Tech Articles Craig Thinks You Should Read:

Google Removed Shady Android VPN App That Allowed MiTM Attacks

Don't use VPN services.

Kazakhstan spies on citizens’ HTTPS traffic; browser-makers fight back

Twitter repeals retweet roadblocks, Facebook follows suit

2021 Cybersecurity Predictions: The Intergalactic Battle Begins

Russia’s hacking frenzy is a reckoning

FBI says DoppelPaymer ransomware gang is harassing victims who refuse to pay

Intel falls on report Microsoft plans to design own chips for PCs and servers

Facebook Repays News Industry It Destroyed With Print Ads Begging You to Hate Apple

---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] I mentioned on the air earlier this week, a friend of mine who got hacked, he's trying to make some money. He's retired doing a little grub hub type delivery service, and all of his money was going to a bad guy. So we're going to get into that.

Hi everybody. This of course is Craig Peterson. Oh, I hope you guys are having a great week weekend. Hopefully a few have the week off next week. And we'll get back to it after the first of the year.

The hacking frenzy is just not, I talked about it last weekend, where we've got now the bad guys, assuming it's the Russians.

There seems to be a lot of speculation that it really is. However, I want to explain why you never really know who does a hack. There are. Tools out there that are used by hackers. And most of these tools are just shared within their little community out on the dark web. And you can go right now if you know how to get onto the dark web and which site to go to you can go right now and grab almost any of those tools that the hackers are using to break into your computer, Mike and beater.

Everybody's computer out there. That is a problem. And it's a problem with trying to identify who's doing the hack because if you are using the tool that is usually used by China, for instance, there's a whole bunch of tools that are named after pandas because that's China. And it's just, the name is the name.

It's doesn't necessarily have a whole lot of significance. Okay. But the tools China uses the techniques they use are used potentially by other countries as well. So Russia could be using tools that are usually used by the North Koreans. And, so how do you know by the tool you don't and then on top of it, you have the problem.

Of people hopping around. You've seen that before. Remember war games, Matthew Broderick, man, when was at 80 sometimes sometime, and it was showing how it was hopping through different machines. And different modem banks in order to get where it wanted to go. And you've certainly seen that in bond movies and everything else where they're hopping from server to server.

And so they're trying to trace who is this? Where are they coming from? Because we're going to go catch them. And they'll show a little graphic up on the screen and it shows, okay. Boom. Okay. Argentina, and then it's Brazil. And then it went over to Moscow and then over to Beijing and then over to Montreal.

And then you can't do that, that, that technology does not exist. There's no way for you to know. Because if you don't have control or access to all of these servers that are all over the world, how can you know, you just can't and then to make matters, even worse, the bad guys have compromised, small business computers and home computers as well.

That really creates some problems because now what we're talking about is the bad guys getting on to your home computer and using that as a base of operations. We've had many times where someone's home computer was used to attack the Pentagon and it had nothing to do with that poor person whose computer was being used.

We've talked before on the show about how some of these terrorists have been taking over. Business servers, just regular web servers. Hey, it's my server. And I use it for whatever might be e-commerce nowadays. And didn't realize that Al-Qaeda was using my server to share a video of Americans being beheaded.

That has happened. So if China wanted to attack the US would they necessarily want the US to know it was China, might they want the US to think it's Russia? All of these bigger countries have that ability and now even smaller company countries. We're seeing Vietnam now. One of these nation-state hackers.

And we're seeing, of course, as you already know, North Korea and China and Russia have been hacking for a long time and it seriously looks like they interfered potentially even directly in our elections because this big hack, these solar winds hack that happened solar winds software that was used to penetrate.

All kinds of federal agencies, businesses, infrastructure, et cetera. Also penetrated the election systems in some States. It also penetrated the company that makes the election software for most of our elections here in the United States, it is really that bad. So we can't say for sure that this was Russia.

It might be, it might not be the full assessment of what even happened from that hack is still probably months or frankly years away. We know the department of Homeland security. Commerce treasury state, all founded their systems had been breached and they're saying it was Russian hackers and it may well be Russian hackers.

I don't have access to any of the hard data to be able to tell you for sure that's who it was, but. These hackers, Russia or whomever, it might be we're in our government systems for months, including some of our election systems. Now, is that a big deal or what now? We're thinking that this is Russia's cozy bear. And they are basically turning business software into a Trojan. And that's what the solar winds thing hack was all about. They had software that is used in networks to monitor and control networks, and it had been turned into a Trojan. Now a Trojan is like a Trojan horse. It's a piece of software that looks like it's something other than what it is.

That technique has been used for many years, but what did they do while they were in these networks? It's absolutely crazy to look at FireEye, which is the company that discovered this was using solar wind software. They discovered the hack on their own networks and the networks as some of them.

Clients as well, FireEye is a three and a half billion dollar security company. They are huge. And they said that they had been hacked by a nation-state, and it goes through what the software was. It's a Ryan, which is one of the SolarWinds products. We have used their products before we stopped using them because of some security problems that we had found in their software.

So we stopped using solar winds 18 months or so ago, and now it has come out that one of the people inside solar wind warned the company about the way they built the software and distributed it and that their software could be used for hacks, which is. In fact, it absolutely was, but this is really bad news because since March they've been in some of these systems, government, and otherwise they've been in our election systems.

I saw this study. I don't know if you've seen it. That was reported out of, I think it was Michigan, where they had been looking at what's happened with the voting systems. One of the systems was given to a security team who looked into it and found, yeah. There are some serious problems here. It was misattributing votes and it was rejecting.

What was it like 35% or more of the ballots that should not have been rejected and just open to everything up to total hacking? It's very bad. So are we at war with Russia? Because they have gotten into things like our water systems as part of this hack, our critical infrastructure, our government agencies.

What's going on? There is a system in place that the federal government's been using is called Einstein patrols. Yeah. Just that Einstein. And what it does is it looks on the networks to see if they're being hacked, but just our software that so many of us use that we should not be using anymore.

That is the antivirus. That's looking for signatures. Einstein only is effective at identifying known threats. So it's like a bouncer. If you go to a nightclub that has a list of people not to let in, and yet he, he lets him all of these people with knives and guns who are swearing. They're going to kill everyone inside because they're not on the list.

