TTWCP Radio Show- 2018-08-18: Two Factor Authentication. Security and Highlights from Defcon Conference
Craig is putting up a new membership site (yes, it is free, but you have to sign up). On it he will have all the special reports that he puts out, and you will be the first to get them.
- Hackers can seize practically all your online accounts, and it’s your voicemail’s fault
- Practical Security for the Prudent American
- Ever left your lights on a timer to scare off burglars? Now you can use your Alexa
- Special Report: America’s Greatest Threat Is A Hurricane-Force Cyberattack
- How A Hacker Allegedly Stole Millions By Hijacking Phone Numbers
- Everything You Wanted To Know About VPNs (But Didn’t Want To Ask)
- 3 Trends Hackers At Black Hat And Defcon Are Watching
Airing date: 08/18/2018
Two Factor Authentication. Security and Highlights from Defcon Conference
Craig Peterson: [00:00:00] Hi there, everybody, Craig Peterson here, and as usual I’ve got a ton to talk about. We’ve got a special report about America’s greatest threat. They’re calling it a hurricane-force cyber attack. We’ve got an interesting hacker out there who has allegedly stolen millions of dollars by hijacking phone numbers and in turn asking kids’ parents to send some money. Isn’t that something. Another trick here: your voicemail. Did you know that hackers are seizing practically all online accounts just using your voicemail? We’ll tell you how. Some practical security here for the prudent American, a great little article that came out in Medium; we’ll be talking a little bit about that. Everything you want to know about VPNs but didn’t want to ask. In fact, I had a request from one of our listeners this week about the VPN stuff because he’s heading out of the country. I love this new Alexa skill; I’ve been playing a lot with my Alexa. You know about the timers that people have been using for years to make their lights go on and off while they’re out of the house. Well, listen to what you can do with your Alexa. And three trends that hackers at Black Hat and DEFCON are watching. Did you know that just happened, about a week ago? So here we go. Of course, you’re listening to Craig Peterson, right. So, we’re playing around with some different things; let me know what you think. We’ve got some different bumper music and beds and things, and you’ll hear some of the same stuff we’ve always been using as well today. But, you know, it’s been years since we changed any of that stuff, so we’ll just let it go for now, OK. So, our special report, to start things off here today.
[00:01:51] We know about the security vulnerabilities, we’ve seen the vulnerabilities, we know what’s up, and many of us have been hacked, right. Have you been hacked? You may not even know it. But almost every computer that’s online that’s running Windows has been hacked, if you’ve been online for more than a year. Well, what is ahead when we go forward? What are we looking at here? I did a really interesting interview this week for the FBI, for their InfraGard program. It’s with a company called Black Ops Partners, and you might want to look them up. They’ve got just a ton of cool information. It’s headed by the guy who started IBM Corporation’s whole security division, which is really kind of neat here. He’s won the cybersecurity excellence award and everything else. So, he and I were talking about cybersecurity 3.0 and where it’s going. What should we be doing? And, you know, it’s really interesting when we get right down to it. But the bad guys are out there. They are coming after us, and they’re coming after us in a big way. We’ve known that, right. We know the Russians are coming after us. We know the Chinese; in fact, this customer I just picked up, we’ve been cleaning things up, and just yesterday we installed a brand new Next-Generation Firewall filter and Security Operations Center support for him.
