In this very busy segment, Craig addresses a number of tech issues that are in the news right now. First off BEC scams. Business Email Compromises are also commonly known as Spear Phishing scams and target executives. In the past, many came from outside the US but this has changed. Next, he discusses what happened with Excel and the loss of some Covid data. Then he explains why the IRS is looking at Cryptocurrency on people’s tax returns. So let’s get into it!
For more tech tips, news, and updates, visit – CraigPeterson.com
—
FBI, DHS says hackers have gained access to election systems
The IRS Is Being Investigated for Using Location Data Without a Warrant
Clear Conquered U.S. Airports. Now It Wants to Own Your Entire Digital Identity.
5G in the US averages 51Mbps while other countries hit hundreds of megabits
IRS may put cryptocurrency question at the top of 1040 to catch cheaters
Publishers worry as ebooks fly off libraries’ virtual shelves
25% of BEC Cybercriminals Based in the US
What’s Really Happening in Infosec Hiring Now?
—
Automated Machine-Generated Transcript:
Craig Peterson (2): [00:00:00] Well, we’ve got a story here about how Excel may have lost some 16,000 potential COVID cases. A little story about the IRS and really happening in info security right now. Great career.
Hi, everybody listening to Craig Peterson.
Oh, cybersecurity. IT cybersecurity, I think is a great profession. It is a difficult profession. Don’t get me wrong. I talk with people in IT all the time about how it is just kind of overwhelming. How they just got this major inferiority complex in Infosecurity understandably so. There’s so much going on, it’s a very high-stress job.
There is a great article that was out in Dark Reading earlier this year, talking about what was predicted for security roles going forward. Due to the pandemic scare, what matters.
Six months later, Dark Reading went back and had a look at it. What they’ve found is it’s just as tough to fill open cybersecurity positions as it was pre-pandemic. In fact, there are new problems now that I, I hadn’t really even thought about, frankly. 30% of businesses that responded to the survey said that their security teams are hiring now. 45% said that they need additional staff, but are restricted by hiring freezes or spending limits. So add those two together where it’s 75% of companies are looking to get more cybersecurity people. 12% said that they were recently forced to cut security staff. Which is obviously in my view, more than a little short-sighted, right?
So they went in and started looking at it a little more deeply. It’s a years-old story now, and it typically takes about eight months to replace a security analyst and about four months to train a replacement. There is right now a huge shortage of appropriately skilled workers. Others are claiming it’s an unreasonable set of expectations amongst employers, and that job listings that are put out there are difficult to decipher.
I think that’s funny considering its cybersecurity, right? Get it – decipher. I have thought long and hard about maybe offering some sort of cybersecurity training course. That’s what the cybersecurity mastery thing is all about. Getting you the basics of cybersecurity and then have a couple of phone calls a month to answer questions that people have that are in the program.
That’s the whole thing behind understanding cybersecurity or mastering cybersecurity program because employers want the right skill set. There just aren’t enough people out there.
The pay is very good depends on what you consider good, I suppose. Right now for a not particularly well-skilled person, the salaries are in the hundred thousand dollars a year range, Which is why statistically looking at this whole thing a business that has fewer than 500 employees with standard revenue based on how much revenue per employee cannot afford a cybersecurity team. You just can’t afford it because it’s so darn expensive.
You’re much better to find an outsource team. That’ll do it for you. It’ll save you a whole lot of money. So keep that in mind.
A business email compromise is a very, very big problem. We’ve talked about it before. FBI is talking about all of the hacks that have occurred via BEC. I’ve had firsthand experience with it that is how we picked up a couple of clients. We do a cyber health assessment for one company and this company had a few different servers and some desktop machines. We did a whole, what we call an NSAAP, which is a network security assessment and action plan.
So we gave them this action plan. These machines need to be upgraded. These machines this software needed to be upgraded. These machines were not properly protected. These ports were open. They shouldn’t have been right. So it was a really good network plan for them. I think it was like 300 pages long of stuff they needed to do.
