Aug 12, 2022
Your Crypto Is Being Tracked - Your Passwordless Future - How Safe is WhatsApp? - Business Email Compromise - Facebook Lost Your Data - Ransomware Prevention Cheaper Than Cure
Cryptocurrencies were thought to be the gold standard of being secure, of having your information stay private, maybe if you don't want to use regular currency and transactions. But that's changed.
[Following is an automated transcript]
We have had such volatility over the years when it comes to what are called cryptocurrencies.
[00:00:23] Now I get a lot of questions about cryptocurrencies. First of all, let me say, I have never owned any cryptocurrencies and I do not own any crypto assets at all. Most people look at cryptocurrencies and think of a couple of things. First of all, an investment. Well, an investment is something that you can use or sell, right?
[00:00:46] Typically investments you don't really use. It's like a house. Is it an investment? Not so much. It's more of a liability, but people look at it and say, well, listen, it went from, you know, what was 10,000 Bitcoins to buy a pizza to $50,000 per Bitcoin. There's a pretty big jump there.
[00:01:10] And yeah, it was pretty big. And of course it's gone way down and it's gone back up and it's gone down. It's gone back up. But the idea of any kind of currency is, can you do anything with the currency? You can take a dollar bill and go and try and buy a cup of coffee. Okay, a $10 bill, and buy a cup of coffee, in most places anyways.
[00:01:33] Well, that sounds like a good idea. I could probably use a cup of coffee right now; I've got a tickle in my throat. I hate that. But if you have something like Bitcoin, where can you spend it? You might remember Elon Musk was saying, yeah, you can use Bitcoin to buy a Tesla. Also Wikipedia would accept donations
[00:01:54] via Bitcoin. There were a number of places online where you could use Bitcoin. In fact, there's a country right now in south central America that has Bitcoin as its currency. That's kind of cool too, when you think about it. So what are you gonna do? A Latin American country? I'm trying to remember what it is.
[00:02:16] Oh yeah, it's El Salvador, the first country in the world to adopt Bitcoin as official legal tender. Now there's a number of reasons they're doing that, and he can do it, basically. You know, if you've got a dictator, you can do almost anything you want to. So in El Salvador, they've got apps that you can use, and you can go and buy a taco using Bitcoin using their app.
[00:02:42] So there you go. If you have Bitcoin, you can go to El Salvador and you can buy all of the tacos and other basic stuff you might wanna buy. But in general, no, you can't just go and take any of these cryptocurrencies and use them anywhere. So what good are they as a currency? We already established that they haven't been good as an investment unless you're paying a lot of attention and you're kind of every day buying and selling based on what the movement is.
[00:03:11] I know a guy that does exactly that. He's a day trader, basically, in some of these cryptocurrencies. You know, good for him. But in reality, is that something that makes sense in the long term? Is that going to help him long term? I don't know. I really don't, because again, there's no intrinsic value.
[00:03:33] So some of the cryptocurrencies have decided, well, let's have some sort of intrinsic value. And what they've done is they've created what are generally known as stablecoins. And a stablecoin is a type of cryptocurrency that behind it has the ability to be tied to something that's kind of stable. So for instance, one that really hit the news recently is a stablecoin that is tied to the US dollar.
[00:04:01] And yet, even though it is tied to the US dollar, and the coin is a dollar and the dollar is a coin, they managed to get down into a few pennies' worth of value, kind of like a penny. So what good was that? You know, it has since come back up. Some are tied to other types of assets. Some of them say, well, we have gold behind us.
[00:04:24] Kind of like what the United States used to do back when we were on the gold standard. And we became the petrodollar, where countries were using our currency, our US dollars, no matter which country it was, to buy and sell oil. Well, things have changed, obviously. And we're not gonna talk about the whole petrodollar thing right now.
[00:04:46] So forget about that. Second benefit, third benefit is, well, it's crypto, which means it's encrypted, which means we're safe from anybody spying on us, anybody stealing it. And of course that's been proven to be false too. We've seen these cryptocurrencies stolen by the billions of dollars. We've seen these cryptocurrencies lost by the billions of dollars as well.
[00:05:14] That's pretty substantial. When we get right down to it, lost by the billions because people had them in their crypto wallets, lost the password for the crypto wallet, and all of a sudden now they are completely out of luck. Right. Does that make sense to you? So the basic idea behind currency is to make it easier to use the currency than to say, I'll trade you a chicken for five pounds of nails.
[00:05:41] Does that make sense to you? So you use a currency. So you say the chicken is worth five bucks. Well, actually a chicken nowadays is about $30 if it's a laying hen, and those five pounds of nails are probably worth about $30. So we just exchange dollars back and forth. I think that makes a lot of sense. One of the things that has driven up the value of cryptocurrencies, particularly Bitcoin, has been criminal marketplaces.
[00:06:10] As you look at some of the stats of ransoms that are occurring, where people's computers are taken over via ransomware, and then that person then pays a ransom. And what happens when they pay that ransom? Well, they have to go find an exchange, pay US dollars to buy cryptocurrency, Bitcoin usually. And then they have the Bitcoin and they have to transfer it to another wallet. Whether or not the bad guys can use the money
[00:06:42] is, again, a separate discussion. They certainly can, and they do, because some of these countries like Russia are going ahead and just exchanging the cryptocurrencies for rubles, which again kind of makes sense if you're Russia. Now we have a lot of criminals that have been using Bitcoin for ransoms. Businesses,
[00:07:07] publicly traded businesses, have been buying Bitcoin by the tens of millions of dollars so that they have it as an asset in case they get ransomed. Well, things have changed. There's a great article in NBC News by Kevin Collier. And Kevin's talking about this California man who was scammed out of hundreds of thousands of dollars worth of cryptocurrency.
[00:07:33] Now this was a fake-romance scam, which is a fairly common one. It tends to target older people who are lonely, and a romance starts online and they go ahead and talk and kind of fall in love. Right. And it turns out she or he has this really almost terminal disease. If only they had an extra hundred thousand dollars to pay for the surgery.
[00:08:05] You know the story, right. So he was conned out of the money. What's interesting to me is how the investigation and investigative ability has changed over the years. Probably about five years ago, I sat through a briefing by the Secret Service, and in that briefing they explained how they had gone and very cleverly tracked the money that was being sent to and used by this dark web operator who ran a site known as Silk Road.
[00:08:42] And that site was selling illegal things online. Oh, and the currency that they were tracking was Bitcoin. Yes, indeed. So much for cryptocurrency being secure. Five years ago, the Secret Service was able to do it, the FBI was able to do it, and you know, they couldn't do a whole lot about it. But part of the problem is all of your transactions are a matter of public record.
[00:09:13] So if someone sends you a fraction of a Bitcoin, that is now in a ledger, and that ledger now can be used, because when you then spend that fraction of a Bitcoin somewhere else, it can be tracked. Well, it is tracked. It is a hundred percent guaranteed to be tracked. And once it's tracked, well, government can get in.
