Welcome!  

Today there is a ton of stuff going on in the world of Technology and we are going to hit a number of topics from being aware of fake sexual harassment claims being used to mask malware to the advantages and disadvantages of future military technology, and why everyone should be using multi-factor authentication -- so stay tuned.

For more tech tips, news, and updates visit - CraigPeterson.com

---

Related Articles:

Don’t Take The Bait - Fake Sexual Harassment Claims

Can You Detect A Phishing Attempt?

Vulnerability in Popular Anti-Virus Program

Bots Losing Panache as Cybercriminals Hire In Third World

Not If, But When -- Don’t Think You Are Not A Target

Big Tech Has Your Private Medical Records -- Through Hospital Partnerships   

Future Defense and Military Tech

Best Practices in Authentication Still Mostly Ignored By Businesses

---

Automated Machine-Generated Transcript:

Craig Peterson 0:05
Hello everybody! Craig Peterson here. Welcome. Welcome, you are listening to me on WGAN and online at Craig Peterson dot com. Thanks for joining me. Today we are going to be talking about some of the most important things that are happening in technology as we do every week and more particularly what's going on in this security realm. We'll talk about how you can detect if it's a phishing site that you have gone to, New malware from TrikBot here, a brand new one. Some complaints here about McAfee. Every piece of anti-virus software McAfee makes has vulnerabilities. We'll talk about that major, major security problem. We've got an accounting fraud here and how it's getting harder to detect and Why we have breaches? You know, I talked to so many people, I have a lot of customers, a lot of business customers. And they're sitting there saying, Well, you know, this is all inevitable. So what should I do about that? We'll talk about that. Google, you might have heard of project Nightingale. We'll get to that today as well. Defense firms are on track to make some very, very scary hardware. We'll talk about that as well as some of the myths of multi-factor authentication. And there are a lot of myths out there about all kinds of this security stuff, frankly, but let's start with our friends at Microsoft. I bet you thought I was going to say Apple, didn't you? Well, we had a big patch day, Patch Tuesday, and it fixed 13 critical flaws this week, and one zero-day vulnerability. Let's start by explaining what a zero-day is. In this case, we're talking about a zero-day attack, which refers to a vulnerability that is undetectable by any current antivirus software or anti-malware software that has seen this particular problem before. Now you noticed that made a difference a distinction between anti-virus and anti-malware, right? Because anti-virus software behaves in a certain way. Anti-malware behaves well, frankly, a little bit differently. So what are the pros? What are the cons? What's the difference between antivirus and anti-malware? Well, as a general rule here, anti-virus is a subset of anti-malware. Anti-virus is something that we're doing now will probably continue to do forever. Still, it does not catch me. Most of the nastiness that's out there today, anti-virus is you know, at best release Some people would say zero percent effective, but I give it the kind of the benefit of the doubt. And it's about 20% effective. So if you have antivirus software, it's only useful about 20% of the time against all of these different types of attacks, it's probably close to 10%. If you pull in the human element into all of this, anti-malware software behaves a lot differently than antivirus software. Some of it is whitelisting, where it knows this is a legitimate piece of software that was not modified. So it allows it to run that on one side. These are quite difficult to keep up to date because you have to continually monitor what's going on in what the software upgrades are. What the checksums of that new version of the software are, their libraries, are they all legitimate all those DLL files and everything else they're using. It gets pretty darn complicated from the whitelist listing side. And there's a couple of companies that do whitelist. Some of them, frankly, do better than others.

Craig Peterson 4:07
Some of them, in reality, isn't even really doing whitelisting when you get right down to it. And then there is the next level up, which is the anti-malware software. And anti-malware is software that looks at the behavior typically of what's going on. And there are there's software out there right now malware this designed to fool the anti-malware software to so it looks at it and says, Okay, this just installed Wait a minute, started opening a bunch of files. Wait a minute, is writing to a bunch of files. Wait a minute, and it's changing all these file names. That's the type of behavior that would be typical of ransomware. Good anti-malware software looks at the behavior of a program as it is opening all kinds of part the TCP/IP packets, that are trying to use a network to get to all of these other computers that are out there on the network. What is it doing? How is it doing? Why is it doing all of that? That's good anti-malware software. So it will do all of that it looks at checksums, it looks at just all kinds of things. And it typically has about a 10% performance penalty on your computer, and it can be a little bit higher than that. But it's they're busy looking at everything, examine everything trying to figure out what to do. So we have anti-malware software out there, as well as anti-virus. Those are the two significant types of software you'll put on to your computers. And frankly, anti-malware like well we use has multiple layers of software, and it ties into external databases and, and Cisco Telos to get updates and everything else. So that's what we use us what we do. So, in this case, we're talking about a zero-day Hack against some of this Microsoft software. So what does that mean? Well, that means that we're as of right now, none of the antivirus software knows how to detect this as a virus, none of it. That's zero-day, it's day zero. So tomorrow will be zero-day plus one, right? So day one of this out in the wild. And Microsoft, with their Patch Tuesday, decided they would plug 73 security vulnerabilities in their software products, including 13 of them, given the top level of a critical security vulnerability. And I guess it's kind of fortunate that this month only one of the flaws is known to be exploited. And this is a CV, that's what they're called that scripting engine vulnerability and Internet Explorer, and the sooner they get rid of Internet Explorer entirely, the better off everybody lives. Everybody's lives will be IE; they built it into the kernel so that they could have more control over it. You might remember the lawsuit against Microsoft saying, Oh, you can't ship a web browser that's integrated right into the kernel. Because now, you make it so that none of the other web browsers can work on internet XP on Windows, which was right in the very beginning. And you're blocking us out of there, and thereby it's anti-competitive, you know, it's all true. Now, IE because it's inside all these versions of Windows, these vulnerabilities can affect users who are no longer even using Internet Explorer at all. In other words, you don't have to launch the browser. You don't have to go out to the internet. You could get nailed on it right away. Okay. Now Microsoft Office is using the same rendering engine that has this vulnerability that internet access Laura has, and it can be embedded and in fact, triggered by an active x control on a booby-trapped web page. Active x is one of the worst things Microsoft could have ever done. It's right up there with some of the vulnerabilities and flash and Java. You know, are you kidding me you allow a web page to run code on a machine. And they at least they have markers on it, but it can be Mark now was safe for installation. The whole thing's crazy. I still don't understand Microsoft, and what they're doing here.

Craig Peterson 8:36
So bottom line, make sure you do your update. I checked right before I went on air, and there aren't any significant problems that have been found with the updates here for November from our friends at Microsoft. They're often are. We also had this week, and some more patches come out from our friends, my friends, and yours from Intel. Now Intel makes a lot of the computer chips that are inside our computers, mainly for using a Windows machine. But Macs use Intel chips to, although they don't have to, I don't know why Apple went with Intel, you know, my guess was it was less expensive. And Intel also had some outstanding power performance numbers saw, you know, I can't blame them. But we have a bunch of patches that came out from Intel, that make all of their CPUs almost every processor they've made in the modern era is entirely vulnerable.

