Craig Peterson - Secure Your Business, Your Privacy, and Save Your Sanity: Do You Know How Hackers are Spoofing You? All About Email spoofing! (2025)

Jan 29, 2022

Do You Know How Hackers are Spoofing You? All About Email spoofing!

We just got an email this week from a customer and they're saying, "Oh no, my email has been hacked." What does that mean? Was it really hacked? We're going to talk right now about email spoofing, which is a very big deal.

[Following is an automated transcript]

[00:00:15] Email spoofing has been a problem for a long time, really? Since the 1970s. I remember when I got my first spoofed email back in the eighties and there was really a little bit of confusion.

[00:00:30] I went into it more detail, of course, being a very technical kind of guy, and looked behind the curtains, figured out what was going on. Just shook my head. I marveled at some people. Why would you do this sort of thing? The whole idea behind email spoofing is for you to receive an email, looks like it's from someone that it's not now, you've all seen examples of this.

[00:00:55] Everybody has. And those emails that are supposedly from the bank, or maybe from Amazon or some other type of business or family friend, this is part of what we call social engineering, where the bad guys are using a little bit about what they know about you, or maybe another person in order to. Frankly, fool you.

[00:01:19] That's what spoofing really is. There were a lot of email accounts that were hacked over the last what, 30, 40 years. And you might remember these people sending out an email saying, oh, my account got hacked because you just got emails. Back in the day, what people were trying to do is break into people's email accounts and then the bad guys after having broken in now knew everybody that was in the contact list from the account that was just broken into.

[00:01:54] Now they know, Hey, listen, this person sends an email. Maybe I can just pretend I'm them. Days it, the same thing still happens. But now typically what you're seeing is a more directed attack. So a person might even look in that email account that they've broken into and poke around a little bit and find out, oh, okay.

[00:02:16] So this person's account is a purchasing manager at a big company. So then they take the next step or maybe this tab after that and try and figure out. Okay, so now what do I do? Oh, okay. So really what I can do now is send fake purchase orders or send fake requests for money. I've seen in the past with clients that we've picked up because the email was acting strangely where a bad guy went ahead, found.

[00:02:49] Invoices that have been sent out by the purchasing person and the send the invoices out and changed the pay to information on the invoice. So they took the PDFs that they found on the file server of the invoices went in and changed them, change the account that they wanted, the funds ACH into. And once they had that happen, they just sent the invoice out again saying overdue.

[00:03:18] Off goes in the email and the company receives it and says, oh okay, I need to pay this invoice. Now. Sometimes it marked them overdue. Sometimes they didn't mark them overdue. I've seen both cases and now the money gets sent off and that invoice gets paid and then gets paid to the wrong person.

[00:03:38] Or maybe they go ahead and they don't send the invoice out, but they just send a little notification saying, Hey, our account has changed. Make sure you. Direct all future payments to this account. Instead. Now you might be thinking wait a second here. Now they send this email out. It's going to go into a bank account.

[00:03:57] I can recover the money while no, you can't. Because what they're doing is they are using mules. Now you've heard of mules before. He might've even seen that recent Clint Eastwood movie. I think it was called. But typically when we think of mules, as people we're thinking about people who are running drugs well, in this case, the bad guys use mules in order to move money around.

[00:04:24] And now sometimes the people know what they're doing. The FBI has had some really great arrests of some people who were doing this, particularly out in California, some of them cleaned. Yeah. I didn't know what was happening. It was just somebody, asked me to send money. It's like the Nigerian scam where the Nigeria in the Nigerian scam, they say, Hey I'm, I'm Nigerian prince, you've heard of these things before. And I need to get my money out of the country. I need to place to put them. And so if you have a US account, I'm going to transfer money into it. You can keep a thousand dollars of that 5,000 and I'm going to wire in just as a fee. Thanks for doing this. I, this is so important and it's such a hurry and I'm going to send you the.

[00:05:11] What they'll often do is send you a money order. It couldn't be a bank check, could be a lot of things, and then you go ahead and you cash it and oh, okay. Or cash just fine. And then you wire the $4,000 off to the bad guy. The bad guy gets the money and is off. Running in the meantime, your bank is trying to clear that bank check or that money order.

[00:05:38] And they find out that there is no money there because frankly what might've happened? I, this is one I've seen, I'm telling you about a story w we helped to solve this problem, but I had taken out a real money order from a bank, and then they made copies of it. Basically, they just forged it. And so they forged a hundred copies of it.

[00:06:01] So people thought they were getting a legitimate money order. And in some cases, the banks where the money order was, you mean deposited, did conf confirm it? They called up the source bank. Oh yeah. Yeah. That's a legit money order and then they all hit within a week or two. And now the, you are left holding the bag.

[00:06:22] So that's one thing that happens. But typically with these mules, the money comes to them in that account. They are supposed to then take that money and put it in their PayPal account and send it off to the next. And it might try jump to through two or three different people, and then it ends up overseas and the bad guys have gotten so good at this and have the cooperation of some small countries, sometimes bigger countries that they actually own.

[00:06:54] The bank overseas of the money ultimately gets transferred into. And of course there's no way to get the money back. It's a real. So with spoofing, they're trying to trick you into believing the emails from someone that you know, or someone that you can trust. Or as I said, maybe a business partner of some sort in most cases, it's some sort of a colleague, a vendor or a trusted brand.

[00:07:22] And so they exploit the trust that you have, and they ask you to do something or divulge information. They'll try and get you to do something. So there's more complexity tax. Like the ones that I just explained here that are going after financial employees, there might be some, an accountant, a bookkeeper, or bill payer and receivables payables.

[00:07:48] I've seen CFO attacks, but the really the spoofed email message looks legitimate on the surface. They'll use the legitimate logo of the company that they're trying to pretend that they're from. For instance, PayPal. Phishing attack. They have a spoofed email sender and typical email clients like you might be using for instance, on Microsoft Outlook.

[00:08:13] The sender address is shown on the message, but most of the time nowadays the mail clients hide the actual email address, or if you just glance at it, it looks legit. You've seen those before these forged email headers. Yeah, it gets to be a problem. Now we use some software from Cisco that we buy.

[00:08:38] You have to buy. I think it's a thousand licenses at a time, but there were some others out there, Cisco again, by far the best and this, the software. Receives the email. So before it even ends up in the Exchange server or somewhere else online, that email then goes through that Cisco server. They are comparing it to billions of other emails that they've seen, including in real time emails that are.

[00:09:06] Right now. And they'll look at the header of the email message. You can do that as well. With any email client, you can look at the header, Microsoft and Outlook calls, it view source. But if you look at the email header, you'll see received. Headers that are in there. So say, receive colon from, and they'll give a name of a domain and then you'll see another received header and give another name of a machine.