[00:09:37] Now, in this case, a deputy district attorney in Santa Clara County, California, was able to track the movement of the cryptocurrency. Yeah. So this district attorney, okay, deputy district attorney, not the FBI, not the Secret Service, not the National Security Agency, a local district attorney in Santa Clara County, California, not a particularly huge county, but
[00:10:07] she was able to track it. And she said that she thinks that the scammer lives in a country where they can't easily extradite them, and so they're unlikely to be arrested any time soon. So that includes countries like Russia that do not extradite criminals to the United States. Now getting into the details.
[00:10:26] There's a great quote from her in this NBC News article: "Our bread and butter these days really is tracing cryptocurrency and trying to seize it and trying to get there faster than the bad guys are moving it elsewhere, where we can't grab it." So she said the team tracked the victim's money as it bounced from one digital wallet to another, till it ended up at a major cryptocurrency exchange where it appeared the scammer was planning to launder the money or cash out. They sent a warrant to the exchange,
[00:10:58] froze the money, and she plans to return it to the victim. That is a dramatic reversal from just a few years back when cryptocurrencies were seen as a boon for criminals. Amazing, isn't it? Well, stick around. We've got a lot more to talk about here, and of course, sign up online at craigpeterson.com and get my free newsletter.
[00:11:24] There have been a lot of efforts by many companies, Microsoft, Apple, Google, to try and get rid of passwords. Well, how can you do that? What is a password, and what are these new technologies? Apple thinks they have the answer.
[00:11:41] Passwords have been kind of the bane of existence for a long while. And if you'd like, I have a special report on passwords, where I talk about password managers, things you can do, things you should do in order to help keep your information safe online, things like
[00:11:59] bank accounts, et cetera. Just email me, me@craigpeterson.com, and ask for the password special report and I'll get it to you. Believe me, it's self-contained. It's not trying to get you to buy something. Nothing. It is entirely about passwords and what you can do. Again, just email me, me@craigpeterson.com, and we'll get right back with you.
[00:12:22] Well, you know, give us a couple of days. Passwords are a problem. And over the years, the standards for passwords have changed. I remember way back when some of the passwords might be 2, 3, 4 characters long, and back then those were kind of hard to crack. Then Unix came along. I started using Unix and, when was that?
[00:12:47] Probably about '81. And as I was messing around with Unix, they had a couple of changes in how they did passwords. They added a salt to it. They used basically the same cipher that the Germans used in World War II, that Enigma cipher, which again was okay for the times. Today we have much more powerful ciphers, and the biggest concern right now amongst real cybersecurity people,
[00:13:14] government agencies, is okay, so what are we going to do when these new quantum computers come along with their artificial intelligence and other things? That's going to be a bit of a problem, because quantum computers are able to solve problems in fractions of a second that traditional computers cannot solve.
[00:13:40] It's a whole different thing. I want you to think about something here. If you have a handful of spaghetti, now we're talking about hard spaghetti, not cooked spaghetti, and they're all dried out and they are of varying lengths. How could you sort those from the smallest to largest, if you will? How could you find which ones were the longest, perhaps?
[00:14:08] Which ones were the shortest? Well, there's kind of an analog way of doing that and there's a digital way of doing that. So the digital way, for the computer, would be to measure them all and compare the measurements and then identify how long the longest one was. And then maybe you'd have to go back and try and find that.
[00:14:27] So you can imagine that would take some time. The analog way of doing that, 'cause there still are analog computers out there and they do an amazing job in certain tasks, but the analog way of doing that is, okay, so you take that bundle of various-length spaghetti and you slam it on the table. What's gonna happen? Well, those pieces of dried spaghetti are going to self-align, right?
[00:14:54] The shortest ones are going to be down at the bottom and the tallest ones are gonna be sticking out from the top. So there you go. There's your tallest, your longest pieces of spaghetti, and it's done instantly. So that's just kind of an idea here. Quantum computing's not the same thing, but that's a comparison really of digital and analog computers, but it's the same type of thing.
[00:15:17] Some of these problems that would take thousands of years for a digital computer to work out can just take a fraction of a second. It's absolutely amazing. So when we're looking at today's algorithms, today's programs for encrypting things like military information, secret telegrams, if you will, going back and forth inside the Secretary of State's embassies worldwide,
[00:15:43] today they're considered to be quite secure. But with quantum computing, what's gonna happen? So there are a lot of people out there right now who are working on trying to figure out how can we come up with an algorithm that works today with our digital computers and can be easily solved by a quantum computer.
[00:16:06] We have a pretty good idea of how quantum computers are going to work in the future, how they kind of work right now, but this really gets us to the next level, which is kind of cool. Frankly, that's a little bit here about cybersecurity. Well, how about you and your password? How does this all tie in?
[00:16:26] Well, there are a few standards out there that people have been trying to pass. It's no longer the four-character password you might remember. Oh, it needs to be eight to 10 characters, random mix of upper and lowercase, special characters, digits, numbers. Right? You remember those? And you should change it every 30 days.
[00:16:45] And those recommendations changed about three or four years ago when the National Institute of Standards and Technology said, hey guys, a passphrase is much better than what we've been doing, because people are gonna remember it and it can be longer. So if you are using, like, I have some passphrases I use that are 30 characters or more.
[00:17:09] And I mix up the case and I mix in some special characters and some numbers, but it's a phrase that I can remember, and I have different phrases for different websites, 'cause I use a password manager. Right now I have about 3,100 entries in my password manager. That's a lot. And I bet you have a lot more passwords, or at least a lot more websites and accounts, than you realize.
[00:17:40] And so that gets to be a real problem. Well, how do you make all of this work and make it easy for people? One of the ways that they're looking at using is something called the FIDO Alliance's technique. And the idea behind FIDO is actually similar to what I do right now, 'cause I use 1Password.
[00:18:03] I have an app on my phone and the phone goes ahead and gives me the password. In fact, it'll put it in. I have plugins in my browsers. It'll put it right into the password form on the website. And then it'll ask me on my phone, hey, is that really you? And I'll say yes, using Duo, and ta-da, I'm logged in. It's really quite cool.
[00:18:28] Well, FIDO is a little different than that, but kind of the same. The whole idea behind FIDO is you register at a website and the website will send a request to the FIDO app that's on your phone. So now on your phone, you'll use biometrics or maybe a one-time passkey, you know, those six-digit keys that change every 30 seconds.
[00:18:54] And so now you, on your phone, you say, yeah, yeah, that's me. That's good. That's me. Yeah. Okay. And then the app will exchange with the website, using public key cryptography, a public key, and it's gonna be a unique public key for that website. So it'll generate a private key and a public key for that website.
[00:19:17] And now, ta-da, the website does not have your password and cannot get your password. And anytime you log in, it's going to ask you on your smartphone, is this you? And there are ways beyond smartphones. And if you wanna find out more about passwords, I've got, again, that free special report, just craigpeterson.com.
