Hackers Using New Email Attack and more all on TTWCP Radio Show: Hackers Using New Email Attack and more all on TTWCP Radio Show [12-01-2018]

On This Episode…

Want to add two years to your life?  Wear an Apple watch. Yes indeed researchers found that just that extra day and a half of physical activity a month increases your expected lifespan by about two years.

Marriott, Marriott, Marriott, Marriott. They are a hotelier, they’ve got restaurants, etc. And they have some entertainment complexes. So, that’s the business they are in, they are not in the IT business and they are not in the security business. Marriott bought Starwood resorts wanted to move them off of this crazy PC system that they had and move them over to a mainframe system. Bad guys had been in their systems and able to access them since 2014.

Do you know how much it takes how much time and effort and money it takes to become a data protection officer? It’s incredible. It’s absolutely incredible. 90 minutes is what it takes to take the course to pass the exam to call yourself a GDPR compliant data protection officer, 90 minutes. Amazing


Related Articles

Share This Episode

For Questions, Call or Text:



Below is a rush transcript of this segment, it might contain errors.

Airing date: 12/08/2018

Hackers Using New Email Attack

Craig Peterson: 0:00

Hi everybody. Craig Peterson here. Welcome to show number 984. Wow. We’ve been busy. And that’s a weekly show. 994 By the way, we have been on the air for many, many years. And those people who’ve been listening on to podcasts you know I’ve been podcasting for narrow on 20 years of course before it was even called podcasting. But today we are doing both on the air in podcasting if you want to listen to the podcast just sign up go to http://CraigPeterson.com/iTunes. You can also while you are there, leave a comment hopefully a little five-star review. I’ve appreciated those people that have taken the time to leave their comments or send an email to me@craigpeterson.com and let me know what they appreciate about the show. What are the things they got the most from and the most of just me@craigpeterson.com. I really appreciate your feedback. And the show, as you might imagine, is a lot of work to put together. And you know, it is a labor of love. And I really hope I’m helping you out Well, today, of course, we are going to be covering some of the technology topics that are going to impact us the most. And typically, that means security stuff, doesn’t it? So we’re going to talk a little bit about 23andMe. And this ties into a bit of a theme this week. How much information do people have about you? What are they doing with it and should you worry about it because there’s another one Delta Yeah, Delta Airlines in Atlanta they’ve got the US is first biometric terminal. We’ll talk about that and see if that’s something that maybe, maybe you want to avoid. We got a Marriott hack. Of course, we’re going to talk a little bit about that this week as well. Because that’s a very, very big deal. And in fact, I am going to this coming week make another free offer. We’ve been working on it this week, a special report not going to cost anybody a dime with some really cool free upgrades as well. I really want to get more information to you. So we’ll be talking about that but all about how to keep your credit safe. What is a credit report mean? I saw a stat last week that really kind of surprised me. And that is that three out of five Americans have never gotten their free credit report or any free or paid right to look at three out of five. So we’re gonna have a special report on that that’s going to be coming out, we’re gonna have a special report on how to absolutely protect your credit, don’t send the money off to Lifelock or some of these other guys out there, you can do better in fact, than Lifelock is Lifelock is going to notice after the fact hopefully that someone has tried to open an account in your name, and then you have to deal with it. Or hopefully, they’ll notice that someone just stole money from your checking account because of your debit card miss being misused. Hopefully, it’s going to get all squared away. But it’s going to take your time, your money, and it can be just a total disaster for you. So there is a way to make sure it doesn’t happen in the first place. And we’re guaranteed in this day and age that if we haven’t been hacked, we are about to be hacked, right. Just think of all of the major hacks over the last couple of years. So I’ve got a solution we’ve been working on it we’re putting it all together and we’re going to offer to you our listeners anybody on my insider’s email list, so make sure you are subscribed. We’ve worked hard on it this week. It’s not quite done yet I had hoped it would be done before the show today so make sure you are signed up for my email you can go to http://CraigPeterson.com/subscribe and give me your name and email address. I don’t harass you I don’t sell my mailing list to anybody use it to get my weekly show notes out to you. And if we have these free special report to let you know or the free master classes or master courses that’s what we use it for. It’s for getting information out so http://CraigPeterson.com/subscribe if you’ve already done it. Hey, thanks to you. I really appreciate it. We are down below 4000 subscribers. I think right now because we’ve been cleaning up the list. So if you haven’t been opening my emails or you haven’t been clicking on them in the last six months we’ve deleted you from our list and you might have to re-sign up so again http://CraigPeterson.com/subscribe, I’m going to immediately small You know, my system is going to immediately send you an email to verify it was you have to click on that link. So it’ll show up in your mailbox a minute to two minutes later, click on that link to confirm it. You and then you be on you’ll be able to get these special reports that are free you’re going to be able to get these master classes that at least information about them that are free and the master courses, as well as they, are released. And, and special alerts about some of the worst things that are happening out there. And by the way, if you are podcast listener, and you are not subscribed, you can get it at http://CraigPeterson.com/iTunes. But that’s another great way to find out what’s happening in advance of everybody else. Because Monday, Tuesdays, and Wednesdays I typically release a podcast and it’s me on some of the major radio stations throughout the northeast and the interviews that I do I’m a guest on those shows and I will be talking in no-shows I always talk about the latest and greatest and technology sometimes on other stations but usually it’s it’s iHeart. It’s the old Clear Channel media guys thanks to them as well.

