Okay. So you know how fast they were, so it wouldn't slow them down at all. And their cost would be less than just the maintenance contract on the old Sperry CADE. Very cool stuff. And it worked really well.

[01:03:38] Then I worked with a couple of sales guys at Sperry, because Sperry had a Unix tower system. It was a minicomputer that was Unix-based. And I had one. I had saved up my money. We bought this thing. It was a lot of money. Nowadays it'd be about a hundred thousand dollars I spent on that system, and it was really great.

[01:04:00] Cool.
So some grocery stores started using it. They used it to build the space shuttle, to design it and send it into space. RCA Astro Space used it, my system, which is all really cool. So Sperry was interested in it, saying, okay, let's do this. Now, I had flown myself across the country too, because I was in California at the time, to do some of this work for

[01:04:25] RCA Astro Space for the space program, and help make sure it was working and get it installed, help them configure it and everything else. So I had a lot of time, a lot of money, a lot of effort into this. It was a big venture. So Sperry invited me down to their headquarters down in Blue Bell, Pennsylvania to talk about this.

[01:04:50] And I was so excited because their sales guys wanted to sell it. They gave me some free space in a booth in Las Vegas. So I was in the Sperry booth with them and, say, yeah, you can buy this. And you're using the Sperry, the new Sperry hardware. And I went down there and talked with them.

[01:05:10] They never did anything with me, or, here's a huge investment, young guy. And all of this stuff just worked, and they had proof of concept. They had a couple of customers already using the system, and it never materialized. And then about a year and a half later, I found out Sperry had tried to duplicate my system and had messed it up terribly.

[01:05:35] It wasn't keystroke compatible. So anyone using the new Sperry system, they had to learn. Okay. So I've got to hit this and I've got to go over here and I've got to click on this. Are you kidding me, using a mouse? Aren't you not? These are data entry operators. They just go all day long, just typing and.

[01:05:52] They had stolen my ideas. They messed it up. They didn't do as good a job as I did, which turns out is pretty common. And they had stolen it. They'd stolen years of my life. So I've seen that before with me.
I've seen Microsoft do that with friends of mine, and I've seen Apple do it with various products that they've decided to release.

[01:06:17] They all do it. Why do you think these businesses cannot spend money on research and development, and yet at the same time stay in business as technology's continuing to move forward? Why? The reason is, they don't have to. Or, why would we do that? Wait a minute. Now, all we have to do is either buy the company or steal the product, just re-engineer it.

[01:06:44] Oh, and if we want to buy the company, we can do what Microsoft has been accused of doing again and again, which is, we'll just, Microsoft, let's see here. I like that database, it's pretty darn cool. So here's what we're going to do. So Microsoft announces, Hey, we're going to have a competitor to that coming out soon.

[01:07:03] And then they sit there and they wait and they say, okay, how many people are going to ask about it? Oh wow, a lot of people asking for it. In the meantime, that company that had that great little database software is trying to sell it. And people are saying, wait, Microsoft is going to come up with a version of this.

[01:07:18] I'm just, I'm going to wait. We can wait a few months. Let's see what Microsoft does. So that poor company is now seriously struggling because this big company came out and made the announcement that they're going to do something like this. And then that small company gets a knock on the door. Hey, we're Microsoft, or company X.

[01:07:41] And we like your product. Wow. Okay. So we're going to do a buyout. We're going to, we're just, oh, this is going to be fantastic. I might have to sign, what, a two year contract, non-compete, and help them manage it. Okay. We can deal with this. And then they find out that company X says, your company is not worth that much anymore.

[01:08:02] Your sales, look at their sales here, man. They've gone way down. Okay. So let me see, let's do a nickel on every dollar of the valuation you had a year ago.
This happens every day, worldwide, in America. It should never happen to anyone. And as you can tell, it upsets me. So what are Klobuchar and Grassley doing here?

[01:08:30] Amy, when she was running for president, she made this big deal. I'm going to pull this up on my screen for those of you who are watching on Rumble or YouTube. And you can find all of that on my website, CraigPeterson.com. You can see here. So they are trying to protect the American consumer, right? Yeah.

[01:08:49] Yeah. That's it. They're gonna protect us. And so what they're doing is saying that. Would a rule ruin Google search results? Because that's what Google says. Is it going to bar Apple from offering new features, useful ones, on the iPhone? How about Facebook? Will it stop them from moderating content? So the legislation's core idea is we will just let

[01:09:17] the marketplace take care of things. We're not going to let Amazon put their products in the product listings before third parties. But how are you possibly going to be able to regulate that stuff? You can't, you can't regulate it. Talking about a bureaucracy, you'd probably need one about as big as the federal government is right now.

[01:09:41] And the federal government needs to be cut back in a major way. There's this two months. How about the 150 million Americans? This article brings that up too, that are currently using Amazon Prime, even though the price went up. And they have it free to Prime members. This is a big deal.

[01:10:00] The bill doesn't mention Prime. Doesn't mention Google by name, Amazon. But this is going to be a nightmare to enforce. The bill is not specific enough. It should be voted down. And between you and me, I don't know what can be done about this other than to have additional marketplaces show up online. And you know what, the conservative social media sites are starting to win.

[01:10:29] So maybe there's hope.

[01:10:32] We've got two things we're going to talk about right now. One of them is tech jobs.
And man, is there a lot of scamming going on there, as you might expect. And the second is cloud. Are you looking at cloud services, at home or for business?

[01:10:48] You can see this. I'm going to pull this up on my screen for those watching on Rumble or on YouTube, but this is a big problem.

[01:10:58] And we've seen this again and again. Right now, they're going after certain workers in the chemical sector, but it isn't just the chemical sector. What we've seen is the bad guys going after anyone that's applying for a job. So let me give you a few tips here. First of all, you should not be paying to apply for a job.

[01:11:25] We see that all of the time when it comes to the headhunting firms. What happens is, they will charge the business who is looking to hire someone. That makes sense to you. They'll charge the business. So oftentimes it's a percentage of the annual salary, anywhere from usually 20% up to a hundred percent or more, depending on the position.

[01:11:49] And boy, can they make a lot of money, but they don't necessarily place people. But you know how it is right now, there can be quite a few. So people have been applying for jobs to make a lot of money and not realizing that the fee that supposedly they have to pay is illegitimate. So remember that.

[01:12:10] Okay. The second thing has to do with this particular scam, because what they're trying to do is get into some of these companies. So they will send a thing out saying, Hey, I'm a headhunter, I'm here for you. We're going to get you this job, you need to apply. Are you interested in a new job? Now, I've seen some stats online saying that somewhere around 30 plus percent of people are looking, or at least open to

[01:12:45] getting a new job, which means a lot more are looking for jobs. Now I have to add to that, that the people who have jumped ship over the lockdown period really are not happy. The majority of them wish they had stayed where they were at.
So keep that in mind too. But what they'll do is they'll say, Hey, listen.

[01:13:07] Oh, there's this new feature on LinkedIn, by the way. You can say, I'm interested in looking for a job. I forget exactly what it says, but it goes around your picture, and I have it up there because I'm a contractor. I go to businesses and I'm there to harden their cybersecurity. And we usually start slowly, especially with some of these startups we're doing work with right now, where they won't, they go from a completely flat network and it's all engineers and I don't want anything hindering anything.

[01:13:39] And so you've got to work with them, and it's just one at a time sort of a thing. Okay. I just had this one thing this week. And then move on to one thing next week as well. So that's what I do for a living. And a lot of people are looking on LinkedIn and other places to find people who can be a chief information security officer.

[01:14:01] So I'm what you call a fractional chief information security officer. I do this under contract, and I've been doing contracts and contract work for, I don't know if I should be saying this on the air, but my gosh, it's been now, I guess it's 40 years right now. So I've been doing this for a long time.

[01:14:22] So I'm familiar with some of these scams, so you can take my word on some of this stuff. So what they do is they say, Hey, we've got a potential job opening. Are you interested? Now, when we talk about 30 plus percent of people polled saying that they're looking, interested in a new job, the numbers are probably a little higher. Not that everyone's going to jump ship. Some people will, but there are a lot of people that, if they get this email, they're going to open it up. And so what'll happen now is this group out of North Korea called the Lazarus Group, and we've talked about them before,

[01:15:00] will go ahead and say, yeah, here's what's going to happen here. Let's just send you this thing. You can open it up.
You can look at it and see if it's really a fit for you. I love this graphic that they have. This is from Dark Reading. I have it up on the screen again, Rumble and YouTube.

[01:15:19] What should we do now? Should I open this up? Should I not open it up? It turns out that what's happening is that Symantec and Broadcom both have noticed this and stated in an advisory a couple of weeks ago: be very careful, because what it's going to do is install a Trojan horse on your computer.

