Podcasts about multifactor

  • 50 podcasts
  • 58 episodes
  • 30m average duration
  • Infrequent episodes
  • Latest: Dec 5, 2024

Latest podcast episodes about multifactor

Listening to America
Practical Cyber Advice for 2025

Dec 5, 2024 · 12:14


In this episode of The Future in Context, host Ashley Silver speaks with Cody Tyler, managing director at EXOS CYBER, about the critical cybersecurity challenges facing state and local governments. The discussion explores why government agencies are frequent targets for cyber criminals, the dual role of artificial intelligence in security, and the importance of workforce training to combat these evolving threats.

SHOW NOTES

Here are the top five takeaways from this episode:

1. Government agencies are prime targets for cyber criminals. Government agencies, Tyler explains, face increased cyber threats because of their critical role in maintaining essential services such as power and water, their access to sensitive data, and their reliance on outdated systems. These factors make them susceptible to ransomware, phishing and data theft, with artificial intelligence enabling more sophisticated attacks.
2. Multifactor authentication and user awareness training are essential. The conversation emphasizes that multifactor authentication can prevent most phishing attacks when paired with regular employee awareness training, including simulated phishing exercises.
3. Collaboration with cybersecurity firms is vital. Tyler reveals how partnerships between government agencies and cybersecurity firms strengthen defenses against evolving threats. These collaborations provide specialized expertise to assess vulnerabilities, implement safeguards such as multifactor authentication, and develop recovery plans to minimize damage.
4. Emerging technologies like AI offer opportunities and risks. While advanced AI can enhance cybersecurity by analyzing data and detecting threats, it also introduces new challenges, such as fully automated attacks and sophisticated phishing schemes. Tyler stresses the need for proactive and adaptive strategies to address these vulnerabilities.
5. Workforce training is key to overcoming cybersecurity challenges. Tyler underscores the importance of regular training and “defense in depth” strategies to address workforce gaps in cybersecurity. Initiatives such as workshops and phishing simulations, and layered security measures, help employees adapt to emerging threats, particularly staff less familiar with modern technology.

Listen to this episode on the player below or subscribe for free on YouTube or the podcast app of your choice — Apple Podcasts, Spotify, Audacy and Audible. Our editors used ChatGPT 4.0 to summarize the episode in bullet form to help create the show notes. The main image for this story was created using DALL-E 3.

The Daily Decrypt - Cyber News and Discussions
CyberSecurity News: Expensive AWS S3 Bucket, No MFA for Change Healthcare, Wpeeper Android Malware uses WordPress

May 2, 2024


In today's episode, we discuss how a developer nearly faced a $1,300 bill due to a poorly named AWS S3 storage bucket, attracting unauthorized access (https://arstechnica.com/information-technology/2024/04/aws-s3-storage-bucket-with-unlucky-name-nearly-cost-developer-1300/). We also delve into the repercussions faced by Change Healthcare after a ransomware attack due to compromised credentials and lack of MFA (https://www.cybersecuritydive.com/news/change-healthcare-compromised-credentials-no-mfa/714792/). Lastly, we explore a new Android malware named Wpeeper that utilizes compromised WordPress sites to conceal C2 servers, posing a threat to unsuspecting users (https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html).

00:00 Intro
00:55 Change Health Care
04:10 The High Cost of a Naming Mistake: A Developer's AWS Nightmare
07:54 Emerging Threats: The Rise of Wpeeper Malware

AWS, S3, Storage Bucket, Unauthorized Access, Change Healthcare, AlphV, ransomware, cybersecurity, Wpeeper, malware, WordPress, command-and-control

Search phrases:
1. Ransomware group AlphV
2. Change Healthcare
3. Compromised credentials
4. Multifactor authentication
5. Ransomware consequences Change Healthcare
6. Cybersecurity breach consequences
7. Security measures for cybersecurity breach prevention
8. Wpeeper malware
9. Android device security protection
10. Compromised WordPress sites protection

Change Healthcare's CEO just testified in front of the House Subcommittee that the service they used to deploy remote desktop services did not require multi-factor authentication, which led to one of the most impactful ransomware attacks in recent history. In other news, a very unlucky developer, in his personal time, accidentally incurred over $1,300 worth of charges on his AWS account overnight. What was this developer doing, and how did it lead to such high charges in such a short amount of time? Wpeeper malware is utilizing compromised WordPress sites to hide its C2 servers, posing a significant threat to Android devices, with the potential to escalate further if undetected. How can users protect their Android devices from falling victim to this malware? You're listening to The Daily Decrypt.

The CEO of Change Healthcare, which is a subsidiary of UnitedHealthcare that was breached (it's been all over the news), revealed in written testimony that Change Healthcare was compromised by a ransomware group accessing their systems with stolen credentials. Which we all knew, but the ransomware group used these compromised credentials to remotely access a Citrix portal, which is an application used to enable remote access to desktops. And this portal did not require multi-factor authentication. I don't know much about Change Healthcare's inner infrastructure, but any portal that allows remote access to other desktops should be locked down pretty hard. And the fact that just a simple username and password can grant access to all of these different desktops is pretty terrible, and means that this attack could have likely been avoided had they enabled multi-factor authentication. So if you're brand new to cybersecurity and you're listening to this podcast for the first time, you need to know that there are a few very easy things you can do to improve your posture online. Step one: don't reuse passwords. One of the easiest ways to do that is to use a password manager and have it generate your passwords for you. Number two: enable multi-factor authentication. That way, if someone does come into your username and password combination, they still have to get through some sort of device-based authentication, like a ping on your cell phone or something like that, to allow them to log into your account.

Now, in the case of United and Change Healthcare, one thing that they also could have done to help mitigate their negligence in not enabling multi-factor authentication would be to have frequent dark web scans for any password in the system or any username in the system. And this can all be automated. If a password that is being used to access any system in your network is found on the dark web, immediately revoke that password and require that user to create a new one. But that is slightly more complicated than just requiring multi-factor authentication, so probably start there. But the attackers who carried out this ransomware were able to use credentials they found on the dark web to infiltrate the networks, gain access to remote desktops, and launch their ransomware within 9 days of their entry. So that's pretty fast. A few years ago, that would have taken dozens of days, if not hundreds of days. The dwell time for attackers was pretty high back then. But now, single digits. That doesn't leave much time for defenders to find this type of attack. But the CEO acknowledged this negligence and shared his deep condolences for all of the patrons of Change Healthcare. The pharmacists, the doctors, a lot of work had to be put on hold, and it's very possible that people died as a result of this breach, having to be transferred to different hospitals, etc. This is a pretty tragic thing, so if you're in the healthcare industry, if you're in a position of power, make sure that all your internal systems, and especially external, but definitely internal as well, have multi-factor authentication enabled. And if you want to go the extra mile, create some sort of automatic tool, that probably exists online for free, that will check the dark web on a recurring basis for any passwords in your system.

A cloud developer was setting up a proof of concept for a client, and it involved creating an empty storage bucket in AWS. The project was a document indexing system. And so this developer uploaded a couple of documents and then began working in other areas of the project. Then after two days of work, went back and checked the billing costs and found $1,300 worth of charges. Now, if you're not familiar with AWS and their pricing, S3 storage buckets are really cheap. The Daily Decrypt is actually hosted in an S3 storage bucket and I pay less than $10 a month for all hosting. And I'm uploading audio, which is a lot larger than documents. Okay. So this bucket should have cost less than $5 a month, but after two days there were $1,300 in charges, so I really appreciate the developer sharing this story because it's an interesting case study. What happened? Well, the developer accidentally named the bucket the same thing that an open source software uses as a placeholder in their code. So what does that mean? Some other company, let's say it's Home Depot, alright? That came up in a previous reel. Home Depot has some software that backs up their files to Amazon S3 buckets on a recurring basis. Home Depot also has a non-production version of that code that has placeholders for those S3 bucket names, such as placeholder bucket 1231 or something like that, so that when it comes time to upload their files, they replace that placeholder with the actual name of their bucket. But that sample code is running, and it's not doing anything because it's attempting to back up their files to a bucket that doesn't exist. Well, this developer lucked out and created an S3 bucket with that exact name of that placeholder, and this script now all of a sudden is trying to send all of Home Depot's backup files to this bucket. And news to me, but AWS charges a fee, it's like 0.005 cents per request. And an automated system can generate thousands of requests per second, like it can go very fast. So just in two days, that 0.0005 cents per request turned into $1,300. Now these are unexpected charges. Amazon agrees he shouldn't have to pay for this, but it just goes to show how careful you have to be when naming your S3 buckets, especially if they're going to allow public users to place files in them. But another really important aspect of this story that I find fascinating is that the developer, once he realized what was happening, decided to open up his bucket and allow files to be placed there. And within 30 seconds, there were over 10 gigabytes of files placed in this bucket. And these files belonged to another company, one that's pretty reputable, so probably along the same lines as Home Depot. Now this developer won't disclose that because these files are currently being backed up and there's a huge risk for data leak, but this developer now has the source code for all kinds of files that belong to a pretty big company. So as a developer, make sure you name your AWS buckets something pretty unique, and maybe even add in a little suffix of random characters after anything you name. And as developers for companies, make sure you're not having automated scripts upload to bucket names that don't exist, because maybe someday they will exist and all those files will go to that bucket. The developer did reach out to the company that was affected by this and has received no response. But we're all hoping that the company responds and fixes their practice, and hopefully shells out some money to this developer, because that's a pretty big bug and they deserve compensation.

And finally, cybersecurity researchers have identified a new Android malware named Wpeeper that utilizes compromised WordPress sites to hide its command and control servers. And if you've been listening to this podcast for a while or keeping up to date on cybersecurity news, you'll know that there's a lot of opportunity within the WordPress framework to compromise WordPress sites, and it would be a great place to host a command and control server. Wpeeper is a binary that employs the HTTPS protocol for secure C2 communications and functions as a backdoor. The malware disguises itself within a repackaged version of the Uptodown app store for Android, aiming to evade detection and deceive users into installing the malicious payload. Wpeeper utilizes a complex C2 architecture that involves using infected WordPress sites as intermediaries to obfuscate its actual C2 servers, with as many as 45 C2 servers identified in the infrastructure. The malware's capabilities involve collecting device information, updating C2 servers, downloading additional payloads, and self-deleting. And to safeguard against similar malware attacks, users are advised to download apps only from reputable sources, carefully review app permissions, and just be careful what you click on. Stay vigilant out there against suspicious activities that may be taking place on your phone. You might notice a performance lag. You might notice weird browsers opening up. And if you do, you might just want to restart your device, reset it. And if you do get curious and install a scanning tool, antivirus, anti-malware, et cetera, make sure you do it from a reputable source.

This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don't forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.

Unofficial SAP on Azure podcast
#184 - The one with SAP API Management and Entra ID (Vinayak Adkoli) | SAP on Azure Video Podcast

Mar 22, 2024 · 48:00


In episode 184 of our SAP on Azure video podcast we talk again about Single Sign-On. For a VERY long time when I was working at SAP, I was working alongside a very special colleague and friend, Vinayak Adkoli. He was my partner in crime for a lot of projects. In the last projects we worked together on SAP API Management and simplifying the way customers could manage SAP APIs. Then I moved to Microsoft, Vinayak moved from India to the US, and today I have the pleasure of welcoming him to our podcast. Last week we already had an amazing episode with Martin Raepple from Microsoft and Christian Cohrs from SAP about Single Sign-On and Multifactor authentication in the context of SAP GUI, and today we want to focus on API-based authentication. As with the SAP GUI, this is one of the most talked about scenarios and I am glad that Vinayak can provide us with more insights on how this is working.

Find all the links mentioned here: https://www.saponazurepodcast.de/episode184

Reach out to us for any feedback / questions:
* Robert Boban: https://www.linkedin.com/in/rboban/
* Goran Condric: https://www.linkedin.com/in/gorancondric/
* Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/

#Microsoft #SAP #Azure #SAPonAzure #APIManagement #SSO

## Summary created by AI
* SAP API management and Azure AD integration: Vinayak Adkoli from SAP explained how to use different authentication flows to expose and consume SAP APIs with Azure AD as the identity provider.
* Single sign-on and multi-factor authentication: Holger Bruchelt from Microsoft highlighted the benefits of using the identity authentication service on BTP to federate with Azure AD and enable SSO and MFA for SAP GUI and other BTP services.
* API key and custom attributes: Holger and Vinayak discussed how to use API key and custom attributes in SAP API management to correlate the client credentials of BTP services and Azure AD applications.
* SAML assertion and token exchange: Vinayak demonstrated two approaches to generate and exchange SAML assertions for accessing on-premise SAP systems via cloud connector and BTP connectivity service: one using API management as a SAML issuer and one using Azure AD as a SAML issuer.

The Show with Xander
#65 MFA Spanish

Oct 2, 2023 · 4:25


Multiple-factor authentication. Multifactor authentication. Second authentication factor. Microsoft Authenticator. Google Auth. Yubikey.

CYBER LIFE
Cyber Life Podcast Ep.1 - Cloud Identity and Access Management (IAM) with Dr. KVN Rajesh

Aug 30, 2023 · 27:48


In this episode, we're diving into the realm of identity and access management in the cloud. Our guest is Dr. KVN Rajesh, a multi award-winning trainer focused on Microsoft Azure security. With a PhD in deep learning and over 10,000 individuals trained, Dr. Rajesh is a cloud security expert you won't want to miss.

Dr. Rajesh explains the concept of identity and access management (IAM) and how it helps protect our digital resources. Imagine your username as your digital ID and access as your role within the organization – all controlled through IAM. IAM helps protect critical data, data privacy, and ensures compliance. Dr. Rajesh talks about creating and managing IAM users, from provisioning to authentication, authorization, lifecycle management, and continuous monitoring. He then explores the power of IAM policies. These digital blueprints govern user permissions and actions, safeguarding the principle of least privilege. Dr. Rajesh sheds light on architecture best practices of these policies and their role in maintaining the balance between security and user experience.

As our episode focus pivots to cloud environments, Dr. Rajesh showcases the pivotal role of IAM in Microsoft Azure. You will learn how Azure IAM centralizes access control, leveraging Azure Active Directory and Role-Based Access Control (RBAC) for seamless user identity management. Dr. Rajesh also addresses emerging trends shaping the future of IAM. He discusses zero trust, AI integration, and blockchain-backed identity verification. But every coin has two sides. Dr. Rajesh shares some common pitfalls to avoid – from generic passwords to excessive privileges – and offers a roadmap for troubleshooting IAM issues. Dr. Rajesh recommends a comprehensive IAM strategy to enforce granular permissions, track user activities, and ensure regulatory compliance.

In this ever-connected world, cloud-based IAM solutions come with scalability, centralized management, and seamless integration. Dr. Rajesh digs into common benefits and challenges with cloud IAM solutions, to help your organization identify "right fit" solutions. Dr. Rajesh also emphasizes the urgency of implementing IAM best practices because of emerging threats and the reduced barrier to entry for cyber criminals. Be sure to like and subscribe for more episodes of the

The Nonlinear Library
LW - Is Chinese total factor productivity lower today than it was in 1956? by Ege Erdil

Aug 19, 2023 · 14:58


Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Is Chinese total factor productivity lower today than it was in 1956?, published by Ege Erdil on August 19, 2023 on LessWrong.

tl;dr: Multifactor productivity data from a famous economic dataset, used often to proxy for technological progress and innovation, might be significantly biased by poor estimates of the social returns to education, the capital share of income, and real GDP. Such estimates should be treated with caution.

Introduction

Total factor productivity is an economic concept that is used to quantify how efficiently a country can make use of its economic resources. It's a rather nebulous concept in general because it's not directly measurable but instead corresponds to latent variables in growth models that account for "unexplained variation" in output. If we stick to the abstract realm of growth models, there is often a clear definition: for instance, we might model a country's real GDP $Y$ by a function such as $Y = A L^{1-\alpha} K^{\alpha}$, where $L$ and $K$ denote the country's total labor force and capital stock respectively, 0


echtgeld.tv - Geldanlage, Börse, Altersvorsorge, Aktien, Fonds, ETF
egtv #286 Kommer + Beck: What the new funds of the ETF gurus can (and cannot) do | About You | Deutsche Konsum

Jul 21, 2023 · 63:21


ETF pope Gerd Kommer has finally launched a fund of his own, and he has not skimped on buzzwords: ultra-diversification, multifactor, the „ETF revolution […] for your world portfolio“. Tobias Kramer and Christian W. Röhl discuss whether the index concept lives up to what its creator's reputation promises, and move straight on to another prominent advocate of „scientifically grounded“ investing. After the successful „Global Portfolio One“, Dr. Andreas Beck has now launched a bond fund and woven a few odd narratives around it. On top of that there is an update on two entrepreneur gurus for whom things have not been going so well lately: at the annual general meeting of Deutsche Konsum (soon, most likely, no longer a) REIT, Christian had a memorable reunion with real-estate tycoon Rolf Elgeti. And e-commerce visionary Tarek Müller needs only a positive adjusted EBITDA to spread the headline „About You reaches profitability“ despite a net loss of 24 million.

Tech means Business
For the Many, One: MSP Cybersecurity Considered

Feb 17, 2023 · 14:43


In light of the latest reports from the NCSC and ACSC (National [New Zealand] and Australian Cyber Security Centre) on best practice, companies and organisations in the region are looking to amend their everyday work processes. But many smaller outfits (think fewer than 100 people) have no dedicated IT team. In many cases, these will turn to their MSP (Managed Service Provider) for advice and, ultimately, protection from hackers and malware.

In this episode of the Tech Means Business podcast, we talk to Leon Friend of ConnectWise about the software and systems that his company provides to MSPs: dedicated security systems designed from the ground up for MSPs. With each of an MSP's clients having specific requirements, configuring and managing mixed security provisions would be a nightmare with "normal" cybersecurity tools. Not so with the ConnectWise platform.

We cover some of the ACSC and NCSC's recommendations and talk about going further: back up, sure, but what to back up? Multifactor authentication, great, but is SMS really secure?

Learn more about improving your organisation's security posture in this episode of Tech Means Business.

You can see the ConnectWise portfolio of solutions here: https://www.connectwise.com/en-au
The ACSC and NCSC are here: https://www.cyber.gov.au/ and https://www.ncsc.govt.nz/
Leon Friend is on LinkedIn: https://www.linkedin.com/in/leonfriend/
And your host, Joe Green, can be seen here: https://www.linkedin.com/in/josephedwardgreen/

8th Layer Insights
Season 3 finale: What's the deal with Authentication, MFA, and Password Managers?

Jan 24, 2023 · 72:04


For the last episode of season 3, I thought we'd talk about something that's been in the news quite a lot recently: Authentication and Password Managers. As security professionals, we've decried the password for decades. Multifactor authentication (MFA) has started to gain popularity... but not without its own issues. Security leaders and tech teams may have once again hoped for a silver bullet, only to be disappointed to find out that crafty attackers can easily bypass MFA. We've also been touting the benefits of Password Managers for quite a while. After all, in a world where most of us have to manage upwards of 200 passwords in a year, who can keep up? No human can have great password hygiene across all those accounts. But password managers also face their own problems as illustrated by a recent high-profile incident. Our guest today is Roger Grimes. He has a multi-decade cybersecurity career and is the author of 13 cybersecurity books, countless articles, and is a highly sought-after industry luminary. ... Oh -- and he has opinions. Listen in as Roger and I discuss the current state of authentication, MFA, password managers, and more. Guests: Roger Grimes (LinkedIn) (Twitter) Want to submit a question to have answered in a future episode? If you've got a question or comment that you'd like me to try to answer or respond to, leave a voice message at https://www.speakpipe.com/8Li. Frankly, that would make it more engaging than if I just read your questions. But, if you aren't able to record a message or don't want your voice on the show, then you can email me your questions at perry@8thLayerMedia.com. I'd love to hear from you and answer any questions you have about my thoughts on security topics, creativity, online culture, podcasting… or anything else you have on your mind. 
Books & References:
  • Password Managers Can Be Hacked Lots of Ways and Yes, You Should Still Use One, by Roger Grimes
  • Roger's Password Masterclass
  • Roger's Hacking MFA presentation
  • Hacking Multifactor Authentication, by Roger Grimes
  • Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today's Crypto, by Roger Grimes
  • Ransomware Protection Playbook, by Roger Grimes
  • A Data-Driven Computer Defense: A Way to Improve Any Computer Defense, by Roger Grimes
  • Hacking the Hacker: Learn from the Experts Who Take Down Hackers, by Roger Grimes
  • LastPass Security Incident, December 22, 2022
  • LinkedIn 2FA Hacking demo by Kevin Mitnick
  • The Humane Interface: New Directions for Designing Interactive Systems, by Jef Raskin
  • Wired Magazine Article -- The Best Password Managers to Secure Your Digital Life

Perry's new show, Digital Folklore, kicked off Jan 16. Check out the website (https://digitalfolklore.fm/) to see our custom artwork, subscribe to the newsletter, check out our merch, Patreon, and more. Want to check out what others are saying? Here's some recent press about the show: https://digitalfolklore.fm/in-the-news

Perry's Books:
  • Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors, by Perry Carpenter
  • The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer, by Perry Carpenter & Kai Roer

Production Credits: Music and Sound Effects by Blue Dot Sessions, Envato Elements, Storyblocks, & EpidemicSound. Artwork by Chris Machowski @ https://www.RansomWear.net/ and Mia Rune @ https://www.MiaRune.com. 8th Layer Insights theme music composed and performed by Marcos Moscat @ https://www.GameMusicTown.com/

Want to get in touch with Perry? Here's how: LinkedIn, Twitter, Instagram, Email: perry [at] 8thLayerMedia [dot] com

Federal Drive with Tom Temin
CISO council considers new authentication mechanisms for feds, citizens

Dec 5, 2022 · 7:43


A group of leading federal security officials is exploring ways agencies can break old paradigms for how employees log in to federal networks and citizens access government services, driven by a whole-of-government mandate to adopt modern authentication practices. Multifactor authentication is a major issue in front of the federal chief information security officer council, according to Steven Hernandez, CISO at the Department of Education and co-chairman of the council. For federal employees, agencies are considering additional options beyond the Personal Identity Verification (PIV) card. But Hernandez said the PIV card will continue to be a leading authenticator well into the future.

Renta 4 Banco
Renta 4 MULTIFACTOR | Investment funds

Jun 13, 2022 · 3:15


Renta 4 Multifactor is a Smart Beta fund that invests through factors. This strategy is based on risk management, modulating the weighting of those factors depending on the market moment. Find out more about the fund ➡️ https://bit.ly/renta4_Multifactor

Sign up for the Renta 4 Gestora newsletter and follow the latest on our investment funds ▶ https://bit.ly/boletin_R4gestora

Follow us on:
➤ Youtube: https://www.youtube.com/user/Renta4
➤ Web Renta 4 Banco: https://www.r4.com/
➤ Renta 4 Gestora: https://www.renta4gestora.com
➤ Blog R4: https://blog.r4.com/
➤ Twitter: https://twitter.com/Renta4
➤ Facebook: https://www.facebook.com/renta4
➤ Instagram: https://www.instagram.com/renta4banco/
➤ LinkedIn: https://www.linkedin.com/company/65291/
➤ Ivoox: https://bit.ly/R4_ivoox
➤ Spotify: https://bit.ly/SpotifyR4

The Hedge
Hedge 133: Brooks Westfield and Multifactor Testing

Jun 8, 2022 · 34:59


Multi-factor testing is one of the most important jobs a vendor takes on—and one of the most underrated. Testing across all possible configurations and use cases is nearly impossible. Brooks Westbrook joins Tom Ammon and Russ White on this episode of the Hedge to talk about the complexity of multi-factor testing and some of the consequences of that complexity.

unSILOed with Greg LaBlanc
The Tyranny of Metrics feat. Jerry Muller

May 2, 2022 · 61:00


Our obsession with metrics is causing damage across the board, from education and medicine, to the police, military, and foreign aid. But our guest says we can at least begin to fix the problem.

Jerry Muller is professor of history at the Catholic University of America in Washington, DC. He is the author of five books, including “Capitalism and the Jews”, “The Tyranny of Metrics,” and “The Mind and the Market: Capitalism in European Thought.” His current work focuses on the border between history, social science, philosophy, and public policy. He chats with Greg in this episode about measurability bias, metric fixation, how metrics have made baseball more boring, and surgical report cards.

Episode Quotes:

On metric fixation: So one of the problems with what I call metric fixation is the belief that since you are measuring in a standardized way, you are engaged in an objective scientific activity. And therefore it tends to militate against humility. That is to say, it gives you too much confidence in the metrics. Because after all you're doing science, and the other guy or gal, she's just working on her gut, or on her intuition, her so-called judgment. But I've got hard numbers, and hard numbers are, that's what sent people into space. So they're going to help me figure out if this product that I have is going to work in the marketplace.

Standardized metrics: Again, I can't say it often enough, standardized metrics do have a positive role. They mitigate against various kinds of prejudice and against some kinds of biases. But when you put those metrics together with reward and punishment and transparency, you often get all kinds of dysfunctions.

Multifactor metrics & judgment: The more metrics you have, the more employee and management time is being put into measuring as opposed to doing. And especially since good metrics require input from the practitioners themselves, because they're actually more likely to know what's important and what's not. So it's good to have their input, but again that takes some of their time. So there's a real tension between doing and measuring and coming up with the metrics and then producing the metrics and then analyzing the metrics.

Show Links:
Guest Profile: Faculty Profile at the Catholic University of America; Professional Profile at The American Academy in Berlin; Jerry Muller on Twitter
His Work: Courses on The Great Courses; The Tyranny of Metrics; Capitalism and the Jews; Conservatism: An Anthology of Social and Political Thought from David Hume to the Present (Annotated Edition); Adam Smith in His Time and Ours; The Mind and the Market: Capitalism in Western Thought; Professor of Apocalypse: The Many Lives of Jacob Taubes; The Other God that Failed: Hans Freyer and the Deradicalization of German Conservatism

Title Now
Cyber Fraud 2022: Protect Yourself

Title Now

Apr 15, 2022 45:49


Learn the latest on sophisticated schemes targeting businesses like yours and what you can do to protect yourself.

Melissa Jay Murphy 00:06
Hello, everyone, welcome to the Title Now Pop-up webinar. I'm Melissa Murphy with The Fund and I am relaunching these webinars after taking a fairly significant break. So, thank you for tuning in. Because it's been several months since I hosted a webinar, I thought that I would make sure that all of you know we also have a podcast. I feel very modern and with it. The podcast is also called Title Now and I generally push the audio from these webinars to the podcast and will be doing that with today's presentation. The podcast is available through all of the typical channels, so sign up and take advantage of all the great content that we have in the podcast. So, what are we talking about today? We're talking about cyber fraud, and why cyber fraud? Because it is the number one threat to our industry. It's the number one threat to your business. Despite that reality, I fear that so many people in the closing business have heard about cyber fraud over and over and over again, and I know I nag about cyber fraud over and over again. You've become sort of resigned to it. You've made minimal gestures toward protecting yourself, perhaps setting up some procedures; you've made minimal efforts to really keep up to date with what's going on out there in the world of cyber fraud. You're basically rolling the dice on whether you will be the next victim, and honestly in today's market, unless you have $400,000 or $500,000 set aside in your rainy-day fund, you are really taking a chance. So, I feel like because this threat to our industry has evolved over the past year, things have changed in who's behind this and how they're, what their business plan is, what their workflow model is. And those changes are not good for us. The criminals have figured out that preying on our industry is pretty darn lucrative and apparently not that hard.
So, I thought it was a great time to revisit this topic, give you an opportunity to learn more about who is behind this crime, how they view our industry, how they have identified our weak points and how they can get in. We have two gentlemen with us today that are on the frontlines of this war, and yes, it's a war. They're going to share their knowledge, expertise, and advice on what the industry and you need to understand and what you need to do to address this threat. So first, I have with me Tom Cronkright. Tom's an attorney in Michigan, but much more importantly than that, Tom is in a closing business. He has a title agency, Sun Title; it's a high-volume agency, and he also has a company, CertifID, that's in the business of safeguarding money in real estate deals, and through this process, through this life experience, Tom has become one of the real estate industry's leading experts on cyber fraud and he is committed to solving the largest problem in real estate. And he's so good at this that the Secret Service has partnered with him. We have Steven Dougherty here from the Secret Service. And as you can see from his impressive background, he's with the Global Investigations Operation Center for the Secret Service. Tom and Steven, let's get started. What's happening in the world of cyber fraud, business email fraud? What do we need to know?

Tom Cronkright 4:28
Steven, I'll let you take this, but Melissa, thanks for taking the time and just spreading more and more awareness on this topic. You do such a nice job; appreciate the tee up. But Steven, why don't we read you in. We've had a very, very active year and a half together as far as combating BEC, or business email compromise, and wire fraud. But as Melissa mentioned, a little bit more background: I'm a wire fraud victim as well. So as an attorney, title agent, I've been through this process. Unfortunately, in 2015, it cost me nearly $200,000 and ended up in a high-profile federal trial down in Tampa.
So, when Melissa mentioned that I've become a subject matter expert, I just paid a lot of tuition in this realm; these are courses I did not want to take. As a title agent or lawyer, I don't remember a cyber fraud and money laundering class in law school. I remember tax and corporations, secured transactions, but that's it. Steven, could you read the group into what we're seeing at a high level and how that starts to work its way down into real estate?

Steven Dougherty 05:40
Yes, I sit in a very unique position here. I'm at Secret Service headquarters in Washington DC. I'm at a desk here called our business email compromise mission desk, in which my unit gets, in pretty much real time, aggregated incidents of cyber-enabled financial fraud affecting every industry. These threat actors are targeting every industry out there where financial transactions are taking place. You know, every industry has it, but where's it most visible? It's most visible in the real estate sector. So, they've really turned their sights on the real estate sector for the past several years and they continue to focus on it because there are so many different transactions involved in real estate transactions. You have your closing, you have your mortgage payoff, you have your earnest money deposit. All of these things are being targeted by our threat actors, and it is driven by one thing: the intersection of what I call contemporaneous and privileged information between your buyer and seller, your real estate and closing attorney. They will be the only ones you would think would have information like the Closing Disclosure, mortgage payoff documents, anything involving the transaction, but that gets intercepted by our bad actors. And then they weaponize that against you, to get you to redirect transfers of funds, send a payment somewhere you shouldn't, stuff like that.

Tom Cronkright 7:03
Steven, when you say that they're visible.
What do you mean that real estate transactions are uniquely visible?

Steven Dougherty 07:10
Just the information is out there, due to the real estate sector's types of reporting information. Tom, you know, you and I have talked about this a lot, about how much open-source information is available for us to go get or for our threat actors to go find. They can use that, piece it together and then use that to do a very, very targeted attack that's so specific that it fools even the most complex or educated individuals to spend their money.

Tom Cronkright 7:38
Yeah, what we've seen, I want to layer on it mostly, if you don't mind. I went two minutes on this because I think the framework of where we are right now creates unique vulnerabilities compared to when I was hit in 2015 as an agent. So, if we think about the multiple listing service, all of our real estate partners that feed us deals, that we're codependent on, have an obligation to post up activity on the MLS. That MLS has contracts with Zillow and Trulia and realtor, typically for money, to syndicate or buy that data in real time. So, what's interesting is real estate being now the largest asset of people's lives, and there's not a close second given appreciation. I don't know if you guys saw the NICU from ALTA this morning, but home prices went up another 15% last year. Not only is that the largest asset of people's lives, it's the most visible transaction that we have in the United States. Car purchasing and other high value assets, those are happening, you know, kind of behind the curtain, but not real estate. Because of the open market process that a listing agent has to conduct to get highest best use or highest best value for a property, the fraudsters just mine these deal boards. Say "Oh, looks like Norma is listing her house" and "Steve is listing his house" and listing, you know, my whatever it happens to be.
And then through phishing strategies, these real estate agents have the security of a dumpster, essentially, on a super warm day. And they're just exposing us, and I'm just going to say it because look, not every time, but let's just say in most cases, and then we don't know that all the information that Steven is saying is contemporaneous and privileged is being scraped and analyzed overseas, to then trick a homebuyer. And again, let's talk about homeownership right now. There is no inventory. We fell below 1 million listings last month; there are more licensed real estate agents in the country than there are homes for sale for the first time since they've been tracking inventory levels. Run the math. By about a few 100,000. We have 3,800 licensed real estate agents in Greater Grand Rapids. This morning we had 900 listings. So, what does it take to buy a parked property? I've got an employee right now at CertifID. She missed out on three offers. She's been through 12 homes; she was high fiving me last night, almost crying in a text. "Oh my gosh, we got one right." They're going to do anything they can to close that. When they get to the end three weeks from now and are asked to transfer money, if they're not set up for success, that buyer anxiety and that buyer fatigue, at a time when we need them more protected, I would argue creates more vulnerability because, look, I'm not going through that process again. So, I'm going to do whatever you need. If you're saying I don't need to bring a check anymore and I've got to wire funds, tell me where to send that wire. Steven, I think you'll agree we saw that over and over and over and continue to every week that we're involved in recovery efforts.

Steven Dougherty 10:56
Yes. Tom, you touch on some really good points. So, let's talk about how these compromises are actually occurring. How are they actually getting in and getting this information out?
What they do is through multiple different means: either through already having your password for your email account that's already on the dark web through a data breach compromise. You guys can actually go to a website, Have I Been Pwned? (https://haveibeenpwned.com). Type in your email address and see if that email address was involved in any of the large-scale data breach compromises. They'll take that information, find your old password, try to use that to log into your account. That's one way to do it. Another way they'll attack is through a targeted phishing email, where they'll send you an email with a document to click on for some reason. You click on it because you think you're supposed to; it brings you to a web page. You type in your email address and password and boom, our bad actors now have your email address and password. And once they have that information, they go in and they log into your email account. They only log in one time. Generally, what they do is they'll go to your settings, and they'll set up an email rule to auto forward out any email you receive. So, you get an email from your client or homebuyer saying, "Hey, I've been told to close, yeah, these are the details I have. What do you have?" Now our threat actor has all that information. That's how they get it. They only log in once, they set up the email rule, and the emails are built around that.

Melissa Jay Murphy 12:29
Steven, I'd had a question on the chat for you. Oh, Tom already responded to the question. He is spot on. So, we have put in the chat the website that you go to to see whether or not your email has been compromised and is out there on the dark web: https://haveibeenpwned.com. So that's all.

Steven Dougherty 12:50
Yeah, essentially, it's a website that conglomerates a bunch of different data breaches, you know, going back for years, so if your email address was involved in one of these, it will ping that and show you.
That's why it's important to really keep your passwords updated, use new passwords, and don't repeat passwords. These threat actors, they just see that information, and they just start trying it in different places and they get lucky.

Tom Cronkright 13:20
Steven, let's stay on email accounts because they just seem to be the genesis of all things bad when they're compromised. Not only complex passwords, but can you speak a little bit about the importance of email settings and analyzing email settings? I think if this industry is ever going to set up Lunch and Learns, this year is training our referral partners to identify whether their email accounts have been breached. This is one way, but within the email account, have rules been set up where their email account is being monitored in real time? They just don't know it, and how you prevent it.

Steven Dougherty 13:58
So essentially, like I said, these guys log into your email account just once, they go into your settings and they set up a setting or filter to auto forward out all your emails. And it's not only that, they're deleting everything that gets auto forwarded out. They can tailor it to be very specific; you'd have it say, you know, any email that uses the word "wire" or "account" or "payment", I want you to filter that out to another email account and then delete it. So, it is very targeted with that. What we recommend and what you really should be doing, along with changing your passwords very regularly: as you change your password, every time go in and check those settings and make sure no unauthorized settings have been set up. You can also actually automate that through your IT groups if you have them. Your IT groups can even, especially if you're using a suite like Office 365, set up a way to monitor all email rules that are set up on your system to prevent unauthorized rules being set up. So that's one thing that is very important.
You guys got to check on that just as much as you change your password. If you do review your rules, you will be able to see the rules set up. Most of the time, these are set up as user-generated rules that you can see in those settings. Pretty easy to do. Particularly in Outlook, go up to the gear on the right, click that, drop it down, go to Settings, go to Rules and Alerts, and see if anything's been set up there.

Tom Cronkright 15:56
Yeah, I mean specifically any forwarding rules, any auto-delete rules, any rules that scan for keywords in emails; all of those you can see either in the Outlook 365 version or in a desktop or native environment. Also in Google, Yahoo. All the different platforms have essentially these rule settings. The challenge is if the rule is set up, you could change your password every single day; the fraudster is still moving that communication into other accounts. So, you just got to make sure you kick him out of that. Then you reset the password and then you enable two factor, or what's called multifactor authentication. Multifactor authentication is an additional security setting. So, you have your username, you have your password. We use a complex password manager here at all of our organizations. That is LastPass (https://www.lastpass.com). In a complex password manager you create this super secure master password and then for every site that you link, for your email accounts, they create some ridiculous password that you'd never know. When you enable multifactor, multifactor is one more layer of security that provides a unique code each and every time that you send in a request to access the account. This adds a little bit more friction. But again, we're balancing friction with user security and data security. As attorneys, the bar for us is always higher. There's no difference in court when we're standing up and someone's on the other side saying, "Let me get this straight.
You didn't check a box for multifactor that could have prevented this whole thing, because this seems to be the proximate cause of where we're landing here." Either your IOLTA account or escrow account was drained, or I've got a consumer facing the loss of life savings. So that's just the brutal truth of it, guys. Then using secure email. Judges really don't understand secure email, but secure email is essentially a rail that provides a security layer between one server and another server. So, you're sending the email on a more secure basis. What we're talking about is making sure that that destination point isn't compromised. Because if the destination point is compromised, secure email doesn't do any good at all. Okay, secure email secures it in transit, not what they call "at rest." So, you got to do both.

Melissa Jay Murphy 18:03
So, it seems to me that these additional safeguards and procedures are all a result of the increasing sophistication and increasing numbers of attempts. So, you know, I just don't think this is somebody in a gray hoodie in a Starbucks anymore. So, who is it that's behind this now, because hasn't that changed?

Steven Dougherty 19:13
She stole my line, or she stole our favorite line. The line is that these are not your lone wolf hackers sitting in their grandma's basement drinking Mountain Dew and eating Cheetos, their favorite lives. That's what people think when they think, you know, computer hackers, cyber fraud. But no, it's definitely not. These guys operate what I refer to as the enterprise business model. It's a top-down business with a C suite and all set up with people below them to work these very complex organizations. They are transnational organized crime organizations. With the C suite you have your CEOs, and they call themselves that, Mr. CEO, Mr. Chairman, and they're the ones that kind of dictate how they want to do their attacks. Then they realize, okay, I need somebody to pull off my phishing attack.
So, they'll go hire somebody to do that. Then they're gonna be like, "Alright, cool, the phishing attack's good. I have the good information. I know when this transaction is going to be done, and I'm going to redirect it." So now it's redirecting to another bank account. So now they need to launder that money. They need to get that money to themselves; to do that they go and set up a sort of financial director wing. That is this expansive network of global money mules that just constantly are transmitting money back and forth. This problem has gotten really bad. We're seeing a lot of money mules actually be picked from some romance scams prior. So, they are unwitting money mules. They don't know what they're doing. They're just told by someone they met online that they're going to receive money and help them for a construction project or something like that. Then forward those funds on. It is a sprawling network of money mules here. It gets even more granular: you have sort of an admin team that helps maintain spoof domains that they need to carry out their attacks, or monitor and maintain email addresses, or pull off other types of fraud such as unemployment insurance fraud; even ransomware is tied into this now to kind of bolster up the organization. So, you really have a robust organization you're dealing with here, and they're very complex. They're very efficient, and as they make more money from these frauds, they only get better. Now they can afford more money mules. They can afford better malware. So, it's just momentum that they've developed and it's a momentous problem.

Melissa Jay Murphy 20:51
I know that they're targeting title agents because title agents are receiving and sending money, but the source of most wire diversions and claims that I am seeing amongst Fund Members involve that mortgage payoff, and they're intercepting the mortgage payoff when it's being sent to the title agent?
Are they sort of hoping that there's an easier way that they can get to that mortgage information and scale it up? Do you think that that's on the horizon?

Steven Dougherty 21:37
Yes. Or it may have already happened, in some instances where they're getting in and they're getting pure information fed to them before it reaches its destination. Tom and I are seeing something very similar. We can't speak about specifics, but Tom, if you want to touch on it.

Tom Cronkright 21:55
You're exactly right, Melissa. I ran a statistic. The average open mortgage balance at the beginning of this month was just over $299,000 across the country. Okay, we haven't seen those levels ever. Again, that's because of the accelerated increase in home prices. So, a few years ago, mortgage payoff fraud really was: I'm sitting in the real estate agent's account. I'm seeing the closing attorney send over the mortgage payoff between the client; they're sitting somewhere and they're obtaining the original copy of the mortgage payoff. They're taking that PDF, they're using software to doctor that up and then spoofing, typically, the loan servicer or the lender, saying, "Hey, we had to make a correction. Here's an updated payoff." So, they were using it as kind of an updated payoff scam. But what they're realizing now is to say, "Wait a second, what if we could distribute your original payoff into the email system of the party requesting it, and it's fraudulent from the beginning, like the first one has been tampered with?" So, we saw this early on in the Nashville area mid-summer. And then we just saw in the state of Texas, where the fraudsters again appear to have compromised the electronic fax account of the title company or title companies using the fax to receive mortgage payoffs. Look, I'm in the industry, 98% of these come over by "fax", but it's not the fax of days past because that was a machine that telephonically printed out something on a piece of paper.
We said we can't do that anymore. We need the fax to be converted to a PDF and an email and then have that sent into our general stream of communication. So, they figured out, I call it the node of distribution. They figured out that, to your point, well, that's a great phrasing, we can compromise these at scale. If we could get access to the eFax, GFI FaxMaker, it doesn't matter, guys, but if they get in there, they can reroute traffic from the originating servicer where the payoff's being sent from, doctor that up, and push it right through the same rail down in the email. Fascinating scam, and we've seen them do it, unfortunately, at scale as recently as a couple of weeks ago.

Melissa Jay Murphy 24:44
What I hear you saying is that in those situations, it doesn't matter if the criminal has put email forwarding rules in my account or not, because they're in there before it even gets to me. So, they're not even diverting any information from my account. They, you know, they've moved on to a much more sophisticated scheme.

Tom Cronkright 25:16
That's 100% right. If you look at what 80% by definition of our disbursement obligations sit at, the mortgage payoff. We can't adequately insure it. The most insurance you're going to get is 250,000 per, and that's assuming you did 15 things and a COVID test and a blood test to show them that you did everything to mitigate the insurance company's risk, which if you did that, you wouldn't have the fraud. And I think the other thing that we're seeing is, you just simply can't trust mortgage payoffs that are coming in either direction, from the fax right now, from a closing attorney that you relied upon to gather that, because you're the disbursing agent, not the rep representing the seller. And if you don't mind, I'll touch on this. It comes down to essentially three things. One, you have codified somewhere a trusted list of mortgage payoff information. Treasury templates are the best way to do it.
That's stored on your bank server wall. So, you start to set up the wire. You type in Bank of America and all of a sudden a bunch of known trusted accounts pop up; you compare it to what you have, you release the wire. Some people do that on spreadsheets. I've seen people that have had folders of PDFs that check, check and date. However you do it, history can be a very, very good guide on what is true versus things that are not true when it comes to mortgage payoffs. Calling to verify any new account information is even harder than it was before. It's hard enough to get them to initiate the payoff. It's even harder right now to confirm just general bank account information for a wire, but you have to do it, or you just send a check. Add some per diem, send a check, but that's why it's important to get the mortgage payoff early in the process. Let's just think about mortgage payoff risk. Unless, I'm sorry, this is going to breach some underwriting standard, the risk only goes down because the worst case is they made another payment. So, let's just get it out in the open. Let's get it before the fraudster has visibility to it. We can always ask for an update, or they'll settle that out with the borrower at the end if for some reason they're radio silent on the verification. Know that we're in the process, and we will be launching at CertifID an insured mortgage payoff database for spring market. So, we're in the process of analyzing over 300,000 trusted mortgage payoff records right now. We'll be piloting this in the next two weeks with a group and then we'll be launching this out. This is the number one threat. This is the threat, guys, that keeps me up at night. Because I know that any loan, commercial, the table stakes could get large very quick, where I'm out of business as a title agency in one single wire. We were involved last year in a 22 and a half million dollar, about $21 million commercial payoff wire recovery that landed in the money mule's account.
One wire that would have been lights out.

Steven Dougherty 28:28
So, if these do happen to you, and there's a very good chance that it may, just due to the threat landscape that's out there, the one thing that's extremely important here: time is money. If you discover this, you need to report it as quickly as you possibly can. There are numerous ways to report it. You can report it through any Secret Service field office; you can just Google "secretservice.gov and field offices." You guys I believe are all in Florida, right, for the most part. So, our Orlando, Tampa and Miami offices are all very active, very good offices; you can reach out directly to them. Or you can also go to the FBI's IC3, www.ic3.gov. It's the Internet Crime Complaint Center. You can also report it there. I'll put the link to the Secret Service field offices in the chat here in a second. But time is money, Tom. I mean, you know, you get live streams of victims to you, and you get them to me, and how fast have you seen money move? Within hours. So, we need to stress that time is money.

Tom Cronkright 29:27
Yeah, what used to be touted as, you know, 72 to 96 hours, with the advent of cryptocurrency and just the sophistication. So, what happens in most cases is that when fraudulent wiring instructions are sent, they are typically sent from somewhere overseas. They're sent from the syndicate running the fraud play, but domestically they have a series of money mules that either know what they're doing or are wrapped up in something they're not even aware of, that take money in and then quickly move it out. They can withdraw it in cashier's checks. They can withdraw it in cash. They can buy gift cards. Most insidious is that they move it into crypto wallets. Then those wallets move, and then they move out into other fiat currencies in different countries, and they can move those funds while the Federal Reserve is closed.
So, as we're trying to digitize and make it more convenient, these rails of moving money, that we would look at as kind of nontraditional, it's just a superhighway for them to launder funds and almost completely avoid detection. So, if you're two or three days in and you haven't triggered a response from federal law enforcement and notified the banks... I mean, to your point, Steven, we've seen money move within hours. But we've also had instances where the money was in the bank branch. We notified the bank through our efforts, and they were stopped cold. I love stories like that. But it's harder. It's harder to reclaim the money after it's been stolen because they understand the gravity of how quickly they have to move the funds.

Melissa Jay Murphy 31:13
So let me go back and let's try to make this really clear to our audience. The moment that you realize that either a mortgage payoff has been diverted or perhaps the seller's proceeds have been diverted, you contact a Secret Service field office, you email the IC3 website and file a notification. You must, I assume, contact your sending bank and the receiving bank, and who do you ask to speak to at both the sending bank and the receiving bank?

Tom Cronkright 31:59
So, before you answer, Steven, here's the point of this. What he's about to say needs to be done in advance. These relationships and this pathway need to be groomed before you have an incident, because what we found is that when crisis hits, people freeze, and you're burning daylight that could mean the difference between something coming back and everything being lost. So, I didn't mean to step on you there, Steven, but what we're about to say is do not wait. This playbook should be set in the organization before there's an incident.

Steven Dougherty 32:41
The way I prioritize it is, first you should actually contact your financial institution that sent the wire.
They generally will, on your behalf, send a wire recall or a SWIFT message that it was due to fraudulent means or compromise. If you contact the receiving bank directly, if you're not a client of theirs, oftentimes they won't help you because you're not their client or customer. That's just a caveat. But immediately contact your financial institution and tell them what happened and see if they can put a wire recall in. The next step is to contact federal law enforcement or local law enforcement, really whatever you're comfortable with. But Tom's point was great: you need to have an incident response plan in place before these happen. You need to know who to call to help you. Local law enforcement can help with this. State law enforcement can help, and federal law enforcement. So, it's whoever you're comfortable with, who you've developed a relationship with. You can just Google; obviously I provided the Secret Service field offices link, you can also Google FBI field offices. HSI, Homeland Security, also plays in this space. IC3.gov is just a place to report that these happened. Even if there's an attempt, report an attempt. Even if you stop it, please report it to IC3.gov, because what that does is it now gives us meat to go after, because there's still the bank account that was used to divert the funds, or the spoofed emails used to send the attack email. We can go add to that as well. So please, the biggest steps are to have an incident response plan in place where you know who to contact and how, and two, report everything you can wherever you see it, because not only does it protect yourself, it protects the entire community.

Tom Cronkright 34:24
Yeah, well, what I've been most surprised by, not most surprised, but one of the surprising things, Steven: I've been involved in well over 100 recoveries last year for 35 to 36 million victims. And I say that because each one has a little uniqueness to it.
One thing that seems to be bubbling up is if you're banking with a credit union or a community bank, maybe a smaller regional bank. You might be surprised, and you don't want to be surprised when you're going through it, that they don't have a fraud desk, they don't have somebody that understands how to send an alert through the Fed wire system or notify the receiving bank which is typically a money center bank. So, it's leaving a small bank. I mean, 9 times out of 10 it's hitting one of the big guys, because of the coordination they have globally. So, if they don't have their own incident wire fraud communication, all those channels. I mean, I had to educate bank presidents on what an indemnification and hold harmless looks like going to a money center bank, to allow the funds to come back to a victim. It's surprises me as a lawyer. So just don't be surprised. You run this. Sit down with your banker and make sure you know exactly who to call and the information that they will that will require. If they in turn, have the rails set up to protect you and get the documentation that the receiving bank is going to need to put a suspension on the account, freeze the movement of money, and hopefully work that back to you or your customer. And Melissa, it's worth noting it's not just the disbursement wires, yes, those were a direct hit to the closing attorneys. But it's the risks that buyers face when the closing attorney is spoofed. They haven't been educated. They haven't been engaged on this issue. They haven't received wiring instructions. And all of a sudden at the closing table we realize that there's no certified check in hand because their life savings was wired a few days ago. And I'm going to say this it does not matter to tell the people we don't receive wired we only receive certified checks. We have seen time and time again. 
The fraudster redirecting through communication the requirement that “Nope, can't have a check now because I've got an OMICRON outbreak or something's going on. I need your wire and I need your wire today.” It's just we've seen it unfortunately. Melissa Jay Murphy 37:05 It does seem to me that reverting to what we call the old-fashioned way of conducting business has some role here, has some advantages here. Some of the questions on the chat or have to deal with these new fax systems that do come straight to your computer versus more of a phone line that's sitting on the desk behind you. But is it better to use an old-fashioned fax machine to send and receive things? The problem is a buyer, the normal consumer, out there doesn’t have a fax machine sitting on their desk if they have a fax number? It's something tied to their computer, but certainly for the purpose of receiving a payoff from a lender. An old-fashioned fax machine seems like it might give you some level of protection. Then in dealing with for example, buyers that need information about where to send their cash due at closing. I don't know what the average homeownership is now, but you know, it's five to seven years, maybe. People don't do this on a daily basis the way we do and so they're not sophisticated and educated about this cyber fraud and rather than communicating with them via email it seems like a reliable form of communication is the good old-fashioned phone. Do you agree? Is that something real practical piece of advice? Steven Dougherty 39:01 You know for customers; this is not a muscle memory transaction for them. Just to put it out there, everybody puts disclaimers at the bottom of their email saying, “wire fraud is real.” Well, guess what? People don't read anything below your signature line in your email. They read the content. That's it, they're not reading and paying attention to that. So, you really have to engage your clients and customers on a very sort of vigorous basis. 
Tom, you agree that you should do it upfront and throughout the entire process. Let them know, this is the process, and fraud exists, this is how we combat it. Tom Cronkright 39:44 We didn't create this threat. The threat is not going away. It's only getting worse. So, what do we do in response? My argument has been to the industry, to my staff, to our community here in West Michigan primarily is that this isn't going to happen on our watch. And if it does happen, we as transaction participants as advisors, lending, real estate, title and closing that we've done everything we could. We met the standard of care as is being defined in the courts, unfortunately, federal and state as to what success looks like for a consumer to be protected. The challenge is we're not driving them to the bank. We're not over their shoulder when they're opening online banking. A lot of them are banking with an eBank and there's no bank branches. That's the other realization with this economy we're in. We're not in a good fun state. So, I don't have to take wires and if I put my title owner hat on, I don't have to take wires in for cash to close. Now don't have to send wires out, pursuant to the state of Michigan. But what I need to do is educate the consumer that this thread is out there. They can strike at any point and we're going to set you up for success. So, the first thing we do is when we issue the title commitment, we send our wiring instructions along with a wire fraud notice to every consumer. We send it through CertifID. You may even say I'm going to send it through secure email; however, you send it just make sure that you have confirmation that they're the ones that actually received it. Because in a vacuum you can say “Look, no wires only checks. Got it great. We'll see you at closing” and then they get tricked after and it's simply not enough. The other thing that we've done is educate them of the closing scheduled. 
“Hey, remember if you are going to wire only those instructions that were sent earlier can be trusted.” With regard to enrolling the real estate agents and the referral partners. This is the key. This is where you can multiply the message and multiply this yourself in this conversation because guess who they trust? They trust the real estate agent because they're typically the one driving the traffic. You're being fed off them. Everyone is kind of beholden or codependent on the real estate agent. There's an opportunity there that at the agency formation, this knowledge transfer takes place. So, through notices, we've provided what we call a “day zero document” that our real estate agents put in Dotloop and DocuSign that we have the customer sign because they might start working with a buyer six weeks ago trying to find houses. We've been involved in wire fraud recoveries where the purchase agreement wasn't even countersigned by the seller in the entire cash to close amount was wired to a fraudster by the buyer. Purchase Agreement wasn't even consummated yet. That's how early they can get approached. So, educating the real estate agent, you know, showing them what you're doing to protect the consumer to protect them, and then getting them as part of the lexicon of how they do their business. Wire fraud becomes this conversational piece, not something that we hide behind or act like it's not happening. That in my opinion, is how you drive sustainable engagement. You can't do it all yourself. Melissa Jay Murphy 43:16 Interesting. I think thiss has been an incredible source of information. So, thank you to Tom and Steven. I think that we might have raised some questions that we have not been able to answer and those have been reflected in the chat. So, what I am going to try to do along with my team is look at the issues and questions created by the chat. Review the information that Tom and Steven have shared with us. 
Try to make some organizational sense to it and try to push something out to Fund Members to update them on the best way to deal with this. Nothing about what you do when you realize there's been a crime is really different than what's on our website right now, Fund Members. We have the IC3 website. The Secret Service connection is something that's a little bit new. And so, we're definitely going to add that kind of information to our webpage. https://www.thefund.com/information-center/information-security.aspx Steven, so thank you for that. Steven Dougherty 44:35 On that website, you can actually go back to do investigations. And there's actually numerous pieces, there's PDFs, there's documents that help prepare for a cyber incident and give updated information on cyber stuff that you can definitely pull down and link to on your website. www.ic3.gov Melissa Jay Murphy 44:54 We will definitely look into that. So, with that I am going to thank Tom and Steven again. I'm going to thank all of you 190 people that participated in this webinar. Thank you so much for your time and attention. Don't forget we're going to push this out on the podcast. And so that's another way you can listen to this webinar again in the information. We will make sense of the comments and information that has been posted in the chats and push that out to you. And as I always do when I wrap up one of these is thank you above all, thank you for your support of The Fund.

Relationship Power at work
Cybersecurity: Urgently help those around you - in cyber distance is an illusion

Feb 27, 2022 · 8:44


Please help remind those you care about to protect their accounts and devices with multifactor authentication everywhere. Seek out ways to stay safe, helping those who you believe don't have the knowledge or capacity. It's always been urgent. Now you can't afford to wait any more. Help save others by lending a nudge, insight or knowledge. In cyber, distance is an illusion, and the forces are unreal with very real consequences for you.

The sgENGAGE Podcast
Episode 219: Cybersecurity 101

Dec 23, 2021 · 17:26


What do you know about cybersecurity? You're probably aware that it's a threat, but if you don't know what cybersecurity threats entail or how to increase your own security, how can you really protect yourself or your organization? Listen in to this BBCon excerpt to learn about some of the basics of cybersecurity, including what the risks and threats are, steps you can take to protect yourself, and how to implement policies at the workplace that protect your company.

Topics Discussed in This Episode:
- What cybersecurity is and what it's for
- The cybersecurity threat landscape
- Understanding what you're up against
- Types of cyber threats
- Remote work threats
- Password security measures
- Multifactor identification
- Secure wifi
- Protecting your company
- Implementing security policies

Resources:
- Cybersecurity Tip Sheet
- Cybersecurity Industry Standards
- Security at Blackbaud Overview

Quotes:
"Additionally, 85% of the breaches that happen involve some sort of human element."
"Bottom line, social engineering takes advantage of someone going about their usual day."
"If you receive an email, phone call, or voicemail that feels odd, it probably is."

XenTegra - On The Horizon
On the Horizon: Zero Trust avoids the traditional “security versus convenience” tradeoffs

Dec 7, 2021 · 24:13


Everyone reading this has probably heard that old rule of thumb that security and convenience are inversely proportional. In other words, increasing security comes with the cost of less convenience, while making things easier to use also means less security. This isn't just in the context of computing, by the way. An unlocked door is easier to use (more convenient) than one that is locked (more secure). A door that you can unlock with a key is easier to use (but less secure) than a door that requires both a key and a keypad code, etc.

In the context of end-user computing, we all see this trade-off daily. Longer passwords are seen as more secure than shorter ones, but they're also harder to remember and type. Six-digit phone PINs are more secure but less convenient than four-digit ones. Multifactor authentication leveraging both a password and one-time code is more secure than just a password but annoying every time we have to switch over to the authenticator app to get that code. Requiring a PIN to unlock the authenticator app is more secure than not, but with the expense of additional steps and user annoyance.

There's never really been any kind of standard for how this should all work and what should be used where. Different companies, policies, regulations, governance, organizational cultures, and sales rep effectiveness drive most of it, and things are different everywhere. What's been historically consistent is that more security has correlated to more hassle for the users.

Finding the balance between security and convenience has always been about tradeoffs. I've always thought of the "security versus convenience" model as a sliding scale, like the one below. You can draw a vertical line anywhere you want in the diagram below to get a certain level of security for a certain level of convenience, and increasing one decreases the other, and vice versa.

Host: Andy Whiteside
Co-host: Erik Collett

Security Management Highlights
December 2021: Tough Questions on Biometrics, Security Research, and Insider Threat Assessment

Dec 3, 2021 · 37:50


“The good old password really has run its course,” says Dave Lewis, Cisco global advisory chief information security officer. So what replaces it? Multifactor authentication with biometrics can raise security levels, and its use is trending up, demonstrating an evolutionary step up in identity and credential management. Also in this month's podcast, Glen Kitteringham, CPP, discusses the value of academic research to security professionals and—most importantly—how to put it into practice. Paul Wood, CPP, explains how taking a proactive, empathetic approach to threat assessment can identify and address insider threats while improving organizational morale.

Craig Peterson's Tech Talk
Is Your Firewall Actually Protecting You? What Should You Be Doing?

Nov 12, 2021 · 84:27


Is Your Firewall Actually Protecting You? What Should You Be Doing? New stats are out this week. So what's the number one vector of attack against us? Our Firewalls. And they're failing. So, what's going on. And what can you do about it? [Automated transcript follows] [00:00:16] And of course, I'm always talking about cyber security, because if you ask me that is one of the biggest problems we have in business. [00:00:27] Today. Well, yeah, you got to find employees. In fact, uh, it's almost impossible to find them in the cyber security space as well. And it's been hard for years. So I try to keep you up-to-date here. We've got boot camps that are coming up and you are really going to like them. We've been working on some supplemental materials for it. [00:00:47] And of course these boot camps are always free, so you can join it. You can have your friends come and learn the. Basics. It's not one of these high sell things. Right. I, I got a little letter in the mail this week saying, Hey, you can come and get a free steak dinner. And of course it's kind of like a timeshare, right? [00:01:09] Jay, you have to listen to the pitch. Yes. Stay over. On us. And you are going to be sitting there for four hours listening to this crazy pitch that's going on. That's not what my bootcamps are. Anybody that's been to. One of them will tell you we work on it. I explain it. You know what you have to do, how you have to do it, the wise, the winds, the wherefores. [00:01:35] So if you would like to learn more for yourself, Make sure you sign up Craig peterson.com sign up for my newsletter. And when a bootcamp is coming up, I will be sure to tell you about it in the newsletter so that you can attend. And it's important to, to understand that this is yeah. Aimed at business, the, these boot camps, but almost everything businesses have to do or shouldn't be doing the same thing applies to you in your. 
[00:02:08] So, if you are a small business person, if you're someone who has some it experience, and you've been assigned to worry about cyber security, this is for you. If you are a very small business and you're kind of the Jack of all trades, and you've got to worry about cybersecurity, this is for you. And I just got. [00:02:31] This week from someone on my email list who is retired and she was talking about her husband and her, they don't have any kids, no errors. They're trying to protect their financial investments. And of course I responded saying, Hey, I'm not a financial investment advisor, but I can certainly give you some cyber security input, which I did. [00:02:53] And you can ask your questions as well. I'm more than glad to hear them. And you probably, if you've sent them in, you know, I always answer them now. My big man, a few days might take me a week, but I will get around to it. And I try and respond to the emails. Sometimes I answered here on the radio show or on my podcast, but usually it's via email me. [00:03:17] At Craig peterson.com. And of course, that's also on my website, Craig peterson.com. And that's also my name Craig Peters on.com. So let's get into the firewall thing. When you have a network, you are connecting that network to your computers, maybe. To your security cameras, to your printers that you have, maybe there's a lock system. [00:03:44] Maybe there's more, all of this stuff is interconnected and it's all rather well and good. You can have a whole lot of fun with it, but it is not as particularly good if you can't get out to the internet. So what do we do? We hook our network, whether it's home or if it's business to the internet. Now, you know, all of this stuff so far, right? [00:04:06] You're following me. The internet is actually inter connected networks. In case you didn't know, there are now millions of networks that are connected on the internet. There are core networks out there. 
We were my company like number 10,000. I think it was, uh, a S an R a S number autonomous system. So we were fairly early on. [00:04:32] And of course, as you know, I've been on the internet in various forums since the early 1980s and helping to develop the protocols, but it is important to remember it is an interconnected network of networks. You might ask why? Well, the bottom line is you aren't connecting your network with other networks that have malicious software on them. [00:04:58] Maybe they're just poorly configured. Maybe they're causing a denial of service attack effectively because there's so badly configured. But whatever the case may be, you are still exposed. If you look at the traffic that's coming to your router. So your router is sitting at the edge of your network connected to your internet service provider. [00:05:19] So it might be Comcast or Verizon or a whole slew of others. But your network is connected via a router. Then the router knows how do I get my data from the input to the output or from the output to the input, if you will upstream and downstream data, that's what the router is for. And if you look at the data on your router and most of us can't, but if you were able to, what you will see is hundreds of thousands of internet packets coming to, and from your. [00:05:55] Router your endpoint every day. Usually these are bad guys doing what are called scans. They do port scans. They're primarily looking for services. So what do you, do you have a firewall now in many cases, you'll get a device from your Janette service provider that has a router built in and has a firewall built in, and it has wifi. [00:06:19] All of this stuff, all built in together makes life all nice and warm and fuzzy and Catalina, doesn't it. But in reality, it's not necessarily a good thing to have it all in one, because you're definitely not going to get the best of breed and router or firewall or wifi, but that's a different story. 
What is that firewall for that router? [00:06:41] Of course, it's getting all this internet traffic and anything that's on the internet that is. I'm trying to get to you is going to go through the. And anything that you are trying to send up to the internet, like for instance, to try and get a web page or something is also going to go up through that router. [00:07:02] So how do you protect yourself time? Was that there wasn't really much of a way to protect yourself. And frankly, there weren't a lot of reasons. To try and protect yourself. And the internet was just this wonderful open thing, lots of fun and played around a lot. Back in the early nineties, it was, it was just a joy in the late eighties to, to be connected up to the internet and then bad guys started doing bad things. [00:07:30] We took the concept of what you have in an automobile and applied it to the. If you're driving your car, your in the passenger compartment and that passenger compartment is hopefully warm in the winter and cool in the summertime. And you are protected from that big mean nasty engine that's in front of you, or if you're driving an electric car from those mean nasty batteries that are probably below you in that car and what's between you and the. [00:08:04] Of course a firewall. And the idea is to keep the nastiness of that engine, all of the heat, the oil, the grime, the wind, everything else is associated with that engine. Keep that away from you so that you can now drive that car just comfortably in that controlled climate of the passenger compartment, that concept was then applied to the inter. [00:08:30] And in fact, I designed and implemented one of the first firewalls ever made way back when and the firewall in the internet Partland is very similar to the car in the car. You have some protrusions through that fire. Don't you, you you've got a steering wheel. How does that get up to the front of the car? 
[00:08:53] Well, it goes through the firewall and around that steering wheel, of course there's some EBDM, some rubber type stuff that helps stop anything from coming through right next to that steering column. Same, thing's true with the brake pedal and the gas pedal. At least it used to be. Nowadays, it's so much of this as drive by wire, that the only thing going through the firewall is a wire and there's no mechanical linkage. [00:09:24] Unlike my car, which is a 1980 Mercedes-Benz diesel. Where yes, indeed. Direct linkages to everything. So the firewall in the cars protecting you from the nastiness in the engine compartment and the firewall, when it comes to your internet is doing something very similar. Think about your house for a minute, you have a house with doors and windows. [00:09:53] I would hope. And a chimney and maybe a couple of other protrusions that are going outside of the house. Well, you have some similar problems and when it comes to the internet and when it comes to the firewall, With your house, sir. Sure. You could post a guard out front, a whole series of them. You've got a dozen guards out front and they are all guarding that front door. [00:10:19] But if no, one's watching the back door, if no one's paying attention to the windows, there's still ways for the bad guys to get in. And that's what we're going to talk about. How does the internet firewall tie into this analogy of cars and the analogy of your home? Because it's a very important point when you get right down to it. [00:10:44] We need to understand this because the number one tactic reported this week by MITRE and Cisco is exploitation of public facing application. So I'm going to explain what that is. What's your firewall can do for you and what you should do for your firewall. A stick around. We've got a lot more coming up. [00:11:09] I want to invite you to go. Of course, right now, online to Craig peterson.com. Once you're there, just sign up for mind's newsletter. 
Simple Craig peterson.com. [00:11:25] This week, we found out what the top five tactics are that are most frequently being used by bad guys to attack us. This is done by MITRE and Cisco systems. Number one, public facing applications. What does that mean? [00:11:42] We've been talking about this report, but really what we've been delving into is how data flows on your network, whether it's a home network or maybe it's a business network, how does this whole mess work? [00:11:58] And when miters talks about the biggest problem here, 91% of the time being what's called an exploit of a public facing application, what does that mean? We went through the basics of a firewall and a router. So all of the data coming from the internet, coming into the router, then handed to the firewall. [00:12:24] Any data going out, goes into the firewall. And then the. So that's the pretty simplistic version. And of course the firewall on your network does a similar thing to the firewall in your car. It stops the bad stuff, at least it's supposed to, but your home and your car both have different ways of getting. [00:12:48] Past the firewall in the house. It's your doors and your windows in the car. Of course, it's where the steering column goes through where the brake pedal and the gas pedal go through the clutch, all of that stuff that perch, um, permeates, it goes through. That firewall. And of course, you've probably, if you're been around for awhile, you've had leaks coming through your firewall and, uh, you know, how poorest they can be sometimes. [00:13:18] Well, we have the same type of thing on our internet firewalls. Every home has doors and what we call the doors in on the internet is similar to what they call them. On the, in the Navy, on the water, the reports. So think about a porthole in a boat, or think about a, a door, a port, which is the French word for door. [00:13:45] What happens on the internet? 
For instance, if you're trying to connect to Craig peterson.com, you are going to connect to a specific port on my server. So the address typically, uh, is going to be resolved by DNS. And then once it gets to the server, you can connect to port 4 43. You might try and connect to port 80, but I'll do a redirect, but that's neither here nor there. [00:14:12] So you're going to connect to that port four 40. So my firewall has to say, Hey, if somebody is coming in and wants to get to port 4 43, which is called a well-known port, that's the port that all web server. Listen on. So if someone's trying to get to my port, my web server on port 4 43, let them in. But if someone's trying to get to another port, don't let them in. [00:14:48] Now there's multiple ways to respond or not respond. I can talk about that right now. That'd be for deep dive workshop, but the idea is. Each application that you are connecting to, or that your providing has. Part of the problem that we've been seen. And this is a very big problem is that people are not changing the administrative passwords on their machines. [00:15:20] So administrative passwords mean things like admin for the username and admin for the password on your firewall. So. Your firewall, if you have what's called when admin enabled, what that means is someone on the wide area network. In other words, The internet, someone on the internet or on the, when can connect to your firewall and control it. [00:15:51] This is, as you can imagine, a very big thing, and it is something that we cover in one of our workshops, explained it all and all of the details and what to do, but most businesses and most people have not properly configured their firewalls. When we're talking about number one, problem, 91% of the time being an exploit against public facing applications. [00:16:18] What that means is they could very well just be trying to connect to the administrative interface on your firewall. Unfortunately, they will often offer. 
Change the software on your firewall. So they won't just reconfigure. They'll just change it entirely. And they'll do all kinds of evil things. Again, we're not going to get into all of that and what to look for and what can happen. [00:16:44] But number one thing everybody's got to do, and I saw some stats this week as well, that made me want to bring the. Most people and most businesses about two thirds have not changed the default passwords on the hardware that they have. Now it can understand sometimes the kids confusing. No question about. [00:17:07] But if you don't change the password on something that's public facing, in other words, something that can be reached from the internet or again, the wide area network. I know there's a lot of terms for this, but something that someone else can get at from outside your network. And it's the default password like admin admin, you could be in a whole lot of. [00:17:35] So check that right now, please double check that triple check that because even if you have a router from a big internet service provider, again, like the Comcast Verizon's, et cetera of the world, they will almost always have it set up. So you can change that administrative password and Jewish. Now I, again, for clients, I have some different advice than I have for, for just regular users, but make sure you change that. [00:18:09] And here's the second part of the problem. What happens if you have a business and let's say you're not hosting your own website, like I've been doing for a couple of decades and how three 30 years, I guess now. Um, and so you've got your website hosted at some. Web height site, hosting place, you know, Gator or one eye and one eye and one or GoDaddy or whatever. [00:18:35] Okay. So, okay. That's fine. So let's not inside our network. Uh, w we don't worry about the security because that's the vendor's problem. Now we're talking about, okay, what happens. My users who need to work from home. 
This gets to be a very big problem for so many people, because work from home is important. [00:19:00] So what are you going to do? Well, basically in most cases, unfortunately, businesses are just exposing an application to the internet. So they might, they might. Terribly configured networks, where there is a direct connection that goes right to the files. So you connect to a port on their firewall and it immediately redirects it internally. [00:19:30] Remaps it to the file server. And some people are really, really clever. Alright. Or so they think, because what they'll do is they'll say, okay, well, you know, that, that normal port number. Okay. So I'm going to move. Port number. So you're going to connect to port 17, 17 on my firewall, and it's going to connect you to the file share on my file server so that people from home can just connect to port 17, 17, and ta-da, there are all the files and yeah, we're, we're using passwords, so it'll be okay. [00:20:06] It'll be fine. Um, but, uh, guess what it isn't for a few. Different reasons are we're going to be talking about those here in just a minute. Yeah, I want to encourage you right now. Take a minute. Go online. Craig peterson.com. You'll find lots of information there. I've got 3,500 articles, all searchable, Craig peterson.com. [00:20:32] But more importantly, make sure you sign up for my newsletter. Craig peterson.com/subscribe. So that you can keep up to date on everything that is important in all of our lives. [00:20:51] We're talking about firewalls at home at the office, what it means to have public facing services, really applications, people working from home. How can you make it easy for them and hard for the bad guy? [00:21:15] Many businesses had to quickly change the way their computers were set up because of course the lockdown and people working from home. [00:21:26] And, um, unfortunately. Many mistakes were made. 
And some of this, in fact, I'm going to talk a lot of this problem up to these managed services providers break, fix shops. My, my fellow information technology contractors, if you will, because they didn't know any. Most of these people have been computer people, their whole lives, right. [00:21:55] They played with PCs when they were young and they might've taken a course or two and wow. MCSC certified. Believe me, this is not something that a straight up MCSC or. And frankly, most of the it certifications can really understand or really handle the cybersecurity can be done, but there's so many things they overlook just like what I was just talking about, exposing a file server directly to the internet. [00:22:29] I mentioned, okay. While they thought it was going to be safe because there's a username and password, but there's a couple of huge problems here. Problem. Number one. When you're exposing a service to the internet, like for instance, the files server, you are exposing software that may have exploitable, but. [00:22:54] And again, going back to those stats from earlier this week, more than half of all of the systems that are out there are not patched to date. It's so bad that president Biden just ordered the federal government agencies to apply patches some as old as three years. So what happens now? Well, the bad guy scan, and guess what they found. [00:23:23] Port that you thought was just so clever because it wasn't the standard port number for that service. Maybe it's SMB or CIFS or something else. And, uh, they found it because they scan, they look, they see what the response is that tells them what type of a server sitting there. And then they try, well, let me see. [00:23:45] There's the zero day exploits, but why bother with those? Let's just start with the good old standard ones. And unfortunately, because so many machines are not patched up at all, let alone properly patched up. You, they end up getting into the machine. 
It's really that simple, just because it's not patched up.

[00:24:08] How does that sound? Huh? Yeah, it's just plain not patched up. It's now available for anyone to be able to use, anybody to be able to access, right? It's not restricted. So the passwords don't matter if you haven't patched your systems. And then the second problem is that there are brute force attacks against so many servers out there.

[00:24:36] And most of the time what we're talking about is Microsoft, but, you know, the share of bugs kind of goes around. But Microsoft really, they get nailed a lot more than most, mainly because they're probably the number one out there that's in use today. Not in the server community, certainly, but certainly also in the

[00:24:59] small business world. It's been, you know, small businesses, that's all they know. So they just run a Microsoft server, and more and more you kind of have to run it, because, I get it, you know, there are so many apps that depend on the various functions that are provided by the Active Directory server at Microsoft and stuff. So we do that for our customers as well.

[00:25:19] So are you starting to see why the brute force against a server will often get them in? And the smarter guys figure out what the business is, and then they go to the dark web and they look up those business email addresses that have been stolen along with the passwords that were used.

[00:25:43] That's why we keep saying use a different password on every site, because that stolen password now is going to be tried against your service, your file server that might be there. You might be trying to have a VPN service that the people are VPNing in from home. You might have remote desktop, which has been an

[00:26:08] abject failure when it comes to cybersecurity. It's just been absolutely terrible. So you might have any of those types of things.
And if they've got your email address and they've got the passwords you've used on other sites, which they've stolen, and they try them, are they going to work? Odds are yes, because most people, I got another set of stats this week,

[00:26:36] most people use the same password for every site out there, or every type of site. So the second most common is they use one password for all of their social media sites, they use another one for all of their banking sites. So we cover this in some depth in our bootcamp so that you understand how to do the whole password thing.

[00:27:03] And what I recommend is a piece of software called 1Password. I don't recommend that you just use one password for everything. I was misunderstood by someone the other day. "You mean I use one password for everything?" Yeah, you do. And then I talked to them a little bit more, because I thought that was an odd question.

[00:27:24] And it turned out he was thinking you just have the one password, like, you know, P@ssw0rd, right? You use that everywhere. No, there's a piece of software. Go to 1Password.com. That's what I recommend as a password manager, and I show you how to use that and how to use it effectively in my bootcamp.

[00:27:48] Absolutely free, just like the radio is free. I'm trying to get the information out to as many people as possible, but you've got to be on my list, CraigPeterson.com. Make sure you go there. So I've explained the basics here of what happens. We have a door open or windows open, ports on our servers, on our firewalls at home

[00:28:15] and at work. So the thing to do, particularly if you're a business, but even if you're a home user, is check that firewall configuration. And let me tell you something that probably won't come as a surprise. Most of these internet service providers are in the business to make as much money as possible, and cybersecurity is very much secondary.
[00:28:40] They know, they talk about it, and they talk about software-defined networks and things that sound really cool. But in reality, what they give you isn't configured very well and is going to expose you. So make sure you go in. They will set it up, for instance, if they're providing you with television services, they'll set it up so that they can just bypass your firewall and get into the cable box that they installed in your house.

[00:29:09] Yeah. Obviously that's not something they should be doing, because now they are opening you up to attack. What happens when there's a cybersecurity problem with the cable box? We've seen this problem too with television vendors, where they poke a hole out through your firewall so that they can then gather statistics and do firmware updates and everything else.

[00:29:34] It's insane. It really is. These vendors are not thinking about you. They're not thinking about the consequences. It is a very, very sad situation, but now you know what to do and how to do it. Okay, I explained today firewalls, I explained routers, I explained ports, which should be open, which should not be open,

[00:29:58] and the reasons why. I even mentioned passwords. I get into that in a lot of detail in my bootcamp. CraigPeterson.com to get on that waiting list. CraigPeterson.com, just subscribe and you'll be kept up to date.

[00:30:14] There has been a whole lot of discussion lately about Meta. You might have heard, in fact you probably did, that Facebook changed its name to Meta and they're aiming for something called the metaverse. So what is it exactly, and what's it going to do for, or to, you?

[00:30:32] The metaverse, oh my gosh. I had a great discussion this week about the metaverse. This came out originally, anyways, in this novel called, what was it now?

[00:30:47] Snow Crash. That's what it was, 1992, Neal Stephenson.
I'm not sure how he pronounces it, but in this book, which was a cyberpunk novel, and I've always thought cyberpunk was cool, the metaverse is an imaginary place that's made available to the public over the worldwide fiber optics network

[00:31:13] and is projected onto virtual reality goggles. Sound familiar yet? And in it you can build buildings, parks, signs, as well as things that do not exist in reality, such as vast hovering overhead light shows, special neighborhoods where the rules of three-dimensional spacetime are ignored, and free combat zones where people can go hunt and kill each other.

[00:31:42] Great article about this in Ars Technica this week. And that was a little quote from the book and from the article. Phenomenal idea. Well, if you have read or seen the movie Ready Player One, and I have seen the movie, but a friend of mine this week said the book is so much better, so I'm going to have to read that book, Ready Player One.

[00:32:06] But in it you have these people living in a dystopian future where everything is badly worn down, the megacities, people building on top of each other, and they get their entertainment and relaxation and even make money, and pass the time, by being inside this virtual world. They can go anywhere, do anything, and play games or just have fun.

[00:32:39] One of the vendors that we work with at my company, Mainstream, has this kind of a virtual reality thing for, kind of a summit, so people can go and watch this presentation, and I think it's stupid. But you walk in, and it's just on a screen, they're not using like those Oculus 3D glasses, but you walk into an auditorium.

[00:33:13] So you've got to make your little avatar walk down, dun dun dun dun, and then go to an empty seat, and then you have to make your avatar sit down, right? I have never played a game like this. I never played Second Life, never any of that sort of thing.
It was kind of crazy to me. And then I was doing a presentation, so I had to go, dun dun dun, up onto the rostrum there and stand behind the podium, and then put my slides up on this virtual screen.

[00:33:49] It was ridiculous. I have a full television production studio here in my lab, right? And this is where I do the radio show. This is where I do my television appearances. This is where I do pretty much everything. And so what I can do is I can split screen with my face, with the desktop.

[00:34:12] You can see my desktop, I can draw on it, circle things, highlight things or whatever I want to do, right? But no, no, no, no. I was in their virtual reality. And so all I could do is have the slides come up. In fact, I had prepared beforehand, pre-taped it, the whole presentation, but I couldn't play that video.

[00:34:37] No, no, no. I had to show a slide deck. You know, death by PowerPoint. I'm sure you've been there before. It's very, very frustrating, in case you can't tell, for me. Well, we've seen this type of thing. I mentioned some of the things like that. I mentioned Second Life. I'm sure you've heard of that before. The Sims is another one you've probably heard of before.

[00:35:01] These types of semi-metaverses have been around a very long time. And in fact, all the way back to the nineties there's Habbo Hotel. Gee, I don't know if you ever heard of that thing, but it was an online gaming and social space. I helped to develop one for a client of mine back in the early nineties.

[00:35:23] It didn't really go very far. I think it was ahead of its time. It's interesting right now, enter Mark Zuckerberg. Do you remember a few years ago Mark Zuckerberg had a presentation? He was going to make this huge announcement, right? They bought Oculus. What was it? It was like a crazy amount of money. And then he came in the back of the hall.
[00:35:50] And nobody noticed. He walked all the way up to the front and nobody even saw him, because they were all wearing these 3D glasses. And of course, today they are huge, they are awkward, and they don't look that great, the pictures inside, but the idea is you can move your head around and the figures move as your head moves, almost like you're in the real world.

[00:36:13] And that's kind of cool, and people thought it was kind of cool, and they didn't see Zuckerberg because they all had these things on. And the inside was playing a little presentation about what Facebook was going to do with Oculus. Well, they just killed off the Oculus name anyways here a couple of weeks ago, over at Facebook, about the same time that they got rid of the Facebook name and went to Meta.

[00:36:39] The Facebook product is still called Facebook, and it appears what they are going to be doing is taking the concept of a metaverse much, much further than anyone has ever taken it before. They're planning on, there's speculation here, okay? So, you know, obviously I don't give investment advice.

[00:37:10] But I do talk about technology, and I've usually been five to ten years ahead, so take that as well, with a grain of salt. But I think what they're planning on doing is Facebook wants to become the foundation for metaverses. Think about things like World of Warcraft, where you've got the game that people are playing.

[00:37:39] And it's a virtual reality, basically, right? It might be 2D, but some of it's moving into the three-dimensional world. Other games like Minecraft and Roblox, they have some pretty simple building blocks that people can use, network effects and player creativity, to make your little world, and the ability

[00:38:04] to exchange and/or sell your virtual property. That's where I think Mr.
Zuckerberg is getting really interested now, because if they can build the platform that everybody else who wants to have a virtual world builds their virtual world on top of, man, do they have a moneymaker. Now, people like me, we're going to look at this and just poo-poo it.

[00:38:35] I'm sure, I'm absolutely sure, because it will be another 20 years before you really think it's real. You know, some of these sci-fi shows have talked about it. You know, you can feel someone touching you, et cetera, et cetera. Yeah, that's going to be very crude for a very long time. And now CGI is pretty good.

[00:38:57] Yeah, you watch the movies, CGI is great, but that takes weeks' worth of rendering time on huge farms, clusters of servers. So it's going to take quite a while, looking at the normal advancement of technology, before this really becomes real. Now, there have also been US court cases over who owns what, and that happened with EVE Online,

[00:39:28] Second Life, where disagreements over player ownership of the virtual land created by the publisher, which was Linden Lab. And I've also mentioned in the past how our friends over at the IRS have tried to tax some of the land that you own inside these virtual worlds. So ownership, do you really own it?

[00:39:55] Does it really exist? Well, with non-fungible tokens, maybe it does. And these non-fungible tokens are basically just a checksum, a verification, I'm really oversimplifying, of some sort of a digital something or other. Lately, and initially, it was mostly pictures. And so you had a picture of something and you owned that, and you could prove it because of the blockchain behind it.

[00:40:27] But I think this is where he's really interested, because if he can build the base platform, let the developers come up with the rules of, let's call it a game, and come up with what the properties look like and how people can trade them and sell them and what kind of upgrades they can get, right?
[00:40:48] So that's nothing Zuckerberg has to worry about. Meta or Zuckerberg then worries about, okay, so how do we collect money for these? How do we check with the transactions? Somebody wants to buy that Sword of Damocles, how does that transaction work, and how do we, Facebook, Meta, how do we get a slice of the action?

[00:41:16] You've got to believe that that's where things are going. And if they have the ability to make this base platform and be able to take characters from one part of a developer to another part of the developer, you could have worlds where Gandalf might be fighting Bugs Bunny, right? Interesting, interesting. And Warner Brothers, all these movie companies, would probably be coming out with complete virtual reality.

[00:41:49] So when you're watching James Bond, you're not just watching James Bond, you can look around, you can see what's happening, people sneaking up behind. And ultimately you could be James Bond, but that's decades away. I think a good 20 years. All right, everybody. Thanks for sticking around here. Make sure you go online.

[00:42:11] CraigPeterson.com/subscribe. Get my weekly newsletter. Find out about these free bootcamps and other things that I have, so we can keep you up to date and keep you safe.

[00:42:25] We already talked about Meta and their name change, the metaverse, but there's something else Facebook did this last week that surprised a lot of users, something they started in 2010 but has been controversial ever since.

[00:42:41] We had a pretty big announcement, frankly, this last week from our friends over at Facebook, not the one where they changed their name and they're

[00:42:51] basically trying to create a metaverse platform that's going to be the one platform that rules the world. Although those are my words, by the way. But Facebook has announced plans now to shut down a decade-old facial recognition system this month. We'll see what they do with this.
If they follow through entirely, they're planning on deleting over 1 billion faces that they have already gone through and analyzed.

[00:43:26] You might remember, in 2010, Facebook had a brand new feature. It started announcing, hey, did you know that so-and-so just posted your picture? Is this you? Is this your friend? Is this so-and-so? Do you remember all of those questions, if you were a Facebook user back in the day? Well, they were automatically identifying people who appeared in digital photos and suggested that users tag them with a click. We're going to get to that in a minute here.

[00:43:57] And of course, that then linked the Facebook account for the person that you tagged to the images and let that person know. And of course, Facebook's ultimate goal is to get you to stay online as long as possible, because if you're online, you are going to be looking at ads that are aimed primarily at you.

[00:44:18] Well, facial recognition has been a problem. We've seen it worldwide. I just read through a statement from the Electronic Frontier Foundation talking about facial recognition and the problems with it, how some people have been arrested based on facial recognition and held for over a day. We have cases where the police used kind of a crummy photograph of them from a surveillance video, sometimes also from a police car. In some areas the police cars are continually taking video and uploading it to the internet, looking for things like license plates, to see if a car has a

[00:45:00] parking ticket that hasn't been paid or it hasn't paid its registration, all the way through looking at faces, who is this person? And some in law enforcement have kind of thought it would be great to have kind of like RoboCop. You remember RoboCop, not the ED-209, that was also in that movie, that's also very scary. But when they look at someone who's on a street, it autonomously
[00:45:24] pops up in their glasses who it is, any criminal record, if there's any sort of a threat, et cetera. And I can understand that from the policeman's standpoint. And I interviewed, out at the Consumer Electronics Show, a manufacturer of that technology. It was kind of big and bulky at the time. This was probably about six or eight years ago, but nowadays you're talking about something that's kind of Google Glass size, although that's kind of gone by the wayside too.

[00:45:54] There are others that are out there that do facial recognition. Technology has really advanced in its ability to identify people, but you still get false positives and false negatives. And that's where part of the problem comes from. They have been taking, and they've been private companies primarily but also some government agencies, they've been taking pictures from wherever

[00:46:21] they can find them. We've talked about Clearview AI before. This is a company that literally stole pictures that it could get off the internet. They scanned through Facebook, Instagram, everywhere they could find faces, and they tied it all back in. They did facial recognition on all of those photos that they had taken and then sold the data to law enforcement agencies.

[00:46:49] There's an app you can get from Clearview AI that runs on your smartphone, and you can take a picture of someone in the street. Clearview AI will run that face through their database and will tell you who it is, what their background is, where their LinkedIn page is, their Facebook page, wherever it found them online.

[00:47:13] Basically, that's what they've been doing. Now Clearview had a problem here this last couple of weeks, because the Australian government ordered them to delete all facial recognition data belonging to anyone that lives in Australia. Now that's going to be a bit of a problem for Clearview, because it's hard to identify exactly where people live just based on a photograph.
[00:47:40] And the United Kingdom is also considering doing this exact same thing. Now, Clearview has been sued. They violated the terms of service from Facebook and some of these other sites that I mentioned, but they did it anyway. And Clearview was ordered to destroy all the facial images and facial templates they had retrieved about any Australian.

[00:48:08] I think that's probably a pretty good idea. I don't like the idea of this data being out there. Well, if your password is stolen, and we're going to be talking about that in our bootcamp coming up here in a couple of weeks, about how to determine if your username or your password is stolen. And of course, if you want to get that

[00:48:29] bootcamp and go to that, there's no charge for it, but you have to know about it. And the only way is to sign up. You have to make sure you're on my email list at CraigPeterson.com. But what happens when your email address is stolen, or your password, or both are stolen from a website? Well, typically they end up on the dark web.

[00:48:50] They sell personal identification for very little money. In some cases it's only a few dollars per thousand people's identities. It is absolutely crazy. So the bad guys are looking for that information. But you can change your password, you can change your email address, but if your facial information is stolen, you can't change your face.

[00:49:18] If your eye print is stolen, you can't change your eye. I have a friend who's pretty excited because he got to go right through the security at the airport ever so quickly, because all they had to do was scan his eyeball. Well, that data is valuable data, because it cannot be changed, and it can in some cases be replicated.

[00:49:41] In fact, the Department of Homeland Security and the Transportation Security Administration had a database of face prints stolen from them in 2019. About 200,000 people's identities were stolen, the face prints. It's just absolutely crazy.
And this was a vendor of US Customs and Border Protection.

[00:50:05] And you can't write it down to one thing. I read the detailed report on it just now, and the report that came out of the federal government said, well, it went to a contractor who took the data, all of the face prints, off site over to their own site, and it wasn't encrypted when they took it over there. But it does mention that it was taken from an unencrypted system at Customs and Border Protection.

[00:50:34] So wait a minute. Now you're blaming the contractor that you hired because it wasn't encrypted, and yet you didn't encrypt it yourself either. I guess that kind of goes around. But they want your biometric information just as much as they want anything else. Think about your phones.

[00:50:53] Nowadays, Apple has done a very good job with the biometrics and the fingerprints and making sure that that information is only ever stored on the phone. It never goes to Apple, never leaves the phone. It's in what Apple calls the Secure Enclave. And if you mess with it at all, it destroys itself, which is part of the problem with replacing a cracked screen yourself on an iPhone, because you're going to disturb that Secure Enclave and the phone will no longer work.

[00:51:24] That is not true when it comes to many other devices, including most of your Android phones that are out there. So if the bad guys have your face print, they can create 3D models that can and do, in fact, go ahead and fool it into letting them in. That's information they want. So why are we allowing these companies like Clearview AI

[00:51:52] and others to buy our driver's license photos? The federal government too, by the way, buys our driver's license photos, buys them from other sites, and also our passport information. It's getting kind of scary, especially when you look into China. China has a social credit system.
And the Biden administration has made rumblings about the same here in the US. But in China, what they're doing is they have cameras all over the place, and your faces,

[00:52:27] they can identify you. So if you jaywalk, they take so many points off of your social credit. If you don't do something that they want you to do, or be somewhere they want you to be, you lose credits again. And you can gain them as well by doing various things that the government wants you to do. And

[00:52:49] ultimately, if you don't have enough social credit, you can't even get on a train to get to work. But the real bad part are the Uyghurs. This is a minority in China, and China's authorities are using US facial recognition technology and artificial intelligence technology, hey, thanks, Google, for moving your artificial intelligence lab to China, in order to control and track the Uyghurs.

[00:53:19] Absolutely amazing. In the United States, law enforcement is using this type of software to aid policing, and we've already seen problems of overreach and mistaken IDs. So Facebook, too, deleting a billion of these frameworks, if you will, of people's faces, biometrics. Good for them. Hopefully this will continue a trend elsewhere.

[00:53:46] Well, we've talked a little bit today about firewalls, what they do, how your network is set up. If you missed that, make sure you catch up online, my podcast at CraigPeterson.com. But there's a whole new term out there that is changing security.

[00:54:03] It's difficult to set up a secure network.

[00:54:07] Let's just say mostly secure, because if there's a power plug going into it, there's probably a security issue. But it's difficult to do that. And historically, what we've done is we've segmented the networks. So we have various devices that may be a little more harmful on one network, other devices at a different level of security, and many businesses that we've worked with, we have five different networks, each with its own level of security.
[00:54:38] And in order to get from one part of the network, for instance, let's say you're in accounting and you want to get to the accounting file server, we make sure your machine is allowed access at the network level. And then obviously, on top of that, you've got usernames and passwords. Maybe you've got multifactor authentication or something else.

[00:54:59] That makes sense, doesn't it? Well, the new move today is to kind of move away from that somewhat. And instead of having a machine or a network have firewall rules to get to a different network or different machine within an organization, there's something called zero trust. So again, think of it. You've got a network that just has salespeople on it.

[00:55:25] You have another network that might have just your accounting people. Another network has your administrative people, and another network has your software developers, et cetera. So all of these networks are separate from each other, and they're all firewalled from each other, so that only, for instance, accounting people can get to the accounting server.

[00:55:44] Okay, et cetera, right? The sales guys can enter the sales data, and the programmers can get at their programs, and maybe the servers that are running their virtual machines that they're doing testing on. Well, zero trust is substantially different. What they're doing with zero trust is assuming that you always have to be authenticated.

[00:56:11] So instead of traditional security, where where you're coming from helps to determine your level of access, you are assuming that basically there are no units of trust. So I don't care where you're coming from. If you are on a machine in the accounting department, we want to verify a lot of other information before we grant you access.

[00:56:38] So that information probably does include what network you're on. It probably does include the machine you're on, but it's going to also include you as a user. So you're going to have a username. You're going to have an ID.
You're going to have multi-factor authentication. And then we're going to know specifically what your job is and what you need to have specific access to,

[00:57:04] because this follows the overall principle of least privilege to get your job done. Now you might have thought in the past that, oh my gosh, these firewalls, they're just so annoying, it's just so difficult to be able to do anything, right? Well, zero trust is really going to get your attention if that's what you've been saying.

[00:57:23] But here's an example of the traditional security approach. If you're in the office, you get access to the full network, because that's pretty common, right? That's not what we've been doing, but that's pretty common, where we have been kind of working in the middle between zero trust and this traditional: you're in the office,

[00:57:41] so you can potentially get at everything that's in the office. And if you're at home, well, all you have to do is access a specific portal or, as I've explained before, well, you are just connecting to an IP address on a hidden port, which won't remain hidden for long. So maybe in a traditional security approach, the bouncer checks your ID,

[00:58:08] and you can go anywhere inside this club, and it's multi-floor, right? But in a zero trust approach, getting into the club, having that bouncer look at your ID, is only the first check. The bartender or the waiter, they also have to check your ID before you could be served, no matter where you are in the club. And that's kind of how they do it right now, though. They'll make a mark on your hand or they'll stamp it.

[00:58:35] And now they know, okay, this person cannot get a drink, for instance. So think of it that way, where every resource that's available inside the business independently checks whether or not you should have access to it. This is the next level of security. It's something that most businesses are starting to move towards.
[00:58:57] I'm talking about the bigger guys, the guys that have had to deal with cybersecurity for a while, not just the people who have a small business. Most small businesses have that flat network that I talked about, right? The traditional security approach of, oh, you're in the office, so yeah, you can get at anything.

[00:59:15] It doesn't matter. And then you have the sales guys walking out with your client list, and who knows what else is going on. Think of Ferris Bueller, where he was updating his grades and missed days at high school from his home computer, and you've got an idea of why you might want to secure your network internally, because of, again, those internal threats.

[00:59:40] So keep an eye out for it. If you're looking to replace your network, obviously this is something that we've had a lot of experience with. Cisco is probably the best one out there for this, but there are a few other vendors that are pretty good. If you want to drop me an email, I'll put together a list of some of the top-tier zero trust

[01:00:02] providers so that you can look at those. I don't have one right now, but I'd be glad to. Just email me, me@craigpeterson.com. We can point you in the right direction. But if you have an IT person or department, or whether you outsource it to an MSP, a managed services provider, make sure you have the discussion with them about zero trust.

[01:00:28] Now, when I'm looking at security, I'm concerned about a bunch of things. So let me tell you something that Karen and I have been working on the last, oh man, few weeks. I mentioned the bootcamp earlier in the show today. And one of the things that we're going to do for those people that attend the bootcamp is, I think, incredible.

[01:00:49] This has taken Karen so much time to dig up. What she's done is she's worked with me to figure out what are the things that you need to keep tabs on.
Now, again, this is aimed primarily at businesses, but let me tell you, this is going to be great for home users as well. And we've put together this list of what you should be doing

[01:01:15] about cybersecurity every week. And in fact, a couple of things that are daily, but every week, every month, every quarter, every six months, and every year. It's a full checklist. So you can take this and sit down with it and, you know, okay, so I have to do these things this week. And this isn't in response to anything in particular. It does meet most requirements, but frankly, it's something that every business should be doing when it comes to cybersecurity.

[01:01:53] It includes things like passwords. Are they being done right? Did you do some training with your employees on phishing or a few other topics, all the way on down to make sure you got some canned air and blew out the fans in your workstations. You'd be amazed at how dirty they get, and heat is the enemy of computers. It makes them just fail much, much faster. Same thing with servers.

[01:02:22] So it is everything. It is a lot of pages, and it is just checkboxes. She made it nice and big, right, so even I can read it. But it's little check marks that you can mark off while you're going through it. So we're doing some more work on that. She's got the first couple of iterations done. We're going to do a couple more, make sure it is completely what you would need in order to help keep your cybersecurity in check.

[01:02:50] But the only way you're going to get it is if you are in the bootcamp, absolutely free. So there's this list, or of course you won't find out unless you are on my email list. CraigPeterson.com/subscribe.

[01:03:06] One of the questions I get asked pretty frequently has to do with artificial intelligence and robots. Where are we going? What are we going to see first? What is the technology that's first going to get into our businesses and our homes?
[01:03:22] Artificial intelligence is something that isn't even very well-defined. There's machine learning and there's artificial intelligence.
[01:03:33] Some people put machine learning as a subset of artificial intelligence. Other people kind of mess around with it and do it the other way. I tend to think that artificial intelligence is kind of the top of the heap, if you will, and that machine learning is a little bit further down, because machines can be programmed to learn.
[01:03:54] For instance, look at your robot. Your iRobot cleans the floor, cleans the carpet. It moves around. It has sensors and it learned, hey, I have to turn here. Now, iRobot is actually pretty much randomly driven, but there are some other little vacuum robots that do learn the makeup of your house. The reason for the randomization is, well, chairs move, people move, things move.
[01:04:22] So trying to count on the house being exactly the same every time isn't exactly right. By the way, a lot of those little vacuums that are running around are also sending data about your house up to the manufacturer in the cloud. So they often will know how big the house is. They know where it's located because you're using the app for their robot.
[01:04:47] And that, of course, has access to GPS, et cetera, et cetera. Right. But where are we going? Obviously, the little iRobot, the little vacuum, does not need much intelligence to do what it's doing, but one of the pursuits that we've had for, really since the late nineties, for 20, 25 years, are what are called follower robots.
[01:05:13] And that's what I think we're going to start seeing much more frequently. It's going to be kind of the first, um, I called it machine learning, they call it artificial intelligence, you really could argue either one of them, but there's a little device called a Piaggio Fast Forward. And it is really kind of cool.
[01:05:34] Think of it almost like R2-D2 or BB-8 from Star Wars following you around. It's, frankly, a little hard to do. And I want to point out right now a robot that came out, I think it was last year, from Amazon. It's called the Astro robot. And you might remember Astro from the Jetsons. This little robot was available in limited quantities.
[01:06:01] I'm looking at a picture of it right now. Frankly, Astro is quite cute. It's got two front wheels, one little toggle wheel in the back. It's got cameras. It has a display that kind of makes it look like it's got a face; it's got two eyeballs on it. And the main idea behind this robot is that it will
[01:06:23] provide some protection for your home. So it has a telescoping camera and sensor that goes up out of its head, up fairly high, probably about three or four feet up, looking at this picture. And it walks around your, well, rolls around your home, scanning for things that are out of the normal, listening for things like windows breaking. There's all kinds of security
[01:06:50] that's rolled into some of these. But it is a robot and it is kind of cool, but it's not great. It's not absolutely fantastic. Amazon's dubbing the technology it's using for Astro "intelligent motion." So it's using location and mapping data to make sure that Astro gets around without crashing into things,
[01:07:18] unlike that little vacuum cleaner that you have. Because if someone leaves something on the floor that wasn't there before, they don't want to run over it. They don't want to cause harm. They don't want to run into your cats and dogs. And oh my, maybe lions and bears too. But they're also using this computer vision technology called Visual ID, and that is used
[01:07:41] with facial recognition, drum roll please, to recognize specific members of the family. So it's kind of like the dog, right, in the house.
It's sitting there barking until it recognizes who you are. But Astro, in this case, recognizes you and then provides you with messages and reminders, can even bring you the remote or something else; you just drop it in the bin and off it goes.
[01:08:08] But what I am looking at now with this Piaggio Fast Forward, you might want to look it up online, because it's really cool, is it does the following, like we've talked about here: following you around and doing things. But it is really designed to change how people and goods are moving around. So there's a couple of cool technologies along this line as well
[01:08:35] that aren't just these little small things. You might've seen robots, delivery robots, that Domino's, for instance, has been working on. There's another real cool one out there called a Burro. And this is an autonomous driving power, basically. It's kind of a four-wheel ATV, and it's designed to move between the rows of fruit orchards in California or other places.
[01:09:01] So what you do to train this Burro robot is you press a follow button on it. You start walking around the field or wherever you want it to go. It's using some basic technology to follow you, cameras and computer vision, and it's recording it with GPS, and it memorizes the route. At that point, now it can ferry all of your goods
[01:09:29] around that path and communicate the path, by the way, to other Burro robots. So if you're out doing harvesting, whether it's apples out on the East Coast, or maybe, as I said, out in California, you've got it helping you with some of the fruit orchards. It's amazing. So this is going to be something that is going to save a lot of time and money. These things, by the way, weigh up to 500 pounds, and it can carry as much as a half a ton.
[01:09:58] You might've seen some of the devices also from a company down in Boston, and I have thought that they were kind of creepy when you look at it, but the company's called Boston Dynamics. And they were just bought, I think it was Hyundai that bought them, trying to remember. And anyway, these are kind of, they have robots that kind of look like a dog and they have other robots that kind of look like a human, and they can do a lot of different chores.
[01:10:33] The military has used them, as have others, to haul stuff. This one, this is like the little dog, it has four legs. So unlike a lot of these other robots that are on wheels, this thing can go over very, very rough terrain. It can self-right, et cetera. And they're also using them for things like loading trucks and moving things around. Kind of think of Ripley again, another science fiction tie-in, where she's loading the cargo in the bay of that spaceship.
[01:11:05] And she is inside a machine that's actually doing all of that heavy lifting. Now, today, the technology we have can do all of that for us. So it is cool. I get kind of concerned when I see some of these things. Military robots are my favorite, especially when we're talking about artificial intelligence, but expect the first thing for these to be doing is to be almost like a companion, helping us carry things around, go fetch things for us, and in the business space,
[01:11:40] go ahead and load up those trucks and haul that heavy stuff so people aren't hurting their backs. Pretty darn cool. Hey, I want to remind you, if you would like to get some of the free training or you want some help with something, the best place to start is CraigPeterson.com. And if you want professional help, well, not the shrink type, but with cybersecurity,
[01:12:06] email me: me@craigpeterson.com.
[01:12:10] Just in time for the holidays, we have another scam out there, and this one is really rather clever and is fooling a lot of people and is costing them, frankly, a whole lot of money.
[01:12:26] This is a very big cyber problem because it has been very effective. And although there have been efforts in place to try and stop it, they've still been able to kind of get ahead of it. There's a great article on Vice that's in this week's newsletter, in my show notes up on the website, and it is talking about a call that came in to one of the writers, Lorenzo Bicchierai, um, probably completely messed that name up, but the call came in from,
[01:13:03] supposedly, right, PayPal's fraud prevention system. Someone apparently had tried to use his PayPal account to spend $58 and 82 cents. According to the automated voice on the line, PayPal needed to verify my identity to block the transfer. And here's a quote from the call: "In order to secure your account, please enter the code we have sent to your mobile device."
[01:13:32] Now, the voice said PayPal sometimes texts users a code in order to protect their account. You know, I've said many times, don't use SMS, right, text messages, for multi-factor authentication. There are much better ways to do it. After entering a string of six digits, the voice said, "Thank you. Your account has been secured and this request has been blocked."
[01:13:57] Quote again: "Don't worry. If any payment has been charged to your account, we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up." But this call was actually a hacker. They're using a type of bot, is what they're called. These are these automated robotic response systems that just dramatically streamline the process for the hackers to gain access into your account,
[01:14:31] particularly when you have multi-factor authentication codes where you're using SMS messages, but it also works for other types of one-time passwords.
For instance, I suggest to everybody, and we use these with our clients, that they should use something called 1Password.com. That's really, you'll find them online.
[01:14:54] And 1Password.com allows you to use and create one-time passwords. Same thing with Google Authenticator, same thing with Microsoft Authenticator; they all have one-time passwords. So if a bad guy has found your email address and has found your password online in one of these hacks, how can they possibly get into your PayPal account or Amazon or Coinbase or Apple Pay or whatever?
[01:15:26] Because you've got a one-time password set up, or SMS, right? Multifactor authentication of some sort. Well, they're fooling people, and absolute victims. Here's what's happening. This bot, by the way, is great for bad guys that don't have social engineering skills. Social engineering skills are when someone calls up and says, hi, I'm from IT,
[01:15:51] and there's a problem, and we're going to be doing an upgrade on your Microsoft Word account this weekend because of a bug or a security vulnerability. So what I need from you is I need to know what username you're normally using so that I can upgrade the right one, so it doesn't cost us a whole bunch by upgrading accounts that aren't being used.
[01:16:15] So what's the account name that you use on the computer and what's the password, so we can get in and test it afterwards? That's a social engineering type attack. That's where someone calls on the phone. Those tend to be pretty effective. But how about if you don't speak English very well, at all, frankly, or if you're not good at tricking people by talking to them? Well, this one is really great,
[01:16:44] because these bots only cost a few hundred bucks and anybody can get started using these bots to get around multi-factor authentication. See, here's how it works. In order to break into someone's account, they need your username, email address and password, right? Well, I already said
many of those have been stolen.
[01:17:07] And in our boot camp coming up in a few weeks, we're going to go through how you can find out if your username has been stolen and has been posted on the dark web, and same thing for your password, right? So that's going to be part of the boot camp coming up that I'll announce in the newsletter once we've finished getting everything ready for you guys. They also go ahead and buy what are called bank logs, which are login details from spammers who have already tricked you into giving away some of this information.
[01:17:41] But what if you have multi-factor authentication enabled, something I'm always talking about, always telling you to do? Well, these bots work with platforms like Twilio, for instance, and they are using other things as well, like Slack, et cetera. And all the bad guy has to do at that point is go in
[01:18:07] and, uh, say they're trying to break into your account right now. So they're going to, let's get really, really specific: TD Bank. That's where my daughter works. So let's say you have a TD Bank account. And the hacker has a good idea that you have a TD Bank account, knows it because they entered in your username and password and TD Bank was letting them in.
[01:18:32] But TD Bank sent you a text message with that six-character code, right? It's usually digits. It's usually a number. So what happens then? So the bad guy says, okay, so it's asking me for this six-digit SMS

Ping - A Firewalls.com Podcast
How Multifactor Authentication (MFA) Protects Businesses & Cyber Insurers

Ping - A Firewalls.com Podcast

Play Episode Listen Later Nov 11, 2021 40:35


Multifactor authentication (MFA) is fast becoming a requirement for a secure business network. Not only that, it's becoming a requirement for a business to qualify for the added protection of cyber insurance. WatchGuard Technologies Director of Authentication Alexandre Cagnoni takes us through why multi-factor authentication is so important in the current cyber threat landscape for businesses of all sizes. He also explains why cyber insurers consider it vital. And then, he shares how WatchGuard AuthPoint makes implementing MFA simple for the organization and its employees. Hint: There's an app for that.
Read a recent article on the subject by Alexandre here: https://www.securityinfowatch.com/cybersecurity/information-security/breach-detection/article/21229613/how-hackers-bypass-mfa-and-ways-to-stop-them
And find WatchGuard AuthPoint here: https://www.firewalls.com/brands/watchguard/cloud-security/watchguard-authpoint.html
In headlines, we discuss a Robinhood data theft, a discovery of breaches across key sectors, and an international ransomware bust. See the stories:
Robinhood security breach compromised data of 7 million users: https://www.engadget.com/robinhood-users-compromised-security-breach-063802932.html
Hackers have breached organizations in defense and other sensitive sectors, security firm says: https://www.cnn.com/2021/11/07/politics/hackers-defense-contractors-energy-health-care-nsa/index.html
Ransomware crackdown spreads in U.S., Europe and Asia: https://www.nbcnews.com/tech/security/ransomware-crackdown-spreads-us-europe-asia-rcna4829
Get info on all things network security through our blog, https://firewalls.com/blog.
And please do reach out, as we want to hear from you. Suggest an episode topic, ask a question, or just say hi in a review, or by emailing podcast@firewalls.com. New episodes are normally released every other Wednesday, so subscribe/follow to ensure you get the latest first, and again, please rate and review. Thanks for listening!

Next in Tech
Multifactor authentication needs and hesitations

Next in Tech

Play Episode Listen Later Oct 12, 2021 22:48


The need for more modern authentication techniques has never been more pressing and multi-factor authentication (MFA) is a key building block of zero trust approaches. Tom Gersic, VP of customer success at Salesforce and Garrett Bekker from the 451 security team join host Eric Hanselman to talk about what's needed. The threat landscape demands MFA, but users can be hesitant. It doesn't have to be this way. See Garrett's fireside chat at the 451Nexus conference: https://www.spglobal.com/451Nexus

Cybersecurity and Compliance with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001
Erin Dotsey and BJ Saldana-Tovar of Petronella Cybersecurity interview Jamel Lugg of Gatekeeper. Gatekeeper is a proximity-token-based multifactor authentication (MFA) solution.

Cybersecurity and Compliance with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Play Episode Listen Later Oct 6, 2021 39:33


Erin Dotsey and BJ Saldana-Tovar of Petronella Cybersecurity interview Jamel Lugg of Gatekeeper. Gatekeeper is a proximity-token-based multifactor authentication (MFA) solution that meets compliance with regulations such as HIPAA for medical practices and CMMC for DOD contractors. Token-based solutions like Gatekeeper are much more secure than SMS-based MFA. PTG particularly likes the inclusion of a password manager as well as deep integration with Microsoft Windows to help humans use a PIN instead of a complex password, while retaining the utmost in cybersecurity and logging.

Fondsnieuws
Fidelity International: Pioneer in multifactor investing in credits

Fondsnieuws

Play Episode Listen Later Sep 28, 2021 20:38


Fidelity is a recognised pioneer in multifactor investing in credits. The asset manager uses an award-winning strategy in which, with the help of a unique long-term dataset, the characteristics of the global corporate bond market are captured with a keen eye for sustainability. In this podcast, Ilia Chelomianski, portfolio manager at Fidelity International, explains the basic principles of multifactor investing in credits and reflects on the risks and advantages of this systematic approach to the corporate bond market.
Important information
This information is intended exclusively for investment professionals and not for private individuals. The value of investments can fluctuate, and you run the risk of not getting back the amount invested. This example is based on assumed figures and is intended for illustration only. This fund invests in foreign markets and the value of the investments may therefore be affected by changes in exchange rates. There is a risk that issuers of bonds will not be able to repay the interest or the borrowed money. When interest rates rise, the value of bonds may fall. Rising interest rates may therefore result in a decline in the value of your investment. Because of the higher risk that the issuer defaults, investing in corporate bonds is generally less safe than investing in government bonds. The ETF tracks an equity index and therefore the value of the fund can fall as well as rise. The performance figures are based on the net asset value (NAV) of the ETF, which may differ from the market price of the ETF. Individual shareholders may realise a return that differs from the NAV return. Views expressed may no longer be current and may already have been acted upon. Past performance is no guarantee of future results.
References to specific securities should not be construed as advice to buy or sell those securities.
Disclaimer
This information may not be copied or distributed without prior permission. Fidelity only provides information about its own products/services and does not give investment advice based on personal circumstances, unless otherwise specifically stated by an authorised firm in formal communication with the client. Fidelity International refers to the group of companies that form part of the global investment management organisation that provides information on products and services in certain jurisdictions outside North America. This publication is not intended for residents of the US and is intended exclusively for persons located in jurisdictions where the relevant funds are authorised for distribution or where no such authorisation is required. Unless otherwise indicated, all products are offered by Fidelity and all opinions and views given here are those of Fidelity. Fidelity, Fidelity International, the logo and the F symbol are registered trademarks of FIL Limited. Assets and resources of FIL Limited as of 01/09/2021. The data has not been audited. Investments should be made on the basis of the prospectus (in English & Dutch) and KIID, available in Dutch along with the current annual & semi-annual reports through fidelityinternational.com, from FIL (Lux) S.A., NL Branch (registered with the AFM), Zuidplein 52, 1077 XV A'dam or fidelity.nl. The fund is authorised to offer participation rights in NL pursuant to article 2:66(3) in conjunction with article 2:71 & 2:72 Financial Supervision Act. Issued by FIL (Lux) S.A., authorised and supervised by the CSSF. SSL21NL0901

PYMNTS Podcasts
Why Merchants' Biggest Fraud Problem Isn't The Payments Consumers Make

PYMNTS Podcasts

Play Episode Listen Later Sep 14, 2021 19:01


Here's a twist on the conventional fraud conversation: it's not the payments that consumers make that put merchants at risk from fraudsters, Nathan Wu-Falkenborg, vice president of global strategy and analytics at i2c, told PYMNTS. What puts them at risk is not using the advanced technologies that can help stop account takeovers.

Hack van de dam - Cybersecurity podcast
And that makes 10! Summary of and look back at HVDD S1 - Hack Van De Dam #10

Hack van de dam - Cybersecurity podcast

Play Episode Listen Later Jul 22, 2021 39:40


00:26 In the media: Mandemakers, Kaseya and Microsoft
It very much looks as though hackers increase the pressure on a victim through the impact a ransomware attack has on the victim's customers. Mandemakers refused to pay the ransom and came up with its own solution, but its customers faced serious delays. The attack on Kaseya was in fact an attack on the supply chain. And PrintNightmare at Microsoft targets both servers and workstations. So the consumer indirectly pays the price.
10:15 'Have I got things well enough in order?'
Sales manager Jasper has picked up a lot from the knowledge of security specialist Martijn. That lets him give customers an even better answer to the question 'Have I got things well enough in order?' "It is in any case good for an organisation to ask itself that kind of question," Martijn thinks. It is of course even better to be able to give an adequate answer to it. The measures to be taken are preferably tailored to convenience for the users. "Multifactor authentication already makes a world of difference!"
21:15 And if it happens anyway…
To be on the safe side, assume that your organisation really will be attacked by cybercriminals at some point. Who then does what, and who is responsible for what? It is wise to assemble a crisis team in advance and to practise with scenarios, including surprising twists in areas other than IT. If your organisation is hit despite all measures, you will have done everything to prevent unnecessary damage.
30:30 'Do you know how much your data is worth?'
Strangely enough, organisations often do not know what their data is worth. At least, they find it hard to express that in money. Cybercriminals, however, have no trouble with that at all. They know very well what value your crucial business data has. In a ransomware attack, they base the asking price for releasing your systems on that.
Regardless of whether you go along with that, it is worth taking out insurance against the consequences of a digital attack. Better to have it arranged.

Hack van de dam - Cybersecurity podcast
10 cybersecurity tips for SME organisations

Hack van de dam - Cybersecurity podcast

Play Episode Listen Later Apr 23, 2021 43:44


In episode 8 of 'Hack van de dam' (our podcast series on cybersecurity), our colleagues, sales manager Jasper and security specialist Martijn, scrutinise the average level of cybersecurity at SMEs. That results in 10 practical tips that help organisations increase their digital resilience.
01:05 In the media: Microsoft Exchange and a cheese shortage
Despite the necessary repair work, vulnerabilities were once again discovered in Microsoft Exchange. Both hackers and digital defenders did more research into that. And how did a large supermarket chain suddenly run short of cheese? Through a hack at a logistics partner, which thus had noticeable consequences for consumers. It will not be the last incident in which digital damage leads to physical consequences. 'It is a growing problem.'
06:29 'There is something to be gained everywhere…'
A stolen hard disk at the Belastingdienst (the Dutch tax authority). A data breach at a renowned construction company. Personal data of 3.6 million customers of an online shop ending up on the street. Millions of public records from social media being analysed by cybercriminals. When all that data is combined and correlated, organisation and personal profiles emerge that make targeted cyberattacks easier. The consequences will reverberate for a long time. Because: 'There is something to be gained everywhere.'
13:08 'Where should we even begin?'
Organisations that want to increase their digital security often do not know where to start. The very first tip Martijn gives is: 'Multifactor authentication! Alongside the combination of a username and a password, it is an additional safeguard for gaining access to an IT environment or applications.' The security of the home workplace is also covered, as is the importance of updates and timely detection of vulnerabilities.
26:23 'It is about buy-in and budget…'
That antivirus software is not an ultimate solution against cybercrime should be clear by now. You really need additional measures to increase your organisation's digital security. In addition, employees' security awareness requires structural attention, and you need to know what to do if your organisation is hit by a cyberattack despite all measures. What is needed for that? 'Buy-in and budget. Cybersecurity belongs on the board's agenda.'

PolySécure Podcast
News as of 22 April 2021 - Because... it's episode 0x025!

PolySécure Podcast

Play Episode Listen Later Apr 22, 2021 62:16


Because… it's episode 0x025!
Preamble
Shameless plug
COVID-19
21 April to 19 June 2021 - Québec Numérique - SéQCure 2021
New podcast - Incidences
Notes
Follow-up on the Facebook hack
Microsoft's 99% solution: Multifactor authentication
VirusTotal Upload is One of the SolarWinds Backdoors
FBI Remotely Removed Web Shells from Infected Exchange Servers
New Zoom privacy features designed for the gaffe-prone
Cloud misconfigurations continue to be a weak spot
Canac victim of cyberpirates
OSINT Framework
Contributors
Nicolas-Loïc Fortin
Vincent Groleau
Credits
Audio editing by Intrasecure inc
Music: Doom II: Hell on Earth "Red Waltz" by djpretzel via OverClocked ReMix
Virtual studio by Zencastr

Craig Peterson's Tech Talk
Tech Talk with Craig Peterson Podcast: Cloud Jacking, Browser Password Protection, Subliminal Messages on White House Website and more

Craig Peterson's Tech Talk

Play Episode Listen Later Jan 29, 2021 82:50


Welcome! With the rapid pace of change unleashed this past week through Executive Orders, we are now a lot less secure than we were just a month ago, and it is going to get a lot worse. But there are some things you can do technologically to protect your privacy and stay a little more secure. Cloudjacking is possible mainly due to the failure to use secure passwords and a different password for every site and every application you use. Just doing that makes it almost impossible for hackers to carry out their trade. Chrome and, by default, Microsoft's Edge browser have put something in their browser to help, not alleviate but help with this problem. You can do better by using a true password manager, and we will get into that as well. Speaking of privacy, the US government is going around its own requirements and buying your location data and other personal information they are not allowed to collect from data aggregators. We will get into that as well. Then did you know that the new administration has put subliminal messaging into the White House website? Yes, they have. Well, that's just a taste of today's topics, and there is even more, so be sure to listen in. For more tech tips, news, and updates, visit CraigPeterson.com.
---
Tech Articles Craig Thinks You Should Read:
Cloud Jacking: The Bold New World of Enterprise Cybersecurity
Chrome and Edge want to help with that password problem of yours
Military intelligence buys location data instead of getting warrants, memo shows
US administration adds "subliminal" ad to White House website
Why North Korea Excels in Cybercrime
Speed of Digital Transformation May Lead to Greater App Vulnerabilities
Waymo CEO dismisses Tesla self-driving plan: "This is not how it works"
What's the technology behind a five-minute charge battery?
---
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] Hey, there is a new company out there on the forefront of passwords. We're going to talk about that and a few other things.
Of course today. Hi everybody, Craig Peterson here. The biggest problem pretty much all of us have has to do with our passwords: what we're doing with them, how often we're changing them, how we are storing them. It is being used for quite a few things out there right now. We're seeing a real emphasis on a term you might not have heard before: it's cloud jacking. This is where someone gains access to your cloud services and then does nefarious things with them. What do you expect them to do now? What does this all mean? It means if you are using something, like maybe you're using salesforce.com, maybe you have online banking with your bank. Most people do. There are so many cloud services that we use nowadays. And cloud jacking is where someone gains access to that online account. You might ask, how do they do that? How do they gain access to it? The simplest and most common way of doing it is something called password stuffing. Now, I know I'm throwing a lot of terms out there for everybody, but basically, cloud jacking means that a cloud service is being used without your permission, your cloud service. So again, think about "cloud" as just a word for somebody else's computer that you have no control over. Cloud services, generally speaking, are dangerous. Now I know a whole lot of people who think, I don't know much about computers; I'm probably a lot better off having some third party manage my computers for me. And so I'll just go to Amazon or I'll go to Microsoft or IBM or whomever and have them run my server for me. And in fact, that's what most companies are doing nowadays. Initially, it looked like it was going to save them money. It was going to be a big saving because you didn't have to maintain that data center anymore. You didn't have to have the personnel who know the systems, who did the updates and stuff. In reality, that's turned out not to be true. Most of the slightly bigger businesses, those smaller to midsize, are moving their stuff
out of the cloud because of cloud jacking, because all of the expenses that were supposedly going to be saved are not only not being saved, but because they don't have control over their computer anymore and they don't have control over the network. Because remember, the cloud is somebody else's: it's their computer, it's their network. It's something you have very little control over, so they're moving it back into their business. I think that makes a whole lot of sense. In the meantime, we have many more businesses that are saying you cannot buy our software anymore. You have to use it in the cloud. You have to use our cloud license, which to me is just, frankly, mind-boggling. Now I can see how it makes it simpler for them, because they only have to have one version of the software, maybe two or three as they're working on the development, and they can roll it out a little bit more slowly. They don't have to worry about people having problems with Windows, which is always a nightmare, and we'll try and do support, because when it comes to Windows, Microsoft themselves tell you don't run more than one app, one service, on that machine. We can't guarantee it. It's not going to work. And then you have to pay them 300 bucks when there's a problem. And that 300 bucks doesn't go very far because they don't guarantee they'll solve that problem. So all of these things have led us to move to the cloud, and now some are moving back away from the cloud, and our cloud servers and our cloud services that we're using in our businesses are being hijacked. Now I mentioned that one of the things that these hijackers are doing to take over is something called credential stuffing. Another one is phishing. We're not going to talk a lot about phishing right now, but you probably know this already. It's where you get an email that looks legitimate. It's from somebody that looks legitimate. But in fact, it's trying to get you to do something that is going to now give them access to your systems.
And in fact, that's what happened to a buddy of mine. I've talked about him before, just a couple of weeks ago. Yeah, he lost his whole paycheck. It's gone, and he's not getting it back, and the company is not going to reimburse him for it, which is really a shame, frankly. So, credential stuffing: it's something that's been used for quite a while. In fact, way back when, they used to use credential stuffing to try, like, a thousand or 10,000 of the most recent passwords, or most popular passwords. Now, that's a problem, isn't it? What is it? Why are they doing it? Back when life was simpler and people used "password" as their password, or "abc123", or the whole top row of the keyboard, there were only a few thousand, maybe 10 or 20,000, passwords that were in common use. And we've gotten way smarter since then, haven't we? No, we haven't. And I would ask right now that you just take a minute and go online to haveibeenpwned.com. You can type your email address into Have I Been Pwned, and it'll tell you if it found it anywhere on the internet. So not just on the internet, but more or less on the dark web, the dark internet. But there's another feature on Have I Been Pwned (it's spelled P-W-N-E-D), and that's in the Passwords tab. So if you click the Passwords tab, it's saying that right now they have a database of 613 million real-world passwords that have been previously exposed in data breaches, and obviously this exposure makes them unsuitable for ongoing use. Why does it make them unsuitable? Let's type one in right now. We're going to type in "P@ssw0rd"; actually, we're going to get fancy: P, at sign, s, s, w, zero, r, d. So it's a great password, right? Because it's "password" with an at sign instead of an A and a zero instead of an O. So we're going to type this in and hit Return, and let's see what it says. Oh my gosh. This password has been seen almost 55,000 times before. Okay, so it's not such a great password.
It has been breached in data breaches and should never be used. If you've ever used it anywhere before, change it. And it goes on giving you this list; there are a lot of places. Yeah, 55,000 times it's been used. So check it out, go there, check it out. Make sure the password that you're using hasn't been used before. And the question is, why? That's where we get into the problem with credential stuffing. What they'll do is they will use your email address and your passwords that they found online, and then they'll try and log in to critical websites, like your bank, for instance. We mentioned the bank, so they will try and break into your bank account, because they've got your email address and they've got your password. That's what credential stuffing is all about. So they'll just try it across all kinds of different websites until they can get in. So this ties back into our cloud jacking problem. And with cloud jacking, they just go to these online services. Again, it's like your bank, or it might be Salesforce, to get access to your client information, or QuickBooks. Maybe; there's a whole lot of them out there, and they'll try and log in as you. Now, most of these websites have controls on this, so they limit the number of times you can try and log in. So the bad guys know this, and they know the ways around it. And some of the ways are just to do it really fast. One of the ways is to do it from different IP addresses, and they do that using, of course, hijacked computers. We call them botnets: people's home computers, business computers. They use them to do their dirty work for them. And now they have control over your systems. Multifactor authentication: that's something I go into in some detail in my Improving Windows Security course that's coming up. So if you need more information, that's the place to get it. If you want to find out how to sign up, make sure you just go to craigpeterson.com and sign up for the newsletter.
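The Pwned Passwords lookup demonstrated above can be done without ever sending the password, or even its full hash, to anyone. The public range API takes only the first five hex characters of the password's SHA-1 and returns every known suffix in that range with a breach count, so the match is made locally. The following is an added example written for this page, not code from the show or from Have I Been Pwned; the endpoint and the Add-Padding header are the service's published interface, while the offline response and its count are constructed so the check runs without a network connection.

```python
"""Check a password against Pwned Passwords with the k-anonymity range API.

Added example (not from the show). Only the first five hex characters of
the password's SHA-1 go to the service; the full hash and the password stay
local. Network access is isolated in fetch_range_http() so the parsing and
matching can run offline against a constructed response.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # published endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'HASHSUFFIX:COUNT' lines of a range response into a dict.
    Padding entries (count 0, sent when the Add-Padding header is set) are
    kept; they simply never match a real suffix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in breach data (0 = not seen).
    fetch_range(prefix) must return the raw response text for a 5-char prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live lookup. Add-Padding asks the service to pad the response so its
    size does not reveal how many real entries the range has."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_response(prefix: str) -> str:
    """Stand-in for the service, for offline use. The response shape is the
    real one; the lines are constructed. It lists the real SHA-1 suffix of
    "P@ssw0rd" with a made-up count."""
    digest = sha1_hex("P@ssw0rd")
    if prefix != digest[:5]:
        return "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"  # unrelated suffix
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{digest[5:]}:54874",                       # constructed count
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",     # padding-style entry
    ]) + "\n"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct-horse-battery-staple-2021"):
        n = pwned_count(candidate, constructed_range_response)
        verdict = f"seen {n} times, do not use" if n else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
    # Live check (needs network): pwned_count("P@ssw0rd", fetch_range_http)
```

Swap `constructed_range_response` for `fetch_range_http` to query the real service; the matching code does not change, and nothing but the five-character prefix ever leaves the machine.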
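The per-IP login limit mentioned above is exactly what a botnet-driven credential-stuffing run is built to slip under: each source address makes only a try or two, but across the whole run many different accounts fail in a short window. The following added example (written for this page, not from the show) scans a constructed authentication log and flags (a) time buckets where failures are spread across many accounts and many source IPs while no single IP reaches the lockout threshold, and (b) accounts where a failure is followed shortly by a success from an IP that had never logged into that account before, the usual sign that one of the stuffed credentials worked. The log line format, the account names and the TEST-NET addresses are all invented for the example.

```python
"""Spot distributed credential stuffing in authentication logs.

Added example (not from the show). A per-IP lockout is what the botnet
trick is designed to slip under: every source IP makes only a couple of
attempts, but in aggregate many different accounts fail inside a short
window. This scans constructed log lines (format invented for the example).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(lines) -> List[Event]:
    """Parse lines like '2021-01-21T10:00:01Z user=bob ip=203.0.113.17 result=FAIL'."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # skip anything that is not an auth event
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["user"], m["ip"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def stuffing_buckets(events: List[Event], bucket: timedelta = timedelta(minutes=5),
                     min_users: int = 5, min_ips: int = 5,
                     per_ip_lockout: int = 5) -> List[Dict[str, object]]:
    """Flag fixed-size time buckets in which failed logins touch at least
    min_users accounts from at least min_ips sources, with every source
    staying below per_ip_lockout attempts (what a lockout alone misses)."""
    if not events:
        return []
    t0 = events[0].ts
    fails_by_bucket: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_bucket[(e.ts - t0) // bucket].append(e)
    alerts = []
    for idx in sorted(fails_by_bucket):
        chunk = fails_by_bucket[idx]
        users = {e.user for e in chunk}
        per_ip = Counter(e.ip for e in chunk)
        busiest = max(per_ip.values())
        if len(users) >= min_users and len(per_ip) >= min_ips and busiest < per_ip_lockout:
            alerts.append({"start": t0 + idx * bucket, "users": len(users),
                           "ips": len(per_ip), "max_per_ip": busiest})
    return alerts


def takeovers(events: List[Event], max_gap: timedelta = timedelta(minutes=10)
              ) -> List[Tuple[str, str, datetime]]:
    """Accounts where a FAIL is followed within max_gap by an OK from an IP
    with no earlier successful login for that account. Needs some history
    of normal successes in the input, or every first login would flag."""
    known_ok: Dict[str, Set[str]] = defaultdict(set)
    last_fail: Dict[str, datetime] = {}
    hits = []
    for e in events:
        if e.ok:
            recent_fail = e.user in last_fail and e.ts - last_fail[e.user] <= max_gap
            if recent_fail and e.ip not in known_ok[e.user]:
                hits.append((e.user, e.ip, e.ts))
            known_ok[e.user].add(e.ip)
        else:
            last_fail[e.user] = e.ts
    return hits


# Constructed sample: two normal logins, then a low-and-slow wave from
# TEST-NET addresses hitting eight accounts from eight IPs (at most two
# tries per IP), one of which lands, then a legitimate typo-and-retry.
SAMPLE_LOG = """\
2021-01-21T09:00:00Z user=alice ip=198.51.100.10 result=OK
2021-01-21T09:01:00Z user=bob ip=198.51.100.11 result=OK
2021-01-21T10:00:01Z user=alice ip=203.0.113.5 result=FAIL
2021-01-21T10:00:07Z user=bob ip=203.0.113.17 result=FAIL
2021-01-21T10:00:12Z user=carol ip=203.0.113.29 result=FAIL
2021-01-21T10:00:20Z user=dave ip=203.0.113.41 result=FAIL
2021-01-21T10:00:33Z user=erin ip=203.0.113.53 result=FAIL
2021-01-21T10:00:41Z user=frank ip=203.0.113.5 result=FAIL
2021-01-21T10:00:52Z user=grace ip=203.0.113.66 result=FAIL
2021-01-21T10:01:04Z user=heidi ip=203.0.113.78 result=FAIL
2021-01-21T10:01:15Z user=bob ip=203.0.113.22 result=FAIL
2021-01-21T10:01:30Z user=bob ip=203.0.113.22 result=OK
2021-01-21T11:00:00Z user=alice ip=198.51.100.10 result=FAIL
2021-01-21T11:00:30Z user=alice ip=198.51.100.10 result=OK
"""


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    for a in stuffing_buckets(evs):
        print(f"stuffing wave from {a['start']:%H:%M}: {a['users']} accounts, "
              f"{a['ips']} IPs, busiest IP only {a['max_per_ip']} tries")
    for user, ip, ts in takeovers(evs):
        print(f"possible takeover: {user} from new IP {ip} at {ts:%H:%M:%S}")
```

On the sample, no IP ever reaches five attempts, so a per-IP lockout stays silent; the bucket view still lights up because eight accounts fail from eight sources in ninety seconds, and the takeover check singles out bob, whose first-ever success from 203.0.113.22 comes fifteen seconds after a failure. Alice's retry from her usual address is not flagged.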
I'll let you know when that course is ready. Karen and I are finishing it up now. There's just been too much stuff going on, so I apologize; it's taken a little longer than I had hoped it would take. But it'll be out pretty soon. But multifactor authentication, or two-factor authentication, is really becoming a standard, and you're foolish if you don't use it. Microsoft, Google, and others have been trying to do away with passwords entirely with some whole new technology, which is going back and forth. It may come into play; it might not. We'll see how it all goes. There's been some adoption, but it certainly has not been universal, but multifactor authentication absolutely is universally adopted. So when we get back, we'll talk a little bit more about this. What does it mean, this two-factor authentication, multifactor authentication? How can it stop our cloud accounts from getting hijacked, which is really big? Then we're going to get into Chrome and Edge, a brand new feature designed to help you with this very problem. You're listening to Craig Peterson, and of course that's also where you will find me online: craigpeterson.com.

We know about credential stuffing and cloud jacking, and we mentioned multifactor authentication, so we're going to talk a little more about it. But now, hi everybody, Craig Peterson here. There are a lot of things that we have to understand and take care of when it comes to our computers. But frankly, one of the things that we have to be the most concerned about, and yet so many of us just haven't been paying that much attention to, is our password. We are hearing stories every week of people who have had their accounts hijacked, who have had people take their bank account money right out. We've seen that for a couple of years, but it's getting worse and worse. I'm not exactly sure why you guys are not using unique passwords for every one of your accounts. I really don't get it. It's easy enough to do: use 1Password.
I don't have any money invested in these companies, and unless you buy 1Password through me, which I don't sell, I'm not going to make a dime off of it. Use 1Password or LastPass; same thing there. I know the CEO of LastPass; I've had him on the show before. I don't make a dime off of it. So use them. It's just so easy to do. But yeah, two-factor authentication, that's a little bit of a different thing, and we want to get into, here in just a minute, how you can use that, how to tie it in. As I mentioned, I do go into it in quite a bit of detail in my course. So if you are interested in that, the Improving Windows Security course, we talk a lot about it. Our friends over at Google have decided they're going to help us out, and here's what they're doing. Number one, they are tying into haveibeenpwned.com, which you can go to yourself. You can get an alert from them if your account shows up in any of these password dumps that are out there on the internet. Very handy. So Google is going to Have I Been Pwned on your behalf, and if they notice that your account has shown up on the dark web, they're going to tell you, and they're going to recommend that you change your password. So the easy thing to do right now is go to Google, if you're using Chrome that is, and check your security preferences. And once you're in your security preferences, it'll tell you about the accounts it knows about that you have that have been hacked. Now, when I say it's been hacked, it doesn't mean your account has been hacked, but your information has been stolen, usually via some form of a hack. If you're using 1Password, it has something called Watchtower, which does the same thing. I've got about 2,500 user accounts in my 1Password vault. There are actually multiple vaults; it's across all of those vaults.
So we have some for the business, and we have some other stuff that we use for our business clients, because we have to maintain the highest levels of security for ourselves, because we have clients that have to have that level of security as well. So we in fact have better security than most of our clients do, frankly, and that's a little bit sad. Anyhow, 1Password will remind me as well when one of my accounts, email addresses, or passwords shows up on the dark web. And it'll also tell me, for instance, if I've got my craigpeterson.com login and it shows up somewhere on the dark web; it will tell me that they found craigpeterson.com on the dark web, whether or not my password was stolen. So it's really nice. 1Password can help you with that, and it can generate new passwords, and you can use it as well for keeping private notes. And when you are generating passcodes for two-factor authentication, many times it'll give you a one-time pad, so it'll be a number of single-use passwords that you can use in the event that you don't have your two-factor device with you. As I said, I go into that in a lot of detail in my Improving Windows Security course. But Chrome has done something else, and I have to applaud them for doing this. I am not a big fan, already, of Google and Chrome; they make their money, their whole living, off of you and your information, and I think that's a little bit on the dishonest side, frankly. But that's what they do. Okay. They have now added something that's really quite nice, and because Google has added it to Chrome, that means that these Chromium-based browsers will also be picking it up. What are the Chromium-based browsers? Of course, Google Chrome itself is a Chromium-based browser, which means it's a certain codebase. Microsoft's Edge browser, the latest version of Edge, is not a Microsoft product anymore. They're using Google Chrome as its base. They're using Chromium.
So in both cases, you now have a strong password generator that you can use when you're signing up for a new account, or when you're changing an existing password. Again, if you've heard me talk about this before, I'm not fond of having a web browser remember your passwords, because who knows; it's not designed for security. Google Chrome usually does a pretty good job, and that's why it's such a popular web browser, but I much prefer an application that's specifically designed for security, where they know what they're doing. And that's why I recommend the whole 1Password thing. So here's what happens: when you are on a web page and you are entering a username and a password, or you're putting in a new password for your account, it pops up and says, "Do you want me to save this password?" Now it is giving you another option here. So rather than having to think up a password that's really unique, that's a difficult one to guess, that is not used anywhere else on the internet, you can now have the generator do it for you and generate a very good password. So you're going to look for the browser-suggested password dropdown in the password field, and you can select that, and it's going to automatically save your new password to the browser and sync it across all of your other devices, if you are signed in to your Google account from all of those other devices, so that you can use it in the future. There's another feature called Password Monitor, and it's being added to Edge; it's already there in Chrome. And it is a password monitor. Again, most of these guys are using Have I Been Pwned, and there's nothing wrong with that, although Have I Been Pwned isn't being paid by these guys for doing it. But checking your passwords can be difficult. But Have I Been Pwned has a free signup that you can use that will let you know if your username has shown up in any of these hacks out there. And frankly, that's all these other people are using.
They've got some very good encryption, by the way, for keeping track of your passwords in Edge. They're using what's called homomorphic encryption. It's pretty new, but it allows computing on encrypted data without decrypting the data first. So that's really cool. It has this hash function that only the server knows. They're doing a lot of neat stuff here, and the Google Chrome team unveiled their own version of this as well, and they've got a fuller-featured password manager now built into the browser. So keep an eye out for those on your Chromium-based browsers. And have a look at haveibeenpwned.com (P-W-N-E-D) online. If you want some more help on passwords, just drop me an email, me@craigpeterson.com, or sign up for my Improving Windows Security course. You can keep up to date with all of the latest news, courses, little trainings, webinars, by going to craigpeterson.com and signing up right there.

Hey, I got a quick update here on secure communications. You might've heard about what happened, what's going on there, and let's talk about alternatives. Hi everybody, Craig Peterson here. You might've heard about WhatsApp. WhatsApp used to be really popular. I've had a listener before ask me about using WhatsApp overseas. It was a family member who was serving in the military, and they wanted something that was secure. They asked about WhatsApp and I said, "I don't know," with a little bit of moaning and groaning there, that I don't like WhatsApp because of Facebook. Facebook, our friends over there, decided a couple of weeks ago that they were going to come out with new terms of use, and those new terms of use have language that made it sound like maybe they'd be spying on us. Now Facebook has come out and said, "No, we're not going to break the end-to-end encryption." In other words, they won't be able to decrypt your conversations. "However, we are going to start sharing your information with advertisers, et cetera."
Sharing your information about using WhatsApp, which is an encrypted, supposedly secure chat app, might cause some problems, right? You can imagine someone knocking on your door and saying, "Why are you using encrypted communications?" And in fact, you have every right to; it is the best thing to do. You don't want bad guys getting their hands on it. And in some parts of the world, the governments just cannot be trusted, and they are trying to monitor everything that's going on. So that's why I've never been a fan of WhatsApp, and why so many people have migrated off of WhatsApp. Facebook finally realized what a mistake it was to send out that press release. Well, it wasn't a press release, actually; it was something that came up when you used WhatsApp. It came right up on your screen, and you had to accept it. So it is concerning. Where do we go? Now, I think that... I suggest you use Signal, and we cover this in a bit of detail in the Improving Windows Security course. So in the course, we talk about all these different types of messengers, which ones are the best ones to use, and when and why. But I want to point out something about Telegram. Telegram has picked up, I'm looking at some numbers right now, they're saying tens of millions. Wow. Tens of millions of people have moved over to Telegram. They said that earlier in January, Telegram announced it had hit a milestone of 500 million monthly active users and pointed to a single 72-hour period when 25 million people had joined the service. Now, obviously, these are people who are fleeing some of these censored services that are out there, people who are fleeing from WhatsApp, because who knows where it's going ultimately. But I want to point out something about Telegram. So, first of all, don't use it. All right? Not if you want to be secure. But here are the problems with Telegram. First of all, end-to-end encryption is what you want.
So if you are talking to someone over one of these encrypted apps, you want that message, that voice conversation, that video, to be encrypted from the time it leaves your device until it arrives on the device of the person you're talking to. It's almost certainly going to go through a server, or two or three or four. It's going to go through routers. There are ways to intercept it, but if it's encrypted end to end, it won't do much good to intercept it in the middle. Our encryption today is really quite good. Now, if the government wants to get its hands on your communications, there are ways around it. However, when it comes to just casting a big fishing net, nothing's going to happen. They're just going to cast a net; they're going to catch all of this stuff, and there's nothing in it. We know that various intelligence agencies around the world try and keep copies of everything in case, later on, they want to go back and examine it and see what was said after the fact. Whatever; more power to them. Telegram, by default, does not have end-to-end encryption. So by default, yes, it has encryption, but the encryption goes from your phone to their server, and once it's on the server, it is no longer encrypted. And then on the remote side, for the person you're talking to, it's encrypted from the server to that person you're talking to on the far end. See where the problem can come in here? Particularly if you are in a country that does not treat its citizens, residents, whatever you might want to call these people, from serfs on up, that doesn't treat them well. They can potentially force Telegram to give them a complete copy of everything that was said or done. That is a problem. That is a very big problem. You are not going to get end-to-end encryption by default. However, you can turn it on, on Telegram. Now, on Signal, it is by default. It is end to end. It's always end-to-end. Okay.
So Telegram only encrypts, by default, messages between your device and the Telegram server, and between the Telegram server and the other person on the other end. However, the group messaging feature that Telegram has offers no end-to-end encryption at all. None. So we have a group of people, who've got family members that you're talking to, or maybe it's some investors and you're talking about buying some more real estate for your investment trust, or you are talking with your accountant about bank numbers and things, and yeah, you've got the attorney on, or maybe you're just talking to some friends and you don't have anything you want to share with those prying intelligence agencies in some of these countries out there. You are not secure, because right in the middle you have your messages in cleartext. So where is Telegram located? It is based in the United Arab Emirates. That is scary. When they have servers over in the United Arab Emirates, you already know that you don't have much of a sense of security over there, and you certainly don't have privacy. So don't use Telegram if you want to be secure. We've got tens of millions of WhatsApp users who fled the service. Many of them went to Telegram. No doubt they were attracted by Telegram's claims of heavily encrypted messaging. But in fact, it's not true. Okay. People do not want to exchange privacy for free services. Now, the nice thing about Signal is it is open source, and they are not trying to make money off of Signal; it's available freely. Anyone can grab the source code, and the Signal encryption methodology is used by WhatsApp as well, but I already expressed some of my concerns about WhatsApp. Hey, if you want to learn more about this, more about improving Windows security, more about communicating securely, I've got it all covered in my Improving Windows Security course that's coming up in a couple of weeks. Make sure you sign up. Just go to craigpeterson.com.
You can sign up anywhere on that website, or go to craigpeterson.com/subscribe, and you'll get my weekly newsletter as well.

Shortly after Joe Biden took office, we started seeing some subliminal messages right there on the White House home page. Hi everybody, Craig Peterson here. Thanks for joining me. Let me tell you, I'm not trying to start some sort of a rumor here. This is absolutely true. You might've heard about Easter eggs before? No, I'm not talking about the type that, you know, the little bunny comes with, the colored, dyed, hard-boiled eggs, or maybe they're little plastic eggs with candy inside. Some of that candy's kind of yummy. Some of it's just horrific. At least it's not as bad as, I mean, those little corn things that are nasty. Anyhow, Easter eggs are in movies. Have you seen them in the Marvel movies? For instance, they use them quite a bit. These are little things that are hidden away so that people who are watching, super fans, can find them. It might be just something on a shelf behind, in one of the movies. So it's on a set, and it's something from another movie. It might be a movie that the director loves, or maybe it's another movie that's part of the series. Those are Easter eggs: hidden away. They're there, but they're hidden. I think those are cool to try and spot sometimes. The White House added an Easter egg, this subliminal ad, to the White House website shortly after President Biden took office. It's really just absolutely amazing. But one of the most famous Easter eggs in software history, and this was pretty complex as well, was in Microsoft Excel 97. Microsoft Excel, that's their spreadsheet software, and this is from 20-plus years ago, 23, 24, whatever it is, back in '97. You could open a new workbook, hit F5, type in L97:X97, Enter, and then Tab, and then Ctrl+Shift+click on the Chart Wizard icon, and all of a sudden you are in a flight simulator. You didn't have to buy a flight simulator. Pretty cool.
And you flew using the mouse, and then when you were done, you hit Escape. And that was cool. I thought it was phenomenal, frankly. But this wasn't just a hidden game; a game is hidden inside of some commercial software. There was a version of Tetris that was hidden in a spreadsheet as an Easter egg. They had something called boss mode, Ctrl+B, so it was quick to type, and it popped it up. It was a dubious sort of Easter egg, intended as a decoy, and it had a spreadsheet app as well. You could pop back and forth as the boss is looking over your shoulder. Just pop, hit a button, and it's a spreadsheet. In this particular case, what happened is someone at the White House decided that they would add in some job information. Isn't this cool? So if you were looking at the source code for the website, you would see, hidden away in there, a job application. Google's done something similar before. They have had some coded messages up on billboards out in the San Jose area, out in California, and for people that were able to decipher it, it told them how to apply for a job. Obviously, they want to have a little bit of fun. Microsoft Edge, by the way: if you go to edge://surf (it's only available over on Microsoft Edge), you have a surfing-themed game when you're offline. All you have to do is type in edge://surf. And it's like the Windows game SkiFree, and it challenges you to ride through the water while avoiding islands. Those can be tricky. Very easy to do. Marvel has an interesting one too. If you're really, totally geeky, you can grab the headers from Marvel.com's website, and the headers will have a server nickname field, and it's called "She-Hulk". I don't know if you know or not, but Marvel is coming out with a female Hulk, and so this is a promotion. Very geeky stuff. Here's another one: you can go to nakedsecurity.sophos.com.
And again, if you look at the headers, which you're not going to see just by going there regularly, there is a header in there. It says, "If you're reading this, you should visit blah and apply to join the fun. Mention this header." This 2021 White House website added a job ad as well. Presumably, they're trying to get some publicity and to attract job applicants to the US Digital Service. The USDS describes itself as part of the public service that, quote, "aims to use design and technology to deliver better services to the American people," and its goal is to attract some of these technophiles that might otherwise be lured to join the commercial big guys out there. But you can go there online directly at usds.gov, and there's a picture there. Fascinating picture, if you ask me, because out of one, two, three, four, five, six, seven, eight, nine, 10, 11, 12 people that are in this picture, there is one white male. About half of them are females, and about half are males, and of the males, five of them are not white, which is just interesting. It's such a change from what you normally see advertised online. So it's fun. COBOL, an older language, something I wrote a lot of code in back in the day, and you've got new languages out there like Rust. I don't want to get into all of this right now, but it's geeky kind of fun. I also, by the way, wanted to point out, going back to Telegram, which we talked about a little bit earlier in the show today: if you want to use end-to-end encryption with Telegram, you have to turn it on for each and every individual you are going to talk to. Okay? That's a real big deal here. It's what they call their Secret Chats feature. Every individual has to turn it on. So be very careful. In order to do it, what you have to do is tap the contact's name, then hit More, and then hit Start Secret Chat, and then confirm one prompt that asks whether you're sure.
So the conversation history from the default chat does not carry over to the secret one. You have to initiate that encryption option every time you pick a conversation with a contact. So it isn't like you can set it once and forget it. It's not a one-time thing. If you're using Telegram, every time you want to start a conversation with someone, you have to go into that More menu, then the Secret Chat menu, and then "Are you sure?" Okay. Not good at all. I love this comparison; this is from a guy who said: would you rather go for the car where the airbags work every time you get into a crash, or go for a car where every time you have to turn them on by typing in a PIN to enable the airbags? Why not have them on by default? I think the idea is pretty obvious, why they're doing that, right? UAE. They're not trying to really keep it secure. And speaking of security here, before the hour's up, I wanted to mention this: military intelligence is buying location data instead of getting warrants. Now, this is from a memo that came out. We know Homeland Security has been doing that as well. The DIA, the Defense Intelligence Agency (it's like the CIA, but they provide military intelligence to the Department of Defense), confirmed in this memo that it purchases commercially available smartphone location data to gather information that would otherwise require the use of a search warrant. How's that for interesting? So they have the ability to get information on you just because you are giving it away for free. You just gave it right to these app developers, to Google, et cetera. And Google has decided, because of what Apple has done... Apple now has said, if you are an app and you are going to be tracking people, Apple is going to pop up a permission screen where it informs you that this Google app, or whichever app it is, is asking for permission to track you, even across other apps, and you have the ability to say no. Apparently, that really scared Google off.
So Google has decided that they're not going to play that game at all, and they changed their code, Google Maps and some of these others; they changed their code so that it does not gather that data, but only on iOS, only on Apple devices, because they were concerned, afraid, whatever word you might want to use, that Apple's disclosure of the fact that they are tracking you would turn people off from Google. I think that people should have been turned off from Google a very long time ago. I go into search engines as well in my Improving Windows Security course, and how to set the right search engines for your browsers and stuff. But bottom line, I like DuckDuckGo. They have gotten to be very good. I've had their founder on the show before. It has been, I think, a bit of a godsend, because you don't have to use Bing, which of course tracks you; that's Microsoft's search engine. You don't have to use the Google search engine. Just use DuckDuckGo. It's just harder to say: "Yeah, I'm going to DuckDuckGo that." Okay. Media also, by the way, found out that Customs and Border Patrol buys license plate scanner data to track individuals' movements. They buy cell phone location data; they all get it. So remember, if you have a smartphone, or even a cell phone, that data can be sold and used by whoever cares to use it. It's really that simple.

You might be in for a bit of a shock if you have been working remotely due to this whole lockdown thing. In fact, millions of us are going to have a bit of a shock coming up soon. We have been busy here for the first hour talking a little bit about the Amazon bait-and-switch reviews, what I do when I'm online shopping, and how you can help keep yourself not just safer but make sure you don't get ripped off. We went through an article from Ars Technica about how he did get ripped off for gifts this season. We also talked a little bit about mobile endpoint security, some of the problems that, frankly, we've had with our mobile devices,
how Jeff Bezos, in fact, got a massive problem, got involved with his divorce and everything else, because of his mobile device, and denial-of-service attacks, what that is all about. We're going to talk this hour a bit about our remote workforce, the tax implications. We've got another arrest and jail time, so we're going to talk about bad facial recognition and what's going on there. Cyber resilience, and what can we do this year? I really want to get into these hacked home cameras used to live-stream police raids in what are called swatting attacks. Then SolarWinds: there are so many ways this massive hack could have been avoided. Our federal agencies have been compromised. Microsoft now says that due to this SolarWinds hack, somebody got into Microsoft source code. Those are the keys to the kingdom. And one of the ways Microsoft realizes it can stay secure is by keeping its source code secret. And of course, we know that works; Microsoft has never had any vulnerabilities. So we'll get into that. A lot to talk about this hour. First off, let's talk about this problem with taxes. Many of us have problems: if you live in Maine and you work in Massachusetts, you could have a little bit of a tax problem, but there is a reciprocal agreement that's in place. So if you had been working in Mass and you live in Maine, okay, I can see that you're driving down to Mass every day and you're living in Maine, so the reciprocity agreement covers that. But how about if you have never stepped foot in Massachusetts? How about if you started working for a company out of New York, or a company out of California? Did you realize that many of these, all of them by the way Democrat administrations, are now going to require you to pay state taxes? Connecticut, you name it. All of these; it is very concerning to me. And when we get right down to workforces, and the fact that this whole lockdown has really accelerated this trend of working from home,
and because of that, we've got employers who are letting their workers perform their jobs remotely from home most, if not all, of the time. So where does the legal nexus tie in? So they're saying, "Hey, listen, your employer and you both knew exactly where you live and work," but the state departments of taxation can have some very different ideas about where "here" is. So as a result, Texas, Utah, and Arkansas workers who are working for New York- or Massachusetts-based companies will have income taxes withheld from their paychecks, even if they've never set foot in the home office, or never set foot in the state. How about that one? The thing for New Hampshire, if you live in Maine, of course... Yeah, a lot of these states that have state income taxes will go ahead and say, "Okay, you don't have to worry about paying our state income tax as well." Or in some cases, they look at it and say, "Oh, you pay less state income tax than we charge our residents." I don't want to call them citizens, because we are not being treated like true citizens anymore, but you pay less in your home state than our residents pay, so you don't have to make up the difference as well. So we've got dozens of major companies out there, all the way through little guys, who have been increasing their support for working from home permanently. And I think that's great. We have businesses closing offices. Thank goodness I don't own business space. We've let our leases lapse, counting on physical distance; a flexible workforce was going to reduce real estate needs. I know one of my daughters is in that boat right now. And in many ways it can be a win-win: employers can save overhead costs on that expensive square footage in high-demand cities. Look at what's happened right now in San Francisco, for instance. They are a great example. San Francisco, the city, has lost 43% of its tax revenue.
So you look at it and say, okay, well, they've lost a lot of tax revenue because of the lockdown and people aren't going out shopping, they're not buying stuff. No. According to the San Francisco economist (and yes, indeed, the city of San Francisco has its own economist), that 43% drop in revenue is due to people moving out of the city. New York, San Francisco, Los Angeles, all expensive, and people are moving to Maine, to Montana, dialing in from the woods, or getting a nice little place down in Florida, for instance. But as far as the state's concerned, your beachside cabana might just as well be right in the middle of downtown Manhattan, and you're going to be taxed as such. So we've had these problems for a long time, living in one state, working in another, but typically it's been adjacent states, just like, again, Maine and Massachusetts, right? DC, Maryland, Virginia, maybe Pennsylvania, West Virginia, Delaware. Kansas City itself goes across two states: you've got Kansas City, Kansas, and Kansas City, Missouri. So traveling across city limits can mean crossing state lines as well. So any major city near a border has lots of workers that go over the lines back and forth every day. And that's always been tricky from a tax perspective, because both the state where you work and the state where you live are going to want to try and tax your income, but still, typically only one state at a time has been able to tax you for your income. And most jurisdictions with a lot of overlap have agreements, as I said, Maine and Mass. And New Hampshire doesn't really have that agreement because they don't have any state income tax, or of course sales tax on almost anything. But this is really going to be a problem, frankly. So keep in mind that if you are working for a company that is headquartered or even just has a presence in Arkansas, Connecticut, Delaware, Massachusetts, Nebraska, New York, and Pennsylvania,
all of those states have convenience rules on the books that require any work performed for an employer based in their state to be taxed as if the worker performing the job is actually in the state, no matter where the employee is actually located. Now, New Hampshire is one of the nine states that does not have an income tax, and it's right now in the process of suing Massachusetts over its convenience rules. And four other states, by the way, New Jersey, Connecticut, Hawaii, and Iowa, are supporting the suit. So we'll see what happens there in federal courts. As you probably already know, going to court doesn't mean the right thing is going to happen. It's gotten really bad. But at any rate, something to be careful about: if you are working remotely for a company, many of these states are going to be coming after you for tax dollars.

We've got a couple of things to get into. I want to talk right now about facial recognition. We, what, a year, maybe more, ago talked about this company called Clearview AI. And what they've been doing has been questionable. They've gone online and done searches. They've combed through social media. And they've found and downloaded every picture they can get their grubby little paws on, and then what they've done is they've put together some facial recognition software. So they've violated laws. They've violated platform rules. It's almost like Facebook when it got started, where apparently Zuckerberg went ahead and stole all of the records of all of the kids that were there going to school at Harvard, including their photographs, and put together this little Facebook thing, "the Facebook," and had people rating other people by their looks, et cetera, and just basically stole to get his business, Facebook, started. That's the allegation that's been out there. There's been a whole movie about this, about what he did. So that's what Clearview did too. They went ahead and decided we'll just steal all of the photos we can of people.
They tied facial recognition software into it, and they perform scans of these images that were scraped from the internet and created a biometric database of the images. We're going to talk about that and how we now have people being not only wrongly accused, but arrested, spending jail time. It's a crazy world out there. The allegations are that Clearview stole your picture without your consent and without the consent of the websites you put them on. Now they are being used in this biometric database by the police and others, with wrongful arrests.

Hey, if you want to hear the whole show or an older show, you can find them; just go online to CraigPeterson.com. You'll see the podcasts there. I podcast the whole radio show, as well as my appearances on radio and television, right there. So you can listen to them as podcasts there or on your favorite podcast app. There you go.

So we were talking about Clearview using these images that were scraped from the internet illegally, in some cases against obvious usage agreements as well. Now they've got this biometric database of the images, and they can use that database to match an image of one person to one of these preexisting images that have been analyzed and scanned and maybe stolen, right? Depending on how you want to look at it; the allegations are all the way across the board. Now, neither you nor anybody else whose image was scraped from the internet even knows that it happened, let alone gave Clearview permission to use your image, right? They didn't get permission to take it, and they're not going to get permission to use it. So the details of these practices are not well received by anybody out there. Even the New York Times came out about it last January, which is when I really started talking about it as well. Within three days of the New York Times talking about what this Clearview company did, there was a federal class-action suit that was filed.
And the complaint opened with a quote from Justice Brandeis that the greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. So it's very interesting. There's a whole bunch of cases. I'm looking at the list of them right now. These will take a while before everything is finalized on them, but here's something we absolutely do know for a fact. And that is that there have been arrests that have been made due to this database. Anyone who identifies as a policeman can go ahead and download the app onto their iPhone or other devices, and can then just take a picture of someone casually on the street. There are people who are making police cameras that are constantly streaming video, and on the back end are trying to do facial recognition. I've had a couple of them on my radio show a few years back, and it's cool because it gives the policemen an idea of, is this a bad guy or not? Is this somebody who we should trust, somebody we could trust? I'm not really that worried about it. Just think about the most dangerous thing most police officers do, which is a traffic stop. They have no idea who's in the car, if that person's going to try and attack them, et cetera. So having a live stream, thinking about RoboCop, which didn't end that well, and what was happening there with the ED-209s as well as RoboCop himself, being able to see a person and be able to tell right away what this person's background is, if there's any wants or warrants, et cetera, out there. That's all well and good to a certain degree, but we just had another man, this is a New Jersey man, who was accused of shoplifting and trying to hit a police officer with a car. He was wrongfully arrested based on facial recognition. Now, in this case, it's a black man, and these facial recognition software programs that are available tend to do poorly with any minority, frankly,
and/or do terribly with some and do poorly with any of them, and also do rather poorly with the good old regular Caucasian faces like mine. Okay. So this is a third person who's arrested for a crime he did not commit. He spent 10 days in jail and paid around $5,000 to defend himself. So this is a guy that had nothing to do with it. The police got lazy; they said, oh, we got a facial recognition match, it's this guy, because they ran it through some software that had scraped some photos from the internet. Do you see where I'm going with this? And those photos from the internet say it's probably this guy, Nijeer Parks. And we know his social media is saying it's Nijeer Parks, this is where he lives, this is where he posts most of his pictures, because, you remember, our pictures, when we take them, our smartphones have embedded GPS information. Oh my gosh. And in this particular case, he was apparently 30 miles away from the scene of the crime. Okay. Pretty sad. Pretty sad. They dismissed the case because of a lack of evidence. Isn't that wonderful? But the department is now getting sued, along with the prosecutor in the city of Woodbridge, for false arrest, false imprisonment, and violation of his civil rights. I think he should absolutely win on that. In 2019, and this is an article that came from the New York Times, they're saying a national study of over a hundred facial recognition algorithms found that they didn't work as well on black and Asian faces, as I said a little bit earlier. An ACLU attorney named Wessler believes that police should stop using facial recognition technology. I am okay with it to a degree. I don't think you should be issuing any sort of an arrest warrant based on facial recognition. I think you might get a clue from that, and
from that clue, you can look at the faces and decide for yourself and interview the suspect, do some good old-fashioned police work. But this facial recognition, arresting people, putting them in jail, and then costing them thousands of dollars plus their time and their reputation, and what it does to your nerves and everything else, is just absolutely insane. And bad arrests. So this article in the New York Times goes through what happened. Apparently, the officers had been presented with a fraudulent driver's license; one of the officer's reports noted that they saw a big bag of suspected marijuana in the man's pocket. They tried to handcuff him, and that's when he ran; he had a rental car. It just goes on and on, but it was a problem. And even though Mr. Parks had been arrested twice and incarcerated for selling drugs, released back in 2016, that doesn't mean that he's the guy that did all of this. So let's be careful. I'm not fond of what Clearview has done, obviously, just based on how I described it and who I quoted. And I don't like the idea of using this facial recognition technology to arrest people. Bottom line.

So speaking about arresting people, when we get back, we're going to talk about what are called swatting attacks. I don't know if you've heard of these before. They're pretty common, unfortunately, and some of the technology that we've been bringing into our homes to keep us safer is now being used to put our lives in danger, if you can believe that. Yeah, absolutely true. We'll be talking about that. You can also follow me online. Just go to CraigPeterson.com. You can subscribe to my newsletter. I'm not an active poster on Facebook or anywhere else, so the newsletter is the best place to get my weekly show summaries. We're going to talk about how some of our technology we're bringing into our homes to keep us safe is actually ending up killing people. Yeah. Yeah. Death by police officer. Here we go.
If you want to see my show notes, all you have to do is subscribe at CraigPeterson.com. And once you're there, you'll see all of the information that I have available: my podcasts and a few articles that we've written, and you'll also have the opportunity to subscribe to my newsletter. So I'll keep you up to date with the latest, most important articles of the week. I don't send all of my show notes anymore. I found that a lot of people just don't open them, 'cause it's overwhelming. So I've been lately trying to focus on one tip in particular. So we'll see how this all goes in the future, and you can always let me know what you think. Just email me: me@craigpeterson.com. I'd love to know, do you prefer to get all of my show notes every week, or do you prefer what I've been doing lately, which is a deeper dive into one topic? That seems to be pretty popular, but I'm getting about a 40% interaction rate, which is really good on such a large list. I just want to get the message out, is my bottom line.

We have these home cameras that we have welcomed into our homes. And one of the ones that has been getting a lot of heat lately is the Ring camera. I don't know if you've seen these things. They've been advertised on television, and it's basically like a little doorbell. You put it out there by your front door, side door, whatever, and it has a doorbell button. And it also has a camera and a speaker that's built into it, then the microphone, obviously. So someone comes to the door or rings the doorbell; there's an app that you can have on your phone. So you could be at the beach, you could be at the DMV; someone comes to your home and hits that button, and you can now converse with them and tell them to leave the package or go away or whatever it is you want to do. There have been some problems.
One of them that has been rather controversial is that there are a number of police departments that are part of a program with Ring that gives them live, real-time access to all of the Ring doorbells in neighborhoods. And the idea there is the police can patrol the neighborhoods without having to spend money on cameras that might be up on telephone poles, et cetera. And they get their feeds live from people's doorbell cams, these Ring doorbell cams. So that could be considered good; it could be considered bad, just like about almost anything. Now we're seeing that they have been hacked. Yes, indeed. There is a hack that's out there that has been used, and hijackers have been live streaming people's Ring doorbell cameras. Now, where this gets really dangerous, and where it has been really dangerous, is something called swatting. You probably know about SWAT teams the police have, and unfortunately, most federal agencies have their own SWAT teams, which just constantly blows my mind, because why does this little department or that little department need a full SWAT team? It should really be a police department of some sort. But at any rate, the whole idea behind a SWAT team is they have special weapons and tactics that they can use in a situation where there might be a hostage, or maybe there's a report of a bomb or something else that they have to take care of. And thank God these teams exist, and they do drills. They'll do drills in schools. I know my police department does that fairly frequently, and I was involved with some of those when I was a volunteer on the ambulance squad here in town. All makes sense. But what has happened on a number of occasions, and far more than we like to talk about, is that there are bad guys, or people who don't like their neighbors, who call in hoaxes. Okay. Yeah. Yeah, exactly.
So here's an example in Wichita, Kansas. This happened a couple of years back, where a man had been arrested after allegedly swatting; a prank led police to shoot dead a 28-year-old man. So this guy, 28 years old, Wichita, Kansas: police surrounded his home after they received a hoax emergency call from a man claiming to have shot dead his father and taken his family hostage. And this call apparently stemmed from a kind of a battle between two online gamers playing Call of Duty online. The way these games work is you can talk back and forth. You can have teams, and you or your team members can be from almost anywhere around the world. And you're sitting there with headphones on and talking back and forth. You've got these teams, and in some cases, this is just one person against another. Apparently, they believe the report was an act of swatting, where somebody makes a false report to a police department that causes the police to respond with a SWAT team. Now, the audio of this emergency call has been made public. A man can be heard telling the authorities, this is according to the BBC, that he had shot his father in the head and claimed to have taken his mother and siblings hostage. The caller also said he had a handgun and had poured fuel over the house and wanted to set the property on fire. Sounds like the perfect thing for a SWAT team to come to. Police say they surrounded the address the caller had given and were preparing to make contact with the suspect reportedly inside. When Mr. Finch came to the door, they said one round was released by the officers after the 28-year-old failed to comply with verbal orders to keep his hands up. Why would he? What did he do wrong? Obviously, if the police order you to put your hands up, you probably should put your hands up. They said he appeared to move his hands towards his waist multiple times, which he probably did. Police say Mr. Finch was later found to be unarmed and was pronounced dead at a local hospital.
A search found four of his family members inside. None of them were dead, injured, or taken hostage. His family told local media he was not involved in online gaming. Gaming is a little different than Call of Duty and stuff; gaming typically is gambling. Now we're finding that the hackers are out there who do this swatting maneuver on somebody. Then they have the hacked Ring camera at that house, and they watch the SWAT team respond. Can you believe that? The FBI is saying that this is the latest twist on the swatting prank (some prank, right?) because victims had reused passwords from other services when setting up their smart devices. How many times do I have to warn about this? My buddy, I was just telling you guys about a couple of weeks ago, he's done that. His revenue, his pay from the work he was doing delivering food to people's homes, was stolen by a hacker because he was using the same email address, yes, to log in, and the same password as had been stolen before. Absolutely incredible. There have also been reports of security flaws in some products, including the smart doorbells, that have allowed hackers to steal network passwords, et cetera. In one case in Virginia, police reported hearing the hacker shout "help me" after arriving at the home of a person they had thought might be about to kill himself. That's swatting. That's using technology you've brought into your home; it causes death. Many examples of that, and we're still reusing passwords. Give me a break.

We were busy trying to defend the election this year and had, what did they call it, the most secure election in history, which baffles me. But anyway, our businesses and government got broken into; that's what we're going to talk about right now. Let's get into our big problem here this week. And this has been continuing for, what now, about two or three weeks we've known about it? This is a hack of a company called SolarWinds.
This hack apparently allowed intruders into our networks for maybe a year and a half, but certainly since March of 2019. This is a huge deal. We're going to explain a little bit about that here: who got hacked, what does it mean to you there? And I'm going to get into it just a little bit, something simple it could be, if it had been done right, that I have been advising you guys to do for a long time. Just like earlier I mentioned, hey, change your passwords, use different passwords. And in fact, that's a big problem still, but we'll talk about this right now.

SolarWinds is a company that makes tools to manage networks of computers and the network devices themselves. And my company, Mainstream, was a client of SolarWinds. Sorry, I want to put that on the table. However, about a year and a half to two years ago (it's probably been about two years) we dropped SolarWinds as a vendor, and the reason we dropped them, and we made it very clear to them, was we had found security vulnerabilities in their architecture, the way they were doing things. We reported these security vulnerabilities to SolarWinds a couple of years ago, and they wouldn't do anything about it. So we said goodbye, and we dropped them as a vendor. Yeah, we were a customer of SolarWinds. We were using their stuff, but then we abandoned them when they wouldn't follow what we considered to be basic security guidelines. It turns out they weren't, and we got it as a country. This has been called the Pearl Harbor of American information technology, because the data within these hacked networks, which included things like user IDs, passwords, financial records, source code, can be presumed now to be in the hands of a Russian intelligence agent. This is from the United States of America's main security guy, General Paul Nakasone. It's just incredible what he's admitting here. He said SolarWinds, that company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products,
What did I tell you? Making it an easy target, with current and former employees suggesting it was slow to make security a priority even as its software was adopted by federal agencies. Experts noted that it took days after the Russian attack was discovered before SolarWinds' websites stopped offering clients the compromised programs. Microsoft, by the way, said that it had not been breached initially here, but now this week it discovered it had been breached, and resellers of Microsoft software had been breached too, and we've got intelligence officials now very upset about Microsoft not detecting it. It's just absolutely incredible here. This wasn't something like we had with Pearl Harbor, but this attack may prove to be even more damaging to our national security and our business prosperity. This is really fast. I love the fact, I'm not going to say I told you, because I didn't tell you guys this, but I do love the fact that I was right again. How unfortunate; I'm right too often when it comes to security, and it is very frustrating to me to work with some clients that just don't seem to care about security.

And I want to jump to an opinion piece here from our friends over at CNN. This is an opinion piece by Bruce Schneier. You've probably seen him before. He also, I think, writes for the Washington Post. But remember when this came out, the word about the SolarWinds hack, President Joe Biden said we're going to retaliate, which I don't know that makes a whole lot of sense in this particular case for a number of reasons, not the least of which, we're not a hundred percent sure it's the Russians, but how are we going to retaliate? Cyber espionage is frankly business as usual for every country, not just North Korea, Iran, Russia, China, and Vietnam. It's business as usual by us as well. And the United States is very aggressive offensively, in other words, going out after other countries in the cybersecurity realm.
And we benefit from the lack of norms that are in cybersecurity. But here's what I really liked that Bruce said, and I agree with entirely. I'm glad he must listen to the show. The fundamental problem is one of economic incentives. The market rewards quick development of products. It rewards new features. It rewards spying on customers and end users, collecting and selling individual data. Think of Facebook when we're saying this, or Instagram, or any of these services that we're using all the time. So back to the quote here: the market does not reward security, safety, or transparency. It doesn't reward reliability past a bare minimum, and it does not reward resilience at all. And this is what happened with SolarWinds. SolarWinds ended up contracting software development to Eastern Europe, where Russia has a lot more influence and Russia could easily subvert programmers over there. It's cheaper for Russia, not just for SolarWinds. Short-term profit, that's what they were after here, was totally prioritized over product security, and yet their product is used to help secure IT. It just drives me crazy out there. Just absolutely crazy, what some people are doing. I read a little quote down; I'm looking here to see if I've got it handy on my desk, and I just don't see it. But they are prioritizing everything except security. And that is, I think, frankly, completely inexcusable. So this is happening with SolarWinds right now, but it's going to be happening with other places out there. We have probably 250 federal government agencies that were nailed by this. Can you imagine that? The man who owned SolarWinds is a Puerto Rican-born billionaire named Orlando Bravo. His business model is to buy niche software companies, combine them with competitors, offshore work, cut any cost he can, and raise prices. The same swapping corrupt practices that allowed this massive cybersecurity hack made Bravo a billionaire. Another quote here.
This is from TechBeacon. Hey, this is just crazy. Okay. So we know. Okay, I've established it. Craig, stop, stop the monotony. Okay. But I've got to mention, we've got: the US Treasury Department was hacked, the US Department of Commerce's National Telecommunications and Information Administration, the Department of Health, National Institutes of Health, the Cybersecurity and Infrastructure Security Agency, CISA, the Department of Homeland Security, the US Department of State, the Department of Justice, the National Nuclear Security Administration, the US Department of Energy, three US state governments, the city of Austin, many hundreds more, including Microsoft, Cisco, Intel, VMware, and others. I use two of those. We use Cisco and VMware. We use Intel, but only peripherally, and we actually prefer other processors. So this is a real problem. How are we going to change it? I don't know that we can, you and I, but I can tell you what you can do. Just like I keep reminding everybody: use a password manager, and I will have a course on that this year. Absolutely guaranteed. Using a password manager, use a password manager and generate different passwords for every website using the password manager; use the manager to log in. Okay. So that's step number one. That's the best thing you can do right now for your cybersecurity, next to keeping all of your software up to date. The

Something Something Cyber
Chuck Brooks - Cyber Insights for 2021

Jan 11, 2021, 46:25


Chuck is a great guest to join us as we kick off 2021! Chuck Brooks is a true "cyber influencer" who has managed to retire from Homeland Security into a full-time career teaching at Georgetown University as well as writing for Forbes. We discuss a wide variety of topics that pose a threat in 2021 to both enterprises and service providers: multifactor authentication, threat actors, the new cyber warfare environment. There are many different directions we could have taken with this one. Support the show (https://www.patreon.com/somethingsomethingcyber)

PensieroSicuro
UnPensieroSicuroCon Simone "Akira" Trimarchi

Jan 6, 2021, 16:22


Bonus episode of UnPensieroSicuroCon from 6 January 2021 - In this episode of UnPensieroSicuroCon, with AKirA Trimarchi we talk about #SicurezzaInformatica (IT security) in #online #videogame (online video games).

DIY Cyber Guy
#37 - Text-Message Security Codes No Longer "Good Enough"

Oct 19, 2020, 17:44


Understand the problem with a security code through a text message, and what to do about it.

Telecom Reseller
Podcast: LastPass simplifies security while expanding and increasing personal and business security measures

Sep 28, 2020, 10:21


The days of forgetting your password and worrying about your data are all over. LastPass is a savior to over 25 million people. Randy Fahrbach, Director, North American Channel, LogMeIn, explains LastPass to Don Witt of The Channel Daily News, a TR publication. The product addresses the 80% of business data breaches that account for $3.9 million per breach. With work-from-home now a well-established part of current and future business, attempts to breach security are up by 148%. Businesses cannot ignore this issue and must take corrective action to prepare for the "not if" but "when" the intrusion will occur.

Leading in security - As a password manager, their first priority is safeguarding your data. They've built LastPass so that they never have the key to your account.

Strong encryption algorithms - They've implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud. You'll create a password manager account with an email address and a strong master password to locally generate a unique encryption key.

Local-only encryption - Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass' servers, and are never accessible by LastPass.

Multifactor authentication adds extra security to your LastPass account by requiring a second login step before authorizing access to your vault.

For more information, go to: https://www.lastpass.com/channel-partners or call 480-253-5826

Craig Peterson's Tech Talk
Welcome! Password Requirements for Military Contractors and General Business Best Practices and more on Tech Talk with Craig Peterson on WGAN

Jun 13, 2020, 11:56


Welcome! Craig fills you in on the best security practices for passwords and what is absolutely required by anyone who is contracting with the US military. For more tech tips, news, and updates visit CraigPeterson.com --- Read More: What Government Contractors Need to Know About NIST, DFARS Password Reqs --- Automated Machine-Generated Transcript: Hey, does your business make something that might be used ultimately by a government contractor? Did you know that all of the requirements that they have roll downhill right into your lap? That's what we're going to talk about. [00:00:22] Hey everybody. Welcome. This is Craig Peterson. I'm so glad you guys are here. There are so many things to understand in this whole world of security and technology. It's frankly just very, very confusing. It's impossible to catch up on, I'll give you that, and it's very hard to keep up on. So what I've been trying to do here on the show, and then [00:00:44] in the webinars that I've been putting on, is to help you guys understand it, turn it into English, make it something that's workable. I had quite a week last week, very, very eye-opening to me, because I've been working with a few different companies just this last week that had major security problems and were completely unaware of it. To me, that is just completely unreasonable, right? Well, I shouldn't say they were unaware of them. One of them was the pizza shop that I mentioned, and they knew something was up because the payment card industry guys knocked on their door and said, hey, we've got to do an audit. [00:01:27] And they came in, took one look at the equipment that they had back in the, you know, computer room, if you want to call it that, you know, where the server is, and immediately failed them. That's all they had to do was see that Linksys router sitting up on the wall, because the Linksys is not good enough for businesses to keep your data safe.
[00:01:49] And frankly, the same thing is true for many of the other products out there. Now there's a lot of other levels that go beyond what the payment card industry is requiring. And one of those is for government subcontractors. I have quite a few clients that are government subcontractors, and I think every one of them came to me because they had [00:02:14] problems there they were trying to solve. Something was wrong. It was, computers were slow, emails weren't getting routed properly. Some of their customers were getting emails that actually weren't sent by them and yet had their return address on them. Right. Those sorts of problems. So we got involved and had a look and figured things out. [00:02:36] And you've heard a few of those stories here. Well, this week was interesting because one of the listeners for the show reached out to me. He got a job helping out a business that is a small business. It is, you know, by small business standards, a decent-sized business, but they make components that are used by the federal government, by the military. [00:03:03] And they were not doing what needed to be done. Not at all. And they think that they should be able to be ready in the next 18 months for the lowest level. And maybe they will, but based on what they do, uh, they've got to get a lot more ready, a lot higher. Right. That's the basic definition here: if you make something that either goes boom or attaches to something that goes boom, you have to comply with something called DFARS [00:03:40] and ITAR. Now DFARS is the Defense Federal Acquisition Regulation Supplement; much easier to just say DFARS, isn't it. And this is a set of standards that apply to civilian and defense agencies in the United States. ITAR gets to an even higher level and it requires compliance, but ITAR basically means, yeah, [00:04:04] yeah, things go boom. Okay. So if you make a component, so I have clients that make something as simple as power supplies.
And those power supplies are used by military contractors and they go into various types of devices, another client, we went out to them and to help them out, they decided not to spend the money they needed to spend. [00:04:28] I have no idea what they ended up doing, but they make cable harnesses that are used in military systems. And they weren't even close to being compliant, which is, you know, the typical thing that we see. So here's your problem, frankly, because of the new teeth that are in place now where they've taken and they moved it to something called CMMC and the CMMC is requiring them to do. [00:04:58] Even more and it has even more teeth on it. It's absolutely amazing. So we've, this is in place to help protect federal contract information. And a lot of these manufacturers say, Hey, you know, it's not going to happen to me. I make power supplies. I make screws. I make assemblies. And in some cases they make much more fancy stuff, but. [00:05:23] It does. It applies to all of you and organizations that failed to comply with these rules can get hit badly with massive fines, class, oxygen, lawsuits, and also jail time for the owners of the business, for the people who are supposed to be running the business. Real jail time. We're talking about 10-year terms for some of these things. [00:05:50] So we have to be careful. We have to look at what we're doing and we have to understand if what we're doing is the right thing. So how does this apply to you? Well, if you are just a regular civilian, I think you should be happy that finally the federal government. Is trying to protect our information. [00:06:14] Right. We've had the Chinese attacking us and we've been in these businesses where the Chinese had backdoors installed. And what does that mean? What's a backdoor while he imagines that your computers that contain your proprietary information are directly accessible by the Chinese. 
So that means whether or not it's military, your computer, the information on it is now in the hands of the Chinese. [00:06:44] And in the case of one of our clients, what that means is all of his designs. All of his clients lists all of everything that he has worked his whole life for. He now gets to compete against a Chinese manufacturer that has been given all of that stuff. So imagine that happened to you. What does that mean? [00:07:05] It, it means that our military isn't as secure as we had hoped it'd been. And we could go through all kinds of stories here. I, I really want to kind of stay focused, but what this means is we need to make sure, especially in this kind of post COVID world, that all of our systems are up to date. All of our systems are properly secured. [00:07:31] So this, this company, this week, one of these companies this week, they had put in VPNs and they had used some slightly higher-end equipment. You can't just go and buy SonicWall off of the shelves over at staples, but it does not meet any of these federal guidelines. And what really, really upsets me here is that. [00:07:57]They do a search online for the model of hardware, software, whatever it is they're using. And they're looking for an instance for compliance and it says, yeah, we're DFARs compliant when they are not compliant. It just. Ah, I don't know what to do about it. Maybe it's just me, right? Maybe I'm just a little bit too uptight here, but they're conning people. [00:08:24] They're conning you. And if you've attended my webinars, you know how these VPN companies are, conning is how these privacy protection companies are. Conning how the antivirus vendors are calling you. And I'm also seeing this for our, our military subcontractors. All of them that I've been involved with have been conned. [00:08:46] And now that's not true with the really big ones. Right. I deal with small businesses, 500 employees, and smaller, but. Man. They don't even know what they don't know. 
And that's part of the problem. Right? That's always part of the problem. So there are a few things I want you guys to, to understand and know, cause this applies to everybody. [00:09:09] First of all. Nest. This is a government organization that comes out with standards. It's a national Institute of standards and technology. And remember, they used to advise that you have these super-duper fancy passwords that are hard to remember and a different password on every machine. And you had to change them every month or two. [00:09:32] Well, they have relaxed that now, and they follow the same guidance that I've been preaching for years, which is. Have a passphrase, a set of words that you remember that you're not going to forget and that you can type in pretty quickly, but it may be 30, 40 characters long. And then use that in conjunction with a good password manager, like one password that is going to keep all of the passwords for you. [00:09:59] So you have the one big, really good master password and then a whole bunch of. A password stored in your password manager. Now let's see multifactor authentication is the next one I have on my list. And it is not what it used to be. Unfortunately, a multifactor authentication. Now a lot of people are looking at it as well. [00:10:22] Uh, it's just a text message. I'm gonna need a text message. Well, okay. That's, isn't that wonderful, but that is not true. Multifactor authentication, you know, multifactor authentication means something that, you know, along with something that you have, like a mobile app or security key. So be careful with this. [00:10:41] And again, if you're government contractor, you've got to use. Special types of key chain storage like TPM or TEA. If you need more information, by all means, reach out to M E me@craigpeterson.com. 
But if you're looking at getting some of this federal government money, By being a contractor, or if your devices are used or materials are used by military contractors realize that your neck is really on the line. [00:11:13] Now with CMMC long jail term, backbreaking fines, it will put you out of business. If you get audited, or if you lose some of this data, Hey, when we come back, we're going to talk about a lawsuit and, and I think this one's going somewhere. Google got sued for at least $5 billion because Incognito mode is not the incognito mode they've been advertising. [00:11:42] Hey, how sad for fun? Make sure you sign up. You get all of the information for business for home. Craig peterson.com/subscribes to crown. I'll be right back. --- More stories and tech updates at: www.craigpeterson.com Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson For questions, call or text: 855-385-5553

Mapletronics Tech Talk
An Added Layer of Authentication

Mapletronics Tech Talk

Jan 28, 2020 (9:42)


In Episode 21 of the Mapletronics Tech Talk Podcast, Jordan discusses 2-Factor Authentication and why it is an important added step to help protect your and your business's accounts.

Device Squad: the Podcast for the Mobile Enterprise
Security Matters with Data Security Risk Advisor Jason Marchant

Device Squad: the Podcast for the Mobile Enterprise

Nov 27, 2019 (67:17)


In today's Modern Digital Enterprise, the digital transformation podcast from Anexinet, Steve and Glenn talk with Takeda Data Security Risk Advisor Jason Marchant on the most pressing security issues today's organizations face.

This episode also answers the following questions:
- What are the largest internal security issues facing today's teams?
- How do we create a Security Scorecard as a path to remediation?
- How does Anexinet's Policy Characteristics Matrix compare with Scenario-Based Control Requirements?
- What are some 2-Factor (and multi-factor) Authentication best practices?
- How secure is 2-Factor Authentication, anyway?
- What are the implications of posting personal data to social media (health, etc.), and how responsible are the platforms for protecting that data? Does HIPAA still apply?
- What are the security determinants for moving to the Cloud? Does the move make a company's data more or less secure?
- How effective is data masking?
- What threats to AES encryption are beginning to emerge?
- What is the greatest security threat organizations face today?
- What about the role of AI/Machine Learning/Quantum Computing? How much of a risk do they pose?
- What are the risks of increased surface area (IoT proliferation) and morphing malware?
- What are the SANS Institute's "Top 20 Critical Security Controls"?
- How does Trust & Verify compare to Zero Trust in terms of risk-management practices?
- How do you determine your ideal risk-management strategy?

Links in the episode: SANS Institute Top 20 Critical Security Controls

Craig Peterson's Tech Talk
Welcome! Beware of Fake Sexual Harassment Claims Being Used To Mask Malware To The Advantages and Disadvantages of Future Military Technology, and Why Everyone Should Be Using Multi-Factor Authentication and more on Tech Talk With Craig Peterson today on

Craig Peterson's Tech Talk

Nov 15, 2019 (89:18)


Welcome!   Today there is a ton of stuff going on in the world of Technology and we are going to hit a number of topics from being aware of fake sexual harassment claims being used to mask malware to the advantages and disadvantages of future military technology, and why everyone should be using multi-factor authentication -- so stay tuned. For more tech tips, news, and updates visit - CraigPeterson.com --- Related Articles: Don’t Take The Bait - Fake Sexual Harassment Claims Can You Detect A Phishing Attempt? Vulnerability in Popular Anti-Virus Program Bots Losing Panache as Cybercriminals Hire In Third World Not If, But When -- Don’t Think You Are Not A Target Big Tech Has Your Private Medical Records -- Through Hospital Partnerships    Future Defense and Military Tech Best Practices in Authentication Still Mostly Ignored By Businesses --- Automated Machine-Generated Transcript: Craig Peterson 0:05 Hello everybody! Craig Peterson here. Welcome. Welcome, you are listening to me on WGAN and online at Craig Peterson dot com. Thanks for joining me. Today we are going to be talking about some of the most important things that are happening in technology as we do every week and more particularly what's going on in this security realm. We'll talk about how you can detect if it's a phishing site that you have gone to, New malware from TrikBot here, a brand new one. Some complaints here about McAfee. Every piece of anti-virus software McAfee makes has vulnerabilities. We'll talk about that major, major security problem. We've got an accounting fraud here and how it's getting harder to detect and Why we have breaches? You know, I talked to so many people, I have a lot of customers, a lot of business customers. And they're sitting there saying, Well, you know, this is all inevitable. So what should I do about that? We'll talk about that. Google, you might have heard of project Nightingale. We'll get to that today as well. 
Defense firms are on track to make some very, very scary hardware. We'll talk about that as well as some of the myths of multi-factor authentication. And there are a lot of myths out there about all kinds of this security stuff, frankly, but let's start with our friends at Microsoft. I bet you thought I was going to say Apple, didn't you? Well, we had a big patch day, Patch Tuesday, and it fixed 13 critical flaws this week, and one zero-day vulnerability. Let's start by explaining what a zero-day is. In this case, we're talking about a zero-day attack, which refers to a vulnerability that is undetectable by any current antivirus software or anti-malware software that has seen this particular problem before. Now you noticed that made a difference a distinction between anti-virus and anti-malware, right? Because anti-virus software behaves in a certain way. Anti-malware behaves well, frankly, a little bit differently. So what are the pros? What are the cons? What's the difference between antivirus and anti-malware? Well, as a general rule here, anti-virus is a subset of anti-malware. Anti-virus is something that we're doing now will probably continue to do forever. Still, it does not catch me. Most of the nastiness that's out there today, anti-virus is you know, at best release Some people would say zero percent effective, but I give it the kind of the benefit of the doubt. And it's about 20% effective. So if you have antivirus software, it's only useful about 20% of the time against all of these different types of attacks, it's probably close to 10%. If you pull in the human element into all of this, anti-malware software behaves a lot differently than antivirus software. Some of it is whitelisting, where it knows this is a legitimate piece of software that was not modified. So it allows it to run that on one side. These are quite difficult to keep up to date because you have to continually monitor what's going on in what the software upgrades are. 
What the checksums of that new version of the software are, their libraries, are they all legitimate all those DLL files and everything else they're using. It gets pretty darn complicated from the whitelist listing side. And there's a couple of companies that do whitelist. Some of them, frankly, do better than others. Craig Peterson 4:07 Some of them, in reality, isn't even really doing whitelisting when you get right down to it. And then there is the next level up, which is the anti-malware software. And anti-malware is software that looks at the behavior typically of what's going on. And there are there's software out there right now malware this designed to fool the anti-malware software to so it looks at it and says, Okay, this just installed Wait a minute, started opening a bunch of files. Wait a minute, is writing to a bunch of files. Wait a minute, and it's changing all these file names. That's the type of behavior that would be typical of ransomware. Good anti-malware software looks at the behavior of a program as it is opening all kinds of part the TCP/IP packets, that are trying to use a network to get to all of these other computers that are out there on the network. What is it doing? How is it doing? Why is it doing all of that? That's good anti-malware software. So it will do all of that it looks at checksums, it looks at just all kinds of things. And it typically has about a 10% performance penalty on your computer, and it can be a little bit higher than that. But it's they're busy looking at everything, examine everything trying to figure out what to do. So we have anti-malware software out there, as well as anti-virus. Those are the two significant types of software you'll put on to your computers. And frankly, anti-malware like well we use has multiple layers of software, and it ties into external databases and, and Cisco Telos to get updates and everything else. So that's what we use us what we do. 
So, in this case, we're talking about a zero-day Hack against some of this Microsoft software. So what does that mean? Well, that means that we're as of right now, none of the antivirus software knows how to detect this as a virus, none of it. That's zero-day, it's day zero. So tomorrow will be zero-day plus one, right? So day one of this out in the wild. And Microsoft, with their Patch Tuesday, decided they would plug 73 security vulnerabilities in their software products, including 13 of them, given the top level of a critical security vulnerability. And I guess it's kind of fortunate that this month only one of the flaws is known to be exploited. And this is a CV, that's what they're called that scripting engine vulnerability and Internet Explorer, and the sooner they get rid of Internet Explorer entirely, the better off everybody lives. Everybody's lives will be IE; they built it into the kernel so that they could have more control over it. You might remember the lawsuit against Microsoft saying, Oh, you can't ship a web browser that's integrated right into the kernel. Because now, you make it so that none of the other web browsers can work on internet XP on Windows, which was right in the very beginning. And you're blocking us out of there, and thereby it's anti-competitive, you know, it's all true. Now, IE because it's inside all these versions of Windows, these vulnerabilities can affect users who are no longer even using Internet Explorer at all. In other words, you don't have to launch the browser. You don't have to go out to the internet. You could get nailed on it right away. Okay. Now Microsoft Office is using the same rendering engine that has this vulnerability that internet access Laura has, and it can be embedded and in fact, triggered by an active x control on a booby-trapped web page. Active x is one of the worst things Microsoft could have ever done. It's right up there with some of the vulnerabilities and flash and Java. 
You know, are you kidding me you allow a web page to run code on a machine. And they at least they have markers on it, but it can be Mark now was safe for installation. The whole thing's crazy. I still don't understand Microsoft, and what they're doing here. Craig Peterson 8:36 So bottom line, make sure you do your update. I checked right before I went on air, and there aren't any significant problems that have been found with the updates here for November from our friends at Microsoft. They're often are. We also had this week, and some more patches come out from our friends, my friends, and yours from Intel. Now Intel makes a lot of the computer chips that are inside our computers, mainly for using a Windows machine. But Macs use Intel chips to, although they don't have to, I don't know why Apple went with Intel, you know, my guess was it was less expensive. And Intel also had some outstanding power performance numbers saw, you know, I can't blame them. But we have a bunch of patches that came out from Intel, that make all of their CPUs almost every processor they've made in the modern era is entirely vulnerable. Craig Peterson 9:39 And that's a terrible thing, including vulnerable not just on your desktop, but vulnerable in all kinds of operating systems and data centers. So, if you think hey, listen, I went ahead, and we moved all of our stuff to the cloud. They are just taking care of because it's in the cloud. Microsoft knows what they're doing. The answer to that is, well, they kind of know what they're doing. But they're stuck with this Intel vulnerability. There will be more patches coming out according to the people that found these vulnerabilities in every model of Intel CPU, Major, major, vulnerabilities. According to these people, there are more than Intel hasn't passed on yet for whatever reason. It's really, it's kind of crazy, frankly. So we got Microsoft patches for some major ones. This week. 
We've got Intel patches, some major ones this week, we've got Adobe patches that are out as well. So make sure you do the upgrades. I'm not going to go into all the details here. Man Adobe light set of patches this month only 11 security vulnerabilities from Adobe and Adobe Bridge, animate illustrator, and Media Encoder. Two months in a row where there are no patches for Flash Player. I'm not sure what that's about if they keep happening with flash player or if something else is going on. All right, stick around. We're going to be right back. You, of course, listening to Craig Peterson here on WGAN, make sure you visit me online at Craig Peterson dot com. We've had a few pop-up-trainings already. I'm doing some Facebook Lives and getting information out, and you'll only find out about them if you're on my regular email list. Craig Peterson dot com slash subscribe, and all of today's articles are up there as well. And there's a sign up right there too. So make sure you sign up to find out about all of the latest that you need to know. Craig peterson.com, when we come back, we're going to talk about chick bought something new going on out there trying to get us to do something we just shouldn't be doing. Stick around. We'll be right back. Craig Peterson 12:02 Hey, welcome back, everybody. Craig Peterson here, little beach music. I was out for the last week and a half out at a conference in Phoenix, Well I guess isn't exactly near the beaches is it, but it was sure nice and warm. And then I got back home, and you know what's happening up here in the northeast? Yeah, a little bit of cold weather. Some of it's a little too cold for my liking. You know, it just came on so fast. We were like in the 60s and 70s. And then all of a sudden it's like the 30s and 40s. I don't know what's going on. Well, let's talk about this TrikBot. It is a new malware that's out there. 
I've spoken to many times here on the show about what the FBI has been warning businesses, which is the business email compromise. You probably heard of that before bc we're talking about something that's cost businesses. Well over 10 billion, I think it's over $14 billion now. And we're not just talking about a little waste of time. No, we're talking about these guys and gals going right after our business bank accounts. And the way they do it is they're kind of sneaky about it, they get and get you to, to basically for the money, right to wire the money to do other things that are going to hurt your business. You may not realize it at the time, and they're just trying to fool you. Right. So how do you fool someone? And I know I know you can't fool an honest man. I've heard that so many times in the past, and there's a lot of truth to that. But here's what they're starting to do now. And you might have gotten one of these. I have had several listeners reach out to me. I and quite a few saying hey, I just got this email chain that, you know it's it's got a video of me visiting this, this nasty website out there right so you guys are probably heard about that one before it's been around a little while. Well, now what's happening is they are sending an email that appears to come from the US Equal Opportunity Commission. This email is saying that wait a minute here, and we have a sexual harassment complaint against you. Now I understand as a business owner, how this can be kind of crazy. And I owned a building, a business office that I had my business running out of, little more than 20 years, maybe a little longer. Ago now. And that business office, I put in doors, and all of the doors were floor to ceiling glass because I didn't want anybody saying that I was harassing somebody or doing something illegal. Now, of course, I, you know, we didn't have microphones and cameras and things. 
But I just wanted everyone to feel reasonably comfortable that no one was going to corner anybody. And, you know, I think I was kind of mostly successful about that one of these days or forever sitting down having a beer, you might want to ask me what happened there. But anyway, this is something called Trikbot, and it's a banking Trojan. And it's going after employees of large companies. And it's trying to scare these employees into thinking that the US equal Equal Employment Opportunity Commission EOC is coming after them. And they are trying to get them to and are being reasonably successful in having them handing over sensitive information. And they're using a bunch of different social engineering techniques, including malicious payloads or redirecting them to fraudulent sites they control by emails that look like coming by somebody they trust, etc. Okay? Now, these spearfishing emails, and I'll read you the text in one here in just a minute here. But they, what they end up doing is dropping a malicious payload on to your computer. And as part of this campaign, these malware operators use the information they've collected from people, such as their names that company they work for job titles, phone numbers, to customize these phishing emails to make them a lot more convincing. Now think about your business and your business's website and other information that you're making available to the public. Digital website has, who the officers of the corporation are. Craig Peterson 17:04 Now I know that all of us for our businesses, we have to file with the state chapter file with the IRS and various other things. But when it comes to the state, those records tend to be public. So people can go online, they can find out who the President is, who the officers of the corporation are, who the Registered Agent is, etc., etc. Right? 
And so now a bad guy can go online and find out almost anything they want to find out about a smaller company because it's right there on the website. Now is that easy or what? Now let's go into one of these pieces of email. Everything from the email subject This is from bleeping computer dot com. Everything from the email subject and the message content to the malicious attachment. Each of these mouse spam email Males comes containing the potential victim's name. Now I'm looking at it here. It's got a form, and it seems like it's legit. It has the logo of what I assume is the US Equal Employment Opportunity Commission because it looks official enough to me, and the title at the top is the U.S. Equal Opportunity employment commission harassment complaint. Then the complete submission of a complainant form has initiated an intake interview with an EOC officer. Okay, this is what they're sending out right now. It looks very, very legitimate. And they use the name of the victim with a grievance raised against you. That's a subject for each of the phishing emails, and they're trying to get you to pay attention. They also have a customized email body to instill a sense of urgency. So it'll say, dear name of the victim, private and confidential. One of your co-workers has lodged a complaint with the EEOC. Now on top of it, all the malicious attachments, drop TrikBot payloads also have customized names. And again, it's the name of the victim-dash harassment complaint letter, and it's got a phone number on it. The entire purpose is to get you to open that attachment. And by adding this personal touch to the phishing emails, they've been increasing their chance of people opening them. Now, you know, I do a little bit of marketing for some of the courses that we offer and, and for some of the other services, you know, like the security services that we offer the businesses, so I've studied some of the marketing stuff that's out there. 
And I can tell you right now, most people, if you get an email that looks like that are not opening it. If you're concerned about a particular email and you have listened to my show for the last 20 plus years. You're very, very worried about it and legitimately so. Craig Peterson 20:10 So I'm not sure just how effective this is, you know, spam emails right now have an open rate of about, well, it's less than 1%. Legitimate emails have an open rate of, you know, as much as 15 to 20%. So I don't know how well they're doing. But when they're sending out 10's or hundreds of millions of emails, we're talking about some pretty darn serious stuff here. A lot of potential victims. These are highly targeted and regularly updated. That goes into some of the problems with antivirus software we will talk about later on. And that is if it hasn't seen that before, it's going to get tricked. This spear-phishing campaign delivers the malware payload. It's evolving. It's a banking Trojan. The purpose is to get you to give some banking information out. And apparently, it's been pretty successful. By the way, it's been in the wild since October 2016, one of the most aggressive pieces of malware that are out there right now. Stick around. When we come back, we'll be talking about McAfee's antivirus software and what's going on with that. Especially as it relates to some of the malware that's spreading out there in the world, right now. Make sure you are on my email list. So you keep up to date with everything that's going on. Craig Peterson comm slash subscribe. I'll let you know about the pop-up-trainings. I want you to pay close attention because I'm not going to hound you about this stuff. And we've had a lot of people attending them. They're free. Usually, they have two-hours worth of content and questions and answers. Stick around. We'll be right back. Craig Peterson 22:05 Hey, everybody, welcome back. Hey, did you see this? 
It was an announcement by one of the investment firms saying that Tesla might be missing the boat when it comes to electric cars? You know, we've all thought Tesla was the leader in the in that isn't so many ways right and built their battery factory. They've been just doing all kinds of amazing things, but it looks like they might be losing a little bit of an edge when it comes to the overall electric car business. Because now you've got Ford and GM, the major US manufacturers, I think Chrysler as well. I know Ford and GM both have some major stuff going on, as well as the Japanese firms like the Nissan LEAF. That's been all-electric for a long time, although Nissan stops making the thing some of these us manufacturers are definitely in the middle of it all. And you probably heard me a couple of weeks ago talking about some of the real risks when it comes to Tesla electric cars, particularly in the event of an accident. It's a scary thing. Frankly, it's a frightening thing being involved with the MS for all of those years to think about it. Well, we spoke a little bit in the last segment about this TrikBot malware using fake sexual harassment complaints as bait. We started off the hour talking about Patch Tuesday, and 13 critical fixes for Microsoft software, this critical fixes out for Adobe software, you got to apply these patches. According to the stats I've seen. There are, on average, about 65% of Windows computers that do not get updated at all. If this is you if you're one of those people, I urge you to spend a few minutes, let's make sure that the machines are updated. I know some people that say forget about it. I'm just going to replace my computer when it's just so far out of date. I know some people have done that with cars, too. I had a good friend I haven't talked to in years. But he was telling me that his dad did the math, back in the day, many many years ago. 
His dad did the math, and he figured that if he paid for oil changes throughout the life of an engine just wasn't worth it. So he said, Hey, listen. What did an engine cost back in the day it was a couple of grand for a boxed engine, and he was a mechanic he could quickly put in a new engine. And if I pay for oil, filters and my time to change the oil I will pass the break-even point at about 30,000 miles. So, in 30,000 miles, it was cheaper to replace the entire engine, than to pay for years of oil changes. Can you imagine that? So I did some quick mental math, and I agreed with him. He said, Listen, it's not as though I don't have oil in the engine. The engine will run off this known oil in it. But all I do is add oil when it needs oil added, and he never changed his oil. And at about 50 to 80,000 miles, you'd have to replace his engine. So he figured he was ahead of the game. Nowadays, with these new engines and filters and oils and the oil is just so thin. Nowadays. They're saying 10,000 miles give or take between oil changes, so it's not anywhere near as bad. Plus, some of the cars today will tell you, hey, I know Need an oil change? So you don't even have to keep track of the miles, you know, used to be 3000 miles. Do you remember you might not be old enough to remember, but the oil did not have the cleaners in it now, nowadays they have been detergents because your engines would get all sludgy? And what a mess ever take one of those apart, even just the head of the engine, the mess that was in there, we don't have those problems nowadays. Well, some people have taken that whole idea of, hey, it's cheaper to change the engine than it is to change my oil. They've taken that to the extreme. But you know, it is not like that when it comes to computers. You can't just have the laptop sitting on your desk or under your office and leave it there for years to come and say, Hey, listen, when it breaks down, I'll replace it. 
I'm not going to bother doing upgrades; my software won't work because it's running Windows XP or some old version of Windows, so I'll go out to one of these big-box retailers, buy another computer, and throw this one away.

Craig Peterson 27:14
That is a very, very bad idea.

Craig Peterson 27:16
And I suspect that's where some of the 65% of people come in that are not maintaining their computers. Now you have to keep them updated because, unlike your car, your computer is continuously under attack. So that means you have to not just upgrade and update Windows, but all of the software that's on your computer. You know, I talked a little bit earlier about Internet Explorer, and Internet Explorer alone, just having it on your computer, will cause other programs on your computer to get infected and allow hackers access. It's just plain old not worth it. Well, let's talk about antivirus. Oh, you remember I said antivirus software? Yeah, I've convinced myself that it's about 10% effective, and no more than that, guaranteed. And we can go through all the numbers again if you want to buy me a beer sometime; we'll sit down and go through all the numbers and how antivirus software does not work.

Craig Peterson 28:19
Well, let's talk about some software that doesn't work: McAfee antivirus software. In an article from ZDNet, it has a code execution vulnerability, a severe security flaw that can bypass the self-defense mechanisms built into McAfee antivirus. Very, very big deal. SafeBreach Labs, their cybersecurity team, is one of the groups that go around and test software, try to find vulnerabilities, and then let the manufacturer know so they can take care of it. They're saying that this particular vulnerability can be used to bypass McAfee's self-defense mechanisms and could lead to further attacks on a compromised system.
Now, this vulnerability exists because of a failure by McAfee's programmers to validate whether or not the DLLs it's loading have been signed, let alone appropriately signed. Remember, I even mentioned that in the first segment today. These self-defense mechanisms are essential, and they need to be in place; even though the antivirus software is going to be at best 10% effective, at least you would have 10% effectiveness, right? So because they can bypass the self-defense mechanisms, leading to further attacks on a compromised system, it needs to get fixed right away. You see, an arbitrary unsigned DLL gets loaded into multiple services that run as NT AUTHORITY\SYSTEM.

Craig Peterson 30:06
Now, the only good news is that attackers need to have administrative privileges to take advantage of it. However, I rarely walk into a business where everyone isn't running with, frankly, administrative privileges. The companies do that, and I understand why they do it. It's a bad thing to do; you should never do it, right? But I know why they do it. They do it because, oh, it's just so much easier if I have to install software, rather than calling the IT person. And the IT person is the assistant to the owner, and she's always busy, he's always running around doing stuff. I don't have the time, and I can't keep asking for permission to do things. So everybody gets administrative authority. There are three main ways in which this vulnerability gets exploited, according to SafeBreach Labs. The antivirus software might not detect the binary, and it loads it without any verification. Impacted software includes McAfee Total Protection, Anti-Virus Plus (AVP), and Internet Security from McAfee, up to and including version 16.0.22. You must get the latest software. So, if you have McAfee, update pronto. And as I said, you should update anyway. And don't use antivirus. I recommend getting a robust anti-malware stack of software.
Craig Peterson 31:39
So what are people doing? What are vendors doing? They're just renaming their stuff as anti-malware stacks. Yeah, yeah, that'll fix the problem. You're listening to Craig Peterson on WGAN. Stick around. We'll be right back.

Craig Peterson 32:02
You know, it's funny how you get used to the weather, whether it's hot or cold. You're listening to Craig Peterson here on WGAN and online at craigpeterson.com. You'll find my Facebook page by going to craigpeterson.com/facebook. And I've started posting some stuff up there. Well, I do that actually every day. My wife is the one that's putting up the articles that I come up with every week, every day. But you're also starting to find I'm doing Facebook Lives and YouTube Lives, and, you know, I'm getting a little better at some of this stuff. And there are a lot of possible angles here. By the way, I mentioned I was at this conference, and I was learning a little bit more about marketing and product development out there. Product development is what I kind of love doing, right? We can do it quickly. We know what we're doing. We know how to do it. So we're trying to figure out how we can produce a very inexpensive product that is going to help a lot of people when it comes to security. And I think we've got the answer. I don't want to be, you know, mean and nasty about this, but we're working on it. And we should have something a couple of weeks from now that I think is going to change lives. I think this is going to be earth-shattering. If we do this the right way, it is going to change everything for anybody that decides that this is for them. So we'll be talking about that a couple of weeks from now. But it's an idea from another industry; in fact, it's the tennis training business, and I think it's like the world's most perfect idea here when it comes to us. So we'll be talking more about that.
But you can find information on the articles that I have every week, you can see all of that stuff, you can find out about the free pop-up classes, the pop-up trainings that I've been doing, you can find out about some of these Facebook Lives and YouTube Lives. All of these are free training. I'm just trying to get this information into your hands: the whats, the whys, and the hows, all of that stuff. And there's only one way to get it, and that is to sign up. Go to craigpeterson.com/subscribe, and I will make sure that we send you every week just a quick summary of the stuff that's going on. I'm going to have special sign-ups for these pop-up security trainings. So no, I'm not going to send you a lot of emails unless you ask me to, right? That's the default. We got a great article from Joan over at darkreading.com. DarkReading.com is one of those websites, one of many, to which I pay quite a bit of attention. They have some great, great content. In this article, they're talking about fraud and how it has changed. You, I'm sure, are familiar with our friend the Nigerian prince, and all the things he did and how he tried to get his money out of the country. All he needed was to use your US-based account, and you could keep some of that money. You remember that, right? It was just full of misspellings. It was just terrible, and there are reasons for the misspellings; there are reasons for the way they do things. No doubt about it. Well, things have changed. Now the economics have changed. And they are swamped, making a whole lot of money. And they're doing it in different ways than they've done it before. You know, we've got tools now to detect and mitigate some of these attacks. And the easiest way to do that: we have some software that all the email flows through, and it's looking for patterns that make it look like it's a bot that's sending out these emails.
And when we put this particular filter in place, in fact, it's an AI bot itself. That's right, the battle of the AIs, that's coming too. But you know, the amount of spam these things dropped by 90-plus percent. It's just dramatic how much it helps.

Craig Peterson 36:58
Well, what has happened now is the bad guys have found that labor is getting cheaper and cheaper in some of these developing nations out there. And they're able to get people in Venezuela, for instance, where they are starving to death, where they are picking through garbage because of their socialist government. And man, I saw this thing the other day, it just shocked me: they were using a Sharpie to write a number on people's forearms, so they knew when they could get food. Yeah, when they could get food from the grocery store. That's how bad it is in Venezuela. So you have to wait in line. You have to obtain a number. Thank God it's not a tattoo, it's a Sharpie, but you have to get a number there on your forearm, and then you can get food. And if you can't wait, and if you don't get enough food for your family, you're going to have to go through the garbage. It's just absolutely insane. Well, cybercriminals are hiring workers in Venezuela now, where the hourly wage has gone way down compared to other currencies. I am not sure if you remember, but Venezuela used to be one of the wealthiest nations in Central and South America by far, and is now one of the poorest countries in the world thanks to their socialist government. Well, the hourly wage is so low that it now makes economic sense to pay people to manually carry out the fraud, to write these fraudulent emails, to do the research, to get the stolen account data, instead of using bots like they have been doing before. So, here's a quote straight from the article.

"Attackers are giving people a script and saying, here's a quota you have to hit. Criminals are always trying to figure out what is the lowest-hanging fruit. As merchants and companies evolve with defenses, these attackers evolve. Humans just happen to have become the flavor of the month." So these human-driven attacks are increasing quickly and exponentially. Now, the most recent fraud report that came out, covering Q3 2019, so just this last month, found that attacks carried out directly by humans, both lone perpetrators who are trying to get money to support their families in third-world countries and organized criminal groups, increased 33% over the previous quarter. Nearly one in every five fraud attacks is manual now rather than automated.

Craig Peterson 39:57
Now, of course, their goal is to look as legitimate as possible. Having humans involved does increase your chance of success. And so many people worldwide speak English, because English is the international language of business, and it's causing a problem. This quarterly report that came out from Arkose looked at 1.3 billion transactions spanning account registrations, logins, and payments in the financial services, e-commerce, travel, social media, gaming, and entertainment industries. Overall fraud increased 30% in Q3, and bot-driven account registration fraud is up 70% as cybercriminals test stolen credentials in advance of the US holiday season. Isn't that amazing? But now every third attack on financial services is manual. Attacks are coming from fraudsters now with access to stolen identity information. They're using the latest tools. Over half of the attacks that originate from Russia and China are now human-driven. It is changing everything. The data highlights that the entire attack incentive for countries across the globe is economically based. We've got some substantial economic things happening here in the US.
If a nation's currency is worth only a fraction of the US dollar, then the incentive of a criminal in that country to defraud an American business is very high, because they've got that multiplier based on the value of their currency compared to the value of the US dollar. So it's incredible what's going on. You've got to watch it. You've got to be careful, because there are a lot of bad guys out there that are looking to get their hands into your accounts. And we've got this shopping season right in front of us now. So what I would suggest to everybody is, check with your bank. Depending on your bank, and it doesn't matter if it's Visa or if it's MasterCard, Visa tends to be pushing this a lot more than MasterCard is, but whether it's Visa or MasterCard, you're going to find that they have virtual card numbers that you can use. And the idea behind these virtual card numbers is that you have a one-time card number that you can use when you are buying something online. So instead of having your regular credit card number that you're using sitting there in a merchant database that may or may not be configured appropriately or secured, remember, a secure server doesn't mean that their server is secure; it just means that your data going to it is protected in transit. Instead of giving them your real credit card number, and having that stored in a potentially insecure database, now all you have to do is give them that temporary credit card number. Go to your bank, and you can usually check on the website, before you start buying stuff online for Black Friday. And we're going to have some Black Friday deals too, or Cyber Monday, or, you know, whatever it is, for Christmas, for Hanukkah, for whatever you're celebrating. We have birthdays too over this holiday season. Get your bank to give you access, and this will be online access, to get a different virtual credit card number every time you do a transaction online.
It's cheaper for them to do that than it is for them to issue new credit cards when they are compromised or stolen. It keeps happening. All right, stick around. We will be back. We've got one hour to go. We're going to talk about Google's Project Nightingale and see if that's scary enough for you. We are concerned here about some of the defense firms, and multi-factor authentication. I will run through how you can tell, right, what's the best way to do it, and how to detect a phishing site. We'll get to all of that in the next hour. You're listening to Craig Peterson on WGAN and online at craigpeterson.com. Stick around. We'll be right back.

Craig Peterson 44:52
Hello, everybody. Craig Peterson here on WGAN and online at craigpeterson.com. Hopefully, you join me there and sign up for my email list. I'll get you in my newsletter. You can do that by just going to craigpeterson.com/subscribe and subscribing to my newsletter. Every Saturday, we are here talking about some of the latest in technology and security, the things that frankly you don't hear about, at least not the right answers, in the general media out there. It's just amazing to me how many things they get wrong, again and again and again. I try never to attribute to malice what can be easily attributed to incompetence. Is that a terrible thing to say about some of the new people in the media? You know, if you get right down to it, they have so many things that they have to know about and be semi-experts on to write some of the articles, so I guess I really can't blame them, well, for at least some of that. Well, let's talk about the chaos here for a couple of minutes. We are in the new normal. Now, I'm not talking about what President Obama said the new normal was, which is people, you know, unemployed, high levels of unemployment and a stagnant economy and stuff.
I'm talking about a recent survey that was conducted by a security company out there that showed that 86% of 250 top security officials who participated in this survey believe that cybersecurity breaches are inevitable. Now, that opens up a whole can of worms, because if it's unavoidable, does that mean there's nothing you can do about it? I think by definition it does. It is inevitably going to happen no matter what you do. So why do anything? Many people have done nothing. Remember, in the last segment, if you've been listening in the previous hour, I talked a little bit about how 65% or so of computers are never upgraded. That's a bad thing, right? And nowadays, when we get right down to it, and we're talking about these 250 professionals, people that know what's going on, we're talking about people who realize that the complexity of today's cybersecurity in businesses makes it so that it's almost inevitable. Now, when we think about cybersecurity, we're thinking about companies. Obviously there is some truth to this for home users, and that's why we did this security summer, you know; I had that 150 pages of cheat sheets that we gave away to everybody who participated in it. It was designed to help you understand what you had to do in different circumstances. And hopefully, you got all of those. They were all sent out by the end of September, because, you know, summer doesn't end until September 21, so I had a little extra time as my team and I delved into that labor of love out there. But there are a lot of pieces, moving parts to this puzzle, and it makes it very, very difficult. Nowadays, we're making our lives even worse because of cloud adoption. We're using cloud services. We're using hybrid environments spread across physical machines, different locations, different teams, various cloud providers, and now businesses are using something called containers.
I remember when I first heard about them, I was thinking about, well, an oil container? Okay, so we're talking about the types of things you put on a truck and then put on a ship, right? Or one you can rent while you are making improvements, like I did in my kitchen.

Craig Peterson 49:11
I got one of these little containers, one of these small pod containers, and loaded it up with all of our stuff while we were working on it. Yeah, that's not what the containers the businesses are using are. These dedicated containers perform a specific purpose, like running a website, or a database, or something else. It's just getting very, very difficult to keep track of it all. And frankly, that's why we're seeing some of the major breakdowns. Now, we do see these breakdowns, like Equifax. What was that? It was, oh yeah, a username of admin with a password of admin, right? Stuff like that is just plain old stupid, but because everything is so complicated and was not tested thoroughly, they broke in. Now, if you are in a business like, for instance, a shipbuilder, you are thinking about failures. Because if you're out in that open ocean and you get a rogue wave that comes in and hits you on the side, your ship is going to flip over. Now obviously, you don't want to name your ship Concordia. Another one just ran aground this week over in Norway. Of course, the big Concordia running aground was in Italy, and what a mess. But shipbuilders realize that ultimately, ships are going to fail. There is going to be that rogue wave, or it is going to run aground, or the propulsion system is going to go down. And the extremes are like submarines, where you have all the compartments, and the idea is that a breach might occur in one compartment, but the other compartments will not. So we're spending billions of dollars, and we're likely preventing a lot of bad stuff. But the number of high-profile breaches is just increasing and causing devastating damage to us as consumers.
It's going to last for decades. And why? Well, like so many other industries, people in the security business are not preparing to fail, and companies are not preparing to fail. It's like what I teach in my backup course, the 3-2-1 backup methodology, and I should do another pop-up training on that. Frankly, you've got to have multiple copies of backups, numerous generations of backups, on various types of media, in numerous sites, because of Smith's commentary. Now, you might not be familiar with Smith's commentary, but Smith's commentary on Murphy's Law is that Murphy was an optimist. And of course, Murphy's Law is: if anything can go wrong, it will. So shipbuilders have engineered the systems. They have segments in the hulls; they have multiple hulls, double- and triple-hulled ships, so that if it's carrying oil or something else, if there is a penetration of the hull, the ship won't dump oil or whatever into the ocean. It's been done this way since the 15th century, and it's done in today's modern vessels as well. Even the Titanic had some of these things in place, although it had some other problems. I don't know if you've seen some of the more recent studies, by the way, on the Titanic. It's fascinating. But it looks like what happened was there was a fire in the Titanic's hold, a coal fire, that they couldn't put out. It had been smoldering and caused a weakening of the ship's hull, and that's why when it hit that iceberg it tore open. But that's another story. So let's talk about some principles here, security principles that they use in shipbuilding that we need to look at in modern IT. Shipbuilders assume that at some point the ship will suffer a leak. So how do you protect against that? How can you fix that? Well, they create hulls that prevent a single leak from sinking the whole ship. So, in the same way, you have to assume there might be a breach in your corporate environment and segment your network so that it doesn't spread.
There's a lot of detail we could discuss, and maybe I should do some Facebook Lives on these things.

Craig Peterson 53:52
The staff who are responsible for maintaining the ship's hull are monitoring for leaks. They're watching for leaks, and they're regularly patching. They're painting, they're scraping, right, to get rid of the rust and to make sure that there isn't a major flaw in the ship's surface, or, you know, hull. They're trying to keep the ship safe. So, in the same way, our modern security teams have to be vigilant about monitoring and patching, to prevent these cracks in the perimeter as well as the interior. We just last week had a client who had an internal breach. They were using a VPN to allow a remote office to get into their primary network. That remote office was breached and was used as a launching pad to get onto their primary network. And then, once on one machine on the main network that they could breach, they were now able to spread within the main network. We've got to watch this. The ship's most sensitive equipment is in the engine room. In the case of a business, your most critical IT assets are the same thing. Ships have staff on lookout 24/7 to make sure there is a good watch; we need to do something similar with our data. Keeping the crew from accessing the bridge is an important safety measure. We've got to make sure that our user identities get set up correctly, and that employees, contractors, and remote users can only get to data they should be getting to. And we could go into attack after attack after attack. But the bottom line is, when you're designing your security, you have to anticipate a breach. You've got to patch everything, keep it patched and up to date. And you've got to segment your networks. And if you need to be secure, the newest types of networking are called zero trust networks, where nothing can talk to anything else on the network unless it's explicitly allowed, because we can't trust it.
So at the very least, segment out your Internet of Things devices; make sure your sales guys are on a different network than your accounting people, right? Break it all down in the business space. When we get back, we're going to talk about us in the consumer world and Google's Project Nightingale. Man, is this a scary project, but, you know, heck, it's Google, and Google can't do anything wrong, right? You're listening to Craig Peterson right here on WGAN.

Craig Peterson 56:43
Hello, everybody. Welcome back. Craig Peterson here after the top of the hour. And we are talking about the latest in security and technology. What's going on out there? We cover in some depth here some of the things that you need to understand. Some of these things are specific questions that I've gotten from you. So if you have a question of any sort you'd like me to answer on the air, or maybe answer directly, email me. It is me@craigpeterson.com. I am glad to do it, or you can drop it on my Facebook page. Now, I have to say that I get thousands of emails a day, so sometimes it can take me a while to get around to it. So don't feel bad if I don't answer your question right away. But I am pretty good about answering most of the questions that people ask, particularly if you email them to me@craigpeterson.com; that's what I monitor the most. Some of my team helps track that too, which is a very, very good thing. Mountain View, California, dateline. It is a scary story, and, you know, we just had Halloween, but here's what's going on. You might not be aware of it. HIPAA is a law put in place, oh, decades ago now, I think maybe even as much as 20 years ago. The most significant part of HIPAA is this whole concept of portability. Now, you may not realize it, the bill was certainly not advertised as being this way, but it is this way. Here's the problem.
Before HIPAA went into place, what was going on was, if you had your medical records, those medical records had to be kept private; they could not share them with anyone. What HIPAA did was define the rules for sharing, among other things. Before HIPAA, your medical records were considered private and kept secret. After HIPAA went into place, your medical records could now be shared almost anywhere in the medical community. And of course, with portability, the idea is, well, you've got your medical records, you want to go to Florida for the winter, so you want the doctors in Florida to be able to have access to your medical records, which is all well and good. It makes a lot of sense. However, there are other things going on in there, still. If I want the medical records of every patient in hospital X or health plan Y, and I say, hey, listen, I'm going to buy the company, I'm thinking about buying the company, I'm thinking about purchasing that hospital, the hospital has the right to give me all of your records. That's the bottom line. Scary. And that's been happening. Our medical records have been shared and traded like trading cards. So, one of the largest health systems here in the United States is called Ascension Health. And you might have heard of it before, mainly if you are at all involved in the Catholic nonprofit health system. The Catholic Church has taken care of millions of patients for free much of the time, you know, at no charge to the patient. The Catholic Church has been behind many of these hospitals and the medical treatment that we have used for generations, frankly, and, you know, good on them. It has been wonderful. And they've kept costs under control reasonably, right? Right by where I live, there's a Catholic medical center that is renowned in the region for its cardio care. And like many other hospitals out there, they will also provide charitable care for those people who can't afford it.
So Ascension partnered with Google. Now, Ascension is, again, the largest health system here in the country, and it partnered with Google. And Google now has access to detailed medical records on tens of millions of Americans, according to a report by the Wall Street Journal. It is code-named Project Nightingale; I'm sure you can figure out why they call it Nightingale. And it has enabled at least 150 Google employees to see patient health information that includes diagnoses, laboratory test results, hospital records, and other data. Now, remember, before HIPAA, man, you could have sued and won if your medical data got shared without your knowledge, let alone your permission. Now some of the negative results of those HIPAA regulations are coming to light, where the largest health system in the United States, Ascension, shared your medical data with Google. That is a very, very big, big deal. Now, this is reported by the Wall Street Journal, according to internal documents and the newspaper's other sources. In all, the data amounts to complete medical records and contains patient names and birthdates, according to the Wall Street Journal. Now, this is a move by Google to try and get a strong grip on the medical business, the sprawling healthcare industry. In November, Google announced a deal to buy Fitbit, and that has gone through. I'm sure you've seen that. So now it has access to all the sensitive health data that was amassed from Fitbit. How much information have you been giving them? They've got all kinds of health records. What have you put into those things? And we have Google, Microsoft, Apple, and many others competing to get access to all of our medical records and to be the storehouse, so that when you go to Florida today, your records are there because you shared them on purpose.
Neither Google nor Ascension, according to the Wall Street Journal, neither Google nor the country's largest health system, Ascension, has notified patients or doctors about the data sharing: 2,600 hospitals, doctors' offices, and other facilities across 21 states and the District of Columbia. So Google's ultimate goal is to develop a searchable cloud-based tool, but here's what I found particularly interesting, and that is about transforming care. In a statement from Ascension, the VP of strategy and innovations, Eduardo Conrado, said, "As the healthcare environment continues to evolve rapidly, we must transform to better meet the needs and expectations of those we serve, as well as our caregivers and providers." So what are they doing here? Well, it turns out that apparently they're having the hospitals enter your data into these healthcare records, uploading them, analyzing them, and helping the doctors come up with a diagnosis as well as a prognosis, frankly. They're hoping to improve outcomes, reduce costs, and save lives ultimately, and you know what, they probably will. But the issue at hand here goes back to the HIPAA Act of 1996. And should we be able to control our medical records? That's the big question. It looks like the answer to that is no, and has been for 30 years. Thirty-ish years; not quite, 25. All right. When we get back, we're going to talk about robots of the killer variety. What is going on with some of these government contractors out there? Man, is it a scary show today, isn't it? Well, I'll compensate next week. You're listening to Craig Peterson here on WGAN, and tune in on Wednesday mornings at 7:38 with Ken and Matt, and I'll be online there too.

Craig Peterson 1:06:38
Hey, Craig Peterson here, WGAN, online at craigpeterson.com. We are nearing the end of the show here. We only have two more segments together. But that's enough time to cover a couple of these articles I want to get to today.
Let's start with this one first here, which is the robots. You know, I have long been concerned about robots, as have many other people. Some people much smarter than I have been very concerned about them. Take a look at what Elon Musk has been saying. That's part of the reason he wants to move us to Mars: artificial intelligence and robotics. Think back, wow, even to the early 1990s with I, Robot. And that Russian author, I can't remember what his name was, but it's been a concern for a very long time. Now, things are changing rapidly. In an article from QZ.com, a new report is out from PAX, a nonprofit based in the Netherlands that's campaigning for peace around the world. And of course, pax is the word for peace in many languages, and they're warning about this new potential trend that's coming out. I don't know if you've seen some of these movies where there are swarms of drones, and those drones swarm in on something. There was a recent one, and I think it was Angel Has Fallen with Gerard Butler, and the President is targeted by an attack by this swarm of drones. We had the same thing happen, I think it was only one or two drones, in South America, trying to take out a president down there. Well, our militaries are looking at some of this newer technology to conduct war. And, frankly, they have to, because the bad guys, the other guys, whoever our ultimate future opponents are, are looking at this as well. China has spent a lot of time on it. And if you look at something like these drones, you could easily have killer drones out there. These drones only have to have an ounce of high explosives in them, get close to a combatant, and explode themselves and kill the combatant. That's all it takes. We're worried about what's being called this third revolution in warfare. The first revolution was gunpowder. You know, you could argue, right, bows and arrows and various things, but gunpowder was a considerable revolution in warfare.
And then you had the atomic bomb, which was not too long afterward. The Chinese invented gunpowder. But now activists and military leaders are calling for international regulations, kind of like what we have with the Geneva Convention, where we defined how wars get fought. They want to govern all new weapons systems that have a type of artificial intelligence in them, a type of machine learning. They don't want life or death decisions to be made on their own by these intelligent systems. And they're looking to ban them outright. Key governments, including the US and Russia, have resisted it so far, and I understand, right. Craig Peterson 1:10:18 But what are you going to do? As near as we can tell, militaries have not yet deployed killer robots on the battlefield, at least offensively. What are you going to do with a robot that makes life or death decisions and gets it wrong, or gets it right, heaven forbid, either way, where you've got a robot out there that doesn't have to think twice about pulling the trigger to kill someone because it doesn't think twice about it? It's almost like having some of our troops sitting in Virginia, flying a killer drone in the air that's over a site 5000 miles away, and just pulling the trigger and off that missile goes. That is not a life or death decision made by that missile. That is a life or death decision made by a human that has to pull that trigger. That's frankly a very, very big deal, the big difference between the two. Now this organization called PAX has identified at least 30 global arms manufacturers that don't have policies against developing these types of automatic life or death killer weapon systems. And apparently, they're doing it at a rate that's outpacing regulation. Now, this is normal when it comes to technology. I've talked about this so many times. Technology always leads any regulation, and it's still in front of the laws.
It's still outpacing the regulatory ability of governments, but we're talking about companies that include Lockheed Martin, Boeing, Raytheon. We've got some Chinese state-owned conglomerates like AVIC, CASC, Israeli firms IAI, Elbit, Rafael, Rostec of Russia, Turkey's STM. It is a very, very big deal. So what are we going to do about it? It is a very, very good question, and Quartz is trying to address it. You will see this article, if you're interested in it, up on my website as well at Craig Peterson dot com. Still, activists don't believe that the military use of some degree of artificial intelligence is problematic in itself. The problem is the systems that are designed with AI to select and engage targets, right? The terminology that's used is acquire, identify, and engage targets. And they're able to do it at least three times faster than any human. Today, we use those types of systems, but a human still has to authorize it. So I'm concerned about this. PAX is more concerned about the potential deployment of artificial intelligence in offensive systems, the systems that are used to go after people, that will select and attack targets on their own without human oversight. I think that all makes sense. And the question is, are we going to get regulations? Are we going to have a Geneva convention that covers this type of technology out there? Who's accountable if an autonomous atomic weapon broke existing international law or some of these future laws or regulations, and we're talking about lives on the line? We're not talking about weapons destroying weapons. So I'm very, very concerned. Defense firms, according to Quartz, are not building these weapons in a vacuum. The PAX guys are saying companies believe that's what militaries want in their arsenals, and I'm not sure they're wrong about that. Google and Amazon have both faced public criticism about what they have been doing for the military.
Although I have to say both of them have been two-faced about it, notably Google, who is developing artificial intelligence at three facilities in China with the involvement of the Chinese government. And they're not doing it here in the US, and yet at the same time, they won't do minor things that are designed to help protect us in the United States. You know, Google, I just don't get it. I don't understand this stuff. But there's a whole list here of weapons that exist now. These little loitering munitions, kind of like land mines, sit in the area and wait, loitering in the area for hours before they attack a target, small and cheap, so they can be easy to produce. Craig Peterson 1:15:17 And there's just a whole lot of them. They've got STM. This is a Turkish state-owned defense company that produces AI-equipped loitering munitions with facial recognition, kind of like, again, Angel Has Fallen, that can automatically select and attack targets using coordinates pre-selected by an operator. They're looking to use Turkey's kamikaze drones in Syria. There's Harpy, a fire-and-forget loitering munition manufactured by Israel Aerospace Industries, range 62 miles, loiters for two hours. What's next, right? What are we going to do? All right, stick around. We're going to talk about the myths of multifactor authentication, and how to detect a phishing site, when we get back. You're listening to Craig Peterson, right here on WGAN. And of course online, Craig peterson.com. Stick around. We'll be right back. Craig Peterson 1:16:25 Hey, welcome back, everybody. Craig Peterson here, Happy Saturday weekend. Whenever you're listening to this, of course, we podcast this show as well. And with more than 20 million podcasts, there's bound to be an episode that you're interested in as well. You can listen to that by just going to your favorite podcast streaming site that you'd like to, and you can sign up under iTunes or Spotify. I'm on TuneIn.
I'm kind of all over the place, and we've had a lot of great people downloading it, which makes me happy as well. You will find all of that. The easiest way is to go to Craig Peterson dot com slash iTunes. I should put a special page up that just gives all the podcast info, but for now, slash iTunes. And I'd really appreciate it if you would subscribe, because that's what really helps drive up our numbers. And that's what helps get people to notice. And in fact, if we had a whole bunch of people sign up at once, or you know, over a week, then the algorithms would notice that, and we would get promoted a little bit more. So I would love it if you do that. But you know, that's up to you. Again, Craig peterson.com slash iTunes. Hopefully, I've earned a five-star rating from you. Or you can just use the TuneIn app, which by the way, you can listen to WGAN on the TuneIn app as well. And you can listen to me on Wednesday mornings at 7:38 with Matt and Ken on the TuneIn app, so even if you're on the road anywhere in the world, you can listen to this station, you can listen to me, and my podcast is also here on TuneIn. All right, an app and a website. We've got some how's here. You know, I talk a lot about the what and the why, and I give you some how's as we go through the show, and a lot of the how is really left for trainings when I do courses and trainings. But we've got two articles that I really want you guys to understand a little bit better. And one is from sigh where, one's from Dark Reading. And we're going to start with this first one, which is the myths of multi-factor authentication. Now, without multifactor authentication, also called two-factor authentication, when employees leave, they can quickly get back on if you don't change their passwords, but if you take their token, their physical token, back, then life's a little safer.
If people lose passwords, if you are a home user and your password is stolen or compromised, someone can log into the websites. So let's talk about what this is. The best type of basic security is something you have, along with something that you know. So something that you know, that would be, for instance, your username and your password. So you put them together, and that's something that you know: your username and your password. And then something that you have might be, for instance, a token, a digital token. I don't know if you've seen these. We use the type with a lot of our customers that aren't very, you know, technically advanced, that have a little six-digit number that keeps churning on the token. So when they go to log in, for instance, they will use this for a defense contractor or a doctor's office where they have to keep information safe. And when they log in, they're going to put in their username, and they're going to put in their password. And then they're going to look at their token, and they're going to type in that number that changes every 60 seconds or so. Now you can do this type of two-factor authentication in several different ways. You can do it with your cell phone; a lot of people do it that way, where you get a text message from the website giving you a code that you can type in. Craig Peterson 1:20:46 Now that's cutesy. Don't you love that, I get my code on my phone. That is eminently hackable. One of the articles that I found this week, but I'm not going to share with you guys because I don't have enough time, is all about this guy that just lost $20 million in Bitcoin because he was using two-factor authentication, but he was using his phone, and then somebody SIM-jacked him. And that's where a cybercr

Craig Peterson's Tech Talk
AS HEARD ON WGIR-AM 610 - MFA, Biometrics and Nation-State Cyber Theft and more on NH Today WGIR-AM with Jack Heath [10-21-19]

Craig Peterson's Tech Talk

Play Episode Listen Later Oct 21, 2019 3:37


Welcome! I was on with Mr. Heath again this morning per usual. His show keeps expanding. It's really kind of cool. He's had on a number of presidential candidates. In fact, usually, they all come through his studio. That's one of the advantages of being here in New Hampshire. So this morning, I talked with him about stolen intellectual property, billions of dollars' worth it looks like, and what the FBI is urging businesses to do right now. Something, in fact, that will help you as a regular consumer as well. So here we go with Mr. Heath. For these and more tech tips, news, and updates visit - CraigPeterson.com ---  Related articles: It is People and Shortcuts Not MFA that's the Issue and Biometrics is not the Answer Nation-State Cyber Theft May Cause US Aerospace Downfall   ---  Automated Machine-Generated Transcript: Craig Peterson  Good morning, everybody. Craig Peterson here. I was on with Mr. Heath again this morning per usual. His show keeps expanding. It's really kind of cool. He's had on a number of presidential candidates. In fact, usually, they all come through his studio. That's one of the advantages of being here in New Hampshire. So this morning, I talked with him about stolen intellectual property, billions of dollars' worth it looks like, and what the FBI is urging businesses to do right now. Something, in fact, that will help you as a regular consumer as well. So here we go with Mr. Heath. Jack Heath Craig Peterson, our tech talk guy this morning. We had some great technology tips and thoughts. Good morning, Craig. Craig Peterson Hey, good morning, Jack. We certainly do. And this first one is from our friends at the FBI. They are strongly urging businesses to start using biometric factors for two-factor authentication. Our data has been stolen from business, and just to show that that's actually the fact, China has now released an airplane that they'll start selling in a couple of years, called the C919.
And this is all put together, as it turns out, it looks like, from a Chinese government-backed cyber espionage group. Looking into this with some real detail, one of the security experts says the bottom line is pretty much every part of the design of this Chinese terrible jet came from the United States and was stolen from our companies here, our intellectual property, and is now going to go up for sale. It was stolen from Boeing and Airbus, various parts of it. And in about two years, our aviation industries here in the left are going to be competing against their own designs being manufactured in China. And you know, Jack, I've even seen this right here in New Hampshire with small businesses. But now the FBI is coming out and making sure businesses realize that they need to pull up their socks, and one of the quickest, easiest ways to do it, for businesses or for individuals, is to use two-factor authentication. In other words, something you know, along with something you have. So in many cases, you've got your username and your password for a website, for instance. But you also might get a text message, which isn't the best way to do it, but it's a start, right? So you get a text message, you enter the number that you're sent. And that helps to make sure that people like the Chinese government here don't get access to your business information and do everything from stealing your intellectual property through taking the money that is sitting in your operating bank account. Jack Heath Good information. People want to learn more, can they go to your site, or how do they go about this? Craig Peterson Absolutely. The easiest way to do it, if you go to Craig Peterson dot com, you'll see these articles. It's part of my newsletter that I send out every week. So, if you subscribe to that newsletter, you'll get about six or eight different articles with tips on what to do, what's going on right now.
Craig Peterson dot com. Jack Heath I appreciate it very much. You make it a good Monday, enjoy it. And we'll catch you again next Monday, and of course, your show airs Saturdays right here on news-talk stations. Tech Talk. Thank you, Craig. Craig Peterson Take care. All right, we come back Chuck Zodda Jack Heath All right, when we come back, Chuck SATA, what's going on on the financial side of things. Transcribed by https://otter.ai   ---  More stories and tech updates at: www.craigpeterson.com Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson For questions, call or text: 855-385-5553

Craig Peterson's Tech Talk
2FA and MFA protecting credentials what works and what doesn't and more on Tech Talk With Craig Peterson today on Maine's WGAN Saturday Show [10-19-19]

Craig Peterson's Tech Talk

Play Episode Listen Later Oct 18, 2019 10:00


Welcome Back!   The big buzzword is Two-Factor or Multi-Factor Authentication when it comes to privacy, but there is a dirty little secret. In this segment, I will explain what is going on and why Biometrics is not the answer. For more tech tips, news, and updates visit - CraigPeterson.com --- Related Articles: It is People and Shortcuts Not MFA that's the Issue and Biometrics is not the Answer --- Automated Machine-Generated Transcript: Craig Hello everybody, quick wave to everybody watching on video. Of course, we're out on Facebook and YouTube. You can find me online. Just go to Craig Peterson dot com slash YouTube if that's what you want, or slash Facebook, you'll see me there as well. Making sure all the equipment's working right, it looks like we are all set there. So let's get this whole thing going. There's the way, there we go. Alright, so first up here, we were talking about some of the big problems that we have when it comes to encryption and the government's encroachment on encryption. And it shouldn't come as a surprise to anybody, because frankly, governments have been trying to monitor the people for a long time, and that's why we have some of the laws and rights in the Constitution. And as I mentioned, I wrote an article and put it up on my site at Craig Peterson dot com about all of this. Well, now we're going to talk about the FBI. For those that aren't aware, I'm a member of something called the FBI InfraGard program. And this is a program the FBI put together many years ago that's designed to help the FBI work with the critical infrastructure here in the US. And that means businesses that might be involved in financial transactions, might be involved in manufacturing. In my case, I'm involved because, of course, I do the security stuff.
Hey, and if you're interested in working with me, let me know, just me at Craig Peterson dot com, but you should be a member of FBI InfraGard too if you can pass a pretty simple background check. Near as I can tell, the background check is, have you murdered anyone recently? Now this is not the normal FBI background check at all, but they want to make sure you're legit, you have a legitimate need to get this information, and that you are going to participate in the program. So I have been involved with that for a while. I get a lot of information from the FBI and from some other sources. I'm signing up also for some State of New Hampshire and Massachusetts and Maine sources too; we'll see how that all goes. But the bottom line is, we need to know, as the people who are the de facto security people in our organization, or maybe we are trained security people, we need to know what's going on right now. So be a member of InfraGard, and you can just go to infragard.org. InfraGard, as in infrastructure guardian, I guess. infragard.org, you can sign up right there on the website. You can join your local chapter; there are chapters in pretty much every state. Some of them meet quarterly, some of them monthly. I was running, for a couple of years, the FBI's online training, the FBI InfraGard webinars, as well as doing training for people. And of course, I continue to do a lot of that training. That's what this free training is that you guys sign up for and participate in. And then this week, of course, I've been doing the whole training on VPN. Next week, we're going to talk about mobile devices, and then moving on to Wi-Fi. And then we're moving on to security compliance for people who might have compliance issues. But that's what I've been doing. And frankly, I've been really enjoying it and helping out a lot of different people and businesses.
So right now we have the FBI Cyber Task Force releasing what they call a PIN. Now you'll get all of these PINs as an InfraGard member. PIN stands for Private Industry Notice. Now these PINs have different levels, grades, on them. A green means space that he can share with anybody, and then it gets to yellow, which is kind of a need-to-know basis. And then there are probably other colors that they just don't let me see, or other InfraGard members, because they're not stupid. KC, but that's what these PINs are, private industry notices. And they came out with one telling businesses to adopt biometric factors. Now, this, frankly, is a very big deal. And when we're talking about the biometric factors that we need to be worried about, they are basically saying, hey, listen, when you log in to a site, or when you have a way to authorize yourself, the best thing to do is have something you know and something you have. Well, something you know would be a password. Something you have might be like what we use internally, it is called Duo. In order to verify who we are, and it's a one-time password thing, and it works great. But there might be something else too. And that is the biometric thing. So in some cases, like on my MacBook Pro, my laptop has a fingerprint reader that I can use to unlock things. Plus, I have a thumb key, a USB key, that I can stick into it that I have. And again, that's something I have. So biometric is really good for multifactor authentication. It's not perfect. It depends, right? We already know not to use some of the older Samsung fingerprint readers because they can be easily defeated. And there are problems as well with some of these facial recognition systems. But multifactor authentication is really where they're going. So this is an article from the Czech Republic that I have up on Craig peterson.com. And he's quoting Microsoft's group program manager for identity protection, Alex Weinert.
So this is a guy that should know. He's working for Microsoft; they have to keep their data, you know, quiet, they have to keep it private. They want to keep their customers' data private. So this is a guy in the know. He said accounts that are using multi-factor authentication were more than 99.9% less likely to be compromised. Now, this is kind of interesting, because when we're going into Microsoft, and we're talking about Microsoft, there's something else that you might want to know. And that is that many managed services providers, and this includes some break-fix shops and things, are selling their customers Office 365. And this includes huge companies, right? A lot of people go and buy from the big guys because then it's safer, right? And it's a bigger throat to choke, and if something goes wrong, they can sue them and get the money out of them. All of which I disagree with entirely, right? Because the big guys don't care about you. They care about their bottom line. They have to, of course, keep their stock cool. Happy, the smaller guys are paying more attention. But the IC the problem with most of the smaller guys is they don't keep up with these FBI PINs, these private industry notices; they don't keep up with the latest in security. They're not moving their customers from one platform to another, because they're selling them software as opposed to really selling them a service. So what we do, and what I recommend you look for out there in a vendor, is we have a monthly fee. And we will change the software that we're using to protect you, we'll change the hardware that we're using, if we're finding that there's something that's a lot better, or if we find that there is a hole, we will fill that hole with new technology, versus what normally happens, which is, okay, here you go. Here's the bill. Here's hardware, it's installed, see you later. The same thing over and over again.
It's true with the, you know, anti-malware stuff people are selling you, the Norton or the Symantec or some other sort of antivirus software, which, frankly, just plain old doesn't work, right? It doesn't work well enough. So you've got to be very, very careful. Google made a similar claim, by the way, in a blog post in May. So here's what happened. A huge, huge managed services provider got hacked. How did they get hacked? Well, it turns out they weren't using multifactor authentication. I already told you about how we are using multiple layers of multifactor authentication to protect our stuff, including we're using multifactor authentication for all of our Microsoft software and services that we're selling, like Office 365, etc. So we're better than 99.9% less likely to be compromised than these other guys and these big guys. What Microsoft has done now is they're forcing most of these so-called managed services providers, and people are just hanging up a shingle saying they're managed services providers, and they can't manage services. They just don't know what they're doing. This is too complicated for them, but they hang up a shingle anyway. So Microsoft said, okay, well, we're not going to stop them from selling our software because we want to make money. We're going to go ahead and force them to use multi-factor authentication. So there you go. The FBI has a big warning out. Microsoft is now forcing people to start using multifactor authentication, for very, very good reasons. SIM swapping, there's a whole bunch of stuff. Do you want to learn more about this? You can find this article up on my website at Craig Peterson dot com. Stick around. When we get back, we're going to be talking about cyber theft.
And, you know, if you think your data is not a target, you're wrong, and we'll explain why when we get back. You're listening to Craig Peterson on WGAN and online, Craig Peterson dot com. Transcribed by https://otter.ai

Team Nerd Tech Show with Tim Gillen
031: So What is Multi-Factor Authentication, Anyway?

Team Nerd Tech Show with Tim Gillen

Play Episode Listen Later Sep 22, 2019 30:01


On this episode, #31, we've actually got some GOOD news about ransomware- for once! Texas recently got hit and took care of business; we'll tell you how they did it and what you can do to have the same success. Then, it's all about multi-factor authentication- why this small hassle should become fully rote for your maximum security. Then, we're getting into a story about a woman who implanted her car key in her arm. Yes, really.  Catch this episode and more on our website, www.teamnerdtechshow.com  Follow us on Facebook: https://facebook.com/TeamNerdTechShow Check us out on Twitter: https://twitter.com/terrapindottech SUBSCRIBE, RATE, REVIEW ON: iTunes https://tntiny.com/2kjw2eE Stitcher https://tntiny.com/2kbCFzs Google Podcasts: https://tntiny.com/2lMrRZh 

Conf T with your SE
Ep 16: Zero Trust

Conf T with your SE

Play Episode Listen Later Aug 14, 2019 35:36


Cisco Security Technical Solutions Architect Katherine McNamara joins Bryan Young and Joey D to discuss zero trust. We cover the definition of zero trust, where it should be applied, and how to take the first steps in going down the path of implementing a zero trust architecture.  Links: Katherine's Blog: http://cs.co/9008E2EZu ISE Helpdesk Troubleshooting Guide: http://cs.co/9009E2EZR ISE High Level Design: http://cs.co/9000E2EZr Google's BeyondCorp: http://cs.co/9001E2EZT Demystifying Zero Trust Cisco Live Presentation: https://www.ciscolive.com/global/on-demand-library.html?#/session/1538529748838001SblZ

Science Says
Multifactor Assessment of Non-Antimicrobial Soap Performance

Science Says

Play Episode Listen Later May 15, 2019


A non-antimicrobial soap was benchmarked against 2 reference soaps for microbial removal and skin compatibility, key factors in soap effectiveness and usage. The non-antimicrobial test soap removed more Staphylococcus aureus (P = .024) when applied to nonwetted hands and showed no difference in skin barrier function compared with the reference soaps (P = .736). Bingham J, Cartner TJ, Mays Suko PA, Leslie RA. Multifactor Assessment of Non-Antimicrobial Soap Performance. Open Forum Infect Dis. 2019;6(5):ofz151. Published 2019 Mar 20. doi:10.1093/ofid/ofz151 This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited. Sections of the Abstract, Introduction, and Discussion are presented in the Podcast. Access the full-text article here: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6499895/

Gaining Perspective
Understanding Multifactor Portfolios

Gaining Perspective

Play Episode Listen Later May 15, 2019 18:38


While there are many ways to gain individual exposure to the value, size, quality, momentum and low volatility factors, multifactor strategies combine exposure to all of them. Choosing the right one for client portfolios is incredibly difficult.

UNSECURITY: Information Security Podcast
UNSECURITY Episode 10: Daily Challenges, Writing Books, Hacking 2FA, and More Third-Party Breaches

UNSECURITY: Information Security Podcast

Play Episode Listen Later Jan 14, 2019 45:30


Brad hosts another great UNSECURITY Podcast episode with Evan. This week, they discussed information security book writing, day-to-day security challenges, the new Modlishka 2FA proxy tool (hacking 2FA), El Chapo's chats, Zurich claiming "act of war" while refusing to pay out for NotPetya, and another third-party data breach. While Brad's back home, Evan tries to make this podcast work from a Starbucks in Cancun. Everything goes fine for a while until a bunch of kids show up to play Fortnite. Entertaining as usual. Be sure to tune in next week, after Brad and Evan tackle the audio issues!

Microsoft Mechanics Podcast
Admin Updates in Microsoft 365 to save you time | Best of Microsoft Ignite

Microsoft Mechanics Podcast

Play Episode Listen Later Nov 13, 2018 17:18


First look at the unified admin experience for Microsoft 365, which gives you a common entry point for Windows, Office 365 and Enterprise Mobility + Security. We'll show you updates to the Admin Center, where you can customize your view with tasks, insights, and usage reporting, and a more streamlined, user-centric management experience with your most common tasks and most user controls available per user in one consolidated view. See intelligent recommendations to guide you through first-time setup and ongoing configuration of Microsoft 365 and related services. Session THR2318 - Filmed Wednesday, September 26, 11:20 EDT at Microsoft Ignite in Orlando, Florida. Subject Matter Expert: Brian Besand has been empowering admins to optimize their everyday tasks, dive deep on the details, make data-driven decisions, and deliver the best possible end user experience.

ETF of the Week With Tom Lydon
ETF of the Week: John Hancock Multifactor Emerging Markets ETF (JHEM)

ETF of the Week With Tom Lydon

Play Episode Listen Later Nov 5, 2018 7:40


ETF Trends publisher Tom Lydon discussed the John Hancock Multifactor Emerging Markets ETF (JHEM) on this week’s “ETF of the Week” podcast with Chuck Jaffe on the MoneyLife Show.

Security Insider - Podcast Edition
IBM i, Two Factor Authentication, and PCI DSS

Security Insider - Podcast Edition

Play Episode Listen Later Feb 16, 2018 15:57


PCI DSS requires two-factor authentication (also known as multifactor authentication): something you know and something you have. For IBM i users, this usually means a password and an authentication code provided to a token or mobile device. However, tokens are expensive and are frequently lost, and SMS messages to mobile devices have become a deprecated method. Join Patrick Townsend, Founder and CEO of Townsend Security, as he discusses the PCI recommendations, how to meet 2FA compliance requirements with a mobile-based solution, and how Townsend Security is helping IBM i users meet the latest two-factor authentication compliance requirements. Download this podcast to learn about: PCI DSS and NIST requirements for two-factor authentication; Protecting critical data on the IBM i with two-factor authentication; Mobile-based authentication with Twilio's Authy; Introduction to Alliance Two Factor Authentication

Cybersecurity Sense
Cloud Storage and User Authentication Compromises: Managing the Integrity of Your Data

Cybersecurity Sense

Play Episode Listen Later Nov 27, 2017 15:46


Often in the information security industry, professionals can be accused of spreading fear, uncertainty, and doubt with cybersecurity concerns. However, considering the implications of integrity attacks, it is essential to pay close attention to them. As more organizations move to cloud storage, user authentication compromises are increasing. If an organization has sensitive information that can be accessed from anywhere online by simply using a username and password, that information is at risk, and organizations should make an effort to make their networks more secure.   In this podcast, LBMC Information Security’s Jason Riddle and Mark Fulford discuss the growing concerns with data integrity and how to avoid being a victim of attacks.   Listen, and discover these key takeaways: Feedback heard from the cybersecurity field The need for two-factor or multi-factor authentication The ability for integrity attacks to impact financial markets How integrity attacks could be more effective than availability attacks and confidentiality attacks The need to increase cybersecurity efforts to prevent integrity risks and attacks

SMacVandaag
37 - Multifactor Authentication, Burden or Necessity?

SMacVandaag

Play Episode Listen Later May 1, 2017 21:24


Do you still trust all those login names and associated passwords that you use every day to access various services on the internet? Are you afraid they could one day be compromised? Guessed? Or even hacked? Then in this episode we offer you a solution that greatly reduces these risks. Today's topic: Mic and Joris discuss multifactor authentication. With it you add an extra layer of security to the login process on the internet. Mic doesn't use it and finds it a hassle. Joris tries to convince him that it is a necessity.

DevelopSec: Developing Security Awareness
Ep. 61: Multi-factor Authentication

DevelopSec: Developing Security Awareness

Play Episode Listen Later Jan 5, 2017 17:25


Implementing multi-factor authentication isn't just about a second factor. There are many considerations that need to be included. One in particular: how do you handle the user losing their means of that second factor? James talks about thinking this through. For more info go to https://www.developsec.com or follow us on twitter (@developsec). Presented by Jardine Software Inc. (https://www.jardinesoftware.com) Jardine Software provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Check out our 30 day advantage.

Enterprise Security Weekly (Video)
Enterprise Security Weekly #20 - Multi-Factor Authentication

Enterprise Security Weekly (Video)

Play Episode Listen Later Oct 29, 2016 21:12


Should we use Multi-factor Authentication for our Enterprise? Find out whether you should have a 2FA or not, here on Enterprise Security Weekly! Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode20 Visit http://securityweekly.com/esw for all the latest episodes!

Paul's Security Weekly TV
Enterprise Security Weekly #20 - Multi-Factor Authentication

Paul's Security Weekly TV

Play Episode Listen Later Oct 28, 2016 21:12


Should we use Multi-factor Authentication for our Enterprise? Find out whether you should have a 2FA or not, here on Enterprise Security Weekly! Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode20 Visit http://securityweekly.com/esw for all the latest episodes!

Security Insider - Podcast Edition
IBM i, PCI DSS 3.2, and Multi-Factor Authentication

Security Insider - Podcast Edition

Play Episode Listen Later Jun 1, 2016 19:08


Prior to version 3.2 of the PCI Data Security Standard (PCI DSS), remote users were required to use multi-factor authentication for access to all systems processing, transmitting, or storing credit card data. With version 3.2, this is now extended to include ALL local users performing administrative functions in the cardholder data environment (CDE). Download this podcast to learn about:
What PCI DSS 3.2 means for IBM i administrators
Why it is harder to identify an administrative user on the IBM i
Challenges IBM i customers are facing regarding multi-factor authentication
How Townsend Security is helping organizations meet PCI DSS 3.2 with multi-factor authentication

ILTA
SharePoint Multifactor Authentication for SharePoint 2013 and Online

ILTA

Play Episode Listen Later Jun 17, 2015 70:25


Over the past year, we have seen an increase in hack attempts and in security breaches from inside and outside the organization. Standard methods of user authentication are no longer enough to protect an organization's data. Multifactor authentication technology can help! See how you can secure access to SharePoint using on-premises and Windows Azure federation services combined with multifactor authentication. Whether on the premises or in the cloud, these powerful tools can create a secure mechanism for your users to access SharePoint.

HS 328 Video: Investments
3-6 Describe a multifactor model.

HS 328 Video: Investments

Play Episode Listen Later Jul 10, 2013 3:05


Describe a multifactor model.

The Kennedy-Mighell Report
LinkedIn for Legal Professionals

The Kennedy-Mighell Report

Play Episode Listen Later Sep 11, 2012 37:11


Lawyers consistently tell us that LinkedIn is the social media platform that makes the most sense for lawyers and other legal professionals. They like the professional and business focus of LinkedIn as compared to the "personal" focus of Facebook and other platforms. However, lawyers also always tell us that they wish they could use LinkedIn better than they do now. In this episode of The Kennedy-Mighell Report, Dennis Kennedy and Tom Mighell and special guest Allison Shields discuss the new book, LinkedIn in One Hour for Lawyers, how lawyers can make better use of LinkedIn, and some practical tips lawyers and others can implement right away with LinkedIn.