Craig Peterson 6:07
So in addition to the bad news this week there’s a very cool story and that’s how I want to start out today you’ll see it up on my website at http://CraigPeterson.com and this is out of the UK but it’s talking about some new research. Did you know that having an Apple Watch could add two years to your life? Yes indeed researchers that wanted an Apple Watch for Christmas

Craig Peterson 6:34
kidding although hey maybe this is a good, good excuse right? Researchers have found that and looking at 400,000 adults that those that had the Apple Watch or other fitness trackers and use them to track their fitness saw active saw their activity levels increase by more than a third that’s pretty much now if you add all of that up and you look at the stats here that people would trackers managed four and a half or almost five days really five days activity a month on average. So it’s not like these are gym rats, right? These are just regular people you got the tracker it’s in your Apple Watch remind you should go walk in right now. So it’s five days if you have the tracker versus three days, three and a half days for people who don’t have the devices now what’s interesting is that just that extra day and a half of physical activity a month increases your expected lifespan by about two years. Isn’t that amazing? Now some of the biggest changes we’re seeing amongst people who were overweight and the people who were the least active, to begin with and I think that kind of makes sense right that at least it does to me this was commissioned by health insurers over in the UK how second Matt Hancock the National Health Service over there was the forefront in the digital revolution in health so very good technology and a great excuse to start using one of these fitness trackers Of course just having it doesn’t do anything you got to use the darn thing okay Marriott. Marriott, Marriott, Marriott, Marriott. Now I don’t want to totally blame Marriott for this because Marriott is someone that found the problem, you know Marriott’s been on an acquisition spree they have bought some amazing hotel chains. But as is often the case in business, we are involved with our day to day operations. Right, Marriott? It is a hotel business. Right, it’s a hotelier, they’ve got restaurants, etc. And they have some entertainment complexes. So that’s the business they are in, they are not in the IT business and they are not in the security business. At least that’s the mentality. That’s the mentality, I would say, of 99% of the businesses I talked to,