Craig Peterson 9:39
And that's a terrible thing, including vulnerable not just on your desktop, but vulnerable in all kinds of operating systems and data centers. So, if you think hey, listen, I went ahead, and we moved all of our stuff to the cloud. They are just taking care of because it's in the cloud. Microsoft knows what they're doing. The answer to that is, well, they kind of know what they're doing. But they're stuck with this Intel vulnerability. There will be more patches coming out according to the people that found these vulnerabilities in every model of Intel CPU, Major, major, vulnerabilities. According to these people, there are more than Intel hasn't passed on yet for whatever reason. It's really, it's kind of crazy, frankly. So we got Microsoft patches for some major ones. This week. We've got Intel patches, some major ones this week, we've got Adobe patches that are out as well. So make sure you do the upgrades. I'm not going to go into all the details here. Man Adobe light set of patches this month only 11 security vulnerabilities from Adobe and Adobe Bridge, animate illustrator, and Media Encoder. Two months in a row where there are no patches for Flash Player. I'm not sure what that's about if they keep happening with flash player or if something else is going on. All right, stick around. We're going to be right back. You, of course, listening to Craig Peterson here on WGAN, make sure you visit me online at Craig Peterson dot com. We've had a few pop-up-trainings already. I'm doing some Facebook Lives and getting information out, and you'll only find out about them if you're on my regular email list. Craig Peterson dot com slash subscribe, and all of today's articles are up there as well. And there's a sign up right there too. So make sure you sign up to find out about all of the latest that you need to know. Craig peterson.com, when we come back, we're going to talk about chick bought something new going on out there trying to get us to do something we just shouldn't be doing. Stick around. We'll be right back.

Craig Peterson 12:02
Hey, welcome back, everybody. Craig Peterson here, little beach music. I was out for the last week and a half out at a conference in Phoenix, Well I guess isn't exactly near the beaches is it, but it was sure nice and warm. And then I got back home, and you know what's happening up here in the northeast? Yeah, a little bit of cold weather. Some of it's a little too cold for my liking. You know, it just came on so fast. We were like in the 60s and 70s. And then all of a sudden it's like the 30s and 40s. I don't know what's going on. Well, let's talk about this TrikBot. It is a new malware that's out there. I've spoken to many times here on the show about what the FBI has been warning businesses, which is the business email compromise. You probably heard of that before bc we're talking about something that's cost businesses. Well over 10 billion, I think it's over $14 billion now. And we're not just talking about a little waste of time. No, we're talking about these guys and gals going right after our business bank accounts. And the way they do it is they're kind of sneaky about it, they get and get you to, to basically for the money, right to wire the money to do other things that are going to hurt your business. You may not realize it at the time, and they're just trying to fool you. Right. So how do you fool someone? And I know I know you can't fool an honest man. I've heard that so many times in the past, and there's a lot of truth to that. But here's what they're starting to do now. And you might have gotten one of these. I have had several listeners reach out to me. I and quite a few saying hey, I just got this email chain that, you know it's it's got a video of me visiting this, this nasty website out there right so you guys are probably heard about that one before it's been around a little while. Well, now what's happening is they are sending an email that appears to come from the US Equal Opportunity Commission. This email is saying that wait a minute here, and we have a sexual harassment complaint against you. Now I understand as a business owner, how this can be kind of crazy. And I owned a building, a business office that I had my business running out of, little more than 20 years, maybe a little longer. Ago now. And that business office, I put in doors, and all of the doors were floor to ceiling glass because I didn't want anybody saying that I was harassing somebody or doing something illegal. Now, of course, I, you know, we didn't have microphones and cameras and things. But I just wanted everyone to feel reasonably comfortable that no one was going to corner anybody. And, you know, I think I was kind of mostly successful about that one of these days or forever sitting down having a beer, you might want to ask me what happened there. But anyway, this is something called Trikbot, and it's a banking Trojan. And it's going after employees of large companies. And it's trying to scare these employees into thinking that the US equal Equal Employment Opportunity Commission EOC is coming after them. And they are trying to get them to and are being reasonably successful in having them handing over sensitive information. And they're using a bunch of different social engineering techniques, including malicious payloads or redirecting them to fraudulent sites they control by emails that look like coming by somebody they trust, etc. Okay? Now, these spearfishing emails, and I'll read you the text in one here in just a minute here. But they, what they end up doing is dropping a malicious payload on to your computer. And as part of this campaign, these malware operators use the information they've collected from people, such as their names that company they work for job titles, phone numbers, to customize these phishing emails to make them a lot more convincing. Now think about your business and your business's website and other information that you're making available to the public. Digital website has, who the officers of the corporation are.

Craig Peterson 17:04
Now I know that all of us for our businesses, we have to file with the state chapter file with the IRS and various other things. But when it comes to the state, those records tend to be public. So people can go online, they can find out who the President is, who the officers of the corporation are, who the Registered Agent is, etc., etc. Right? And so now a bad guy can go online and find out almost anything they want to find out about a smaller company because it's right there on the website. Now is that easy or what? Now let's go into one of these pieces of email. Everything from the email subject This is from bleeping computer dot com. Everything from the email subject and the message content to the malicious attachment. Each of these mouse spam email Males comes containing the potential victim's name. Now I'm looking at it here. It's got a form, and it seems like it's legit. It has the logo of what I assume is the US Equal Employment Opportunity Commission because it looks official enough to me, and the title at the top is the U.S. Equal Opportunity employment commission harassment complaint. Then the complete submission of a complainant form has initiated an intake interview with an EOC officer. Okay, this is what they're sending out right now. It looks very, very legitimate. And they use the name of the victim with a grievance raised against you. That's a subject for each of the phishing emails, and they're trying to get you to pay attention. They also have a customized email body to instill a sense of urgency. So it'll say, dear name of the victim, private and confidential. One of your co-workers has lodged a complaint with the EEOC. Now on top of it, all the malicious attachments, drop TrikBot payloads also have customized names. And again, it's the name of the victim-dash harassment complaint letter, and it's got a phone number on it. The entire purpose is to get you to open that attachment. And by adding this personal touch to the phishing emails, they've been increasing their chance of people opening them. Now, you know, I do a little bit of marketing for some of the courses that we offer and, and for some of the other services, you know, like the security services that we offer the businesses, so I've studied some of the marketing stuff that's out there. And I can tell you right now, most people, if you get an email that looks like that are not opening it. If you're concerned about a particular email and you have listened to my show for the last 20 plus years. You're very, very worried about it and legitimately so.

