Duckduckgo For Search – Google Advisory On Windows 7 – Cars Hacked Via Their Security Systems Today on TTWCP Radio Show:[03-16-2019]

On This Episode…

Have you heard about sextortion? We will talk about this type of blackmail scam and why it is so dangerous.

Android vs. iPhone, what is your choice? Today, we’re going to talk about it from the resale value side.

What’s up with GPS systems? Why are some experts not flying on April 6? I got some news and explanations for you.

And we have a report out of the UK, The Guardian, about how easy it is to steal modern cars. We will discuss why that is.

Did you hear about the warning from Google this week? We will get to that and some other unexpected actions from Google.


For Questions, Call or Text:

855-385-5553

TRANSCRIPT

Below is a rush transcript of this segment; it might contain errors.

Airing date: 03/16/2019

Duckduckgo For Search – Google Advisory On Windows 7 – Cars Hacked Via Their Security Systems

Craig 0:00 
Hi, everybody, we’re up to show number 998.

Craig 0:12
Does that mean we have to do something special, coming up here in a couple more shows? I can’t believe 1,000 weeks’ worth of shows. I don’t number my shows based on the,

Craig 0:21
you know, how many times I’ve appeared or how many times I’ve put podcasts up. Because I do, sometimes, five. I’ve done as many as a dozen different podcasts in a week before. So I don’t add them up like that. I’m talking about 1,000 weeks on the air, on the radio. That is absolutely fantastic. Frankly, it’s just so exciting. I’m glad that it’s happening. Well, today, we are going to be talking about sextortion. You might have seen this; I had one of the listeners reach out to me about this just a couple of weeks ago. And in fact, it happened to me as well. We’ll talk about Android vs. iPhone. This time, we’re going to talk about it from the resale value side. GPS systems, April 6, I got some news for you. Some experts have decided they’re not going to fly on April 6th; I’ll explain why. And we have a report out of the UK, The Guardian, about modern cars being much easier to steal than the old ones, and why. Google has a very big warning out this week that we’ll get to. And Google did something else that was not expected by a lot of people. Google has quietly added DuckDuckGo as a search engine option for Chrome users. This is in about 60 different markets globally, and this is really big news. Because the Chromium engine, of course, is made by Google. And you know, already Google is very big in the search engine space. So having them promote, which is what this effectively is doing, having them promote competitors is a little bit of a surprise to everybody out there. Now, Chromium, I mentioned this a few weeks ago, which is the underlying technology for Google’s Chrome browser, is being adopted by Microsoft. They are completely shooting their own browser projects in the head, and they’re building it all on top of Chromium now, which I think makes a whole lot of sense. So does that mean Microsoft now is going to be using DuckDuckGo? Let me explain what this is.

For those who are wondering, DuckDuckGo isn’t just a kids’ game from 50 years ago, or probably longer than that, actually. DuckDuckGo is a search engine. And it is designed with privacy in mind. I’ve had the founder of DuckDuckGo on my radio show before; we talked a little bit about what he was doing. This was some years back when he was first getting started. And I’ve actively promoted it since then, and been using it since, frankly. But people are saying, well, DuckDuckGo is the search engine to use because it is not tracking what you’re searching for. It’s just giving you kind of general advertisements, just like Google used to 10 years ago. And other people are saying, well, why would I use DuckDuckGo when Google has, frankly, better search engine technology, which it does, in many ways. Google has been able to invest a lot of money into its search engine technology and DuckDuckGo just really can’t, at least not to the level that Google can. Now some people who are kind of skeptical, myself included, are thinking that maybe Google did this with Chromium in order to avoid some of the antitrust scrutiny, the anti-combines laws that are in Canada, the UK, and much of the Commonwealth. But it is good news for people.