[00:19:42] Email me, just email me@craigpeterson.com, and I'll make sure we send that off to you, and it explains a lot about passwords and current technology. So FIDO is one way of doing this, and a few different companies have gone ahead and have invested some money into FIDO registration, because it requires changes on the websites as well in order to work
[00:20:08] with FIDO. Now you might use a PIN, you might use the biometrics, et cetera, but Apple has decided they've come up with something even better. Now there's still a lot of questions about what Apple is doing, but they are rolling it into the next release of iOS and also of the Mac operating system. And you'll be able to use that to securely
[00:20:31] log into websites. I think Apple's gonna get a lot of traction on this and I think it's gonna be better for all of us involved here. We'll see. There's still a lot of unanswered questions, but I'll keep you up to date on this whole password technology. Stick around.
[00:20:51] There are ways for us to communicate nowadays, easy ways, but are the easy ways the best ways? That's kind of the question here, frankly. And part of this answer has to do with WhatsApp, and we'll talk about that right now.
[00:21:07] Many people have asked me about secure messaging. You probably know by now that sending text messages is not secure.
[00:21:18] In fact, it could be illegal if you have any personal information about patients or maybe employees. You just can't send those over open channels. So what Apple has done, for instance, is they've got their messaging app, and if the message is green, it's just reminding you that this is a text message. Now they stuck with green because that was kind of the industry's standard.
[00:21:45] Green does not mean safe in the Apple world when it comes to iMessage. Blue does. So they've got end-to-end encryption. So if the message is blue, that means the encryption's in place from side to side. On the other end of the spectrum, there are apps like Telegram, which are not particularly safe.
[00:22:06] Now, Telegram has pulled up its socks a little bit here, but in order to have end-to-end encryption in Telegram, you have to manually turn it on. It is not on by default. I also personally don't trust Telegram because of their background, things that they've done in the past. So, you know, avoid that.
[00:22:28] WhatsApp is something I've been asked about. I had a family member of a service member who was overseas ask if WhatsApp was safe for them to communicate on, 'cause they didn't want third parties picking up, you know, private messages. Things you say and do online with friends and family are not necessarily things that are for public consumption.
[00:22:51] So the answer that I gave was, well, yeah, kind of. You might remember Facebook getting WhatsApp. They bought it, and decided they were going to make some changes to the privacy settings in it. Now that was really a big mistake. They said we're gonna add advertisements. Well, how are you going to effectively advertise
[00:23:15] if you don't know what we're talking about? Have you noticed advertising platforms? If you look up something, or someone else in your house looks up something, if your neighbors are looking up something, they assume that you might be interested in it as well. So what do they do? They go ahead and show you ads for that brand new pair of socks that you never really cared about, but because the algorithms in the background figured, well, yeah, that's what you've been talking about,
[00:23:45] well, let's push out your pair of socks. So if Facebook is going to add ads into WhatsApp, what's going to happen? Are they going to be monitoring what you're saying and then sending you some of these messages, right, these ads? Because of that, a lot of people started looking for a more secure platform, and that's, frankly, where Moxie Marlinspike comes in. Kind of a fun name, a nom de plume in this case, but he started a company called Signal.
[00:24:21] He didn't just start it. He wrote the code for it, the server code, everything. And the whole idea behind Signal was to have a guaranteed safe end-to-end way to communicate with a third party, with a friend, a relative, et cetera. So Signal is something that I've used in the past, and I use it from time to time now as well, depending on who I'm talking to.
[00:24:49] And it does allow you to send messages. It does allow you to talk. You can do all kinds of stuff with it. So now there's an issue with Signal. It's disappointing. Moxie has stepped down from running Signal. There's a company behind it. In January 2022, he said, you know, the company's big enough. They can run themselves.
[00:25:12] He's still on the board of directors. And the guy who's currently the head of Signal is also a very privacy-focused guy, which is really good too. Signal, by the way, is free, and you can get it for pretty much any platform you would care to have it for. A very, very nice piece of software. I like what they've done.
[00:25:34] Now the problem is that some of those people at Signal have decided that they should have a way of making payments inside Signal. So a few months ago, they went ahead and added into Signal a piece of software that allows you to send payments online. Now this is a little concerning, and let's talk about some of the reasons for the concern.
[00:26:06] Basically what we're seeing is a cryptocurrency that Moxie himself helped to put in place. Now, you know, I guess that's good, 'cause he understands it. It's supposedly a cryptocurrency that is privacy-focused. And that's a good thing. Well, what type of crypto is it that's privacy-focused? And how good is it going to be?
[00:26:33] You know, those are all good questions, but here's the biggest problem I think that comes from this. We've got our friends at Facebook, again, trying to add crypto payments to their various Messenger and other products. We're seeing that from a lot of these communication systems, 'cause they can skim a little off the top legally, right?
[00:26:55] Charge you a fee and then make their money that way. But what happens when you put it into an encrypted messaging app? Well, bottom line, a lot of bad things can happen here, because now all of a sudden you come under financial regulations, right? Because you are performing a financial function. So now potentially here there could be criminal misuse of the app, because you could have ransomware and they say, reach us on Signal.
[00:27:34] Here's our Signal account. And go ahead and send us crypto. It's called MobileCoin, by the way, this particular cryptocurrency. So now all of a sudden you are opening up the possibility of all kinds of bad things happening, and your app Signal, which was originally great for messaging, is now being used nefariously.
[00:27:59] I think that's a real problem. Now, when it comes to money transfer functions with cryptocurrencies, to say that they're anonymous I think is a hundred percent a misnomer, because it's really pseudo-anonymous. It's never completely anonymous. So now you've increased the legal attack surface here. So now the various regulators and countries around the world can say, hey,
[00:28:28] this is no longer just a messaging app. You are using it to send money. We wanna track all money transactions. Right. And so what does that mean? Well, that means now we need to be able to break the encryption, or we need to shut down your app, or you need to stop the ability to send money. So the concern right now with Signal is we really could have some legal problems with Signal.
[00:28:56] And we could potentially cause some real-life harm. On the other side of this is what Moxie Marlinspike has been really driving with Signal over the years, which is we don't want anyone to be able to break into Signal. So there's one particular Israeli-based company that sells tools that you can buy that allow you to break into smartphones.
[00:29:24] And they're used by everybody from criminals, you can even buy some of these things on eBay, and they're used also by law enforcement agencies. So he found that there was a bug in one of the libraries that's used by this Israeli software that causes it to crash. And so he put some code into Signal, at least he threatened to, that would cause any of the scanning software that tries to break into your smartphone to fail, to crash.
[00:29:56] Yeah. Yeah. Kind of cool. Craig Peterson here, online at craigpeterson.com, and really you are not alone.
[00:30:14] I got some good news about ransomware and some bad news about BEC, business email compromise. In fact, I got a call just this week from someone who had, in fact, again, had their operating account emptied.
[00:30:31] Ransomware is a real problem, but it's interesting to watch it as it's evolved over the years.
[00:30:40] We're now seeing crackdowns driving down ransomware profits. Yes, indeed. Ransomware's ROI is dropping, the return on investment. And so what we're starting to see is a drive towards more business email compromise attacks. So we'll talk about those, what those are. And I have a couple of clients now that became clients because of the business email compromises that happened to them.
[00:31:15] A great article that was in this week's newsletter. You should have received it Tuesday morning from me if you are signed up for the free newsletter, craigpeterson.com/subscribe. You'll get these usually Tuesday morning. It's my insider show notes, so you can kind of get up to speed on some of the articles I'm talking about during the week that I talk about on the radio.