Craig Peterson 20:10
So I'm not sure just how effective this is, you know, spam emails right now have an open rate of about, well, it's less than 1%. Legitimate emails have an open rate of, you know, as much as 15 to 20%. So I don't know how well they're doing. But when they're sending out 10's or hundreds of millions of emails, we're talking about some pretty darn serious stuff here. A lot of potential victims. These are highly targeted and regularly updated. That goes into some of the problems with antivirus software we will talk about later on. And that is if it hasn't seen that before, it's going to get tricked. This spear-phishing campaign delivers the malware payload. It's evolving. It's a banking Trojan. The purpose is to get you to give some banking information out. And apparently, it's been pretty successful. By the way, it's been in the wild since October 2016, one of the most aggressive pieces of malware that are out there right now. Stick around. When we come back, we'll be talking about McAfee's antivirus software and what's going on with that. Especially as it relates to some of the malware that's spreading out there in the world, right now. Make sure you are on my email list. So you keep up to date with everything that's going on. Craig Peterson comm slash subscribe. I'll let you know about the pop-up-trainings. I want you to pay close attention because I'm not going to hound you about this stuff. And we've had a lot of people attending them. They're free. Usually, they have two-hours worth of content and questions and answers. Stick around. We'll be right back.

Craig Peterson 22:05
Hey, everybody, welcome back. Hey, did you see this? It was an announcement by one of the investment firms saying that Tesla might be missing the boat when it comes to electric cars? You know, we've all thought Tesla was the leader in the in that isn't so many ways right and built their battery factory. They've been just doing all kinds of amazing things, but it looks like they might be losing a little bit of an edge when it comes to the overall electric car business. Because now you've got Ford and GM, the major US manufacturers, I think Chrysler as well. I know Ford and GM both have some major stuff going on, as well as the Japanese firms like the Nissan LEAF. That's been all-electric for a long time, although Nissan stops making the thing some of these us manufacturers are definitely in the middle of it all. And you probably heard me a couple of weeks ago talking about some of the real risks when it comes to Tesla electric cars, particularly in the event of an accident. It's a scary thing. Frankly, it's a frightening thing being involved with the MS for all of those years to think about it. Well, we spoke a little bit in the last segment about this TrikBot malware using fake sexual harassment complaints as bait. We started off the hour talking about Patch Tuesday, and 13 critical fixes for Microsoft software, this critical fixes out for Adobe software, you got to apply these patches. According to the stats I've seen. There are, on average, about 65% of Windows computers that do not get updated at all. If this is you if you're one of those people, I urge you to spend a few minutes, let's make sure that the machines are updated. I know some people that say forget about it. I'm just going to replace my computer when it's just so far out of date. I know some people have done that with cars, too. I had a good friend I haven't talked to in years. But he was telling me that his dad did the math, back in the day, many many years ago. His dad did the math, and he figured that if he paid for oil changes throughout the life of an engine just wasn't worth it. So he said, Hey, listen. What did an engine cost back in the day it was a couple of grand for a boxed engine, and he was a mechanic he could quickly put in a new engine. And if I pay for oil, filters and my time to change the oil
I will pass the break-even point at about 30,000 miles. So, in 30,000 miles, it was cheaper to replace the entire engine, than to pay for years of oil changes. Can you imagine that? So I did some quick mental math, and I agreed with him. He said, Listen, it's not as though I don't have oil in the engine. The engine will run off this known oil in it. But all I do is add oil when it needs oil added, and he never changed his oil. And at about 50 to 80,000 miles, you'd have to replace his engine. So he figured he was ahead of the game. Nowadays, with these new engines and filters and oils and the oil is just so thin. Nowadays. They're saying 10,000 miles give or take between oil changes, so it's not anywhere near as bad. Plus, some of the cars today will tell you, hey, I know Need an oil change? So you don't even have to keep track of the miles, you know, used to be 3000 miles. Do you remember you might not be old enough to remember, but the oil did not have the cleaners in it now, nowadays they have been detergents because your engines would get all sludgy? And what a mess ever take one of those apart, even just the head of the engine, the mess that was in there, we don't have those problems nowadays. Well, some people have taken that whole idea of, hey, it's cheaper to change the engine than it is to change my oil. They've taken that to the extreme. But you know, it is not like that when it comes to computers. You can't just have the laptop sitting on your desk or under your office and leave it there for years to come and say, Hey, listen, when it breaks down, I'll replace it. I'm not going to bother doing upgrades of my software won't work because it's running Windows XP, or whatever some old version of Windows, I'll go out to one of these, big-box retailers, and buy another computer and throw this one away.

Craig Peterson 27:14
That is a very, very bad idea.

Craig Peterson 27:16
And I suspect that's where some of the 65% of people come in, that are not maintaining their computers. Now you have to keep them because unlike your car, your computer is continuously under attack. So, that means you have to not just upgrading and updating windows but all of the software that's on your computer. You know, I talked a little bit earlier about Internet Explorer, and only Internet Explorer alone having it on your computer will cause other programs on your computer to get infected and allow hackers access. It's just plain old, not worth it. Well, let's talk about Anti-virus doctrine. Oh, you remember I said antivirus software? Yeah, I convinced myself that it's, it's about 10% effective at no more than that guaranteed. And we can go through all the numbers again, if you want to buy me a beer sometime we'll sit down and go through all the numbers, and how virus software does not work.

Craig Peterson 28:19
Well, Let's talk about some software that doesn't work. McAfee antivirus software. In an article from ZD net, has a code execution vulnerability, a severe security flaw that can bypass the self-defense mechanisms built into McAfee antivirus, very, very big deal. Safe breach labs, their cybersecurity team. It is one of the groups that go around and test software, tries to find vulnerabilities, and then lets the manufacturer know so they can take care of it. But they're saying that this particular vulnerability can be used to bypass McAfee self-defense mechanisms and could lead to further attacks on a compromised system. Now, this vulnerability exists because of a failure by McAfee's programmers to validate whether or not these DLL's it's loading have been signed, let alone appropriately signed. Remember, I even mentioned that in the first segment today. These self-defense mechanisms are essential, and they need to be in place, even though the antivirus software is going to be at best 10% effective at least you would have 10% effectiveness right. So because they can bypass the self-defense mechanisms and leading to further attacks on a compromised system. It needs to get fixed right away. See an arbitrary unsigned DLL that gets loaded into multiple services that run is NT authority, backslash system.

