Safe Shopping Online – China Hacking Even More – Two Factor Authentication Failure – Millions Are Installing Hacks – Porn Watching Leads To Network Compromise and more all on TTWCP Radio Show [11-24-2018]

On This Episode…

Did you rush to finish Thanksgiving Dinner to rush to the sales? Did you go out on Black Friday? Are you shopping today and tomorrow?  How about on-line Cyber Monday?  Well if any of these apply to you listen in for some tips on how to stay safe while you shop and where to get the best deals.

If you have been listening in to prior shows you know I have been talking about China and their different hacking activities.  Well, they are at it again and hacking even more.  Listen in as I tell you some of the ways they are doing it now.

You know that I am a fan of Two Factor Authentication when it is done right. But unfortunately, sometimes it is not done with much thought and it fails. Today, I will talk about one type of two-factor failure.

How readily do you install apps, plugins, etc?  Today we will discuss why millions are installing hacks at the same time.

Did you hear about the government employees who caused a network compromise?  When you hear how they did it you might be surprised.  Or maybe not. 



For Questions, Call or Text:

855-385-5553

TRANSCRIPT

Below is a rush transcript of this segment, it might contain errors.

Airing date: 11/24/2018

Safe Shopping Online – China Hacking Even More – Two Factor Authentication Failure – Millions Are Installing Hacks – Porn Watching Leads To Network Compromise

Craig Peterson 0:00

Hey, hello everybody. Craig Peterson here. Got a lot today as usual, make sure you visit me online. http://CraigPeterson.com. I’ve got some great information out there when it comes to online shopping tips, of course, right? That’s this time of year when we have to deal with that. So pros & cons. In fact, there are 10 different tips that we have out there on the website. And we’re going to cover some of those today as well. We finished getting everything else set up, right, there’s always something you forget to do. So let’s get going with safer online shopping.

Craig Peterson 0:44
Well, we all shop online. This year, of course, we’re going to set another record not only for travel but for what people are buying online, how much money they’re spending. I’ve got 10 tips at the top of my website at http://CraigPeterson.com, that you might want to pay attention to. The first tip, and this is a really big one, I think most people might know about it. Some people might have forgotten about it. But it has to do with how you are paying. The first part of this tip: skip the debit card, do not use the debit card. In fact, you can go one step further, if you’d like; some of the companies are already offering you an alternative. For instance, you know, you can use Apple Pay, you can use Samsung Pay, depending on where you are. Apple Pay is very safe. Samsung Pay seems to be quite safe as well.

Craig Peterson 1:39
So if you have to use a debit card, if you don’t have a credit card, and I went 20 years without a credit card. So I know what you’re feeling here, what you’re thinking. And all I had was a debit card. Put that debit card behind another payment system, such as Apple Pay or Samsung Pay, if you have a debit card; otherwise, don’t use it. Okay, that’s kind of the bottom line here. Because debit cards will cause you no end of grief if that information is stolen, right. So remember that there’s another new trick that’s out there that’s been available for a few years, depending on whose credit card you have. You have to have a credit card, not a debit card, in order to do this. And that is getting a temporary credit card. They’ll give you a number that only works once in some cases. Visa has this; MasterCard has their own program. But it only works one time because it’s only working that one time.

Craig Peterson 2:41
If someone steals a number, who cares, right? Just because you have a secure server, with that HTTPS and that little lock up in the corner, doesn’t mean that your data is secure, other than when it’s in transit. So rule number one, skip the debit card, use Apple Pay if you can, use Samsung Pay if you have to. And you know what I feel about some of the Android devices and the software they have. I’m not a big fan of that, right. So use those or use a temporary credit card number to shop on secure sites. Now, what does that mean? I’ve had a lot of people ask over the years, hey, listen, this isn’t a secure site, I don’t want to enter information into it. You could have your information intercepted. And we’ve talked on my show before about how Russia and China both have routed internet traffic from the US from businesses to the foreign offices of the spy agencies and have

