TTWCP Radio Show - 2018-07-28: Gmail’s dirty little secret. Anti-Virus is now ineffective – SANS report. Stolen military drone document.
There is a new report out from SANS. Today, I will discuss what it said about Anti-Virus.
Can you believe the Military is using home grade routers and then not even changing the default password? We will discuss what led to some very important military documents showing up on the Dark Web and how it could have been prevented.
There is so much to talk about that I ran out of time so be sure to check out the related articles below.
Craig is putting up a new membership site (yes, it is free, but you have to sign up). It will carry all the special reports he puts out, and members will be the first to get them.
- Gmail app developers have been reading your emails
- Inside Facebook, Twitter and Google’s AI battle over your social lives
- A Hacker Sold U.S. Military Drone Documents On The Dark Web For Just $200
- Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States
- Google’s 89,000+ employees have had zero phishing incidents since switching to hardware security keys in 2017
- Thirty Years On, How Well Do Global Warming Predictions Stand Up?
- ‘Data is a fingerprint’: why you aren’t as anonymous as you think online
Airing date: 07/28/2018
Gmail’s dirty little secret. Anti-Virus is now ineffective – SANS report. Stolen military drone document.
Craig Peterson: [00:00:00] Hi everybody. Craig Peterson here. Thanks for joining us today. I don’t know if you can hear that little Roomba going in the background here, she’s cleaning up the room. We have a few things to talk about. This one is going to be kind of interesting. How well do the global warming predictions stand up? Because we’ve heard that. Of course, our whole world is about to fall apart. We’re going to drown if we live in Florida, and everything is over with. You probably remember some of this, we’ll talk a little bit about that. This is a very, very cool article from the Cato Institute. We’re going to talk about app developers here when it comes to Google. They have committed to not reading your e-mails, but the same is not true. Yes, the app developers, so what are they doing? Did you realize this? Yeah. Hey, we have lots going on there.
[00:00:53] Half of cyber attacks are, well, more than half, are undetected via antivirus software. Talk about that. A new report, a new study coming out of SANS, the SANS Institute. We’ve got military documents stolen. Some plans here about the drone, the number one drone, in fact, in the U.S. military, the MQ-9 Reaper drone, and it’s all because of something I warned you about here on this show a few months ago, if the military had been listening in. I know they do. But, if these guys had been listening in the military, we wouldn’t have lost those secret documents. Google. We’re going to talk about how they now have had no phishing incidents. More than eighty-nine thousand employees. How did they do that? Well, we’ll talk about that. The top voting machine vendor has admitted something that I suspected for a very long time. Yeah, how can you trust vendors of software and make sure they don’t install backdoors? How can you do that? Yeah. Well, we’ll talk about that a little bit. You know, I’m thinking about it, we’re not going to get to all of these today. You ought to check them out on my Web site. Inside Facebook and Twitter, the artificial intelligence battle going on over our social lives, and Data as a fingerprint, in fact, data is a fingerprint. We’ll talk about what that means to you, as well. Because you’re not as safe and private online as you might think you are. All right, let’s see how far we can get today.
[00:02:36] All right. We’re going to start here with tech’s dirty little secret. Now, we know about Facebook. Did you see their stock this week? Wild ride. I think that Facebook stock was down 25 percent at one point. The way Facebook has been treating its users is just abysmal, frankly. You do remember a few years ago we talked about this on the show here, but a few years ago when Facebook decided that if you liked somebody’s page, so let’s say I had a page, which I did, online, and a lot of celebrities had a page on Facebook as well. And they would post stuff for their audience, the people that liked them, right. So, you could follow any kind of celebrity you wanted on Facebook. You could follow somebody that was a musician because you enjoyed their music, and there’s a couple of them out there that I really enjoy, some new guys. Anyhow, you could have the musician, you could have someone like me or maybe another radio personality, whomever, so you follow them, you like their page on Facebook, and when they posted something it would show up in your feed. So, you would see what they had to say, and that was the idea, right. You followed them, you liked them because you wanted to see what they had to say. Is that simple enough for you? And, what’s happened now is Facebook says, OK, well, you have a million followers, I’m going to show your post to maybe 500. If you want your post to be seen by more people, you have to pay. And, they do that to me all of the time, which is why I’m not a, you know, big Facebook user. Well, one of the reasons I’m not a big Facebook user. But I do post stuff up there and they say “hey, pay five bucks, and we’ll go ahead, and we will show your post to more people.”