Craig 3:59
I use DuckDuckGo as my first go-to choice when I’m searching online. It doesn’t track you. I kind of like it. It doesn’t always give me the results that I really need or really want, so for those types of results, sometimes I’ll end up going to Google and checking there. And I use Bing for some types of searches too. I find Bing’s image search to be a little bit better, in some ways, than Google Search. Bing doesn’t have the reverse image search that Google has. But, you know, all in all, I think it’s pretty good. There’s another pro-privacy search engine out there called Qwant. I’ve used that before, Q-W-A-N-T, and Google now offers that in Chromium as another default. So you might want to look at that: DuckDuckGo and Qwant. And Qwant, by the way, is only available as a default over in France, which is where Qwant is from. But you can always just go to qwant.com or duckduckgo.com, and you can use it in almost any browser out there as a default. And it’s been added in, I’m looking through the list, Canada, basically all of our neighbors. I don’t see Mexico on here. That’s kind of interesting. I see the UK, US, Venezuela is, you know, if they get power back down there, they’ll be able to use it. Good old socialist countries, right? So anyways,

Craig 5:30
It’s been growing for years; it’s really quite good. And this Chromium instance, available on GitHub in case you’re a developer, is worth looking at. I also, when we’re talking about Chromium, I got to make sure I mention my other browser, my favorite browser for privacy, and that’s the Epic browser, E-P-I-C. And I think on today’s coaching call, we’re going to end up talking a little bit about that Epic browser, because a lot of people are kind of concerned and confused. And the Epic browser also uses Chromium as a code base, which I think is good, because Chromium is kind of the standard. I also just dropped a note down for myself. But it also has the types of security that DuckDuckGo has; in fact, it’s kind of tied in hand in hand. It has VPN routes through it; it used to just be Indiana, now it routes through a whole bunch of different places. So check it out: E-P-I-C, epicbrowser.com. Epicbrowser.com online, and use DuckDuckGo whenever you can for your searches, if you want to try and keep things a little bit on the private side. And if you’re very paranoid, your best bet, well, it depends on how paranoid, right? If you’re like crazy paranoid, we’re not going to talk about that right now. I could help you out. But if you’re more paranoid, do the other thing I do, which is just switch it up: use different search engines, use different browsers, use different machines when it comes to banking, because I don’t want my banking information to be stolen. And I got to get back to some of what I’m doing, some of it. Some of it I’m not. If you’re interested, let me know; it might be worth doing a masterclass about, you know, how to do this, how to do it for free even, and keep your banking information safe. So I should write a little note about that. Well, we have a warning from Google; we’re going to get into that right now.

Craig 7:33
Well, our friends at Google have been paying attention to security for a while. If you have the latest versions of the Google Chrome browser, you’re getting automatic updates. It’s a technology that the Firefox Mozilla people have been using for a long time.

Craig 7:48
And these auto updates are absolutely fantastic. It can just save you a ton, not only of time, but of not having to apply the updates. But, you know, security: people can break in, drive-by downloads, you know, all the crap that happens when you’re online. So Google has been very good about updating their Google Chrome browser, and the Chromium underpinnings, you know, they get updated as well. But the browser is really where they’re most interested. Well, now, Google is warning people about Windows 7. You know, if you’ve been listening for a while, that a month or so ago, Microsoft told you to ditch it, to drag Internet Explorer into that trash can and never use it again. You know that, right? Number two now, with Google out here, is Google’s recommending Windows 7 users stop using Windows 7 and upgrade immediately to Windows 10, if at all possible. And this is because of something called a kernel vulnerability. The kernel is the core part of the operating system. The kernel is where everything happens; really, the kernel is how all of the processes talk to each other, how they can access hardware resources, like the disk, or the camera, the microphone, the speakers. Everything on your computer ultimately goes through what’s called the kernel.