[01:15:40] So let's think about this. You're talking about the chemicals
Facebook Has No Idea Where Your Data Is and What They Do With It?! Facebook's about 18 years old, coming on 20. Facebook has a lot of data. How much stuff have you given Facebook? Did you fall victim to that? Hey, upload your contacts. We'll find your friends. They don't know where your data is. [Following is an automated transcript] [00:00:15] This whole thing with Facebook has exploded here lately. [00:00:20] There is an article that appeared online from our friends over at, I think it was, yeah, let me see here. Yeah. Yeah. Motherboard. I was right. And Motherboard is reporting that Facebook doesn't know what it does with your data or where it goes. No, there's always a lot of rumors about different companies, particularly when they're a big company and the news headlines are grabbing your attention, and certainly Facebook can be one of those companies. [00:00:57] So where did Motherboard get this opinion about Facebook just being completely clueless about your personal data? It came from a leaked document. Yeah, exactly. So we find out a lot of stuff like that. I used to follow a website about companies that were going to go under, and they posted internal memos. [00:01:23] It basically got sued out of existence, but there's no way that Facebook is going to be able to sue this one out of existence, because they are describing this internally as a tsunami of privacy regulations all over the world. Of course, if you're older, we used to call those tidal waves, but think of what the implication there is of a tsunami coming in and just overwhelming everything. [00:01:53] So Facebook, internally, their engineers are trying to figure out, okay, so how do we deal with people's personal data? It's not categorized in ways that regulators want to control it. Now, there's a huge problem right there. You've got third-party data. You've got first-party data. You've got sensitive categories data.
[00:02:16] They might know what religion you are, what your persuasions are in various different ways. There's a lot of things they might know about you. How are they all categorized? Now we've got the European Union with their General Data Protection Regulation, the GDPR, which we talked about when it came into effect back in 2018, and I've helped a few companies to comply with that. [00:02:41] That's not my specialty. My specialty is the cybersecurity. But in Article 5, this European law mandates that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. So what that means is that every piece of data, like where you are using Facebook or your religious orientation, can only be collected and used for a specific purpose and not reused for another purpose. [00:03:19] As an example here that Vice has given, in the past Facebook took the phone number that users provided to protect their accounts with two-factor authentication and fed it to its people feature, as well as advertisers. Yeah. Interesting. Hey, so Gizmodo, with the help of academic researchers, caught Facebook doing this, and eventually the company had to stop the practice. And this goes back to the earlier days where Facebook would say, Hey, find out if your friends are on Facebook, upload your contacts right now. [00:03:54] And most people, what did you know back then about trying to keep your data private, to try and stop the proliferation of information about you online? Nothing. I think I probably even uploaded it back then, thinking it'd be nice to see if I've got friends here. We can start chatting, et cetera.
[00:04:12] According to legal experts who were interviewed by Motherboard, who wrote this article and has a copy of the internal memo, this European regulation specifically prohibits that kind of repurposing of your phone number, of trying to put together the social graph, and the leaked document shows that Facebook may not even have the ability to control [00:04:37] how it handles users' data. Now, I was on a number of radio stations this week talking about this. And the example I gave is just look at an average business from the time it starts. Facebook started how, right? Wildly scraping pictures of young women off of Harvard University's main catalog, contact page, and then asking people, what do you think of this person, that person? And off they go, trying to rate them. Yeah. Yeah. All that matters to a woman, at least according to Mark Zuckerberg, all that matters about a woman is how she looks. Do I think she's pretty or not? [00:05:15] It's ridiculous what he was doing. It's just, oh, that's Zuckerberg, who is not a great guy anyways. So you go from stealing pictures of young ladies, asking people to rate them, putting together some class information and stuff there at Harvard, and then moving on to other universities, and then opening it up even wider and wider. [00:05:42] And of course, that also created demand, because you can't get on if you're not at one of the universities that we have set it up for. And then you continue to grow. You're adding these universities, certainly starting to collect data, and you are making more money than God. So what do you do? You don't have to worry about any efficiencies. [00:06:02] I'll tell you that. Right? One thing you don't have to do is worry about, gee, we've got a lot of redundant work going on here. We've got a lot of teams working on basically the same thing. No, you've got more money than you can possibly shake a stick at. So now you go ahead and send that money to this group or that group.
[00:06:24] And they put together all of the basic information that they want, pulling it out of this database and that database and doing some correlation, writing some really cool SQL queries with incredible joins and everything else. And now that becomes part of the main code for Facebook. [00:06:45] And then Facebook goes on to the next little project, and they do the same thing. Then the next project, then the next project. And then someone comes along and says, Hey, we need this feature, that feature for advertisers, and then in that goes. And then along comes candidate Obama, and one of the groups inside Facebook says, yeah, here we go. [00:07:09] Here's all of the information we have about everybody, and it's free. Don't worry about it. And then when Trump actually bought it and hired a company to try and process some of that information, he got in trouble. No, but the whole campaign could get access to anything they wanted to, again, because the data wasn't controlled. They had no idea who was doing what with the data. [00:07:34] And according to this internal memo, they still don't know. They don't even know if they can possibly comply with these regulations, not just in Europe, but we have regulations in pretty much all of the 50 states in the U.S. Canada, of course, has their own. Australia and New Zealand. Think about all the places [00:07:57] Facebook makes a lot of money. So here's a quote from that: "We build systems with open borders. The result of these open systems and open culture is well described with an analogy. Imagine you hold a bottle of ink in your hand. The bottle of ink is a mixture of all kinds of user data. You pour that ink into a lake of water and it flows everywhere," [00:08:22] the document read. So how do you put that ink back in the bottle, in the right bottle? How do you organize it again so that it only flows to the allowed places in the lake? They're totally right about that. Where did they collect it from?
Apparently they don't even know where they got some of this information, [00:08:43] this data, from. Reminds me of the no-fly list. You don't know you're on it, and you can't get yourself off of it. It's crazy. So this document that we're talking about, it was written last year by privacy engineers on the ad and business product team, whose mission is to "make meaningful connections between people and businesses" and which, quote, "sits at the center of our monetization strategy [00:09:06] and is the engine that powers Facebook's growth." Interesting. Interesting problems. And I see this being a problem well into the future for more and more of these companies. Look at Twitter as an example that we've all heard about a lot lately, and that I've talked about as well. Along comes Elon Musk, and he says, wait a minute, [00:09:29] I can make Twitter way more profitable. We're going to get rid of however many people, over a thousand, and then we are going to hire more people. We're going to start charging. We're going to be more efficient. You can bet all of these redundancies that are in Facebook are also there, and Twitter also has to comply with all of these regulations that Facebook is freaking out about, and for a really, a very good reason. [00:10:00] So this document is available to anybody who wants to look at it. I'm looking at it right now, talking about the regulatory landscape and the fundamental problems with Facebook's data lake. And this is a problem that most companies have, not as bad as Facebook does, but most companies, right, you grow. I have yet to walk into a business that needs help with cybersecurity and find everything in place as it should be, because it grew organically. [00:10:32] You started out with a little consumer firewall router, Wi-Fi, and then you added to it, and you put a switch here, and you added another switch behind that, and moved things around. This is normal.
This is not total incompetence on the part of the management, but my gosh, I don't know. Maybe they need an Elon Musk [00:10:52] to just straighten them out as well. Hey, stick around. I'll be right back, and sign up at firstname.lastname@example.org. [00:11:02] Apparently looting is one of the benefits of being a Russian soldier, and according to the reports coming out of Ukraine, they've been doing it a lot. But there's a tech angle on here that is really turning the tables on these Russian looters. [00:11:19] We know in wars there are people that loot, and typically the various militaries try and make sure, at least recently, that looting is kept to an absolute minimum. [00:11:32] Certainly the Americans, the British, even the Nazis during World War II, the socialists there in Germany, they tried to stop some of the looting that was going on. I think that's probably a very good thing, because what you end up with is just all of these locals that are just totally upset with you. [00:11:57] I found a great article in the Guardian, and there's a village that had been occupied for about a month by Russian troops, and the people came back. They are just shocked to see what happened in there. Giving a few examples of different towns: they found that the alcohol was stolen and they left empty bottles behind, food wrappers, cigarette butts thrown all over the place in apartments and in the homes, [00:12:26] piles of feces blocking the toilets, family photographs torn and thrown around the house. "They took away all of the clothes," as a quote from one of the people, "literally everything, male and female coats, boots, shirts, jackets, even my dresses and laundry." This is really something. The Soviets didn't do this, but now Russia, [00:12:49] the military, apparently does.
So over the past couple of weeks, there has been reporting from numerous places where Russian troops had occupied Ukrainian territory, and the Guardian, which is this UK newspaper, collected evidence to suggest looting by Russian forces was not merely a case of a few wayward soldiers, but a systematic part of Russian military behavior across multiple towns [00:13:17] and villages. That's absolutely amazing. Another quote here: "People saw the Russian soldiers loading everything onto Ural trucks, everything they could get their hands on." A dozen houses on the village's main street had been looted, as well as the shops. Other villagers reported losing washing machines, food, laptops, even a sofa, an air conditioner, [00:13:41] being shipped back, just as you might use UPS here, or they have their equivalent over there. A lady here who was the head teacher in the school, she came back in and of course found her home looted, and in the head teacher's office she found an open pair of scissors that had been jammed into a plasma screen that was left behind, because if they can't steal it, they're going to destroy it. [00:14:07] They don't want to leave anything behind. They found the Russians had taken most of the computers, the projectors and other electronic equipment. It's incredible. So let's talk about the turnaround here. You might've heard stories about some of these bad guys that have smashed and grabbed their way into Apple stores. [00:14:27] So they get into the Apple store. They grab laptops and iPads, no longer iPods, because they don't make those anymore, and iPhones, and they take them and they run with them. Nowadays there's not a whole lot of use for those. Now what they have been doing, some of these bad guys, is they'd take some parts and use them in stolen equipment. [00:14:52] They sell them on the used market, et cetera. But when you're talking about something specific, like an iPhone that needs specific activation,
a completely different problem arises for these guys, because that iPhone needs to have a SIM card in order to get onto the cell network, and it also has built-in serial numbers. [00:15:15] So what happens in those cases? Well, Apple goes ahead and disables them. So as soon as they connect to the internet, let's say they put them on Wi-Fi; they don't get a SIM card. They don't get service from T-Mobile or Verizon or whoever it might be. So now they just connect to the Wi-Fi and it calls home, [00:15:33] because it's going to get updates and download stuff from the App Store, and they find that it's been bricked. Now you can do that with a lot of mobile device managers that are available for all kinds of equipment nowadays, but certainly Apple equipment, where if a phone is lost or stolen, or a laptop or other piece of equipment, you can get on the MDM and disable it, have it remotely erased, et cetera. [00:16:00] Now, police have had some interesting problems with that, because a bad guy might go ahead and erase a smartphone that's in the evidence locker at the police station. So they're doing things like putting them into Faraday cages or static bags or other things to try and stop that. So I think we've established here that the higher-tech equipment is pretty well protected. [00:16:25] You steal it, it's not going to do you much good. So one of the things the Russians stole when they were in, it's called, I think you pronounce it Melitopol, which is again a Ukrainian city, is they stole all of the equipment from a farm equipment dealership and shipped it to Chechnya. Now that's according to a source, a businessman in the area, that CNN is reporting on. [00:16:56] So they shipped this equipment. We're talking about combine harvesters worth 300 grand apiece. They shipped it 700 miles, and the thieves were ultimately unable to use the equipment because it had been locked remotely.
So think about agriculture equipment from John Deere, in this case. These pieces of equipment, they drive themselves. [00:17:23] It's autonomous. It goes up and down the field, goes in any pattern that you want it to. It'll bring itself within a foot or an inch of your boundaries, of your property, being very efficient the whole time, whether it's planting or harvesting, et cetera. And that's just a phenomenal thing, because it saves so much time for the farmer, makes it easier to do. The companies like John Deere [00:17:49] want to sell as many pieces of this equipment as they possibly can. And farming is known to be a, what, not terribly profitable business, and certainly isn't like Facebook. So how can they get this expensive equipment into the hands of a lot of farmers? What they do is they use leases. So you can lease the equipment through a leasing company or maybe directly from the manufacturer, and now you're off and running. [00:18:16] But what happens if the lease isn't paid? Now, it's one thing if you don't pay your lease on a $2,000 laptop, right? They're probably not going to come hunting for you, but when you're talking about a $300,000 harvester, they're more interested. So the leasing company has title to the equipment, and the leasing company can shut it off remotely. [00:18:41] You see where I'm going with this, so that they can get their equipment in the hands of more farmers, because the farmers can lease it. It costs them less. They don't have to have a big cash payment. You see how this all works. So when the Russian forces stole this equipment, that's valued, total value here, at about $5 million, [00:19:02] they were able to shut it all off. And obviously, if you can't start the engine, because it's all shut off and it's all run by computers nowadays, and there's pros and cons to that. I think there's a lot of cons, but what are you going to do? How's that going to work for you? It isn't going to work for you.
