Do You Know How Hackers are Spoofing You? All About Email spoofing!
Release Date: 01/29/2022
Craig Peterson - America's Leading CyberSecurity Strategist
We just got an email this week from a customer and they're saying, "Oh no, my email has been hacked." What does that mean? Was it really hacked? We're going to talk right now about email spoofing, which is a very big deal.
[Following is an automated transcript]
[00:00:15] Email spoofing has been a problem for a long time, really, since the 1970s. I remember when I got my first spoofed email back in the eighties and there was really a little bit of confusion.
[00:00:30] I went into it in more detail, of course, being a very technical kind of guy, and looked behind the curtains, figured out what was going on. Just shook my head. I marveled at some people. Why would you do this sort of thing? The whole idea behind email spoofing is for you to receive an email that looks like it's from someone that it's not. Now, you've all seen examples of this.
[00:00:55] Everybody has. And those emails that are supposedly from the bank, or maybe from Amazon or some other type of business or family friend, this is part of what we call social engineering, where the bad guys are using a little bit about what they know about you, or maybe another person, in order to, frankly, fool you.
[00:01:19] That's what spoofing really is. There were a lot of email accounts that were hacked over the last what, 30, 40 years. And you might remember these people sending out an email saying, oh, my account got hacked because you just got emails. Back in the day, what people were trying to do is break into people's email accounts and then the bad guys after having broken in now knew everybody that was in the contact list from the account that was just broken into.
[00:01:54] Now they know, Hey, listen, this person sends an email. Maybe I can just pretend I'm them. These days, the same thing still happens. But now typically what you're seeing is a more directed attack. So a person might even look in that email account that they've broken into and poke around a little bit and find out, oh, okay.
[00:02:16] So this person's account is a purchasing manager at a big company. So then they take the next step or maybe the step after that and try and figure out, okay, so now what do I do? Oh, okay. So really what I can do now is send fake purchase orders or send fake requests for money. I've seen in the past with clients that we've picked up because the email was acting strangely where a bad guy went ahead, found
[00:02:49] invoices that had been sent out by the purchasing person and then sent the invoices out and changed the pay-to information on the invoice. So they took the PDFs that they found on the file server of the invoices, went in and changed them, changed the account that they wanted the funds ACH'd into. And once they had that happen, they just sent the invoice out again saying overdue.
[00:03:18] Off it goes in the email and the company receives it and says, oh okay, I need to pay this invoice now. Sometimes they marked them overdue. Sometimes they didn't mark them overdue. I've seen both cases, and now the money gets sent off and that invoice gets paid and then gets paid to the wrong person.
[00:03:38] Or maybe they go ahead and they don't send the invoice out, but they just send a little notification saying, Hey, our account has changed. Make sure you direct all future payments to this account instead. Now you might be thinking, wait a second here. Now they send this email out. It's going to go into a bank account.
[00:03:57] I can recover the money. Well, no, you can't. Because what they're doing is they are using mules. Now you've heard of mules before. You might've even seen that recent Clint Eastwood movie. I think it was called. But typically when we think of mules as people, we're thinking about people who are running drugs. Well, in this case, the bad guys use mules in order to move money around.
[00:04:24] And now sometimes the people know what they're doing. The FBI has had some really great arrests of some people who were doing this, particularly out in California. Some of them claimed, yeah, I didn't know what was happening. It was just somebody asked me to send money. It's like the Nigerian scam, where in the Nigerian scam, they say, Hey, I'm a Nigerian prince, you've heard of these things before. And I need to get my money out of the country. I need a place to put them. And so if you have a US account, I'm going to transfer money into it. You can keep a thousand dollars of that 5,000 that I'm going to wire in, just as a fee. Thanks for doing this. This is so important and it's such a hurry and I'm going to send you the.
[00:05:11] What they'll often do is send you a money order. It could be a bank check, could be a lot of things, and then you go ahead and you cash it and oh, okay, it cashed just fine. And then you wire the $4,000 off to the bad guy. The bad guy gets the money and is off and running. In the meantime, your bank is trying to clear that bank check or that money order.
[00:05:38] And they find out that there is no money there because frankly what might've happened? I, this is one I've seen, I'm telling you about a story, we helped to solve this problem, but I had taken out a real money order from a bank, and then they made copies of it. Basically, they just forged it. And so they forged a hundred copies of it.
[00:06:01] So people thought they were getting a legitimate money order. And in some cases, the banks where the money order was, I mean, deposited did confirm it. They called up the source bank. Oh yeah. Yeah. That's a legit money order. And then they all hit within a week or two. And now you are left holding the bag.
[00:06:22] So that's one thing that happens. But typically with these mules, the money comes to them in that account. They are supposed to then take that money and put it in their PayPal account and send it off to the next. And it might jump through two or three different people, and then it ends up overseas, and the bad guys have gotten so good at this and have the cooperation of some small countries, sometimes bigger countries, that they actually own
[00:06:54] the bank overseas that the money ultimately gets transferred into. And of course there's no way to get the money back. It's a real. So with spoofing, they're trying to trick you into believing the email's from someone that you know, or someone that you can trust. Or as I said, maybe a business partner of some sort. In most cases, it's some sort of a colleague, a vendor or a trusted brand.
[00:07:22] And so they exploit the trust that you have, and they ask you to do something or divulge information. They'll try and get you to do something. So there's more complex attacks, like the ones that I just explained here that are going after financial employees. There might be some, an accountant, a bookkeeper, or bill payer and receivables, payables.
[00:07:48] I've seen CFO attacks, but really the spoofed email message looks legitimate on the surface. They'll use the legitimate logo of the company that they're trying to pretend that they're from. For instance, a PayPal phishing attack. They have a spoofed email sender and typical email clients like you might be using, for instance, Microsoft Outlook.
[00:08:13] The sender address is shown on the message, but most of the time nowadays the mail clients hide the actual email address, or if you just glance at it, it looks legit. You've seen those before these forged email headers. Yeah, it gets to be a problem. Now we use some software from Cisco that we buy.
[00:08:38] You have to buy, I think it's a thousand licenses at a time, but there were some others out there. Cisco again, by far the best, and this, the software, receives the email. So before it even ends up in the Exchange server or somewhere else online, that email then goes through that Cisco server. They are comparing it to billions of other emails that they've seen, including in real time emails that are.
[00:09:06] Right now. And they'll look at the header of the email message. You can do that as well. With any email client, you can look at the header. Microsoft in Outlook calls it View Source. But if you look at the email header, you'll see Received headers that are in there. So they say "Received: from", and they'll give a name of a domain, and then you'll see another Received header that gives another name of a machine.