[00:03:19] And this is just a small family-owned company. But he had been compromised. They were able to get past his firewall; he had a great firewall. Yeah, yeah, yeah, I’ve heard that story before. And the bad guys got past it and got into his accounting system, found all of his clients, and managed to steal hundreds of thousands of dollars. It’s just crazy what happened. He ended up going over to China to try and find out: so, can we get our money back, because the money got transferred over to China? Tens of thousands of dollars later, and of course now there are lawsuits and legal fees involved, and it’s pretty crippling. So, that’s not surprising, right. It’s just like President Trump going out and saying something crazy on Twitter, right. We’re used to hearing the new thing that he says out there, but it is not going to change our opinion about President Trump, right. If you had a pro opinion, you have one after; if you had an anti opinion, you have the same one after, right. That’s not going to change things. What changes things is a surprise. What changes things is, wow, that’s just not what I would expect. And if you had another President in there that didn’t normally do the types of things President Trump does, you would be surprised; maybe your opinion would change when he did something on Twitter that just shocks everybody in the whole nation or the whole world,
[00:04:48] right. You kind of get used to it. Well, here’s the big picture. The bad guys aren’t just going after your money. They’re not just trying to get at your clients, and not just trying to get that information. It turns out that the bad guys include nation-state actors. It’s not just some kids in the basement somewhere over in Ukraine that are trying to hack in now. And we’re talking about the risk here of a crippling cyber attack. The Homeland Security secretary, Kirstjen Nielsen, said just this last week that the U.S. is in crisis mode, comparing the dangers of a massive attack to a Category 5 hurricane looming on the horizon. You heard that right. A Category 5 hurricane, and there is no graver threat to the United States. An interesting article by Axios that I posted up on my Web site. You can find it there. They’ve got some quotes from General David Petraeus. He’s the former CIA director, and he’s quoted as saying, what worries me most is a cyber equivalent of a weapon of mass destruction falling into the hands of extremists, who would, needless to say, be very difficult to deter because of their willingness to blow themselves up on the battlefield and take us with them. Leon Panetta, of course, who was President Obama’s former CIA director.
[00:06:20] Quotes, and on and on and on. But the bottom line here is we not only have to protect our businesses from these bad guys that we’re familiar with, that have been out there for a very long time, but in fact we’ve got to protect our businesses from the nation-state actors as well. Now, I know the FBI has been working closely with businesses to try and secure our infrastructure, and headway is being made there. But it’s shocking to me, more and more as I get into it, how many hospitals, clinics, doctors’ offices, small banks, et cetera don’t have what’s needed. And they are part of the critical infrastructure. So, again, look into the FBI InfraGard if you’re involved with one of these businesses, and see if you can’t join up, if you can pass the InfraGard background check, and start getting some of this information firsthand that I’m providing and other people are providing to the InfraGard members. It is so critically important. And if you’re a regular business guy: I’m just a regular business guy, what do people care? Think about losing everything. Think about your retirement caught up in the business. What’s going to happen if that’s all stolen from you? And that’s what’s going to happen, by the way; it’s guaranteed. It’s going to happen. It’s happening every day. And you’ve got to reconsider your whole security infrastructure.
[00:07:55] You’ve got to work with a company that knows what they’re doing. And just a funny note here; I’ve got to add this in. I got an e-mail this week that came from a mailing list that I’m on, and they were promoting this two thousand dollar course: become a managed security services provider in six weeks. And, you know, I have to chuckle, because people have a hard time differentiating right now. How would you differentiate between my company, Mainstream, and one of these guys that six weeks later puts up a shingle saying, yeah, I’m a security services provider, right? And I started adding up the hours. And this is the part that really shocked me. Of course, it helps to be a little bit older and having done this for a long time. I have more than 100,000 hours in the I.T. business doing network-related stuff, including security. Personally, me personally. This isn’t “our company has a combined 20 years.” Me personally, 100,000 hours, and I just laughed when I saw this. Are you kidding me? People are going to be out there peddling themselves as security providers when all they have is a couple of certifications under their belt and a six-week course. Oh, man. Anyhow, so now let’s go over to our next topic here.
[00:09:33] Well, we kind of started out by talking about hackers and what they’re doing. We’ve got a new problem up there, a pretty darn big problem, frankly, and this is phone hijacking now.