Craig Peterson 3:47
gathered information. So if you’re using a secure server, you are thwarting the Chinese hackers, the Russian hackers, etc. And that’s a very good thing. So make sure you are using a site where the URL begins with https. Okay, so secure site. This is an obvious one, right? And yet, every time we go into a business we see this isn’t being paid attention to, but update all your software, make sure your operating system’s up to date and make sure your browser is up to date. Use the best technology out there. A lot of people have switched to using Firefox. Now it’s fast. It’s designed to be rather safe and secure. They’re updating it constantly. So Firefox seems to be the number one choice for security-conscious web browsers. Safari is quite good, Chrome is quite good. Although Google, I’m kind of shaking my head, if you watch this on video. Google is a company that keeps our information right there, they kind of sell our information to other people. But make sure your software is up to date. And you might want to use one of these tablets that are going to be a little more secure. We’ll talk about that in just a second.

Craig Peterson 5:08
Now, email scams, we’ve talked about these before a lot. And business email compromise has cost US companies over $12 billion over the last two years. Can you believe that? $12 billion, that’s a lot of money. And that money comes from these business email compromises, the scams where they get you to click on something that you shouldn’t be clicking on. So what’s the easiest way to deal with that? I’ve got a solution. The simplest way to deal with business email compromise scams is to use a different email when you’re online shopping. That’s what I do. I’ve been using different email addresses for the last 30-40 years almost. Now those business email addresses that I’m using, I use a different one for every website.

Craig Peterson 6:02
So, I know now an email’s coming in. And it’s being directed at an address that I know I’ve only ever used on site X. And yet it’s purporting to be from PayPal. It ain’t, right? This is not them. This isn’t PayPal, because it’s coming in from site X that I want to sell. For instance, I sign up for something on CNET.com, I use a different email address. Now there’s a trick here you might not know, and that’s the use of the plus sign. Depending on your email system you may be able to put a plus sign, so for instance if you send an email to me@craigpeterson.com, it’s going to go to me. If you send email to me+radioshow@craigpeterson.com, it’s still going to go to me and it’s going to show that it’s sent to craig+radioshow@craigpeterson.com. So I have filters in place, so I know about it. But use a different email address for your online shopping, at least have two, right, maybe more. Maybe another one for your banking. I even go so far as to recommend that you use a different computer for some of your online shopping, and certainly for your online banking.

Craig Peterson 7:20
Just say no to clicking links. Never click a link. Just go up to the web browser, menu bar, and right in there, type in the URL of where you want to go. Don’t follow those links. But beef up your passwords. You know, I have a special report on passwords. I can send that to you if you email me@craigpeterson.com. How about this. Did you like my last tip? Well, why don’t you try and send it to me+password@CraigPeterson.com. And that allows me to track and say yeah, you want password stuff. And I’ll be glad to send that to you. That’s normally a paid special report. But I’ll make it available to you for free. $97 gift to you. But beef them up.

Craig Peterson 8:08
And when you beef them up, the best way to do that, frankly, is to use a password manager, because they can generate some of the best passwords. We’re not going to go into what that means, but that’s in the special report. You know, how you should generate them, what they should consist of, it’s too deep to go into right now, but beef them up, okay. Never give more information than is absolutely necessary. I think that’s a really big deal. So if they’re asking for your name and address and various other things, you might want to consider doing something I’ve done as well for more than 40 years, and that is using a kind of a fake name. Now you’re not trying to commit a crime here, this isn’t fraud, but you can now track who’s using it. So I will spell my name differently or use part of another name like mine. I even very frequently will use the website name as my name.

Craig Peterson 9:07
So again, if the website saw that, it might put CNET Peterson, for instance, and then my address so they can ship the stuff to me.

Craig Peterson 9:17
Now I know, something comes to an email that says hey, CNET, well, I know where they got my email address from. And I know that nothing that’s in there is stuff that, you know, maybe I asked for, maybe I didn’t, right, but it’s marketing material at the best, and at the worst it’s someone that stole CNET’s database and is now trying to defraud me on something. So don’t give any more information than needed.