[00:04:27] Well, wait a minute, these people said that they wanted to follow me. They wanted to hear from me. Why do you not show them my information? So, a lot of the big celebrities just said forget it. Some of the people that had more than a million likes on their Facebook fan pages said forget it, I’m gone. They deleted the whole account. They left. Now, this is a few years ago. Fast forward to today. We’ve got Facebook doing even more deciding, because they’re the Decider, more deciding about what it is you might want to see. What you don’t want to see. Doesn’t matter what you say, doesn’t matter that you like the page, doesn’t matter that they’re a family member. If it says congratulations, OK, great. They give it a high ranking and you’re more likely to see it. But, I want to know what my family members are saying. I want to know what the people I’m following are saying. Is that too difficult? Is that something that Facebook can’t do for me? Right, I think that’s a really, really big deal, frankly, because that’s why I was on Facebook in the first place. To find out what these people had to say. But no, Facebook is busy trying to game you, to get you to click on something, to feed you stuff. And particularly those people who are libertarian like myself, or maybe they’re conservative. And Facebook has been using academics to come in and spend some serious time helping them develop their algorithms. And you know the academics know better than you do. So, they’re going to give you what they think you should see, which does not include anything that isn’t on the Socialist Left, right.
[00:06:13] That’s kind of the bottom line on this.
[00:06:16] Obviously they’re not going to feed anything from the hard right. But the question is, where’s that line? And, so just a regular moderate conservative person who’s out there, middle of the road, is considered to be too far to the right by many of the algorithms. So your information is put out there. So, there’s a lot of reasons people aren’t using Facebook the way they used to. Their profit forecast was down. So, their stock went way, way down. And, they’ve been penalized, right. The free market at work. Well, Google is getting into, say it has gotten into, and it’s continuing to get into, some trouble as well.
[00:06:59] What’s been going on on the Google front is kind of interesting, because Google was going through all of your mail. If you had Gmail, Google went through it. They were looking for things and showing you ads based on what was in your e-mail. So, you know, people kind of got upset, because all of a sudden Google would be sending out a message about your bereavement. Because there was an e-mail about some uncle dying or something, and you would wonder about those ads. What are those ads all about? What’s Google doing here? And so Google committed, this was what, two or three years ago.
[00:07:32] Committed to not going through e-mail, and while the dirty secret is that they may not be going through it, a Wall Street Journal examination found that app developers, software developers who are using Google’s APIs, are going through your e-mails. One of the companies that they had a look at, and this is from an article from Douglas MacMillan over at the Wall Street Journal. One of those companies is Return Path Inc. Now they collect data from marketers, they scan the inboxes of more than 2 million people who signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft or Yahoo email address, so, think about this. Think about that. What was that silly game that people used to play over on Facebook where you are planting things, you know, you’re a farmer? What is the name of that? If you know the name, go ahead and text me, 855-385-5553, 855-385-5553. I can’t think of it, anyway.
[00:08:41] Those games, when you sign up for them, the app developers now gain access to certain of your information, and they don’t have to be a game. They can be a tool, and you might remember of course that’s what Cambridge Analytica was doing, yeah, take our survey, and now they’ve gained access to all kinds of Facebook information about you and your friends and their profiles. Right, then that’s why they got into so much trouble. That’s why Facebook, also this week, got this huge fine from the European Union. The maximum fine possible under this new GDPR, which is the new data protection policy. So, they levied the maximum fine possible, which really, Facebook’s not going to notice from a financial standpoint, because Facebook just makes so much money.
[00:09:29] So, Google is giving that information away. You’ve got to be careful. Oh, yeah, Farmville. That’s what it was. Thanks, guys. Farmville. There are a few of them, I guess, but that’s the one I was thinking of, Farmville.
[00:09:43] So, Return Path is one of them.
[00:09:46] They’re analyzing about 100 million emails a day, apparently, and at one point two years ago Return Path employees were reading about 8000 unredacted emails. Employees. Okay, real people reading your emails, eight thousand a day, while they’re training their software. So, in another case, we’ve got Edison Software, which is another Gmail developer. They make this mobile app for reading and organizing your email. They personally reviewed the emails of hundreds of users to build a new feature, and that’s according to the company’s CEO. So, letting employees read private, potentially private, right, not necessarily all e-mails are private, but you know, you consider e-mail private, don’t you? That’s a reasonable expectation, isn’t it? You’d be upset if you found out people were reading your e-mails, right. So, in this case, it’s become common practice for employees to read your e-mail. And frankly, it’s a dirty little secret. Now neither Return Path nor Edison asked users specifically if it could read their e-mails. They were just granted access to it. Really, really bad news here. Now Facebook has allowed outside developers to gain access to the user’s data, we know about that because of the Cambridge Analytica breach. Facebook says it stopped it in 2015. We’re not going to go into all of that, but it’s really kind of interesting to look at all of this, but remember, your data is not your data. Again, you are the product, right? We keep having to say that, but a lot of people seem to forget about it. You are the product, you are not the customer. So, keep that in mind as you are going online and use your free e-mail and your free Facebook site, your free etcetera. Right. It isn’t free. There is a cost.