[00:09:33] And it'll include the IP address, might be IPv4 or IPv6, and you can then follow it all the way through. So what'll happen is partway through, you'll see it took a hop that is not legitimate. That's where it comes in. Nowadays, if you have an email address for your business, man, a domain, you need to be publishing what are called SPF records.
[00:10:01] And those SPF records are looked at, they're compared to make sure that the email is properly signed and is from the correct sender. There's SPF records. There's others too that you should have in place, but you'll see that in the headers, if you're looking in the header. So it gets pretty complicated.
[00:10:24] The SPF, which is the Sender Policy Framework, is a security protocol standard. It's been around now for almost a decade. It's working in conjunction with what are called Domain-based Message Authentication, Reporting, and Conformance headers, DMARC headers, to stop malware and phishing attacks. And they are very good if you use them properly, but unfortunately when I look, I would say it's still 95% of emails that are being sent by businesses are not using this email spoofing protection.
[00:11:00] So have a look at that and I can send you a couple articles on it, if you're interested. craigpeterson.com.
[00:11:07] So we've established that email spoofing happens. What are the stats to this? And how can you further protect yourself from email spoofing? Particularly if you're not the technical type controlling DNS records, that's what's up right now.
[00:11:24] There's so much going on in the cybersecurity world. It affects all of us. Now, I think back to the good old days 40 years ago where we weren't worried about a lot of this stuff, spoofing, et cetera.
[00:11:38] But what we're talking about right now is 3.1 billion domain spoofing emails sent every day. That's a huge thing. More than 90% of cyber attacks start with an email message. Email spoofing and phishing have had a worldwide impact costing probably $26 billion over the last five years. A couple of years ago, the FBI, this is 2019.
[00:12:09] Reported that about a house. A million cyber attacks were successful. 24% of them were email-based and the average scam tricked users out of $75,000. Yeah. So it's no wonder so many people are concerned about their email and whether or not those pieces of email are really a problem for them. And then anybody else.
[00:12:36] So a common attack that uses spoofing is CEO fraud, also known as business email compromise. So this is where the attacker is spoofing or modifying, pretending to be a certain person that they're not. They're impersonating an executive or owner, maybe of a business. And it targets people in the financial, accounting or accounts payable departments or even the engineering department.
[00:13:03] And that's what happened with one of our clients this week. They got a very interesting spoofed email. So even when you're smart and you're paying attention, you can be tricked: the Canadian city treasurer tricked into transferring a hundred grand from taxpayer funds, Mattel tricked into sending 3 million to an account in China, a bank in Belgium tricked into sending the attackers 70 million euro.
[00:13:33] It happens and I have seen it personally with many businesses out there. So how do you protect yourself from email spoofing? Now, even with email security in place, there's some malicious email messages that are still going to get through to the inboxes. Now we're able to stop better than 96% of them just based on our stats.
[00:13:56] In fact, it's very rare that one gets through, but here are some things you can do and watch out for whether you're an employee responsible for financial decisions, or maybe you're someone who is. Personal email at work. Here's some tricks here. So get your pencil ready. Number one, never click links to access a website
[00:14:20] where you're asked to log in. Always type in the official URL into your browser and authenticate on the browser. In other words, if you get an email from your bank or someone else, and there's a link in there to click that says, Hey, oh man, here's some real problems. You got to respond right away.
[00:14:44] Don't do that. Go to paypal.com or your bank or your vendor's site, just type it into your browser, even though you can hover over the email link and see what it is. Sometimes it can be perfectly legitimate and yet it looks weird. For instance, when I send out my emails that people subscribe to that right there on craigpeterson.com, the links are going to come from the people that handle my email lists for me, because I send out thousands of emails at a time to people that have asked to get those emails.
[00:15:24] So I use a service and the service is taking those links, modifying them somewhat, in fact dramatically, and using that to make sure the delivery happened, people are opening it and that I'm not bothering you. So you can unsubscribe. Next step: you can, if you want to dig in more, look at the email headers.
[00:15:47] Now they're different for every email client. If you're using Outlook, you have to select the email, basically in the left-hand side. Okay. You're going to control-click on that email and it'll come up and you'll see something that says View Source. So in the Outlook world, they hide it from you.
[00:16:07] If you're using a Mac and Mac mail, all you have to do is go to up in the menu bar email and view, header and cut off. There it is. I have many times in the past just left that turned on. So I'm always seeing the headers that reminds me to keep a look at those headers. So if you look in the header, And if the email sender is let me put it this way.
[00:16:33] If the person who is supposed to have sent it to you is doing headers properly, you're going to see a Received-SPF section of the headers, and right in there, you can look for a pass or fail response, and that'll tell you if it's legit. So in other words, let's use PayPal as an example. PayPal has these records that it publishes that say all of our emails are going to come from this server or that server of.
[00:17:06] And I do the same thing for my domains and we do the same thing for our clients' domains. So it's something that you can really count on if you're doing it right, that this section of the headers. And that's why I was talking about earlier. If you have an email that you're sending out from your domain and you don't have those proper headers in it, there's no way
[00:17:33] to truly authenticate it. Now I go a step further and I use GPG in order to sign most of my emails. Now I don't do this for the trainings and other things, but direct personal emails from me will usually be cryptographically signed. So you can verify that it was me that sent it. Another thing you can do is copy and paste the text, the body of that email, into a search engine.
[00:18:05] Of course I recommend DuckDuckGo in most cases. And the chances are that frankly they've sent it to multiple people. That's why I was saying our Cisco-based email filter, that's what it does, it looks for common portions of the body for emails that are known to be bad. Be suspicious of email from official sources like the IRS, they're not going to be sending you email out of the blue. Most places aren't. Obviously, don't open attachments from people that you don't know, especially suspicious ones. In particular, people will send PDFs that are infected. It's been a real problem. They'll send of course Word docs, Excel docs, et cetera, as well.
[00:18:56] And the more of a sense of urgency or danger that's a part of the email, that should really get your suspicions up, frankly, because suggesting something bad is going to happen if you don't act quickly, that kind of gets around part of your brain and it's the fight or flight, right? Hey, I gotta take care of this.
[00:19:19] I gotta take care of this right away. Ah, and maybe you. So those are the main things that you can pay attention to. In the emails, if you are a tech person, and you're trying to figure this out, how can I make the emails safer for our company? You can always drop me an email as well. Me, M [email protected]
[00:19:45] I can send you to a couple of good sources. I'll have to put together a training as well on how to do this, but as individually. At least from my standpoint, a lot of this is common sense and unfortunately the bad guys have made it. So email is something we can no longer completely trust. Spoofing is a problem.
[00:20:07] As I said, we just saw it again this week. Thank goodness. It was all caught and stopped. The account was not. It was just a spoofed email from an account outside the organization that was act Craig peterson.com. Stick around.