Craig Peterson 30:06
Now, the only good news is that attackers need to have administrative privileges to take advantage of it. However, I rarely walk into a business where everyone isn't running with, with, frankly, administrative privileges. The companies do that, and I understand why they do it. It's a bad thing to do should never do it. Right. But I know why they do it. They do it because, oh, it's just so much easier if I have to install software right or to call the IT person. And the IT person is the Assistant to the owner. And she's always busy. He's still running around doing stuff. I don't have the time, and I can't keep asking for permission to do things. So, everybody gets administrative authority. There are three main ways and which is why vulnerability gets exploited according to the Safebreach lab. Anti-virus software might not detect the binary, and it loads it without any verification against it. Impacted software includes McAfee total protection, anti-virus plus AVP from McAfee, and Internet Security up to and including the version 16.0 point 22. You must get the latest software. So, if you have McAfee update, pronto. And as I said, you should update, anyways. And don't use antivirus. I recommend getting a robust anti-malware stack of software.

Craig Peterson 31:39
So what are people doing? Vendors doing? They're just renaming their stuff is anti-malware stacks. Yeah, yeah, that'll fix the problem. Your listening to Craig Peterson on WGAN stick around. We'll be right back.

Craig Peterson 32:02
You know, it's funny how you get used to the weather, whether it's hot or cold. You're listening to Craig Peterson here on WGAN. And online at Craig Peterson dot com. You'll find my Facebook page by going to Craig peterson.com slash Facebook. And I've started posting some stuff up there. Well, I do that actually, every day. My wife is the one that's putting the articles up that I come up with every week, every day. But you are also starting to find I'm doing Facebook Lives and YouTube lives, and just you know, I'm getting a little better at some of this stuff. And there are a lot of possible angles here. By the way, you know, I mentioned I was at this conference, and I was learning a little bit more about marketing and product development out there. Product development is what I kind of love doing, Right. We can do it quickly. We know what we're doing. We know how to do it. So we're trying to figure out how can we produce a very inexpensive product that is going to help a lot of people when it comes to security. And I think we've got the answer. I don't want to be, you know, mean and nasty about this, but we're working on it. And we should have something in a couple of weeks from now, that I think is going to change lives. I think this is going to be earth-shattering. If we do this the right way, it is going to change everything for anybody that decides that this is for them. So we'll be talking about that in a couple of weeks from now. But it's an idea from another industry that in fact, it's the tennis, tennis training business, and I think it's like the world's most perfect idea. Here when it comes to us, so we'll be talking more about that. But you can find that you can find information on the articles that I have every week, you can see all of that stuff you can find out about the free pop up classes, the pop-up-trainings that I've been doing, you can find out about some of these Facebook Lives and YouTube Live. All of these are free training. I'm just trying to get this information into your hands. You know, the Whats, the Why, and the Hows, all of that stuff. And there's only one way to get it. And that is to sign up, go to Craig Peterson dot com slash subscribe, and I will make sure that we send you every week just a quick summary of the stuff that's going on. I'm going to have a special sign-ups for these pop-up-security-trainings, So no, I'm not going to send you a lot of emails unless you ask me to write by default. We got a great article from Joan over at darkreading.com. Dark reading dot com is one of those websites, one of many to which I pay quite a bit of attention. They do have some great, great content. In this article, they're talking about fraud and how it has changed. You, I'm sure, are familiar with our friend, the Nigerian prince, and all the things he did and how he tried to get his money out of the country. And all he needed was to use your US-based account, and you could keep some of that money. You remember that right then, it's just full of misspellings. It was just terrible, and there are reasons for the misspellings, there are reasons for the way they do things. No doubt about it. Well, things have changed. Now economics have changed. And they are swamped, making a whole lot of money. And they're doing it in different ways. They've done it before. You know, we've got tools now to detect and mitigate some of these attacks. And the easiest way to do that we have some software that all the email flows through, and it's looking for patterns look, make it look like it's a bot that sending out these emails. And when we put those this particular filter in place, in fact, it's and AI bought itself. That right the Battle of the AI that's coming to, but you know, the amount of spam these things dropped by 90 plus percent. It's just it's dramatic, how much it helps.

Craig Peterson 36:58
Well, what has happened now is the bad guys have found that labor is getting cheaper and cheaper in some of these developing nations out there. And they're able to get people in Venezuela, for instance, where they are starving to death where they are picking through garbage because of their socialist government. And man, I saw this thing the other day, it just shocked me, they were using a sharpie to write on people's forearms a number, so they knew when they could get food. Yeah, when they could get food from the grocery store. That's how bad it is in Venezuela. So you have to wait in line. You have to obtain a number one thing. God is not a tattoo. It's a sharpie, but you have to get a number there on your forearm, and then you can get Food. And if you can't wait, and if you don't get enough food for your family, you're going to have to go through the garbage. It's just absolutely insane. Well, cybercriminals are hiring workers in Venezuela now, where the hourly wage has gone way down compared to other currencies. I am not sure if you remember, but Venezuela used to be the wealthiest nations in Central and South America by far and is now one of the poorest countries in the world thanks to their socialist government. Well, the hourly wage is so low that it now makes economic sense to pay people to manually carry out the fraud to write these fraudulent emails to research to get the stolen account data instead of using bots like they have been doing before. So, here's a quote straight from the article. "attackers are giving people a script and saying here's a quota you have to hit, criminals are always trying to figure out what is the lowest hanging fruit as merchants and companies evolve with defenses, these attackers evolved, humans just happened to have become the flavor of the month." So, these human-driven attacks are increasing quickly and exponentially. Now, the most recent fraud report that came out covering q3 2019. So. just this last month, found that attacks carried out directly by humans, both loan perpetrators who are trying to get money to support their families in third world countries, and organized criminal groups increased 33% over the previous quarter, nearly one in every five fraud attacks are manual now rather than automated.

Craig Peterson 39:57
Now, of course, their goal is to look as legitimate as possible. Having humans involved does increase your chance of success. And so many people worldwide speak English because English is the international language of business. And it's causing a problem. This quarterly report that came out from our coasts looked at 1.3 billion transactions spanning account registrations, logins, and payments in the financial services, e-commerce, travel, social media, gaming, and entertainment industry's overall fraud increased 30%. In q3, and bought driven account registration fraud is up 70% as cybercriminals test stolen credentials, in advanced of what in advance of the US holiday season. Isn't that amazing? But now every third attack on financial services is manual. Attacks are coming from fraudsters now with access to stolen identity information. They're using the latest tools. Over half of the attacks that originate from Russia and China are now human-driven. It is changing everything. The data highlights that the entire attack incentive for countries across the globe is economically based. We've got some substantial economic things happening here in the US. If a nation's currency is worth only a fraction of the US dollar, then the incentive of a criminal in that country to defraud an American business
is very high, because they've got that multiplier based on the value of their currency compared to the value of the US dollar. So, it's incredible what's going on. You've got to watch it. You got to be careful that There are a lot of bad guys out there that are looking to get their hands into your accounts. And we've got this shopping season right in front of us now. So what I would suggest to everybody is, check with your bank, depending on your bank, some of the banks and doesn't matter if it's visa or if it's MasterCard visa sent tends to be pushing this a lot more than MasterCard is. But whether it's Visa or MasterCard, you're going to find that they have virtual card numbers that you can use. And the idea behind these virtual card numbers is that you have a one-time card number that you can use when you are buying something online. So, instead of having your regular credit card number that you're using, that's sitting there in a merchant database, that may or may not be configured appropriately or secured. Remember, a secure server doesn't mean that their servers secure; it just means that your data going to it is protected in transit. Instead of giving them your real credit card number, and having that stored in a potentially insecure database, now all you have to do is give them that temporary credit card number. Go to your bank, and you can usually check on the website before you start buying stuff online for Black Friday. And we're going to have some Black Friday deals to or Cyber Monday, or you know, whatever it is for Christmas, for Hanukkah, for whatever you're celebrating. We have birthdays to over this holiday season. Get your bank to give you access, and this will be online access to get a different virtual credit card number every time you do a transaction online. It's cheaper for them to do that than It is for them to issue new credit cards when compromised or stolen. It keeps happening. All right, stick around. We will be back. We got one hour to go. We're going to talk about Google's project Nightingale and see if that's scary enough for you. We are concerned here about some of the defense firms, multi-factor authentication. I will run through how you can tell right what's the best way to do it. And how to detect a phishing site. We'll get to all of that. In the next hour. You're listening to Craig Peterson on WGAN and online, Craig peterson.com. Stick around. We'll be right back.