[00:19:22] And they were able to track it. It had GPS trackers, find out exactly where it was. That's how they know it was taken to Chechnya and could be controlled remotely. And in this case, how did they control it? They completely shut it off. Even if they sell the harvesters for spare parts to earn some money, they sure aren't going to be able to sell them for the 300 grand that they were actually worth. [00:19:48] Hey, stick around. We'll be right back, and visit me at email@example.com. If you sign up there, you'll be able to get my insider show notes, and every week I have a quick training right there in the emails. CraigPeterson.com. [00:20:05] If you've been worried about ransomware, you are right to worry. It's up. It's costly. And we're going to talk about that right now. What are the stats? What can you do? What happens if you do get hacked? Interesting world! [00:20:20] Ransomware has been a very long-running problem. I remember a client of ours, a car dealership, who we had gone in, [00:20:31] we had improved all of their systems and their security, and one of their people, who was actually a senior manager, ended up downloading a piece of ransomware, one of these encrypted ones, and opened it up, and his machine, all of a sudden, guess what, it had ransomware on it. One of those big screens that say, pay up and send us this much Bitcoin, and here's our address, [00:21:00] all of that sort of stuff. And he called us up and said, what's going on here? What happened? First of all, don't bring your own machine into the office. Secondly, don't open up these particularly encrypted files using a password that they gave you. And thirdly, we stopped it automatically. It did not spread. [00:21:20] We were able to completely restore his computer. Now let's consider here the consequences of what happened. So he obviously was scared. And within a matter of a couple of hours, we actually had him back to where he was, and it didn't spread.
So the consequences there, they weren't that bad. But how about if it had gotten worse? [00:21:47] How about if the ransomware, also, before it started holding his computer ransom, went out and found all of the data about their customers? What do you think an auto dealership would love to hear, that all of their customer data was stolen and released, all of the personal data of all of their customers? [00:22:08] Obviously not. So there's a potential cost there. And then how long do you think it would take a normal company that thinks they have backups to get back online? All I can tell you is it'll take quite a while, because the biggest problem is most backups don't work. We have yet to go into a business that was actually doing backups that would work to help restore them. [00:22:35] And if you're interested, I can send you, I've got something I wrote up. I'd be glad to email it back to you. Obviously, as usual, no charge. And you'll be able to go into that and figure out what you should do, because I break it down into the different types of backups and why you might want to use them or why you might not want to use them. But ransomware [00:22:58] is kind of a pernicious, nasty little thing, particularly nowadays, because it's two-factor. First is they've encrypted your data. You can't get to it. And then the second side of that is, okay, I can't get to my data, and now they're threatening to hold my data ransom or they'll release it. So they'll put it out there. [00:23:22] And of course, if you're in a regulated industry, which actually car dealers are, because they deal with financial transactions, leases, loans, that sort of thing, you can lose your license for your business. You can lose your ability to go ahead and, frankly, make loans and work with financial companies and financial instruments. [00:23:45] It could be a very big deal.
So there are a lot of potential things that can happen, all the way from losing your reputation as a business or an individual to losing all of the money in your operating account. And again, we've got a client that we picked up afterwards that, yes, indeed, lost all of the money in their operating account. [00:24:09] And then how do you make payroll? How do you do things? There's a new study that came out from Check Point. Check Point is one of the original firewall companies, and they had a look at ransomware. What are the costs of ransomware? Now, bottom line, I'm looking at some stats here on a couple of different sites. [00:24:29] One is, by the way, Conti, which is a big ransomware gang that also got hacked after they said, we are going to attack anyone that doesn't defend Putin's invasion of Ukraine, and then they got hacked and their information was released. But here's ransomware statistics. This is from Cloudwards. First of all, the largest ransom demand is $50 million, [00:24:55] and that was in 2021, to Acer, the big computer company. 37% of businesses were hit by ransomware in 2021. This is amazing. They're expecting by 2031, so in about a decade, ransomware is going to be costing about $265 billion a year. Now, on average, ransomware costs businesses $1.85 million to recover from an attack. [00:25:25] Now, that's obviously not a one- or two-person place, but think of the car dealer again. How much money are they going to make over the year or over the life of the business? If you're a car dealer, you have a license to print money, right? You're selling a car model or cars from manufacturers, and now you have the right to do that, and they can remove that. [00:25:48] How many tens, hundreds of millions of dollars might that end up costing you? Yeah. Big deal. Total cost of ransomware last year, $20 billion. Now, these are the interesting statistics here right now, so pay closer attention to this: 32% of ransomware victims paid a ransom.
So about a third paid the ransom demand [00:26:12] last year. It's actually down, because my recollection is it used to be about 50% would pay a ransom. Now, on average, that one third of victims that paid a ransom only recovered 65% of their data. Now, that differs from a number I've been using from the FBI that's a little bit older, that was saying it was a little better than 50%, but 65% of paying victims recovered their data. [00:26:41] Now, isn't that absolutely amazing? Now, 57% of companies were able to recover their data using a cloud backup. Now think about the different types of backup. Cloud backup is something that can work pretty well if you're a home user, but how long did it take for your system to get back? Probably took weeks, right? [00:27:05] For a regular computer over a regular internet line. Now, restoring from backups is going to be faster, because your downlink is usually faster than your uplink. That's not true for businesses that have real internet service like ours. It's the same bandwidth up as it is down. But it can take, again, days or weeks to try and recover your machine. [00:27:28] So it's very expensive. And I wish I had more time to go into this, but looking at the costs here and the fact that insurance companies are no longer paying out for a lot of these ransomware attacks, it could be incredibly expensive for you. Incredibly. The number one business types by industry for ransomware attacks: retail. [00:27:59] That makes sense, doesn't it? Real estate, electrical contractors, law firms and wholesale building materials. Isn't that interesting? And that's probably because none of these people are really aware or conscious of keeping their data secure, of having a good IT team, a good IT department. [00:28:24] So there's your bottom line. Those are the guys that are getting hit the most. The numbers are increasing dramatically, and your costs are not just in the money you might pay as a ransom.
And as it turns out, in pretty much every case, prevention is less expensive and much better than the cure of trying to pay ransom or trying to restore from backups. [00:28:52] Hey, you're listening to Craig Peterson. You can get my weekly show notes by just going to CraigPeterson.com. [00:29:00] You and I have talked about passwords before, the way to generate them and how important they are. We'll go over that again a little bit in just a second, but there's a new standard out there that will eliminate the need for passwords. [00:29:16] Passwords are a necessary evil, at least they have been forever. I remember, I think the only system I've ever really used that did not require passwords was the IBM 360. [00:29:31] Yeah, 360. You punch up the cards, all of the JCL, you feed the card deck in and off it goes, and does its little thing. That was a different day, a different era. When I started in college, in university, we had remote systems, timeshare systems that we could log into, and there wasn't much in the line of password requirements. [00:29:58] But you had a username, you had a simple password. And I remember one of our instructors, his name was Robert Andrew Lang, and his password was always some sort of a combination of R. A. Lang. So it was always easy to guess what his password was. Today it has gotten a lot worse. Today we have devices with us all the time. [00:30:22] You might be wearing a smartwatch that requires a password. You, of course, probably have a smartphone that also may be requiring a password, certainly after it boots. Nowadays they use fingerprints or facial recognition, which is handy, but it has its own drawbacks. But how about the websites you're going to, the systems you're using when you're at work and logging in? [00:30:49] They all require passwords and usernames of some sort or another. Well, Apple, Google, and Microsoft have all committed to expanding their support for a standard that's actually been out there for a few years.
It's called the FIDO standard, and the idea behind this is that you don't have to have a password in order to log in. [00:31:15] Now, that's really an interesting thing, right? Just looking at it, because we're so used to having this password-only authentication. And of course the thing to do there is to make sure you have, for your password, multiple words in the password. It should really be a passphrase, and between the words put in special characters or numbers, maybe [00:31:41] upper- and lowercase a little bit in those words. Those are the best passwords, 20 characters, 30 characters long. And then if you have to have a PIN, I typically use a 12-digit PIN. And how do I remember all of these? Because I use a completely different password for every website. And right now, let me pull it up. [00:32:03] I'm using 1Password.com's password manager, and my main password for that is about 25 characters long. And I have 3,135 entries here in my password manager. 3,100. That is a whole lot of passwords, right? As well as software licenses and a few other things in there. [00:32:30] That's how we remember them, is using a password manager. 1Password.com is my favorite. Now, obviously I don't make any money by referring you there. I really do like that. Some others that I've liked in the past include LastPass, but they really messed up with some of their cybersecurity last year, and I lost my faith in it. [00:32:51] So now what they're trying to do is make these websites that we go to, as well as some apps, have a consistent, secure and passwordless experience. And they're going to make it available to consumers across all kinds of devices and platforms. That's why you've got Apple, Google, and Microsoft all committing to it. [00:33:15] And you can bet everybody else is going to follow along, because there's hundreds of other companies that have decided they're going to work with the FIDO Alliance and they're going to create this passwordless future.
Which I like, this idea. So how does this work? Basically you need to have a smartphone. [00:33:33] This is, I'm just going to go with the most standard way that this is going to work here in the future, and you can then have a passkey. This is like a multi-factor authentication or two-factor authentication. So for instance, right now, when I sign into a website online, I'm giving a username, giving a password, and then it comes up and it asks me for a code. [00:33:57] So I enter in a six-digit code, and that code changes every 30 seconds. And again, I use my password manager from 1Password in order to generate that code. So that's how I log into Microsoft sites and Google sites and all kinds of sites out there. So it's a similar thing here. Now, for the sites for my company, because we do cybersecurity for businesses, including regulated businesses, [00:34:24] we have biometrics tied in as well. So to log into our systems, I have to have a username. I have to have a password. I then am sent to a single sign-on page where I have to have a message sent to my smart device, that then has a special app that uses biometrics, either a Face ID or a fingerprint, to verify who I am. [00:34:49] Yeah, there's a lot there, but I have to protect my customers. Something that very few, it's crazy, actual managed security services providers do, but it's important, right? By the way, if you want my password special report, just go to CraigPeterson.com. Sign up for my email list. I'll send that to you. [00:35:13] That's what we're sending out right now for anyone who signs up at firstname.lastname@example.org. And if you'd like a copy of it and you're already on the list, just go ahead and email me at CraigPeterson.com and ask for the password special report, where I go through a lot of this sort of thing. So what will happen with this is you go to a website, and it might come up with a QR code. [00:35:37] So you then scan that QR code with your phone and verify it, authorize it on your phone.
You might again have it set up so that your phone requires facial recognition, or perhaps it'll require a fingerprint. And now you are in, which is very cool. They fixed some security problems in FIDO over the last few years, which is great. Over the coming year, [00:36:02] you're going to see this available on Apple devices, Google, Microsoft platforms, and it really is simple, stronger authentication. That's sort of what FIDO calls it. But it is going to make your life a lot easier. It is a standard, and the passwordless future makes a whole lot of sense for all of us. Now, I want to talk about another thing here that has just bothered me for a long time. [00:36:30] I have a sister who is in the medical field and gives prescriptions, a doctor thing. And I think she's not quite a doctor. I can't remember what she has. She's an LPN or something. And anyhow, so she'll get on a Zoom call with someone, and they'll go through medical history and what's happening right now, and she'll make prescriptions. [00:36:57] And so I warned her about that, saying it is very bad to be using Zoom, because Zoom is not secure. Never has been, probably never will be, right? If you want secure, you've got to go and pay for it from one of these providers like WebEx. That's what we use. We have a version of WebEx that is set up to be secure. [00:37:20] So I talked to her about that and said, Hey, listen, you can't do this. You've really got to go another way here. And so she started using one of these mental, or medical, health apps. What I want to talk about right now specifically are some checks that were just performed, some audits on mental health apps. [00:37:45] That's why I messed up a second ago, but what they looked at is that things are a serious problem there. And in fact, Threatpost is just calling it, frankly, just plain old creepy. So they've got some good intentions. They want to help with mental health. You've probably seen these, or at least heard them advertised.