Craig 9:18
Wow. Well, the Threat Analysis Group has explained that Google’s discovered two different security vulnerabilities, one in the Google Chrome browser and the other one in Windows. The Chrome bug was already patched, but Windows 7 is not yet fixed. Now this month, the Patch Tuesday from Microsoft has a doozy set of patches, a whole bunch of them; Microsoft is fixing all kinds of major flaws and vulnerabilities in their software. I don’t think this particular fix is in that patch set, but it’ll be out sometime, I’m sure. Microsoft is saying the vulnerability is in the win32k.sys kernel driver, and it can be used as a security sandbox escape. Now, this is getting all rather technical, but sandboxes are where you set up basically a way to execute software that nothing else can get access to, and it can’t get access to anything else as well. So you use sandboxes for security. And having a major security problem with the security sandbox obviously is very big. So here’s the statement: “We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Windows 10 and 8, although Windows 10 has the most fixes. They’ve done a lot there.

Craig 10:53
They’re trying to make it as good as Mac OS. It’ll be a while before they get there. But they’re almost to the point that Unix was at 20 years ago. So, you know, kudos to Microsoft. Back to the quote: “To date, we have only observed active exploitation against Windows 7 32-bit systems.” So the note from our friends at Google and their security research team is: get rid of Windows 7, upgrade to Windows 10 as soon as you can. Microsoft says it is working on a fix. They are publicly disclosing the existence; they’re saying it is a serious vulnerability. So they’re admitting it, no big deal. We’ll see. By the way, Windows 7 is reaching the end of support at the end of 2019; it’s actually January 2020, read it however you want. But you’ve only got months left before Windows 7 will no longer get patches unless you pay Microsoft a king’s ransom. In other words, our federal government will be spending a lot on software with Microsoft, I’m sure, in the years ahead. It’s still paying Microsoft to support Windows XP. Isn’t that crazy? Let’s talk about our new cars for a second.

Craig 12:19
We talked last week a little bit about our cars and insurance with autonomous vehicles. What does it mean? When are things going to get better? When are they going to get worse? Well, we have more smarts in cars today. They have something called CAN bus which links up all of these computers throughout the machine, throughout your car. You know, most cars nowadays, the more modern ones, don’t even have a connection from your stereo to the speakers directly. There’s no amplifier in there. It’s all going over this network in your car, a little LAN in the car. Well, that means that computers are there and they can be exploited. We have already seen that; we saw a hack that went through the radio in some of the Chrysler products and allowed people to remote control Chrysler cars if they used this hack on their radios. So it is a concern. I’m not sure they’ve addressed it all well enough, and I’m not just talking about Chrysler here, I’m talking about everybody. It gets me very concerned. There’s been issues with BMW and others in the past as well. Well, there’s a British infosec company called Pen Test Partners, and they found that the Viper SmartStart alarm and products from Pandora were riddled with flaws. And these flaws allowed an attacker to steal a car fitted with one of these devices. So if you have a Viper Smart alarm, the SmartStart alarm, which I do know people who have, I’m gonna have to reach out and let them know individually in case they’re not listening today. But the Viper SmartStart alarm and products from Pandora allow cars to be hijacked. And now here’s from a blog post about their finding from Pen Test Partners: before we contacted them, the manufacturers had inadvertently exposed about 3 million cars to theft and their users to hijack.

Craig 14:28
This is a very, very big deal. This was really started because of Pandora’s alarms. The company noticed that their security was advertised as being unhackable, which is a bad thing to say, right? What’s unhackable? So I guess Pen Test Partners took that as a challenge. And they found an API, which is this application programming interface, and some simple parameter manipulation that allowed them to be able to change the Viper SmartStart user’s account password and registered email address, giving them full control over the app and the car that the alarm system was installed on. All they had to do was send a regular web POST request to the API with a parameter, email, redefined to one of their own choice, and that overrode the legitimate owner’s email address, and now they had control over the account. So there you go. Okay, major issues: using the app’s ability to clone the key fob, issue RF commands from a user’s mobile phone. And they dug into this a little bit more, by the way, and they discovered a function in the Viper interface that remotely turned off the car’s engine. So the Pandora bug also allowed researchers to remotely enable the car’s microphone so they could listen to, eavesdrop on, the conversation of the occupants. And they also said the Mazda 6, the Range Rover Sport, the Kia, what is this, Quoris I guess, the Toyota 4Runner, Mitsubishi Pajero, Toyota Prius 50, and the RAV4 all appear to have undocumented functionality present in the alarm API to remotely adjust the cruise control speed. So it goes on and on. Car security remains poor, and you don’t need guns, you don’t need lock picks, to steal modern cars, or even to cause them to crash.
I wonder if any of the crash investigators might look into this, if they realize, wait a minute, there’s a remote controllable API in this car; maybe we should subpoena the records from the manufacturer of the device and poke around a little bit and see if maybe someone manipulated it and told the car to floor it down a back road. We’re going to have to get a little smarter about some of this stuff, right? Even in the criminal investigations. Well, let’s talk about April 6 here. Wow, this is something I wasn’t even aware of until just this week.