Craig Peterson 44:52
Hello, everybody, Craig Peters on here on WGAN and online at Craig peterson.com. Hopefully, you join me there and sign up for my email list. I get you in my newsletter. You can do that by just going to Craig peterson.com slash subscribe and subscribing to my newsletter. Every Saturday, we are here and talking about some of the latest in technology and security. The things that frankly you don't hear about, at least not the right answers in the general media out there. It's just amazing to me how many things they get wrong, again and again, and again. I try never to attribute to malice what can be easily attributed to incompetence. Is that a terrible thing to say about some new people in the media? You know, if you get right down to it, they have so many things that they have to know about and be semi experts on to write some of the articles, so I guess I really can't blame them for well for least Some of that. Well, let's talk about the chaos here for a couple of minutes. We are in the new normal. Now I'm not talking about with President Obama said the new normal was, which is people high, you know, unemployed, high levels of unemployment and stagnant economy and stuff. I'm talking about a recent survey that was conducted by a security company out there that showed that 86% of 250 top security officials who participated in this survey believe that cybersecurity breaches are inevitable. Now that opens up a whole can of worms because it's unavoidable, does that mean there's nothing you can do about it? I think by definition, it does. It is inevitably going to happen no matter what you do. So why do anything? Many people have done nothing. Remember, in the last segment, and if you've been listening in the previous hour, I talked a little bit about how 65% or so of computers never were upgraded. That's, that's a bad thing, right? And nowadays, when we get right down to it, and we're talking about these 250 professionals, people that know what's going on. We're talking about people who realize that the complexity of today's cybersecurity in businesses makes it so that it's almost inevitable. Now, when we think about cybersecurity, and we're thinking about companies. Obviously there is some truth to this for home users and, and that's why we did this security summer you know, I had that hundred and 50 pages of cheat sheets that we gave away to everybody. Who participated in this. And it was designed to help you understand what you had to do in different circumstances. And hopefully, you got all of those I start, you know, they were all sent out well, by the end of September, because, you know, summer doesn't end until September 21. So I little extra time as my team and I delved into that labor of love out there. But there are a lot of pieces moving parts to this puzzle, and it makes it very, very difficult. Nowadays, we're making our lives even worse because of cloud adoption. We're using cloud services. We're using hybrid environments spread across physical machines, different locations, different teams, various cloud providers, and now businesses are using something called containers. I remember when I first heard about them, I was thinking about, well oil container on Okay, so we're talking about the types of things you put on a truck and then put on a ship right or, or you can rent while you are making the improvements like I did in my kitchen.

Craig Peterson 49:11
I got one of these little containers, one of these small pod containers, and loaded it up with all of our stuff while we were working on it. Yeah, that's not what the containers at the businesses are using. These dedicated containers perform a specific purpose, like running a website, or a database or something else. It's just getting very, very difficult to keep track of it all. And frankly, that's why we're seeing some of the major breakdowns. Now we do not see in these in breakdowns like Equifax. What was that? It was, Oh, yeah, a username of admin with a password of admin rights. Stuff like that is just plain old, stupid, but because of everything so complicated and were not tested thoroughly, they broke in. Now, if you are in a business-like, for instance, a shipbuilder, you are thinking about failures. Because if you're out in that open ocean and you get a rogue wave that comes in, hit you on the side, your ship is going to flip over. Now obviously, you don't want to name your ship, Concordia. Another one just ran aground this week over Norway. Of course, the big Concordia running the ground was in Italy, and what a mess. But shipbuilders realize that ultimately, ships are going to fail. There is going to be that rogue wave, or it is going to run aground or the propulsion systems going to go down. And the extremes are like submarines where you have all the compartments, and the idea is that a breach might occur in one compartment, but the other compartments will not. So we're spending billions of dollars, and we're likely preventing a lot of bad stuff. The number of high profile breaches is just increasing and causing devastating damage to us as consumers. It's going to last for decades. And why? Well, like so many other industries, people in the security business are not preparing to fail. And companies are not preparing to fail. It's like what I teach in my backup course, the three to one backup methodology, and I should do another pop-up-training on that. Frankly, you've got to have multiple copies of backups numerous generations of backups on various types of media, in numerous sites, because of Smith's commentary. Now, you might not be familiar with Smith's commentary, but Smith's commentary on Murphy's Law is that Murphy was an optimist. And of course, Murphy's Law is, if anything can go wrong, it will. So shipbuilders have engineered the systems, they have segments in the halls, they have multiple hulls, double triple hulled ships so that if it's carrying oil or something else, if there is a penetration to the hull, the ship won't dump oil or whatever, into the ocean. It's been done this way since the 15th century. And it's been done in today's modern vessels as well. Even the Titanic had some of these things in place, although it had some other problems. I don't know if you've seen some of the more recent studies, by the way, on the Titanic. It's fascinating. But it looks like what happened was, there was a fire in the Titanic's hold coal fire that they couldn't put out. And they had been smoldering and caused a weakening of the ship's hull. And that's why when it hit that iceberg it tore open. But that's another story here. So let's talk about some principles here security principles that they use in shipbuilding that we need to look at in modern IT. Shipbuilders assume that at some point, the ship will suffer leak. So how do you protect against that? How can you fix that? Well, they create holes that prevent a single leakage from sinking the whole ship. So, in the same way, you have to assume there might be a breach in your corporate environment and segment your network so that it doesn't spread. There's a lot of details we could discuss, and maybe I should do some Facebook lives on these things.