[00:20:26] The value of crypto coins has been going down lately quite a bit across the board, not just Bitcoin, but the amount of crypto mining and crypto jacking going on. That hasn't gone down much at all.
[00:20:50] Hi, I'm Craig Peterson, your cybersecurity strategist. And you're listening to News Radio WGAN AM 560 and FM nine. Point five, you can join me on the morning drive every Wednesday morning at 7:34. Matt and I go over some of the latest in news. You know about crypto coins, at least a little bit, right?
[00:21:18] These are the things like Bitcoin and others that are ostensibly private, but in reality, aren't that private. If you receive coins and you spend coins, you are probably trackable. And if you can't spend that, the cryptocurrencies, why even bother getting it in the first place? One of the big drivers behind the price of these cryptocurrencies has been criminal activity.
[00:21:50] We've talked about that before. Here's the problem we're seeing more and more nowadays: even though the price of Bitcoin might go down 30%, which it has, and it's gone down in bigger chunks before, it does not mean that the bad guys don't want more of it. And what better way to mine cryptocurrency than to not have to pay for it.
[00:22:18] So the bad guys have been doing something called cryptojacking. This is where criminals are using really ransomware-like tactics and poisoned websites to get your computer, even your smartphone, to mine cryptocurrencies for them. Now, mining a Bitcoin can cost as much in electric bills, or in fact more in electric bills,
[00:22:45] than you get from the value of the Bitcoin itself. So it's expensive for them to run it. Some countries like China have said, no, you're not doing it anymore because they're using so much electricity. Here in the US, we've even got crypto mining companies that are buying old power plants, coal-fired or otherwise, and are generating their own electricity there locally in order to be able to mine cryptocurrencies efficiently, effectively, so that they can make some profit from it.
[00:23:20] It's really quite the world out there. Some people have complained about their smartphone getting really hot. Their battery only lasts maybe an hour and it's supposed to last all day. Sometimes what's happened is your smartphone has been hijacked. It's been crypto jacked. So your smartphone, they're not designed to sit there and do heavy computing all day long.
[00:23:47] Like a workstation is even your regular desktop computer. Probably isn't. To be able to handle day long mining that has to happen. In fact, the most efficient way to do crypto mining of course is using specialized hardware, but that costs them money. So why not just crypto Jack? All right. There are two primary ways.
[00:24:11] Hackers have been getting victims, computers to secretly mine. Cryptocurrencies one is to trick them into loading. Crypto mining code onto their computers. So that's done through various types of fishing, light tactics. They get a legitimate looking email that tricks people into clicking on a link and the link runs code.
[00:24:32] Now what's interesting is you don't, even for cryptocurrency crypto jacket, you don't even have to download a program in. To have your computer start mining cryptocurrencies for the bad guys. They can use your browser to run a crypto mining script. And it runs in the background. As you work right, using up electricity, using up the CPU on your computer.
[00:25:00] They also will put it into ads. They'll put it on a website and your browser goes ahead and runs the code beautifully. So they're really trying to maximize their returns. That's the basics of crypto jacking what's been particularly bad lately has been the hackers breaking into cloud account. And then using those accounts to mine cryptocurrency, one of the trainings that I had on my Wednesday wisdoms has to do with password stuffing and my Wednesday wisdoms, you can get by just subscribing to my email over [email protected]
[00:25:46] But what happens here is they find your email address. They find. Password on one of these hacks that is occurred on the dark web. You weren't on the dark web, but your username or email address and password are there on the dark web. And then they just try it. So a big site like Amazon, or maybe it was your IBM also has cloud services can be sitting there running along very well, having fun.
[00:26:19] Life's good. And. Then they go ahead and try your email address and password to try and break in. Now, you know how I keep telling everybody use a good password manager and this week I actually changed my opinion on password managers. So you know, that I really like the password manager that you can get from one password.com.
[00:26:46] It really is fantastic. Particularly for businesses, various types of enterprises, one password.com. However, where I have changed is that some of these browsers nowadays, particularly thinking about Firefox Google Chrome safari, if you're particularly, if you're on a Mac, all have built in password managers that are actually.
[00:27:12] Good. Now they check. Have I been poned, which is a site I've talked to you guys about for years. To make sure that your accounts are reasonably safe than not being found on the dark web, the new password that it came up with or that you want to use. They check that as well. Make sure it's not in use. So here's an example here.
[00:27:34] This is a guy by the name of Chris. He lives out in Seattle, Washington, and he makes mobile apps for local publishers. Just this year, new year's day, he got an alert from Amazon web services. Now Amazon web services, of course, cloud service. They've got some really nice stuff, starting with light ship and going up from there, I've used various services from them for well, since they started offering the services over very many years and.
[00:28:06] They allow you to have a computer and you can get whatever size computer you want to, or fraction of a computer. You want to, he got this alert because it said that he owed more than $53,000 for a month's worth of hosts. Now his typical Amazon bill is between a hundred and 150 bucks a month. My typical Amazon bell is now 50 to maybe $80 a month.
[00:28:36] I cannot imagine getting a $53,000 bill from our friends at Amazon. So the poor guy was just totally freaking out, which is a very big deal. So I'm looking at an article from insider that you can find a business insider.com. They were able to confirm that, yes, indeed. He got this $53,000 bill from Amazon and yes, indeed.
[00:29:02] It looks like his account had been hacked by cryptocurrency miners. So these guys can run up just incredibly large charges for the raw computing power. They need to produce some of these digital cryptocurrencies, like Bitcoin there's many others out there. But this isn't new. This is happening all of the time.
[00:29:26] Google reported late last year, that 86% of account breaches on its Google cloud platform were used to perform cryptocurrency mining. So make sure you are using a good password manager that generates good passwords. And I have a special report on passwords. You can download it immediately when you sign up for.
[00:29:50] My email, my weekly email [email protected] and it tells you what to do, how to do it. What is a good password? What the thinking is because it's changed on passwords, but do that and use two factor authentication. Multi-factor authentication as well. And I talk about that in that special report too.
[00:30:13] And visit me online. Sign up right now. CraigPeterson.com.
[00:30:18] We're moving closer and closer to completely automated cars, but we want to talk right now about car hacks, because there was an interesting one this week that has to do with Tesla. And we'll talk about some of the other hacks on cars.
[00:30:34] Connected cars are coming our way in a very big way.
[00:30:40] We just talked about the shutdown of 2G and 3G in our cars. We, it wasn't really our cars, right? 2G, 3G, that was for our cell phones. That was years ago. Of course, now 4G LTE, 5G, even 10G is being used in the labs right now. It's hard to think about some of those older technologies, but they were being used and they were being used by cars, primarily for the navigation features.