All right. So this is very inadequate. This Einstein system that the federal government's using in the face of these types of sophisticated hack attacks, and they use these hackers that solar winds or Orion backdoor to gain access to these networks, they wanted access to one of the things that we are trying to get really moving here for smaller businesses is.

Logging, because if you're not logging, what's going on, you don't know what the bad guys got access to. And you got to keep those logs. Those logs have to be searchable. And if your security company is doing their job, they should be keeping all of the logs from all of these machines for at least two weeks, if not months.

And you might want to ask them that. Because what happens, frankly, with these things is there's a lot of retrospective work that goes on. Just like with my buddy who got hacked, just trying to make a few bucks over at grub hub. We'll talk more about his specific case in a few minutes, but. I had to spend hours going through forensic information. I can get my hands on him to figure out exactly what happened and what do we need to do to mitigate this problem for him.

We're going to talk about that exactly. On one guy, trying to make some bucks gets hacked. What can you do to stop it?

So how did my buddy get fooled or what happened here? That his accounts got hacked. He was locked out and the money that he was trying to make from driving for GrubHub just disappeared. We're going to get right into that.

So let's get into this problem and it is a problem. It's a very big problem with hackers.

We've been talking a lot about the nation-state stuff that's been going on, and frankly, the way this latest hack. Hit us all frankly, is very hard to address. This is like the attacker beams themselves into the business's network. But what about my friend?

What happened to him? How did this all work? He has, and I understand this man. He has not been following all of my advice and I'm sure this is true for most people out there because much of this is confusing. And I'm thinking I should probably do a little bit of training on this one as well for you guys.

And if you're interested, I need to know. And the only way I'll know is if you email me [email protected] and let me know, you're interested in protecting your online account. I'd be glad to put something together, believe me, and we can have a little bit of free training available for you guys. So again, [email protected], but this was a wake-up moment for so many people.

In the case of my friend, here's what happened. He was expecting a payment from GrubHub and it could be anybody, it doesn't have to be GrubHub and it was going to go straight into his bank account. How does the configure where he's paid his password, his username, his email address? All of those are configured either in the app or on the website for GrubHub.

All well and good. Isn't it. It should be pretty easy to do. And in fact, it was, and that's exactly what he did now. Let's talk about the mistake he made. He got an email with a link in it to GrubHub, and he clicked on that. You are you getting what's going on here now? So he clicked on the link for supposedly GrubHub and it wasn't GrubHub. But that's all he had to do. Cause now what he did is he confirmed that people are in fact, or that he in fact had a grubHub interest or GrubHub account. Now sometimes what'll happen is you click on it. It'll take you to a website of a bank or GrubHub in this case, and it's not the real website.

It'll ask you to verify your username and your password, and you'll type it in. Between you and me, I think he probably did that, but he wouldn't admit to it. So what'll happen is that point is they now have your username and password. Cause you just typed it in and they'll will oftentimes say invalid password, please try again.

They'll just. Automatically redirect you to the real website, assuming that you gave them your proper username and password, but they can still get you in many cases, even if you don't give your username and password. Rule number one. Remember when you are on your email account and you're looking at the emails and somebody says Hey, you've got to click here in order to verify something, or someone's trying to break into your account.

So click here so that we can get, get things straightened out and taken care of and blah, blah, blah, rule number one, don't click on that. Rule number two is in. And if you do click on it, don't give any information about yourself, like your username and password, but by clicking on it, you gave a little bit of information.

So here's what happens. The bad guys send out these. These are like Nigerian scam emails. They have a list of over right now. I think it's about three or 4 billion email addresses. So they'll send out emails to this list of addresses and people will randomly respond, even though they know they should not be responding.

So they randomly respond to the email by clicking on it. Now they know that my buddy's email address is a valid email address and he was clicking through to do something like it. Might've said, Hey GrubHub, you got to verify your account information or your delivery route or something. Something that's compelling to people who deliver for GrubHub to click on.

And frankly, even if you don't deliver, if you have a GrubHub account and you have a credit card, a credit card tied into it it might be worthwhile for them to steal that credit card information. Okay. So you collect and that's all you did was you clicked on that email. What happens next is then our friends will have the bad guys we'll say, Oh, okay.

So that was email account [email protected] and that's where his account email account was [email protected]. Okay, great.  Let's have a look online. So I took my body to a website that I recommended you guys use many times and it's called, have I been poned.com? So I want you right now, whether you're on your phone or in front of a computer, go to have I been poned.com and that's spelled like you'd expect it to be it's.

Have I been B E N P w N E d.com. Have I been polling.com and then type in your email address, I'm going to type in his right now. So this is the email address he was using. I'm not going to tell you exactly what it is. His email address don't embarrass him, but yeah. It says that he was postponed in eight data breaches and found no pastes.

So here's what that means. Data breaches are where his data was Nolan from a third party. In his case, I'm [email protected] and it says for him, Adobe and October 23rd, Teen 153 million Adobe accounts were breached. Okay. Funny. And so the compromised data from Adobe in 2013 was email addresses, password, hands, passwords, and usernames.

Now they were, the passwords are encrypted, but it was done very poorly and easy to resolve back to plain text. Okay. So Adobe had his username and his password. And again, between you and me. He has not changed his password in at least 10 years. Okay. So that means they had his email address and his password from the theft from Adobe.

Oh. But there's more, they also got his email address and password along the way with the email addresses and passwords of 164 million other people from LinkedIn in May, 2016. Oh, and by the way, LinkedIn was hacked also in 2012. So data's out there. It's you can just buy it. Let's see. Aluminum PDF. I don't use that, but apparently he does.

It was hacked last year, 15 and a half million records of user data appeared for download. Included authentication tokens, which means they don't even have to log in. They can just hack it using a special web browser code, email addresses, genders names, passwords spoken languages and usernames river city media spam list 1.4 billion.

Records that was in January, 2017 and share this 2018 41 million sTraffic it's a Israeli Mark marketing company at a database, 140 gigabytes of personal data, all kinds of stuff. And it goes on and on. So we'll tell you why clicking on that email is bad when we get back and how they use that. Along with this data that's available out there on the dark web.

We were talking about our hack, a friend of mine whose account got hacked. His paycheck got stolen and he could not get anything back. So we're going through what happened, why and what I did about it.

Don't forget, you can also go online. Craig peterson.com. Subscribe to my newsletter, get all of my show notes and warnings and information about trainings, all of that stuff. Craig peterson.com.

