Could Using the Right Multi-Factor Authentication Save You?
I had a good friend who, this week, had his life's work stolen from him. Yeah. And you know what caused it? It was his password. Now, you know what you're supposed to be doing? I'm going to tell you exactly what to do right now.
Let's get right down to the whole problem with passwords.
I'm going to tell you a little bit about my friend this week. He has been building a business for maybe going on 10 years now, and this business relies on advertising. Most companies do so in some way; we need to have new customers. There's always some attrition. Some customers go away. So how do we keep them?
We do what we can. How do we get new customers? For him, it was advertising, primarily on Facebook. He did some Google ads as well, but Facebook is really where he was focused. So how did he do all of that? Here's the bottom line: if you are going to be advertising on Facebook, you have to have an advertising account.
The same thing's true for Google. And then, on that account, you tie in either your bank account or your credit card. I recommend a credit card so that those transactions can be backed up. And on top of all of that now, of course, you have to use a pixel. So the way the tracking works is there are pixels on websites; I've talked about those already.
And the bottom line with the pixels: the pixels are used to set a cookie so that Facebook knows what sites you've gone to. So he uses those. I use those. In fact, if you go to my website, I have a Facebook pixel that gets set. And the reason for all of that is so that we know who might be interested in something on the site. So I know that there are many people interested in this page or that page. And so I could, I have not ever, but I could now do some advertising. I could send ads to you so that if you were looking at something particular, you'd see ads related to that, which I've always said is the right way to go.
If I'm looking to buy a pickup truck, I love to see ads for different pickup trucks, but if I don't want a car or truck, I don't want to see the ads. It isn't like TV, where it sometimes seems every other ad is about a car or a pickup truck. It drives me crazy because it's a waste of their money in advertising to me. After all, I don't want those things.
And it's not only just annoying and money-wasting. There are better ways to do targeting, and that's what the whole online thing is. Anyways, I told you about that because he had set up this pixel years ago. Basically, the Facebook pixel gets to know you, all of the people who like you, that might've bought from you.
Because you can have that pixel track people through your site, your purchase site; they know what you purchase in the shopping cart, et cetera. And you can identify these people over on Facebook in their ads because they abandoned the cart, or whatever it is you want to do there. So there's just a whole ton of stuff that you can do for these people.
And it is so valuable. It takes years to build up that account, years to put that pixel in place. And our friend here, he had done precisely that. Then he found that his account had been compromised. And that is a terrible thing in this case, because the bad guy used his account to place ads. So now there are really two or three problems here.
We'll talk about one of them. Why was the bad guy going after him? He has been running ads on Facebook for a long time. So as far as Facebook is concerned, his account is credible. All of the ads he runs don't have to be reviewed by a human being. They can go up almost immediately. He doesn't have to wait days for some of these things to go up.
So our bad guy can get an account like his that has years' worth of advertising credibility and now start advertising things that are not correct. So there again is part of the value of having one of these older accounts for advertising. And so the bad guy did that: used his credibility. And then secondly, he used 25 grand worth of my friend's money to run ads.
Also, of course, very bad, very bad. So I sat down with him. In fact, it was this last week, and I was out on a trip, just a vacation trip. It was absolutely fantastic. I never just do vacation; it's always business plus work whenever I do anything like this, but I was on a trip last week. And so my eldest son, who works closely with me and is also part of the FBI InfraGard program, I had him reach out to my friend, and he helped him out, and they talked back and forth. So here's the problem that he has, and I'm trying to figure out a perfect way to solve this, and I haven't figured that out yet.
And if you guys have an idea, because you are the best and brightest, you really are, go ahead and drop me an email at email@example.com if you have a good way around this particular problem, which is: he has this Facebook ad account and many other accounts, including his website, hosting account, email account, et cetera.
And he has people who manage his ads for him, who operate his website for him, who put up some promotions, advertising, and everything else. So these are third parties. This is what we generically call supply chain risk: people who are not him have access to his stuff, his private property.
And how does he do it, or how did he do it? He went ahead and gave them access by giving them accounts or passwords. How well were they guarding their passwords and their accounts? So the first thing I had my friend do was go to haveibeenpwned.com.
I had him put in his email address, the one he uses the most, and it showed up in five different hacks, data dumps. So these are five various sites where he had used that same email address in this case. And he found out that in those five cases, the bad guys got his passwords and personal information.
All bad. And he went ahead and cleaned it up. So I said, put in the password, because Have I Been Pwned also lets you check your password, to see if it has been used by someone else and then stolen. So there are billions of passwords in this database. It's incredible, all of these known passwords.
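Here is an added example, not from the show, of how that password check works without handing the password to anyone: only the first five characters of the password's SHA-1 hash are sent to the Pwned Passwords range API, and the full hash is matched locally against the returned list. The range response embedded below is constructed so the example runs offline; the counts are made up, and `live_lookup` shows the real API call but is optional.

```python
import hashlib
import urllib.request

# Constructed sample of one range response, in the "SUFFIX:COUNT" format the real
# Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>) returns.
# A real response holds hundreds of lines; the counts here are made up for the example.
# Prefix "5BAA6" is the first five hex characters of SHA-1("password").
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # constructed count for "password"
        "1E6D0B7AC7E8D93B7B5D3B6F2A2C9E1A0A1:2",        # constructed filler entry
        "2F0A9C7C9B1D6E4F1A2B3C4D5E6F708192A:0",        # padding entries carry count 0
    ]),
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex):
    """k-anonymity split: only the 5-character prefix ever leaves the machine."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and lower case."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count or 0)
    return counts


def offline_lookup(prefix):
    """Stand-in for the HTTPS call; serves the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def live_lookup(prefix):
    """Optional real lookup (needs network). Add-Padding hides the true response size."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_lookup=offline_lookup):
    """How many times the password appears in known breaches (0 = not in the range)."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-nobody-else-uses"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample range'}")
```

Pass `live_lookup` as the second argument to `pwned_count` to query the real service; the password itself is still never transmitted.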
So he put in his password, and no, it had not been stolen, but the problem is, how about the people that were managing his ads on Facebook and managing his Facebook ad account? Were the usernames, which are typically the email addresses, and the passwords kept securely? That's the supply chain thing I'm talking about, and that's where I'd love to get input from you guys, firstname.lastname@example.org, if you think you have a good answer.
What we've been doing, and our advice to him, was: use 1Password. That's the only one to use. I don't trust LastPass anymore, after their last big hack where they got hacked. 1Password, the digit one, Password. And go ahead and set it up. And in a business scenario, you can have multiple vaults. So have a vault that's just for people that are dealing with your Facebook ad account; maybe have another vault for people who are posting for you on Facebook. Or better yet, when it comes to Facebook, go ahead and have an intermediary that is trusted, like If This Then That, or there are a few of them out there, that can see that you put the post up on the website and automatically post it on Facebook.
So you don't have to give all of these people your passwords, but again, it's up to you. You've got to figure out if that makes sense to you. Those are the types of things that I think you can do, and that is what we do as well. Now, one of the beauties of using 1Password like that, where you're not sharing all of your passwords to everything, you're sharing the minimum amount of login information that you possibly can share, is that if they leave, your employees, all you have to do is remove their access to the appropriate vault or vaults, or maybe all of your vaults.
And this is what I've done with people that worked for me in the US and people who worked for me overseas, and there have been a lot of them, and it has worked quite well for me. So with 1Password, we can enforce password integrity. We can make sure the passwords aren't stolen. 1Password ties automatically into Have I Been Pwned to check if a password has been exposed, if it's been stolen online. It's a great way to go.
Now I've got an offer for you guys who are listening. I have a special report that I've sold before on passwords, and it goes through, talks about 1Password. It talks about LastPass, which I'm no longer really recommending, but gives some comparisons and how you can use these things.
Make sure you go and email me right now: Me@craigpeterson.com. That's ME at Craig Peterson dot com. Just ask me for the password special report, and I'll be glad to get that off to you. There is a lot of good detail in there, and it helps you, whether you're a home user or a business.
So the next step in your security is multi-factor authentication. There's an interesting study out saying that about 75% of people say that they've used it for work or for business, but the hard numbers, I don't think they agree.
One of the things that you have to do is use good passwords. And the best way to do that is to use a password manager.
I was talking about a friend of mine who had been hacked this last week, and his account was hacked. His Facebook ad account was hacked. We asked him if we could reach out to the FBI, and he said, sure. So we checked with the FBI, and they're looking to turn this into a case, a real case, because they've never seen this type of thing, the hijacking of an advertising account. Who hijacked it?
And why did they hijack it? Was this in preparation, maybe, for playing around with manipulating our next election cycle coming up? There could be a lot of things that they're planning on doing, and taking over my friend's account would be a great way to have done it. So maybe they're going to do other things here.
And our friends at the FBI are looking into it. How now do you also keep your data safe? Easily, simply. When we're talking about these types of accounts, the thing to look at is known as two-factor authentication or multi-factor authentication. You see, my friend, if he had been using multi-factor authentication, he would not have been vulnerable.
Even if the bad guys had his username, email address, and his password, they still would not be able to log in without having that little six-digit code. That's the best way to do multi-factor authentication. When we're talking about this code, whether it's 4, 5, 6, or 8 digits long, we should not be using our cell phones to receive those.
At least not as text messages. Those have a problem because our phone numbers can be stolen from us, and they are stolen from us. So if we're a real target, in other words, they're going after you, Joe Smith, and they know you have some $2 million in your account, so they're going after you, well, they can, in most cases, take control of your phone.
Now, you might not know it, and it doesn't have to be hacked. All they have to do is have the phone company move your phone number to a new phone. So that means one of the things you need to do is contact your telephone vendor, whoever it is who's providing you that service. That's a company like Verizon, Sprint, T-Mobile, AT&T, one of those companies that are giving you cell service. You have to contact them and set up a passcode.
So that if they have a phone call coming in, and that phone call can be faked so it looks like it's coming from your phone, even if there was a phone call coming in, whether it's coming from your phone or not, they have to get that password or passcode that you gave them. And once they have that passcode, now, that's great, but if you don't have that in there and they're targeting you specifically, then you're in trouble. So for many of us, really, it may not make a huge difference, but I would do it anyways. I have done it with every one of my cell phone carriers now for a couple of decades: set up a password. So the next step is this multi-factor authentication.
If I'm not supposed to get it via text message to my phone, how do I get it? There are a couple of apps out there. There's a free one called Google Authenticator, and Google Authenticator runs on your phone. And once it's there on your phone and you are setting it up on a website, so Facebook, for instance, your bank, most websites out there, the bigger ones, all you have to do is say, I want to set up multi-factor authentication, and then it'll ask you, okay,
so how do you want to do it? And you can say, I want an app, and they will display a QR code. That's one of those square codes with a bunch of little lines inside of it. You've seen QR codes before; they've become very common. And you take your phone with the Google Authenticator app, take a picture of that little QR code on the screen, and now it will start syncing up so that every 30 seconds Google Authenticator on your phone will change that number.
So when you need to log back into that website, it's going to ask you for the code. You just pull up Google Authenticator, and there's the code. So that's the free way to do it, and not necessarily the easiest way to. Again, going back to 1Password: I use this thing exclusively. It is phenomenal for keeping my passwords, keeping them all straight in an encrypted vault, actually in multiple encrypted vaults, so that I can share some of them.
Some of them are just strictly private, but it also has that same authenticator functionality built right into it. Microsoft has its own authenticator, but you can tell Microsoft that you want to use the standard authenticator. Of course, Microsoft has to do everything differently. But you can tell it.
And I do tell it, I want to use a regular authenticator app, not Microsoft Authenticator. By the way, that's why I advise you: don't use the Microsoft Authenticator, just use one authenticator for all of the sites, and then Microsoft will give you that same QR code. And then you can take that picture, and you're off and running.
Next time you log in, it asks you for the code, and instead of texting it to your phone, smart or otherwise, it will now require you to open up your authenticator. So for me, for instance, when I'm logging into a website, it comes up and asks for the username, asks for the password. Both of those are filled out automatically by 1Password for me.
And then it asks for that code, that identification code, and 1Password automatically puts it into my paste buffer, copy-paste buffer, and I just paste it in, and they've got the code. So I don't have to remember the codes. I don't remember passwords. I don't have to remember usernames or email addresses.
1Password remembers them all for me. Plus, it'll remember notes and other things. So you can tell, I really like 1Password. We use it with all of our clients. That's what we have for them. And it does meet even a lot of these DOD requirements. On top of that, depending again on how much security you need, we will use Duo, D U O, and it also has this authenticator functionality, and we will also use YubiKeys.
These are those hardware keys. Duo can provide you with hardware tokens. Those are those little tokens that can go onto your key ring that show a changing six-digit number every 30 seconds. And that's the same number that would be there in your smartphone app, your 1Password or Google Authenticator smartphone app.
Hopefully, I didn't confuse you too much. I think most of the reason we're not using the security we should is because we're not sure how to, and we don't know what we're going to be. And I can see that being a big problem. So if you have questions about any of this, if you would like a copy of my password security special report, just send an email to me.
Me, email@example.com. That's me, M E, firstname.lastname@example.org. That's S O N dot com. I'll be glad to send it to you. Also, if you sign up for my newsletter there at email@example.com, you are going to get a whole little series of the special reports to help you out, get you going. And then every week I send out a little bit of training and all of my articles for the week.
It's usually six to 10 articles that I consider to be important, so that you know what's going on in the cybersecurity world, so you can deal with it for yourself, for your family, for your business. CraigPeterson.com.
According to researchers, 32% of teen girls said that when they felt bad about their bodies, Instagram made them feel worse. And you know what? Facebook knew and knows Instagram is toxic for teen girls.
There's a great article that came out in the Wall Street Journal.
And I'm going to read just a little bit here from some of the quotes first: "When I went on Instagram, all I saw were images of chiseled bodies, perfect abs and women doing 100 burpees in 10 minutes," said Ms., now 18, who lives in western Virginia. Amazing, isn't it? The one that I opened with now: 32% of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.
So that is from studies again. It looks like, yeah, these were researchers inside Instagram, and they said this in a March 2020 slide presentation that was posted to Facebook's internal message board that was reviewed by the Wall Street Journal: quote, "Comparisons on Instagram can change how young women view and describe themselves."
Apparently, for the past three years, Facebook has been conducting studies into how Instagram is affecting its millions of young users. Now, for those of you who don't know what Instagram is, it allows these users to create little stories, to have pictures, videos of things that they're doing, and it's a lifestyle type thing. You might've heard, of course, of how this, I don't know what it is,
kidnapping, murder plot, this young couple, and the body, I think, was found up in Wyoming. I'm trying to remember, but, of her, and it's, yeah, there it is. It was in Wyoming. And I'm looking it up right now: Gabby Petito. That's who it is. She was what they called a micro-influencer. And I know a lot of people who, you know, that's what they want to be.
There's a young lady that stayed with us for a few months. She had no other place to live, and so we invited her in here, and we got some interesting stories to tell about that experience. And it's a little sad, but anyhow, she got back up on her feet, and then she decided she was going to become an influencer.
And what an influencer is, is someone that has a lot of followers. And of course, a lot means different numbers. You get these massive influencers that have tens of millions of people that, quote, follow, unquote, them. And of course, just think of the Kardashians; they're famous for being famous, nothing else.
They have subsequently done some pretty amazing things. At least a few of them have. We've got one of those daughters who now was the youngest billionaire ever, I think it was. So they have accomplished some amazing things after the fact, but they got started by just becoming famous by posting on these social media sites.
So you get a micro-influencer, like Gabby Petito, who is out there posting things and pictures. And you look at all of these pictures and, oh my gosh, they're up at this national park. Oh, isn't she so cute. Oh, look at her boyfriend. They look so good together. And people fall for that image, right? It's just like Photoshopping these pictures of models, changing them.
There've been some real complaints about those over the years. So Instagram sets these kids up with these pictures of people that are just totally unrealistic. One of the slides from a 2019 presentation says, quote, "We make body," excuse me, "We make body image issues worse for one in three teenage girls." "Teens blame Instagram for increases in the rate of anxiety
and depression," said another slide. "This reaction was unprompted and consistent across groups." Among teens, this is according to the Wall Street Journal, who reported suicidal thoughts, 13% of British users and 6% of American users traced the desire to kill themselves to Instagram. Again, according to one of these presentations. Isn't this just absolutely amazing?
And you might've heard it discussed a little bit. I saw some articles about it, obviously in the news; the Wall Street Journal had it. But this is a $100 billion company, Instagram. That's what their annual revenues are. More than 40% of Instagram users are 22 years old and younger. And about 22 million teens log into Instagram in the US each day, compared with 5 million that log into Facebook; the younger users have been declining
on Facebook. The population there is getting older and older on Facebook. On average, teens in the US spend 50% more time on Instagram than they do on Facebook. And also TikTok, by the way; TikTok has now surpassed YouTube in some of these metrics. Quote, "Instagram is well-positioned to resonate and win with young people," said a researcher's slide posted internally
inside Facebook. Another post said there is a path to growth if Instagram can continue their trajectory. Amazing. So Facebook's public face has really tried to downplay all of these negative effects that the Instagram app has on teens, particularly girls, and hasn't made its research public or available to academics or lawmakers who have asked for it.
Quote, "The research that we've seen is that using social apps to connect with other people can have positive mental health benefits," said Mark Zuckerberg. He's the CEO, of course, of Facebook. Now, this was 2021, in March, at a congressional hearing; he was asked about children and mental health. So you see how he really lawyered the words: that they can have positive mental health benefits. But Facebook's own internal research seems to show that they know it has a profound negative effect on a large percentage of their users.
Instagram head Adam Mosseri told reporters in May of this year that research he had seen suggests the app's effect on teens' wellbeing is likely, quote, "quite small." So what the Wall Street Journal seems to be pointing out here is that Facebook is not giving us the truth on any of this stuff. It's really sad.
We've got to be careful. Now, apparently Mr. Mosseri also said that he's been pushing very hard for Facebook to really take their responsibilities more broadly. He says they're proud of this research. I'm just summarizing this before we run out of time here, but it shows, the documents, internal documents at Facebook, show that they are having a major impact on teen mental health, political discourse, and even human trafficking.
This internal research offers an unparalleled picture, according to the Wall Street Journal, of how Facebook is acutely aware that the products and systems central to its business success routinely fail. Great article. I've got it in this week's newsletter. You can just open it up and click through on the link to the Wall Street Journal.
They have a paywall, and I hate to use paywalled articles, but this one's well worth it. And they do give you some free articles every month. So if you're not on that newsletter, you can sign up right now: CraigPeterson.com. You'll get the next one if you miss a link today. If you want the special report on passwords, et cetera, just email me directly.
Give me a few days to respond. But: me, M E, firstname.lastname@example.org. That's me, M E, email@example.com.
We've all worked from home from time to time, at least if we're somehow in the information technology industry. I want to talk right now about why you need a personal laptop, even if the business is providing you with a laptop.
Laptops are something that was designed to be personal, but many of us are using them as our main computer.
I know I often am using my laptop. A couple of my kids and my wife, it's really their main computer, even though they all have other computers that they could potentially be using. Laptops are just handy, and you have them with you; you can take them with you. We've got workstations set up that are kind of
workstations, if you will, where there are three screens set up, and they're all hooked up into one central screen controller that then has a USB-C connection that goes right into your laptop. So you can be sitting there with four screens on your Mac laptop, on your Mac Pro, if you need four screens. It's really handy.
No question. Many of us have a laptop for home and a laptop for business. And many of us also look at it and say, oh wow, this is a great laptop I got from work. It's much better than my home laptop. And you start to use the business laptop for work at home. Okay, that's what it's for, right? But then we start to use that business laptop for personal stuff.
That's where the problems start. We've seen surveys out there that have shown that half of workers are using work-issued devices for personal tasks. They might be doing it at home; they might be doing it at the office. Things like personal messages, shopping online, social media, reading the news. So the prospect of using your work laptop as your only laptop, not just for work but also for maybe watching some movies, group chat and messaging, reading fan fiction, paying bills, emailing family or friends,
it just seems natural. It's so tempting. It's just natural. I'm on it. I'm on it all day long. Why wouldn't I just use it? And this is particularly true for people who are working from home, but we have to be careful with that. It's really something that you shouldn't be doing, for a couple of reasons. One: that
laptop, that's a business laptop, is the property of the business. It's just like walking home with boxes full of pencils and paper back in the old days. It is not yours to use for personal use. We also have to assume, since it is the company's laptop, that hopefully it's been secured. Hopefully they have set it up
so it's going through a special VPN at the office, and it's going through special filters, maybe Snort filters or something else that's doing some deeper inspection on what's coming through your laptop. Well, there are also likely, on that laptop, tools that are monitoring your device. Things like key loggers, biometric tracking, geolocation software, software that tracks your web browser and social media behavior, screenshot, snapshot software, maybe even your camera
is being used to keep track of you. I know a number of the websites that I've used in the past to hire temporary workers; those workers have to agree to have you monitor what they're doing. These hourly workers, it'll take screenshots of their screen, unbeknownst to them, pictures from the cameras at random intervals.
Again, unbeknownst to them, it'll track what they're doing. And so I can now go in and say, okay, well he billed me five hours for doing this. And I look at his screen and guess what? He wasn't doing that for all of those five hours that he just billed me. Well, the same thing could be true for your company, even if you're not paid by the hour.
Right now, we're looking at stats that show, of the businesses that are providing laptops for the employees to use, more than half of them are using monitoring software. And through this whole lockdown, the usage of these different types of monitoring systems has grown. Now, there are some of the programs you're using:
you might be VPNing in, you might be using Slack or G Suite Enterprise, all good little pieces of software. They can monitor that, obviously, but it goes all the way through to the business. And using your Slack access, as paid for by the business, is also idiotic, to do things like send messages to your buddies, set up drinks after work, complain to other people about someone else in the business, your boss, or otherwise. Your IT people at the business can see all of that.
They can see what you're doing with Slack. Even if you have a separate personal account, it's still more likely that you'll end up mixing them up if you're logged into both on the same computer. So the bottom line is, if you are on a work computer, whether it's a laptop or something else, you can reasonably assume that IT can see everything.
They own it, okay? And they have to do some of this stuff to protect themselves. We put software on laptops for companies not to spy on employees. That's none of our business. But we put software on computers for employees to make sure they stay safe. Think of what happens when your computer, your laptop, whatever it might be, connects to the company's network.
Now, that can be through a VPN. It can be because you take your laptop home or on the road when you're traveling, and you bring it back into the office. If that computer is infected somehow, now you've brought that infection into the office. And that's how a lot of the malware works. It goes from computer to computer.
So once they get in that front door, whether it's through a website, an email that you clicked on, or a computer that you're bringing into the office, they can start to move around. Now, it's not just your activity, and this is an interesting article from The Verge by Monica Chin, it's not just your activity that they can see on your laptop, but in many cases, they're also able to look at anything you're downloading, any of your photographs or videos that you might've synced up from your smartphone.
Uploading these types of things, your text messages, on your work device for safekeeping, or just because it's your primary device, might seem harmless, right? Because you're just going to remove them before you hand it in. But some companies, such as Apple, won't allow you to wipe your device before handing it in, regardless of how personal the contents are.
And that makes sense too, because many times an employee leaves, and they don't give the company all of the information that they have that they're obliged to give back to their employer: things that they've been working on, customer information, et cetera. So, man alive, there are plenty of other devices out there.
Hopefully, if you leave your company with plenty of notice, moving a bunch of things off your work device in the last few days might raise some eyebrows at the company. And I'm saying hopefully because they should notice that sort of thing, because it could be malicious activity. It could be an insider risk that maybe they're not even aware of.
There's so much that could go wrong here. So, bottom line, don't use the work laptop for home. So what should you use? You know, my personal recommendation almost always is get a Mac. They are safer to use; the patches that they get are usually not destructive. You know, sometimes you can install a patch for Windows, and now your machine just won't work anymore.
Right? You've had that happen. I know every last one of us out there that has tried to install Microsoft patches for a while has had that happen to them. All of a sudden the patch has completely messed up your computer, and you are so out of luck. It's ridiculous, right? So don't, you know, hopefully don't do that. But I like the Macs because they are basically safer than Windows.
And also because the patches just work on them; Apple tends to get them out in plenty of time to try and protect us. The next level, if you can't afford an Apple, and Apple laptops really are not expensive when you consider how long they last and the quality of the components, they are not expensive at all,
but if you can't afford that, the next thing I would look at is getting a Chromebook. There are a lot of companies that make Chromebooks. Chrome is an operating system from Google. It's similar to Android. Google keeps the Chromebooks up to date. They patch them quite regularly and make sure that there isn't nastiness going on.
You just have some of the same issues Android has: patches might take a while to get to you because they have to go through the vendor that made the Chromebook. You might have a Chromebook from Samsung, for instance; it's not Google's, even though it's called a Google Chromebook. Now, Chromebooks rely heavily on the cloud services that Google provides, but they can also run just locally.
So with a Chromebook, and you can get them for as little as 150 bucks, but remember, you get what you pay for, or as much as, I've seen them in the $2,000 price range with fancy GPUs, local storage, and other things, but at 150 bucks, it could be well worth it for you. It lets you do the regular word processing.
Just think of what you can do with Google Docs, spreadsheets, again Google Docs, spreadsheets, all of those types of things are built into it. You can cruise the web, obviously using Google Chrome on your Chromebook, and send and receive email, which is what most people do. That's really kind of all most people do at home.
So consider that as well. I also like iPads. They are quite safe, again, but they tend to be more expensive, and they can do pretty much everything. And now with Android support built right into Google Chromebooks, you can even run Android apps. So there you go. Keep safe and be safe out there, right? Have a hack-free life.
Make sure you get my newsletter. Craig peterson.com/subscribe. Craig peterson.com/subscribe.
The national cyber director, Chris Inglis, said that we need cyber bullets, that cyber bullets are part of the war on hacks. And it makes sense on one level. But when you get into the reality, it's a much different story.
I had an interesting email this week from a listener. Actually, he sent it about two weeks ago, and I finally was able to get to it this week and responded. He was pointing out how there are some things that I talk about on the show, that I put into my newsletter, that are really good.
And, I'm paraphrasing here, but theoretical to so many people. There's some things that you can figure out pretty easily yourself, some things you can do yourselves, and other things that are just difficult to do still. And a lot of that has to do with the websites you go to in order to maintain your passwords.
And he was complaining specifically about Bank of America, and how, according to what he has found here in the real world, you can come up with a password, a 20-character-long password that is going to keep everything nice and safe, that 1Password generated. You're using 1Password, and great. So you set your password up in Bank of America's account, and then you try and log in later, and it doesn't work, because it lets you put in 20-character passwords when you're creating it, yeah.
But the login screen only takes the first 16. So of course they don't match. You see, it's things like that that really are pushing us back, holding us back. But I'd say pushing us back from being secure as a country. There just aren't enough people paying enough attention to make sure this cybersecurity, even the basic stuff like passwords and two-factor authentication, is being done properly.
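The mismatch just described, a signup form that accepts 20 characters while the login form silently keeps only the first 16, as an added example that is not part of the show and not any bank's real code. `FaultyPasswordStore` reproduces the bug, `ConsistentPasswordStore` shows one shared length check on both paths; the 20 and 16 limits, the 128-character upper bound and the sample password are all assumed.

```python
"""Password length handling: signup accepts a 20-character password, but
login silently keeps only the first 16, so the stored hash never matches
what the user types back. Constructed illustration, not the show's code
and not any bank's real system; limits and sample data are assumed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

SIGNUP_MAX_LEN = 20        # assumed: longest password the signup form accepts
LOGIN_KEEP_LEN = 16        # assumed: what the faulty login form silently keeps
PBKDF2_ITERATIONS = 100_000


def derive_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over exactly the bytes the caller passes in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class FaultyPasswordStore:
    """Signup and login disagree about the maximum length (the bug)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        if len(password) > SIGNUP_MAX_LEN:
            raise ValueError("password too long")
        salt = os.urandom(16)
        self._records[user] = (salt, derive_hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        # The defect: input is cut to 16 characters before hashing, so a
        # 20-character password set at signup can never match again.
        submitted = password[:LOGIN_KEEP_LEN]
        return hmac.compare_digest(derive_hash(submitted, salt), stored)


class ConsistentPasswordStore:
    """Both paths run the same validation; overlong input is rejected, never cut."""

    MAX_LEN = 128   # assumed documented upper bound, applied identically everywhere

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    @classmethod
    def validate(cls, password: str) -> bool:
        return 1 <= len(password) <= cls.MAX_LEN

    def register(self, user: str, password: str) -> None:
        if not self.validate(password):
            raise ValueError(f"password must be 1..{self.MAX_LEN} characters")
        salt = os.urandom(16)
        self._records[user] = (salt, derive_hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        # Same rule as signup: anything signup would refuse, login refuses too.
        if not self.validate(password):
            return False
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(derive_hash(password, salt), stored)


def demonstrate() -> Dict[str, bool]:
    """Run both stores against constructed 20- and 16-character passwords."""
    pw20 = "Xq7!mZp2$Lw9^Rb4&Kd1"     # constructed sample, exactly 20 characters
    pw16 = pw20[:LOGIN_KEEP_LEN]      # a 16-character password, the longest the bug hides behind
    assert len(pw20) == SIGNUP_MAX_LEN and len(pw16) == LOGIN_KEEP_LEN

    faulty = FaultyPasswordStore()
    faulty.register("long-user", pw20)
    faulty.register("short-user", pw16)
    consistent = ConsistentPasswordStore()
    consistent.register("long-user", pw20)

    return {
        # What the listener saw: the password he had just set is refused at login.
        "faulty_20_char_login": faulty.login("long-user", pw20),
        # Anyone testing with 16 characters or fewer never notices the bug.
        "faulty_16_char_login": faulty.login("short-user", pw16),
        "consistent_20_char_login": consistent.login("long-user", pw20),
        # A correct store must not accept a prefix of the real password either.
        "consistent_16_char_prefix_login": consistent.login("long-user", pw16),
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```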
So one of the things I wanted to make sure you guys were aware of is I need to know when you're having these problems, because what I want to do is put together some trainings to show you exactly how to do it. Because on some websites, as he was saying, it's pretty hard to use 1Password. He's paying for it, but it's kinda difficult for him.
And I think, in some ways, a lack of understanding. Then it can be difficult to spend a bunch of time trying to watch some training videos for some of the software. And so I want to hear when you're having problems so I can do what I did for him this week and spend a little time, write some stuff up. And I even am reaching out to some of these websites.
People like Bank of America, who are really messing up cybersecurity for people who are trying to do the right thing, and writing them and saying, Hey, listen, I'm part of the FBI InfraGard program. I'm a member of it. I pay a lot of attention to cybersecurity. Heck, I ran the training for the FBI InfraGard program for a couple of years, and there are some real things lacking.
In the login, anyways, in this one particular case of the cybersecurity. But I don't know all of this stuff. I'm not using all of these things, and I have a disadvantage over you guys, and that is that I've been doing this for so long, I've forgotten what it's like to not know it. Does that make sense?
So if you have something that I've talked about on the show, that's appeared in my newsletter, and you're having some confusion over, let me know. Just email me: firstname.lastname@example.org. What he did is he just hit reply to my newsletter. And of course, that goes to me at email@example.com, and it tracks it.
So I know I need to reply, so I can sit down and go through and answer people's questions. I sent out a lot of copies of my password special report to people. You guys had requested it specifically; some of the people out there had requested a little bit of help. And I had sent out an email to most of the people that I could identify as being business people.
I sent out a little thing saying, Hey, listen, if you could use a half-hour of my help, let me know, myself or my team. And then, again, you can just send me an email, Craig. So I answered a lot of those questions this week. And in fact, that's how I come up with much of what I cover here on the show. You guys ask the questions, and that's how I know that it's a real problem.
If I understand it, that's one thing. But for the people who don't do cybersecurity as their primary job or a strategy, I get it. I can get why you guys are confused. So make sure you get my weekly newsletter, so you can find out about all of the trainings, the free stuff, the paid courses, and. It's easy.
Just go to CraigPeterson.com/subscribe. That's Craig Peterson, P E T E R S O N. CraigPeterson.com/subscribe. And I'm more than glad to add you to that list. And there are now thousands of people on that list who get my email pretty much every week. If you miss it one week, it's probably because I just got too busy, but I put out all my show notes.
I put in a little bit of training notes, all of it. The U.S. government is supposedly getting ready to fire what they're calling cyber bullets in response to these significant hacking attacks. This is what they're calling a comprehensive strategy to dissuade adversaries. And this is all from the national cyber security director, Chris Inglis.
This is from an article on AmericanMilitaryNews.com by Chris Strohm that was out this week. And of course I included that in my newsletter this week as well, coming out today or tomorrow, depends on how this all goes, right, with the weekend. I've got to help a buddy out today. But President Joe Biden has been really talking about how do we use cyber weapons to retaliate.
For instance, he gave a list of industries that Russia should not be attacking, as though Putin himself is running all of these hacks that come out of Russia. Yeah, certainly there are some that are part of their military, but there are many of them that are just bad guys that are trying to make some money; we should feel sorry for them.
So Biden gives him this list and says, Hey, listen, if you attack any of these various industries, or actually portions of our economy, we are going to retaliate. We have seen the U.S. retaliate under President Trump, and the retaliation? Of course he did all kinds of economic stuff to stop it, much of which has been reversed by President Biden's administration, but also he attacked them directly and took down some power systems there in the Moscow area, which I thought was really kinda cool.
So kudos to President Trump for doing that, and for President Biden now to say, Hey, we are going to attack back. Of course, the biggest question is: what would we be attacking? How would we be attacking it? And for what reason? For instance, the red Chinese have gone after our Office of Personnel Management, OPM, records and got them all back in 2015.
So they now know everything about everybody that had a secret security clearance or that took a paycheck from the federal government. They got their hands on all of those records. So Inglis was in front of the, let's see here, the, yeah, he was a former director of the National Security Agency.
He's the first to hold this Senate-confirmed position at the White House, this national cyber director position. And he says there is a sense that we can perhaps fire some cyber bullets and shoot our way out of this, Inglis said at the conference. It was hosted, by the way, by the National Security Agency and a nonprofit group. He said that will be useful in certain circumstances.
If you had a clear shot at a cyber aggressor and I could take them offline, I would advise that we do so as long as the collateral effects are acceptable. Yeah. What we have done here under President Biden's administration is we have shut down some people who were operating illegally; we have shut down some cyber actors that were attacking us.
So we've been doing that, but it isn't exactly, wow, we just saw a muzzle flash over there, and so we are returning fire to the area of that muzzle flash, because, as I've said many times before, we just don't know where in fact that bullet is coming from. It makes it a lot more difficult. Inglis went on to say there's a larger set of initiatives that have to be undertaken.
Not one of those elements is going to be sufficient to take this out. Let's see here: the U.S. should make clear to Russia and other adversaries what kinds of attacks would prompt a response, which is what President Biden did when he was talking with, of course, President Putin over there. Red lines are both good and bad; red lines are clear and crisp.
Although I've got to say many of our administrations haven't really done anything about it. It's the red line in the sand in Syria; President Obama didn't do anything when they stepped over that red line. So yeah. And then with what we just finished doing in Afghanistan, where we drew a red line and said we're going to protect all of you who helped us.
And then we not only abandoned them, but we abandoned Americans behind there. I don't think a lot of people are going to believe us. So here's the last statement here. And again, this is an article in American Military News from our cyber chief: the government's actions aren't always going to be broadcast.
In some cases, it's not helpful to broadcast those for all of mankind to see. Another one: we are doing some things behind the scenes. And I have certainly seen some of the results of those over the last few years. Stick around. You're listening to Craig Peterson, firstname.lastname@example.org.
You've got a smartphone, and there are some new versions out, right? New hardware, new software, Android, iOS. How long should you keep that device? How long can you stay safe with that older device?
Apple has now done something different, something they've never done before. One of the reasons that Apple equipment tends to be safer than almost anything else out there is that they have what's known as a closed ecosystem. There's arguments in both directions here on whether that's safer or not.
But the real advantage when it comes to cybersecurity is there are only so many versions of the iPhone out there. What are we now, a couple of dozen versions of the hardware platform? That makes it easier for Apple to be able to support older versions of the software and multiple pieces of hardware, much easier than for, let's say, Microsoft Windows.
It doesn't even have a single platform. Or Android, where there are hundreds of hardware platforms out there and tens of thousands of versions of the hardware, because one model phone can contain many changes, different types of hardware to talk to the cell towers or the screen, you name it. So it's very hard to keep up. Android has for quite a while now supported three versions of their operating system. Of course, we're talking about Google, but the Android operating system. So they support the current release of Android and the previous release, two previous releases in fact, of Android. Now that is frankly a pretty good thing to know, but there's over a billion Android devices out there that are no longer supported by security updates.
We've got Android 10, 9, and 8 that are fairly well supported right now. We're actually up to Android 12. So here's how it works. If you've got Android version 10 out, if that's the main one, then you can continue to do 8 and 9 and get updates, security updates. But then here's the problem, everybody: those security updates are coming out of Google, but that does not mean that they are making it all the way to you.
So there you go. It's one thing for Google to provide updates, but if you can't get them because your phone manufacturer is not supporting them, you've got trouble. Samsung is probably the best company other than maybe Google and the Google Pixel phone. Samsung's the best company to go to if you want some longer-term support.
Many of these other companies just don't provide support past the current version. So keep that in mind as well. Android 12 was the 12th major version of Android, announced by Google in February 2021. And it is starting to roll out. Android 11, the 11th, is the one that was out in February of last year. At least it was announced then.
And they're coming out, they're getting pushed out. So basically Google is saying the current version plus two prior versions. And that usually gives you about a four- or maybe even a five-year window. So if you've got an Android device from a major manufacturer, particularly Samsung on the Android side, your device is going to be good for at least four years, maybe five years. And by the way, you don't necessarily have to upgrade.
You could be continuing to run an older release. So, as I mentioned earlier, if version 11 is the current one that's out there being supported, which it is, right, 12 is early still, but version 11, that means two prior versions still get security updates. You don't get feature updates, you don't get the new stuff, but you get security updates.
So Android 11, the current one, that means 10 and 9 get security updates. So you don't, you're not being forced to do an upgrade. Most people don't upgrade their phones from an older major release to a newer major release. In other words, they don't try and go from Android 8 to Android 11.
Because in fact, most of the time, the hardware manufacturer doesn't support it. That's why there's over a billion Android devices out there right now that cannot get security updates. So have a look at your phone and your vendors. See what you're running. You probably want to do an update, because most phones cannot get any support.
On the Apple side, things are a lot different with Apple iOS, which is the operating system used on the iPhone and the iPad. Apple has always forced you to move to the next major version. Now, they only force you to do that if they support the hardware. And I've got to say kudos to them; they're still supporting the iPhone 6S, which came out quite a while ago.
The iPhone 6S is something that my wife has been using and that I had as well. In fact, she got my old iPhone 6S, but that's a six-year-old phone. It came out in September of 2015. So it is still getting security updates, and will probably continue to get them. Not only is it getting security updates, this six-year-old iPhone 6S is getting the latest iOS operating system.
It's getting iOS 15. Isn't that just amazing? Yeah, exactly. And so not just security updates, like you might get from some of the other vendors out there, Android vendors. So Apple keeps their arms around you for quite a while. Here's what's changed now with Apple and iOS: for the first time ever in the iOS world, Apple is not forcing you to upgrade.
So you're not being forced to upgrade to iOS 15. You can continue to run iOS 14. And that's how Apple's gotten around the security patches in the past, because what happens is you get the updates and install them. Basically, there's no reason for you not to upgrade your phone, and so you do. So Apple never had to worry about releasing some of these fixes for really old versions of iOS.
Although they have done that from time to time. On the macOS side, Apple has done a couple of good things, where they've always supported basically three releases, which is what Google's doing with Android. So you now have a new feature, if you will, with iOS. Here's a PSA for everyone, a public service announcement.
You don't have to take the iOS 15 upgrade. Now, I did. I put it on my iPhone, and I seem to have some sort of a problem with Messages where it's telling people that my phone has notifications turned off, which it does not. So I haven't figured that one out yet. I'll have to look into that a little bit more, but.
This is nice because that means you're not going to have to upgrade your iPhone to iOS 15. You'll still get security updates for iOS 14, something Apple's never done before. We'll see if they continue this. We will see if they match Google going back three releases in Android. It's just never been done before over on the iOS side.
So good news for them. Also, of course, in the Windows world and the Mac world, you really should upgrade the operating system as much as you can. Windows 11, though, man, Windows 11. And I said this in my newsletter, I warned you guys, it is going to be a nightmare for many people. You are not going to be able to do an automatic upgrade unless you have the newest of hardware, with the highest end of features. CraigPeterson.com.
One of the very big ransomware operations is back online. And now we have some inside information from one of the contractors working for this ransomware organization, and oh yeah, there's an FBI tie, too.
This organization, ransomware gang, almost a business, whatever you might want to describe them as, is known as REvil. They have a few other names, but that's the really big one. And they are basically the 800-pound gorilla in the ransomware business. You might be using cloud services right now.
Maybe you use Microsoft's email service, their Microsoft 360, I think, is what they call it now, and use it for email and various other things; pretty handy. It's mostly in the cloud rather than on computers you own or operate or have to maintain. I think that makes some sense too, but here's the bottom line: it's software as a service. Right now, Salesforce.com, software as a service; Oracle has their accounting stuff.
QuickBooks Online, all software as a service. It isn't just those legitimate businesses that I just mentioned that are using the cloud, that are providing software as a service, where you're paying monthly, or however frequently, and you're getting this software as a service. That's what that means.
Typically it means it's in the cloud and you don't have any real control over it. That's what this ransomware gang has been doing. This gang known as REvil, they all appear to be in Russia. And there's some interesting stuff that's come out. A transcript was released of an interview with one of their contractors.
Now, the original interview was in Russian. So I read through a translation of the Russian. I have no idea how good it is, but it is being quoted by a bank insider magazine that you might be familiar with, BankInfoSecurity. That's one of the places that I follow. And there's a few interesting things that he talked about that I want to get into. But these are the people who have been behind things like the Colonial Pipeline attack and some of the other very large attacks. The way they work, their business model is:
You can license their software, their ransomware software, and you go after a business or a government agency, whatever it might be, you get that ransomware software inside. And the REvil gang will take a percentage of the ransom money that you bring in. Now, how is that for an interesting business model, right?
Taking something that the rest of the world has been using, and then take that model and put it into the illegal side of the world. For three weeks during this whole REvil ransomware attack this summer, it turns out that the FBI secretly withheld the key that could have been used to decrypt data and computers that REvil had infected with ransomware, and it looks like it was up to maybe 1,500 networks.
Now, those are networks, not just computers. That includes networks run by hospitals, schools, and businesses, including critical infrastructure businesses. The way the FBI got their hands on this decryption key is by penetrating the REvil gang's servers. So they got into it. They were able to grab the keys, and then the FBI waited before they did anything with it.
See, what they were trying to do is catch the people behind REvil. And so they didn't want to release information, get information out there to the press, that might tip off those bad guys over there in Russia, and then shut down their operations. But as you might know, because I mentioned it here before, the REvil gang went offline on July 13th, before the FBI could really track them down.
And then the FBI didn't release the key until July 21st. And then, I think it was Malwarebytes released a decryption tool. So if you had been hacked by the gang, you could decrypt. Now, remember, it isn't REvil itself that's doing most of the ransomware hacking, if you will, or placement; it's small guys. And that's why some people, including this contractor that apparently worked for the REvil gang itself, say people think that it's the Russian government, that it's Putin, that's doing this.
He said, in fact, it's not; it's small guys. And people like me are getting four or five hours of sleep a night, because we're working so hard trying to make all of this work, come up with the new software approaches. We have to provide, quote, tech support, unquote, to our affiliates, as well as tech support to the people who have had their computers and their data ransomed.
So it's a real interesting mix. Absolutely interesting mix. Now, Christopher Wray here a couple of weeks ago, he's the FBI director, told Congress that, quote, we make these decisions as a group, not unilaterally. To the FBI and working with other government agencies, these are complex decisions designed to create maximum impact.
And that takes time, and going against adversaries where we have to marshal resources, not just around the country, but all over the world. So this Russian-based gang first appeared in 2019. They've been around; they've been extorting large amounts of money from businesses for a very long time. One of the interesting things, I think, about all of this is that this REvil gang has their software as a service, and they provide it to, quote, affiliates, unquote, that go ahead and then install the software, get you to install it on your computers in order to ransom you, a double whammy, ransom you. But there's now reports out there that there's a secret backdoor in the ransomware's code that allows REvil to go around their affiliates and steal the proceeds.
How's that for hilarious? You've got a bad guy who goes in and gets the software from REvil, pays them a commission, and then REvil apparently has been jumping in on these customer support chats. In other words, you just got nailed, and because you got nailed with ransomware, you have to go to a chat room.
And so you go in there and you're getting customer support on how to buy Bitcoin and how to transfer it to their wallet. And apparently REvil is getting right in the middle and is extorting money from these people directly instead of having the affiliates do it. Pretty amazing. So here's this part of this interview.
It was aired on the Russian news outlet Lenta and was translated by, yeah, Flashpoint. Here are the guys that got the full transcript of the interview. He says, in the normal world, I was called a contractor, doing some tasks for many ransomware collectives that journalists considered to be famous.
Money is stolen or extorted with my hands, but I'm not ashamed of it. I do. And again, this goes into the thinking of many of these bad guys: Americans are all rich and they don't deserve what they have. He said, let's put it this way, this is a very time-consuming job. And if you've earned enough, then you can quit the game.
But chronic fatigue, burnout, deadlines, all of these words from the life of ordinary office workers are also relevant for malware developers. So there you go. You should feel sorry for these malware developers who are developing software to steal millions from you and shut down our critical infrastructure.
Hey, join me online, CraigPeterson.com. And if you subscribe to my weekly newsletter right there on the site, I'll send you a few of my special reports. The most popular ones will come to you right there in your email box. CraigPeterson.com/subscribe.
We all pretty much have some form of insurance. And we're going to talk right now about the types of cyber insurance you may have. Now, this might be through your homeowners policy or perhaps a rider on a business policy.
Many of our homeowners policies have started coming with cyber insurance.
So we're going to talk about that. What is it? Businesses as well are also using cyber insurance, and I'm sure you've heard of insurance basically called LifeLock and what that's all about. So let's kind of start. When we have a breach in a business, usually what happens is information about our customers is stolen.
Look at some of the biggest breaches in history, where we had hundreds of millions of our personal records stolen. The Equifax breach is an example of a huge breach where we had all kinds of personal information that was stolen by the bad guys. Now, some of this information gets stale pretty quickly, but of course other parts of it, like our address, our Social Security number, are probably not going to change for years.
If ever. Now, of course, our Social Security number will never change; the Social Security Administration just doesn't reissue them, for very many reasons at all. And they do not reissue a Social Security number that was stolen online, because just about everybody's has been. So what does a company like LifeLock do?
They keep an eye on your credit report for you. And they're looking at what's going on, new accounts that are opened. They look at various other things just related to that. And they, at that point, say, wait a minute, something weird is happening. Now, my credit cards, for instance, I have a credit card that, if let's say I buy two of the same thing, one after the other, and they're both the same price, that credit card company pops a message right up on my phone saying, Hey, did you just buy two?
Of these $15 things from so-and-so, and I can say yes or no. If I'm out on the road and I am purchasing gas, the credit card can pop up on my phone, and it does, and say, Hey, were you just trying to buy gas at this gas station? Because what'll happen is you use the credit card at the pump, and the pump says it was denied, and then up it pops and, yeah.
Okay. No, that was me. And they say, okay, we'll try the transaction again and we'll approve it next time. And that's all automated. And that has nothing to do with LifeLock. LifeLock is there to more or less detect that something happened, and if something happened and it was a bad guy, basically your identity was stolen.
So they might be trying to buy a Ferrari in your name, or maybe a 10-year-old Ford Focus, whatever it might be. And they will help you try and clean it up. That's what they do. So that's why it's cheap. And I don't know that it's terribly useful to you. If you're really concerned, go ahead and do that, but do keep an eye on your credit report.
I do as well. My bank has free credit reporting for me; my credit card, same thing, free credit reporting that lets me know everything that's going on. So that's an easy way to tell what's up. And there are different types of cyber insurance beyond this sort of thing, beyond the LifeLocks of the world. And many of us just get our cyber insurance through our homeowner's policy.
It's a little rider. And businesses can buy cyber insurance as well. We have cyber insurance that's underwritten by Lloyd's of London, and we provide a $500,000 or million-dollar policy to our clients as well, because that's what we do, cybersecurity, right? So the idea is, if one of our clients gets hit, we have some insurance to back us up, but of course we go a lot further.
It's almost like the LifeLock, where if you do get hit by ransomware or something else, we will help you get back in business. We'll help restore your data. We'll help you with providing you the information you need in order to do press releases, which agencies you need to contact, which of your customers you need to contact.
And we've got scripts for all of that. So you can send it all out and just take care of it. So the idea is you don't want ransomware, so you hire us. We are extremely likely to keep ransomware out of your systems. And on top of that, if you are hit with ransomware, we restore everything. LifeLock does not do that.
Obviously they only do stuff after the fact, and the cyber insurance you buy from an insurance agency is much the same. And there's a huge caveat with these policies that we're buying for our businesses and for our homes. And that is, they have a checklist at the insurance companies. Did you do this and this?
And if you did, then they might pay out; if you did not, they may not pay out. In fact, payouts on cyber insurance policies are not known because, bottom line, they really don't pay out. Okay. I'm looking at some numbers right now about paying ransoms and everything else. You may or may not.
You've got to have a look at it. Many of these policies are never paid out by the cyber insurance coverers. They're usually just regular insurance companies, but it's a special rider. And what they do is they say, Hey, listen, you did not follow the rules, so we're not going to pay out. And there are many cases.
If you go online and do a search, just use DuckDuckGo and say "cyber insurance payout lawsuits." I'm doing that right now. And it'll come up and show: Oh, okay. Does it cover lawsuits? Why are liability claims so costly? Yeah, exactly. 2% payouts it's talking about here. Invoicing, the most common cyber insurance claim denial.
Yeah, it goes on and on. There are a lot. "Act of war clause could nix cyber insurance payouts." That's another big one that they've tried to use. So the cyber insurance company will say, Hey, that was China attacking you, therefore it was an act of war. And you can bet if there is a big hack, they will use that.
Think of what happens with the hurricanes coming onshore. How much do they push back on payouts? Especially with the real big ones; it would bankrupt them. So we gotta be very careful. There are some different types of cyber insurance policies which have different types of coverages. You've got the first-party loss, I should say.
So that's covering you and your loss, your first-party expenses, third-party liability. Each one of those has specific parameters, so sub-limit, retention and others. First-party losses usually include the loss of revenue due to business interruption. First-party expenses would include all of the services and resources that you needed to use to recover from the attack, like forensic or system rebuilding services.
These third-party liabilities may cover expenses and legal fees related to potential damage caused by the incident to third parties like partners, customers, or employees whose sensitive information may have been compromised. So read them carefully. Be very careful. There are next-generation cyber insurance policies that are going even further and make these types of services available.
Prior to any incident, to reduce exposures and prevent incidents in the first place. Now, we don't provide insurance. We are not an insurance company, but that's basically what we're trying to do here. Not become an insurance company, but to make sure the businesses have the right services so that the likelihood of anything happening is extremely low.
And then following up after the fact. It's different, obviously, than insurers and insurance. The Guardian's Jessa Crispin had a great article about a couple of weeks ago that I've been hanging on to. And it's talking about this tattleware that's been incorporated into the computers we're using at home.
Now, we're specifically talking about employers that are putting this software on computers that belong to the companies. A lot of businesses are worried: if workers are at home, or where we can't see them, how do we know that they're actually working, not watching Netflix or something else?
They have, of course, come up with software that can reassure your boss. It does things like take snapshots of what you're doing, record your keystrokes, grab photos, a picture from your camera. There's a new program called Sneek, which makes your webcam take a photo of you about once a minute and makes it available to the supervisor to prove you're not away from your desk.
There's no warning in advance. It just takes that photograph, catches you doing pretty much anything. It can be absolutely anything. Then, it's the type of thing you'd expect the National Security Agency to do. So there are some good reasons for this lack of trust, because sometimes employees have not been doing what they should be doing, but this author is blaming mostly the employer here.
These companies that took out PPP loans to stay running through the end of the pandemic and then laid off thousands of workers anyway. There's widespread wage theft that adds up to hundreds of millions of dollars a year. There's all kinds of stories out on social media about restaurant owners withholding waitstaff tips, et cetera, et cetera.
So this is a problem. I would encourage you, if you are a business owner, to think twice: should I be spying on my employees at home? And if you're an employee, realize it is probably perfectly legal for your employer to be using this tattleware to keep track of you. Hey, I've got a bunch of training coming up.
There is stuff every week, in fact, in my newsletter and you can get it. Craig peterson.com/subscribe. And if you'd like my special report on passwords, make sure you send me an email. email@example.com. And if you subscribe, you'll get a bunch of my special reports. Take care. Have a great weekend and visit me Craig peterson.com