[00:09:33] And it'll include the IP address might be IPv4 or IPv6, and you can then follow it all the way through. So what'll happen is partway through. You'll see, it took a hop that is. Not legitimate. That's where it comes in. Nowadays, if you have an email address for your business, man, a domain, you need to be publishing what are called SPF records.

[00:10:01] And those SPF records are looked at, they're compared to make sure that the email is properly signed and is from. The correct sender. There's a SPF records. There's others too, that you should have in place, but you'll see that in the headers, if you're looking in the header. So it gets pretty complicated.

[00:10:24] The SPF, which is the Sender Policy Framework is a security protocol standard. It's been around now for almost a decade. It's working in conjunction with what are called Domain-based Message Authentication, Reporting, and Conformance. Headers, DMARC headers to stop malware and phishing attacks. And they are very good if you use them properly, but unfortunately when I look, I would say it's still 95% of emails that are being sent by businesses are not using this email spoofing and protection.

[00:11:00] So have a look at that and I can send you a couple articles on it. If you're in trusted Craig Peterson.com.

[00:11:07] So we've established that email spoofing happens. What are the stats to this? And how can you further protect yourself from email spoofing? Particularly if you're not the technical type controlling DNS records, that's what's up right now.

[00:11:24] There's so much going on in the cybersecurity world. It affects all of us. Now, I think back to the good old days 40 years ago where we weren't worried about a lot of this stuff, spoofing, et cetera.

[00:11:38] But what we're talking about right now is 3.1 billion domain spoof. Emails sent every day. That's a huge thing. More than 90% of cyber attacks. Start with an email message. Email spoofing and phishing have had a worldwide impact costing probably $26 billion over the last five years. A couple of years ago, the FBI, this is 2019.

[00:12:09] Reported that about a house. A million cyber attacks were successful. 24% of them were email-based and the average scam tricked users out of $75,000. Yeah. So it's no wonder so many people are concerned about their email and whether or not those pieces of email are really a problem for them. And then anybody else.

[00:12:36] So a common attack that uses spoofing is CEO fraud, also known as business email compromise. So this is where the attacker is spoofing or modifying, pretending to be a certain person that they're not they're impersonating an executive or owner, maybe of a business. And it targets. People in the financial accounting or accounts payable departments or even the engineering department.

[00:13:03] And that's what happened with one of our clients this week. They got a very interesting spoofed email. So even when you're smart and you're paying attention, you can be tricked the Canadian city treasurer. Tricked into transferring a hundred grand from taxpayer funds, Mattel tricked into sending 3 million to an accountant, China, a bank in Belgium, tricked into sending the attackers 70 million Euro.

[00:13:33] It happens and I have seen it personally with many businesses out there. So how do you protect yourself from email? Spoofing now, even with email security in place, there's some malicious email messages that are still going to get through to the inboxes. Now we're able to stop better than 96% of them just based on our stats.

[00:13:56] In fact, it's very rare that one gets through, but here are some things you can do and watch out for whether you're an employee responsible for financial decisions, or maybe you're someone who is. Personal email at work. Here's some tricks here. So get your pencil ready. Number one, never click links to access a web.

[00:14:20] Where you're asked to log in, always type in the official URL into your browser and authenticate on the browser. In other words, if you get an email from your bank or someone else, and there's a link in there to click that says, Hey oh man, here's some real problems. You got to respond right away.

[00:14:44] Don't do that go to paypal.com or your bank or your vendor's site, just type it into your browser, even though you can hover over the email link and see what it is. Sometimes it can be perfectly legitimate and yet it looks weird. For instance, when I send out my emails that people subscribe to that right there on Craig peterson.com, the links are going to come from the people that handle my email lists for me, because I send out thousands of emails at a time to people that have asked to get those emails.

[00:15:24] So I use a service and the services taking those links, modifying them somewhat in fact dramatically. And using that to make sure the delivery happened, people are opening it and that I'm not bothering you. So you can unsubscribe next step. You can, if you want to dig in more, look at the email headers.

[00:15:47] Now they're different for every email client. If you're using Outlook, you have to select the email, basically in the left-hand side. Okay. You're going to control, click on that email and we'll come up and you'll see something that says view source. So in the Outlook world, they hide it from you.

[00:16:07] If you're using a Mac and Mac mail, all you have to do is go to up in the menu bar email and view, header and cut off. There it is. I have many times in the past just left that turned on. So I'm always seeing the headers that reminds me to keep a look at those headers. So if you look in the header, And if the email sender is let me put it this way.

[00:16:33] If the person who is supposed to have sent it to you is doing headers proper, properly. You're going to see. A received SPF section of the headers and right in there, you can look for a pass or fail and response, and that'll tell you if it's legit. So in other words, let's use PayPal as an example, PayPal has these records that it publishes that say all of our emails are going to come from this server or that server of.

[00:17:06] And I do the same thing for my domains and we do the same thing for our clients' domains. So it's something that you can really count on if you're doing it right, that this section of the headers. And that's why I was talking about earlier. If you have an email that you're sending out from your domain and you don't have those proper headers in it, there's no way.

[00:17:33] To truly authenticate it. Now I go a step further and I use GPG in order to sign most of my emails. Now I don't do this for the trainings and other things, but direct personal emails from me will usually be cryptographically signed. So you can verify that it was me that sent it. Another thing you can do is copy and paste the text, the body of that email into a search engine.

[00:18:05] Of course I recommend DuckDuckGo in most cases. And the chances are that frankly they've sent it to multiple people. That's why I was saying our Cisco based email filter. That's what it does, it looks for common portions of the body for emails that are known to be bad, be suspicious of email from official sources like the IRS, they're not going to be sending you email out of the blue most places. Aren't obviously don't open attachments from people that you don't. Special suspicious ones, particularly people we'll send PDFs that are infected. It's been a real problem. They'll send of course Word docs, Excel docs, et cetera, as well.

[00:18:56] And the more. I have a sense of urgency or danger. That's a part of the email should really get your suspicions up, frankly, because suggesting something bad is going to happen. If you don't act quickly, that kind of gets around part of your brain and it's the fight or flight, right? Hey, I gotta take care of this.

[00:19:19] I gotta take care of this right away. Ah, and maybe you. So those are the main things that you can pay attention to. In the emails, if you are a tech person, and you're trying to figure this out, how can I make the emails safer for our company? You can always drop me an email as well. Me, M e@craigpeterson.com.

[00:19:45] I can send you to a couple of good sources. I'll have to put together a training as well on how to do this, but as individually. At least from my standpoint, a lot of this is common sense and unfortunately the bad guys have made it. So email is something we can no longer completely trust. Spoofing is a problem.