Craig Peterson 9:08
and I get it, Okay, I get it, I get it, I get it. You make widgets, right? Or you have clients that you’re servicing. But in this day and age, you have to have competent it people and even more competent security people. Because if you don’t have those people on your staff, you’re going to be in trouble. And we see it again and again, you saw what happened with TJ access, the TJ Maxx stores where they were hacked. And they were hacked in a crazy big way. We had Home Depot, they were hacked, and in both cases, they should have known better and we can get into a lot of the details about it, Equifax, they should have known better Heck, they are in the technology business, right? They’re keeping tabs on all of us and our credit scores. And that makes sense to you. Well, they bought this chain of hotels known as the Starwood. Right. Starwood something group. I can’t remember what it stands for. But it’s now called Marriott Starwood division and Marriott uses mainframes and I think that’s a brilliant idea. By the way, you know, using PC’s for most larger companies is just absolutely insane. It just doesn’t make any sense. So Marriott bought Starwood resorts wanted to move them off of this crazy PC system that they had and move them over to a mainframe system. Now, don’t get me wrong, right? There are places where PCs make sense. In those cases, you might want to look at Apple or even a Linux terminal desktop depending on what you’re doing. It may or may not work for you or even better in this day and age iPads with something really powerful and strong behind them but anyways, Marriott is using these mainframe computers so they had to take the system that Starwood was using and port all of the data over to the mainframe and they’ve been working on it they got it completed this summer sometime well as they were going through this their security people over at Marriott. Notice something now something weird, and

Craig Peterson 11:22
I gotta stop for a second and say something weird is usually a sign people don’t put on blinders. Don’t ignore it. You know, I complain about my kids just walking past the trash cans, right? Trash days. Wednesday, what day is it today, kids Monday, Tuesday,
what are those down by the street because every day I see the trash cans out there. And now you’re trying to remember to remind the kids to take care of it. And most of the time I grabbed the trash cans or my wife grabs a trash can, right and brings them up to the house because they’re just not noticing that detail. And it’s a pretty prominent detail. We have some big trash cans, right? I got a big family. There’s a lot of trash every week. And they still manage not to notice it. And we see this in a business where something weird has been going on. It’s been going on for a while. But you know, we were still able to do our business. But in many cases, it’s an email thing. But you know, can you come and have a look at this. Our emails just acting weird, it’s slow. We’re not sure what’s happening are some of our customers or vendors and been getting emails from us that we didn’t think we sent and what’s going on.

Craig Peterson 12:41
So we see this all the time, we brought the FBI in on one of these investigations that started just with weirdness in the email that was ignored for a long, long time. And it ended up we found Chinese active Chinese backdoors right into their systems. Okay, so so don’t ignore weird stuff. Well, in this case, Marriott security guys noticed some weird stuff because the computer systems that were running brands you’ve heard of, and you may have stayed in like W. Hotels, Sheraton, who has a state in the Sheraton limit ran and Four Points by Sheraton and some others, right. Just think of all of the Starwood properties.

Craig Peterson 13:26
I stayed in the Le Meridien when I was in Paris. Last and I’ve stayed in Sheraton’s and I stayed in a W, we had a conference in the W. And I’ve stayed up for points. I stayed at all of those hotels. So they’re going through the data, the going through the databases, the monitoring the systems as they’re integrated into their new mainframe, and they notice some weirdness. Well, it turns out that what has been happening, just like with this client that we picked up just a few months back looks like what’s been happening is bad guys

Craig Peterson 14:01
had been in their systems and able to access them since 2014. So let me see it is right now as we are talking, in fact, it’s almost 2019. And that means they went in for what almost give or take for years. And apparently, they discovered that this unauthorized party had copied and encrypted information on their systems. Now, encrypting your information that kind of sounds like it might have been one of these ransomware type things, hard to say. Where they tried to hold stuff ransom, did the Starwood group not even notice the rent some emails, I’m going to come in? I, I don’t know. Right? I’m kind of only half joking here. But the databases that apparently were stolen they were copied contained records of 500 million customers think about that number. What would happen with you and your business how many customer records Do you have what would happen if your competitors got a hold of that data right what would happen if it was personally identifiable information like it was here with Starwood apparently about 327 million guests records included some combination of name, address, phone number, email address, passport number account information date of birth, sex, arrival and departure information so that’s everything a scam artist needs to scam someone and we’re going to talk about that here that’s going to be next got another article we’ll get to about how those scams are perpetrated right now but wow.