We established that my friend had his information stolen multiple times within in fact, the last year online.

Now that's a bad thing, frankly, especially when they've got your email address and your passwords. So they sent an email to him and he admits that they did, and that email had a link in it to click on and he admits that he clicked on it. And as I mentioned before, just clicking on that email becomes a problem.

Because now all they have to do is they track who it is that collect. So they know it was [email protected] because it's tracked. If you look at most links and emails, including the emails I send out, it actually doesn't take you to the ultimate destination. It takes you to another site that is tracking.

What you're doing is tracking the. Number of clicks and what people are interested in. And that makes sense for people like me, where I'm trying to find out what are you guys interested in so that I can help you out and give you more of that type of information? In the case of the bad guys, they now know that X, Y, [email protected] clicked on this email about the drivers for grub hub.

All they have to do is look into one of these online databases of stolen identities and find the email address the email for in this case, right? X, Y, [email protected] is that email in there. And the answer is going to be, yes, the email is in there and then they say, okay, X, Y, [email protected]. What's the password and they've got the password right in there.

So now all they had to do is use his email address and his password over at grub hub. So now they're in there in his account or grub hub, and these people were smart enough to know. All they have to do now is go to the account information pages and change the deposit to account. And that's exactly what they did.

So they changed the deposit to account. So his payment for delivering all of these different things that GrubHub delivers from local restaurants, et cetera, that payment is now. In their bank account and they have what are known as money mules. I don't know if you saw that mule movie with Clinton sword.

It was absolutely fantastic. But these money mules are people in the us that fall for the scam of hay. We have a few accounts and we can't have a us bank account. So what we're going to do is we're going to wire you the money in, let's say PayPal, and then I want you to split it up and wired into these other accounts.

So now you are mule. You are money laundering for them. And a lot of people have fallen for that scam and the FBI and the secret service have arrested a lot of these ringleaders over this type of nastiness that they've been really perpetrating against all of us. So it's a bad thing. So what happens now is he goes to log in to his account.

It still works. They didn't change his password. Life was still good for him. And he's able to do his work still. However, he notices that his money didn't show up and GrubHub says, yeah, we deposited the money in your account. No problem. So he goes in, he looks at a double-check see, count, just being thorough.

And he finds, Whoa, wait a minute. This is not my account number. So now we start to get a little bit worried and that's when he calls me up and he comes over and we spend about four hours tracking this down and fixing it. What the bad guys ended up doing is he had changed his password. So now what can they do?

They're out of luck, right? No, they're not because remember they still have access to who is X, Y, [email protected]. Email. All they do is go to grub hub and say, forgot password and grub hub dutifully sends a password reset to his Hotmail account who has access to his Hotmail account. They do. And so he then says, Oh my gosh, I can't get into my GrubHub account anymore.

So we go back and forth on this. Ultimately the bad guys. Turned on two factor authentication on his Hotmail account, which is Pinedale by Microsoft outlook.com nowadays. And with two factor authentication, you have to have an authentication app in order to. Change passwords, or even in sometimes now in his case, he was lucky because he was still logged in to outlook to his Hotmail account.

And we were able to use that to get around some problems. I'm not going to get into all of the gory little details of it, but we managed to reset everything. Thank goodness. So he's now getting his money from grub hub, but ultimately what I ended up having to do is set him up with a one password account.

Now I have done this for him before, and he has never used it because it is confusing. You gotta really pay attention when you're doing this stuff, because I had to do two or three times with some of these online services that he uses and his banks. But one password is what I recommend. He bought the family version, which is $5 a month.

There's a one week free trial.  I don't get any money from this. One password doesn't pay me anything. Give me anything, nothing. They don't even acknowledge. I exist. All right.  We do use it for some of our clients as well, and we do use it for some of our internal stuff too, but what happened is, I got one password set up. We set it up to use two factor authentication.

One password will act as an authenticator now. I like one password. It just spelled literally one, the digit one password.com. You'll find them online. With the two factor authentication, what happens is when you go to log in, you're going to give you a password.

And then it's going to ask you for six digit number and that six digit number changes every 30 seconds, which is really a good thing, frankly.  We obviously changed his passwords. Now he was very concerned because he doesn't want to have to remember a different password for every website. That's what one password is there for.

And we use one password to generate fairly memorable passwords, at least easy enough to type in for all of his websites who went through them. One by one, we changed the passwords. On those website, we using one password, had one password. Remember them, those websites that could use nothing indicator for verification, we set up the two factor authentication and now he's cruising along.

Everything is reset. He has good passwords, different ones on each one of his accounts. And he only has to remember one password, which is that. The password, which is really a passphrase that he uses to get into one password. It makes life much, much easier. And an automatic automatically synchronizes between his iPhone and his desktop computer.

It also runs on Android and windows and stuff too. So it's very good software. Check it out. If he had done this a few months ago. He would be in pretty good shape as it turns out he didn't, but thank goodness we were able to recover. And by the way, if he didn't have the two factor authentication, because remember the bad guys set it up, he'd have to wait 30 days.

Another warning and a deletion from the Google play store this week for a VPN service. We're going to tell you about that as well as explain why you should not be using VPN services in most, but not all cases.

Craig, Peterson here. You can visit me [email protected].  Hey, thanks for joining me today.

VPNs, I think are one of the least understood technologies that many of us use almost every day. VPNs are used for us to connect to the office. Many people use VPNs to try and keep their information private. It's not as though there's anything to hide in most of these cases, it's just that it's nobody else's business.

It's not something that people want to share. So they do use VPN. So how do they work? How do they not work? What are the issues involved? That's a little bit about what we're going to cover right now, but let's start with Google. There's a VPN called super VPN free. Now this is a VPN client and the way VPNs work is you have a server, which you can think of as the end point, and you have your client.

So the client resides on your computer or your mobile device, and it connects to the server. If you're a business and you are trying to use a VPN in order to allow your no, usually not customers, but suppliers or employees to connect into the office. I hope that you're using a model called a zero trust model because what it is really is an Excel.

to your network. So you're extending that employee's home network or that provider's network office network, you're extending it into yours and you're joining them together, which is obviously a very scary thing to do and can be a very bad thing to do and allow. Some of the malicious software to spread onto the networks.