[00:20:07] As I said, we just saw it again this week. Thank goodness. It was all caught and stopped. The account was not. It was just a spoofed email from an account outside the organization that was act Craig peterson.com. Stick around.

[00:20:26] The value of crypto coins has been going down lately quite a bit across the board, not just Bitcoin, but the amount of crypto mining and crypto jacking going on. That hasn't gone down much at all.

[00:20:50] Hi, I'm Craig Peterson, your cyber security strategist. And you're listening to news radio, w G a N a M five 60 and FM nine. Point five, you can join me on the morning drive every Wednesday morning at 7 34, Matt and I go over some of the latest in news. You know about crypto coins, at least a little bit, right?

[00:21:18] These are the things like Bitcoin and others that are ostensibly private, but in reality, aren't that private. If you receive coins and you spend coins, you are probably trackable. And if you can't spend that, the crypto currencies, why even bother getting it in the first place. One of the big drivers behind the price of these crypto currencies has been criminal activity.

[00:21:50] We've talked about that before. Here's the problem we're seeing more and more nowadays, even though the price of Bitcoin might go down 30%, which it has, and it's gone down in bigger chunks before. It does not mean that the bad guys don't want more of it. And what better way to mine, cryptocurrency than to not have to pay for.

[00:22:18] So the bad guys have been doing something called crypto jacking. This is where criminals are using really ransomware like tactics and poisoned website to get your computer, even your smartphone to mine, cryptocurrencies for. No mining, a Bitcoin can cost as much in electric bills that are in fact more in electric bills.

[00:22:45] Than you get from the value of the Bitcoin itself. So it's expensive for them to run it. Some countries like China have said, no, you're not doing it anymore because they're using so much electricity here in the US we've even got crypto mining companies that are buying. Old power plant coal-fired or otherwise, and are generating their own electricity there locally in order to be able to mine cryptocurrencies efficiently, effectively so that they can make some profit from it.

[00:23:20] It's really quite the world out there. Some people have complained about their smartphone getting really hot. Their battery only lasts maybe an hour and it's supposed to last all day. Sometimes what's happened is your smartphone has been hijacked. It's been crypto jacked. So your smartphone, they're not designed to sit there and do heavy computing all day long.

[00:23:47] Like a workstation is even your regular desktop computer. Probably isn't. To be able to handle day long mining that has to happen. In fact, the most efficient way to do crypto mining of course is using specialized hardware, but that costs them money. So why not just crypto jack? All right. There are two primary ways.

[00:24:11] Hackers have been getting victims' computers to secretly mine. Cryptocurrencies one is to trick them into loading. Crypto mining code onto their computers. So that's done through various types of phishing-like tactics. They get a legitimate looking email that tricks people into clicking on a link and the link runs code.

[00:24:32] Now what's interesting is you don't, even for cryptocurrency crypto jacking, you don't even have to download a program in. To have your computer start mining cryptocurrencies for the bad guys. They can use your browser to run a crypto mining script. And it runs in the background. As you work right, using up electricity, using up the CPU on your computer.

[00:25:00] They also will put it into ads. They'll put it on a website and your browser goes ahead and runs the code beautifully. So they're really trying to maximize their returns. That's the basics of crypto jacking what's been particularly bad lately has been the hackers breaking into cloud account. And then using those accounts to mine cryptocurrency, one of the trainings that I had on my Wednesday wisdoms has to do with password stuffing and my Wednesday wisdoms, you can get by just subscribing to my email over there at craigpeterson.com.

[00:25:46] But what happens here is they find your email address. They find. Password on one of these hacks that is occurred on the dark web. You weren't on the dark web, but your username or email address and password are there on the dark web. And then they just try it. So a big site like Amazon, or maybe it was your IBM also has cloud services can be sitting there running along very well, having fun.

[00:26:19] Life's good. And. Then they go ahead and try your email address and password to try and break in. Now, you know how I keep telling everybody use a good password manager and this week I actually changed my opinion on password managers. So you know, that I really like the password manager that you can get from 1password.com.

[00:26:46] It really is fantastic. Particularly for businesses, various types of enterprises, 1password.com. However, where I have changed is that some of these browsers nowadays, particularly thinking about Firefox Google Chrome Safari, if you're particularly, if you're on a Mac, all have built in password managers that are actually.

[00:27:12] Good. Now they check. Have I Been Pwned, which is a site I've talked to you guys about for years. To make sure that your accounts are reasonably safe than not being found on the dark web, the new password that it came up with or that you want to use. They check that as well. Make sure it's not in use. So here's an example here.

[00:27:34] This is a guy by the name of Chris. He lives out in Seattle, Washington, and he makes mobile apps for local publishers. Just this year, New Year's Day, he got an alert from Amazon Web Services. Now Amazon Web Services, of course, cloud service. They've got some really nice stuff, starting with Lightsail and going up from there, I've used various services from them for well, since they started offering the services over very many years and.

[00:28:06] They allow you to have a computer and you can get whatever size computer you want to, or fraction of a computer. You want to, he got this alert because it said that he owed more than $53,000 for a month's worth of hosts. Now his typical Amazon bill is between a hundred and 150 bucks a month. My typical Amazon bill is now 50 to maybe $80 a month.

[00:28:36] I cannot imagine getting a $53,000 bill from our friends at Amazon. So the poor guy was just totally freaking out, which is a very big deal. So I'm looking at an article from Insider that you can find at businessinsider.com. They were able to confirm that, yes, indeed. He got this $53,000 bill from Amazon and yes, indeed.

[00:29:02] It looks like his account had been hacked by cryptocurrency miners. So these guys can run up just incredibly large charges for the raw computing power. They need to produce some of these digital cryptocurrencies, like Bitcoin there's many others out there. But this isn't new. This is happening all of the time.

[00:29:26] Google reported late last year, that 86% of account breaches on its Google Cloud Platform were used to perform cryptocurrency mining. So make sure you are using a good password manager that generates good passwords. And I have a special report on passwords. You can download it immediately when you sign up for.

[00:29:50] My email, my weekly email newsletter at craigpeterson.com and it tells you what to do, how to do it. What is a good password? What the thinking is because it's changed on passwords, but do that and use two factor authentication. Multi-factor authentication as well. And I talk about that in that special report too.

[00:30:13] And visit me online. Sign up right now. Craig Peterson.com.

[00:30:18] We're moving closer and closer to completely automated cars, but we want to talk right now about car hacks, because there was an interesting one this week that has to do with Tesla. And we'll talk about some of the other hacks on cars.

[00:30:34] Connected cars are coming our way in a very big way.

[00:30:40] We just talked about the shutdown of 2G and 3G in our cars. We, it wasn't really our cars, right? 2G 3G. That was for our cell phones. That was. Years ago course now for 4G LTE 5G, even 10G is being used in the labs. Right now. It's hard to think about some of those older technologies, but they were being used and they were being used by cars, primarily for the navigation features.