[00:38:06] So you can get on the horn with a mental health professional, a doctor or otherwise, in order to help you here with your psychological or spiritual wellness. And people are sharing their personal and sensitive data with third parties. There were 32 mental health and prayer mobile apps that were investigated by the open source organization. [00:38:32] 28, 28 of the 32 were found to be inherently insecure and were given a "privacy not included" label, including others here. So this is a report that was released here by the open source organization tied into Mozilla. Those are the Firefox people. They have what they call their minimum security standards. [00:38:56] So things like requiring strong passwords, managing security updates and vulnerabilities, et cetera. 25 of the 32 failed to meet even those minimum security standards. So these apps are dealing with some of the most sensitive mental health and wellness issues people can possibly have, right? Depression, anxieties, suicidal thoughts, domestic violence, eating disorders. [00:39:23] And they are being just terrible with your security. Mozilla researchers spent 255 hours, or about eight hours per product, peering under the hood of the security, watching the data that was going back and forth, right, between all of these mental health and prayer apps. It was just crazy. So for example, eight of the apps reviewed allowed weak passwords that ranged [00:39:52] from one digit, "1", as the password to "1111", while a mental health app called Moodfit only required one letter or digit as a password. Now that is very concerning for an app that collects mood and symptom data. So be very careful. Two of the apps, BetterHelp, a popular app that connects users with therapists, and Better Stop Suicide, which is of course a suicide prevention app, have vague and messy, according to Mozilla, privacy policies that have little or no effect on actual [00:40:30] user data protection. So be very careful.
And if you're a mental health professional or medical professional, don't just go and use these open video calls, et cetera, et cetera. Find something good. And there are some standards out there. Again, visit me online, get my insider show notes every week. Get my little mini-trainings. [00:40:56] And they come up most weeks. Just go to CraigPeterson.com, and I'll send you my special report on passwords and more. [00:41:06] We know the Russians have been attacking us. I've talked a lot about it on the radio station, all kinds of stations, in fact, here over the last couple of weeks, and I am doing something special. We are going through the things you can do to keep safe. [00:41:23] Last week we started doing something I promised we would continue. [00:41:27] And that is, how can you protect yourself when it comes to the Russians, right? When it comes to the bad guys, because the Russians are definitely the bad guys. There's a few things you can do. And there's a few things, frankly, you shouldn't be doing. And that's exactly what we're going to talk about right now. [00:41:45] So last week we went over some steps, some things that you can look at, that you should look at, that are going to help protect you. And we are going to go into this a whole lot more today. And so I want you to stick around, and if you miss anything, you can go online. You can go to CraigPeterson.com. Make sure you sign up there for my email. [00:42:08] And what I'm going to do for you is send you a few different documents. Now, we can chat back and forth about it, but I can send you this. Now, I'm recording this on video as well as on audio. So you can follow along if you're watching either on YouTube or over on Rumble, and you can find it also on my website. [00:42:32] I've been trying to post it up there too, but right now let's talk about what we call passive backend protections. So you've got the front end, and the front end, of course, is
stuff coming at you, maybe to the firewall. I mentioned last week about customers of mine. I was just looking at a few customers this week, just so I could have an idea of their firewalls. [00:42:59] And they were getting about 10 attacks per minute. Yeah. And these were customers who have requirements from the Department of Defense, because they are defense subcontractors. So again, potential bad guys. So I looked up their IP addresses and where the attacks were coming from. Now, remember, that doesn't mean where they originated, because the bad guys can hop through multiple machines and then get onto your machine. [00:43:28] What it means is that ultimately they ended up coming from one machine, right? So there's an IP address of that machine that's attacking my clients or attacking my machines. That just happens all the time. A lot of scans, but some definite attacks where they're trying to log in using SSH. [00:43:48] And what I found is these were coming from Slovakia, Russia, and Iran. Kind of what you were expecting, right? The Iranians, they just haven't given up yet. They keep trying to attack, particularly our military and our industry. One of the things we found out this week, from, again, this was an FBI notice, is that the Russians have been going after our industrial base. [00:44:15] And that includes, in fact, it's more specifically, our automobile manufacturers. We've already got problems, right? Try buying a new car, try buying parts. I was with my friend just this week. I helped him because he had his car that needed to get picked up. So I took him over to pick up his car, and we chatted a little bit with this small independent automotive repair shop. [00:44:40] And they were telling us that they're getting sometimes six, eight week delays on getting parts, and some parts they just can't get. So they're going to everything from junkyards on out, and the worst parts are the official parts from the car manufacturers.
So what's been happening is Russia apparently has been hacking into these various automobile manufacturers and automobile parts manufacturers. [00:45:10] And once they're inside, they've been putting in a remote-control botnet. And those botnets now have the ability to wake up when they want them to wake up. And then once they've woken up, what do they do? Who knows? They've been busy erasing machines, causing nothing but havoc. They've been doing all kinds of stuff in the past. Today, they're sitting there, [00:45:31] which makes you think they're waiting. It's accumulate as much as you possibly can, and then once you've got it all accumulated, go ahead and attack. So they could control thousands of machines, but they're not just in the US. It's automobile manufacturers in Japan that we found out about. [00:45:50] So that's what they're doing right now. So you've got the kind of that front end and back end protections. So we're going to talk a little bit about the back end. What does that mean, when a cybersecurity guy talks about the backend and the protections? I've got it up on my green screen right now, but here's the things you can do. [00:46:10] Okay. Remember, small businesses are just getting nailed from these guys because, again, they're fairly easy targets. One, change your passwords, right? How many times do we have to say that? And yet about 70% of businesses out there are not using a good password methodology. If you want more information on passwords, two-factor authentication, you name it, [00:46:37] just email me: email@example.com. I want to get the information out now. You've got to make sure that all of the passwords on your systems are encrypted, are stored in some sort of a good password vault. You really should be looking at 256-bit encryption or better. I have a vendor that I use. So if you get my emails every week, with them, there's the little training. [00:47:06] And so I'll give you a five-minute training.
It's written, usually it's in bullet point form. I'm just trying to help you understand things. That provider of mine has a big database, and there's another provider that I use that is for training. So the training guys use the database of my provider. [00:47:27] In using that database, they're storing the passwords, and the training provider is putting passwords in the clear into the database, which is absolutely crazy. So again, if you're a business, if you're storing any sort of personal information, particularly passwords, make sure that you're using good encryption, and you're doing what's called salting the hash, which means [00:47:53] you're not really storing the password, just storing a salted hash. I can send you more on this if you are a business and you're developing software. This is long-tail stuff here. Configure all of the security password settings so that if someone's trying to log in and is failing, then you block it. Many of us, let's say you're a small business, [00:48:15] I see this all of the time. Okay. You're not to blame, but you have a firewall that came from the cable company. Maybe you bought it at a big box retailer. Maybe you bought it online over at Amazon. Is it really great for you? Has it got settings on there that let you say, there's 20 attempts to log in, [00:48:38] maybe we should stop them? Now, what we do personally for our customers is typically we'll block them at somewhere around three or four failed attempts, and then their passwords block. Now, you can configure that sort of thing if you're using email. And that's an important thing to do. Let me tell you, because we've had some huge breaches due to email, like Microsoft email and passwords and people logging in and stealing stuff. [00:49:06] It was just a total nightmare for the entire industry last year, but limit the number of login retries as well while you're in there.
These excessive login attempts, or whatever you want to define it as, need to lock the account. And what that means is even if they have the right password, they can't get in, and you have to use an administrative password in order to get in. [00:49:31] You also want to, what's called, throttle the rate of repeated logins. Now, you might've gotten caught on this, right? You went to your bank, you went to eBay, you went to any of these places, and all of a sudden it denied you, right? It blocked you. That can happen when your account is on these hackers' lists. [00:49:51] You remember last week we talked about password spraying? Well, that's a very big deal, and hackers are doing the spraying trick all of the time, and that is causing you to get locked out of your own account. So if you do get locked out, remember, it might be because someone's trying to break in. Obviously you have to enforce the policies. [00:50:16] The CAPTCHA is a very good thing. Again, this is more for software developers. We always recommend that you use multi-factor or two-factor authentication. Okay. Do not use your SMS, your text messages, for that, where they'll send you a text message to verify who you are. If you can avoid that, you're much better off, [00:50:36] because there's some easy ways to get around that for hackers that are determined. Okay. A multi-factor, again. Install an intrusion detection system. We put it right at the network edge and between workstations and servers, even inside the network. We put detection systems that look for intrusion attempts and block intrusion attempts. [00:51:02] Very important: use deny lists to block known attackers. We build them automatically. We use some of the higher-end Cisco gear. Cisco is a big network provider. They have some of the best hardware and software out there, and you have to subscribe. A lot of people complain, I'm going to just go buy a firewall for 200 bucks on Amazon.
[00:51:24] Why would I pay that much a month just to have a Cisco firewall? And it's like paying for the brand. I've got my logo shirt on here. Oh, I wouldn't pay for that. No, it's because they are automatically providing block lists that are updated by the minute sometimes. And then make sure you've got an incident response plan in place. [00:51:50] What are you going to do when they come for you? What are you going to do? [00:51:55] Now we're going to talk about prevention. What can you do in order to stop some of these attacks that are coming from Russia and from other countries? It is huge, people. Believe me, this is a very big problem, and I'm here to help. [00:52:12] We've reviewed a number of things that are important when it comes to your cybersecurity and your protection. [00:52:20] We talked about the front end. We talked about the backend. Now we're going to talk about pure prevention, and if you're watching online, you'll be able to see my slides as they come up, as we talk about some of this stuff, and you'll find me on YouTube, and you'll also find me on Rumble, a fairly new platform out there, a platform that doesn't censor you for the things you say. [00:52:44] Okay. So here we go. First of all, enabling your Active Directory password protection is going to force password protection all the way through your business. Now, I've had some discussions with people over the months, over the years, about this whole thing and what should be done, what can be done, what cannot be done. [00:53:09] Hey, it's a very big deal when it comes to password protection, and Active Directory, believe it or not, even though it's a Microsoft product, is pretty darn good at a few things. One of them is controlling all the machines and the devices. One of the things we do is we use an MDM, or what used to be called a mobile device manager, called MaaS360. [00:53:34] It's available from IBM.
We have a special version of that that allows us, as a managed security services provider, to be able to control everything on people's machines. Active Directory is something you should seriously consider. If you are a Mac-based shop like I am, in fact, I'm sitting right now in front of two Macs that I'm using right now, you'll find that Active Directory is a little bit iffy [00:54:04] sometimes for Macs. There are some workarounds, and it's gotten better. MaaS360 is absolutely the way to go, but make sure you've got really good passwords, and the types of passwords that are most prone to spraying attacks are the ones you should be banning specifically. Remember the website Have I Been Pwned? [00:54:28] Yeah. It's something that you should go to pretty frequently. And again, if you miss anything today, just email me: firstname.lastname@example.org. Believe me, I am not going to harass you at all. Okay. Now, the next thing that you should be doing is what's called red team, blue team. Now, the red team is a group of people, usually outside of your organization. [00:54:54] If you're a big company, they're probably inside, but the red team is the team that attacks you. They're white hat hackers who are attacking you, looking for vulnerabilities, looking for things that you should or shouldn't be doing. And then the blue team is the side that's trying to defend. So think of it like WarGames. [00:55:12] Remember that movie with Matthew Broderick all of those decades ago, and how he was trying to defend that computer, was trying to defend, then it moved into an attack mode, right? Red team's attack, blue team's defend. So you want to conduct simulated attacks. Now, conducting these attacks includes saying, oh my, let's now put in place and execute our plan here for what are we going to do once we have a breach. [00:55:44] And you darn well better have a breach plan in place.
So that's one of the things that we help with as a fractional chief information security officer for companies, right? You've got to get that in place, and you have to conduct these simulated attacks, and you have to do penetration testing, including password spraying attacks. [00:56:04] There's so many things you can do. One of the things that we like to do, and that you might want to do, whether you're a home user, retiree or a business, is go and look online. You can just use Google. I use far more advanced tools, but you can use Google and look for your email address right there. [00:56:23] Look for the names of people inside your organization. And then say, wait a minute, does that data actually need to be there? Or am I really exposing the company, exposing people's information that shouldn't be out there? Because, you remember, the hackers, one of the things they do is they phish you, phish as in P-H. [00:56:47] So they'll send you an email that looks like, hey, let me see. I know that Mary is the CFO, and I know that Joe's going to be out of town for two weeks in the Bahamas, not in touch. So while he's gone, I'm going to send an email to Mary to get her to do something, to transfer the company's funds to me. [00:57:06] Okay. So that's what that's all about. You've got to make sure, where is our information? And if you go to my company's page, mainstream.net, you'll see on there that I don't list any of the officers or any of the people that are in the company, because that again is a security problem. [00:57:24] We're letting them know. I go to some of these sites, like professional sites, lawyers, doctors, accountants, and I find right there all of their people right there, top people, or sometimes all of them. And then they'll say, yeah, I went to McGill University, went to Harvard, whatever. My bio, it's all there. So now they've got great information to phish you, to phish that company, because all they have to do is send an email to say, hey, you remember me?