[00:31:43] And of course talk about here on the radio show and podcast and everything else as well. So what we're seeing here, according to Dark Reading's editor Becky Bracken, is some major changes, a pivot by the bad guys, because at the RSA Conference they're saying that law enforcement crackdowns, cryptocurrency regulations
[00:32:11] (we've been talking about that today) and ransomware-as-a-service operator shutdowns are driving down the return on investment for ransomware operations across the world, all the way across the globe. So what is ransomware as a service? I think that's a good place to start, because that has really been an albatross around our necks for a long time.
[00:32:36] The idea with ransomware is they get you to download some software, run some software that you really should not be running. That makes sense to you. So you get this software on your computer. It exfiltrates files. So in other words, it takes files that you have and sends them off to the bad guys. And then once it's done that, so it'll send like any Word files it finds, Excel, other files
[00:33:06] it might find interesting. Once it's done that, then it goes ahead and encrypts those files so you no longer have access to them. And it doesn't just do them on your computer. If you share a drive, let's say you've got a G: drive or something else on your computer that is being mounted from either another computer or maybe a server,
[00:33:31] it will go ahead and do the same with those files. And remember, it isn't just encrypting, because if you have a good backup... and by the way, most businesses that I've come into do not have a good backup, which is a real problem, because their backups fail. They haven't run. I had one case where we helped the business out and it had been a year and a half since they had a successful backup, and they had no idea.
[00:34:00] They were dutifully carrying home these USB drives every day, plugging a new one in, and the backups were not running. Absolutely amazing. So anyhow, ransomware as a service then. Well, so they've encrypted your files. They've exfiltrated, in other words, they've taken your files, and then they demand a ransom.
[00:34:24] So usually it's like this red screen that comes up and says, hey, you know, all your files are belong to us and you need to contact us. So they have people who help you buy Bitcoin, or whatever they're looking for, usually it's Bitcoin, and send the Bitcoin to them. And then they'll give you what's hopefully a decryption key.
[00:34:50] Now what's particularly interesting about these decryption keys is they work about half of the time. So in other words, about half of the time you'll get all your data back; about half the time you will not. It's just not good. So if you are a small operator, if you are just a small bad guy and it's you and maybe somebody else helping you, you got your nephew there helping you out,
[00:35:14] How are you going to. Help these people that you'reransoming by the cryptocurrency. How are you going to threaten themwith release of their documents online? Unless you have a staff ofpeople to really help you out here? Well, that's where ransomware'sa service comes in. The whole idea behind Raz is.
[00:35:38] You can just be a one man shop. And all you have todo is get someone to open this file. So you go ahead and registerwith the ransomware service provider and they give you the softwareand you embed your little key in there, so they know it's you. Andthen you send it off in an email. You, you might try and mess withthose people to get them to do something they shouldn't do.
[00:36:03] And that's all you have to do, because once somebody opens up that file that you sent them, it's in the hands of these service guys, the ransomware-as-a-service guys. So these ransomware-as-a-service people will do all of the tech support. They'll help people buy the Bitcoin. They'll help them pay the ransom.
[00:36:25] They'll help them recover files, you know, to a certain extent. Right. Does this make sense to you? Yeah, it's kinda crazy. Now I wanna offer you, I've got this document about the new rules for backup, and again, it's free. You can get it, no problem. Just go ahead and email me, me@craigpeterson.com, because the backups are so important.
[00:36:52] Just like password rules have changed, the rules have changed for backups as well. So just drop me an email, me@craigpeterson.com, and ask for it, and we'll make sure we send it off to you. And it's not trying to sell you more stuff. Okay. Uh, it really is explaining the whole thing for you. I'm not holding anything back.
[00:37:11] Well, these ransomware-as-a-service operators then get the payment from you and then pay a percentage, anywhere from 80% to 50%, sometimes even lower, to the person who ransomed you. Isn't that just wonderful. So our law enforcement people, as well as in other countries, have been going after the ransomware-as-a-service providers, because if they can shut down
[00:37:40] these RaaS guys, just shutting one of them down can shut down thousands of small ransomware people. Isn't that cool? Works really, really well. So they have been shut down, many of them. There's one that just popped its head back up again after about six months. We'll see how far they get, but it is a very big,
[00:38:06] uh, blow to the whole industry, you know. Ransomware, really because of these as-a-service operators, has become a centralized business. So there's a small number of operators responsible for the majority of these thousands or hundreds of thousands of attacks. Really, it's probably worse. So a couple of these big groups are left, the Conti group and LockBit, and they've got more than 50% of the share of ransomware attacks in the first half of 2022.
[00:38:40] But now they're going after them, the feds. And I think that makes a whole lot of sense, right? Because who do you go for? Well, you go for the people who are causing the most harm, and that's certainly them. So I expect they'll be shut down sometime, sometime soon, too. So ransomware had its moment over the last couple of years. Still a lot of ransomware out there, still a lot of problems, but now we're seeing BEC, business email compromise, tactics, and I did a,
[00:39:14] uh, television appearance where I was working with the, um, the newsmaker or whatever they call them, right, talking heads on that TV show, and explaining what was happening. And the most standard tactic right now is the gift card swindle. I should put together a little video on this one, but it's all about tricking employees into buying bogus gift cards.
[00:39:43] So this good old-fashioned grift is still working. And what happened in our case is it was actually one of the newscasters who got an email, supposedly from someone else, saying, Hey, uh, you know, we wanna celebrate everybody. And in order to do that, I wanna give 'em all gift cards. So can you go out and buy gift cards?
[00:40:10] And so we messed around with them. It was really kind of fun, and said, okay, uh, you know, what denomination? How many do you think we need? Uh, who do you think we should give them to? And of course we knew what we were doing. Their English grammar was not very good, and it was really obvious that this was not
[00:40:30] the person they were pretending to be. So that happens, and it happens a lot. They got into a business email account, the email account of that newscaster. So they were able to go through their email, figure out who else was in the business, who was a trusted source inside of the business, so they could pretend that, uh, they were that newscaster and send emails to this trusted source.
[00:41:01] And today these business email compromise attacks are aimed at the financial supply chain. And once these threat actors are inside, they look for opportunities to spoof vendor emails to send payments to controlled accounts. And the worst case I know of of this is a company that sent $45 million to a scammer.
[00:41:28] And what happened here is this woman pretended to be the CEO, who was out of the country at the time, and got the CFO to wire the money to her. Uh, an interesting story. We'll have to tell it to you sometime, but it's a real problem. And we just had another one. We've had them in school districts. Look 'em up online, do a DuckDuckGo search for them and you'll find them right,
[00:41:56] left and center, because social engineering works. And frankly, business email compromise is a clear threat to businesses everywhere. As I mentioned, we had one, listens to the show, contact us just last week. Again, $40,000 taken out of the operating account. We had another one that had, I think it was $120,000, taken out of the operating account.