[00:31:15] Some cars use these data links, if you will, that are really on the cell phone network in order to do remote things like remote start. For instance, I have a friend whose Subaru. Of course was using that. And now she's got to do an upgrade on her car because that 3G technology is going away depending on the carrier, by the way, some of it's going away sooner.

[00:31:43] Some of it's going away later, but it'll all be gone at the end of 2020. What are we looking at? As we look into the future, I'm really concerned. I don't want to buy one of these new cars at the same time as I do, because they are cool, but I don't want to buy one of those because of the real problem that we could have of what well of having that car.

[00:32:09] I need an upgrade and not been able to do it. I watched a video of a guy who took a Tesla that hadn't been damaged badly in a flood, and it was able to buy it for cheap. Why? Because Tesla will not sell you new motors and a new batteries for a car like that. So he got the car for cheap. He found a Chevy Camaro that had been wrecked, but its engine and transmission were just fine.

[00:32:39] He ripped everything out of the Tesla and went ahead after that, cause you got to clean that out, and water damage. You spray wash all to the inside. He got right down to the aluminum, everything that wasn't part of the core aluminum chassis was gone. And then he built it back up again. He managed to keep all of those Tesla systems working, that, that screen that you have upfront that does the temperature control, cruise maps, everything out.

[00:33:11] He kept that it was able to work. The, automated stuff, cruise control type stuff. And now he had a very hot car that looked like a Tesla. He took it out to SEMA, which is pretty cool. I'd love to see that, but it was a Tesla with a big V8 gasoline engine in it. He's done a, quite a good job on it.

[00:33:35] It was quite amazing to see it took them months. It was him and some of his buddies. These new cars are even more connected than my friend Subaru is they get downloads from the. Some of them are using Wi-Fi and 5G. Really one of the big promises of 5G is, Hey, our cars can talk to each other because now you can get a millisecond delay in going from one car to another versus what you have today, which can be a half a second or more, which can be the difference between having a rear end collision and being able to stop in time when it comes to these automated system.

[00:34:17] So they are more connected. They connect to the Wi-Fi in your homes. They connect to obviously the 5G network, which is where things are going right now. But what's happening with the hackers because really what we're talking about, isn't a computer on wheels. Oh no. Dozens of computers inside that car and your car has a network inside of it and has had for many years, this CAN bus network and even fancier ones nowadays that connect all of your systems together.

[00:34:52] So your entertainment system, for instance, is connected to this network. And that was used. You might remember a couple of years ago on a Chrysler product where the bad guy installed. Or using the thumb drive onto that entertainment system and had a reporter drive that car down the road. This is all known.

[00:35:16] It was all controlled. And was able to the bad guy right there, the demonstration in this case, I guess you'd call them a white hat hacker. He drove that car right off the road while the reporter was trying to steer otherwise because cars nowadays don't have a direct linkage between anything in any.

[00:35:38] That's why I love my 1980 Mercedes diesel. You turn the steering wheel. It isn't actually connected to the wheels to that front end of the car. All it's doing is telling the computer you want to turn and how much you want to turn that brake pedal. Doesn't actually. Compress hydraulics and cause the brakes to engage that fuel pedal doesn't actually move the throttle on the car.

[00:36:03] The throttle is really being controlled and moved by the computers. So the car is completely electronic. It feels like a regular car, right? We're not talking about the Teslas of today or tomorrow. We're talking about Volvos that have been sold for more than a decade. We're talking about a lot of different cars.

[00:36:24] So now you have a platform on wheels that can be dangerous because it can be, in some cases, remotely controlled, it can have software that may be crashes. We know that part of the infrastructure quote, unquote bill, which contains almost no infrastructure. It's amazing how they named these things. Isn't it.

[00:36:45] And what is it like 6% it actual infrastructure and the infrastructure bill? One of the things in there that is not infrastru. Is a demand, a law that says the car manufacturers have to include a remote. Button, if you will, so that a police officer could go ahead and say, okay, I'm pursuing this car and they're not stopping.

[00:37:11] I don't want to risk people's lives. As this bad guy tries to elude me here in backstreets. Kids can get hit, et cetera. So they push the button and the car stops that all sounds great. The problem is that you could potentially be opening some security problems by having this remote stop button that can be used by anybody really right.

[00:37:40] Since when is it going to be limited to just law enforcement? Isn't that a problem? According to Car and Driver, I'm looking at their magazine right now. They're saying that there were at least 150 automotive cybersecurity incidents in twenty nineteen, a hundred and fifty incidents, part of a 94% year over year increase since 2016.

[00:38:05] In other words, every year. The number of automotive, cybersecurity and incidences has doubled. And that's according to report from a company called Upstream Security. So we're lost. So looking at what w maybe ransomware for a car. So that your car gets hacked. You can't hack my 1980 Mercedes diesel.

[00:38:28] It is impossible to hack into an unconnected car, but if you are driving a vehicle it's likely at risk from some sort of digital true. We've even seen from some of the bugs. We've seen cars from Japan that have decided to drive into the Jersey barrier because it misunderstands exactly what it is. We've seen cars from Tesla.

[00:38:57] Drive right into the back of a parked fire truck mentioned doing that at speed, right? And cause a fire truck full of water, et cetera. I've actually seen that one happened personally. So the more sophisticated the system is, the more connected your vehicle is. The more exposed you are in Detroit Free Press has a great little article on that right now.

[00:39:23] And in there he's saying we have taken whatever model car you think of, and we hack them through various places. I can control your steering. I can shut down and start your engine. Control your brakes, your doors, your wipers, open and close your. There's a lot of people who are trying to break into these cars.

[00:39:46] And there's a lot of people who are trying to protect them. That hacker duo back in 2015, who took control of that Jeep Cherokee, just think about that sort of. There's an Israeli-based automotive cybersecurity company who told the Free Press that he expects the current trend of hackers holding digital data on computers for ransom to also move to cars.

[00:40:12] So when this happens, the driver will not be able to start the vehicle until they pay off the ransom or suffer the consequences, which could be wiping the car's systems, operating systems, could be causing the car to catch on fire. Think of what can happen with each generation with those batteries.

[00:40:32] There's no way around it. You're going to have to get it towed and get all of the software reloaded in the company. And now this week, it comes out that a 19-year-old kid said that he was able to hack into over 25 Teslas that he tried via a bug in a popular. It's an open source tool that people are using to link into their Teslas to do various types of remote control.

[00:41:01] And he posted a tweet on this. Guy's name's David Colombo. You'll find him on Twitter. Went viral, and he reported the vulnerability to the people who are maintaining the software and they fixed it, in fact, the very same day. And Tesla also pushed updates to their vehicles that invalidated the signatures and the key exchanges that we're having.