Craig Peterson 9:44
Another really good tip here. These are some great ones, I got them up on my website. http://safewise.com has these, of course, I’m adding some more in as I go. But don’t use free hotspots. They’re like manna, right? Everybody uses them, unless you have the right kind of VPN. And I gotta say, most people have no idea what that VPN is really doing. Most of the free VPNs and the cheap VPNs are stealing your data. Now, they’re not necessarily stealing it to have your credit card and use your credit card against us. Some of them are, but they are stealing your data. So be careful with that. Public networks just plain aren’t secured. Other people can also connect to your computer. And many times a bad guy will set up a fake little wireless network and make it look like it’s for the coffee shop or for the store you’re in, and when you connect to it, you’re really connecting to them. And they’re stealing your data. Be smart about the shopping apps that you’re using.

Craig Peterson 10:49
If you’re on Android, particularly, people only use apps from the Play Store. That does not guarantee that they’re safe, by the way, because the Google Play Store is not meticulous about making sure that all of the apps are safe, that they’re not doing something nefarious. Apple’s App Store is much better about doing that. But again, you’re not necessarily safe. Okay? Don’t let your computer or your device remember your credit card number. You probably don’t want them to remember passwords and things; again, that’s why you should use a password manager.

Craig Peterson 11:27
Does that make sense to you? Bottom line is that something that you think you should be doing, is it obvious? I think it is. So if you want that password manager information, just email me@craigpeterson.com, you’ll find this article and others right there online. https://craigpeterson.com. Alright, and next up here, we’re going to be talking about what China is up to.

Craig Peterson 12:00
Well, you can’t think that I would do a whole show just on Cyber Monday and shopping over the holidays. Do you think China has taken the gloves off when it comes to the theft of US technology? Now, you might call this a great microchip heist. We’ve seen China breaking into computer systems. In fact, right here locally, we’ve picked up a new security client where I’m acting as their data security officer. And we found Chinese backdoors on it. But there’s a great article from the LA Times I’ve put up on http://CraigPeterson.com, and it’s talking about this stunning microchip heist. Our computers have memory in them. There’s different types of memory, one of those types is called DRAM. It’s very important memory. Typically it’s the main memory for your computer. Right, not the hard disk, not the SSD. But the main computing memory that’s in it. We’ve been tracking this for a while. And it turns out that the US federal government has been tracking Beijing for the last couple of years.

Craig Peterson 13:11
Now, I’m not going to get into all of the details, you might want to read this article up on http://CraigPeterson.com, but it’s talking about China and how they’ve prioritized stealing intellectual property. And they really wanted to be able to manufacture these DRAM chips.

Craig Peterson 13:27
So they managed to get this information. And believe me, they’re doing it by hook or by crook. The small-medium businesses are the most attacked, they’re the most vulnerable and they have the most to lose. So the Special Agent in Charge of the FBI San Francisco office, John Bennett, is saying that out there in Silicon Valley they’ve been going double time. The quote is, they don’t care if they get caught, or people go to jail, as long as it justifies there. And they are not going to stop. And of course, the Trump administration has been increasing some of its rhetoric when it comes to the Chinese and what the Chinese have been doing. So it’s been a big deal all the way around. It’s kind of a scary thing, frankly. So that’s our little bit of a China story here. When we come back, we’re going to talk about some more leaky data out there.

Craig Peterson 14:26
Alright, so next up, this is kind of interesting, because all of us have SMS, right? You have a phone. SMS is the simple messaging system, aka texting, right, that you’re used to with your phone. And we all have these, we all use these. And we talk a lot about two-factor authentication with our clients. And I’ve talked about it on the show here before. You’ve got to have the ability to not only know a password but have something. The best security is something you know, along with something you have. So many websites have decided that the easiest way to have two-factor authentication is you’ve got your cell phone, right, that’s something you have, along with something you know, which is your password. So what do they do when you try and log in, or maybe once a week, when you try and log in, they’ll send a text to you. And then that text is used to do what? That text is used to send you a number, so that you log in with your username and password, and then you enter that number. That’s a type of two-factor authentication. And that works great except when it doesn’t. So there are bad guys out there who have been very busy trying to do a couple of things to us. One is they will do SIM hijacking, which is a real problem nowadays. Or in this case, we’ve got a massive security lapse.