[00:42:25] And another one that had about $80,000 taken out of the operating account. Make sure you're on my newsletter, even the free one. I do weekly free trainings. craigpeterson.com. Make sure you subscribe now.
[00:42:43] Facebook's about 18 years old, coming on 20. Facebook has a lot of data. How much stuff have you given Facebook? You know, did you fall victim for that? Hey, upload your contacts. We'll find your friends. Well, they don't know where your data is.
[00:43:00] There is an article that had appeared online from our friends over at, I think it was, yeah, let me see here. Yeah. Yeah. Motherboard. I was right. And Motherboard is reporting that Facebook doesn't know what it does with your data or where it goes. Now, you know, there's always a lot of rumors about different companies, and particularly when they're a big company and the news headlines are kind of grabbing your attention.
[00:43:34] And certainly Facebook can be one of those companies. So where did Motherboard get this opinion about Facebook just being completely clueless about your personal data? Well, it came from a leaked document. Yeah, exactly. So we find out a lot of stuff like that, right? I used to follow a website about companies that were going to go under, and they posted internal memos.
[00:44:08] It basically got sued out of existence, but there's no way that Facebook is gonna be able to sue this one out of existence, because they are describing this internally as a tsunami of privacy regulations all over the world. So of course, if you're older, we used to call those tidal waves, but think of what the implication there is of a tsunami coming in and just overwhelming everything.
[00:44:37] So Facebook, internally, their engineers are trying to figure out, okay, so how do we deal with people's personal data? It's not categorized in ways that regulators want to control it. Now there's a huge problem right there. You've got third-party data. You've got first-party data. You've got sensitive categories of data.
[00:45:01] They might know what religion you are, what your persuasions are in various different ways. There's a lot of things they might know about you. How are they all categorized? Now we've got the European Union with their General Data Protection Regulation, the GDPR, we talked about when it came into effect back in 2018, and I've helped a few companies to comply with that.
[00:45:26] That's not my specialty. My specialty is the cybersecurity side. But in Article 5, this European law mandates that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. So what that means is that every piece of data, like where you are using Facebook or your religious orientation, can only be collected and used for a specific purpose and not reused for another purpose.
[00:46:04] So there's an example here that Vice is giving. In the past, Facebook took the phone number that users provided to protect their accounts with two-factor authentication and fed it to its "People You May Know" feature, as well as advertisers. Yeah. Interesting, eh? So Gizmodo, with the help of academic researchers, caught Facebook doing this, and eventually the company had to stop the practice.
[00:46:31] 'Cause this goes back to the earlier days where Facebook would say, Hey, find out if your friends are on Facebook, upload your contacts right now. And most people, right. What did you know back then about trying to keep your data private, to try and stop the proliferation of information about you online? Nothing.
[00:46:53] Right? I think I probably even uploaded it back then, thinking, well, that'd be nice to see if I've got friends here, we can start chatting, et cetera. Well, according to legal experts that were interviewed by Motherboard, who wrote this article and has a copy of the internal, uh, memo, this European regulation specifically prohibits that kind of repurposing of your phone number, of trying to put together the social graph, and the leaked document shows that Facebook may not even have the ability to limit
[00:47:28] how it handles users' data. Now I was on a number of radio stations this week talking about this, and the example I gave is, just look at an average business from the time it starts. You know, Facebook started how, right? Well, you scrape in pictures of young women off of Harvard University's main catalog, right,
[00:47:52] contact page, and then asking people, well, what do you think of this? Rate this person, rate that person, and off they go, right, trying to rate them. Yeah, yeah, yeah. All that matters to a woman, at least according to Mark Zuckerberg, or all that matters about a woman, is how she looks. Right. Do I think she's pretty or not? Ridiculous what he was doing.
[00:48:13] It just, oh, that's Zuckerberg, right? That's who he is. Not a great guy anyways. So you go from stealing pictures of young ladies, asking people to rate them, putting together some class information and stuff there at Harvard, and then moving on to other universities and then opening up even wider and wider.
[00:48:37] And of course, that also created demand, because you can't get on if you're not at one of the universities that we have set it up for. And then you continue to grow. You're adding these universities, certainly you're starting to collect data, and you're making more money than God. So what do you do? Well, you don't have to worry about inefficiencies.
[00:48:58] I'll tell you that. Right. One thing you don't have to do is worry about, oh, gee, we've got a lot of redundant work going on here. We've got a lot of teams working on basically the same thing. No, you've got more money than you can possibly shake a stick at. So now you go ahead and send that, uh, money to this group or that group.
[00:49:20] And they put together all of the basic information, right, that they want. They are pulling it out of this database and that database, and they're doing some correlation, writing some really cool SQL queries with some incredible joins and everything else, right? And now that becomes part of the main code for Facebook.
[00:49:43] And then Facebook goes on to the next little project and they do the same thing. Then the next project, then the next project. And then someone comes along and says, uh, Hey, we, this feature, that feature for advertisers, and then in that goes. And then along comes candidate Obama. And, uh, one of the groups inside Facebook says, yeah, yeah, yeah, here, here we go.
[00:50:07] Here's all of the information we have about everybody, and it's free. Don't worry about it. Right. And then when Trump actually bought it and hired a company to try and process some of that information, he got in trouble. No, no, no. But the Obama, the whole campaign could get access to anything they wanted to, again, because the data wasn't controlled. They had no idea who was doing what with the data.
[00:50:34] And according to this internal memo, they still don't know. They don't even know if they can possibly, uh, comply with these regulations, not just in Europe, but we have regulations in pretty much all of the 50 states in the US. Canada, of course, has their own. Australia, New Zealand. Think about all the places Facebook makes a lot of money.
[00:50:59] So here's a quote from that: We build systems with open borders. The result of these open systems and open culture is well described with an analogy. Imagine you hold a bottle of ink in your hand. The bottle of ink is a mixture of all kinds of user data. You pour that ink into a lake of water. Okay. And it flows everywhere,
[00:51:22] the document read. Right. So how do you put that ink back in the bottle, in the right bottle? How do you organize it again so that it only flows to the allowed places in the lake? They're totally right about that. Where did they collect it from? Apparently they don't even know where they got some of this information,
[00:51:43] this data, from. Kind of reminds me of the no-fly list, right? You don't know you're on it and you can't get yourself off of it. Right. It is kind of crazy. So this document that we're talking about was written last year by privacy engineers on the ad and business product team, whose mission is to make meaningful connections between people and businesses, and which, quote, sits at the center of a monetization strategy
[00:52:10] and is the engine that powers Facebook's growth. Interesting, interesting problems. And I see this being a problem well into the future for more and more of these companies. Look at Twitter as an example that we've all heard about a lot lately, and I've talked about as well. Along comes Elon Musk and he says, well, wait a minute now.
[00:52:32] Now I can make Twitter way more profitable. We're gonna get rid of however many people, it's well over a thousand, and then we are going to hire more people. We're gonna start charging. We're gonna be more efficient. You can bet all of these redundancies that are in Facebook are also there on Twitter, and Twitter also has to comply with all of these regulations that Facebook is kind of freaking out about.