[00:41:28] So this is a 19-year-old researcher. He's able to hack into cars in 13 countries, 38, 13 countries. Yeah. Worth of Teslas without the owner's knowledge. Now, he says, I can unlock doors, I can turn off the security system, I can open windows, keyless start and things, turn on the stereo, honk the horn, view the car's location, and if the driver was present. But he doesn't think he could actually move the vehicle remotely. But that's a 19-year-old.

[00:42:02] What's going to happen when we implement the law that was just passed that says our cars have to be remotely controllable by anybody, basically? Yeah. It's scary. Hey, I want to invite you guys to take a minute, go to craigpeterson.com. Make sure you sign up for my newsletter there, and I'll keep you up to date on all of this stuff and you'll even get my show notes.

[00:42:28] craigpeterson.com.

[00:42:30] The hacker world got turned upside down this past week as Russian President Putin decided to crack down on the hackers. Now, this is a very big change for Russia. We're going to talk about my theories. Why did this happen?

[00:42:56] Hi, I'm Craig Peterson, your cybersecurity expert. And you're listening to News Radio WGAN AM 560 and FM 98.5. Hey, you can join me Wednesday mornings at 7:34 on the morning drive, as we keep you up to date. Russian hackers have long been known to go after basically whoever they want. They have really gone after the United States and other Western countries.

[00:43:30] And as part of what they've been doing, they have been making a lot of money and keeping Vladimir Putin pretty darn happy. He's been happy because they're bringing more into Mother Russia. He's happy because they are causing confusion amongst Russia's competitors out there, particularly the United States.

[00:43:55] But there's one thing that Putin has been absolutely steadfast on. And that is not allowing any of the hackers to go and hack any of the countries that are part of their little pact over there. Think of the old Warsaw Pact, they got that band back together. So as long as they didn't harm any Russian or affiliated country, they could do basically whatever they wanted, and they did.

[00:44:29] And they have caused a lot of trouble all over the world. So Friday, Russia's security agency announced that it had arrested members of the cyber gang called REvil. Now we have talked about them for a long time. They have come and gone. The FBI and other countries have shut down their servers.

[00:44:56] So REvil disappears for a while, then pops its head up again. And Russia said that they arrested members of REvil who were responsible for massive ransomware crimes against US companies the last year. So why would they do that? I'm looking right now at the Russian website here, that's part of the FSB.

[00:45:26] And it's saying that the Russian Federal Security Service, in cooperation with the Investigation Department of the Ministry of Internal Affairs of Russia, in the cities of Moscow, St. Petersburg, Leningrad, Lipetsk, I guess it is, regions, they stopped the illegal activities of members of an organized criminal community, and the basis for the search activities was the appeal of competent US authorities who reported on the leader of the criminal community and his involvement in an encroachment on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption.

[00:46:11] Now that all sounds like the stuff that Vlad has been just happy about in years past. So why did this happen? What brought this about nowadays, in this day and age? What is he doing? I've got a little bit of a theory on that one, because there have been some interesting developments. One of them is this hacker.

[00:46:38] In Belarus. Now, Belarus is one of those countries that's closely affiliated with Russia, friend of Russia, right? Part of the old Warsaw Pact. And you might remember that Belarus is right there by you. And of course, we've got this whole issue with Ukraine and whether or not Russia is going to invade. President Biden said something incredibly stupid where he said, yeah, a moral response is going to depend upon what Russia does, if it's just a minor invasion.

[00:47:17] You remember President Biden saying that? Just absolutely ridiculous. And then of course, the White House press secretary and various Democrat operatives tried to walk the whole thing back, but it's a problem because Russia has, what is it now, like 120,000 troops on the border.

[00:47:37] Now, if you know anything about history, you know that the military, armies march on their stomachs, right? Isn't that the expression? You've got to feed them. You have to have a lot of logistics in place. In fact, that's what really got a lot of the German military in World War Two very nervous, because they saw how good our logistics were, how good our supply chain was.

[00:48:03] We were even sending them. They cakes to men in the field that they discovered these cakes in great shape. And some of the German armies, particularly later in the war, didn't even have adequate food to eat. What do you think is happening with the Russian troops that are sitting there?

[00:48:20] They need food. They need supplies, including things like tanks, heavy artillery, ammunition. All of that sort of stuff. So how do they do that? They're moving it on rail, which they have done in Russia for a very long time. You might remember as well in World War II, the problems with the incompatibility between the German rail gauge and the Russian rail gauge as Germany tried to move their supplies on Russian rails, and Soviet rails, ultimately, but on Russian rails, and just wasn't able to do.

[00:48:57] So hacktivists in Belarus, right there next to Ukraine, said that they had infected the network of Belarus's state-run railroad system with ransomware and would provide the decryption key only if Belarus's president stopped Russian troops ahead of a possible invasion of Ukraine. So this group, they call themselves Cyber Partisans, wrote on Telegram.

[00:49:30] Now I got to warn everybody. Telegram is one of the worst places to post something if you want some privacy, excuse me, some privacy, some security. It's really bad. Okay. No two questions. So they have, apparently, this is according to what they wrote on Telegram, they have destroyed the backups as part of the Peklo cyber campaign.

[00:49:55] They've encrypted the bulk of the servers, databases and workstations of the Belarus railroad. Dozens of databases have been attacked, including, and they name a bunch of the databases. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations.

[00:50:20] They also said in a direct message that this campaign is targeting specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine. Now, this is frankly fascinating from a number of different angles.

[00:50:46] One is, it is very easy nowadays to become a cyber hacker. And in fact, it's so easy, you don't even have to do anything other than send N E. And it's been done, frankly. It's been done. People who are upset with an ex, for instance, upset with a particular company, you can go onto the dark web and you can find companies.

[00:51:13] And this REvil company was one that will provide you with the ransomware, and they will do everything for you except get that ransomware onto a computer. So you could bring it in to an employer. You can send it by email to the ex. As I mentioned, you can do a lot of stuff. And then the. Ms. Cyber hacker guys, the bad guys will go ahead now and they will collect the ransom.

[00:51:43] They'll even do tech support to help the people buy Bitcoin or whatever currency they want to have used. And then they take a percentage. So they might take 30% of it. There's a whole lot we can talk about here too, including trust among thieves and everything else. It is easy to do this. So to see an organization like these Cyber Partisans, which I'm assuming is an organization, it could be as little as one person, taking ransomware, going into specific computer systems, breaking in.

[00:52:18] Because again, even here in the US, how many of us have actually got their computer systems all patched up to date? The answer to that is pretty close to zero. And they can now go after a government, they can protect their friends. It's really something, when you start thinking about it, right? No longer do you have to be North Korea or China or Russia in order to hack someone to the point where they commit.