Craig 17:21
Of course, I was aware April 6 was coming, people, okay. Don’t give me a hard time about that. Because, you know, I gotta remember April 8, which is my anniversary, right? So I don’t want to mess this up. April 6. Anyhow, I knew the 6th was coming. And it’s certainly getting close. But this has to do with GPS systems. If you remember 1999, if you were doing programming, if you were involved with computers back then, it was a scary time; many people kind of predicted the end of Western civilization. And they weren’t totally wrong about that either. Western civilization could really have come to an end because of what was called the Y2K bug. And it was because of programmers like me, in the 70s and 60s, that wrote software that said, well, if I want to figure out the time between this date and that date, all I have to do is use a two-digit year, and those two-digit years are going to take up less space in the storage. And if you have a million records, times two more digits, which typically would be 2 bytes, then, well, that’s, you know, 2 million more bytes of data, which at the time was a whole lot of data. So we took shortcuts, and one of the shortcuts was storing the year as just the last two digits. So we didn’t worry about the 19 part; we only worried about the 79 part or the 99 part. So there were a lot of predictions about software. And I knew a guy who started a company that was designing software to specifically look for this Y2K flaw and fix it. Of course, as it turned out, there were some problems; they were relatively minor. But most of the companies out there, certainly the ones that were in business, realized that Y2K was coming and made some basic adjustments so that there wouldn’t be a big problem. Many people expected there not to be another problem until maybe the year 10,000, right. So instead of Y2K, in the future, we’re probably not going to be around. But in another 8,000 years, we got another rollover. Well, that’s not the case.

Craig 19:43
I have been aware of what’s called the 2038 problem. Because in the Unix world, there’s a timestamp the Network Time Protocol uses and many machines use, which, by the way, Windows uses to synchronize times. Well, that particular clock is going to roll over in the year 2038. And that’s most likely to affect embedded systems. Now, there are fixes already in place, and many versions of Unix that are out there, Linux and some of these other derivatives, have already taken this into account. And then, of course, there’s bad programmers that really don’t realize all of the implications of what they do.

Craig 20:27
They’ve always existed and they’ll always exist. In fact, I think in many ways it’s getting worse than it was before, you know, the bad programmers, that is.

Craig 20:34
But maybe that’s because I’m just getting to be an old man, right? Been doing this for too long. So we know that the Y2K problem was real, and in most cases it was fixed. That 2038 problem is real; in most cases it will be fixed, although again, we’re going to be affecting embedded systems, in other words, those that don’t get the software update. When was the last time you upgraded the software in your car, or some other physical device, the clock on your desk? Hopefully, none of it’s going to be life-threatening, because some systems are using Unix, that is, embedded systems. Well, there’s another one, this is the April 6