Okay. So we've talked about that a lot over time. In this case, the super VPN free VPN client. Has something that is called man in the middle. Now, the way this works is just think of broken telephone. If you've ever tried to play that before we used to do it with a cans, tin cans and strings. Between the cans.

And so you'd have three people and one person would talk into the can and the person in the middle would hear the message and then would relay it through another can to another buddy who's down that piece of string. And that allowed us to go greater distances. It wasn't, it was a lot of fun. And then of course the old broken telephone game.

That we used to play the, you might have 10 or 20 people and you try and pass a message from one person to the next and not mess it up. Now, some people of course would mess it up on purpose, but you really can have some fun with those games. In this case, the man in the middle was the VPN server.

Cause you remember the data's going from your device over an encrypted, hopefully secure connection over the internet. And then it arrives at the VPN server and what this server was doing. And unfortunately, what far too many VPN servers was we're still doing is known as a man in the middle attack. Yeah, the data is going from your device to their server.

It is encrypted and hopefully using good encryption. And then the next stage is it's decrypted at their server. So you're trying to go to the bank, you're entering account information. And, but that VPN server in the middle of this whole conversation is monitoring everything you're doing. So it gets onto their server.

They can see your usernames, they can see your passwords, they can see your account numbers, and then it opens a connection from their server to your bank. Yeah. Dangerous. So if you had. This shady VPN app from the Google play store called super VPN free. You might want to remove it, but this is a more generic problem than just one single VPN app.

This problem is in fact very common. So I want to run through some other reasons why you probably don't want to use VPN services. Remember number one. There might be a man in the middle attack going on and we've even got countries doing that. Now China does that, so they can monitor everything. Even when it's encrypted, we've got cows Exton right now, spying on citizens, HTTPS encrypted traffic.

And it's a, it's a bad thing. Bottom line VPNs that we're normally using. Now, this does not mean a VPN. That's a private network. That's used internally inside of businesses, but the types of VPNs that consumers are buying, and unfortunately, far too many businesses are buying unknowingly.

Number one logging, many of these VPN say that the services, Hey, we don't log, which somehow is supposed to make you feel better about it. Some of them say we only logged for 30 minutes. Remember that it's rare for the VPN servers themselves to be in a data center. That's owned by that VPN provider.

So we have other servers on that same network and that provider that's giving or leasing or renting of that VPN server. Space in that data center is going to be logging all that. So remember, it's in the VPN providers best interest to log their users. It lets them deflect blame to the country. If the customer's doing something that's illegal, if they get a DMCA, take down notice, et cetera, et cetera.

So if the VPN provider is logging, now, they. If they got into legal trouble would have a little bit of a leg stand on. Even if you're paying $10 a month for the vPN service, it doesn't even pay for their expenses. Most of these VPNs are making money off of you. Okay. Bottom line. And there's a number of ways they're doing it.

I have a whole webinar on VPNs. And if you want, I'll send you a link. To the copy of my last VPN webinar. Be glad to let you know a little bit more about that. Now there are some VPNs that servers and services that have gone out of business. Recently, one of them is called hide my ass. They went out of business and they gave up all of the information about their users years ago.

And this was w. We talked about, in fact, on my radio show, this was a G almost 10 years ago. And they handed over evidence that resulted in the arrest of some some of their clients, frankly, who were doing some things that were pretty nasty. Guess what? That provides us with another reason not to use VPN services because we are being lumped in with.

Every type of evil person you can think of, right? There are the majority of these VPN users. They might be like you and me, and just trying to keep prying eyes from our ISP, from Comcast, from whomever, keep those prying eyes away from our. Our systems, our data is none of their business, and I don't want to share it with them.

However, the criminals that are out there, the arch criminals that are out there, they are using these VPN services. So the IP addresses of most of these VPN services are actually blacklisted. By some of these providers that are out there and blacklisting is bad because have been using the VPN services or services like tore, for instance, in the onion network are you're going to be blocked at, in quite a number of different banks and other websites.

We block them routinely for our. Clients as well, because we can't really tell, are you a bad guy? Are you a nation state like China or Russia trying to hack in or are you just using a VPN to try and stay safe? Okay. So there's another reason not to use VPNs. And you might say, Hey, listen, I'm paying anonymously.

I'm using Bitcoin, whatever might be in order to pay for it. You remember, you're still connecting to the VPN service using your own internet address, and they can log that and it can be traced. VPNs. Don't provide security. Frankly, they are what we call in the business of proxy. And that means that you connect to a server that connects to another server and there might be cashing proxies, et cetera, in order to cut down on their bandwidth.

But that's what they are. They just are not providing more security. If you think you want more privacy, remember VPNs, don't provide privacy with a few exceptions. They are, again, just a proxy. They're effectively a middleman. Sometimes you're even using this man in the middle attack. We talked about early, earlier.

If somebody wants to tap your connection, they can still do it. They just have to do it at a different point. Now, remember that the VPN service you're using does not take you to that bank website that you want to go to. That VPN service takes you to some point in the U S or Italy or Sweden, wherever it might be.

And at that point, now it's out on the open internet. If they want to tap your connection, they can still do it. They just do it a different point. And these major nation States that are trying to spy on people, they also rent. Server time and data from the exact same places that these VPN services are renting from.

So they then launch attacks against the VPN servers so they can get it, all that information. They can decode. They can do the man in the middle attacks, whatever they want to do. So you're not getting more privacy because all they have to do is monitor at a different point. And although your internet service provider might be tracking where you're going online and selling some of that information, most of these VPN services are doing that exact same as well.

Now, if you think that you want more encryption and that's why you're going to do it well, you know what? Just using HTTPS on your web browser, that is enough security for almost anything you might be doing. So make sure you using HTTPS colon slash. The websites you want to go to because that website is now connected to you via a VPN provided by that server, like your bank or wherever it is, you may be going online.

I'm going to do more about VPNs after the first of the year, drop me an email [email protected], if you'd like to find out more.

You are probably fairly familiar with all of the normal tips about shopping online. We're going to get into little more detail here and what you should do while you're shopping and after your view have been shopping.

You can find almost all of this stuff up on my [email protected]. And if you are not subscribed to my newsletter or my podcast, please take a minute to do that on your favorite podcasting application.