[00:11:55] All right, it is cyber attack time here with Craig Peterson. You know, that’s what I do for a living. I don’t attack people, I protect them from attacks. In fact, most of the time I get involved with a company when they have already been attacked. I picked up three or four new clients this week alone that have been attacked. One of them basically lost all of their finances. This is a small family-owned business and they made, really, kind of a cool little device, and wow, things are bad when your bank account information is used, or when your payments are redirected from you, when the hackers get into your computers and gain access to your bank accounts and just wire the money out. It’s gone in 90 seconds. It’s just nuts what happens out there. Well, SANS came out, the SANS Institute.
[00:12:53] Now, these are great guys and gals, obviously, and they put together a number of training courses that you might want to check out online at SANS dot org. Now one of the things they do is, obviously, they keep track of the exploits, and they just came out with their 2018 survey on Endpoint Protection and Response. So, they polled almost 300 I.T., information technology, professionals. They asked about endpoint security concerns and practices in this year’s survey. I want you guys to think about this for yourself. How do you measure up? Where do you fall in this survey, if you were asked? OK. 42 percent of respondents reported endpoint exploits. So, that’s pretty darn high. That’s almost half, getting close to half of the respondents. These are information technology professionals, so these are people who know the bottom line here of whether or not they’re hacked, at least they’re supposed to. And, almost half of them said that they did have exploits on endpoints. Now what’s the endpoint? Those are your computers. Basically, it’s your Windows machines for the most part. Maybe your Mac? Your Linux machine? Etcetera. Now, what’s good about this is they’re saying that’s down from 53 percent last year, but the number of those who reported that they didn’t know that they’d been breached jumped from 10 percent to 20 percent.
[00:14:36] So, maybe we’re getting a little less honest, in some regards, this year with the tools, now.
[00:14:43] You know, I’ve talked about this before, in fact, if you attend one of my webinars I’ll go through these stats, but what is being reported right now from our friends over at SANS is that your traditional antivirus software just doesn’t work anymore. Antivirus systems, according to the survey. Now, these are professionals, right. This isn’t me. This isn’t some marketer, right. Do you believe these guys? Do you believe these I.T. professionals? Well, they’re saying that the antivirus systems, the traditional antivirus stuff, only detected endpoint compromise 47 percent of the time, 47 percent. Other attacks were caught through various types of automated alerts, endpoint detection and response platforms, 32 to 26 percent. OK, so the most important attacks are intended to exploit the users. More than 50 percent of respondents reported drive-by incidents on the web. Now, all of this stuff is preventable, and I think the industry, the security industry, is doing everyone a huge disservice because they’re all tooting their horns about how great they are, and yet they are not great. None of the standard antivirus software companies you can think of, none of the standard firewall firms you can think of, none of these guys are actually anywhere near as good as they need to be or should be. And, I’ve said this before, right.
[00:16:27] And so how can you believe their marketing? You’ve got John McAfee out there, the founder of McAfee anti-virus, saying McAfee antivirus is the worst. You’ve got a Symantec senior executive saying yeah, antivirus is dead, don’t use Symantec because it’s just not worth it. And, then by the way somehow leaving his position the next day, it’s just amazing. So, it goes on and on, but credential theft was used in many of these compromises. So, keep an eye on that. Keep an eye on phishing, make sure you know what’s happening. You want to use a really, really good stack. You’re not going to find that, frankly, from anybody right now except Cisco. And unfortunately, it’s not just antivirus software anymore. It’s what we’re doing now. And what you’re going to see most of the really good security professionals doing is a layered approach. I mean layered, layers upon layers, there’s multiple layers on the endpoint, multiple layers on your computer. There’s multiple layers on the network, and there’s multiple layers at the network edge, where you might find a firewall. Okay. So, keep an eye out for that. And while it’s disappointing, somehow this SANS survey is not surprising. Things are getting worse in anti-virus software; it’s effective in less than half of the cases.