Again, this was a very small company. I think they’ve only got maybe three or four dozen employees and gave it to them. Thanks. Appreciate it. Bye-bye. Then we got a call from them. I don’t know what was it? Eight months later because they had become, I’m a victim of a business, email compromise attack.
This happens all the time now. This is where someone sends an email pretending to be someone they’re not usually within the organization, but sometimes they pretend to be a vendor. One of the attacks that I know of here, that’s pretty common, comes out of Eastern Europe.
Hey, Mr. CFO. They send this while the owner, CEO, the president is out of town and unreachable, and they know that because the owner posted it on Facebook and the bad guys have been tracking the company for a little while and said, Oh, he’s going to be down in Bermuda. This period of time in February.
So they send an email to the CFO and supposedly from the business owner, and there are methods they use so that they can use a legitimate email address, or it looks really like it is from the business owner. The email says something like, Hey, we started using this new vendor. We haven’t paid their invoices. We’re three months behind unless you wire this $120,000 that is going to go away and can really hurt the company. Can’t deal with this right now. Please just go ahead and wire the money and then the CFO does it.
We saw this happen to Shark Tank’s Barbara Cochran. You know her from Shark Tank. She’s one of the sharks, big real estate investors. Her assistant got tricked into wiring out – Was it 300,000? I can’t remember. It was a fair amount of money. She got tricked into wiring it overseas.
Now the FBI tells us that once that happens, 90 seconds later that money can no longer be recovered. It just disappeared. We have clients that have had the money disappear. Of course, we picked them up after it’s disappeared, right? Just like this customer that did not do what we told him he should do. Right.
Even if they did it themselves, they would have been ahead of the game. They didn’t have to hire us to do it. We gave them an action plan as part of our NSAAP evaluation. Right? They lost, last I heard, actually, it has gone up, a $180,000. So they lost money right out of their operating account. It got emptied and they also ended up incurring all kinds of fees and then they couldn’t deliver some things. So they had problems with customers, right.? It just goes on and on and on.
This stat is something that was a bit of a surprise for me. There’s a study that was just done looking at business email compromises and found that the attacks are coming one-quarter of them from the United States. One-quarter of all of the business emails is coming from the US. Of course, many times these people are caught by the FBI and end up in prison. But of these attackers located in the US, nearly half of them are in these five States, California, Georgia, Florida, Texas, and New York. So be very, very careful.
Interesting reports got information from more than 9,000 defense engagements from this year between May and July, right? 2200 of them, by the way, they could identify the likely location of the attackers. So interesting stuff. That’s a problem.
IRS is saying that they may have a question and on the top of the new form, 1040 asking filers if they dealt in virtual currency in 2020, we talked about the IRS earlier in the show today. The IRS is concerned that people are making money off of these blockchain things, like Bitcoin, and are not reporting the capital gains that they had from these cryptocurrencies. So be careful with that. IRS is starting to take that very seriously.
Then COVID, we put all kinds of systems in place because of the panics around the Wuhan virus and worry about people having the COVID-19 symptoms. Apparently in the UK, more than 50,000 potentially infectious people may have been missed by the contract tracers. How?
Well, Microsoft has a million row limit on the Excel spreadsheet. Now, if you have a spreadsheet with a million rows in it, you are misusing spreadsheet software that really needs to be in a database somewhere. Okay. That’s not something to do in a spreadsheet. Apparently what they were doing in the UK is hospitals, et cetera, or we’re sending in spreadsheets. We’re probably doing the same thing here in the US and then those spreadsheets are being pulled into one master spreadsheet and almost 16,000 positive tests were left off the official daily figures which translate to more than 50,000 potentially infectious people running around. A great little story from the guardian.
Again, all of this stuff is up on my website. I have a great newsletter people love, and I’d love to have you on it. Where I talk about these things. We do a little bit of training. I answer people’s questions. You’ll find it all @craigpetersohn.com slash subscribe. Make sure you’re on that list so you can stay on top of these things.
Take care, everybody we’ll be back next Saturday at one.
—
More stories and tech updates at:
Don’t miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text:
855-385-5553