Craig Peterson 15:58
This is a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications, and more. So let that sink in. Have you ever used your phone to identify yourself? Have you ever used your phone to get a password reset link? Now, some of these companies that send it to your phone are pretty smart. They realize hey, listen, that’s your phone, stuff like this could happen. And at that point, your data is exposed, right, which is a very bad thing. So they put a limit on it. It’s only good for maybe 5-10 minutes. Some of them though are good for a very long time. The exposed server belongs to a company called Voxox, and it used to be called Telcentris. They’re out of San Diego, California, they’re a communications company, and they lost a huge number, was it, I’m trying to find the number here in this article, 26 million. Here you go, text messages year-to-date.

Craig Peterson 17:05
So what was found by TechCrunch in looking at this: they found passwords sent in plain text to a phone number from a dating app called Badoo. Several Booking.com customers were sent their six-digit two-factor codes to log into the company’s corporate network. Fidelity Investments, Fidelity, right, they’re located right here in my town, also sent six-digit security codes to one number in Chicago. Many messages included two-factor verification codes for Google accounts all over the world, including Latin America, Mountain View, California credit union, it goes on and on. Shipping notification texts sent by Amazon. That’s a little less troublesome, unless you are someone who is trying to steal some of these Amazon packages we must before, but it goes on and on. Huawei ID verification phones, etc. Very, very bad. But this goes to the point of two-factor authentication, and using your phone for 2FA, two-factor authentication. If you can avoid it, avoid it. What I do is I use an app and it’s called Duo. Let me pull it up here for you right now. If you’re watching this on video, you can see my phone. If not, you’re going to have to kind of imagine.

Craig Peterson 18:30
But this is my Duo app. And you can see I’ve got my mainstream protected login, my Craig Peterson login, Facebook, Amazon, and more right here. So what happens with this is, this is a special app that runs on smartphones and ties into these applications.

Craig Peterson 18:48
And if I am trying to log in, particularly if I’m logging into a system that has our customers’ data on it, it will go ahead and send a notification. Sorry for the little coughing fit there, and hit the cough button.

Craig Peterson 19:06
But it’ll send a notification to my phone that the app activates. And I now have to authenticate to the app. So it uses passcodes. But it also uses biometric identification. So I’m logging into a system that has client information on it, obviously, that’s critical, right? That’s something we have to watch for. So we’re logging into the system,

Craig Peterson 19:32
I am now authorized to access it, because I’ve given the password, I’ve given bio information, thumbprint or face print, etc.

Craig Peterson 19:42
And so now that application knows it really is me. So think about that, use something like Duo. It was just bought by Cisco. It’s funny, all of these companies that we’ve been using, Cisco ends up buying. It’s good because, you know, we’re part of the Cisco ecosystem, pretty high up actually in the Cisco installing reseller space, but they bought it, it’s now integrated. And you can expect more and more of these things as time goes forward. But these are the leaks that we worry about. This is one we found out about; how many of them did we not find out about? That’s what’s next here. We’re going to talk right now about the hack

Craig Peterson 20:20
that millions of people are installing themselves. Yeah, yeah, really. And you might be doing this too. This is something we’re always cleaning up for customers.

Craig Peterson 20:37
Now, you are using a web browser, right? Who doesn’t use web browsers nowadays? You go on, I just did some banking this morning, using my web browser. Now, again, I use a different web browser for banking than I do for other things. And I often will use a different machine, kind of depends on what accounts I’m messing around with. But the internet browser is the gateway from your world to the internet world. And many of us just don’t pay the type of attention we should pay to our internet browsers. Now, everyday users.

Craig Peterson 21:10
According to this study that was done here very recently, information that was released from Google, nearly half of all users of Chrome on the desktop use browser extensions. Now, they can be very handy. In fact, a Chrome browser is essentially an operating system in and of itself, right. But some of these browser extensions are now being used to hack into people’s computers by the millions.

Craig Peterson 21:43
Now simple things like unwanted advertisements is one thing. But they’ve been stealing passwords, they’ve been siphoning other sensitive information, they’ve been using some of these browser plugins to mine for cryptocurrency, which means your machine is now going to overheat as it’s looking for cryptocurrency, which by the way, will make them money, but will cost you a lot more, if only in your electric bill. Why is it getting hot? Because it’s burning all that electricity. Okay, so this is a prime target for hackers. You might not want to use them, avoid them when possible. I do use a few. And what I tend to do is activate an extension when I need it.