There are a lot of tricks they're going on right now when it comes to online shopping things that we have to be very aware of. And you've probably heard about many of them before. There are, of course, all kinds of nasty people out there that are trying to trick us into maybe given a credit card where we shouldn't and I want to.

Play it a little bit of audio as well from my daughter. And this is really sad, but she got this phone call and it came through on regarding some fallbacks activities in the state of Washington. Do we need to talk to you as soon as possible? This call is from social security administration.

I'm literally trying to apartment (509) 524-9631. I think it's (509) 524-9631. Thank you. Now I usually don't play the phone number when someone leaves a message. But in this case, I don't know. I, if I was you, I probably would not call it. Cause now they know that you are a person who is potentially going to be open for fraud.

So don't call those numbers. I think that's an important thing for us all to remember. But in case you couldn't quite make it, how it was the social security administration calling and they were calling because they saw some fraudulent activity in Washington. And so they wanted to follow up with you and you, they wanted you to call back.

So obviously. Don't do that. My daughter got this phone call just this Thursday and it was in her voicemail. Don't call these people back. I have a friend who he will see a phone number coming in, right call come in. Oh, I don't recognize that call. And so he'll just let it go to voicemail and he doesn't listen to the voicemail.

He just calls the number back. Hi, you called. Don't do that. And there's a couple of reasons. One is in the, in most of these cases, they are trying to get information about you so they know you'll call them. So they might be able to trick you. But in most cases, that caller ID is fake. So they're sending you a caller ID and it says some phone numbers.

Sometimes they even use phone numbers of police departments, which is really funny. There's a video online of a police captain getting one of these fraud calls and she keeps this fraudster on the phone and who's telling her that he's going to report her to the local police. They're going to come by and arrest her unless she pays him right now.

And she's just doing everything she can to not laugh because she's the chief of police. Are you kidding me? And she knew it was a fraudster. So we have to be very careful with these people. And so many of us, particularly the older generations are trusting, and that can be a bad thing, but it's not just them.

It's the young people too. I am shocked at what they will do, what they'll get away with and how they just don't. Care about cybersecurity. Really don't care. I had a discussion with one of my, one of my sons and he didn't care. He was just, he was pushing back as hard as he possibly could. So maybe it's a dad thing.

Cause I'm his dad and I'm into cybersecurity. It's what I've done for a living for decades. And he is just rebelling. And he's how old is he now? He's probably 24 or something like that, but I know a lot of us rebel and push back against this stuff. Just like I talked about earlier with the printers, we know we should be keeping our firmware up to date, but we just don't.

So watch out for those scammers. One time I was. On the floor of a trade show. And I was actually exhibiting there at the trade show and talking with people and everything back and forth. And I thought it was going pretty well. And then I got a phone call and I answered it and it was a lady from the IRS or at least that's what she said she was.

And I knew it was just totally fake because the IRS doesn't just call you out of the blue, the social security administration. Doesn't just call you out of the blue. They will send you a letter. It's really that simple. So I hung up on her and she called back like six times and I told her, listen, this is a scam.

I know it's a scam she was asking for. I think it was Apple gift cards were really Apple gift cards. I can see Amazon gift cards, but Apple's a little more limited, I don't know. I don't know. Maybe they'd just buy. Apple phones with those gift cards and then sell them on the gray market or the black market once they got the hands on.

I just don't know. So it is happening and it is going to happen even more this year. And many people ask why would someone do that? Right there? In many cases, they don't really know what they're doing. They're just calling from a call center and they've got a script to read and they are told that it's legitimate, right?

In another cases. And of course the people who are running this scam know it's not legitimate. And then other cases, they're an active participant, but they're making money. And it's the only way they know how to make money is rip people off, which is just a shame. And. Between you and I see this all the time in the it world, where there are a lot of businesses out there that are scam artists, they put up a shingle saying I'm a managed services provider, or I'm an it professional because there's money in it.

And they're not, we have a client. This was absolutely fantastic on Thursday this week. One of our texts. One of our senior texts, one, one of my sons in fact, was out there. And he said that we were the best, it support people he has ever seen. And he's been in business for about 40 years and he was just ever so grateful.

I was at to everything that we're doing for him and his. Team his company, helping him to grow and solving all of these it problems. He doesn't even have to think about them. He doesn't even hear about them because many times we solve them before they even know about it. But we're right on top of it.

And we're helping them, we get the right equipment. So he doesn't have to. Buy it again, when it breaks and he doesn't have to do with the downtime that you always have to deal with when something breaks or something fails. So he is very grateful. And so am I frankly, for what he's done for us, which is pay his bill it's right.

So yeah. They're very good people and made me feel very good about that. But anyhow okay. So I am going on and on here, but let's talk about the online shopping and the safety for online shopping. There is a great article that I picked up from Cece. Which is a federal government agencies called the cybersecurity and infrastructure security agency.

C I S a.gov is where you'll find a lot of this online, but let's go through some of the tips. The first one is the best defense there is, frankly, which is be aware. Before you do anything, stop and look. And I do that all of the time. I get an email from someone. It might be a legitimate email. It might be legit from Amazon or from Walmart or whatever online store.

So I always stop and look at it. And number one thing to look for is the grammar. Good English grammar, at least good enough. English grammar that you think that they're probably a native English speaker. Okay. Now you say, great. And there's all kinds are wonderful people who aren't here, English speakers in.

That's true. Okay. There are multiple things to look at. We're just talking about one of them here right now, which is, are they native English speaker or is this very poor or grammar? Because most businesses are not going to send out an email. They're just full of grammatical mistakes or spelling mistakes.

Does that make sense to you? They're not going to do that because frankly it just reflects very badly on them. And that's not something that you want to have happen. So that's the first thing to do next. Double check all of the URLs. So that email from address should be absolutely correct. Is it absolutely amazon.com or is it AMA dash Z O n.com or is it a M Z O n.com?

Any of these. Misspellings common misspellings, things that you might just overlook normally, does that email contain any of those types of things? That's all a part of awareness. And what we're trying to prevent here are what are called phishing attacks, or even spear phishing attacks, where they are sending us something that looks legitimate on its surface, but obviously.

Is not when you get right into it. So in most cases, when I get an email from somebody, what whomever they might be, I look at it and say, is this a legitimate communication? Am I expecting it? And if it's from a bank of mine or some other vendor, I rarely ever click on the link in there. I usually go to their website directly.

