China Spying through Hardware, Password Advice
On This Episode…
The Chinese are at it again! Now they have been caught implanting spy chips in the server motherboards they have been manufacturing. Listen in while I explain why this is a big deal and why it proves the point that President Trump is making about the Chinese.
Why isn’t anyone adopting the NIST Password Standards? I will explain why they are easier to use and more secure.
Why are schools using YouTube for teaching? Listen in and I will explain the thinking behind this and why it is a bad idea.
Airlines are continually under attack. This week another one is breached. Listen in as I discuss why they are targets and how they can stop it.
They tried something new for alerting the public nationwide: the Presidential Alert System. There were some issues. Did you get a text at 2:18 on Tuesday?
Craig is putting up a new insider site (yes, it is free, but you have to sign up). It will have all the special reports he puts out, and you will be the first to get them.
- Feds Force Suspect To Unlock An Apple iPhone X With Their Face
- The Big Hack: How China Used A Tiny Chip To Infiltrate Major U.S. Companies
- Why Didn’t I Get an Emergency Presidential Alert Text?
- PHISHING WARNING: One In Every One Hundred Emails Is Now A Hacking Attempt
- YouTube Is Replacing Textbooks In Classrooms Across America
- How Hackers Slipped By British Airways’ Defenses
- Voice Phishing Scams Are Getting More Clever
- The Best Password Advice Right Now
Below is a rush transcript of this segment; it might contain errors.
Airing date: 10/06/2018
China implants spy chips in popular server motherboards. Password advice. Textbooks are so old school; now it’s YouTube in classrooms. Airline hacks. Presidential emergency alerts.
Craig Peterson: Hey, welcome. Of course, you’re listening to Craig Peterson. I am live on the radio every Saturday morning on some of these Northeast iHeartRadio stations. So, I’m glad you’re joining me. Hopefully, you join me every week. If you want to get a notification about the show, make sure you send me a text. I’ll make sure to send you one when we go live every week, or if there is a big emergency. And, unfortunately, there have been a lot of emergencies, lately. Did you get one of those texts this week? Yeah, we’ll talk about that, as well. These new presidential alarms. Well, text me 855-385-5553 with any questions, we’ll try and get to them in the show, or I’ll respond to you directly. Usually, within a couple of days, we can; I am usually busy doing some other things. So, it’s hard to say. Well, today we are going to be covering a bunch of subjects. We have eight different subjects, you’ll see them in this morning’s email of my show notes to you. We’ve got YouTube replacing textbooks in classrooms. What do you think about that, huh? What you do with passwords. Turns out that the old advice is bad advice. And, there have been a couple of updates, and we’ll talk about that, as well. A huge warning about our emails out there, something you might not be familiar with, and I think you should be, frankly. A bit of an analysis here for the British Airways hack. If you’re a bigger business, you might fall for this same ploy, I’ve got to tell you about this one, as well. Man, we’re not going to get to all of this today. But, China, they’ve done some amazing things. Right now, there are some accusations about some of the stuff that they have done in order to spy on some of America’s best corporate citizens. We’ve got new phishing scams, voice phishing scams, they’re more clever than ever. And, the Feds here, looks like for the first time, may have broken into an iPhone X, well, they got into it anyway, and we’ll tell you about how that all worked, as well.
Stick around, because here we go.
I guess this first article should not be a big surprise to most people. If you’re familiar with the online world in the least, you’ve heard of YouTube. I remember interviewing the founder of YouTube, a young kid, years ago. Well, it’s become very big. Of course, now it’s owned by Google, and it’s replaced a lot of online, not always, excuse me, it has replaced a lot of TV viewing. We have a lot of people who go online now in classrooms across the country, even. And, maybe even around the world. But, the classrooms are using YouTube. Now, remember when I was a kid and we would watch filmstrips? Right now, it may be the occasional movie, they’d bring a projector, and I was the guy that always set it up, because that was kind of cool. And, then we got these reel-to-reel recording machines. It was just really kind of cool. It used videotape. And so you’d string that tape between the reels and do all of that. It was really neat. And you edited it, just like we used to edit the audio, where we’d take a razor blade to the tape and cut it up and tape it back together. We made our own videotapes. Yeah, that was just so cool. Later years of school for that one. But, now YouTube is where it’s at. We’re not watching those films in the classroom, filmstrips, boy, has it changed. They are using YouTube. And Generation Z has grown up with YouTube. Now, you might ask, who’s Z? Well, you know, the millennials, and then you had Generation X. And then Generation Y, and Generation Y’s name became millennials. So, Y is millennials, and now of course after Y comes Z. These are students that are the ages of 14 to 23, right now. So, they are getting into college, maybe even getting out of college, and into high school. And, they’re finding that Generation Z students prefer to learn from YouTube, versus books. Millennials like to learn a little bit more from textbooks, and with Generation Z it’s down. So, it used to be 60% of millennials.
Well, in fact, it still is, preferred textbooks. Now, Generation Z, 60% of them prefer YouTube online. Now, this is not something new, YouTube launched in 2005. So, most of these Gen Z kids grew up with it. 85% of teenagers say they use YouTube more than any other social platform. That’s kind of interesting, too. I don’t know that there’s anything terribly scary about this. It’s certainly a shift, and I think it might be a shift in the right direction. Since now, you can get so much great information online on YouTube. You know, why not use it, frankly?
If you’re a business, you probably have a server, a file server. We were helping one, in fact, just this week, a small accountancy firm. They have a few accountants, they have a Microsoft server in the middle of all of this, and they have all of their accountants’ data on that server, right. And they’re trying to keep it safe. So, what did they do to keep it safe? They went ahead and they put in VMware, which is really quite advanced for most small companies. But, it’s a phenomenal tool if you use it right. Of course, they weren’t using it quite right. But they had an encrypted disk. So, the thinking was, wow, you know, when we boot our machine, even though it’s in the VM infrastructure, we still have to give it the key in order for it to boot, therefore all of our data is safe. And, of course, we went in, and we did an analysis for them, a risk analysis, and we told them, okay, well, here’s what we found: you’re keeping your Windows up to date, they’re using Windows 10, and they have the Professional versions, and they have auto updates turned on, which everybody should do. But none of your other applications were kept up to date. So, there are tons of potential security holes there. And just encrypting the hard disk is not going to protect the data on it. Unless your server is stolen, physically stolen.
What is the likelihood of that happening, right? It could happen, but it’s not very likely. So, how do the bad guys get into these machines? And we discussed that a little bit with him. And there are a lot of routes in. Well, this route in just came out on Thursday morning, Bloomberg was reporting this. And that’s kind of the amazing part. But, wow, wow, wow, wow. Chinese spies have reached almost 30 US companies here, including the big guys, Amazon, Apple, and it could be a lot more than 30. And, what they’ve done is they’ve compromised the technology supply chain. So, for instance, when we go into a place, right, we’re going to a business, we’re trying to help the business, and how do we help them? What’s the best way to help the business out? Well, first off, we do a risk analysis, try and figure out, if the data was lost, what would the risk be? What would their exposure be? And what do they need to protect, here ultimately, in order to keep their business safe? I think that makes sense. So, you go through this whole process, then you figure out, okay, what are our priorities? What do we actually have to keep safe? And then how do we keep all of that safe? So, those servers are made by a few different companies, and one of the biggest companies out there has been having some serious problems for a while. And we’ve used their servers for a long time. The company’s name is Supermicro. And, it was founded by a Taiwanese guy, it’s based in the US, out in California, they do all of their designs out there. They make these machines that are used for servers around the world. It can be a Windows server, could be a Unix server, it could be doing almost anything, for almost any company. But what appears to have happened here, and we’re still waiting to hear confirmations from various companies, but this is as Bloomberg is reporting it. They’re saying back in 2015, Amazon began quietly evaluating a company called Elemental Technologies as a potential acquisition.
They were trying to help with an expansion of a streaming video service. It’s now called Amazon Prime Video. So, Elemental made software for compressing these massive video files, like the movies and TV shows that are part of Amazon Prime Video, and getting them ready for different devices, and that’s called transcoding. Well, it was kind of interesting, when they started doing the research, they found, of course, they’d done the work for the Olympic Games, which is pretty impressive, making sure all of that goes around. They’ve done stuff for the International Space Station. They had drone footage for the CIA that had been funneled over there. So, it’s kind of cool. And it turned out, of course, because of the drone footage, Elemental had some national security contracts. Well, it was really interesting, not going to go into a lot of details here. But Supermicro Computer, a company we’ve used for years, apparently had been infiltrated. At least one of their suppliers had been. Nested on some of these server motherboards that Amazon examined, apparently, was a tiny microchip. Not much bigger than a grain of rice. And it was not part of the board’s original design. Apparently they hid it inside the PC board itself, the printed circuit board, right inside it, it’s just nuts. These Elemental servers can be found inside the Department of Defense network, CIA drone operations, onboard networks for Navy ships, and Elemental was one of hundreds of companies that use these Supermicro computers. So, they had a top secret probe that’s still open, apparently, after more than three years. But, it determined that the chips allowed the attackers to create a stealth doorway into any network that included any of these altered machines. Absolutely phenomenal here. So, an interesting article, you’ll find it up on my website, along with all of the articles for today, of course, Craig Peterson.com, make sure you visit me online. Be glad to see you there.
But this is scary, because we have now bad guys altering the guts of the computers. Oh, by the way, who were the bad guys? Kind of looks like it was the People’s Liberation Army. And not only did they find the chip, they found what the chip did, how it embedded itself. And in fact, it was sending traffic out that the companies, in this case Amazon and Apple, just weren’t expecting to go out. So, both companies apparently have had a little program in place, quietly replacing all the Supermicro machines, but are denying, in fact, that they have them, at least so far. We’ll see where that ends up.
Well, let’s move on to the best password advice. This is one of the top questions people have asked me. We have a special report I’ve prepared on passwords. And if you want a copy of it, and you want to know how to properly generate and maintain your passwords, I’ve got some emails, you have some of the top password programs out there, password managers and things, you can just go ahead and text me, let me know, my direct text number, it’s toll-free, 855-385-5553. Of course, you might have text rates or data rates that you might have to pay, but I’m not going to charge ya, 855-385-5553, and just ask for my password special report. Be glad to send it to you.
But a few years back, NIST, which is the National Institute of Standards and Technology, they submitted some digital identity guidelines. In other words, these are the guys in the government that come up with the password advice. And they had some new recommended password policies that were frankly running contrary to decades of previous advice out there. And what they said is, instead of having these long, complex, frequently changing passwords, you should do something different, because they found that if you have long and complex and frequently changing passwords, companies were at greater risk, because it increases the odds that people will reuse those hard-to-remember passwords in multiple unrelated security domains. Okay, so the compromise of one domain or one machine can more easily lead to another. So, what’s NIST saying now? Well, they’ve got more than two decades of compromises backing them up, they’ve captured logon credentials from otherwise unrelated security documents and domains. They’ve cruised the dark web out there to find out what’s going on. It’s almost impossible to count the number of compromises that have happened. But it’s easy enough to look at the passwords. And here’s what their guidelines are: keep them easily remembered, use multiple words. Most of our passwords nowadays are three or four words randomly chosen, in some combination with some special characters in there, as well. But none of the major computer security regulations or guidelines, including HIPAA, SOX, PCI, NERC and CIS, are recommending the newer password policy advice, after years now, since NIST came out with this new advice. So, should you obey the HIPAA policies if you’re a small medical practice, or the NIST guidelines? I think you’d be on pretty good footing, but you might want to talk to your lawyer, frankly.
But I think you’d be on pretty good footing if what you decided to do was follow the NIST guidelines. It’s going to be easier for your employees. They are going to have better passwords, and you are guaranteed to have better security.
Alright, well, back in the “Can they unlock them or not” category, we’re going to talk about the Feds and an iPhone X. Well, this is a huge problem, frankly, for, well, bad guys. And it might be a bad problem for you, too, if you are trying to keep your information safe. Because, ultimately, if the Feds can get that information, maybe the bad guys can, as well. And that’s obviously something you don’t want to have happen. So, an iPhone X is different than many of these other phones that we’ve had in the past in that it has the ability to use your face, right? So, you just hold it up and it recognizes your face and then unlocks. Well, we know that some courts have upheld that they can force you to give your fingerprints, right, that you have to give your fingerprints; they are taken anyway when you go ahead and you are arrested, right, when you’re in jail, or maybe not quite in jail, but in the police station. Well, how about your face? Do you have the right to keep your face private, to keep it, I don’t know, safe, whatever you might want to call it? That’s kind of the bottom line question here. What can you do in order to keep your iPhone X locked, or unlocked, I should say? Well, there’s another investigation that Forbes had come up with here recently about a child abuse case. And Forbes was able to uncover the first known case in which law enforcement used Apple Face ID facial recognition to open a suspect’s iPhone. That, by the way, is by any police agency anywhere in the world. They did a bunch of research to try and figure out, are the police doing this? Can they force you to? This happened in August, it was an FBI search of a 28-year-old’s home in Columbus, Ohio. And that month, he was also charged with receiving and possessing child pornography. So, they went in with a search warrant, and this federal investigator told him to put his face in front of the phone, which he did.
And that allowed the agent to pick through his online chats, his photos, whatever else he deemed worthy of investigation. So, this is a pretty significant moment here, where we’re talking about whether law enforcement can, or should, be able to force you, frankly, to unlock your phone, to unlock your device.
We’ll see what happened. We still have two companies that are saying that they can unlock all iPhones, including the iPhone X.
It’s a device here that costs $15,000 to $30,000 that they can buy in order to break into iPhones. See GrayKey, and the other one, yeah, the other one, Cellebrite. So, now Face ID’s been used for the same purpose. We’ll see what happens. Using a person’s face as evidence, or to obtain evidence, is normally considered lawful. How about when it’s used to unlock something? We’ll keep an eye on this for you, we’ll let you know what ends up happening as we go forward. And of course, as the case progresses.
This week, something interesting happened that has never happened before, because it’s never existed before. I was on a phone conversation. And right in the middle of that conversation, my phone came up with an alert. Did you get that alert? This is part of the Federal Emergency Management Agency, and they put a whole new service in play. And, it’s called FEMA’s new Wireless Emergency Alert system. Some people didn’t want to get the message. But they got it anyway. Steve was on a phone call at the time. And while he’s on the phone call, of course, what ends up happening, this alert goes off. And the guy on the other end of the line also had the alert go off. So, that’s a bit of an issue, right? Having that alert go off in the middle of a phone call. So, not only did the alert go off, but on top of it all, it cut off the phone conversation. Now, it didn’t hang up. But the audio from that phone conversation stopped for about two seconds while he was on that phone call. Well, some people got it. And there wasn’t a warning that went out before. I don’t know if you heard that they were going to do this. I certainly did. But four staffers at Wired magazine, who published an article about this, did not get the alert at all. And they were all on major carriers. I was on T-Mobile at the time. Verizon and T-Mobile both had users that did not receive that alert. So, this is a whole new tech, we’ve never really had this before. Brand new phones in some cases didn’t get the message, others did. And that’s why you run a test. I just, like, remember in Hawaii last year, before President Trump was able to stop North Korea from sending all of these missiles over Hawaii.
In Hawaii last year, they accidentally sent out an alert. In fact, I think they even sounded all of the sirens, air raid sirens and everything else. Well, you don’t know if it’s going to work unless you try it. So they tried it. And, the whole idea is to improve the warning delivery. So, if there is something major about to happen, you just might get an alert. You should also be getting them if you’re in an area that may have a flash flood warning or some severe storm activity. I’ve gotten them before; that’s controlled, in most cases, by the states themselves. So, the states decide what they want to send out, what they’re not going to send out. And, this case is the only one I know of where the Feds have tried to send something out. And they can, by the way, they can send these things to just individual localities. So, there’s a tornado that hit, as it’s moving, they can send out warnings, tornado, you probably know it’s on your doorstep. But that’s usually done by the states. And who knows what the Feds can use it for. So, you may have gotten that this week. You may not have gotten it this week. But I think it’s kind of cool. It’s a good use of our cell phones for emergency presidential alerts.
So next up, we’ve got a phishing warning. Now, we’ve talked about phishing. This is the “ph” phishing. And this is a very big problem. And it’s huge, and the hugeness of it I think will become pretty apparent to you here shortly.
But this is where an email comes in, and it looks legit. Now, as part of my webinar series I’m doing right now, and in fact you can even watch the replays still, if you’re interested, just let me know, I’m doing free webinars for small businesses, telling them some of the secrets here behind small business cybersecurity, things they need to be aware of, and things I can do to fix the problem ultimately. So, it’s continuing on this week, we’ll have a couple more sessions. So you can just email me at Craig Peterson dot com here if you’re interested. But part of what we covered was the anatomy of an attack. And when we’re talking about this type of attack, you know, most people, this is different. Most people think of, oh, there’s a hacker and they’re sitting there and they’re trying different passwords, and they’re trying software that’s cracking their way into our organization. No. In most cases, that’s not how an attack happens. And we’re talking about a huge attack vector. The FBI says that $12 billion has been stolen from businesses using this type of an attack. That’s a huge deal. It’s a very, very big deal. It’s not theoretical, either. So, the Department of Justice just published some documents, and it’s showing how email played a key role in the 2014 Sony Pictures breach, remember that one. Remember the hack of the DNC, the Democratic National Committee, where they said the Russians hacked them. It wasn’t a hack, either. It was this type of email phishing that was happening. And it only takes one of these malicious phishing attacks to destroy a small business. And about 50% of small businesses find that if that small business is hacked, if they lose their customers’ data, then in about half of the cases their customers don’t want to do business with them anymore. So, that’s a pretty, pretty big deal.
So, researchers are out there, here’s a stat that’s going to surprise you: over half a billion emails were examined by researchers over at FireEye. They’re looking at emails that were sent just in the first six months of this year, isn’t that amazing? Half a billion emails they have access to. And they found that 1%, one in 100 emails,
were outright malicious. Now, we’re not talking about regular spam, where someone’s trying to get you to buy this special pump that’s going to help you out, right, we’re talking about malicious, nasty email. The whole goal of these things was compromising a user or network. And when you get rid of the spam from that pool, so in other words, when you consider all of the messages that weren’t spam, only one third of emails were considered clean. So, two thirds of non-spam emails were malicious in nature. So, we’re talking about a huge problem, a problem that can absolutely kill your business. And this isn’t just true for businesses, right? This is true for individuals in their homes and everything else, because you get email too, not just businesses. 10% of these are blocked, typically. 90% of them don’t involve malware in the initial attack. And with my training I’m doing this week, I’m showing you how exactly it happened. I walk through a woman who is doing exactly that. And she is not using malware, she is not using viruses, she’s not using ransomware to get her nastiness into the businesses’ networks. So we walk through it, I’ll show you exactly how it happens. Be careful, this is a brand new article, it’s from ZDNet and it’s up on my website, as are all of the articles today that we’re talking about. Quick hit here before we run out of time today. Voice phishing is becoming even more prevalent than it ever has before. It’s easy to forget that we have got scam artists out there, but they’re using your voicemail to fool you. Here’s a sample: a female voice explaining the credit union needed to block phony-looking charges in Ohio made to his debit ATM card. And, then she read him the last four digits of the card. He pulled out this card from the wallet, it was the correct last four digits. So he told the lady he needed a replacement card immediately because he was going to travel out of state. Without missing a beat,
the caller said he could keep his card and the credit union would simply block any future charges that weren’t made in either Oregon or California. Okay, so this struck that guy as a little off, and a little research happened. So, be careful of phone calls. You never know. They may or may not be legit.
Hackers, here they got into British Airways’ defenses and they got behind the doors. British Airways disclosed a little bit about what happened. But, we’re talking about a data breach impacting information from roughly 400,000 bookings that were made, just 400,000, over the course of about a month. Three weeks, actually, it’s crazy. So, names, addresses, email, sensitive information, payment card details, it looks like even some passport information was all compromised. Why? Well, because they had a problem on their website. This page that was compromised hadn’t been modified since December 2012. So, word to the wise if you’re a business person. And if you have a website and you are not maintaining it properly, or applying patches to it, making sure it’s using the latest, greatest code, you could have your information stolen. And, like British Airways and so many other businesses, lose customers. Because remember what I said, the latest stat, 47% of people will not do business with any business that has had a compromise. So that’s, frankly, I think that’s a big deal. There’s a lesson to be learned there for all of us. So thanks for joining us today. Again, if you want some more information, make sure you sign up for my webinar. You’re going to be coming in in the middle, because this is a webinar series, but you’ll find it right on my homepage at Craig Peterson dot com. This is free, no credit card for registration, right. I’m not stealing your money from you. But I am going through, explaining this stuff and how it applies to small business. Because small businesses, they are the backbone of our economy. They are the job creators in this country. We need to make sure they’re protected. And frankly, they are amongst the least protected of everyone out there. Well, with the exception of homes, and in most cases homes, then you might benefit from this, as well.
But we’re really talking about small businesses. I really hope that somebody’s going to come up with a great solution for homes. But still, the costs are too high. I’m unable to get them down for small businesses. But as far as homes go, they’re still not in the right price range. But at least all of this wonderful code and software that’s been available for the Fortune 500 companies for all these years is now available through small businesses, or for small businesses I should say, through us. So, anyways, this is all free. I’m trying to help, you’re going to learn a lot. You can take the replays of the previous sessions, if you’d like to, and you can ask some questions, you can get on as we have a couple more sessions this week. I’ll be holding more webinars as time goes on. But Craig Peterson dot com, register right there. I’m not a spammer. I’m not going to sell your information. Anyways, have a great week and we’ll chat again next week. Bye-bye.
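As an added example (not code from the show, from NIST, or from any vendor), here is a Python policy check in the spirit of the NIST password guidelines discussed in the segment: a length floor and generous ceiling, a compromised-password blocklist and context words in place of complexity and rotation rules, plus a generator for the "three or four randomly chosen words with a special character" style of password. The blocklist and word list are constructed samples; a real deployment loads a full breach corpus and a wordlist of thousands of entries.

```python
"""NIST SP 800-63B style password policy: length, blocklist, no composition rules.

Added example, not code from the show or from NIST. All sample data is constructed.
"""
import math
import re
import secrets
import unicodedata

# Constructed stand-in for a compromised/common-password list (real lists have
# millions of entries and are usually compared by hash rather than plaintext).
CONSTRUCTED_BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN = 8    # 800-63B: user-chosen secrets must be at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers should accept at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization before counting or comparing, as 800-63B asks."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, context_words=()) -> list:
    """Return the list of reasons a password is rejected; an empty list means accepted.

    Deliberately absent: character-class rules (upper/lower/digit/symbol) and any
    expiry date. 800-63B drops both because they drive reuse of hard-to-remember
    passwords across unrelated systems, which is the risk the guidance targets.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if len(s) > MAX_LEN:
        reasons.append("too long")
    lowered = s.lower()
    if lowered in CONSTRUCTED_BREACHED:
        reasons.append("found in compromised-password list")
    # Context-specific words: the service name, the username, and similar values.
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    # Repetitive runs (e.g. 'aaaa') are called out in 800-63B as weak patterns.
    if re.search(r"(.)\1{3,}", s):
        reasons.append("contains a run of 4+ repeated characters")
    return reasons


# Constructed tiny word list; use a large published list (thousands of words) in
# practice so that every word contributes 12+ bits of entropy.
CONSTRUCTED_WORDS = ["copper", "harbor", "velvet", "meadow",
                     "lantern", "orbit", "pixel", "saddle"]
SEPARATORS = "-_.!#"


def generate_passphrase(n_words: int = 4, words=CONSTRUCTED_WORDS) -> str:
    """Join n randomly chosen words with a randomly chosen special character."""
    chosen = [secrets.choice(words) for _ in range(n_words)]   # CSPRNG, not random
    return secrets.choice(SEPARATORS).join(chosen)


def passphrase_entropy_bits(n_words: int, wordlist_size: int,
                            n_separators: int = len(SEPARATORS)) -> float:
    """Entropy of a word-based passphrase: n*log2(words) plus the separator choice."""
    return n_words * math.log2(wordlist_size) + math.log2(n_separators)


if __name__ == "__main__":
    for candidate in ["Password", "short", "craig-peterson-2018", "aaaaaaaaaa",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate, ['peterson']) or 'OK'}")
    phrase = generate_passphrase()
    print(phrase, check_password(phrase) or "OK")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

Run stand-alone it prints a verdict for each constructed candidate; a word-based password built from a large list sails through the policy while the short, breached and repetitive ones are rejected with a concrete reason.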