[00:09:45] You know, I’ve told you before that these two-factor authentication schemes that are using your phone, where they send you a text, are not terribly secure, right. In fact, they’re not secure at all. Well, this is something that’s just a little bit different. We’ve got an article here from Motherboard talking about California authorities who are saying that a 20-year-old college student has hijacked more than 40 phone numbers and stolen five million dollars, including some from cryptocurrency investors. Wow. OK, wow is all I have to say here. Here’s what’s happening. This guy Joel Ortiz, he’s a 20-year-old from Boston. He’s alleged to have hacked these victims using some accomplices who are unnamed, at least as of yet. And this is the first reported case against someone who’s allegedly used a technique known as SIM swapping. So, in SIM swapping... so, you know, you get a phone, you have an unlocked phone, you have a SIM. That SIM has your contacts and other stuff on it. And that SIM also is used to authorize you to the cellular network. So, now that’s what you use to identify your phone, right. So, when someone calls your number, it uses the SIM to identify you. That’s how that all works. With SIM hijacking, what happens is they basically steal your SIM. Now, they don’t even have to have access to your SIM. All they have to do is trick your provider, you know, like AT&T, T-Mobile, Verizon, and whatever; trick your provider into transferring the target’s phone number to a SIM card that’s controlled by the bad guy. So, once they get that phone number... and there are ways to do this, this is really well documented, where they will call up and pretend they’re your wife, or your husband, or even you.
[00:11:52] And so many of us are posting information online that makes it possible for them to be able to very easily impersonate you. So they know your wife’s name, your kids’ names, your dog’s name, where you work, where you were born, where you graduated from college. So, they can pass the so-called anti-fraud stuff when they call up the provider. So, once they get your phone number, the bad guys are using it now to reset your passwords and break into your online accounts. Because, remember, I was saying that using a text message is not true two-factor authentication. In some cases it even works if you do have a separate type of two-factor authentication. And it’s called a port-out scam. It’s relatively easy to pull off, it’s become widespread, and that is where they say, yeah, I am transferring my phone number from T-Mobile to Verizon, just as an example, right. And you arrange for that. You’re transferring your phone number, and when you do that you have to have a new SIM. In many cases you have to; in this case, you’d have to have a Verizon-type SIM. And, obviously, you’d have to be working on the frequencies Verizon uses, et cetera, but easy enough to pull off. So, this guy Ortiz was arrested at the L.A. International Airport; he was on his way to Europe. He apparently had a Gucci bag that was part of a recent spending spree that, of course, they seized because they’re alleging that it was financed by some of these scams. He’s facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft, according to a complaint that was filed. They’re going after some of his co-conspirators; apparently they have access to millions of dollars in cryptocurrency.
[00:13:50] And the interesting quote in here, that I’m not going to quote because it is full of all kinds of nasty stuff. OK. So it’s interesting. Think about that. There’s a SIM swapping community that’s out there on the dark web, where people are swapping the information back and forth. In at least three of the attacks that happened, he stole more than a half million from a cryptocurrency entrepreneur, including a million he’d crowdfunded in an initial coin offering. And, you know, I am absolutely against putting money into these things. I don’t look at them as an investment. I look at them as highly risky. It goes on and on. So, bottom line: DO NOT tie your phone into authentication for any of these Web sites. Use some of these apps that are out there, like Duo or Google Authenticator. If you want to learn more about it, let me know; I’d be glad to put together a special little free mini-course on it, as to how to do all of that. But that’s what we do. We go even further. We not only use those types of apps, we have physical keys that we have to use in order to get on to certain Web sites. In fact, we’re expert witnesses right now in a case involving a managed services provider, who obviously didn’t go to the six-week course or they would have known better, who messed up, and wow, major stuff. Can’t really talk about the case, but a similar type of thing happened with this other client that we were talking about, that we just picked up. It’s happening every day. Now, you’ve got to pull up your socks and pay attention. All right. So, let’s get on to the voicemail and how that ties into all of this as well.