There's usually most banks have the. Messages thing and you can right there in that messages say, yeah, okay, no problem. Here it is this the same message that they sent me via email. And if you do that, then, it's legit. It's just You don't call back a phone number. If they say they're calling from the local police department, you look them up in the book and yet, and you look them up online, right?

Who has books anymore? You call that number, not the number that they gave him. All right.

Now that we know the basics, let's get into the details of what are some of the things you can do. In addition, we're going to get into multi-factor authentication and much more. So here we go.

Let's talk about these devices that we're going to be buying this year and in next year. 2020 is going to come to an end. I'm really hoping some of this stuff's going to spill over into next year. There's a few things you really should be doing, especially with your bank or Amazon, anywhere where you have financial data. And one of those things is called multifactor authentication.

A lot of these businesses have this called also two factor authentication. You might see it abbreviated as. To FFA or MFA, but what that allows you to do is have something, and combine that with something you have. That's always been the best practice when it comes to security. Now, obviously there's even more stringent stuff that you could potentially do, but that's your basics of the best stuff.

So what is this two factor authentication? In many cases, businesses are using a text to message that they'll send you when you log in. So you go into your account. Normally it's where you would set your password and you'll see something there about multi-factor authentication or two factor authentication.

You'll go to that. And in most cases, they'll ask for your. Phone number and they'll send you a text message to verify it. And. You're off and running. So now the next time you go to log into that site, it's going to want your username or email address, and it's going to want also your password. And hopefully you're using a different password on every website out there.

And then it's going to send you a text message and that text message will have a number that you can then type in on the website. And then this is okay. This is really you. Now you gotta be careful with this because there are a number of people who have been bamboozled by this. One of the ways they got bamboozled was where yes, indeed.

People stole their phone number. So an attacker knows that you have something valuable, they want to get into your bank account, or maybe it's get into your Bitcoin account, whatever it might be. And they find out what your cell phone number is. And then they call up your cell phone provider and they say, Hey, I've got a new phone.

And then they give the, all of the information for the new phone and they can bamboozle them. To get them to switch. And before you know it, cause you're not getting to notice, Hey, I just didn't get any phone calls. Not a big deal. In fact, it's wonderful that people haven't been bothering me on the phone, but what has actually ended up happening is they now have your email address.

They have assumed. I assume that they have your password because most people use the same password on multiple sites, or it's an easy to guess password, easy enough to find the breached passwords on the dark web. I do it all of the time when I'm looking for dark web stuff for my clients, but now they have your phone number.

So when they go to log into that bank account, They've got the email address. They got your password. Cause you, you have used that same password elsewhere. And when the bank sends a text message to your phone, it doesn't go to your phone and you don't even know it went to your phone. So here's an important tip.

Contact your cell provider and have them use a pin or a password with you so that when you call up, they're going to ask you what's the password for the account. Now this is going to be a different password than you'd use on the website. But it's going to be a password. In some cases, it's a pin. So come up with something that you don't use anywhere else and set it up with your cell phone provider.

All right. So that way, if they are going to hijack your SMS or text messages, it doesn't matter because even then they can't get through, but there's a better way. Okay. There's a better way to do all of this. There are some paid and some free two factor authentication apps. What I use personally, and what we use with our customers is called duo D U O.

We've been using them for years. Cisco of course bought them because they were the best in the business. That's what Cisco does. So duo allows you to have a different type of two factor authentication. You can also use Google authenticator, which is free. You can use last pass. In fact, I got an email this week from one of the subscribers to my email list, thanking me for the recommendation for last pass.

And by the way, if you want a copy. I have my special report. I'd be glad to send it to you. That talks about passwords talks about one PA password and last pass and what you should do a little bit about two factor authentication. So I use duo. I also have Google authenticator, although I don't really use that at all.

I tend to use Google or do I should say. What happens with that is they'll display a QR code when you're setting up the two factor authentication. That's one of those square things that has all of the little squares inside of it that you can use to go to a website is typically what you'd use it for in this case, it then syncs up a special Countdown a few old 30 seconds, and it'll give you a six digit code that you can use.

And that code is only good for 30 seconds. So now when you go to login, you're going to give you username or email. You're going to give your password. And then it's going to ask you for that. Code so you can use again with duo, I have adjust automatically. It comes up, it's integrated with my one password as well.

So I can now log in and I know it's extra safe because even if someone steals my phone number, It's not going to do them any good because I do not use my phone for verification for two factor authentication. Now there's one more trick that you could play if you wanted to. And I have done this more than once.

Some websites do not allow you to use an authenticator app. Yeah, I know behind the times, aren't they? So you have to use SMS. If you want to use two factor authentication, other words, you have to have a text message sent to you. So what I do with those sites is I have a phone number that isn't a real phone.

So I have a phone number that I got years ago from a company that Google bought nowadays, Google calls it Google voice. So I have a Google voice number and I will give them that number. Now, why would I give him that number? First of all, I can filter calls that are coming in and text messages and everything out.

And then Google will forward the text message to my phone. And remember it's Google. So it's not terribly private, but that's okay because those numbers are usually only good for a number of minutes. Okay. So it's not a very big deal, but the reason I use. Something like Google voice is it's not a real phone number, so they can't call up T-Mobile or Verizon or whoever you have your phone through pretending to be you and get them to transfer that phone number.

Because they can't and they won't. Okay. It's very important. The, the SIM card that you have in your phone nowadays, some of these devices have virtual SIM cards. That SIM card that's in your phone can not be stolen or duplicated or anything else either if you're using one of these Google voice numbers.

So some really important tips there. I hope you took some notes.

If you didn't, you can find this online. I post these as podcasts that you'll find right on my website @craigpeterson.com. You can listen to them, take notes. My wife even provides a transcription of these things most of the time. Bless her heart she spends a lot of time doing that and she'd appreciate it. Check it out online craig peterson.com.

We're talking about how to keep your devices safe that you're buying this year things you're getting for family, for friends, maybe for yourself as well. And we're going to get into it more. Now we've got some real surprising things for you guys.

One of the things that we have to do, and this is again, over and over again, but better than 60% computers have windows, computers are not up to date. Remember we're buying nine devices that are basically computers. Do you remember that whole Barbie thing from not too long ago?