[00:53:00] Well, for really a very good reason. So this document is available to anybody who wants to look at it. I'm looking at it right now, talking about the regulatory landscape and the fundamental problems of Facebook's data lake. And this is a problem that most companies have, not as bad as Facebook does, but most companies, right?
[00:53:25] You grow. I have yet to walk into a business that needs help with cybersecurity and find everything in place as it should be, because it grew organically. Right. You started out with a little consumer firewall, router and wifi, and then you added to it and you put a switch here and you added another switch behind that and moved things around.
[00:53:48] Apparently looting is one of the benefits of being a Russian soldier. And according to the reports coming out of Ukraine, they've been doing it a lot, but there's a tech angle on here that is really turning the tables on these Russian looters.
[00:54:04] Thanks for being with me today. I really appreciate it. And I'm honored, frankly, to be in front of this microphone. This is really something. You know, we know in wars there are people that loot, and typically the various militaries try and make sure, at least recently, that that looting is kept to an absolute minimum.
[00:54:27] Certainly the Americans, the British, even the Nazis during World War II, the, uh, the socialists there in Germany, uh, they tried to stop some of the looting that was going on. I think that's probably a very good thing, right? Because what you end up with is just all of these locals that are just totally upset with you.
[00:54:56] I found a great article in the Guardian, and there's a village that had been occupied for about a month by Russian troops, and when the people came back, they were just shocked to see what happened. They're giving a few examples of different towns. They found that alcohol was stolen and they left empty bottles behind, food wrappers, cigarette butts thrown all over the place in apartments and homes.
[00:55:25] Piles of feces blocking the toilets, family photographs torn, thrown around the house. They took away all of the clothes. This is a quote from one of the people: literally everything, male and female coats, boots, shirts, jackets, even my dresses and lingerie. This is really, really something. The Soviets didn't do this, but now the Russian
[00:55:49] military apparently does. So over the past couple of weeks, there's been reporting from numerous places where Russian troops had occupied Ukrainian territory, and the Guardian, which is this UK newspaper, collected evidence suggesting looting by Russian forces was not merely a case of a few wayward soldiers, but a systematic part of Russian military behavior across multiple towns
[00:56:16] and villages. That's absolutely amazing. Another quote here: people saw the Russian soldiers loading everything onto Ural trucks, everything they could get their hands on. A dozen houses on the village's main street had been looted, as well as the shops. Other villagers reported losing washing machines, food, laptops, even a sofa, air conditioners,
[00:56:41] being shipped back, just like, you know, you might use UPS here; they have their equivalent over there. A lady here who was the head teacher in the school, she came back in, of course, found her home looted, and in the head teacher's office she found an open pair of scissors that had been jammed into a plasma screen that was left behind, because if they can't steal it, they're gonna destroy it.
[00:57:07] They don't leave anything behind. They found the Russians had taken most of the computers, the projectors and other electronic equipment. It's incredible. So let's talk about the turnaround here a little. You might have heard stories about some of these bad guys that have smashed and grabbed their way into Apple stores.
[00:57:27] So they get into the Apple store. They grab laptops and iPads, no longer iPods, 'cause they don't make those anymore, and iPhones. And they take them and they run with them. Well, nowadays there's not a whole lot of use for those. Now what they have been doing, some of these bad guys, is they take some parts and use them in stolen equipment.
[00:57:53] They sell them on the used market, et cetera. But when you're talking about something specific, like an iPhone that needs specific activation, a completely different problem arises for these guys, because that iPhone needs to have a SIM card in order to get onto the cell network, and it also has built-in serial numbers.
[00:58:16] So what happens in those cases? Well, Apple goes ahead and disables them. So as soon as they connect to the internet, let's say they put 'em on wifi. They don't get a SIM card. They don't get service from T-Mobile or Verizon or whoever it might be. So now they connect to the wifi and it calls home, 'cause it's gonna get updates
[00:58:36] and so on, download stuff from the App Store, and they find that it's been bricked. Now you can do that with a lot of mobile device managers that are available for all kinds of equipment nowadays, but certainly Apple equipment, where if a phone is lost or stolen, or a laptop or other pieces of equipment, you can get on the MDM and disable it, have it remotely erased, et cetera.
[00:59:02] Now, police have had some interesting problems with that, because a bad guy might go ahead and erase a smartphone that's in the evidence locker at the police station. So they're doing things like putting them into Faraday cages or static bags or other things to try and stop that. So I think we've established here that the higher-tech equipment is pretty well protected.
[00:59:26] You steal it, it's not gonna do you much good. So one of the things the Russians stole when they were in, uh, it's called, uh, I think you pronounce it, uh, Melitopol, uh, which is again a Ukrainian city, is they stole all of the equipment from a farm equipment dealership and shipped it to Chechnya. Now that's according to a source in, uh, a businessman in the area that CNN is reporting on.
[00:59:59] So they shipped this equipment. We're talking about combine harvesters worth 300 grand a piece. They shipped it 700 miles, and the thieves were ultimately unable to use the equipment, 'cause it had been locked remotely. So think about agriculture equipment, John Deere in this case. These pieces of equipment, they drive themselves.
[01:00:26] It's autonomous. It goes up and down the fields, goes in any pattern that you want it to. It'll bring itself within a foot or an inch of your boundaries, right, of your property, being very, very efficient the whole time, whether it's planting or harvesting, et cetera. And that's just a phenomenal thing, because it saves so much time for the farmer, makes it easier to do. The companies like John Deere
[01:00:52] want to sell as many pieces of this equipment as they possibly can. And farming is known to be a, what, not terribly profitable business. It certainly isn't like Facebook. So how can they get this expensive equipment into the hands of a lot of farmers? Well, what they do is, they lease. So you can lease the equipment through a leasing company or maybe directly from the manufacturer, and now you're off and running.
[01:01:20] But what happens if the lease isn't paid? Now, it's one thing if you don't pay your lease on a $2,000 laptop, right? They're probably not gonna come hunting for you, but when you're talking about a $300,000 harvester, they're more interested. So the leasing company has title to the equipment, and the leasing company can shut it off remotely.
[01:01:46] Right? You see where I'm going with this? So that they can get their equipment in the hands of more farmers, 'cause the farmers can lease it. It costs them less. They don't have to have a big cash payment. Right? You see how this all works. So when the Russian forces stole this equipment, that's valued, total value here is about $5 million,
[01:02:07] they were able to shut it all off. And obviously, if you can't start the engine, because it's all shut off and it's all run by computers nowadays, and you know, there's pros and cons to that. I think there's a lot of cons, but, uh, what are you gonna do? How's that gonna work for you? Well, it isn't going to work for you.
[01:02:28] And they were able to track it. It had GPS trackers, find out exactly where it was. That's how they know it was taken to Chechnya, and could be controlled remotely. And in this case, how'd they control it? Well, they completely shut it off. Even if they sell the harvesters for spare parts, they'll earn some money, but they sure won't be able to sell 'em for the 300 grand that they were actually worth.
[01:02:54] Hey, stick around. We'll be right back, and visit me online at craigpeterson.com. If you sign up there, you'll be able to get my insider show notes. And every week I have a quick five-minute training right there in your emails. craigpeterson.com. That's S-O-N, in case you're wondering.