Craig Peterson 15:57
Now some records also occluded according to Marriott included encrypted payment card information, but could not rule out the possibility that the encryption keys had also been stolen. So not entirely Marriott’s fault it was Starwood, they weren’t in like it or security business know they are in the hotel, your business right now everybody’s in the high tea business nowadays, pounding the table here drives me crazy. You’ve got to have competent security people in that does not mean the guy that spent an hour and a half or maybe six weeks in some security course they don’t know enough, they can’t do enough. You have to have experience. We’re working with a client right now over in Europe. And this client has to comply with the new GDPR regulations in Europe as you do too. Bye. Either way, if you have a single customer in Europe, okay. And he hired a data protection officer. Well,

Craig Peterson 17:08
Do you know how much it takes how much time and effort and money it takes to become a data protection officer? It’s incredible. It’s absolutely incredible. 90 minutes is what it takes to take the course to pass the exam to call yourself a GDPR compliant data protection officer, 90 minutes. So we did a cyber health assessment
of their network. They have like 40 computers on their network, their smaller business and we found incredible it was it’s over 100 million euros worth of liability. So, we gave this new data protection officer the report and we said hey, listen, you know, we talked to them first, and we sent them the report after Hey, listen, there’s a lot of data in here. We’re more than glad to go through it with you, review it, help you understand it, whatever we need to do to help you out because there’s some serious deficiencies here and Okay, great. Yeah, we’ll do so we

Craig Peterson 18:09
he sends back a message a few days later because we had detail in there every computer every problem on that computer, the fact that there was no anti-virus, etc. So, he sends a thing back saying, well, Windows Defender was on these computers. Yeah, okay. But Windows Defender is not considered to be a third-party antivirus and does not meet any of the regulations.

Craig Peterson 18:33
If you’re regulated industry at all. If you take credit cards, Windows Defender is not enough according to the laws in the contract, you will have signed and you should read that detailed contract. If you collect credit cards as to what that means, okay, pay attention to the details.

Craig Peterson 18:55
And then he says, well, it has McAfee’s Malwarebytes on this one machine. Well, Malwarebytes has nothing to do with McAfee Malwarebytes, by the way, is great software, okay, don’t get me wrong, we use it. But it’s just one piece, you have to have this onion. So I’m sorry, I’m just kind of going crazy here. But Starwood thought they were not in the security or it business obviously every business today that I can think of except maybe Mr. Slate from the Corey on the Flintstones every business I can think of today has it and depends on it and depends on security So please, please, please, please, please please vet your people and we have a special report in the works again another free special report that talks about how to vet these it people, how to vet some of the people that might be trying to handle your security so that you know and if you’re on my insiders list I will definitely let you know when that’s how that’s going to be free as well again http://CraigPeterson.com/subscribe so that you have all of that information. Okay. Alright, so I’m going to go right now into attackers here. What’s going on? Why does the email address matter?

Craig Peterson 20:26
I was talking this week with a couple of people about this real problem that we’re having right now. No, you know, if you’ve listened for a while that the FBI says the business email compromise has cost $12 billion in losses. That’s pretty dramatic. And that’s over the course of some years, a few years, but $12 billion is huge. So, I thought we’d take a couple of minutes right now since we were just talking about the Marriott hack and if you wanted to know more about that by the check out my podcast I talked a lot about it earlier this week, which is just Craig Peterson comm slash iTunes. And there’s quite a bit of background information that I gave this week. I’m not going to get into that anymore right now. But here’s the problem, right?