Craig Peterson 53:52
Your staff who's responsible for maintaining the ship's hull is monitoring for leaks. They're watching for leaks, and they're regularly patching. They're painting they're scraping right to get rid of the rust and to make sure that there isn't a major flaw in the ship's surface, or you know, hull, they're trying to keep the ship safe. So, in the same way, our modern security teams have to be vigilant about monitoring and patching. To prevent these cracks in the perimeter, as well as the interior. We just last week had a client who had an internal breach. They were using a VPN to allow our remote office to get into their primary network. That remote office was breached and was used as a launching pad to get onto their primary network. And then once on one machine on the main network that they could breach, they now we're able to spread within the main network. We got to watch this. The ship's most sensitive equipment is in the engine room. And in the tape game you know in the case of a business you got to venture critical IT assets are considered ships that staff lookouts 24 seven to make sure there is a good watch, we need to do something similar with our data. Keeping the crew from accessing the bridge is an important safety measure. We got to make sure that our user identities get set up correctly and their employees, contractors, remote users can only get data they should be getting to. And we could go into attack after attack after attack. But the bottom line is when you're designing your security, you have to anticipate a breach. You've got to patch everything, keep it patched and up to date. And you've got to segment your networks. And if you need to be secure, the newest types of networking are called zero trust networks where nothing can talk to anything else on the network. Unless it's explicitly allowed because we can't trust it. So the very least segment out your Internet of Things devices, make sure your sales guys are on a different network than your accounting people. Right? Break it all down in the business space. When we get back, we're going to talk about us in the consumer world and Google's Project Nightingale, man, is this a scary project, but you know, heck, it's Google, but not can do anything wrong right here listening to Craig Peterson right here on WGAN.

Craig Peterson 56:43
Hello, everybody. Welcome back. Craig Peterson here after the top of the hour. And we are talking about the latest in security and technology. What's going on out there? We cover in some depth here some of the things that you need to understand. Some of these things are specific questions that I've gotten from you. So if you have a question of any sort you'd like me to answer on the air or maybe answer directly, email me. It is ME at Craig peterson.com. I am glad to do it, or you can drop it on my Facebook page. Now I have to say that I get thousands of emails a day. So sometimes it can take me a while to get around to it. So don't feel bad if I don't answer your question right away. But I am pretty good about answering most of the questions that people ask and particularly if you email them me at Craig Peterson, dot com that's so that's what I monitor kind of the most. Some of my team helps you track that too, which is a very, very good thing. Mountain View, California dateline. It is a scary story. And you know, we just had Halloween, but here's what's going on. You might not be aware of it. HIPAA is a law put in place, oh, decades ago now, I think maybe even as much 20 years ago. The most significant part of HIPAA is this whole concept of portability. Now, you may not realize it, the bill was certainly not advertised as being this way, but it is this way. Here's the problem. Before HIPAA went into place, what was going on if you had your medical records, and those medical records had to be kept private, they could not share them with anything and what HIPAA did was. It defined the rules for sharing, among other things. Before HIPAA, your medical records were considered private and kept secret. After HIPAA went into place, your medical records could now be shared anywhere almost in the medical community. And of course, with portability, the idea is, well, you've got your medical records, you want to go to Florida for the winter. So you want the doctors in Florida to be able to have access to your medical records, which is all well and good. It makes a lot of sense. However, other things going on in there still are. If I want the medical records of every patient in hospital x or health plan, why? And I say, Hey, listen, I'm going to buy the company. I'm thinking about buying the company. I'm thinking about purchasing that hospital. The hospital has the right to give me all of your records. That's the bottom line. Scary. And that's been happening. Our medical records have been shared and traded like trading cards. So, one of the largest health systems here in the United States is called Ascension Health. And you might have heard of it before, mainly if you are at all involved in the Catholic nonprofit health system. The Catholic Church has taken care of millions of patients for free, much of the time, you know, no charge to the patient. But the Catholic Church has been behind many of these medical hospitals and medical treatment that has been out there that we have used for generations, frankly, and you know, good on them. It has been wonderful. And they've kept costs under control reasonably right. By right by where I live. There's a Catholic medical center that is renowned in the region for its cardio care. And like many other hospitals that are out there, they will also provide charitable care for those people who can't afford it. So Ascension partnered is with Google Now ascension is, again, the largest health system here in the country. And it partnered with Google. And Google now has access to detailed medical records on 10s of millions of Americans according to a report by the Wall Street Journal, and It is code-named Project Nightingale, I'm sure you can figure out why they call it at night and Gail. And it has enabled at least 150 Google employees to see patient health information that includes diagnosis laboratory test results, hospital records, and other data. Now, remember before HIPAA, man, you could have sued and won if your medical data got shared without your knowledge, let alone your permission. Now, some of the negative results of those HIPAA regulations are coming to light, where the largest health system in the United States, Ascension, shared your medical data with Google. That is a very, very big, big deal. Now, this is reported by the Wall Street Journal, and it's according to internal documents and the newspapers other sources in all the data amounts to complete medical records and contains patient names and birthdates according to The Wall Street Journal. Now, this is a move by Google to try and get a strong grip on the medical business, the sprawling healthcare industry. In November, Google announced a deal to buy Fitbit that has gone through. I'm sure you've seen that. So now, it has access to all the sensitive health data that amassed from Fitbit. How much information have you been giving them? They've got all kinds of health records. They've got what have you put into those things? And we have Google, Microsoft, Apple, and many others competing to get access to all of our medical records and to be the storehouse so that when you go to Florida today, your records are there because you shared them on purpose. Neither Google nor Ascension, according to The Wall Street Journal journal, neither Google nor the country's largest health system Ascension has notified patients or doctors about the data sharing 2600 hospitals, doctors' offices, and other facilities across 21 states and the District of Columbia. So Google's ultimate goal is to develop the searchable cloud-based tool, but here's what I found particularly interesting, and that is about transforming care. In a statement from Ascension, the VP of strategy and innovations, Eduardo Conrato said, "as a healthcare environments continue to evolve rapidly, we must transform to meet better the needs and expectations of those we serve, as well as our caregivers and providers." So what are they doing? Here? Well, it turns out that apparently, they're having the hospitals enter in your data to these healthcare records, uploading them, analyzing them, and helping the doctors come up with diagnosis as well as prognosis frankly. They're hoping to improve outcomes, reduce costs, and save lives ultimately, and you know what they probably will. But the issue at hand here goes back to the HIPAA act of 1996. And should we be able to control our medical records? That's the big question. It looks like the answer to that is no and has been for 30 years. Thirty ish years not quite 25. All right. When we get back, we're going to talk about Rola robots of the killer variety. What is going on with some of these government contractors out there? Man is a scary show, isn't it today well after compensate next week, you're listening to Craig Peterson here on WGAN and Tune on Wednesday mornings at 738 with Ken and Matt, and I'll be online there too.