[00:57:56] We were in Harvard in this class together, and did you have as a professor? See how that works? Okay. You also want to make sure that you implement what's called a passwordless user agent, and this is just so wholly effective. If they cannot get into your account, what's going to, what could possibly go wrong? But one of the ways to not allow them into the account is to use [00:58:24] biometrics. We use something called Duo, and we have that tied into the single sign-on, and the Duo single sign-on works great, because what it does now is I go to a site, I put in my username, and it pulls up a special splash page that is running on one of our servers. That again asks me for my Duo username. [00:58:48] So I've got my username for the site, then my Duo username and my Duo password, single sign-on. And then it sends me, to an app on my smart device, a request saying, hey, are you trying to log into Microsoft, or whatever it might be, and you can say yes or no, and it uses biometrics. [00:59:11] So those biometrics now are great because it says, oh, okay, I need a Face ID or I need a thumbprint, whatever it might be, and that allows a generalized passwordless access. Okay. Passwordless, meaning no password. So those are some of the top things you can do when it comes to prevention. And if you use those, they're never going to be able to get at your data, because it's something you have along with something you know. It works great. [00:59:45] And we like to do this. Some customers don't like to go through those hoops of the single sign-on and using Duo and making that all work right. We're fine with it. We've got to keep ourselves at least as secure as the DoD regulations require, unlike almost anybody else in industry. I'm not going to brag about it. [01:00:09] But some of our clients don't like to meet the tightest of controls. And so sometimes they don't. I hate to say that, but they just don't, and it's a fine line between
getting your work done and being secure, but I think there's some compromises that can be readily made. We're going to talk next about saving your data from ransomware and the newest ransomware. [01:00:36] We're going to talk about the third generation that's out there right now. Ransomware, it's getting crazy. Let me tell ya, and what it's doing to us and what you can do. What is a good backup? That has changed over the last 12 months. It's changed a lot. I used to preach 3-2-1. There's a new sheriff in town. [01:00:58] Stick around. CraigPeterson.com. [01:01:02] 3-2-1, that used to be the standard, the gold standard for backing up. It is no longer the case with now the third generation of ransomware. You should be doing something even better. And we'll talk about it now. [01:01:19] We're doing this as a simulcast here. It's on YouTube. It is also on Rumble. [01:01:27] It's on my email@example.com, because we're going through the things that you can do, particularly if you're a business, to stop the Russian invasion, because, as we've been warned again and again, the Russians are after us and our data. So if you missed part of what we're talking about today, or [01:01:50] last week's show, make sure you send me an email: firstname.lastname@example.org. This is the information you need if you are responsible in any way for computers. That means in your home, right? Certainly in businesses, because what I'm trying to do is help and save those small businesses that just can't afford to have full-time, [01:02:15] true cybersecurity personnel on site. So that's what the whole fractional chief information security officer thing is about. Because you just, you can't possibly afford it. And believe me, that guy that comes in to fix your computers is no cybersecurity expert. These people that are attacking are full-time cybersecurity experts, and they're coming from every country in the world, including coming from the US. [01:02:44] We just had more arrests last week.
So let's talk about ransomware correctly. Ransomware, very big problem. Been around a long time. The first version of ransomware was software that got onto your computer through some mechanism, and then you had that red screen. We've all seen that red screen, and it says, hey, pay up, buddy. [01:03:07] It says here you need to send so many Bitcoin, or a fraction of a Bitcoin, or so many dollars' worth of Bitcoin, to this Bitcoin wallet. And if you need any help, you can send email here or do a live chat. They're very sophisticated. We should talk about it some more at some point. That was one generation, generation one. [01:03:29] Generation two was, not everybody was paying the ransoms. So what did they do at that point? They said, let me see if we can ransom the data by encrypting it and having them pay us to get it back. 50% of the time you got all your data back. Okay. Not very often. Not often enough, that's for sure. [01:03:49] Or what we could do is, let's steal some of their intellectual property. Let's steal some of their data, their social security numbers, their bank account numbers, et cetera. They're in an Excel spreadsheet at their company. And then, if they don't pay that first ransom, we'll tell them if they don't pay up, we'll release their information. [01:04:10] Sometimes you'll pay that first ransom, and then they will hold you ransom a second time, pretending to be a different group of cyber terrorists. Okay. Number three, round three, is what we're seeing right now. And this is what's coming from Russia, near as everything we can tell. And that is, they are erasing our machines. [01:04:31] Totally erasing them, and pretty sophisticated ways of erasing it as well, so that it sinks in, really; it's impossible to recover. It's sophisticated in that it doesn't delete some key registry entries until right at the very end, and then reboots the computer. And of course, there's no computer left to reboot, right?
[01:04:55] It's lost everything off of that hard drive or SSD, whatever your boot device is. So let's talk about the best ways here to do some of this backup and saving your data from ransomware. Now, you need to use offsite, disconnected backups, no question about it. So let's talk about what's been happening. [01:05:17] Hospitals, businesses, police departments, schools, they've all been hit, right? And these ransomware attacks are usually started by a person, by a link in an email. Now, this is a poison link. Most of the time, it used to be a little bit more where it was a Word document, an Excel document that had something nasty inside. Microsoft, as I've said many times, has truly pulled up their socks. [01:05:45] Okay. So it doesn't happen as much as it used to. Plus, with malware defender turned on in your Windows operating system, you're going to be a little bit safer. Next step: a program tries to run. Okay. And it effectively denies access to all of that data, because it's encrypted it. And then usually what it does, so that your computer still works, [01:06:09] is it encrypts all of your, like, your Word docs, your Excel docs, your databases, right? All the stuff that matters. And once they've got all of that encrypted, you can't really access it. Yeah, the file's there, but it looks like trash now. There's a new disturbing trend that has really developed over the last few months. [01:06:31] So in addition to encrypting your PC, it can now encrypt an entire network and all mounted drives, even drives that are mirroring cloud services. Remember this, everybody. This is really a big deal, because what will happen here is, if you have, let's say you've got an old drive, a G drive or some drive mounted off of your network, [01:06:57] you have access to it from your computer, right? Yeah. You click on that drive, and now you're in there. And on the Windows side, Unix and Macs are a little different, but the same general idea, you have access to it, you have write access to it.
So what they'll do is any mounted drive, like those network drives, is going to get encrypted, but the same thing is true [01:07:20] if you are attaching a USB drive to your computer. So that USB drive, now, that has your backup on it, gets encrypted. So if your network is being used to back up, and if you have a thumb drive, a USB drive, it's not really a thumb drive, right? There's an external drive, connected by USB, hooked up, [01:07:45] and that's where your backup lives, and you have lost it. And there have been some pieces of software that have done that for a while. Yeah. When they can encrypt your network drive, it is really going after a whole bunch of people, because everyone that's using that network drive is now affected, and it is absolutely [01:08:10] devastating. So the best way to do this is, obviously, you do a bit of a local backup. We will usually put a server at the client's site that is used as a backup destination. Okay. So that server's the destination. All of the stuff gets backed up there. It's encrypted. It's not on the network per se. It's using a special encrypted protocol between each machine and the backup server. And then that backup server's data gets pushed off site. Some of our clients, we even go so far as to push it to a tape drive, which is really important too, because now you have something physical that is, by the way, encrypted, that cannot be accessed by the attacker. [01:09:03] It's offsite. So we have our own data center. We run it, we manage it. No one else has access to it. It is ours. And we push all of those backups offsite to our data center, which gives us another advantage. If a machine crashes badly, right, the hard disk fails, heaven forbid they get ransomware, we've never had that happen to one of our clients, [01:09:29] just we've had it happen prior to them becoming clients, is that we can now restore
that machine either virtually in the cloud, or we can restore it right onto a piece of hardware and have them up and running in four hours. It can really be that fast, but it's obviously more expensive than some [01:09:51] are looking to pay. All right, stick around. We've got more to talk about when we come back. And what are the Russians doing? How can you protect your small business? If you're a one-man, one-woman operation, believe it, you've got to do this as well. Or you could lose everything. In fact, I think our small guys have even more to lose. CraigPeterson.com. [01:10:16] Backups are important. And we're going to talk about the different types of backups right now, what you should be doing, whether you're a one-person little business or you are a multinational. Obviously, scale matters. [01:10:32] Protecting your data is one of the most important things you can possibly do. [01:10:36] I have clients who had their entire operating account emptied out, completely emptied. It's just amazing. I've had people pay a lot of money to hackers to try and get data back. And I go back to this one lady over in Eastern Europe who built a company out of $45 million by herself. And of course, you probably heard about the Shark Tank people, right? [01:11:07] Barbara Corcoran, how she almost lost $400,000 to a hacker. In fact, the money was on its way when she noticed what was going on and was able to stop it. So thank goodness she was able to stop it. But she was aware of these problems, was looking for the potential, and was able to catch it. How many of us are paying that much attention? [01:11:34] And now one of the things you can do that will usually kind of protect you from some of the worst outcomes when it comes to ransomware is to back up. And I know everybody says, yeah, I'm backing up. It's really rare, when we go in, that we find a company has been backing up properly. It even happens to us sometimes.
[01:11:59] We put a backup regimen in place, and things seem to be going well, but then when you need the backup, oh my gosh. We just had this happen a couple of weeks ago. Actually, this last week, this is what happened. We have something called an FMC, which is a controller from Cisco that actually controls firewalls in our customers' locations. [01:12:26] This is a big machine. It monitors stuff. It's tied into this ISE server, which is looking for nastiness and for bad guys trying to break in, right? It's intrusion detection and prevention, and it's tied into this massive network of a billion data points a day that Cisco manages. Okay. It's absolutely huge. [01:12:48] And we're running it in a virtual machine network. So we have two big blade chassis full of blades, and each blade is a computer. So it has multiple CPUs and has a whole bunch of memory. It also has in there storage, and we're using something that VMware calls vSAN. So it's a little virtual storage area network [01:13:15] that's located inside this chassis, and there are multiple copies of everything. So if a storage unit fails, you're still okay. Everything stays up; it keeps running. And we have it set up so that there's redundancy upon redundancy. One of the redundancies was to back it up to a file server that we have that's running ZFS, which is phenomenal. [01:13:40] Let me tell you, it is the best file system out there. I've never ever had a problem with it. It's just crazy. I can send you more information if you're ever interested. Just email email@example.com anytime. I'd be glad to send you the open source information, whatever you need. But what had happened is [01:13:57] somehow the boot disk of that FMC, that firewall controller, had been corrupted. So we thought, oh, okay, no problem. Let's look at our backups. Yeah, hadn't backed up since October 2019. Yeah, and we didn't know. It had been silently failing.
Obviously we're putting stuff in place to stop that from ever happening again. [01:14:27] So we are monitoring the backups. The network of disks that was making up that storage area network that had the redundancy failed, because the machine itself somehow corrupted its file system, an ext4 file system, which then isn't supposed to be corruptible, but the journal was messed up, and it was, man, what a headache. [01:14:51] And so they thought, okay, you're going to have to reinstall. And we were sitting there saying, oh, you're kidding me. Reinstalling this FMC controller means we've got to configure our clients' firewalls that are being controlled from this FMC, all of their networks, all of their devices. We had to put it out. [01:15:07] This is going to take a couple of weeks. So because I've been doing this for so long, I was able to boot up an optics disk and mount the file system and go in manually underneath the whole FMC, this whole firewall controller, and make repairs to it. Got it repaired, and then got it back online. So thank goodness for that. [01:15:33] It happens to the best of us, but I have to say I have never had a new client where they had good backups. Ever. Okay. And now that should tell you something. So if you are a business, a small business, whatever it might be, check your backups, double-check them. Now, when we're running backups, we do a couple of things. [01:15:57] We go ahead and make sure the backup is good. So remember I mentioned that we h