[00:52:51] And in this case, they're not even after the money. They just want these political prisoners freed and they want Russia to stop shipping in troops, supplies, into the area in Belarus next to or close to. Very fascinating. There is a whole lot of information about this online. If you're interested, you can read more about it.

[00:53:15] It's in my newsletter, my show notes. I have links to some articles in there, but it really is a tool for the under. We've never really seen this before. It's quite an interesting turn in the whole ransomware narrative. It's just in crazy. That's a quote from a guy over at SentinelOne. Alright.

[00:53:40] Lots to consider and lots to know and do, and you can find out about all of the. One way, subscribe right now at craigpeterson.com. I promise I'm not going to harass you. Stick around.

[00:53:55] We've heard a lot about automated cars. And of course we talked about them a lot here too, but that original vision of what we would have, it's gone now. It's fascinating. We're going to talk about that journey of automated cars.

[00:54:12] For years, automakers have been telling this story about how these automated cars are going to drive themselves around and do just wonderful things for us.

[00:54:24] And as part of that, they've decided that the way it's going to work, and I remember talking about this, 'cause I think it's a cool idea, is that there will be a fleet of these vehicles. Think about maybe an Uber or Lyft where you get on the phone and you order up a car and it says, hey, that driver will be here.

[00:54:45] Here's the license plate, the driver's name and picture. It's really cool, but General Motors and Lyft haven't gotten there. They signed an agreement to have electric autonomous cars as part of Lyft's fleet of drivers. They did that back in 2016, a long time ago. Ford promised what it called robo taxis and that they would debut by 2021. Daimler, of course, the company that makes Mercedes-Benz, said it would work with Uber to deploy fleets of their car.

[00:55:27] And the logic was really financial and it made a lot of sense to me, which is why I was so excited. I have car outside. You know about my Mercedes, you. How often do I drive that 40-year-old car? Most of the time it's sitting there parked, most of the time, because I don't go very many places very often.

[00:55:50] What would it be like then to just be able to have an Uber or Lyft type app on my phone that says, okay, tomorrow I have a 10 o'clock meeting in Boston and I want a car to take me there. So the. Checks with the servers and figures out, okay, a 10 o'clock meeting, that means you're going to have to leave at 8:30 in order to get around the traffic that's normally happening.

[00:56:18] And so we'll have a car there for you. So all I have to do is walk out. The app'll probably remind me, my butt out of bed and get outside, 'cause the car is about to arrive. So the car pulls into my driveway or maybe just stops on the road and the app reminds me, hey, the car's there. I go out. I get in.

[00:56:37] And on the way down, I can work on getting ready for the meeting, getting some things done, just really kicking back, maybe having a nap as we go. And I'm there on time for my 10 o'clock. Just phenomenal. And from a financial standpoint, nowadays, how much is a car costing you? Have you ever done the math on that?

[00:56:59] How much does a typical car loan run you per month? And I also want to put in, how about these leases? How many of us are leasing cars? My daughter leased a car. Can't believe she did that. Didn't, at least to me, it didn't make financial sense, but maybe that's just because I've been around a while. But looking right now at some statistics from Credit Karma, they're saying US auto loans, new cars, your average monthly payment is $568.

[00:57:32] For an average loan term of 71 months. Good grief. Used cars, about $400 a month payment and average loan term, 65 months. I can't believe that. I've never had a car loan for more than three years. Wow. That's incredible. So we're talking about six-year notes on a new car. Wow. I guess that's because people buy cars based on the monthly payment, right?

[00:58:04] So figure that out. If you're paying $500 a month, how about just paying a subscription service? $500. You can get so many rides a month and you don't have to maintain the car. You don't have to buy insurance. You don't have to make any fixes. You don't have to do anything. And the car will just show up.

[00:58:23] That's what I was excited about. And it had some just amazing implications. If you think about it, city dwellers and people who were directly in the suburbs, it'd be just phenomenal. And you could also have the robo taxis for longer trips. You can abandon that personal car. Really alternate.

[00:58:46] So now it's been about a decade into this self-driving car thing that was started. And we were promised all of these cars. It reminds me of the fifties, we're all going to be driving flying cars by. George Jetson one, when was he flying around the cities, but that's not happening.

[00:59:07] Okay. The progress on these automated vehicles has really slowed. Automakers and tech companies have missed all kinds of self-imposed deadlines for the autonomy. Look at what Elon Musk has promised again and again, it's. Basically in 2020, late 2020, it was going to have fully autonomous cars, even calls itself dry.

[00:59:30] When it isn't really self-driving, it certainly isn't fully autonomous. It more or less drives. It stays in the lane as it's driving down the highway. But the tech companies are looking for other ways to make money off of self-driving tech. Some of them have completely abandoned their self-driving cars. The sensors like the LIDAR, and I've had the LIDAR people on my show before, they've all gotten cheaper.

[00:59:55] It doesn't cost you $50,000 now just for one LIDAR sensor. Think about what that means to these cars. So some of these manufacturers of these future autonomous cars are shifting to a new business strategy. And that is selling automated features directly to customers. In other words, you're going to buy a car, but that car isn't going to do much.

[01:00:24] Think about the golden key that the tech companies have used for years, right? IBM, well-known for that. You buy a mainframe from IBM or a minicomputer from Digital Equipment Corporation, and you have the same computer as someone that has this massive computer. But in fact the difference is that they turn off features, and we're seeing that right now.

[01:00:49] I've mentioned that Subaru before, where they are charging people for upgrades, but some of the companies are charging you monthly to use a remote start feature, for instance, and many others. So what's happening is a major change. We have the Consumer Electronics Show, right? January 20, 20, and General Motors CEO Mary Barra said that they would, quote, aim to deliver our first personal autonomous vehicles as soon as the middle of this decade.

[01:01:22] So again, it slipped, right? I'm looking at a picture of what they're considering to be the new Cadillac car that should be out next year, maybe thereafter. It is gorgeous. Absolutely gorgeous. But this announcement, right? Yeah. We're going to have autonomous vehicles, middle of the 2020s. She had no specific details at all.

[01:01:48] And apparently this personal robo car project is completely separate from this robo taxi fleet that's been developed by GM's Cruise subsidiary. And Cruise said it has plans to launch a commercial service in San Francisco this year. So they're going after multiple paths. The logic here is financial.

[01:02:11] The reasoning has changed and they're offering autonomy as a feature for the consumer market. Tesla, Elon Musk, they've been charging $10,000 now for the Autopilot driver assistance feature. They're planning on raising it to $12,000 here early 2022. Tesla technology can't drive a car by itself.