[00:31:15] Some cars use these data links, if you will, that are really on the cell phone network in order to do remote things like remote start. For instance, I have a friend whose Subaru, of course, was using that. And now she's got to do an upgrade on her car because that 3G technology is going away. Depending on the carrier, by the way, some of it's going away sooner.
[00:31:43] Some of it's going away later, but it'll all be gone at the end of 2020. What are we looking at? As we look into the future, I'm really concerned. I don't want to buy one of these new cars at the same time as I do, because they are cool, but I don't want to buy one of those because of the real problem that we could have of, what, well, of having that car
[00:32:09] need an upgrade and not being able to do it. I watched a video of a guy who took a Tesla that hadn't been damaged badly in a flood, and he was able to buy it for cheap. Why? Because Tesla will not sell you new motors and new batteries for a car like that. So he got the car for cheap. He found a Chevy Camaro that had been wrecked, but its engine and transmission were just fine.
[00:32:39] He ripped everything out of the Tesla and went ahead after that, cause you got to clean that out, and water damage. You spray wash all to the inside. He got right down to the aluminum, everything that wasn't part of the core aluminum chassis was gone. And then he built it back up again. He managed to keep all of those Tesla systems working, that, that screen that you have upfront that does the temperature control, cruise maps, everything out.
[00:33:11] He kept that it was able to work. The, automated stuff, cruise control type stuff. And now he had a very hot car that looked like a Tesla. He took it out to SEMA, which is pretty cool. I'd love to see that, but it was a Tesla with a big V8 gasoline engine in it. He's done a, quite a good job on it.
[00:33:35] It was quite amazing to see. It took them months. It was him and some of his buddies. These new cars are even more connected than my friend's Subaru is. They get downloads from the. Some of them are using Wi-Fi and 5G. Really one of the big promises of 5G is, Hey, our cars can talk to each other because now you can get a millisecond delay in going from one car to another versus what you have today, which can be a half a second or more, which can be the difference between having a rear-end collision and being able to stop in time when it comes to these automated systems.
[00:34:17] So they are more connected. They connect to the Wi-Fi in your homes. They connect to obviously the 5G network, which is where things are going right now. But what's happening with the hackers? Because really what we're talking about isn't a computer on wheels. Oh no. Dozens of computers inside that car, and your car has a network inside of it and has had for many years, this CAN bus network and even fancier ones nowadays that connect all of your systems together.
[00:34:52] So your entertainment system, for instance, is connected to this network. And that was used. You might remember a couple of years ago on a Chrysler product where the bad guy installed. Or using the thumb drive onto that entertainment system and had a reporter drive that car down the road. This is all known.
[00:35:16] It was all controlled. And was able to the bad guy right there, the demonstration in this case, I guess you'd call them a white hat hacker. He drove that car right off the road while the reporter was trying to steer otherwise because cars nowadays don't have a direct linkage between anything in any.
[00:35:38] That's why I love my 1980 Mercedes diesel. You turn the steering wheel. It isn't actually connected to the wheels, to that front end of the car. All it's doing is telling the computer you want to turn and how much you want to turn. That brake pedal doesn't actually compress hydraulics and cause the brakes to engage. That fuel pedal doesn't actually move the throttle on the car.
[00:36:03] The throttle is really being controlled and moved by the computers. So the car is completely electronic. It feels like a regular car, right? We're not talking about the Teslas of today or tomorrow. We're talking about Volvos that have been sold for more than a decade. We're talking about a lot of different cars.
[00:36:24] So now you have a platform on wheels that can be dangerous because it can be, in some cases, remotely controlled, it can have software that may be crashes. We know that part of the infrastructure quote, unquote bill, which contains almost no infrastructure. It's amazing how they named these things. Isn't it.
[00:36:45] And what is it, like 6% is actual infrastructure in the infrastructure bill? One of the things in there that is not infrastructure is a demand, a law that says the car manufacturers have to include a remote button, if you will, so that a police officer could go ahead and say, okay, I'm pursuing this car and they're not stopping.
[00:37:11] I don't want to risk people's lives. As this bad guy tries to elude me here in backstreets. Kids can get hit, et cetera. So they push the button and the car stops that all sounds great. The problem is that you could potentially be opening some security problems by having this remote stop button that can be used by anybody really right.
[00:37:40] Since when is it going to be limited to just law enforcement? Isn't that a problem? According to Car and Driver, I'm looking at their magazine right now. They're saying that there were at least 150 automotive cybersecurity incidents in 2019, 150 incidents, part of a 94% year over year increase since 2016.
[00:38:05] In other words, every year the number of automotive cybersecurity incidents has doubled. And that's according to a report from a company called Upstream Security. So we're also looking at what, maybe ransomware for a car. So that your car gets hacked. You can't hack my 1980 Mercedes diesel.
[00:38:28] It is impossible to hack into an unconnected car, but if you are driving a vehicle it's likely at risk from some sort of digital true. We've even seen from some of the bugs. We've seen cars from Japan that have decided to drive into the Jersey barrier because it misunderstands exactly what it is. We've seen cars from Tesla.
[00:38:57] Drive right into the back of a parked fire truck. Imagine doing that at speed, right? And 'cause a fire truck full of water, et cetera. I've actually seen that one happen personally. So the more sophisticated the system is, the more connected your vehicle is, the more exposed you are. And Detroit Free Press has a great little article on that right now.
[00:39:23] And in there he's saying we have taken. Whatever model car you think of. And we hack them through various places. I can control your steering. I can shut down and start your engine. Control your brakes, your doors, your wipers, open and close your. There's a lot of people who are trying to break into these cars.
[00:39:46] And there's a lot of people who are trying to protect them. That hacker duo back in 2015, who took control of that Jeep Cherokee, just think about that sort of. There's an Israeli-based automotive cybersecurity company who told the Free Press that he expects the current trend of hackers holding digital data on computers for ransom to also move to cars.
[00:40:12] So when this happens, the driver will not be able to start the vehicle until they pay off the ransom or suffer the consequences, which could be wiping the car's systems, operating systems, could be causing the car to catch on fire. Think of what can happen with each generation with those batteries.
[00:40:32] There's no way around it. You're going to have to get it towed and get all of the software reloaded in the company. And now this week, it comes out that a 19-year-old kid said that he was able to hack into over 25 Teslas that he tried via a bug in a popular. It's an open source tool that people are using to link into their Teslas to do various types of remote control.
[00:41:01] And he posted a tweet on this. Guy's name's David Colombo. You'll find him on Twitter. Went viral, and he reported the vulnerability to the people who are maintaining the software and they fixed it. In fact, the very same day, and Tesla also pushed updates to their vehicle. That invalidated the signatures and the key exchanges that we're having.