I, in fact, was on TV with this thing and it was sending audio up to the internet and we were able to intercept it. We did a whole thing on television about this. Obviously it's a very big problem because it's your kid's information. Voices being sent up in the Barbie was interacting. Dope now Mattel cleaned some of that stuff up and that's always a good thing.

But the point behind this whole computer in a toy or other device thing is that their computers we're talking about mobile phones. And Android phones, just not getting security updates. If you're going to insist on using an Android phone, make sure you get the latest model every two years, because even Samsung only supports their phones.

They're top of the line phones for two years. Okay. Versus your iPhone, which is good for five or more years. So keep those phones up to date. In fact, when you first get the phone, probably the first thing you should do is check for a software update. Computers are the same thing. Whether you're getting one of these Chromebooks, which are very good in generally speaking, I'll remember it's Google.

Okay. But the Chromebooks tend to be kept up-to-date because it's pretty much automatic. And I know a lot of security researchers. Use Chromebooks and use them exclusively because they don't have the same security problems as windows. What's one of the reasons apples don't get attacked as much as windows computers.

Don't because the Macs frankly, are not as common. They're only about 8% of the market out there, depending on whose numbers you're listening to. So why would they go after it? Plus it's a little more hardened than windows is. In fact, it's a lot more hardened than windows is. And Microsoft is starting to FY fall in behind Apple's lead, which I think is a good thing.

So those computers update them immediately. If you're still running windows seven, make sure you get 10 cause seven. Isn't getting the updates anymore. If you're running windows eight, 8.1, make sure again, you upgrade to windows 10, but brand new computers. Shouldn't come with those. Another quick word of warning about computers that you're buying the home edition of windows does not have the same features as the business additions or enterprise additions of windows.

So you might want to, when you're buying something, look for windows professional, it has more options. And one of the options that could save your bacon is the ability to put off update. Now, you're I hear you saying Craig, you're always telling us to update. Early and update often. Yeah, that's very true because many times when you get that patch, it's because there is something going on in the wild, bad guys are actively using it to exploit you to exploit your fault.

Okay. So there's some very good reasons to stay up to date, but. Hey, here's a problem. I had a law office call me up because right in the middle of them, putting together some documents for the court that were due in less than two hours windows and they were running home edition, decided it was going to force them to do an update.

You can imagine the trouble that ensued because they weren't going to be able to get the paperwork filed with the court in time. Very big problem. But even if you're not an attorney, you're not dealing with the court. When the windows professional does give you the option to schedule the. Dates, you can push them off for a week and then you can get into the more advanced stuff too, with the device management, MDM type stuff where you can now manage that device and make that device secure most, if not all of the time.

Okay. So let's move on to the next tablets again. You look at something like the Amazon Kindle, the firearms and the here's my watch talking hit the Siri button accidentally. So the Amazon Kindle fire that is an Android tablet. Now, one of the advantages is it is updated by Amazon automatically. It gets all of these security updates and other things.

Yeah. That's a very good thing, and it gets them for a fair length of time and they are cheap. You can get them for 50 bucks, 70 bucks brand new from Amazon. And I got one a year or two ago, probably a couple of years ago. And it wasn't well packaged and it's shipping and the. The front screen was just cracked all the way down.

So I returned it, they shipped me another one and that one wasn't cracked. So that's good, but I've kept an eye on it and it has been very good. And I also got with the Amazon fire tablet, one of these stands that you can put it in, it's a charging stand, but when you place it in the charging, stand it then becomes an Amazon Alexa.

So a little kids come over grandkids, and they want me to play baby shark, which is an annoying song that the grandkids, every generation has this. I remember a slightly older grandchild. A granddaughter who used to love ah, jeepers. What was a gummy bear? That's what it was. Gummy bear.

Remember that song was incredibly annoying too. And he, in fact, I ended up getting the guy who wrote the sock on radio show with me to talk a little bit about it. It was fun actually. Those of us who needed to be kept up to date all of those tablets, because they are real computers, but nowadays we're buying appliances.

Like I remember five years ago, I think it was out of the consumer electronics show. I saw a, another one. Before, your home that you put into your home and it had an Android operating system in it, it connected to wifi and it allowed you remotely to say, Oh, you know that steak or Rosa told you to cook in the oven at 5:00 PM, I'm going to be late.

Okay. So you just go online and I type it into my phone and ta-da, I am now all set. There we go. And it's not going to start cooking it until six 30. That's all well and good, but that appliance has a computer in it and it's sent into wifi. I have you updated it. And does it self update and for how long are they going to be providing updates for that oven?

Or, I'm sure my now five years later, there's no more updates for it. So you now have a, an appliance, a device that is frankly dangerous on your network, because if somebody, again, they come over to your house, they've got a laptop, they connect to your wifi and it now infects your appliance.

Okay. Whether it's your washer or your dryer. Those are the two most common, I think right now that are internet connected or your oven or your microwave or your garage doors or your security system or your lights, those can all get infected. And now they are used as launching points to infect everything else.

You network. Check the update, make sure everything's up to date. And in some cases it's pretty hard to update, but it's worth it. You have to do it even your children's toys. One of the things I do is I put them on a network segment that has no access to anything else. I have an IOT wifi network, internet of things.

All right. You're listening to Craig Peterson. Make sure you visit me online at craig peterson.com and sign up for my newsletter.

We've talked about, multi-factor authentication, we've talked about, of course, protecting your devices by keeping your software up to date and that's everything nowadays, really, and how to do that. What's up for that. Now we're going to go into a couple more good points.

So we did talk about multifactor or two factor software update. Now, once you've purchased an internet connected device, no matter what it is, if it's a router or firewall, if it's a Barbie doll, change the default password.

Now, in most cases you can connect to the device, just using a web browser that makes it very simple. So you use the web browser, you connect to the device. Most of them have web servers on them. If you can imagine that, a little doll with a web server on it, but yeah, that's what happens. Your refrigerator probably has one of his internet connected and your washer dryer, a almost every even light bulbs have little web servers built into them and you want to connect to them and change the default password.

So look up the manual. It's probably not going to tell you how to do it with. The information that's in the packing, but if you go online and search for that device, you can find out how to change it and use this is just normal recommendations, right? Use different passwords for every device and always use complex passwords.