Craig Peterson 21:17
Why would you care? Why do you care? The core was attacked this last week, they disclose that they lost personal information and Cora’s a website. A lot of us use Quora, I love poking around on Quora, why would you care, that Starwood got hacked? Right? That new Marriott division 327 million people if they don’t have your credit card? What does that mean? If they do have your credit card? What does that mean? You know that having your debit card in the hands of the bad guys is very painful because any money they steal by using that debit card number comes where does it come from? You checking account, right? So we already know that. How about your credit card? If you notice that there were fraudulent charges on your credit card, you can report it and no big deal, right? At worst, they’re going to issue your new credit card and you’re going to have to change your credit card number with a few different people that you have on monthly payments, right? Not a terribly big deal. How about your email address, right? That’s even that’s even less worthwhile. I can see Craig I can see that having my bank account number stolen is bad debit card numbers. But you know, come on, what am I going to do get some more spam? Yes, you’re going to get some more spam but it’s a specific type of spam that were really worried about here I mean, really worried and I got a great article up on my website Craig Peterson, calm from security week that I think you might know, want to have a look at. But here’s the bottom line. If they get your email address, things become simple for them to try and scam you. And remember, I just said how much was that number from the FBI. $12 billion.

Craig Peterson 23:19
That’s huge losses, you know, no matter how well I guess if you’re the government, you might not notice 12 billion. But $12 billion is a lot of money to anybody.

Craig Peterson 23:32
What they’re doing is the attackers will use social engineering now, because they have your address to pose as a colleague or business partner. So they’ll run your email address through some databases, figure out what the business is maybe a couple of other people in the business that they can reach out to, if you’re a home user, they’ll try a completely different tactic. But they are going to try and trick you and they’re going to try and trick you into doing something you shouldn’t do. Now, that might be as simple as just clicking on a link. And we know that’s been effective for a lot of years. But these guys are getting better and better, the emails can be quite convincing. The attackers now are making a significant effort to identify an appropriate victim register a fake domain. So at first glance, the email appears to belong to a colleague or a supplier. I have personally seen intelligent educated people who have fallen for this and its really, really big account takeover here. Now attackers are using information and they are going after you they have special malware now t loggers that they’ll put onto your computer and hijack corporate email account. It can be as simple and I’ve I’ve pointed out this video before had it up on my website. It might still it’s probably still there. I’ve got stuff for the last 15 years up there, but of how a hacker from Eastern Europe used social engineering. And what she did was pretend to be somebody’s wife. Because she was able to figure out the guy was out of town, and he was on vacation. And that’s not hard to figure out. How many of us are posting on Facebook or on Twitter, or announcing here on the radio that we are leaving town? Bad, bad idea. So they now get access to your email box. Where does the change my password link? Go? Think about it. Where’s the last time you changed your password? Hopefully recently, where does that link go? Where does it take people? Well, that link goes to your email box. If they now have access to your email box which is relatively easy for the bad guys to do. They now can reset your bank account or other information Okay, that this goes on and on. I should produce some training on all of these individual things. But anyways, keep an eye out. I’ve got some special reports coming out. Make sure you have subscribed http://CraigPeterson.com/subscribe, get my insiders list. I don’t harass you. I’m not some internet marketer. That’s just selling stuff all of the time. I really am trying to help. And I was able to talk to quite a few new clients this week. And including a construction firm right here in the state and help them out and gave me some ideas of some other master classes we should have about how to do backups, how to have data protected at rest, how to do encrypted vault, all stuff that’s very complicated for the average person, the small business, the Soho, right small office, Home Office, so we got some great ideas from that and I’ll be doing those we’re gonna be doing master classes on all of those guaranteed not this year. Okay, we don’t have much time left. I have a lot of stuff to do before the end of the year. If you have ideas about things you think I should either talk about on the show or maybe I should be posting online or some master classes that you think would be useful to you and your business or your home. Email me@craigpeterson..com. me@craigpeterson.com or you can text me anytime 855-385-5553 that goes straight to me. And I usually can get back to you pretty quickly on weekends. Wait till Monday or so 855-385-5553 with any questions or comments that you have right there from your cell phone. Obviously normal data and texting rates will apply. Have a great week and we’ll be back next week with more from Craig Peterson. Bye-bye.

Malcare WordPress Security