[00:41:28] So this is a 19-year-old researcher. He's able to hack into cars in 13 countries, 38, 13 countries. Yeah. Worth of Teslas without the owner's knowledge. Now, he says, I can unlock doors, I can turn off the security system, I can open windows, keyless start and things, turn on the stereo, honk the horn, view the car's location and if the driver was present. But he doesn't think he could actually move the vehicle remotely. But that's a 19-year-old.
[00:42:02] What's going to happen when we implement the law that was just passed that says our cars have to be remotely controllable by anybody basically. Yeah. It's scary. Hey, I want to invite you guys to take a minute, go to CraigPeterson.com. Make sure you sign up for my newsletter there, and I'll keep you up to date on all of this stuff and you'll even get my show notes.
[00:42:28] CraigPeterson.com.
[00:42:30] The hacker world got turned upside down this past week as Russian president Putin decided to crack down on the hackers. Now, this is a very big change for Russia. We're going to talk about my theories. Why did this happen?
[00:42:56] Hi, I'm Craig Peterson, your cyber security expert. And you're listening to news radio WGAN AM 560 and FM 98.5. Hey, you can join me Wednesday morning at 7:34 on the morning drive as we keep you up to date. Russian hackers have long been known to go after basically whoever they want. They have really gone after the United States and other Western countries.
[00:43:30] And as part of what they've been doing, they have been making a lot of money and keeping Vladimir Putin pretty darn happy. He's been a happy because they're bringing more. Into mother Russia, he's happy because they are causing confusion amongst Russia's competitors out there, particularly the United States.
[00:43:55] But there's one thing that Putin has been absolutely steadfast on. And that is not allowing any of the hackers to go and hack any of the countries that are part of their little pact over there. Think of the old Warsaw Pact. They got that band back together. So as long as they didn't harm any Russian or affiliated country, they could do basically whatever they wanted and they did.
[00:44:29] And they have caused a lot of trouble all over the world. So Friday Russia's security agency announced that it had arrested members of the cyber gang called REvil. Now we have talked about them for a long time. They have come and gone. The FBI and other countries have shut down their servers.
[00:44:56] So REvil disappears for a while, then pops its head up again. And Russia said that they arrested members of REvil who were responsible for massive ransomware crimes against U.S. companies the last year. So why would they do that? I'm looking right now at the Russian website here, that's part of the FSB.
[00:45:26] And it's saying that the Russian Federal Security Service, in cooperation with the investigation department of the Ministry of Internal Affairs of Russia, in the cities of Moscow, St. Petersburg, Leningrad, Lipetsk, I guess it is, regions, they stopped the illegal activities of members of an organized criminal community, and the basis for the search activities was the appeal of competent U.S. authorities who reported on the leader of the criminal community and his involvement in an encroachment on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption.
[00:46:11] Now that all sounds like the stuff that Vlad has been just a happy about in years past. So why did this happen? What brought this about nowadays in this day and age? What is he doing? I've got a little bit of a theory on that one because there have been some interesting development. One of them is this hacker.
[00:46:38] In Belarus. Now, Belarus is one of those countries that's closely affiliated with Russia, friend of Russia, right? Part of the old Warsaw Pact. And you might remember that Belarus is right there by you. And of course, we've got this whole issue with Ukraine and whether or not Russia is going to invade. President Biden said something incredibly stupid where he said, yeah a moral response is going to depend upon what Russia does, if it's just a minor invasion.
[00:47:17] You're you remember? The president Biden's saying that just absolutely ridiculous. And then of course, the white house press secretary and various Democrat operatives tried to walk the whole thing back, but it's a problem because Russia has, what is it now like 120,000 troops on the border.
[00:47:37] Now, if you know anything about history, you know that the military army. March on their stomachs, right? Isn't that the expression you've got to feed them. You have to have a lot of logistics in place. In fact, that's what really got a lot of the German military in world war two. Very nervous because they saw how good our logistics were, how good our supply chain was.
[00:48:03] We were even sending them. They cakes to men in the field that they discovered these cakes in great shape. And some of the German armies, particularly later in the war, didn't even have adequate food to eat. What do you think is happening with the Russian troops that are sitting there?
[00:48:20] They need food. They need supplies, including things like tanks, heavy artillery, ammunition. All of that sort of stuff. So how do they do that? They're moving it on rail, which they have done in Russia for a very long time. You might remember as well in world war II, the problems with the in compatibility between the German rail gauge and the Russian rail gauge as Germany tried to move their supplies on Russian rails and Soviet rails, ultimately, but on Russian rails and just wasn't able to do.
[00:48:57] So hacktivists in Belarus right there next to Ukraine said that they had infected the network of Belarus's state-run railroad system with ransomware and would provide the decryption key only if Belarus's president stopped Russian troops ahead of a possible invasion of Ukraine. So this group, they call themselves Cyber Partisans, wrote on Telegram.
[00:49:30] Now I got to warn everybody. Telegram is one of the worst places to post something. If you want some privacy, excuse me, some privacy, some security, it's really bad. Okay. No two questions. So they have, apparently, this is according to what they wrote on Telegram, they have destroyed the backups as part of the Peklo cyber campaign.
[00:49:55] They've encrypted the bulk of the servers, databases and workstations of the Belarus railroad. Dozens of databases have been attacked, including, and they name a bunch of the databases. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations.
[00:50:20] They also said in a direct message that this campaign is targeting specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine. Now, this is frankly fascinating from a number of different angles.
[00:50:46] One is, it is very easy nowadays to become a cyber hacker. And in fact, it's so easy, you don't even have to do anything other than send N E. And it's been done, frankly. It's been done by people who are upset with an ex, for instance, upset with a particular company. You can go onto the dark web and you can find companies.
[00:51:13] And this REvil company was one that will provide you with the ransomware and they will do everything for you except get that ransomware onto a computer. So you could bring it in to an employer. You can send it by email to the ex, as I mentioned. You can do a lot of stuff. And then the. Ms. Cyber hacker guys, the bad guys will go ahead now and they will collect the ransom.
[00:51:43] They'll even do tech support to help the people buy Bitcoin or whatever currency they want to have used. And then they take a percentage. So they might take 30% of it. There's a whole lot. We can talk about here too, including trust among thieves and everything else. It is easy to do this. So to see an organization like these cyber partisans, which I'm assuming is an organization, it could be as little as one person taking ransomware, going into specific computer systems breaking in.
[00:52:18] Because again, even here in the U S how many of us have actually got their computer systems all patched up to date? The answer to that is pretty close to zero. And they can now go after a government, they can protect their friends. It's really something. When you start thinking about it, right? No longer do you have to be North Korea or China or Russia in order to hack someone to the point where they commit.