[00:15:46] Well, remember I was just saying that if you use your phone for authentication, where they send you a text message to make sure it’s you, because you’re logging into a new browser or you’re logging in from a place that they’re not familiar with, right. So, they’ll send you a text message and then you enter that code in. Well, the same type of problem exists with your voicemail. Your Google, your Microsoft, Apple, WhatsApp, Signal accounts, they all have an Achilles heel. Now, Signal is interesting because it is designed to keep things secure. WhatsApp is supposed to keep things secure, not as secure as Signal does. But here is the weakness, and that weakness was disclosed this last week, again in Vegas. In case you weren’t aware of it, there was the Black Hat conference. And at that, people were talking about different ways to hack, new things they found; DEFCON is part of that, right. One right after the other, these two conferences out there in Vegas. So, this particular one was by Martin Vigo. He was over at the DEFCON convention, and he explained how he managed to reset passwords for a whole bunch of different types of online accounts. So, he took advantage of the weakest link in the security chain, which is, believe it or not, your voicemail.
[00:17:17] So, what he did was he requested a password reset on some of these services, like WhatsApp, because you have the option of requesting that you receive a call with the reset code. So, that’s more than just receiving a text; it’s actually a phone call. So, people think, OK, well, that’s safe, right.
[00:17:40] Well, no, it’s even worse than getting a text message, because all he had to do was hack the voicemail account first.
[00:17:49] How does he do that? Well, he just wrote a little script that just brute-force attacked the passwords. All right. Most people are using a four-digit password. And most of the voicemail systems don’t have incremental backoffs, where they time out. You know, where you get it wrong the first time you have to wait five seconds, then you can try again; if you get it wrong three times you have to wait five minutes; get it wrong again, you might have to wait an hour, etc. No, no. They just let you hack, hack, hack, hack, hack, hack, hack. And, in fact, he did get access to the account’s password reset codes. And ultimately he got control of the account itself, because they sent a reset code via voicemail: called up, your reset code is 1 2 3 4, and he had previously hacked that voicemail account. And for many people it’s easy to find. I was on, again, research for this case, where we are acting as a consultant to the law firm and we may end up on the stand as an expert witness. But in that type of a situation, all that has to happen is you go to the website, you can find that person’s password, you can get the password reset information, by just finding out what their phone number is. Because people are posting their personal cell phone numbers on websites, or they’re posting their business work number on the website. Then, I get it, right. You
[00:19:22] want people to be able to contact you. But in this case, he got into all of these accounts and he was able to reset them, because he got the password via the voicemail reset.
[00:19:32] Oh man, some of this stuff just never ends, does it? All right. So let’s talk a little bit about practical security. Got a lot of kids going back to school.
[00:19:47] You’ve got college kids, of course, going back to school. We just had a client bring in a hard disk that was being used for backup, you know, one of those pluggable USB drives, and guess what, it had failed, and apparently their daughter’s dissertation was there on that hard drive. And so we took it apart, the case and everything, and it looks like it’s actually a problem with the hard disk itself; might be the voice coil. You can hear clicking. So, hopefully, that’s what it is; it’s only going to cost about five thousand dollars to get that hard disk fixed. We’re going to send it out to a lab. We don’t actually do that in-house, right. Let the experts deal with it. So, guess what, a doctoral dissertation, because the machine went south and the backup wasn’t working. We hear that all the time. It’s incredible. That’s why you have multiple layers of backup, not just one backup. Because in this case her machine failed and she didn’t realize her backup wasn’t working. Oh, man. Anyhow, it’s really distressing when that happens to you. We’ve got kids now that are starting to get involved with politics for the 2018 election cycle; the same thing is going to be true with the 2020 cycle. We’ve got, of course, harassment, hate campaigns. There’s doxing going on, Russian hackers going on, and these same people that have been involved in trying to disrupt our elections are going to be busy again this year and in 2020.
[00:21:24] So, anyone who touches sensitive confidential documents, financial records, voter data: you have to protect yourselves. And you might not have thought about that when it comes to these kids that are working as volunteers, maybe in election offices that are out there, right, for their favorite candidate, left, or right, or center, whatever they might be.