[01:03:20] If you've been worried about ransomware, you are right to worry. It's up. It's costly. And we're gonna talk about that right now. What are the stats? What can you do? What happens if you do get hacked? Interesting world.
[01:03:36] Ransomware has been a very long-running problem. I remember a client of ours, a car dealership, who we had gone in to.
[01:03:47] We had improved all of their systems and their security, and one of their people, who was actually a senior manager, ended up downloading a piece of ransomware, one of these encrypted ones, and opened it up, and his machine, all of a sudden, ta-da, guess what? It had ransomware on it. One of those big red
[01:04:09] screens that say pay up, send us this much Bitcoin, and here's our address. Right. All of that sort of stuff. And he called us up and said, what's going on here? What happened? Well, first of all, don't bring your own machine into the office. Secondly, don't open up particularly encrypted files using the password that they gave you,
[01:04:32] and thirdly, we stopped it automatically. It did not spread. We were able to completely restore his computer. Now let's consider here the consequences of what happened. So he obviously was scared. Uh, and within a matter of a couple of hours, we actually had him back to where he was, and it didn't spread.
[01:05:00] So the consequences there, they weren't that bad. But how about if it had gotten worse? How about if the ransomware also, before it started holding his computer ransom, went out and found all of the data about their customers? Right. Do you think an auto dealership would love to hear that all of their customer data was stolen and released, all of the personal data of all of their customers?
[01:05:27] Right? Obviously not. So there's a potential cost there. And then how long do you think it would take a normal company that thinks they have backups to get back online? Well, I can tell you it'll take quite a while, because the biggest problem is most backups don't work. We have yet to go into a business that was actually doing backups that would work to help restore them.
[01:05:54] And if you're interested, I can send you, I've got something I wrote up. Be glad to email it back to you. Uh, obviously, as usual, no charge. And you'll be able to go into that and figure out what you should do, 'cause I break it down into the different types of backups and why you might want to use them or why you might not want to use them. But ransomware
[01:06:18] is a kind of a pernicious, nasty little thing, particularly nowadays, because it's two-factor, right? First is they've encrypted your data. You can't get to it. And then the second side of that is, okay, well, I can't get to my data, and now they're threatening to hold my data ransom or they'll release it. So they'll put it out there.
[01:06:42] And of course, if you're in a regulated industry, which actually car dealers are because they deal with financial transactions, leases, loans, that sort of thing, uh, you can lose your license for your business. You can lose your ability to go ahead and, frankly, uh, make loans and work with financial companies and financial instruments.
[01:07:06] It could be a very, very big deal. So there are a lot of potential things that can happen, all the way from losing your reputation as a business or an individual to losing all of the money in your operating account. And we, again, we've got a client that, uh, we picked up afterwards that, uh, yes, indeed, they lost all of the money in their operating account.
[01:07:31] And, uh, then how do you make payroll? How do you do things? Well, there's a new study that came out from Check Point. Check Point is one of the original firewall companies, and they had a look at ransomware. What are the costs of ransomware? Now, bottom line, I'm looking at some stats here on a couple of different sites.
[01:07:52] Uh, one is, by the way, Conti, which is a big ransomware gang that also got hacked after they said we are going to attack anyone that, uh, that doesn't defend Vlad's invasion of Ukraine, and then they got hacked and their information was released. But here's ransomware statistics. This is from Cloudwards. Uh, first of all, the largest ransom demand is $50 million.
[01:08:20] And that was in 2021, to Acer, big computer company. Uh, 37% of businesses were hit by ransomware in 2021. This is amazing. They're expecting by 2031, so in about a decade, ransomware is gonna be costing about $265 billion a year. Now on average, uh, ransomware costs businesses $1.85 million to recover from an attack.
[01:08:52] Now that's obviously not a one- or two-person place, but think of the car dealer again. How much money are they going to make over the year, or over the life of the business? Right? If you're a car dealer, you have a license to print money, right? You're selling car model or cars from manufacturer X, and now you have the right to do that, and they can remove that.
[01:09:15] Right? How many tens, hundreds of millions of dollars might that end up costing you? Yeah. Big deal. Total cost of ransomware last year, 20 billion. Now these are the interesting statistics here right now. So pay closer attention to this: 32% of ransomware victims paid a ransom demand. So about a third paid a ransom demand
[01:09:40] last year. It's actually down, 'cause my recollection is it used to be about 50% would pay a ransom. Now on average, that one third of victims that paid a ransom only recovered 65% of their data. Now that differs from a number I've been using from the FBI that's a little bit older, that was saying it's a little, little better than 50%, but 65% of paying victims recovered their data.
[01:10:11] Now isn't that absolutely amazing. Now 57% of companies are able to recover the data using a cloud backup. Now think about the different types of backup. Cloud backup is something that can work pretty well if you're a home user, but how long did it take for your system to get backed up? Probably took weeks, right?
[01:10:34] For a regular computer over a regular internet line. Now restoring from backup's gonna be faster, because your downlink is usually faster than your uplink. That's not true for businesses that have real internet service like, uh, ours. It's the same bandwidth up as it is down. But it can take, again, days or weeks to try and recover your machine.
[01:10:57] So it's very, very expensive. And I wish I had more time to go into this, but looking at the costs here and the fact that insurance companies are no longer paying out for a lot of these ransomware attacks, it could be incredibly expensive for you, incredibly. So here you go, the number one business types by industry for ransomware attacks: retail.
[01:11:31] That makes sense, doesn't it? Real estate, electrical contractors, law firms and wholesale building materials. Isn't that interesting? And that's probably because none of these people are really aware, conscious of doing what, of keeping their data secure, of having a good IT team, a good IT department. So there's your bottom line.
[01:11:58] Uh, those are the guys that are getting hit the most. The numbers are increasing dramatically, and your costs are not just in the money you might pay as a ransom. And so, as it turns out, in pretty much every case, prevention is less expensive and much better than the cure of trying to pay ransom or trying to restore from backups.
[01:12:24] Hey, you're listening to Craig Peterson. You can get my weekly show notes by just going to craigpeterson.com. And I'll also send you my special report on how to do passwords. Stick around, we'll be right back.
[01:12:42] You know, you and I have talked about passwords before, the way to generate them and how important they are. And we'll go over that again a little bit in just a second, but there is a new standard out there that will eliminate the need for passwords.
[01:12:59] I remember, I think the only system I've ever really used that did not require passwords was the IBM 360.
[01:13:09] Yeah, 360, you know, you punch up the cards, all of the JCL, you feed the card deck in and off it goes, and does this little thing. That was a different day, a different era. When I started in college, in university, we had remote systems, timeshare systems that we could log into. And there weren't much in the line of password requirements in them, but you had a username.
[01:13:38] You had a simple password. And I remember one of our instructors, his name was Robert Andrew Lang. And, uh, his password was always some sort of a combination of RA Lang. So it was always easy to guess what his password was. Today, it has gotten a lot worse. Today we have devices with us all of the time.