[00:52:51] And in this case, they're not even after the money, they just want these political prisoners freed and they want Russia to stop shipping in troops supplies, into the area in Belarus next to or close to. Very fascinating. There, there is a whole lot of information about this online. If you're interested, you can read more about it.
[00:53:15] It's in my newsletter, my show notes. I have links to some articles in there, but it really is a tool for the under. We've never really seen this before. It's quite an interesting turn in the whole ransomware narrative. It's just in crazy. That's a quote from a guy over at Sentinel one. Alright.
[00:53:40] Lots to consider and lots to know and do, and you can find out about all of the. One way, subscribe right [email protected] I promise I'm not going to harass you. Stick around.
[00:53:55] We've heard a lot about automated cars. And of course we talked about them a lot here too, but that original vision of what we would have, it's gone now. It's fascinating. We're going to talk about that journey of automated cars.
[00:54:12] For years, automakers have been telling this story about how these automated cars are going to drive themselves around and do just wonderful things for us.
[00:54:24] And as part of that, they've decided that the way it's going to work, and I remember talking about this, 'cause I think it's a cool idea, is that there will be a fleet of these vehicles. Think about maybe an Uber or Lyft where you get on the phone and you order up a car and it says, Hey, that driver will be here.
[00:54:45] Here's the license plate, the driver's name and picture. It's really cool, but General Motors and Lyft haven't gotten there. They signed an agreement to have electric autonomous cars as part of Lyft's fleet of drivers. They did that back in 2016, a long time ago. Ford promised what it called robo taxis and that they would debut by 2021. Daimler, of course, the company that makes Mercedes-Benz, said it would work with Uber to deploy fleets of their car.
[00:55:27] And the logic was really financial and it made a lot of sense to me, which is why I was so excited. I have car outside. You know about my Mercedes, you. How often do I drive that 40 year old car? Most of the time it's sitting there parked, most of the time, because I don't go very many places very often.
[00:55:50] What would it be like then to just be able to have an Uber or Lyft type app on my phone that says, okay, tomorrow I have a 10 o'clock meeting in Boston and I want a car to take me there. So the. Checks with the servers and figures out. Okay. At 10 o'clock meaning, that means you're going to have to leave at eight 30 in order to get around the traffic that's normally happening.
[00:56:18] And so we'll have a car there for you. So all I have to do is walk out the apple, probably remind me, my butt out of bed and get outside. Cause the car is about to arrive. So the car pulls into my driveway or maybe just stops on the road and the app reminds me, Hey, the car's there I go out. I get in.
[00:56:37] And on the way down, I can work on getting ready for the meeting, getting some things done, just really kicking back, maybe having a nap as we go. And I'm there on time for my 10 o'clock. Just phenomenal. And from a financial standpoint, nowadays, how much is a car costing you? Have you ever done the math on that?
[00:56:59] How much does a typical car loan run you per month? And I also want to put in how about these leases? How many of us are leasing cars? My daughter leaves to Gargan believe she did that. Didn't leave to me. It didn't make financial sense, but maybe that's just because I've been around a while. But looking right now at some statistics from credit karma, they're saying us auto loans, new cars, your average monthly payment is $568.
[00:57:32] For an average loan term of 71 months. Good grief used cars, about $400. A month payment and average loan term, 65 months. I can't believe that I've never had a car loan for more than three years. Wow. That's incredible. So we're talking about six year notes on a new car. Wow. I guess that's because people buy cars based on the monthly payment, right?
[00:58:04] So figure that out. If you're paying $500 a month, how about just paying a subscription service? $500. You can get so many rides a month and you don't have to maintain the car. You don't have to buy insurance. You don't have to make any fixes. You don't have to do anything. And the car will just show up.
[00:58:23] That's what I was excited about. And it had some just amazing implications. If you think about it, city dwellers and people who were directly in the suburbs, it'd be just phenomenal. And you could also have the robo taxis for longer trips. You can abandon that personal car. Really alternate.
[00:58:46] So now it's been about a decade into this self-driving car thing that was started. And, we were promised all of these cars, it reminds me of the fifties, we're all going to be driving, flying cars by. George Jetson one, when was he flying around the cities, but that's not happening.
[00:59:07] Okay. The progress on these automated vehicles has really slowed automakers and tech companies have missed all kinds of self-imposed deadlines for the autonomy. Look at what Elon Musk has promised again and again, it's. Basically in 2020, late 2020, it was going to have fully autonomous cars even calls itself dry.
[00:59:30] When it isn't really self-driving, it certainly isn't fully autonomous. It more or less drives. It stays in the lane as it's driving down the highway. But the tech companies are looking for other ways to make money off of self-driving tech. Some of them have completely abandoned their self-driving cars. The sensors like the LIDAR, and I've had the LIDAR people on my show before, they've all gotten cheaper.
[00:59:55] It doesn't cost you $50,000. Now just for one LIDAR sensor, think about what that means to these cars. So some of these manufacturers of these future autonomous cars are shifting to a new business strategy. And that is selling automated features directly to customers. In other words, you're going to buy a car, but that car isn't going to do much.
[01:00:24] Think about the golden key that the tech companies have used for years, right? IBM well-known for that, you buy a mainframe or from IBM or a mini computer from digital equipment corporation, and you have the same computer as someone that has this massive computer. But in fact the difference is that they turn off features and we're seeing that right now.
[01:00:49] I'm, I've mentioned that Subaru before where they are charging people for upgrades, but some of the companies are charging you monthly to use a remote start feature, for instance, and many others. So what's happening is a major change. We have the Consumer Electronics Show, right? January 20, 20 and General Motors CEO Mary Barra said that they would quote, aim to deliver our first personal autonomous vehicles as soon as the middle of this decade.
[01:01:22] So again, it slipped, right? I'm looking at it, a picture of what they're considering to be. The new Cadillac car that should be out next year. Maybe thereafter. It is gorgeous. Absolutely gorgeous. But this announcement, right? Yeah. We're going to have autonomous vehicles, middle of the 2020s. She had no specific details at all.
[01:01:48] And apparently this personal robo car project is completely separate from this robo taxi fleet that's been developed by GM's cruise subsidiary. And cruise said it has plans to launch a commercial service in San Francisco this year. So they're going after multiple paths. The logic here is financial.
[01:02:11] The reasoning has changed and they're offering autonomy as a feature for the consumer market. Tesla, Elon Musk, they've been charging $10,000 now for the autopilot driver assistance feature. They're planning on raising it to $12,000 here early 2022. Tesla technology can't drive a car by itself.
[01:02:37] But he's going to charge you if you want it. And I expect that's going to be true of all of the major manufacturer that's out there. And by the way, they're also looking at customization, like color changing cars and things. They're going to charge them as features. Hey, stick around. Visit me online.