Did You Hear How the FBI, NSA, and CIA Got Tracked Because of Their Smartphones? How About You? You're worried about surveillance. Hey, I'm worried about surveillance. And it turns out that there's a secretive company out there that, to prove their mettle, tracked the CIA and NSA. Yeah. Fun thing. [Following is an automated transcript.] [00:00:16] This is a company that is scary. We've talked before about a couple of these scary guys. [00:00:22] There's this Israeli company called NSO Group. And this NSO Group is absolutely incredible: what they've been doing, who they'll sell to. These guys are a company that sells cell phone, smartphone exploits to its customers. And they are alleged to have sold their software to a variety of human rights abusers. [00:00:53] We're talking about NSO Group coming up with what we would term a zero day hack against iPhones, against Android phones, against pretty much anything out there. So in other words, a hack that no one has ever seen before, and then using that in order to get into the phone and find information. They used things like, I think it was WhatsApp, and video that was sent, and usually [00:01:22] to hack Saudi Arabian phones. You might remember Khashoggi, this journalist, I guess he was, who apparently was murdered by them. Big problem. So this Israeli group. Yeah. Yeah. They sell to anybody that's willing to pay. At least that's what the allegations are. I've never tried to buy their stuff, but yeah, they're assisting governments with hacks, with the [00:01:48] ultimate in surveillance. Another one: Clearview. We've talked about them on the show before. This is a company that has done all kinds of illegal stuff. Now some of it's technically not illegal. They're against the terms of usage, what Clearview has done. And now they've gotten involved in this Russian Ukrainian [00:02:12] war that's been going on here, and they've gotten involved with a number of legal cases in the US. What they did is they said, okay, great.
Let's do something. You remember Facebook, right, guys? So you've heard of that before. And how Facebook got started. Mark Zuckerberg went ahead and stole the pictures of the women that were in Harvard's catalog. [00:02:41] And when I say catalog, okay, this isn't like a catalog of women, order one, mail order type thing. We're talking about their index, their contacts; there is a catalog of all of the students that are there in the school. So Zuckerberg goes and grabs those against policy. [00:03:00] Okay. Maybe it wasn't strictly against policy at the time. And then he puts up something called the Facebook where people can look at a picture of a girl and decide whether or not she should get a five or a 10 or a one. Yeah. That sort of stuff, abusing people. That really is abuse. I can't imagine [00:03:19] the way people felt, having seen their ratings by people that didn't know them, that somehow their definition of beauty really defined who they are. It's crazy, the stuff he did. So he started his business by stealing stuff. Microsoft started its business by going ahead and misrepresenting, some would say lying, to IBM about what he had as far as an operating system goes, right? Again and again, we're seeing dishonest people getting involved, doing dishonest things to get their companies off of the ground. [00:03:54] And I have a friend who's an attorney who says, Craig, that's why you will never be wealthy, because you just wouldn't do any of that. So Clearview is another example of these types of companies. In this case, Clearview went to Facebook and crawled any page it could get its little grubby crawlers on. [00:04:18] So it found your public-facing Facebook page. It went over the internet. There's a number of websites, some are out of business now, that you upload your pictures to. People can rate them, can share them. You can share them.
Hey, you got your own photo gallery here that you can share with friends and a million other people. [00:04:39] Am I right? That's what ended up happening. That's how those guys made the money. They're selling you on, hey, look at how convenient this is. And you can have your own little photo gallery, and you can take that full photo gallery and share it with your friends. And then if you read the fine print, it says we'll make money off of showing your pictures and showing ads. Well, ah, Clearview went and scanned every website [00:05:08] it could get its grubby little scanners on, crawled through them all, downloaded pictures of any face that it could find, and then went ahead and digitized information about people's faces. So it spent years scraping and then it put together its technology, facial recognition technology, and went to the next level, which is, hey, police department, get my app so you can get Clearview. [00:05:41] And when you encounter someone, you can take a picture of them and upload it, which now gives them another face, doesn't it? And then once it's uploaded, it'll compare it. It'll say, okay, found the guy here. So with the Russia Ukrainian war, what they were doing is taking pictures of dead and injured Russian soldiers, running them through this database online of all of these faces, found out who they were, and went so far as to use [00:06:14] stolen data online. Now this is war, right? The whole thing is crazy, but the stolen database online, find out who their mothers were, the phone numbers for the mothers, and have people all over the world sending text messages to mom about their dead. Yeah. Okay. So Clearview sells it to police departments. [00:06:38] They sell it to pretty much the highest bidder. They say, hey, listen, we don't do that. Come on, right now. There's other data brokers, and I've had a few on my show in the past, who are using harvested information from phone apps to provide location data
to law enforcement so that they can then circumvent [00:07:03] what, you have a right to privacy, don't you? It's codified right in the Bill of Rights, the first 10 amendments to the US Constitution, and it was all defined by the Supreme Court's Carpenter decision. So we have protections in the Constitution, natural rights, that were confirmed by the Supreme Court, that say, hey, federal government, you cannot track all of the citizens. [00:07:31] You can't track what they're doing. You can't harvest their information. And yet at the same time, they go to the data brokers that have put together all of these face pictures, figured out who your friends are. You sign up for Facebook and it says, hey, you want me to find your friends? [00:07:49] See if they're already on Facebook. Just hit yes here and upload your contact list. So off it goes. Facebook says, oh, look at all your friends we found, isn't this exciting? And in the meantime, in the background, Facebook is looking at all of this data and saying, we now know who your friends are. And so many people have wondered, wait a minute, [00:08:10] I didn't talk about, I didn't do a search for product X online, and yet I'm getting ads for product X. Well, did you mention it to a friend who might've done a search for it? Because these search engines, these companies like Facebook, know who your friends are, what they're interested in, and they'll sell ads to people who are going to promote to you the same items they're promoting to your friends. [00:08:35] It's absolutely crazy. So this company, it's called A6, and they're very quiet, very low key. The website doesn't say anything at all, but they took their software that's pulling all of this data together and compiling it. Yeah. And A6 pointed all of this technology towards the National Security Agency and the CIA and used their own cell phones against them. [00:09:08] Now, why did they do this?
They didn't do it to prove something about how you shouldn't allow this sort of thing to happen, and they didn't do it to prove that, man, we've got to have tighter controls because look at what we can do; if we can do it, other people can do it. No. According to audiovisual presentations and recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, [00:09:36] A6 claimed that it can track roughly 3 billion devices in real time. That's equivalent to a fifth of the world population. You're not going to find anything out about A6, it's called Anomaly Six. Good luck online. If you find it, let me know, firstname.lastname@example.org. I'd love to know more about these guys. The only thing on a website for them is an email address. And A6, Anomaly Six, in that presentation showed the nation's spooks [00:10:13] exactly what it knew about them. All right. Apparently it is also ignoring questions from journalists and will only respond to emails from people in upper levels of federal agencies, which means, and maybe this is a supposition from our friends over at Techdirt, I don't know, but what that means is they're looking to sell your information in real time [00:10:43] to the feds to get around the Carpenter decision and the Constitution. Just absolutely amazing. Hey, go online right now, CraigPeterson.com. I'll send you my special report on passwords and my two other most popular. CraigPeterson.com. Stick around. [00:11:06] Have you ever wondered about search engines? Which one should you be using? You're not alone. It's probably the number one question I get from people. What should I use? Google is falling behind, but we're going to talk about the top engines and the why. [00:11:23] Google has been an amazing company moving up. Of course, we're just talking about the cheats [00:11:31] so many companies have taken over the years, and Google has certainly had its share of cheats.
I haven't seen anything about them just doing completely underhanded things to get started. I think they were pretty straightforward. They had a great idea back in the beginning, where they were just looking at links: how many sites linked into this one particular site? [00:11:57] And that gave this concept of a page rank. Very simple, very easy to do. Of course, there are problems with it, because you would end up with pages that are older having more links to them, et cetera. And they have over the years really improved themselves, but we also have some other problems right now with Google. [00:12:22] If you do searches on Google for a number of different things, you'll see that really Google search quality has deteriorated in recent years. We've talked before here about some of the problems with Google and elections and how they have obviously gone out of their way to influence the election. [00:12:43] There is a study done in Orange County, California, or at least about Orange County, California, and an election down there showed that Google had a major influence on that election and also tilted it a certain way on purpose. Absolutely amazing. So that's one way Google has fallen behind, but you can [00:13:06] do all kinds of searches and hope you're going to get a great response, and you don't. Have you noticed that it's gotten worse? And then on top of it, you're starting to see more ads squeezed in. It is not great. I have used Google, of course, for programming in years past. Before that I liked AltaVista, which was a Digital Equipment Corporation product out there. [00:13:32] AltaVista was pretty darn good, and you could use Boolean logic with it. Google says you can use Boolean with us, but it's not the same, as Google's is very simple. But at any rate, they have not made any leaps here going forward. It's been absolutely amazing. So let's go through the search engines.
[00:13:53] I'm going to give you right now the pros and cons to some of these search engines out there. So we start with Google. It is the 800 pound gorilla. And in case you didn't know, the number two overall search engine is YouTube. Okay. But let's stick with straight searches, not video searches. So what is great about Google? [00:14:19] One of the big things is they like fresh content. So if you're looking to do search engine optimization for your business, you are best off having some keystone pages, so having these pages that are kept up to date. So you might have a page on, whatever it might be, hacking VPNs, right? And you make sure you update it, because Google does favor the fresh content. [00:14:45] They rank blogs and services, which is really nice, and they're accessible on any device. They have apps that work well on a browser. And right now I'm email@example.com on the best search engine, so you'll see some of this information there. What they don't like about it is the same thing you don't, [00:15:09] right? Which is, it collects all kinds of data on you. They also have hidden content that might damage your ranking as a business or someone who has a website, and the search delivers too many results, millions of results. Yeah, there probably are millions of results for a single search, but what I want are the really relevant ones, and Google learns over time [00:15:38] what kind of results you want, which is kudos to them, but they are tone deaf sometimes, frankly, as well. Okay. Number two on our list of topics is DuckDuckGo. Now I've been talking about them for quite a while and some people have been disparaging DuckDuckGo lately. And the reason is they say, what, [00:16:03] those search results maybe are a little wrong, right? They are maybe doing a little censoring, not as much as Google does, but some. At first, duckduckgo.com is where you'll find them online, named after that kids' game. It is a privacy search engine.
So it is not tracking or storing any information about you. [00:16:29] That's a very big one. Their searches are very fast, but they're backed, the actual backend search engine is Bing, which is Microsoft. We're going to get to that in a couple of minutes here. That means that if Microsoft is deciding to do some weighting on search results based on their political views, then that's going to show up in DuckDuckGo, but it's nowhere near as bad. [00:16:54] And I've talked about it on the show before; we'd done some examples. So it is also now giving you the option to restrict your searches to the last month's worth of results, which is really nice. That keeps it a little more up to date. They also aren't great at image searches, no personalized results, and it is free, which is nice. [00:17:17] You might also want to look at Qwant, Q-W-A-N-T, if you're looking at a private or privacy browser. Qwant is a French company, but it does have English as well. Okay. English results. They like the older and well-established web pages; they rank home pages. They do not rank blogs. They crawl all kinds of hidden content and non-hidden equally, unlike Google, which is really great. They're not great at forums [00:17:50] or, as I mentioned, blogs. They're not as fast as Google, and they have some seriously heavy search results screens. Dogpile, they've been around for quite a while. You might want to check them out. They have something called fetches and favorite fetches. So you can have a home screen when you go to Dogpile and you'll see right there [00:18:14] your favorite searches, and they're right there for you. You can just keep going to them. They use multiple databases so they can get broad results, multiple backend search engines, and there's no home screen personalization available, and lots of sponsored results, which isn't a real big deal, but you'll find them at firstname.lastname@example.org. Google Scholar search. [00:18:38] I've used this a number of times.
If you're looking for scholarly articles, it is really good. You can get citations in various styles. If you are working on your master's, PhD, whatever, and they're imposing a style on the document that you're writing, you can put it into the bibliography, and they've got a lot of great stuff. [00:19:02] Google Scholar you'll find online at scholar.google.com. Webopedia search: it focuses on technical terms and applications, which is good, friendly to non-tech users. And it is only searching the web, well, Webopedia's 10,000 word and phrase database. So that's pretty easy to understand. On to Yahoo search. They have a home screen, has news, trending topics. [00:19:33] I've used Yahoo. Of course it's not what it used to be, but it does have everything right there, even your horoscope. And the ads are not marked out clearly. And then there's the Internet Archive search. This is actually a site that I fund. I donate money to them every month, and you'll find it at email@example.com, but it is really cool. [00:19:58] You can search based on timeframes. Again, if you are doing papers, if you're a journalist, you can find what was the internet like, or what was this webpage like, around Hurricane Katrina in 2005, right there. You will find it at firstname.lastname@example.org. Hey, stick around. We'll be right back. [00:20:23] You already know that hackers are coming after you. We've talked about how they are out there scraping web pages, putting together stuff. I want to bring up again the Ukraine Russian war and Russia leaking data like a sieve. [00:20:39] It is, of course, in the news again. It seems like it has been in the news for how long now, six years, maybe longer. In this case, we're going to talk about what the hackers are doing, because they're not just doing it to Russia. [00:20:56] They're doing it to us. And it's a problem.