[01:14:01] You might be wearing a smart watch that requires a password. You of course probably have a smartphone that's also maybe requiring a password, certainly after it boots. Nowadays they use fingerprints or facial recognition, which is handy but has its own drawbacks. But how about the websites you're going to, the systems you're using when you're at work and logging in? They all require passwords
[01:14:31] and usernames of some sort or another. Well, Apple, Google, and Microsoft have all committed to expanding their support for a standard that's actually been out there for a few years. It's called the FIDO standard. And the idea behind this is that you don't have to have a password in order to log in. Now that's really kind of an interesting thing, right?
[01:14:59] Just looking at it, because we're so used to having this password-only authentication. And of course the thing to do there is make sure you have, for your password, multiple words in the password. It should really be a passphrase. And between the words put in special characters or numbers, maybe mix
[01:15:21] upper and lowercase a little bit in those words. Those are the best passwords, you know, 20 characters, 30 characters long. And then if you have to have a PIN, I typically use a 12-digit PIN. And how do I remember all of these? 'Cause I use a completely different password for every website, and right now, let me pull it up.
[01:15:43] I'm using 1Password.com's password manager. And my main password for that is about 25 characters long. And I have three thousand one hundred and thirty-five entries here in my password manager, 3,100. That is a whole lot of passwords, right? As well as, um, software licenses and a few other things in there.
[01:16:11] That's how we remember them is using a passwordmanager. One password.com is my favorite. Now, obviously I don'tmake any money by referring you there. I, I really do like that.Uh, some others that I've liked in the past include last pass, butthey really messed. With some of their cybersecurity last year andI lost, lost my faith in it.
[01:16:33] So now what they're trying to do is make thesewebsites that we go to as well as some apps to have a consistent,secure, and passwordless sign in. and they're gonna make itavailable to consumers across all kinds of devices and platforms.That's why you've got apple, Google, and Microsoft all committingto it.
[01:16:56] And you can bet everybody else is going to follow along, because there's hundreds of other companies that have decided they're gonna work with the FIDO Alliance and they're gonna create this passwordless future, which I like. So how does this work? Well, basically you need to have a smartphone.
[01:17:16] This is, I'm just gonna go with the most standard way that this is going to work here in the future. And you can then have a passkey. This is kind of like a multifactor authentication or two-factor authentication. So for instance, right now, when I sign into a website online, I'm giving a username, I'm giving a password, and then it comes up and it asks me for a code.
[01:17:40] So I enter a six-digit code and that code changes every 30 seconds. And again, I use my password manager from 1Password.com in order to generate that code. So that's how I log into Microsoft sites and Google sites and all kinds of sites out there. So it's kind of a similar thing here. Now, for the sites for my company, because we do cybersecurity for businesses, including regulated businesses,
[01:18:08] we have biometrics tied in as well. So to log into our systems, I have to have a username. I have to have a password. I then am sent to a single sign-on page where I have to have a message sent to my smart device. That then has a special app that uses biometrics, either a Face ID or a fingerprint, to verify who I am.
[01:18:33] So, yeah, there's a lot there, but I have to protect my customers' data. Something that very, very few, it's crazy, actual so-called managed security services providers do, but it's important, right? By the way, if you want my password special report, just go to CraigPeterson.com. Sign up for my email list.
[01:18:58] I'll send that to you. That's what we're sending out right now for anyone who signs up new at CraigPeterson.com. And if you'd like a copy of it and you're already on the list, just go ahead and email me, me@craigpeterson.com, and ask for the password special report, where I go through a lot of this sort of thing.
[01:19:16] So what will happen with this is you go to a website and it might come up with a QR code. So you then scan that QR code with your phone and verify it, authorize it on your phone. You might again have it set up so that your phone requires a facial recognition, or perhaps it'll require a fingerprint.
[01:19:37] And now you are. Which is very cool. They fixed some security problems in FIDO over the last few years, which is great. Over the coming year, you're going to see this available on Apple devices, Google, Microsoft platforms. And it really is simple, stronger authentication. That's what FIDO calls it. Right. But it is going to make your life a lot
[01:20:03] easier. It is a standard, and the passwordless future makes a whole lot of sense for all of us. Now I wanna talk about another thing here that has bothered me for a long time. I have a sister-in-law who is in the medical field and gives prescriptions, you know, doctor thing. And I think she's not quite a doctor.
[01:20:27] I can't remember what she has, or she's an LPN or something. Anyhow, so she'll get on a Zoom call with someone and they'll go through medical history and what's happening right now, and she'll make prescriptions. And so I warned her about that, saying, you know, it is very bad to be using Zoom because Zoom is not secure.
[01:20:52] Never has been, probably never will be, right? If you want secure, go and pay for it from one of these providers like WebEx. That's what we use. We have a version of WebEx that is set up to be secure. So I talked to her about that and said, Hey, listen, you can't do this. You've really got to go another way here.
[01:21:15] And so she started using one of these mental or medical health apps. What I wanna talk about right now specifically are some checks that were just performed, some audits on mental health apps. That's why I messed up a second ago, but what they looked at is that things are a serious, serious problem there.
[01:21:42] And in fact, Threatpost is calling it, frankly, just plain old creepy. So they've got some good intentions. They want to help with mental health. You've probably seen these or at least heard them advertised. So you can get on the horn with a mental health professional, a doctor or otherwise, in order to help you here with your psychological or spiritual.
[01:22:05] Well, and people are sharing their personal and sensitive data with third parties, and of 32 mental health and prayer mobile apps that were investigated by the open source organization, 28 of the 32 were found to be inherently insecure and were given a Privacy Not Included label, including others here.
[01:22:33] So this is a report that was released here by the open source organization tied into Mozilla. Mozilla, those are the Firefox people. They have what they call their minimum security standards. So things like requiring strong passwords, managing security updates and vulnerabilities, et cetera. 25 of the 32 failed to meet
[01:22:57] even those minimum security standards. So these apps are dealing with some of the most sensitive mental health and wellness issues people can possibly have, right? Depression, anxieties, suicidal thoughts, domestic violence, eating disorders. And they are being just terrible with your security. Mozilla researchers spent 255 hours, or about eight hours per product, peering under the hood of the security, watching the data that was going back and forth, right,
[01:23:33] between all of these mental health and prayer apps. It was just crazy. So for example, eight of the apps reviewed allowed weak passwords that range from one digit, one, as the password, 2, 1, 1, 1, while a mental health app called Moodfit only required one letter or digit as a password. Now that is very concerning for an app that collects mood and symptom data.
[01:24:02] So be very careful. Two of the apps, BetterHelp, a popular app that connects users with therapists, and Better Stop Suicide, which is of course a suicide prevention app, have vague and messy privacy policies, according to Mozilla; they have little or no effect on actual user data protection. So be very, very careful.
[01:24:26] And if you are a mental health professional or a medical professional, don't just go and use these open video calls, et cetera, et cetera. Find something good. And there are some standards out there. Again, visit me online, get my insider show notes every week. Get my little mini training. They come out most weeks, just go to CraigPeterson.com.
[01:24:52] CraigPeterson.com. And I'll send you my special report on passwords and more.