[01:02:58] CraigPeterson.com.
[01:03:01] How secure are our smartphones? We've got the iPhones, we've got Android out there. We've talked a little bit about this before, but new research is showing something I didn't really expect, frankly.
[01:03:23] Hi, I'm Craig Peterson, your cybersecurity strategist. And you're listening to news radio WGAN AM 560 and FM 98.5. Like to invite you to join me on the morning drive, Wednesday mornings at 7:34, Matt and I always discussing the latest in cybersecurity technology. And, Matt always keeps you up to date.
[01:03:50] We've got some new research that Wired had a great article about last week that is talking about the openings that iOS and Android security provide for anyone with the right tools. You're probably familiar at least vaguely with some cases where the FBI or other law enforcement agencies have gone to Apple and tried to have
[01:04:17] Apple break into iPhones. Apple's refused to do that. One in particular, down in Southern California, where they tried to get Apple to open up this iPhone and tell them who was this person talking to after a shooting of fellow employees at a. It was really something, there was a lot of tense times and we've seen for decades now, the federal government trying to gain access to our devices.
[01:04:51] They wanted a back door. And whenever you have a back door, there's a potential that someone's going to get in. So let's say you've got a. And your house has a front door. It has a backdoor, probably has some windows, but we'll ignore those for now. Okay. And you have guards posted at that front. All in someone needs to do is figure out to how to get into that back door.
[01:05:18] If they want to get into your house, it might be easy. It might be difficult, but they know there's a back door and they're going to figure out a way to get in. And maybe what they're going to do is find a friend that works for that security company, that post of the guards out front. And see if that friend can get a copy of the.
[01:05:39] That'll let them in the back door. And that's where we've had some real concerns over the years here, decades, frankly. Our first, I remember this coming up during the Clinton administration, very big deal with the. That they were pushing. This was a cryptographic chip that they wanted every manufacturer to use if they wanted to have encryption, and the White House and every federal government agency, and probably ultimately every local agency, had the ability to break any encryption that was created by the Clipper.
[01:06:17] In fact, we were able to track Saddam Hussein and his sons and his inner circle. Because he was using some encrypted phones that were being made by a company in England. And that company in England did have a back door into those encrypted phones. And so we were able to track them and we could listen in, on all of their communications back and forth.
[01:06:44] And it's really frankly, oppressed. When that sort of thing happens. So what do you do? What are you supposed to do? How can you make it so that your devices are safe? There are some ways to be relatively safe, but these cryptographers over at Johns Hopkins University used some publicly available documentation that was available from Apple and Google, as well as their own analysis.
[01:07:14] And they looked into Android and iOS encryption and they found it lacking. So they studied more than a decade's worth of reports about which mobile security features had been bypassed, had been hacked, had been used by law enforcement and criminals in order to get into these phones. They got some of these hacking tools off of the dark web and other places, and they tried to figure.
[01:07:46] So we've got a quote here from Johns Hopkins, cryptographer, Matthew Green, who oversaw the research. It just really shocked me because I came into this project thinking that these phones are really protecting user data. Now I've come out of the project, thinking almost nothing is protected as much as it could be.
[01:08:10] So why do we need a backdoor for law enforcement? When the protections that these phones actually offer are so bad. Now there's some real interesting details of if you like this stuff, I followed cryptography for many decades. Now I've always found it. Fascinating. There are some lightweight things I'm going to touch on here.
[01:08:33] We won't get too deep in this, but here's another quote. Again, Johns Hopkins University: on Android, you can not only attack the operating system level, but other different layers of software that can be vulnerable in different ways. Another quote here: on iOS in particular, the infrastructure is in place for hierarchical encrypted.
[01:08:57] Now hierarchical encryption is various layers of encryption. If you have an iPhone or an iPad, or if you have most Android phones nowadays, if you use a passcode in order to unlock the phone or even a fingerprint or a face. Your method of authentication is used to encrypt everything on the phone, but in reality, everything on the phone is only fully encrypted when the phone is powered off.
[01:09:36] Now that's a real, interesting thing to think about because obviously the phone can't work. If everything's encrypted. It needs access to the programs. It needs access to your data. So what they found bottom line was the only way to have a truly safe machine or a smartphone in this case is to turn it off because when you turn it on and it boots up on first boot, now it gets.
[01:10:08] Either by biometric information, like your fingerprint or your face print, or your passcode, it then has a key that it can use to decrypt things. So Apple has on the iPhone something they call Complete Protection, and that's again when the iPhone has been turned off and boots up, because the user has to unlock the device before anything can happen on the phone.
[01:10:33] And the is protections are very. Now you could be forced to unlock the phone by a bad guy, for instance, or in some cases, a warrant or an order from a judge, but forensic tools that they are using, the police and the criminals, really would have almost no luck at pulling information off of your phone.
[01:10:59] That would be useful at all, because it would all be encrypted, right? If they could. So once you've unlocked your phone after that first reboot, after that reboot, right? You unlocked it after power up. A lot of the data moves into a different mode that Apple calls Protected Until First User Authentication.
[01:11:20] But it's what I call after first unlock. So when you think about it, your phone is almost always in the after first unlock, because how often do you reboot your phone? No, it's pretty rare that your phone might do on. And this is particularly true for iPhones, might do updates and boot and reboot. And then of course you have to unlock that phone, but it doesn't go much further
[01:11:49] than that, and that's what's interesting. That's how law enforcement and the bad guys, these Israeli companies and others, have been able to get into iPhones and get into Android devices, because ultimately if that computer is turned on and you've logged in, there's a lot of data that's no longer encrypted.
[01:12:10] Oh, and by the way, that's also how some of these attacks occur on our laptops. Particularly if you traveled to. In the memory on that laptop that you closed the lid on, that you have to re-log into, is the key to unencrypt everything, right? Because you logged in once. So all they have to do is freeze the memory, duplicate the memory, and put it back in. Part of the reason, by the way, that Apple laptops have their memory soldered in: you can't do that kind of attack.
[01:12:44] Stick around. We'll be right back.
[01:12:48] VPNs are good and they are bad. It depends on the type of VPN. Many of these commercial VPNs that people are using are actually very bad for you when it comes to your security.
[01:13:04] VPNs are problematic. I did a couple of boot camps on VPNs. Probably I think it was about last year.
[01:13:13] Yeah, it was last spring. And I went through and explained and showed exactly why commercial VPNs are one of the worst things you could possibly do if you want to stay secure. Now lemme just give you the high level here. I have given people copies of this. If you're interested in a link to that VPN webinar that I did, I'd be glad to send it to you.