We're going to explain why. You've heard of doxing before, D-O-X-I-N-G. To dox someone, which is basically to find documentation about people and to release it. That's really a part of it. So you've seen some political operatives who have gone online and doxed people. [00:21:22] For instance, one of them is Libs of TikTok. You might've heard of that one, and this is where they take all of these crazy things that crazy people on TikTok go ahead and publish and just put excerpts of them together. They don't cut it up to make them look crazy. No. They let them be crazy [00:21:42] all by themselves and put it online. So some libs decided, hey, we don't like this. And a journalist who had been complaining about doxing before, that it shouldn't be done and it's unethical, it should be illegal. Yeah. What does she do? She goes and doxes the lady that was running Libs of TikTok. [00:22:07] And it just blows my mind here. How can these people be so two-faced? They really are just crazy two-faced. So she went ahead and did what she said should never be done, and I'm sure she had some form of justification for it, and put it out online. So out online comes this lady's home address, her name, [00:22:31] all kinds of stuff, and that's available online right now. Now you might want to try and do something that I've done before, which is, if you go to one of these data brokers, you see ads for these things, right? Do a search for yourself with them, and have a look at how accurate that information is. When I looked, last time I looked, because I had a few data brokers on the radio show, [00:22:58] I would say less than a third of the information that they claimed was information about me was actually accurate. Less than a third, frankly. And I don't think that's a particularly, what's the word I'm looking for, unique situation. Let me put it that way. I don't think it's unique at all.
I think they get a lot of it wrong because, remember, they're trying to piece together this, piece together that, and put it all together. [00:23:27] So you can't a hundred percent rely on any of that stuff. And as I said, for me, it wasn't particularly accurate. Now let's move on. Ukraine has claimed to have doxed Russian troops as well as FSB spies. Do you remember them from the Soviet Union? They still exist, and hacktivists actually have official scheduled meetings and are leaking private information from various Russian organizations in Russia. [00:23:59] So we're talking about things like their names, birth dates, passport numbers, job titles, and the personal information that they have released about these Russian companies and people goes on for pages here. It looks like, frankly, any data breach. You'll find a great article about this that I'm referring to on wired.com, but this particular data [00:24:25] contains personal information on 1,600 Russian troops who served in Bucha, a Ukrainian city that's been attacked by Russia. And by the way, you've probably seen these things. There were all kinds of accusations here of multiple potential war crimes. What was going on over there? So this data set's not the only one. [00:24:50] There's another one that allegedly contains the names and contact details of 620 Russian spies who are registered to work at the Moscow office of the FSB. That is Russia's main security agency. Now this information wasn't released by hackers in North Korea or hackers in the US or Russia, because we already know Russian hackers [00:25:22] don't attack Russia. They're not stupid. Okay. They don't want Putin coming after them, but this was published by Ukraine's intelligence service. So all of these names, all of these personal details, birth dates, passport numbers, job titles, where they're from, all kinds of stuff
are freely available online to anyone who cares to look. Now, Ukrainian officials wrote in a Facebook post as they published the data that every European should know their names. [00:25:56] So you've got to bet there are a lot of people freaking out over there, absolutely freaking out, in Russia that is. Since the Russians invaded Ukraine, there have been huge amounts of information about Russia itself, the Russian government activities, and companies in Russia, all the oligarchs that are over there, and it's all been made public. [00:26:21] So it's very interesting, because these have been closed off, private institutions. In the US, yeah, we do some hacking of potential adversaries, but they don't release it. All right? Not at all. But there's really two types of data here. First of all, you've got the information that the Russian authorities are publishing, [00:26:42] their allies are publishing, and then you've got the hacktivists, these companies, these groups, I should say, Anonymous. Hundreds of gigabytes of files and millions of emails have been made public, including some of the largest companies within Russia, the big guys, oil and gas companies or lumber companies, et cetera, et cetera. [00:27:08] So there's a former British colonel in military intelligence. Wired is quoting here; his name's Philip Ingram. And he said both sides in this conflict are very good at information operations. The Russians are quite blatant about the lies that they'll tell, we're used to that, aren't we, and much of the Russian disinformation has been debunked, but they say [00:27:36] they have to make sure that what they're putting out is credible and they're not caught telling outright lies in a way that would embarrass them or embarrass their international partners. So it's really quite interesting. We've started seeing the stuff coming out in March 2022, of course. And it's hard to tell how accurate the data is. [00:28:00] It looks probably pretty accurate.
It has been scooped up, as I mentioned on the show before, by some activists, one of whom has put together an app that anyone can download, and that allows you to send texts to the mothers of Russian soldiers, some alive, some dead, and it's automatically translated into Russian. [00:28:24] I assume it's a crude translation, but whatever. So you can harass some poor babushka over there in Russia whose grandson is out there fighting. This is just incredible. We've never seen anything like any of this before, but doxing is very toxic online behavior. And when it comes to war, the gloves are off. [00:28:48] And by the way, these groups that I mentioned, these hacktivists, have official meetings Tuesday mornings on Telegram, and they talk about who the next target is. Absolutely amazing. Make sure you visit me online, CraigPeterson.com, and don't go anywhere, because we've got more coming up here about organizations in general. Here in the US, breaches are up, stolen data is up, [00:29:17] and the number of bankruptcies are up because of it. [00:29:23] Hacks are up. Now, you know that, we've known that for a while, but did you know that is not necessarily the number one reason businesses are suffering breaches? So we're going to talk about that right now. What else do you have? [00:29:39] We've talked before about some of the websites that I keep an eye on. [00:29:44] One of them is called Dark Reading, and they've got a lot of good stuff. Some of the stuff I don't really agree with. Who agrees with everybody, or another person, even just one, a hundred percent of the time? Like no one. Okay. So in this case, we're talking about organizations suffering a breach. [00:30:03] And the stat that they're quoting here is that more than 66% of organizations have suffered a breach in the last 12 months. That's huge. And the breaches have gotten more expensive. Global average breach cost is $2.4 million.
And if you are unprepared to respond to a compromise, that price tag increases to $3 million. [00:30:36] Yeah. That's how bad it is. That's what's going on out there right now. But the point that really they're trying to make here at Dark Reading, in this article by Robert Lemos, is that organizations are focused too narrowly on external attackers when it's insiders, third parties, and stolen assets that cause many breaches. [00:31:02] That's what this new study is showing from Forrester Research. Now I had them on the show a few times in the past; you might be familiar with them. They are a research company that charges a lot for very little information, but they've got the research to back it up right there. They're really one of the leading, if not the leading, research companies out there. [00:31:26] So last month they came out with the 2021 State of Enterprise Breaches report. And they found that the number of breaches and the cost of breaches varied widely depending on where the organization is based. And the big one that you have control over is whether they were prepared to respond to breaches. [00:31:53] Now, companies in North America had the largest disparity between the haves and have nots. Listen to these numbers. They're bad for businesses, these numbers, and they're worse for individuals. The average organization required 38 days, 38 days, over a month on average, to find, eradicate, and recover from a breach, but companies that were not prepared for security challenges took 62 days. [00:32:28] Now the good news here is that this is down. It used to take nine months on average, and now we're down to two months, but here's the big question. Can you, or can a company, survive 62 days, or is it going to be out of business? Do you have enough money to make payroll for the next two months? That's where the problem [00:32:55] really starts to come in.
That's why small businesses that are hacked, small businesses that are using things like Norton or some of the other real basic software without having a good firewall and good security practices, and same thing with individuals here, you are going to be out of business. [00:33:17] That's what it's showing right now. And your insurance policy that you have for cybersecurity insurance will not pay out. I did a presentation for an insurance industry group. This was in Massachusetts and it was a statewide group. And we'd talked about how the policies are not paying out. The companies [00:33:41] aren't, right? And why, and if you are not prepared, if you are not doing the right things. And I can send you a list of what you need to be doing, if you'd like. Just email email@example.com. I'd be glad to send it to you. M-E at Craig Peterson, P-E-T-E-R-S-O-N, dot com. And just ask for it and I'll respond to you, or we'll get Mary or someone else to forward it to you, because I've already got it. [00:34:07] Okay. This isn't a big deal for me. Okay. It's ready to go. But that list is an important list, because if you don't meet the standard that the insurance industry has set forward and you are hacked, they're not going to pay you a dime, even if you sue them. And we've seen this with very large companies as well, where they're trying to recover tens of millions of dollars from the insurance policy, and they didn't get a dime. [00:34:36] They had to also pay who knows how many millions to lawyers to sue the insurance companies. And they lost. Okay. It's a very big deal. So there's a huge misalignment, according to Forrester, between the expectation and the reality of breaches. On a global scale, there's a big disparity of above $600,000 between those [00:34:59] prepared to respond to a breach and those who are not. And we can talk about that as well, because there's things you need to do, obviously backup, but backup means you've got to check the backup. You've got to make sure it's valid.
You should be spinning up the backups in a virtual environment in order to make sure the backups are good. [00:35:22] There's a lot of things you should be doing. Okay. And that's just a part of it. Plus, do you have your PR people ready? Are you able to respond to the state requirements? A lot of states now, if you are hacked, require you to report it to the state, in some cases in as little as 72 hours. So do you have that paperwork ready? [00:35:46] Do you have the phone numbers of all of the people that are on the team? Okay. All of these things. Now, the threats are not just the external hack. Anybody who's trying to protect their data is focused on, obviously, the external hackers. That's where we tend to focus. Part one. Part two is we focus in on the people that are working inside [00:36:13] the company, right? It's a zero trust narrative here. Why is this guy in sales trying to get into the engineering files? Why are they trying to get into payroll? You understand where I'm going with this, you're buying what I'm selling. You don't want them to have access to stuff that they don't need access to. [00:36:37] Attacks that Forrester found were spread over external attacks, internal incidents, third party and supply chain attacks, which is really big nowadays, and lost or stolen assets. Globally, half of companies consider external attacks to be the top threat, but in reality, only a third of the incidents come from external actors. [00:37:04] Nearly a quarter of them are traced back to an internal event, 23% consisted of lost or stolen assets, and 21% involved a third party partner. Interesting. Hey, so we've got to keep an eye on this. These external attacks are a very big deal, and that's where they have success with what are called zero day attacks. [00:37:31] But your internal people can be a problem. Now I have put together in 2022, this is something really important, what we call a POA&M. It's a plan of action and milestones of what you need to be doing
for your cybersecurity. Okay. This is available absolutely free. You have to email me, M firstname.lastname@example.org. [00:38:00] But the idea behind this is it's a spreadsheet that you can use in Numbers on a Mac or Excel on Windows. And it has all of the key items. Now we follow what's called the 800-171 standard. This is the National Institute of Standards and Technology, and they've laid out all of the different things that you should be doing now. [00:38:26] We've broken them down into eight cybersecurity activators, as what we called them. And you should have already gotten an email this week from me, if you're on my email list, just talking about, because we're starting now getting into those cybersecurity activators, I'm showing you what to do about each one of them, [00:38:46] so you can do it yourself. So many of us are stuck with being the CTO or the guy or gal in charge of IT just because we like computers or we know more than somebody else. So if you're on my email list, you will be getting these things. We're going to be going through them in the weeks ahead, little quick mini micro trainings, if you will, but you gotta be on the email list in order to get them. [00:39:12] These are also appropriate for home users right now. You're going to have to make your decisions as to what you're going to do, but home users have the same exposure, the same basic problems that they have in bigger organizations. So I follow the National Institute of Standards and Technology. [00:39:34] They have broken it down into a number of different sections. They actually require it. And if you are compliant with this new standard, you are going to be able to recover your money from the insurance company if you are hacked. I don't know, I was going to say it's a win, but hopefully you won't get hacked because of this. [00:39:58] So it's an important thing to follow. So make sure you go to CraigPeterson.com/subscribe right now and get subscribed.
A lot of stuff for home users. My business is focused on securing businesses, particularly regulated businesses, right? If you have intellectual property you don't want to have stolen, or you do government contracts where they're requiring you to be compliant with this new standard or some of the others, but it's [00:40:27] basic stuff that every business should be following. So just email me at email@example.com with your questions. We've been really good at answering them. We've probably lately been averaging about a dozen a day, which is quite a few, so it might take us a little bit to get back to you, but we've gotten much better. [00:40:48] Mary, her number one responsibility right now is making sure that we answer all of your emails. We'll send out this plan of action and milestones spreadsheet for you, so you know what to do. This is updated. This is 2022. Everything you need right there. Me at Craig Peterson dot. Alright, you'll also find my podcast there, [00:41:14] CraigPeterson.com. And I want to point out that I'm not doing the show on video anymore. Just wasn't getting enough traction with it; it just takes too long. Anyways, CraigPeterson.com. [00:41:29] This is one of the top topics I've had people ask about lately, and that is protecting yourself and your business against Russian hackers. So I've got a presentation. We're going to run through it. We're going to talk about what you can do. [00:41:46] This has been a long time coming. I have been doing a lot over the years of webinars, of online meetings, trying to help people understand what's going on, what can be done. [00:41:58] And I got a great email this week from one of the listeners who's been on my email list now for years, I'm not even sure how many years. And he was saying, Hey, thanks for giving all of this information for free for small businesses. I can't afford it. 