Craig Peterson 1:06:38
Hey, Craig Peterson here. WGAN. Online Craig Peterson dot com. We are nearing the end of the show here. We only got two more segments together. But that's enough time to cover a couple of these articles I want to get to today. Let's start with this one first here, which is the Robots. You know, I have long been concerned about robots as have many other people. Some people much smarter than I have been very concerned about them. Take a look at what ElonMusk has been saying. That's part of the reason he wants to move us to Mars is artificial intelligence and robotics. Think back wow, even to the like the early 1990s with iRobot. And, and that Russian author, I can't remember what his name was, but it's been a concern for a very long time. Now, things changing rapidly. In an article from QZ.com, a new report is out from Pax, a nonprofit based in the Netherlands that's campaigning for peace around the world. And of course, Pax is the word for peace in many languages, and they're warning about this new potential trend that's coming out. I don't know if you've seen some of these moves. Movies where there are swarms of drones. And those drones swarm in on something. There was a recent one, and I think it was Angel has fallen with Gerald Butler. And the President is tagged by the attack by this swarm of drones. We had the same thing happened. I think it was only one or two drones in South America trying to take out a president down there. Well, our militaries are looking at some of this newer technology to conduct war. And you know, frankly, they have to because the bad guys, the other guys, whoever our ultimate future opponents are, are looking at this as well. China has spent a lot of time on it. And if you look at something like these drones, you could easily have killer drones out there. These drones have to have an ounce of high explosives in them, get close to a combatant, and explode themselves in Kill the combatant. That's all it takes. We're worried about what's being called this third revolution in warfare. The first revolution was gunpowder. You know, you could argue right bows and arrows and various things, but the gun powder was a considerable revolution in warfare. And then you had the atomic bomb, which was not too long afterward. The Chinese invented gunpowder. But now activists and military leaders are calling for international regulations kind of like what we have with the Geneva Convention where we defined how wars get fought. They want to govern all-new weapons systems that have a type of artificial intelligence in them, a type of machine learning. They don't want life or death decisions to be made on their own by these intelligent systems. And they're looking to ban them outright. Key governments, including the US and Russia, have resisted it so far, and I understand right.

Craig Peterson 1:10:18
But what are you going to do? nears we can tell militaries have not yet deployed killer robots on the battlefield? At least offensively? What are you going to do with a robot that makes life or death decisions and gets it wrong or gets it right heaven forbid, either way, where you've got a robot out there that it doesn't have to think twice about pulling the trigger to kill someone because it doesn't think twice about it. It's almost like having some of our troops sitting in Virginia, flying a killer drone in the air that's over a site 5000 miles away. And just pulling the trigger and off that missile goes. That is not a life or death decision made by that missile. That is a life or death decision made by a human that has to pull that trigger. That's frankly a very, very big deal. The big difference between the two. Now this organization called PAX has identified at least 30 Global arms manufacturers that don't have policies against developing these types of automatic life or death, killer weapon systems. And apparently, they're doing it at a rate that's outpacing regulation. Now, this is normal when it comes to technology. I've talked about this so many times. Technology always leads any regulation, and it's still in front of the laws. It's still outpacing the regulatory ability of governments, but we're talking about companies that include Lockheed Martin, Boeing, Raytheon. We've got some Chinese state-owned conglomerates like a Vic cask, Israeli firms IAIL bit Raphael, Roz tech of Russia, Turkey's STM. It is a very, very big deal. So what are we going to do about it? It's, it is a very, very good question and courts are trying to address it. You will see this article if you're interested in it up on my website as well at Craig Peterson, dot com. Still, activists don't believe that the military use or some degree of artificial intelligence is problematic in itself. The problem or the systems that are designed with AI to select and engage targets, right? The terminology that's used is acquired, identify, and engage targets. And they're able to do it at least three times faster than any human. Today, we use those types of systems, but a human still has to authorize it. So I'm I'm concerned about this packs is more concerned about the potential deployment of artificial intelligence and offensive systems, the systems that are used to go after people that will select and attack targets on their own without human oversight. I think that all makes sense. And the question is, are we going to get regulations are we going to have a Geneva convention that covers this type of technology out there? Who's accountable if an autonomous atomic weapon broke existing international law or some of these future laws or regulations, and we're talking about lives on the lines? We're not talking about weapons destroying weapons. So I'm very, very concerned, defense firms. According to courts, they're not building these weapons in a vacuum. The PAX guys are saying companies believe that's what militaries want in the Arsenal's and I'm not sure the wrong about that. Google and Amazon have both face public criticism about what they have been doing for the military. Although I have to say both of them have been to face about it, notably Google who is developing artificial intelligence at three facilities in China with the involvement of the Chinese government. And they're not doing it here in the US and yet at the same time, they won't do minor things that are designed to help protect us in that it states you know, Google I just don't get it. Understand this stuff. But there's a whole list here of weapons that are existing now. These little loitering munitions, kind of like land mines that sit in the area they wait, like maybe loiter in the area for hours before they attack a target, small or cheap that can be easy to produce.

Craig Peterson 1:15:17
And there there's just a whole lot of them. They've got STM This is a Turkish state-owned defense company that produces an AI-equipped loading munitions got facial recognition, kind of like again Angel has fallen can automatically select an attack targets using coordinates pre-selected by an operator they're looking to use Turkey is Kamikaze drones and Syria. There's harpy a fire and forget luxury munition manufactured by Israeli aerospace industry ranges 62 miles tail off for two hours. What's next, right, what are we going to do? All right, stick around. We're going to talk about the mess of multifactor authentication. How did he tech, a phishing site when we get back? You're listening to Craig Peterson, right here on WGAN. And of course online, Craig peterson.com. Stick around. We'll be right back.