[00:18:04] Speaking of antivirus and hacks, we talked on the show before, and it was all over the news, about what the FBI had to say. Now, you know I worked with the FBI pretty closely. I run their national webinars for the entire InfraGard program, which is the Infrastructure Guardian stuff. Check it out online, infragard dot org, if you’re involved with protecting your company’s physical facilities, or maybe your data facilities, networks and stuff, check it out, infragard dot org. There are chapters everywhere, there’s like 80 chapters, I think eighty plus nationwide, and there is one in every state, even here in New England. We have these chapters, so join your chapter. Keep up to date, know what’s going on, it’s so important to have that information. In fact, you’ve got to get to the webinar I’m doing again. We bring in experts, right. In a few weeks we’re going to be talking with FRSecure about this very issue here of how do you do security, because, you know, I mentioned before the break in the last segment here how we have multiple layers on every part of the whole infrastructure. Well, he goes into some more detail where he’s talking about the employees and the physical infrastructure. It’s all well and good if you’ve got the best, you know, firewall and anti-malware prevention and protection software and IDS and IPS, and all this stuff. But what if someone walks out the door with your server? And that’s part of the HIPAA regulations. By the way, if you are involved with a medical practice, you’ve got to make sure all of your devices are physically locked down. All right, so there’s a lot to know, a lot to remember, a lot to learn.
[00:19:52] So we’ll be having him on. I just recorded the webinar with him yesterday, in fact, we’re having him on soon. So. The FBI warned, and I brought it up here on the radio show too, before the FBI warning came out, warned globally that there are hackers who have hacked many of our routers. If you’re using a router that has not had a software update, a firmware update, in a while? Particularly if you’re using a lower-end router, like a small business router or a personal router for your home. That device has been used to send all of your data to Russia, where important information is harvested out of it, and then it is sent back to you. So, you don’t even know it’s happened. It’s really bad. Some of the stuff is crazy complex that they’re doing. So, if you have not updated your router yet, I’ve got an article about that up on my Web site that leads you through, gives you step by step depending on who the manufacturer is. Some of the older ones you will not be able to update or upgrade. If you have a true business class router, a higher end router and firewall, something you pay north of two thousand to five thousand dollars for. And, by the way, you should be paying around five grand for a decent firewall nowadays. But if you have one of these you’re probably OK, at least for now. This article, and I mentioned this at the beginning of this show, is mind-blowing, because it’s our number 1 drone out there, the MQ-9 Reaper drone. This is the number one drone, the top in the world. This thing can send missiles and can just do all kinds of stuff.
[00:21:46] Well, we found online in the dark web, and by the way, I hope you’re doing Dark Web scans for yourself and your family, or having them done. But we found out there the plans, not for the Reaper itself, but the entire maintenance manual, the manual on the MQ-9 Reaper, wow, OK. This is the maintenance. Delta training is included in this, where it’s showing how to use the Reaper to attack and to blow up IEDs that might be on the road. How to hit a convoy, OK. All of this information, and it is being sold for, drum roll please, between 150 and 200 dollars for the lot.
[00:22:39] Isn’t that something? How did they get the information?
[00:22:44] Well, turns out, apparently, and this is according to Bleeping Computer here, Catalin, but apparently the military base’s I.T. team had not changed their router’s default FTP credentials. In other words, the default credentials. Now they’re using a Netgear
[00:23:08] router. WHAT???? That is a personal home router, it is not military grade, it’s not business grade. What the heck are they doing using a Netgear router, are they NUTS? And for two years, give or take, we’ve known that these Netgear routers have a default set of FTP credentials.
[00:23:34] So, the hacker also bragged about accessing footage of the MQ-1 Predator. My gosh, what’s going on?
[00:23:44] So, if you’re a business, don’t use these things! If you’re the military, what the heck are you doing using these things? And if you’re just a listener wondering what’s going on, appreciate you joining us today. Craig Peterson, of course, you can visit me online, all of today’s articles including the ones we didn’t get to, like, 30 years on, how well did global warming predictions stand up? Quick answer. They didn’t.
[00:24:08] And Google’s 90,000 employees, how did they stop phishing? I’m going to have to do a special on that one. Top voting machine vendor admits it installed remote access software on voting machines that were sold to states. Your data is a fingerprint. And Facebook, Google, Twitter, they’re all using AI to battle over your content. It’s kind of interesting, lots of stuff. Of course, we don’t have time to get to it today. But, I appreciate you guys joining me. Visit me online, Craig Peterson dot com. Make sure you get my alerts. The only way to do that is to text me.
[00:24:47] You can ask any question, you can sign up for alerts, whatever you want. 855-385-5553, 855-385-5553. Have a great week. Thanks for joining us. Bye-bye.