And I got to thinking, because there've been a lot of requests lately, for instance, backups: how should I be doing them? [00:42:22] What should I be doing? And a number of other topics that really all go together into the "how do I protect myself, my business, from ransomware, from these Russian hackers?" So that's what we're going to be talking about today. We're going to go through a few of these. This is going to be a series. [00:42:41] We're going to continue this here in the weeks ahead, and I appreciate all your feedback. And if you miss part of it, make sure you email me, just me at CraigPeterson.com. Let me know, and I'll be glad to send some of it to you. Now I'm recording this on video as well, so it's great when you're driving around and listening in, picking up some tidbits. [00:43:04] And if you do want to see the recorded version, again, drop me an email to firstname.lastname@example.org, or search for me on YouTube or on one of the other sites that are out there like Rumble, and you'll find this as I release it. Cause this is going to take a few weeks to really get into the whole thing. [00:43:26] So let's get started. I'm going to pull this up here, full screen, for those watching at home. And what this is called today, we're talking about protecting your business and yourself from Russian hackers, because they have been out there. They have been causing just all kinds of problems, but there's a few things that you can do. [00:43:48] And I have them up on the screen here. Let me pull them up, but I want to get into the background first. Russian ransomware group: they're a bunch of bad guys and it's called Conti. Now, Conti has been around for a long time. These are the guys that have been ransoming us. They're the guys who've been ransoming the businesses, they've been ransoming [00:44:10] government. You might've heard of them. They've got into hospitals. They have been all over the place and they've raised a whole lot for the Russians. 
I'm also going to tell you about a couple of things you can do here, cause there's a real neat trick when it comes to keeping Russians out of your computers. But Conti decided, Hey, listen, we are all for Russia and President Putin. [00:44:34] So they came out with an official warning. Oh, I want to read this to you. It says: if anybody will decide to organize a cyber attack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy. Yeah, no, not the best English, but much better than my Russian. [00:44:55] I got to say that I know two words or so in Russian, but they said that they were announcing full support for the president. That's a pretty bad thing, if you ask me. They also have ties to Russian intelligence, but what are we talking about really? Think of the KGB. [00:45:13] The FSB is what they're called nowadays, but directly tied. China and North Korea, Iran are also now tied in with Russia to varying degrees, but all of them are a little bit concerned about getting into it a little too much. But we're going to talk about their tactics. That's what's important today. What are they doing? [00:45:35] Why are they doing it? What can you do about it? So the first thing is password spraying. This is a big deal. I've got a nice big slide up here. I like that color blue. I don't know about you, but I think it's pretty, but password spraying is something we all need to understand a little bit better. It's a brute force attack that has been really hurting [00:46:00] many of us. Let me see if I can get this to work. For some reason it has decided it just doesn't want to. Let me see here. What is up? Oh, something isn't... it's just, I'm getting a white screen. But it's a brute force attack that targets users who have common passwords. Now this is a problem when we're talking about passwords. 
[00:46:25] If you have a password that has been breached in any of these breaches that have gone on over the last, however long, right? 30 years plus now, that password is known to the bad guys. So what they'll do is they'll take that common password and they'll start to try it. So password spraying is where they will go to a bank site or they'll go to Google. [00:46:51] Oftentimes they're trying to get at your email accounts. So if you have Google email or Yahoo or Hotmail, they'll try it. They use passwords that they have found against accounts that they have found on those various sites. That ends up being quite a big problem for everybody out there. Okay. I got that screen back here. [00:47:12] So I'll put that up for those people who are watching. But they will send multiple attacks using variations of these passwords, and it's known as a low and slow method of password hacking, because if they were to go bam, and send all of these passwords and login attempts, [00:47:35] they'd get caught. The automated systems would say, Hey, wait a minute. This is not good. We're going to cut you off. In fact, that's what I do for my clients. We have remote access using SSH, which is an encrypted session so that we can have a terminal session. And if you try and log in three times, we automatically zap you, right? [00:47:58] We shut you down. So they take a very slow approach to this password spraying technique. And they're also going after volume, which makes a whole lot of sense. And there are right now billions of passwords, usernames, email addresses that have been stolen that are sitting out in the dark web. So you've got to make sure that you are not reusing passwords. [00:48:24] How many times have we talked about that? You've got one common password that you're using over and over again. Well, that's a problem, but they're not going to keep hacking your account. They're going to switch from one account to another because they don't want to get locked out. 
[00:48:39] Just like I lock out somebody who's trying to get in. So if someone's coming from that same IP address, that same internet site, and they're trying to log into that same account multiple times, bam, they are gone. So with password spraying, they're trying to get around the problem of you noticing. They're trying to get into a bunch of different accounts and they try and leverage it. [00:49:04] So they'll oftentimes use multiple computers that they've stolen access to. We've talked about that before too. It gets to be a real big problem. Now they're also targeting these single sign-on and cloud-based applications, because once they're on, using one of these federated authentication protocols, they can mask the malicious traffic. [00:49:30] We've heard of some of these hacks lately where they're using a token that they managed to pick up from somebody's email account, or they got onto Microsoft and they got into the email account on Microsoft. That happened recently in a supply chain attack, SolarWinds. You heard about that, 2021, right? [00:49:52] So they're going after these email applications, including Microsoft, or Microsoft has done... they're going after routers and internet of things devices for a very good reason. Those IoT devices, which are things like your smart lights, they can be controlling the cameras outside. They go on and on; there's thousands, millions of them. [00:50:14] Now, actually all the way through your microwave, they tend to not be very well protected. So that's a real big target for them. So step one, they want to acquire a list of usernames. Step two, they're going to spray the passwords. Where do they get those passwords and those usernames? They get them from breaches. [00:50:36] So again, if you have an account that's breached at some online shopping site, a big one, a small one, it doesn't really matter. 
That particular breach is now well known and they can, will and do gain access to your account, which is step three, gain access to it. It gets to be a serious problem. [00:50:57] Okay. How do you know if you are under attack? Number one, there is a spike in failed log-ins. This is where having a system... and there's technical terms, it's tough for this. I'm trying to avoid a lot of those terms, but this is where the system is watching logins, noticing that there's a problem and going ahead and stopping it, not just noticing it, but stopping it. Very important to do. There are a high number of locked accounts, which means what? It means that, again, someone's been trying to log in. You should make sure that your account, if there are invalid log-ins, automatically locks it out after some number of attempts, and five attempts is usually considered to be okay. [00:51:44] I know on my phone, for instance, I have a higher number than that, cause sometimes the grandkids get at it. But when it comes to your business account, when it comes to your bank account, you probably don't want to have a whole bunch of attempts. And then unknown, or invalid I should say, username [00:52:04] attempts. Again, why are they trying to log in with a username that just doesn't exist? Yeah, it can be a problem. Hey, when we come back, we're going to talk about some steps that you can take here to really remediate, maybe even stop, a password spraying attack. I've already given you a few ideas here, but what are some active things that you can do, particularly for a small business, to really protect yourself? [00:52:33] Hey, stick around. We'll be right back. CraigPeterson.com. [00:52:39] Russia has been hacking our computers, Russia's continuing to hack our computers, and this is a real problem. So we are going to talk right now about how to stop some of these things. We already talked about password spraying. How do you stop it? 
[00:52:56] There are a lot of things we have to pay attention to, and that's what I'm going to be doing in the weeks ahead. [00:53:03] We're going to be going through some of the things you need to do to keep yourself safe, keep your business safe in this really dangerous online world. There are so many things going on. So many people that are losing their retirement, businesses losing their operating accounts. We've seen it before with clients of ours, well, you know, they're clients now. [00:53:29] And it was just a devastating thing to them. So I don't want that to happen to you. Now, if you are interested, all of this is recorded and I am doing this as video as well. We've got slides and you can find out more about it. Just email me at email@example.com. It's really that simple. And just let me know [00:53:54] and I'll be glad to send it off to you. Okay. This is available to anybody. I'm trying to help. And we've had a lot of emails recently about some of these things. So this is covering everything from the password spraying we're talking about right now through backups and other things that you need to do. [00:54:14] Let's get going on our spraying problem. So what are the steps that we need to take in order to really remediate against one of these password spraying attacks? And frankly, it has a lot to do with our users and what we do. If you're a business, if you are an individual, we need to be using longer passwords. [00:54:43] Now we're not talking about all of these random characters that we used to have. I remember having to have my password be at least four characters long, back when it didn't even have to have a username; it was just all based on the password. And things changed over the years. The latest standards that are out there right now come from NIST, which is the National Institute for Science and Technology. 
[00:55:07] They are the guys that put together all of the guidelines that the federal government and businesses need to follow. And they're telling us that longer passwords means elaborate pass phrases. So you should use 15 character passwords. I had an article just a couple of weeks ago saying that an eight character password can be cracked almost instantly, certainly within an hour, any eight character password. [00:55:39] So if you're still using that, you've got to make a change. And obviously nine characters is a lot more possibilities, takes a lot longer to crack. I don't have those numbers right in front of me, but 15 is the ideal. So use pass phrases instead of single words. So phrases like, I don't know, Secretariat won the Kentucky. [00:56:04] There you go. There's a phrase. So what you would do is put maybe dashes between each one of the words. Maybe you would go ahead and use a comma, put some numbers in there, put some special characters in, upper and lowercase, right? So it's basically uncrackable at that point. And that's what you want. [00:56:24] Next one. When we're talking about rules for your passwords, the best passwords are the passwords that you can remember without writing them down, and words that don't make sense to anyone else. I remember taking a memory course a few years back and they had random words and you had to remember them. [00:56:49] And the whole idea was, okay, visualize this happening. And as I recall, man, it's been a lot of years, I won't say decades, but it hasn't been... Since I did this, I still remember a part of it. The first word was airplane. Next was an envelope. The next one was paper clip. Next one was pencil. [00:57:08] So I visualized an airplane flying into an envelope, and that envelope then goes into a paper clip, and a pencil writes on the outside, like it's addressing it to someone. 
That is a good little password, actually: airplane, envelope, paperclip, pencil, with mixed case and maybe a number, too, or a special symbol thrown in. [00:57:35] Those are the types of rules that we're talking about, the types of rules that really matter. Next up here. Oops, wrong keyboard. Stay away from frequently used passwords. We've talked about this many times. If you're using one of the better password managers, like for instance 1Password, you will automatically have any passwords that you are storing in there, or that it creates, checked via a website out there. [00:58:07] It's called, yeah, okay, it's called Have I Been Pwned. And I hate to say this, because how do you spell it? It's all one big, long word: haveibeenpwned.com, and pwned is P-W-N-E-D, dot com. It will tell you if a password that you're trying to use is a known password, if it has been found out in the wild. Okay. [00:58:32] Use unique passwords for every site you visit. I can't stress this enough. We were talking about password spraying. If you use the same password and email address on multiple sites, you're in trouble, because all they have to do is try your email address and your password for whichever site it is that they might want to try out. [00:58:58] Remember, many of them are trying to get into your email and they have done that successfully with Microsoft email. If you have their Microsoft 365 service, you might want to read the fine print there very carefully, because Microsoft does not guarantee much of anything. Make sure you back it up yourself. [00:59:20] Make sure you do all of these things, because Microsoft just plain isn't doing them for you. Next one here. Next up is our password manager. And I mentioned this before: installing and using a password manager is phenomenal. It automates the generation of passwords. If you have it integrated with your web browser, [00:59:45] it now allows your web browser to work with your password manager. 
So when you go to a site, you can have it pull up your passwords. How could it be much easier than that? It's really rather simple. That way it's keeping track of your logins. And again, 1Password.com is the one I recommend, and people get confused [01:00:06] when I say that. When I'm saying 1Password, I don't mean only have one password used for everything. 1Password is the name of a company.