[00:21:47] There is a ton of bad advice out there, because most of the security folklore that’s out there in the I.T. industry really is wrong. It can be even dangerously incorrect. The security world five years ago and today, it’s not the same thing, right. So, there are a few things you have to do. I’ve got a special report. You can no longer get it on my Web site, but it’s all about passwords, PASSWORD managers. I give some reviews in there; we have some links to using them. If you want to find out about password managers, e-mail me or just send me a text at 855-385-5553; send me a text asking for it. I’ll send you the PDF.
[00:22:33] I think it’s like five or six pages; it’s pretty detailed, pretty in-depth. I’ll send it to you. It’s something I use with my clients. But you can get that from me. But number one, use a password manager. Again, if you missed it, 855-385-5553. So, anyhow, you’ve got to generate passwords. Get a security key; a YubiKey is probably one of the better ones out there. But be careful of using the security keys; make sure you know what you’re doing, because you could break your computer completely if you lose the key. OK. It’s kind of crazy, but, you know, YubiKey is out there. There are a lot of other things there. The Chrome browser has some really good extensions. HTTPS Everywhere is a good extension to use. You can enroll in Google’s Advanced Protection Program, and there’s a good article in Medium that I have put on my Web site, CraigPeterson.com. You can go there and read up a little bit more. Well, only got a few minutes left, so let’s kind of whip through these last few things for this week. Again, you will find all of this and more in the newsletter. Now, we sent out the newsletter on Thursday this week, as opposed to Saturday morning.
[00:23:51] We want to see if that’s a little better, if you guys pick it up that way. I think a lot of people are subscribed with their work e-mail address, which means you might not notice it when you come in on Monday morning. So, if you check your e-mail you’ll see it’s from me at CraigPeterson.com, all of these articles with direct links to them, so you can find out more. We also have special offers from time to time, like a couple of months ago we offered that password special report as well. But a VPN is very important. We use them all the time. We have our own VPN. And the whole idea behind it is you have a tunnel, hopefully a secure tunnel. Be careful where you are going when it comes to VPNs. Geo-blocking is a good thing to get around with a VPN, but as I mentioned at the beginning of the show, I have a client that is heading over to Europe, and he was asking about VPNs and what he might want to do, what he should do. So, I’ve got good advice on that as well. I know I can send you more information. There’s a cool new Alexa skill.
[00:25:02] It’s really, really neat. It plays these fake stupid arguments to make people, burglars, think that you’re at home.
[00:25:10] OK, so one of them is an emergency PTA meeting to discuss memes, fidget spinners, and other teen fads. There’s another one where a couple is having a breakup while also trying to watch TV. Another one: two average guys brainstorm what’s unique about themselves so they can start a podcast about that. Oh, man. There’s another one that they can play where they have conversations from a book club where no one discusses the book. A mom walking her daughter through IKEA assembly over the phone, a stay-at-home mom losing her mind, and an argument over a board game. Very cool. You can find those for Alexa. Great article in Slashdot. You’ll find it on my Web site, and cool for burglars, keep them out of your home. Three trends that the hackers at Black Hat and DEFCON were talking about and what they’re watching. Mobile devices have moved up the list. The Internet of valuable things, IoT, has become a very, very big deal. I should do some special stuff on some of this for people. And audio hacking. It is now a thing. So, you can find all of this and more details at CraigPeterson.com. Check your e-mail if you’re on my list. Also, I’ve been trying to send it out via a mass text; a few are on my text list, a link I send out to everybody with this week’s articles, but you’ll find all of this at CraigPeterson.com. Any questions, any requests, just text me. I’ve been answering people all week long, and in fact I’m getting more and more every week: 855-385-5553, and I’ll put you on my text list and let you know about current events, what’s happening, and little reminders about the show. And stop, 855-385-5553. Have a great week, and we’ll be back again next week, and I’ll be sure to let you know if anything big is hitting the fan during the week. Take care. Bye-bye.