Craig Peterson 1:16:25
Hey, welcome back, everybody. Craig Peterson here, Happy Saturday weekend. Whenever you're listening to this, of course, we podcast this show as well. And with more than 20 million podcasts, there's bound to be an episode that you're interested in as well. You can listen to that by just going to your favorite podcast streaming site that you'd like to, and you can sign up under iTunes or Spotify. I'm on TuneIn. I'm kind of all over the place, and we've had a lot of good Great people downloading it, which makes me happy as well. You will find all of that. The easiest way is to go to Craig Peterson com slash iTunes, I should put a special page up that just gives all the podcast info, but for now, slash iTunes. And I'd really appreciate it if you would subscribe because that's what really helps drive up our numbers. And that's what helps get people to notice. And in fact, if we had a whole bunch of people sign-up at once or you know, over a week, then the algorithms would notice that, and they would get promoted a little bit more. So I would love it if you do that. But you know, that's up to you. Again, Craig peterson.com slash iTunes. Hopefully, I've earned a five-star rating from you. Or you can just with the TuneIn app, which by the way, you can listen to WGAN on the TuneIn app as well. And you can listen to me on Wednesday mornings at 738. with Matt and can on the TuneIn app so even if you're on the road anywhere in the world, you can listen to this station you can listen to me, and my podcast is also here on tune in. All right, an app, and a website. We got some how's here, you know, I talk a lot about the what and the why. And I give you some how's as we go through the show and a lot of the How is really left for trainings when I do courses and trainings. But we got two articles that I really want you guys to understand a little bit better. And one is from sigh where ones from dark reading. And we're going to start with this first one which is which is the myths of multi-factor authentication. Now without multifactor authentication also called two-factor authentication. In one employee, employees leave, they can quickly get back on if you don't change their passwords, but if you take their token, their physical token back, then life's a little safer. If people lose passwords, if you are a home user, and your password is stolen or compromised, someone can log into the websites. So let's talk about what this is. The best type of basic security is something you have, along with something that you know. So something that, you know, that would be an example of, for instance, your username and your password. So you put them together. And that's something that you know, your username and your password. And then something that you have might be, for instance, a token a digital token. I don't know if you've seen these. We use the type with a lot of our customers that aren't very, you know, technically advanced, that have had like a little six-digit number that keeps churning Gene on the token. So when they go to log in, so for instance, they will use this for a defense contractor or a doctor's office where they have to keep information safe. And when they log in, they're going to put it in their username, and they're going to put in their password. And then they're going to look at their token. And they're going to type in that number that changes every 60 seconds or so. Now you can do this type of two-factor authentication in several different ways. You can do it with your cell phone, a lot of people do it that way, where you get a text message from the website, giving you a code that you can type in.

Craig Peterson 1:20:46
Now that's cutesy, Don't you love that I get my code on my phone. That is eminently hackable. One of the articles that I found this week, but I'm not going to share with you guys because it's you I don't have enough time. But it's, it's all about this guy that just lost $20 million in Bitcoin because he was using two-factor authentication, but he was using his phone, and then somebody sim-jacked them. And that's where a cybercriminal takes over your phone number so that when they try and log in, in this case to his Bitcoin account, I'm simplifying this I know. But when they go to log into his bit calling account, it sends a text message, and then he types it in, and then he's in Okay, so using your smartphone with SMS with text messages is not very smart because it's easy enough to get around. So use something like we use dual DUO. It ties right in with one password, which we also use. It's fantastic for your business. Now, if you're home, you User look at Google Authenticator. That's what it's called Google Authenticator. It's free. And when you go to a website, and you sign up, and you go to your settings and your security settings, you'll find there that it often has Google Authenticator as one of the two-factor authentications. So you install this app on your phone, you're going to scan a little code that comes up on the screen using your phone, a short QR code, or maybe you're going to type something in the URL, etc. And it will set you up. Now when you go to that website, later on, to log in, you're going to put in your username, you're going to put in your password. You can open up your phone, the Google Authenticator app, and you're going to go to the authenticator app section for that website is going to give you this six-digit code. You're going to type it in, and it knows that it's you. That is an excellent way of doing it. Mike Soft, of course, being Microsoft has to do differently than everyone else. And Microsoft has its authenticator app that you can use to authenticate their websites. I don't think anybody uses Microsoft authenticator other than Microsoft, but I could be dead wrong there. So that's the easiest, cheapest, and best way to do multifactor authentication, not using text messages.

Craig Peterson 1:23:28
Now the myths are that large enterprises only should use MF phase multifactor authentication, absolutely false and home users should as well. Retirees should, in fact, use it. It is more critical for small businesses or home users to use MFA than it is for the large enterprise because you probably don't have all of the other security defenses and staff in place. It's only used to protect privileged users again, wrong. You don't want your bank account emptied. It's not working Perfect, which is true, but it's darn close, mainly if you're not using text messages. And it doesn't disrupt users' productivity. Because multifactor authentication usually, you only have to use it maybe once a day.
In some cases, you have to use it more or less. Some sites, it's only once a week that you have to use it. Now let's move on to our next one. It is how to detect a phishing site. Now we're talking about the pH fishing. And this is where the bad guys are trying to con you out of giving your information. So here are the main tips for detecting whether or not you are on a phishing site. Number one is to check the connection type. Make sure that the address bar shows a lot on it or and or has an HTTPS tag. Now that doesn't guarantee that it is who you think it is. If you want to dig into more, if you click that lock that's up on that URL bar, click that lock it, you can scroll through, and you can get more details, it'll tell you who signed this certificate and who the company is, that is using their certificates. So, you can usually make sure that it is who you think it is, okay? Most legitimate websites have valid SSL certificates issued by an authorized provider. In other words, you don't have to install some certificate on your browser. And they also indicate who the actual company is. Look closely at the URL. They, these phishing sites have URLs that are very similar to the real ones. So it might be micro snot. Instead of Microsoft, something that's easy enough for you to overlook. So look at them very carefully, make sure it is legit. They might be doing something like using.net instead of com or.edu or some other extension co look at it closely. There are online resources you can use. There's something called the whois database. It's been around for a long time part of the In fact, the whole internet structure that came into effect in the early 90s. You can do what's called a whois lookup if you're on a Mac Linux machine, you just use the whois command if you're on Windows, or a Mac, you can or Linux, you can use a web browser and just say who is space and the website that you're interested in. And usually, the search engines will send you to one of the main whois servers that are out there, and you can see where their site supposed to be, what it is, what they are, what the real domain name is. Website content setting up a website. It's a massive project that takes a lot of time, a lot of energy. If there's a lot of grammatical mistakes, low-resolution pictures, a lot of advertising, you're probably on a phishing site. Look for the privacy policy, contact information, those types of pages. Those are usually pretty much dead giveaways of a legitimate website versus a phishing site. So be careful when you're going online. Another tip is one that I've seen far too many times. Many people, instead of typing in the URL into the browser, they'll type it into a search engine which continually amazes me people do it all the time.

Craig Peterson 1:27:59
I have a Client whose accountant, their lead accountant, was going to Google and typing in the website address of the bank including.com. And Google would come up with the search results, and you click on the top one kind of blindly, right, not paying attention. Well, that's a great way that if the Google database is poisoned. An excellent way for the bad guys to get you to click on their website instead of the legitimate bank website. You might want to use a bookmark once you've got the correct URL, and then just double check when you log in that it is a secure server, and that it does have the right certificate. All right, everybody. Hey, thanks for being with us today. We'll be back next Saturday, same time 1:00 pm on WGAN. And I'm releasing these podcasts. They also go out on Saturday. So if you subscribe, you'll get all of this for Free, plus more subscribe Craig Peterson com slash subscribe. Easy enough, go to Craig peterson.com you can subscribe to my mailing list there, my newsletter, and you'll get all of this and more

Transcribed by https://otter.ai

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553