Craig Peterson 22:28
So if I’m trying to figure out a Facebook Pixel, I’ll turn on the Facebook Pixel extension. If I want to add something to Instapaper or my Pocket account so that I can use it and follow up in some of the webinars I do or this radio show, I turn it on when I need it, because it’s giving these devices privileged access. And that’s something frankly we just don’t want to do. Okay, well, a million users here, just for one Chrome extension. This is getting to be a very, very big problem.

Craig Peterson 23:04
Now we’re going to talk about something that is also a big problem and cost the federal government a whole lot of money. Most of us are smart enough, right. And we were just talking about extensions to Chrome and other web browsers and how that can really cause some havoc with your security. Most of us are smart enough not to go to online porn sites or gambling sites.

Craig Peterson 23:31
Those are the two worst right now when it comes to malware. Well, this is kind of interesting, because the Interior Department has this watchdog and they found that the US Geological Survey had been the source of a massive breach. And I mean, massive breach. The agency’s inspector general traced malicious software to a single unnamed USGS employee. That’s US Geological Survey employee. Now, that employee reportedly used a government-issued computer to visit some 9,000 porn websites. So this is according to a report that was published about a month ago. Many of these prohibited pages were linked to Russian websites containing malware, which was ultimately downloaded to the employee’s computer and used to infiltrate Geological Survey networks. Now this is according to the auditors that went in afterward. The investigation found the employee saved much of the pornographic material on an unauthorized USB drive and personal Android cell phone, both of which were connected to their computer against agency protocol. By the way, the employee’s cell phone was also infected with malware.

Craig Peterson 24:52
Well, what can we learn from this? Has this happened to you in your business? Have you got, first of all, in place policies and procedures that say employees cannot, should not do that? And then secondly, do you have any method in place to stop them from doing that, even if they’re breaking the policies, right? The policies are there, but that doesn’t mean that they’re going to be obeyed. So do you have the proper filters at the network edge that are going to stop people from breaking out into the internet? How about on the local computers, have you turned off the USB ports? And you know, a lot of places do that, you can turn them off in the BIOS, and then the employee goes in and turns them back on, which means of course, you should have at the very least protected BIOSes on those machines. Of course nowadays we’re not using BIOSes, but the same concept applies. Many businesses and government agencies have decided that they have to completely disable those ports, which is too bad, because employees are taking their phones, right, the Android phone, hook it up, plug it in, let me see. Oh, look at this. I’ve got a charging cable right here. I think I’m going to plug my phone in. Right, and they do that. Now, viruses come out from their phones that go into the computers, they spread through the networks, the phones become infected by infected computers, so they’re putting epoxy into those ports on the computers. And I’ve had more than one client that had their employees, you walk around, you see all of these cables, whether they’re like this for an Apple or regular USB cables, you know, micro USB or now USB-C cables, and we recommend that they all be removed. And so we remove them all and employees get upset, because they know they want to hear from their family from time to time, they’re not necessarily on their phone all day long.

Craig Peterson 26:49
How do you deal with that, right? That’s a problem, and then add on to that the fact that they’re on your network, or on your business network, is it being controlled, is it being controlled properly, right? All great questions, so keep an eye on this one. Porn-watching government employee introduced a massive problem for the US Geological Survey. How about for you in your business, right? Think about it for a minute, put those in place. If you want more information reach out to me@craigpeterson.com, got some great employee handbook sections that we can share with you. We’ve got all kinds of good information there on the website, again http://CraigPeterson.com. Make sure you sign up, and that’s easy enough to do, and I would love for you to rate my show and my podcast. Go to http://CraigPeterson.com/iTunes. That will take you right to my podcast on iTunes where you can subscribe, and I’d really appreciate it if you did, because those numbers really help us reach more people out there. And while you’re there, hopefully you’ll give me a five star rating. I’d appreciate it. http://CraigPeterson.com/iTunes. Have a great week ahead and we’ll talk with you again soon. Bye bye.