[01:02:37] But he's going to charge you if you want it. And I expect that's going to be true of all of the major manufacturers that are out there. And by the way, they're also looking at customization, like color-changing cars and things. They're going to charge them as features. Hey, stick around. Visit me online.

[01:02:58] craigpeterson.com.

[01:03:01] Just how secure are our smartphones? We've got the iPhones, we've got Android out there. We've talked a little bit about this before, but new research is showing something I didn't really expect, frankly.

[01:03:23] Hi, I'm Craig Peterson, your cybersecurity strategist. And you're listening to News Radio WGAN AM 560 and FM 98.5. Like to invite you to join me on the morning drive Wednesday mornings at 7:34, Matt and I always discussing the latest in cybersecurity technology. And Matt always keeps you up to date.

[01:03:50] We've got some new research that Wired had a great article about last week that is talking about the openings that iOS and Android security provide for anyone with the right tools. You're probably familiar, at least vaguely, with some cases where the FBI or other law enforcement agencies have gone to Apple and tried to have.

[01:04:17] Old break into iPhones. Apple's refused to do that. One in particular, down in Southern California, where they tried to get Apple to open up this iPhone and tell them who was this person talking to after a shooting of fellow employees at a. It was really something. There was a lot of tense times, and we've seen for decades now the federal government trying to gain access to our devices.

[01:04:51] They wanted a back door. And whenever you have a back door, there's a potential that someone's going to get in. So let's say you've got a. And your house has a front door. It has a back door, probably has some windows, but we'll ignore those for now. Okay. And you have guards posted at that front. All someone needs to do is figure out how to get into that back door.

[01:05:18] If they want to get into your house, it might be easy. It might be difficult, but they know there's a back door and they're going to figure out a way to get in. And maybe what they're going to do is find a friend that works for that security company that posted the guards out front. And see if that friend can get a copy of the.

[01:05:39] That'll let them in the back door. And that's where we've had some real concerns over the years here, decades, frankly. First, I remember this coming up during the Clinton administration, very big deal with the. That they were pushing. This was a cryptographic chip that they wanted every manufacturer to use if they wanted to have encryption, and the White House and every federal government agency, and probably ultimately every local agency, had the ability to break any encryption that was created by the Clipper.

[01:06:17] In fact, we were able to track Saddam Hussein and his sons and his inner circle, because he was using some encrypted phones that were being made by a company in England. And that company in England did have a back door into those encrypted phones. And so we were able to track them and we could listen in on all of their communications back and forth.

[01:06:44] And it's really, frankly, oppressed. When that sort of thing happens. So what do you do? What are you supposed to do? How can you make it so that your devices are safe? There are some ways to be relatively safe, but these cryptographers over at Johns Hopkins University used some publicly available documentation that was available from Apple and Google, as well as their own analysis.

[01:07:14] And they looked into Android and iOS encryption and they found it lacking. So they studied more than a decade's worth of reports about which mobile security features had been bypassed, had been hacked, had been used by law enforcement and criminals in order to get into these phones. They got some of these hacking tools off of the dark web and other places, and they tried to figure.

[01:07:46] So we've got a quote here from Johns Hopkins cryptographer Matthew Green, who oversaw the research. It just really shocked me, because I came into this project thinking that these phones are really protecting user data. Now I've come out of the project thinking almost nothing is protected as much as it could be.

[01:08:10] So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad? Now there's some real interesting details, if you like this stuff. I followed cryptography for many decades now. I've always found it fascinating. There are some lightweight things I'm going to touch on here.

[01:08:33] We won't get too deep in this, but here's another quote. Again, Johns Hopkins University, on Android: you can not only attack the operating system level, but other different layers of software that can be vulnerable in different ways. Another quote here, on iOS in particular: the infrastructure is in place for hierarchical encryption.

[01:08:57] Now, hierarchical encryption is various layers of encryption. If you have an iPhone or an iPad, or if you have most Android phones nowadays, if you use a passcode in order to unlock the phone, or even a fingerprint or a face, your method of authentication is used to encrypt everything on the phone, but in reality, everything on the phone is only fully encrypted when the phone is powered off.

[01:09:36] Now that's a real interesting thing to think about, because obviously the phone can't work if everything's encrypted. It needs access to the programs. It needs access to your data. So what they found, bottom line, was the only way to have a truly safe machine, or a smartphone in this case, is to turn it off, because when you turn it on and it boots up on first boot, now it gets.

[01:10:08] Either by biomedical information, like your fingerprint or your face print, or your passcode, it then has a key that it can use to decrypt things. So Apple has on the iPhone something they call complete protection, and that's again when the iPhone has been turned off and boots up, because the user has to unlock the device before anything can happen on the phone.

[01:10:33] And the is protections are very. Now you could be forced to unlock the phone by a bad guy, for instance, or in some cases, a warrant or an order from a judge, but forensic tools that they are using, the police and the criminals, really would have almost no luck at pulling information off of your phone.

[01:10:59] That would be useful at all, because it would all be encrypted, right? If they could. So once you've unlocked your phone after that first reboot, after that reboot, right? You unlocked it after power up. A lot of the data moves into a different mode that Apple calls protected until first user authentication.

[01:11:20] But it's what I call after first unlock. So when you think about it, your phone is almost always in the after first unlock. Because how often do you reboot your phone? No, it's pretty rare that your phone might do on. And this is particularly true for iPhones, might do updates and boot and reboot. And then of course you have to unlock that phone, but it doesn't go much further.

[01:11:49] The net and that's what's interesting. That's how law enforcement and the bad guys, these Israeli companies and others, have been able to get into iPhones and get into Android devices, because ultimately if that computer is turned on and you've logged in, there's a lot of data that's no longer encrypted.

[01:12:10] Oh. And by the way, that's also how some of these attacks occur on our laptops. Particularly if you traveled to. In the memory on that laptop that you close the lid on, you have to re-log into, is the key to unencrypt everything, right? Because you logged in once. So all they have to do is freeze the memory, duplicate the memory and put it back in. Part of the reason, by the way, that Apple laptops have their memory soldered in. You can't do that kind of attack.

[01:12:44] Stick around. We'll be right back.

[01:12:48] VPNs are good and they are bad. It depends on the type of VPN. Many of these commercial VPNs that people are using are actually very bad for you when it comes to your security.

[01:13:04] VPNs are problematic. I did a couple of boot camps on VPNs. Probably, I think it was about last year.

[01:13:13] Yeah, it was last spring. And I went through and explained and showed exactly why commercial VPNs are one of the worst things you could possibly do if you want to stay secure. Now lemme just give you the high level here. I have given people copies of this. If you're interested in a link to that VPN webinar that I did, I'd be glad to send it to you.