Now complex doesn't mean that it has to have special symbols in this upper case, that lowercase, et cetera, it can just be. Three or four words strung together. That's all it needs to be. You might want to throw a digit or two in there, maybe a special character too, but a phrase is the best. And in order to do that, you're probably best off.

Using a password manager to help out. So that means using something like one password or last pass. And once you've got that in place, it'll generate these passwords for you automatically it'll remember them. It keeps them encrypted. So you only have to remember one password and that's the password you have set for.

The password manager now, in my case, I've got it set up with duo again. So I'll go into one password and one password is going to ask me for my password and it's also going to authenticate me via duo on my smartphone. So there's a multifactor three factor authentication. Okay. So important for all of these devices that connect to the internet.

Also check the devices, privacy, and security settings. And a lot of times the manufacturer will. Let you set up an account on their website. And from there, you can tell it what information you want to share and don't want to share. Now, remember what I was talking about in the last hour with Apple, they are being very good about this and they are now demanding that all of the app developers disclose to you.

That you have in deed, given consent for this information or that information to be used by that app developer and sold. But you can go to the Mattel website, set up an account for your device or the Samsung or whatever it might be. And right there, you can examine. Your privacy settings and what do I want to allow the vendor to gain access to?

Okay. Make sure you're not sharing more information. Yeah. Then you absolutely need to provide, they're not going to ask you for social security numbers or other things. There's no reason to write that stuff that the bank or the IRS is going to want. Not these guys, at least, hopefully. Make sure you're enabling automatic software updates, wherever you can.

The latest version of the software. Usually tells you that it has the latest security fixes. Hopefully it does, but it also helps to ensure the manufacturer still support it. Because if you've got automatic updates and they're sending updates to you and a hundred thousand of your closest friends who also have the same device, they're going to continue to support it.

And that way, the latest patches are going to be out there, but if you're not getting the updates and nobody else is the manufacturer is not going to have a lot of incentive to give you security updates, then there's the normal stuff about, don't use public wifi. Yeah. That's generally a good idea.

But if you're using a secure server connection, That's that little lock up in the URL bar. Then you are effectively creating a VPN between your web browser and that remote server, and that's going to be quite safe. So purpose personally, I don't worry so much about that. I do worry about my machine being attacked, but I also have a very good firewall turned on and I have all of the services that I don't need to have shared.

Turned off and I am going to do. Class on this, a little course on hardening windows. In fact, we've got it all written. We've got slides together. We'll probably be doing that after the first of the year. So keep an eye on your email for that. Cause anybody who gets my newsletter, I'll tell you about that.

How to harden windows, so that even if you are on a public wifi somewhere, you're going to be relatively safe and the same. Thing's true. If you're. Using your phone for instance, and you're sharing your phone's network connection with your computer. It could still be used by bad guys to try and get into your phone.

These ISP internet service providers are not completely on top of all the security. Okay. All of the basic stuff don't provide personal information, financial information. I tend to use. These one time, if you will use credit card numbers. So every time I, if I go to a site and I want to buy something let's say I'm on GoDaddy buying a domain or I'm on Walmart side or Amazon site.

Each one of those, I use a different credit card number with, so check out your credit card provider, all of the major ones, visa and MasterCard. They have the ability to create virtual credit card numbers. And that way that credit card number can only be used on that website. So you give this, you create this credit card number.

It's very easy to do. It's usually a plugin in your browser. You create a credit card number and it's for amazon.com. And now if somebody were to get that credit card number from Amazon and try and use it somewhere else, it will not work. It will only work on amazon.com. Isn't that cool. And then the other advantage is if someone starts to miss using it, then you can just turn off that virtual credit card number.

It's really that simple. So have a look at that. Then one time use credit card numbers or these virtual credit card numbers, which is what I like. Where you can use it multiple times on that site, you don't have to create a new one every time, a available from most banks and all major credit card companies.

Okay. Also be careful with the websites. You're going to make sure you type that URL correctly. As I said before, I always spend a few extra seconds. Whenever I'm on a website, I'm going to a website. I'm reading email, just making sure that it is correct. I spelled Amazon Houghton, or the email address that sent it to me.

Is legitimate. I can't believe how many times I get an email. It's a phishing email and it's from [email protected]. And that's a word of warning too, to the small businesses that are trying to do online stuff. Make sure you have your own domain. That you're not using Gmail or Hotmail or Yahoo.

I've seen so many people doing that got even proton mail. Proton mail is quite secure and it's really nice the way they're doing it. It's hosted in Switzerland. Check them out by the way. I put something about that in my newsletter bought a month ago. With what that's all about. And if you want it, just let me know, just email [email protected] and in the subject line mentioned proton mail or something, and I'll forward you that newsletter so that you have it, but you can always search.

If you don't delete my newsletters, you can always search for that information, but you can have proton mail set you up with your own domain. So it's from Bob's country store.com instead of Bob's country store, gmail.com. Okay. It looks much more legitimate. Let's see offers obviously be careful with those don't click links or download attachments, unless you're.

Really confident. Again, I tend to go to the website as opposed to click on the email that I got, there always this warning or that other thing, just go to their website, make sure that it's all being encrypted again. That's that little padlock, if it's closed or your information's encrypted, which is really good.

If you can use a credit card. Don't use a debit card there's laws to limit your liability for fraudulent credit card charges, but you don't really have quite the same level of protection when you're using a debit card and the money will be taken out of your account with a debit card. If a bad guy. Is using your debit card and then you have to file a police report and then you have to file with the company that gave you the debit card.

And then you have to wait for the money to be credited back to your account. And in the meantime, your checks are bouncing or. If you use the debit card for other things, it is being Denine. Okay. So be very careful with that. Insufficient funds are always going out there. So there's a lot of it's of other things.

And I would urge you to just be very careful, very cautious, just like Santa Claus, checks his list and checks it twice to the same thing all the time when you're online. Hey, if you don't get my free newsletter right now, make sure you sign up. I have all kinds of tips. That's what it's about. You also get all of my podcasts segment that you can just click on right there in the emails makes your life easy and helps to keep you safe.

Online. Just visit me online. Craig Peterson.com. You can go look at anything you want. If you scroll down on the homepage, there's a little form you can fill out. If you have an explicit question for me, always glad to answer them. And then at the bottom of the page, a little subscribe box will show up as well.

Take care, have a great weekend. Join me again next week.

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553