Craig 21:18
bug. And this has to do with the GPS, and there are some security experts, including one guy over at RSA. And RSA does a whole ton of security work. They provide some of the algorithms that run public key systems. They have little key fobs, little devices that have a timer on them; you’ve seen them before. It’s a little number that rolls over every minute or so. And you might use them with your banks, etc. Well, those guys are the guys that are now warning about this April 6 problem. They talked about it at a security conference just last week out in San Francisco. And he says that some of the older GPS systems are going to be in serious trouble, because the computers in these GPS systems are going to have counters that flip back to zero. So they are going to literally run out of time, reaching the end of their counters. And that really could cause some major, major effects. This guy here, Bill Malik, there’s another guy, he’s a VP over at Trend Micro; they do a lot of computer security, cybersecurity. We’ve used some of their stuff in the past. He told the media that he would not be flying on April 6 and suggests that it could be bad, it could be a lot worse than Y2K was, because the effects are going to be more widespread, widespread because many more systems have integrated GPS into their operations. And many of these are embedded systems. Ports, he’s talking about here, loading and unloading containers automatically, using GPS to guide the cranes. Some of those systems could be affected, and the cranes are going to shut down. Hopefully, public safety systems, they use GPS: traffic monitoring systems for bridges, the bridges that raise and lower automatically, the ones that change the lanes. Ever been on one of those roads where part of the day this lane is northbound, the other part it’s southbound? You know, 20 years ago, these GPS systems were really in primitive shape, and they were embedded.
So the impact on this could be even greater. Governments have issued warnings to state and private sectors to update their technology. But some of these systems, we’re not even aware of how some of these work; companies have gone out of business, there’s no way to get an update, nobody really realizes there’s GPS in there. Because, you remember, GPS isn’t just used to locate you. GPS is used to locate because it uses very fancy high-resolution timers. And the way it works to locate you is it listens for the satellites to send a clock signal.

Craig 24:24
So each of the clocks will announce what time it is. And because the satellites are different distances from you, you will hear the time at different times, right? You know that if someone’s yelling at you from across the room, you hear it, or you see a gunshot at range, you will see the gunshot before you hear it, right? Well, if someone fires that gun right next to you, you’re going to hear it instantly, correct? So you know that the guy that fired the gun, and it took a second for that sound wave to reach you, you know that guy’s further away than the guy who fired the gun and immediately you heard it. Well, that’s how GPS works, using extremely high precision timers. So another thing people do with GPS signals is they use it to get a clock source. So many computers are using GPS receivers to figure out what time it is. So the systems that reverse traffic, that control bridges, etc., etc., many of them are syncing their clocks and their timers up to GPS. And when it’s an embedded system that hasn’t been updated, we could have some serious, serious problems. A couple of real quick things here before we go today. And of course, you’ll find these articles and many more up on my website, http://CraigPeterson.com. I have also been doing a special podcast called It’s A Security Thing; you’re not going to find it unless you look for me, because I haven’t split it out yet. But in it, I’m talking about these types of security issues, things in the real world. This week, I was talking about a CPA firm, what they did to respond to a cybersecurity event; two weeks ago this happened, what they did right, what they did wrong, and you will find all kinds of these things. We’re posting them almost daily now at my website; there’s a special section, http://CraigPeterson.com. So make sure you have a look at it. We are writing all of these articles ourselves. These are not references to other articles. There might be links to other articles, but these are really great.
If you’re interested in cybersecurity and finding out more, you’ll find them on my home page, again, http://CraigPeterson.com, and it’s all small businesses. It’s all things they did right, things they did wrong, and what happened, and they’re all very, very current. So check it out. You really, really should. And we’re also sending some of those in my weekly email. If you’re not a subscriber: http://CraigPeterson.com/subscribe. Apple is crushing it on resale value in their laptops, but also the iPhones; they destroy the Androids. iPhone X versus a Samsung Galaxy S9: wow, the iPhone X was $1,000 when it debuted; it’s still worth $700 nine months later. So that’s a drop of 30%. The Samsung Galaxy S9 cost $720, but it was worth just $290, a drop of 60%. So consider that too, when you’re looking at the prices of devices, what you should be buying, and by the way, you should be buying the iPhone. Hey, have a great week. Make sure you check us out online, http://CraigPeterson.com. Take care everybody, and we’ll be chatting again next week. Bye-bye.