[01:13:45] Just email me, me at CraigPeterson.com, and ask me for the VPN information and I'll send that all off to you. I also wrote something up that I've been sending out to people that have asked about VPNs, 'cause it's one of the most common questions we have, frankly. But here's your problem with commercial VPNs.
[01:14:05] Most all of them say, oh, your information's safe, zero logging, et cetera. And yet we have found again and again that's not. In fact, it can't possibly be true in almost every case, because most of these VPN services are running out of other people's data centers. So they might be in an Amazon data center, or IBM, or Microsoft.
[01:14:32] And inside that data center, your data is coming in and then it's going to. So let's say you're using a VPN and you're connecting to a website. I don't care. Go to google.com via a VPN. So you're using one of these services that's advertised all over creation. And what happens now is your web request to get to Google passes over that encrypted VPN and comes to an exit point, because at some point it has to get onto the regular internet.
[01:15:07] How else are you going to get to that website on the other side? You can't, unless you get to the regular internet. So at the other side, now the server that's receiving the endpoint of your VPN is going to send the request to Google. Google is going to respond to that VPN server. It's going to be encrypted and sent back to you.
[01:15:30] So what's the problem with that? There's multiple problems. One is the data center can see that there is the request going up to Google. Now he might not be able to tell who it was. But if that VPN server has been hacked. And let me tell you, it is a big target for hackers, government hackers, as well as bad guys.
[01:15:54] Then they do know who went out there and depending on how it was hacked and how the VPN was set up, they may even be able to see all of the data that you're sending back and forth. It's called a man in the middle of. And some of these VPN services do it by having you install some software on your computer.
[01:16:15] And as part of that installation, they provide you with a master key that they then use to spoof the keys for the websites you're going to. Some, explain that what happens is if you were to go right now on your web browser, go to CraigPeterson.com as an example. So CraigPeterson.com. I'm typing it in right now in the browser.
[01:16:43] That's directly in front of me. Now you'll see a little lock up in the URL. What does that mean? If you click on that lock, it says something about the connection being secure. Are you familiar with that? What's actually happening is it's using SSL/TLS keys, but it's using encryption now to send the data from your computer.
[01:17:11] To my server that's hosting CraigPeterson.com. And then my server is sending all of the webpage back to you encrypted. In fact, a VPN has been established between your web browser and my web server. So why use a third-party VPN? Because your data is encrypted already, right? Could it be more simple than that?
[01:17:46] Now, remember again that the server on the VPN service that you're using is a prime attack target for everybody else, as I said, from government agencies through hackers. So your data is likely less safe, because if they get a hold of it, they can do all kinds of things to your data and to. And then on top of it all, the VPN service may well be selling your data in order to make money to support the VPN service, because free VPNs, inexpensive VPNs, the ones that are charging you five or 10 bucks a month, cannot possibly afford to provide you with that service.
[01:18:38] And in the bootcamp, I go through all of the numbers here, the costs involved with a VPN service. It's not possible to do. They can't make any money off of it. So it is a very big problem for you to use one of these public VPN services. Now, I want to talk about an article that was on Z.
[01:19:06] Apparently Europol, which is of course the police over there in the European nations, has seized servers. What servers? VPN servers in Europe. Now they seized the servers because they were used by, who was it? Grandma looking at pictures of the grandkids? Was it people watching cat videos? Who was using the VPN server?
[01:19:33] The paid VPN service. Wow. It was criminals. And when they seized these VPN servers that were also being used by criminals, they found more than a hundred businesses that had fallen victim to attacks. So who uses VPN services? People who want to hide something, as well as people who just want to have their data secure.
[01:20:01] Another reason not to use VPN services. So as a part of the joint action by Europol, Germany's police, Hanover Police Department, the FBI, UK National Crime Agency, and others seized 15 servers used by VPNLab dot. Okay. So VPNLab.net, obviously no longer usable. And they started looking at all of the records that were being kept in these servers and used that to find the criminal.
[01:20:36] Does that make sense to you? So VPNLab.net was, according to these charges, facilitating illicit activities such as malware distribution. Other cases showed the service's use in setting up infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. You like that.
[01:20:59] Now they were using OpenVPN technology, which is actually very good. As part of that VPN information, I can send you if you're interested, just email me M [email protected] Let me know what you're interested in, and I'll whoop you off an email. Give me a few days, I can get behind sometimes, but you can set up your own private VPN server if that's what you want to do.
[01:21:25] And I've got instructions on how to do that in that little special report in that email. But they were providing what they called online anonymity, this VPNLab.net service, for as little as $60 a year. Okay. You like that? So they provided what they call double VPN servers in a lot of different countries and made it a popular choice for cyber criminals.
[01:21:52] Very big deal. Okay. So be very careful with VPNs. Also be careful of the VPN you might be using for your business. Let's say you've got something that isn't terribly secure or not secure at all as your firewall, right? So you buy a nice little firewall or this is so great. It's not expensive. And I got it online from a big box retailer.
[01:22:14] Most of them out there do not meet the minimum standards you really need in order to keep your business. And there's only two companies that do: one of them's Cisco, and one of them's Juniper. That's it. None of the other firewalls with VPNs meet the minimal standards you need to have, but they'll be glad to sell it to you.
[01:22:37] They'll be glad to tell you that it's perfectly secure, but it is not, okay? Just went through that again with a company this week, an engineering firm, and at least they understand some of the stuff, but they were trying to do the right thing and they were being misled by these various vendors. So this action against VPNLab took place in January, involved authorities from Germany,
[01:23:03] the Netherlands, Canada, Czech Republic, France, Hungary, Latvia, Ukraine, U.S., UK, as well as Europol. So there you go. You've gotta be careful. Don't trust VPNs, right? I've been saying that for a very long time. And then the other thing I want to. Is hopefully this summer we're going to be traveling.
[01:23:28] And when you're traveling, the temptation is to use public Wi-Fi. Might be at the hotel. It might be at a restaurant, coffee shop, whatever. Okay. I admit to doing that myself. But here's two things you need to be careful with. One: use good DNS filtering. Now we sell and provide Umbrella, which is a Cisco product, which is extremely good
[01:23:56] DNS filtering. You can get free DNS filtering that isn't configurable, doesn't have the options, but is fantastic, called OpenDNS. I've got, again, I did a bootcamp on that. I can send you information on it if you want. It doesn't cost you a dime for any of this stuff, but OpenDNS. And then the other thing I do, I have a high-end Cisco firewall and VPN.
[01:24:21] So when I'm on the road, even when I'm using data from the phone company, I have my secure VPN turned on. FIPS compliant, by the way, for those who know what that means. Hey, visit me online. CraigPeterson.com. Get my show notes. Get my "Wednesday Wisdoms," everything. CraigPeterson.com. It's easy to sign up right there on any page.