[01:13:45] Just email me, me@craigpeterson.com, and ask me for the VPN information and I'll send that all off to you. I also wrote something up that I've been sending out to people that have asked about VPNs, 'cause it's one of the most common questions we have, frankly. But here's your problem with commercial VPNs.

[01:14:05] Most all of them say, oh, your information's safe, zero logging, et cetera. And yet we have found again and again that's not. In fact, it can't possibly be true in almost every case, because most of these VPN services are running out of other people's data centers. So they might be in an Amazon data center or IBM or Microsoft.

[01:14:32] And inside that data center, your data is coming in and then it's going to. So let's say you're using a VPN and you're connecting to a website. I don't care. Go to google.com via a VPN. So you're using one of these services that's advertised all over creation. And what happens now is your web request to get to Google passes over that encrypted VPN and comes to an exit point, because at some point it has to get onto the regular internet.

[01:15:07] How else are you going to get to that website on the other side? You can't, unless you get to the regular internet. So at the other side, now the server that's receiving the endpoint of your VPN is going to send the request to Google. Google is going to respond to that VPN server. It's going to be encrypted and sent back to you.

[01:15:30] So what's the problem with that? There's multiple problems. One is the data center can see that there is the request going up to Google. Now he might not be able to tell who it was. But if that VPN server has been hacked, and let me tell you, it is a big target for hackers, government hackers, as well as bad guys.

[01:15:54] Then they do know who went out there, and depending on how it was hacked and how the VPN was set up, they may even be able to see all of the data that you're sending back and forth. It's called a man in the middle of. And some of these VPN services do it by having you install some software on your computer.

[01:16:15] And as part of that installation, they provide you with a master key that they then use to spoof the keys for the websites you're going to. So, to explain that, what happens is if you were to go right now on your web browser, go to craigpeterson.com as an example. So craigpeterson.com. I'm typing it in right now in the browser.

[01:16:43] That's directly in front of me. Now you'll see a little lock up in the URL. What does that mean? If you click on that lock, it says something about the connection being secure. Are you familiar with that? What's actually happening is it's using SSL/TLS keys, but it's using encryption now to send the data from your computer.

[01:17:11] To my server that's hosting craigpeterson.com. And then my server is sending all of the webpage back to you, encrypted. In fact, a VPN has been established between your web browser and my web server. So why use a third-party VPN? Because your data is encrypted already, right? Could it be more simple than that?

[01:17:46] Now, remember again that the server on the VPN service that you're using is a prime attack target for everybody else. As I said, from government agencies through hackers. So your data is likely less safe, because if they get a hold of it, they can do all kinds of things to your data and to. And then on top of it all, the VPN service may well be selling your data in order to make money to support the VPN service, because free VPNs, inexpensive VPNs, the ones that are charging you five or 10 bucks a month, cannot possibly afford to provide you with that service.

[01:18:38] And in the bootcamp, I go through all of the numbers here, the costs involved. With a VPN service it's not possible to do. They can't make any money off of it. So it is a very big problem for you to use one of these public VPN services. Now, I want to talk about an article that was on Z.

[01:19:06] Apparently Europol, which is of course the police over there in the European nations, has seized servers. What servers? VPN servers in Europe. Now they seized the servers because they were used by, who was it? Grandma looking at pictures of the grandkids? Was it people watching cat videos? Who was using the VPN server?

[01:19:33] The paid VPN service. Wow. It was criminals. And when they seized these VPN servers that were also being used by criminals, they found more than a hundred businesses that had fallen victims to attacks. So who uses VPN services? People who want to hide something, as well as people who just want to have their data secure.

[01:20:01] Another reason not to use VPN services. So as a part of the joint action by Europol, Germany's police, Hanover police department, the FBI, UK National Crime Agency, and others seized 15 servers used by VPNLab dot. Okay. So VPNLab.net, obviously no longer usable. And they started looking at all of the records that were being kept in these servers and used that to find the criminal.

[01:20:36] Does that make sense to you? So VPN lab.net was, according to these charges, facilitating illicit activities, such as malware distribution. Other cases showed the service's use in setting up infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. You like that.

[01:20:59] Now they were using OpenVPN technology, which is actually very good. As part of that VPN information, I can send you if you're interested, just email me, me@craigpeterson.com. Let me know what you're interested in, and I'll whoop you off an email. Give me a few days, I can get behind sometimes, but you can set up your own private VPN server if that's what you want to do.

[01:21:25] And I've gotten instructions on how to do that in that little special report in that email, but they were providing what they called online anonymity, this VPN lab.net service, for as little as $60 a year. Okay. You like that? So they provided what they call double VPN servers and a lot of different countries and made it a popular choice for cyber criminals.

[01:21:52] Very big deal. Okay. So be very careful with VPNs. Also be careful of the VPN you might be using for your business. Let's say you've got something that isn't terribly secure or not secure at all as your firewall, right? So you buy a nice little firewall or this is so great. It's not expensive. And I got it online from a big box retailer.

[01:22:14] Most of them out there do not meet the minimum standards you really need in order to keep your business. And there's only two companies that do: one of them, Cisco, and one of them's Juniper. That's it. None of the other firewalls with VPNs meet the minimal standards you need to have, but those be glad to sell it to you.

[01:22:37] They'll be glad to tell you that it's perfectly secure, but it is not, okay? Just went through that again with a company this week, an engineering firm, and at least they understand some of the stuff, but they were trying to do the right thing and they were being misled by these various vendors. So this action against VPN lab took place in January, involved with authorities from Germany.

[01:23:03] The Netherlands, Canada, Czech Republic, France, Hungary, Latvia, Ukraine, US, UK, as well as Europol. So there you go. You've gotta be careful, don't trust VPNs, right? I've been saying that for a very long time. And then the other thing I want to. Is hopefully this summer we're going to be traveling.

[01:23:28] And when you're traveling, the temptation is to use public wifi. Might be at the hotel. It might be at a restaurant, coffee shop, whatever. Okay. I admit to doing that myself. But here's two things you need to be careful with. One, use good DNS filtering. Now we sell and provide Umbrella, which is a Cisco product, which is extremely good.

[01:23:56] DNS filtering. You can get free DNS filtering that isn't configurable, doesn't have the options, but is fantastic, called OpenDNS. I've got, again, I did a bootcamp on that. I can send you information on it if you want. It doesn't cost you a dime for any of this stuff, but OpenDNS. And then the other thing I do, I have a high-end Cisco firewall and VPN.

[01:24:21] So when I'm on the road, even when I'm using data from the phone company, I have my secure VPN turned on, FIPS compliant, by the way, for those who know what that means. Hey, visit me online. CraigPeterson.com. Get my show notes. Get my "Wednesday Wisdoms," everything. CraigPeterson.com. It's easy to sign up right there on any page.

Author: Aron Pacocha
